Backdoor Sinowal

Hello,
I tried but I get an error that windows is unable to find mbr.

Could you copy the MBR.exe file to your C drive please. I forgot it was on your desktop

Hello,
Thank you for your help.
I copied it to C drive and I got the same error. I copied it to C/windows and I saw a small black screen appear very quickly but no log is created.

Hi,
Just to let you know that the computer I have opened the topic for is a desktop I use at home. I also have a laptop which is behaving in a similar manner. The laptop I connect to a wireless router at work and at home I disconnect the desktop from the router and connect the laptop. I can only connect one computer at a time on this router. Last week I got a bad MBR rootkit infection on the laptop which I thought was cleaned. However I have noticed that when I turn the laptop on as well I get a warning that windows firewall is disabled and Avast takes a while to enable. Firewall then enables itself.
I downloaded MBR and I have attached the log. I am not sure if you prefer I open a new topic for this one or if they can be treated the same way.

I am also wondering if it’s a coincidence…

Thank you in advance.

OK run MBR -f on the laptop the same as you did before (place in the windows folder - oops )

Then run MBR on both and post the logs

I would also recommend that you reset the router as well - do you know how to do that ?

Hi,
Thanks again for your help.
I have reset the router.
I am not sure if I am doing something wrong. I downloaded the tool to my desktop. I ran the file and it gave me a log.
Then I cut and paste to C:\windows.
Start - Run - mbr -f and enter

I get a small black screen but it disappears quickly.
I didn’t get a log. If I run mbr again then I get a log with the same results as before.
Hope it’s correct.
Here is the log from the laptop.

Log from the desktop.

You will still get a copy of the malware but the actual mbr looks good now - You will need to do this for both systems - mark one laptop and the other desktop so I can tell them apart

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Hello,
Thank you again for your help.
Here is the laptop log.

OK that confirmed the MBR has gone from the laptop ;D

That’s great to hear!
Here is the desktop log.
Thank you so much. :slight_smile:

And that one too ;D

What problems do you have now ?

That’s great!

I turned them both off and started them again. When they start Avast’s icon displays on the bottom with an exclamation mark inside a triangle and then a warning that computer is not protected because Windows firewall is disabled. They then enable themselves. This is true for both computers.

I am just wondering if this is normal.

Thanks again.
:slight_smile:

How long does it take for that to occur ? As I sometimes find that my Avast will take two seconds or so to become fully active

Hi,
The desktop takes about 30-40 seconds. It's an old machine though…
The laptop takes about 15-20 seconds. There were times today where the Avast icon came on without a warning, like it was enabled quickly.
I don’t understand why both have suddenly been giving warnings that windows firewall is disabled.

On the laptop while it was infected malware came up with Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Thanks again for your help.
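The scanner line quoted above records a Security Center value the malware set to 1 (Bad) where 0 (Good) is expected. The following is an added example, not code from the thread: it parses "Registry Data Items Infected" lines of that shape and compares each flagged value with the current registry state (read with winreg on Windows, a constructed post-cleanup state elsewhere) to confirm the tampering did not come back. The log line and the non-Windows state are constructed samples.

```python
import re
import sys

# Constructed sample modelled on the scanner line quoted in the thread.
SAMPLE_LOG = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify "
    "(Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.\n"
)

# hive\path\name (detection) -> Bad: (n) Good: (n); accepts both "->" and the arrow glyph.
LINE_RE = re.compile(
    r"^(?P<hive>HKEY_[A-Z_]+)\\(?P<path>.+)\\(?P<name>\w+) \((?P<detection>[^)]+)\)"
    r" (?:->|→) Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\)"
)

def parse_findings(log_text):
    """Return one dict (hive, path, name, detection, bad, good) per flagged value."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bad"], d["good"] = int(d["bad"]), int(d["good"])
            findings.append(d)
    return findings

def read_current_values(findings):
    """Read each flagged value from the live registry (Windows only)."""
    import winreg  # standard library, present only on Windows
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    current = {}
    for f in findings:
        try:
            with winreg.OpenKey(hives[f["hive"]], f["path"]) as key:
                current[f["name"]], _ = winreg.QueryValueEx(key, f["name"])
        except (KeyError, OSError):
            pass  # value absent: nothing to compare, treated as not tampered
    return current

def still_tampered(findings, current):
    """Names whose current value still equals the 'Bad' value the scanner saw."""
    return [f["name"] for f in findings
            if f["name"] in current and current[f["name"]] == f["bad"]]

if __name__ == "__main__":
    findings = parse_findings(SAMPLE_LOG)
    current = (read_current_values(findings) if sys.platform == "win32"
               else {"FirewallDisableNotify": 0})  # constructed clean state
    print(still_tampered(findings, current) or "no flagged values still tampered")
```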

Do you have Avast set to load after windows ?

I’m not sure. Is there a way for me to check?

In the Avast settings
Load Avast! services only after loading other system services
It is unchecked.

This morning the Windows firewall warning appeared again as I turned on the laptop. Avast loaded quickly without a warning.

Thanks again.
:slight_smile:

Sounds like the vagaries of your system - but keep an eye on it and let me know if anything else untoward happens

Thank you very much for your help.

I will see how it goes. I don’t mind the security warning as long as it’s not malware related. That’s my only worry.

It hasn’t been a good month for me computer-wise. I just opened another topic for my son’s laptop.

http://forum.avast.com/index.php?topic=58840.0

If you have a chance please have a look. I am stuck at getting the computer to give me an OTL log.

Thank you again. You have been so helpful.
:slight_smile: