Problems with MBRoot-J / Sinowal and what it installed.

hi

I have a problem with MBRoot-J / Sinowal and what it installed. :-\

My bank blocked my account because of suspicious transfers.
So I checked my computer (Windows XP SP3) for malware with Avast Free edition (runs and updates daily on my PC).

After it found nothing, I checked my Avast logs.

This is what it reported to have removed from my system in the last 7 days:

Found: Win32:Crypt-LJI during a complete scan. (5 days ago)
(same day computer is rebooted)
Found during startup scan:
Win32 MBRoot-J
Java:Agent-GI
Java:Agent-GG
Java:Agent-GH
Java:Agent-FN
Java:Agent-FM
Java:CVE-2011-3544-BP
JS: Downloader-BGH
JS: Downloader-BDP

The day after Avast reported that it could not access these files:
folder: defs\12021301
Algo.dll
aswcmbs.dll
aswcmnis.dll
aswcmnos.dll
aswengin.dll
aswfidb.dll
aswrep.dll
aswscan.dll

After this, every scan comes up clean.

BUT:

My bank has a tool that checks for infections and it found a trojan. You can see/get it here: (https://www.ing.nl/particulier/internetbankieren/veilig-internetbankieren/cleaner/index.aspx)

After the quick scan and a hit from the tool, the tool starts aswMBR.exe and locks up (have tried multiple times).

After this I downloaded aswMBR.exe and ran it myself.

The Log reported this:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2012-02-16 01:00:11

01:00:11.703 OS Version: Windows 5.1.2600 Service Pack 3
01:00:11.718 Number of processors: 1 586 0x401
01:00:11.718 ComputerName: HUISKAMER UserName: Eigenaar
01:00:26.734 Initialize success
01:00:28.593 AVAST engine defs: 12021500
01:00:28.640 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-4
01:00:28.640 Disk 0 Vendor: Hitachi_HDP725025GLAT80 GM2OA42A Size: 238475MB BusType: 3
01:00:28.640 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP0T1L0-c
01:00:28.640 Disk 1 Vendor: IBM-DJNA-371350 J76OA30K Size: 12949MB BusType: 3
01:00:28.640 Device owAZEVAoRGRCZ → DriverStartIo RGRCZ@J@ f7545864
01:00:30.640 Disk 0 MBR read successfully
01:00:30.640 Disk 0 MBR scan
01:00:30.640 Disk 0 Windows XP default MBR code
01:00:30.640 Disk 0 scanning sectors +488376000
01:00:30.687 Disk 0 scanning C:\WINDOWS\system32\drivers
01:01:09.156 Service scanning
01:01:10.843 Modules scanning
01:01:37.531 Disk 0 trace - called modules:
01:01:37.531 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8636e000]<<
01:01:37.546 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86375ab8]
01:01:37.546 3 CLASSPNP.SYS[f7616fd7] → nt!IofCallDriver → \Device\0000006b[0x863d9f18]
01:01:37.546 5 ACPI.sys[f758c620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-4[0x863d0940]
01:01:40.656 AVAST engine scan C:\WINDOWS
01:01:56.968 AVAST engine scan C:\WINDOWS\system32
01:05:09.515 AVAST engine scan C:\WINDOWS\system32\drivers
01:05:34.718 AVAST engine scan C:\Documents and Settings\Eigenaar.HUISKAMER
01:07:14.609 AVAST engine scan C:\Documents and Settings\All Users.WINDOWS
01:08:08.562 Scan finished successfully

After the scan the tool did not offer the function “Fix”

After the aswMBR tool, I tried TDSSKiller. It found and put files into Quarantine (see attached logfile)

When I rebooted, Avast found and cleared the quarantined files of TDSSKiller.

After this I checked autoruns to see if anything was starting up that shouldn’t start.
Autoruns found several entries in HKLM\System\CurrentControlSet\Services.
The funny thing about these entries is that every one of them represents a file or folder in C:\ and points to “\ [file/foldername] .EXE”
Unchecking these entries will not help (they are checked again after reboot).
Deleting these entries cannot be done by Autoruns.

2nd attachment: logfile from autoruns.

I also get these errors: NTVDM reports error: C0H when starting the game Mahjong

Does anybody know what I’m infected with and how to get rid of it?

Any help is appreciated.
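The Autoruns symptom described above (service entries whose image path is a lone “\name.EXE” in the drive root) is easy to check for in bulk. The following is an added example, not code from this thread, from Autoruns or from any of the tools used here: it classifies service ImagePath values and reports the ones that resolve to an executable sitting directly under a root. The sample service table is constructed; the root-level entries imitate the poster’s description only, and the names ExampleAV, `image_executable`, `is_root_level` and `find_root_level_services` are this example’s own. The `read_services_from_registry` helper uses Python’s standard `winreg` module for a live run on Windows and is not exercised offline.

```python
r"""Flag Windows services whose ImagePath points at an executable that sits
directly in a drive root ("\name.EXE", "C:\name.exe", "\??\C:\name.exe"),
the pattern seen in Autoruns under HKLM\SYSTEM\CurrentControlSet\Services.

Added example, not from the thread or from Autoruns. SAMPLE_SERVICES is a
constructed table; the three root-level entries imitate the poster's
description, not a real malware sample."""
import re

# First executable token of an ImagePath: optionally quoted, arguments may follow.
EXE_TOKEN = re.compile(r'^\s*"?(?P<exe>.*?\.(?:exe|sys|dll|com))"?(?:\s|$)', re.IGNORECASE)

# Exactly one path component under a root: optional \??\ prefix, optional drive, then \name.ext
ROOT_LEVEL = re.compile(r'^(?:\\\?\?\\)?(?:[A-Za-z]:)?\\[^\\/]+\.(?:exe|sys|dll|com)$', re.IGNORECASE)

# Constructed sample: service name -> ImagePath value (hypothetical, for illustration).
SAMPLE_SERVICES = {
    "Dhcp": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
    "ExampleAV": r'"C:\Program Files\ExampleAV\ExampleAV.exe" /svc',
    "Disk": r"system32\DRIVERS\disk.sys",
    "ACPI": r"\SystemRoot\system32\DRIVERS\ACPI.sys",
    "Program Files": r"\Program Files.EXE",
    "WINDOWS": r"\WINDOWS.EXE",
    "pagefile": r"\??\C:\pagefile.EXE",
}


def image_executable(image_path):
    """Return the executable part of an ImagePath (quotes and arguments removed), or None."""
    m = EXE_TOKEN.match(image_path)
    return m.group("exe") if m else None


def is_root_level(image_path):
    """True when the executable lives directly under a drive root or the bare "\" root."""
    exe = image_executable(image_path)
    return bool(exe and ROOT_LEVEL.match(exe))


def find_root_level_services(services):
    """services: mapping of service name -> ImagePath. Returns the names to review, sorted."""
    return sorted(name for name, path in services.items() if is_root_level(path))


def read_services_from_registry():
    """Live collection on Windows via the standard winreg module (not run offline)."""
    import winreg
    services = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        count = winreg.QueryInfoKey(root)[0]
        for i in range(count):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as sub:
                    services[name] = str(winreg.QueryValueEx(sub, "ImagePath")[0])
            except OSError:
                pass  # key has no ImagePath value (e.g. a service group) or access was denied
    return services


if __name__ == "__main__":
    for name in find_root_level_services(SAMPLE_SERVICES):
        print("review service %r -> %s" % (name, SAMPLE_SERVICES[name]))
```

Legitimate drivers and services normally live under `%SystemRoot%\system32`, `\SystemRoot\...` or a program directory, so a root-level image path is worth a look even when the file name copies an existing folder name, which is exactly what made the entries in the post look odd.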

Does anybody know what I'm infected with and how to get rid of it?
Follow the guide and attach the logs: http://forum.avast.com/index.php?topic=53253.0

Essexboy is notified :wink:

Sinowal info

Win32/Sinowal is a family of password-stealing and backdoor Trojans. The Trojan may try to find a cryptographic certificate on the infected computer and install a certificate on the computer to mislead users in Secure Sockets Layer (SSL) Web transactions. The Trojan may also capture user data such as banking credentials from various user accounts and send the data to Web sites specified by the attacker. Some Win32/Sinowal components may also open a backdoor on a TCP port. Win32/Sinowal may try to perform certain operations from the context of a trusted process such as explorer.exe in order to bypass local software-based firewalls.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Sinowal

My logs according to your guide:

mbam log
OTL & EXTRA log

and the rest of the logs according to your guide:

aswMBR log
RogueKiller logs

if you need more just ask :slight_smile:

Essexboy should be here in a few hours… :wink:

01:00:28.640 Device owAZEVAoRGRCZ -> DriverStartIo RGRCZ@J@ f7545864
This was the bad boy as identified by aswMBR

However, I can see two suspect services that are not showing in OTL

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • Allow the installation of the recovery console

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
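The line Essexboy picked out of the aswMBR log by eye can be found mechanically. The following is an added example, not code from this thread or from aswMBR: it scans an aswMBR log for the two markers that mattered here, a `>>UNKNOWN [...]<<` module in the disk stack trace and a `Device ... -> DriverStartIo ...` line, and also flags any disk whose MBR line does not read as default code. The sample log is constructed from the lines posted above; the line layout is assumed from that sample only, and the forum’s “→” rendering of “->” is accepted as well. Treating every DriverStartIo line as a finding is this example’s rule, not aswMBR’s, so such hits are for review rather than automatic verdicts.

```python
r"""Triage an aswMBR log for the markers that identified the rootkit driver
in this thread. Added example; the log format is assumed from the sample below,
which is constructed from the lines the poster shared."""
import re

SAMPLE_LOG = r"""
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2012-02-16 01:00:11

01:00:28.640 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
01:00:28.640 Device owAZEVAoRGRCZ -> DriverStartIo RGRCZ@J@ f7545864
01:00:30.640 Disk 0 MBR read successfully
01:00:30.640 Disk 0 Windows XP default MBR code
01:01:37.531 Disk 0 trace - called modules:
01:01:37.531 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8636e000]<<
01:01:37.546 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86375ab8]
01:01:37.546 3 CLASSPNP.SYS[f7616fd7] -> nt!IofCallDriver -> \Device\0000006b[0x863d9f18]
01:08:08.562 Scan finished successfully
"""

TIMESTAMP = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
# A module in the disk I/O path that aswMBR could not attribute to a known driver.
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# A device object whose DriverStartIo routine aswMBR reported, with driver name and address.
STARTIO_HOOK = re.compile(r"^Device (\S+) -> DriverStartIo (\S+) ([0-9a-fA-F]{8})$")
MBR_LINE = re.compile(r"^Disk (\d+) (.*MBR code.*)$")


def parse_log(text):
    """Yield (timestamp, message) for timestamped lines; header lines are skipped.
    The forum shows '->' as the arrow character, so both spellings are accepted."""
    for line in text.splitlines():
        m = TIMESTAMP.match(line.rstrip())
        if m:
            yield m.group(1), m.group(2).replace("\u2192", "->")


def triage(text):
    """Return a list of findings (dicts) in log order."""
    findings = []
    for ts, msg in parse_log(text):
        m = UNKNOWN_MODULE.search(msg)
        if m:
            findings.append({"time": ts, "kind": "unknown_module_in_disk_stack",
                             "address": m.group(1), "line": msg})
            continue
        m = STARTIO_HOOK.match(msg)
        if m:
            findings.append({"time": ts, "kind": "driver_startio_reported",
                             "device": m.group(1), "driver": m.group(2),
                             "address": "0x" + m.group(3).lower(), "line": msg})
            continue
        m = MBR_LINE.match(msg)
        if m and "default MBR code" not in m.group(2):
            findings.append({"time": ts, "kind": "nondefault_mbr_code",
                             "disk": int(m.group(1)), "line": msg})
    return findings


def is_clean(text):
    """True when none of the three markers appear in the log."""
    return not triage(text)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["kind"], "|", f["line"])
```

On the posted log this yields two findings: the `owAZEVAoRGRCZ` device with its DriverStartIo routine at `0xf7545864`, and the unattributed module at `0x8636e000` in the disk stack, while the “Windows XP default MBR code” line is not flagged. The pairing is what matters to a defender: the MBR itself looked normal, and the infection only showed in the driver chain, which is why a plain MBR scan came back clean.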

The computer seems to be working fine.

Booting is now a lot faster than it was. EDIT: this is probably because I forgot to enable my antivirus scanner again.

The entries I talked about in my first post have disappeared in Autoruns.

I attached the Combofix Log

Do you have any idea what infected my system?

Yes I do there is a small synopsis of it here http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3ADOS%2FSinowal.K

I would recommend that you change all your passwords as the malware may have got them

Any further problems as the logs look good now

It looks like the virus is gone. The computer behaves normally and faster.

But I did run a startup-scan with Avast and it detected in the system restore folder: A0000050.exe which it flagged as Win32:PUP-Gen [PUP].
Avast deleted the file.

Every scan I do now comes up clean (Malwarebytes and Avast).

thanks for the help and info everybody.

OK, let's clear the restore points and remove my junk

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [emptytemp]
    [CLEARALLRESTOREPOINTS]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
    (Notice the space between the “x” and “/”)
    then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
  • Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place? Keep safe :wave: