Hi,
I have a problem with MBRoot-J / Sinowal and what it installed. :-\
My bank blocked my account because of suspicious transfers.
So I checked my computer (Windows XP SP3) for malware with Avast Free Edition (it runs and updates daily on my PC).
After it found nothing, I checked my Avast logs.
This is what it reported to have removed from my system in the last 7 days:
Found: Win32:Crypt-LJI during a complete scan (5 days ago)
(same day the computer was rebooted)
Found during the startup scan:
Win32 MBRoot-J
Java:Agent-GI
Java:Agent-GG
Java:Agent-GH
Java:Agent-FN
Java:Agent-FM
Java:CVE-2011-3544-BP
JS: Downloader-BGH
JS: Downloader-BDP
The day after, Avast reported that it could not access these files:
folder: defs\12021301
Algo.dll
aswcmbs.dll
aswcmnis.dll
aswcmnos.dll
aswengin.dll
aswfidb.dll
aswrep.dll
aswscan.dll
After this every scan comes up clean.
BUT:
My bank has a tool that checks for infections, and it found a trojan. You can see/get it here: (https://www.ing.nl/particulier/internetbankieren/veilig-internetbankieren/cleaner/index.aspx)
After the quick scan and a hit from the tool, the tool starts aswMBR.exe and locks up (I have tried multiple times).
After this I downloaded aswMBR.exe and ran it myself.
The log reported this:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2012-02-16 01:00:11
01:00:11.703 OS Version: Windows 5.1.2600 Service Pack 3
01:00:11.718 Number of processors: 1 586 0x401
01:00:11.718 ComputerName: HUISKAMER UserName: Eigenaar
01:00:26.734 Initialize success
01:00:28.593 AVAST engine defs: 12021500
01:00:28.640 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-4
01:00:28.640 Disk 0 Vendor: Hitachi_HDP725025GLAT80 GM2OA42A Size: 238475MB BusType: 3
01:00:28.640 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP0T1L0-c
01:00:28.640 Disk 1 Vendor: IBM-DJNA-371350 J76OA30K Size: 12949MB BusType: 3
01:00:28.640 Device owAZEVAoRGRCZ → DriverStartIo RGRCZ@J@ f7545864
01:00:30.640 Disk 0 MBR read successfully
01:00:30.640 Disk 0 MBR scan
01:00:30.640 Disk 0 Windows XP default MBR code
01:00:30.640 Disk 0 scanning sectors +488376000
01:00:30.687 Disk 0 scanning C:\WINDOWS\system32\drivers
01:01:09.156 Service scanning
01:01:10.843 Modules scanning
01:01:37.531 Disk 0 trace - called modules:
01:01:37.531 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8636e000]<<
01:01:37.546 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86375ab8]
01:01:37.546 3 CLASSPNP.SYS[f7616fd7] → nt!IofCallDriver → \Device\0000006b[0x863d9f18]
01:01:37.546 5 ACPI.sys[f758c620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-4[0x863d0940]
01:01:40.656 AVAST engine scan C:\WINDOWS
01:01:56.968 AVAST engine scan C:\WINDOWS\system32
01:05:09.515 AVAST engine scan C:\WINDOWS\system32\drivers
01:05:34.718 AVAST engine scan C:\Documents and Settings\Eigenaar.HUISKAMER
01:07:14.609 AVAST engine scan C:\Documents and Settings\All Users.WINDOWS
01:08:08.562 Scan finished successfully
After the scan the tool did not offer the “Fix” function.
After the aswMBR tool, I tried TDSSKiller. It found files and put them into quarantine (see attached log file).
When I rebooted, Avast found and cleared the quarantined files of TDSSKiller.
After this I checked Autoruns to see if anything was starting up that shouldn’t start.
Autoruns found several entries in HKLM\System\CurrentControlSet\Services.
The funny thing about these entries is that every one of them represents a file or folder in C:\ and points to “\[file/foldername].EXE”.
Unchecking these entries does not help (they are checked again after reboot).
These entries cannot be deleted with Autoruns.
2nd attachment: log file from Autoruns.
I also get these errors: NTVDM reports error C0H when starting the game Mahjong.
Does anybody know what I’m infected with and how to get rid of it?
Any help is appreciated.
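For readers working through an aswMBR log like the one in the post above, here is an added example (my own code, not part of the original post and not AVAST's tooling) that pulls out the lines worth looking at: the disk-trace call chain, any `>>UNKNOWN [...]<<` entry in that chain, any `Device ... DriverStartIo ...` line, and which disks the tool calls "default MBR code". The sample input is the trace section copied from the post; the reading that an UNKNOWN entry marks a module aswMBR could not attribute to a named driver, and that the DriverStartIo line names an I/O routine on an oddly named device, is my interpretation and not AVAST documentation. The parser only extracts what the tool printed.

```python
import re

# Constructed sample input: the relevant aswMBR lines copied from the post above.
ASWMBR_LOG = r"""
01:00:28.640 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-4
01:00:28.640 Device owAZEVAoRGRCZ → DriverStartIo RGRCZ@J@ f7545864
01:00:30.640 Disk 0 MBR read successfully
01:00:30.640 Disk 0 Windows XP default MBR code
01:01:37.531 Disk 0 trace - called modules:
01:01:37.531 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8636e000]<<
01:01:37.546 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86375ab8]
01:01:37.546 3 CLASSPNP.SYS[f7616fd7] → nt!IofCallDriver → \Device\0000006b[0x863d9f18]
01:01:37.546 5 ACPI.sys[f758c620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-4[0x863d0940]
01:08:08.562 Scan finished successfully
"""

TIMESTAMP_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d{3}\s+")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# "Device <name> -> DriverStartIo <routine> <8 hex digits>"; the arrow is normalised to "->"
DEVICE_HOOK_RE = re.compile(r"Device (\S+) -> DriverStartIo (\S+) ([0-9a-fA-F]{8})")
MBR_DEFAULT_RE = re.compile(r"Disk (\d+) Windows .* default MBR code")
TRACE_HEADER = "trace - called modules:"


def parse_aswmbr(log_text):
    """Extract the indicators a reader looks for in an aswMBR log.

    Returns a dict with:
      trace_chain          modules listed on the line after "trace - called modules:"
      unknown_modules      addresses printed as >>UNKNOWN [0x...]<< anywhere in the log
      driverstartio_hooks  (device, routine, address) tuples from "Device ... DriverStartIo" lines
      default_mbr          disk numbers whose MBR code the tool reports as the default one
    """
    result = {
        "trace_chain": [],
        "unknown_modules": [],
        "driverstartio_hooks": [],
        "default_mbr": [],
    }
    expect_chain = False
    for raw in log_text.splitlines():
        # the post shows the arrow as "→"; real logs use "->", so accept both
        line = raw.replace("→", "->").strip()
        body = TIMESTAMP_RE.sub("", line)
        if not body:
            continue
        if expect_chain:
            # the line after the header is the call chain, minus the UNKNOWN marker
            expect_chain = False
            result["trace_chain"] = UNKNOWN_RE.sub("", body).split()
        elif body.endswith(TRACE_HEADER):
            expect_chain = True
            continue
        result["unknown_modules"] += [a.lower() for a in UNKNOWN_RE.findall(body)]
        m = DEVICE_HOOK_RE.search(body)
        if m:
            result["driverstartio_hooks"].append((m.group(1), m.group(2), m.group(3)))
        m = MBR_DEFAULT_RE.search(body)
        if m:
            result["default_mbr"].append(int(m.group(1)))
    return result


def summarize(result):
    """Human-readable findings; an empty list means nothing in the log was flagged."""
    notes = []
    for addr in result["unknown_modules"]:
        notes.append("disk call chain enters a module aswMBR could not name at " + addr)
    for device, routine, addr in result["driverstartio_hooks"]:
        notes.append("device %s has a DriverStartIo routine %s at 0x%s" % (device, routine, addr))
    return notes


if __name__ == "__main__":
    parsed = parse_aswmbr(ASWMBR_LOG)
    print("call chain:", " -> ".join(parsed["trace_chain"]))
    print("default MBR reported for disks:", parsed["default_mbr"])
    for note in summarize(parsed) or ["nothing flagged"]:
        print("-", note)
```

Run it as-is to see the two findings from the posted log; to check a log of your own, read the file into `parse_aswmbr` instead of the embedded sample. Note that aswMBR calling the MBR code "default" says nothing about the rest of the chain, which is why the parser reports both separately.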