For the last week I have been chasing this sinowal trojan and it's still winning, I think!? I used so many 'tools' I've lost count. This computer was updated from a free version of avast to the Internet Security version. It found the sinowal trojan and locked up. The log shows that it did nothing with the infected file. After running all the steps suggested by essexboy's post and a few others, I deleted all the restores, left them off and ran the online antivirus f-secure in between doing boot scans with Avast. Then I tried TFC, OTA, HAMeb_check, Secunia, and performed FIXMBR 3 different times, one in recovery mode. I've posted the log from the program that seems to be the only one reporting it now. At one time in this long process, there was even a file next to the "ntkrnlpa.exe" line that was named catchme.sys!!! :
Can someone PLEASE take a look and let me know what I can do, other than wipe out the hard drive?
THANKS AHEAD! -Kathy
aswMBR Log:
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-28 20:47:50
20:47:50.828 OS Version: Windows 5.1.2600 Service Pack 3
20:47:50.828 Number of processors: 1 586 0x2402
20:47:50.828 ComputerName: MARCHLAPTOP01 UserName:
20:47:51.125 Initialize success
20:47:55.250 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
20:47:55.250 Disk 0 Vendor: FUJITSU_MHV2080AT_PL 008300A1 Size: 76319MB BusType: 3
20:47:57.296 Disk 0 MBR read successfully
20:47:57.296 Disk 0 MBR scan
20:47:59.312 Disk 0 scanning sectors +156296385
20:47:59.343 Disk 0 malicious Win32:MBRoot code @ sector 156296388 !
20:47:59.359 Disk 0 PE file @ sector 156296410 !
20:47:59.375 Disk 0 scanning C:\WINDOWS\system32\drivers
20:48:07.640 Service scanning
20:48:09.437 Disk 0 trace - called modules:
20:48:09.453 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
20:48:09.468 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85938ab8]
20:48:09.468 3 CLASSPNP.SYS[f7632fd7] → nt!IofCallDriver → \Device\00000085[0x85968288]
20:48:09.484 5 ACPI.sys[f74a9620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x85967d98]
20:48:10.015 Scan finished successfully
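To make the log easier to read for anyone triaging it, here is an added helper (not part of the original post, and not Avast's code) that parses the aswMBR output, works out the disk's sector count from the reported size, and shows where each flagged sector sits relative to the end of the disk. The excerpt below is constructed from the lines in the log above; the 76319MB disk size and 512-byte sectors are taken from the log and are an assumption about aswMBR's units.

```python
import re

# Constructed excerpt copied from the aswMBR log format shown in the post.
SAMPLE_LOG = """\
20:47:55.250 Disk 0 Vendor: FUJITSU_MHV2080AT_PL 008300A1 Size: 76319MB BusType: 3
20:47:57.296 Disk 0 MBR read successfully
20:47:59.343 Disk 0 malicious Win32:MBRoot code @ sector 156296388 !
20:47:59.359 Disk 0 PE file @ sector 156296410 !
20:48:10.015 Scan finished successfully
"""

SECTOR_BYTES = 512  # assumption: aswMBR reports sector numbers as 512-byte LBAs
SIZE_RE = re.compile(r"Disk (\d+) Vendor: .*? Size: (\d+)MB")
FIND_RE = re.compile(r"Disk (\d+) (malicious .*?|PE file) @ sector (\d+)")


def parse_aswmbr(text):
    """Return findings as (disk, description, sector, sectors_before_disk_end)."""
    total_sectors = {}
    findings = []
    for line in text.splitlines():
        m = SIZE_RE.search(line)
        if m:
            disk, size_mb = int(m.group(1)), int(m.group(2))
            total_sectors[disk] = size_mb * 1024 * 1024 // SECTOR_BYTES
            continue
        m = FIND_RE.search(line)
        if m:
            disk, what, sector = int(m.group(1)), m.group(2).strip(), int(m.group(3))
            total = total_sectors.get(disk)
            from_end = total - sector if total is not None else None
            findings.append((disk, what, sector, from_end))
    return findings


def describe(findings):
    """Human-readable lines; notes whether a finding is the MBR itself (sector 0)."""
    out = []
    for disk, what, sector, from_end in findings:
        where = "the MBR sector itself" if sector == 0 else "outside sector 0 (FIXMBR rewrites only sector 0)"
        tail = "" if from_end is None else f", {from_end} sectors ({from_end * SECTOR_BYTES / 2**20:.2f} MB) before disk end"
        out.append(f"disk {disk}: {what} at sector {sector}, {where}{tail}")
    return out


if __name__ == "__main__":
    for line in describe(parse_aswmbr(SAMPLE_LOG)):
        print(line)
```

For this log the helper shows both flagged sectors lying in the last few megabytes of the disk rather than in the MBR, which is why a FIXMBR alone would leave them on disk for aswMBR to report again.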