Cannot remove win32.backdoor.sinowal


  • This topic is locked
12 replies to this topic

#1 Reshuken

    Newbie

  • Members
  • 6 posts

Posted 11 September 2008 - 01:19 AM

Hello guys.

I have a computer running Windows 2000 and Ad-Aware SE and have a problem regarding some malware, specifically win32.backdoor.sinowal. The first time I did a scan, it detected several objects and removed them. A second scan (and subsequent ones) detect two registry values:

HKEY_LOCAL_MACHINE:system\controlset001\enum\root\legacy_{def85c80-216a-43ab-af70-1665edbe2780}
HKEY_LOCAL_MACHINE:system\currentcontrolset\enum\root\legacy_{def85c80-216a-43ab-af70-1665edbe2780}

The real problem is that they cannot be deleted by Ad-Aware SE, nor with Regedit. I think that they may be orphan registry entries (I may be wrong), but I would like to be on the safe side and remove them completely. Also, searching the forums I found an existing thread regarding this but it's closed now because the user apparently found a way to clear it, although he didn't specify how:
http://www.lavasofts...showtopic=20427

I would really appreciate any help or advice you can give me. Thanks in advance.
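A read-only check for the situation this post describes, added here as an example and not code from the thread or from Ad-Aware: it walks the LEGACY_* keys under Enum\Root and reports those whose service definition under Services no longer exists, which is what an orphaned leftover such as the {def85c80-...} entry looks like. It assumes the standard LEGACY_<SERVICENAME>\0000 layout (a Service and a DeviceDesc value on the instance subkey) and an elevated PowerShell prompt.

```powershell
# Added example, not code from the thread. Read-only: lists LEGACY_* keys under
# Enum\Root whose service definition under Services no longer exists.
# Run from an elevated PowerShell prompt.

$enumRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-OrphanLegacyKeys {
    Get-ChildItem -Path $enumRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'LEGACY_*' } |
        ForEach-Object {
            $legacyKey = $_
            # Assumed standard layout: LEGACY_<SERVICENAME>\0000 holds the device
            # instance, with a 'Service' value naming the service it belongs to.
            $instance   = $legacyKey.OpenSubKey('0000')
            $svcName    = $null
            $deviceDesc = $null
            if ($instance) {
                $svcName    = $instance.GetValue('Service')
                $deviceDesc = $instance.GetValue('DeviceDesc')
                $instance.Close()
            }
            if (-not $svcName) {
                # Fall back to the key name, which is the service name in upper case.
                $svcName = $legacyKey.PSChildName.Substring('LEGACY_'.Length)
            }
            # -LiteralPath because service names may contain braces.
            $svcPresent = Test-Path -LiteralPath (Join-Path $servicesKey $svcName)

            [pscustomobject]@{
                LegacyKey         = $legacyKey.PSChildName
                ServiceName       = $svcName
                DeviceDesc        = $deviceDesc
                ServiceKeyPresent = $svcPresent
                # A GUID-shaped service name is the pattern of this thread's
                # {def85c80-...} leftover; worth a look even if Services has it.
                GuidName          = [bool]($svcName -match '^\{[0-9A-Fa-f-]{36}\}$')
            }
        }
}

# Report only the candidates: no matching service, or a GUID used as a service name.
Get-OrphanLegacyKeys |
    Where-Object { (-not $_.ServiceKeyPresent) -or $_.GuidName } |
    Sort-Object ServiceKeyPresent, LegacyKey |
    Format-Table LegacyKey, ServiceName, DeviceDesc, ServiceKeyPresent, GuidName -AutoSize
```

By default only SYSTEM has full control of the Enum subtree while Administrators get read access, which is why Regedit run as an administrator reports an error when deleting such a key; this script never writes. A flagged entry is a candidate for review rather than proof of infection, since uninstalled legitimate drivers also leave LEGACY_ keys behind.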

#2 miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • 4092 posts

Posted 12 September 2008 - 05:27 PM

Hi

Read IMPORTANT - Before Posting a HijackThis Log & Instructions On Creating A Hijackthis Log stickies.

Then post a HijackThis log here.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

#3 Reshuken

    Newbie

  • Members
  • 6 posts

Posted 12 September 2008 - 09:33 PM

Thank you for response. Here is the HijackThis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:25:02 p.m., on 12/09/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Archivos de programa\ESET\ESET Smart Security\ekrn.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Archivos de programa\Compaq\Compaq EAB Software\cpqek.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\DAEMON Tools\daemon.exe
C:\Archivos de programa\ESET\ESET Smart Security\egui.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Archivos de programa\WIDCOMM\Software Bluetooth\BTTray.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {54755249-CCF2-AC55-A560-EE1C8693B393} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\ARCHIV~1\FLASHGET\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ARCHIV~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [cpqek] C:\Archivos de programa\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Archivos de programa\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [egui] "C:\Archivos de programa\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Archivos de programa\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = C:\Archivos de programa\WIDCOMM\Software Bluetooth\BTTray.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Enviar a &Bluetooth - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FLASHGET\flashget.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Archivos de programa\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Archivos de programa\ESET\ESET Smart Security\ekrn.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARCHIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

--
End of file - 6430 bytes

Edited by Reshuken, 12 September 2008 - 09:34 PM.


#4 miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • 4092 posts

Posted 12 September 2008 - 09:41 PM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#5 Reshuken

    Newbie

  • Members
  • 6 posts

Posted 15 September 2008 - 05:02 PM

Sorry for the late reply, but I was busy during the weekend.

Anyway, I ran Combofix, but right now my computer is standing still. It went fine until the part that said that Combofix would reboot Windows, but it has been idle for like 10 minutes now. Should I manually reset my computer or do I wait a little bit longer?

#6 miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • 4092 posts

Posted 15 September 2008 - 05:13 PM

Did you disable your Antivirus?
Just give it a little time. If it's still the same, then reboot and see if it's still running after the reboot and creates a log afterwards. If not, try again from Windows Safe mode.

#7 Reshuken

    Newbie

  • Members
  • 6 posts

Posted 15 September 2008 - 05:23 PM

Yes, I disabled my antivirus (NOD32), and it's the same... it's been still for half an hour now; I don't even hear the hard drive spinning, although the screen is still on with my second wallpaper. Is it safe if I reboot now? I really don't mind waiting for another 1/2 hour to be on the safe side and then rebooting.

Edited by Reshuken, 15 September 2008 - 05:23 PM.


#8 miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • 4092 posts

Posted 15 September 2008 - 05:25 PM

Yes, reboot and try again from Windows Safe mode if no report is generated after reboot.

#9 Reshuken

    Newbie

  • Members
  • 6 posts

Posted 15 September 2008 - 06:24 PM

Success! The entries in the log of Ad-Aware don't appear anymore. (That's why I took so long, I was doing a scan)

In any case, I will post the ComboFix and HijackThis logs for you. Also, it's worth mentioning that once I rebooted my computer, ComboFix popped up a window that said "Cannot import creg.dat: Registry access error" (translation from the Spanish text).


Combofix log (sorry that it is in Spanish, but I have Windows in Spanish):

ComboFix 08-09-11.02 - Reshuken 15/09/2008  9:53:03.1 - FAT32x86
Microsoft Windows 2000 Professional  5.0.2195.4.1252.34.3082.18.76 [GMT -6:00]
Se ejecuta desde: C:\Documents and Settings\Administrador\Escritorio\ComboFix.exe
ADVERTENCIA - ESTE EQUIPO NO TIENE INSTALADA LA CONSOLA DE RECUPERACION!
.
((((((((((((((((((((((((((((((((((((   Otras eliminaciones   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Archivos de programa\smbols~1
C:\WINNT\system32\asks~1
C:\WINNT\Web\default.htt
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{DEF85C80-216A-43AB-AF70-1665EDBE2780}

((((((((((((((((((   Archivos creados desde 2008-08-15 - 2008-09-15  )))))))))))))))))))))))))))))))))
.
2008-09-12 14:24 . 08-09-12 14:24 	<DIR>	d--------	C:\Archivos de programa\Trend Micro
2008-09-11 05:45 . 08-09-11 05:45 	<DIR>	d--------	C:\Documents and Settings\All Users\Datos de programa\Malwarebytes
2008-09-11 05:45 . 08-09-11 05:45 	<DIR>	d--------	C:\Documents and Settings\Administrador\Datos de programa\Malwarebytes
2008-09-10 22:12 . 08-09-10 22:12 	<DIR>	d--------	C:\Documents and Settings\All Users\Datos de programa\Spybot - Search & Destroy
2008-09-10 20:32 . 08-09-10 20:32 	<DIR>	d--------	C:\Documents and Settings\All Users\Datos de programa\SUPERAntiSpyware.com
2008-09-10 20:31 . 08-09-10 20:31 	<DIR>	d--------	C:\Documents and Settings\Administrador\Datos de programa\SUPERAntiSpyware.com
2008-09-10 20:31 . 08-09-10 20:31 	<DIR>	d--------	C:\Archivos de programa\SUPERAntiSpyware
2008-09-10 14:00 . 08-09-14 09:23 	642,602	---h-----	C:\WINNT\ShellIconCache
2008-09-01 09:43 . 08-09-01 09:43 	<DIR>	d--------	C:\Archivos de programa\ESET
2008-08-31 15:52 . 08-08-31 15:52 	<DIR>	d--------	C:\WINNT\Downloaded Installations
.
((((((((((((((((((((((((((((((((((((((   Reporte Find3M   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2000-10-04 04:59	271	---ha-w	C:\Archivos de programa\DESKTOP.INI
2000-10-04 04:59	22,020	---ha-w	C:\Archivos de programa\FOLDER.HTT
2000-08-09 01:00	32,528	----a-w	C:\WINNT\INF\WBFIRDMA.SYS
2005-10-14 03:27	422,400	--sha-r	C:\WINNT\x2.64.exe
2005-05-13 23:12	217,073	--sha-r	C:\WINNT\meta4.exe
2005-10-24 17:13	66,560	--sha-r	C:\WINNT\MOTA113.exe
2005-06-26 21:32	616,448	--sha-r	C:\WINNT\SYSTEM32\cygwin1.dll
2005-06-22 04:37	45,568	--sha-r	C:\WINNT\SYSTEM32\cygz.dll
2005-10-08 01:14	308,224	--sha-r	C:\WINNT\SYSTEM32\avisynth.dll
2005-02-28 19:16	240,128	--sha-r	C:\WINNT\SYSTEM32\x.264.exe
2004-01-25 06:00	70,656	--sha-r	C:\WINNT\SYSTEM32\i420vfw.dll
2004-01-25 06:00	70,656	--sha-r	C:\WINNT\SYSTEM32\yv12vfw.dll
2005-07-14 18:31	27,648	--sha-r	C:\WINNT\SYSTEM32\AVSredirect.dll
2006-04-27 16:24	2,945,024	--sha-r	C:\WINNT\SYSTEM32\Smab.dll
.
(((((((((((((((((((((((((((((((((   Cargando Puntos Reg   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vacías & entradas legítimas predeterminadas no son mostradas
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Archivos de programa\MSN Messenger\msnmsgr.exe" [07-09-04 23:40  6856704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cpqek"="C:\Archivos de programa\Compaq\Compaq EAB Software\cpqek.exe" [01-09-20 14:58  69632]
"SynTPLpr"="C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe" [01-07-27 12:18  94208]
"SynTPEnh"="C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe" [01-07-27 12:17  282624]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe" [08-02-22 04:25  144784]
"QuickTime Task"="C:\Archivos de programa\QuickTime\qttask.exe" [06-12-26 15:57  282624]
"DAEMON Tools"="C:\Archivos de programa\DAEMON Tools\daemon.exe" [06-11-12 04:48  157592]
"egui"="C:\Archivos de programa\ESET\ESET Smart Security\egui.exe" [07-12-21 08:21  1443072]
"Synchronization Manager"="mobsync.exe" [03-06-19 13:05  111888 C:\WINNT\SYSTEM32\mobsync.exe]
"ATIModeChange"="Ati2mdxx.exe" [01-09-04 17:24  28672 C:\WINNT\SYSTEM32\Ati2mdxx.exe]
"PRPCMonitor"="PRPCUI.exe" [01-04-24 10:00  41984 C:\WINNT\SYSTEM32\prpcui.exe]
"LoadQM"="loadqm.exe" [00-05-03 17:23  7536 C:\WINNT\loadqm.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Archivos de programa\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 13:05  189712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.I420"= i420vfw.dll
"vidc.DIVF"= DivX412.dll
"vidc.XVID"= xvid.dll
"vidc.yv12"= yv12vfw.dll
"msacm.divxa32"= DivXa32.acm
"msacm.l3codec"= L3codecp.acm

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINNT\system32\DRIVERS\SONYPVM1.SYS [00-05-27 04:37  28224]
R1 epfwndhk;epfwndhk;C:\WINNT\system32\DRIVERS\EPFWNDHK.sys [07-12-21 08:21  33800]
R2 PRPC;PRPC;C:\WINNT\system32\drivers\PRPC.sys [01-02-01 14:01  15130]
S3 cirrus;cirrus;C:\WINNT\system32\DRIVERS\cirrus.sys [99-10-08 23:31  45744]
S3 FBIKB_NT;FBIKB_NT;C:\WINNT\System32\Drivers\FBIKB_NT.Sys [ ]
S3 N100;Compaq Ethernet or Fast Ethernet NIC NT Driver;C:\WINNT\system32\DRIVERS\n100nt5.sys [99-12-14 21:31  88848]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
- - - - ORPHANS REMOVED - - - -

BHO-{54755249-CCF2-AC55-A560-EE1C8693B393} - (no file)
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrador\Datos de programa\Mozilla\Firefox\Profiles\qe53ryjt.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Archivos de programa\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - C:\Documents and Settings\Administrador\Datos de programa\Mozilla\Firefox\Profiles\qe53ryjt.default\extensions\flashplugin@idm\platform\WINNT\plugins\npidmdcp.dll
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-15 10:36:48
Windows 5.0.2195 Service Pack 4 FAT NTAPI

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

el escaneo se completo con exito
archivos ocultos: 0

**************************************************************************
.
Tiempo completado: 2008-09-15 10:38:38 - machine was rebooted
ComboFix-quarantined-files.txt  2008-09-15 16:38:30

Pre-Run: 3,859,562,496 bytes libres
Post-Run: 3,821,453,312 bytes libres

113

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:57 a.m., on 15/09/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Archivos de programa\ESET\ESET Smart Security\ekrn.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\DAEMON Tools\daemon.exe
C:\Archivos de programa\ESET\ESET Smart Security\egui.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\WIDCOMM\Software Bluetooth\BTTray.exe
C:\WINNT\explorer.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\ARCHIV~1\FLASHGET\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ARCHIV~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [cpqek] C:\Archivos de programa\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Archivos de programa\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [egui] "C:\Archivos de programa\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Archivos de programa\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = C:\Archivos de programa\WIDCOMM\Software Bluetooth\BTTray.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Enviar a &Bluetooth - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FLASHGET\flashget.exe
O20 - AppInit_DLLs:
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Archivos de programa\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Archivos de programa\ESET\ESET Smart Security\ekrn.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARCHIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

--
End of file - 6303 bytes

I still need to run a scan with Nod32 and check that everything is good, but so far everything seems OK. Really, thanks for your help!!!

Edited by Reshuken, 15 September 2008 - 07:02 PM.


#10 miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • 4092 posts

Posted 15 September 2008 - 06:36 PM

Hi,

From what I can see, Combofix already removed the sinowal legacy leftover.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Then:

* Start HijackThis, close all open windows, leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O20 - AppInit_DLLs:


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Also, uninstall the "Automatic LiveUpdate Scheduler" and "Automatic LiveUpdate" by Symantec via Add/Remove Programs. This is because I don't see Norton installed here anymore, so there's really no need to have both services still present and running.

Let me know in your next reply how things are now.

#11 Reshuken

    Newbie

  • Members
  • 6 posts

Posted 15 September 2008 - 07:09 PM

Hi,

I did all the steps that you told me to. Everything is fine and running OK; I'm really grateful for your help and advice. Now I can say that this problem is officially solved. Once again, thank you very much.

#12 miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • 4092 posts

Posted 15 September 2008 - 07:59 PM

Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#13 miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • 4092 posts

Posted 17 September 2008 - 10:20 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

Everyone else please begin a New Topic.

Thank you !



