Thread: Need help removing Sinowal.Trojan
View Single Post
Old 12-05-2008, 02:52 AM   #1 (permalink)
DLEEUS
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: Windows XP


Need help removing Sinowal.Trojan
Hello,

I believe that I may have been infected by the Sinowal.Trojan virus. I have experienced symptoms like others with the firewall pop-up messages and Firefox not starting on my home page. I have downloaded and ran the programs as described on your forum. They are attached. Please help me any way you can to get rid of this nasty virus.

Thank you,

DLEEUS


DDS (Version 1.0) - NTFSx86
Run by Owner at 1:39:18.43 on Fri 12/05/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.461 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"C:\WINDOWS\system32\drivers\svchost.exe"
C:\Documents and Settings\Owner\Application Data\Google\xtgoj6119471.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray\sgtray.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Documents and Settings\Owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://qus10.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Settings,ProxyOverride = localhost;*.local
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {C56CB6B0-0D96-11D6-8C65-B2868B609932} - c:\program files\xi\nettransport 2\NTIEHelper.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [RecordNow!]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
uRun: [vxdhm] "c:\documents and settings\owner\application data\google\xtgoj6119471.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [CamMonitor] c:\program files\hp\digital imaging\unload\hpqcmon.exe
mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [LTMSG] LTMSG.exe 7
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Home Theater SchSvr] "c:\program files\common files\intervideo\schsvr\SchSvr.exe"
mRun: [WINCINEMAMGR] "c:\program files\intervideo\common\bin\WinCinemaMgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\spamsu~1.lnk - c:\program files\intermute\spamsubtract\SpamSub.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\1940576\program\BackWeb-1940576.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ndasde~1.lnk - c:\program files\ndas\system\ndasmgmt.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
uPolicies-explorer: Btn_Search = 0 (0x0)
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Download all by Net Transport - c:\program files\xi\nettransport 2\NTAddList.html
IE: Download by Net Transport - c:\program files\xi\nettransport 2\NTAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: SpSubLSP.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 lfsfilt;Lean File Sharing;c:\windows\system32\drivers\lfsfilt.sys [2007-2-4 140160]
R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [2006-3-20 44288]
R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 BT848;AVerDVD EZMaker WDM Video Capture;c:\windows\system32\drivers\BT848.sys [2004-8-30 261696]
R2 BTXBAR;AVerDVD EZMaker WDM Crossbar;c:\windows\system32\drivers\BTXBAR.sys [2004-8-30 13312]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2004-2-29 255096]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2004-2-29 242808]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPortIO.sys [2005-5-27 3584]
R2 HPWebJetadmin;HP Web Jetadmin;"c:\program files\hp web jetadmin\hpwebjetd.exe" -k runservice [2004-4-15 13312]
R2 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2004-3-12 169192]
R2 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2004-3-12 1221864]
R3 Cap713x;Philips Cap713x Video Capture;c:\windows\system32\drivers\Cap713x.sys [2005-5-26 271104]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081203.004\naveng.sys [2008-12-4 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081203.004\navex15.sys [2008-12-4 876112]
R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [2006-3-20 59136]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\IcRecUsb.sys [2008-10-19 17432]
S2 mrtRate;mrtRate; []
S2 RadPciNT;RadPciNT;\??\c:\windows\system32\drivers\RadPciNT.sys [2000-4-24 9417]
S3 CCCP106;D-Link CIF Webcam;c:\windows\system32\drivers\cccp106.sys [2004-12-2 227200]
S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccPwdSvc.exe" [2004-2-29 87160]
S3 MTK;Media Technology Kernel Driver;c:\windows\system32\drivers\fide.sys [2004-9-24 14601]
S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [2006-3-20 115584]
S3 XIRLINK;VivaPix WebCam;c:\windows\system32\drivers\ucdnt.sys [2004-5-27 1001404]

=============== Created Last 30 ================

2008-12-05 01:16 250 a------- c:\windows\gmer.ini
2008-12-04 00:57 2,274 a------- c:\windows\system32\TDSScrhiyxrn.dll
2008-12-04 00:57 73,728 a------- c:\windows\system32\TDSScoyidoex.dll
2008-12-04 00:57 31,232 a------- c:\windows\system32\TDSSbndpulhh.dll
2008-12-04 00:57 29,696 a------- c:\windows\system32\TDSStpklyabp.dll
2008-12-04 00:57 527 a------- c:\windows\system32\TDSSbebpthgu.dat
2008-12-04 00:57 35,840 a------- c:\windows\system32\TDSSvmaybpjn.dll
2008-12-04 00:55 42,496 a------- c:\windows\system32\drivers\svchost.exe
2008-12-04 00:12 <DIR> --d----- c:\program files\HandBrake
2008-11-30 13:54 <DIR> --d----- c:\program files\iTunes
2008-11-30 13:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-11 18:59 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 18:59 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll

==================== Find3M ====================

2008-12-05 01:10 <DIR> --d----- c:\program files\Symantec AntiVirus
2008-12-02 22:33 <DIR> --d----- c:\docume~1\owner\applic~1\TeraCopy
2008-11-30 21:10 <DIR> --d----- c:\docume~1\owner\applic~1\LimeWire
2008-11-30 13:54 <DIR> --d----- c:\program files\iPod
2008-11-20 21:08 <DIR> --d----- c:\program files\LimeWire
2008-10-23 22:20 <DIR> --d----- c:\program files\Advanced IP Scanner
2008-10-17 18:40 <DIR> --d----- c:\program files\SiSoftware
2008-10-01 19:55 <DIR> --d----- c:\docume~1\owner\applic~1\DVDFab
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-19 22:14 80,795 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-09-15 04:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 17:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-07-02 20:52 <DIR> --d----- c:\docume~1\owner\applic~1\GARMIN
2008-03-28 13:15 <DIR> --d----- c:\docume~1\owner\applic~1\Intuit
2007-12-27 15:50 <DIR> --d----- c:\docume~1\owner\applic~1\FlashFXP
2007-12-27 13:55 <DIR> --d----- c:\docume~1\owner\applic~1\Subversion
2006-11-08 23:17 <DIR> --d----- c:\docume~1\owner\applic~1\Good Keywords v2
2006-04-05 15:03 <DIR> --d----- c:\docume~1\owner\applic~1\STOIK
2006-03-12 21:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2005-05-26 20:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\InterVideo
2005-04-02 16:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2004-09-29 21:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2004-08-30 21:25 <DIR> --d----- c:\docume~1\owner\applic~1\Broderbund
2004-08-30 21:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\broderbund
2004-08-05 20:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBT
2004-06-02 20:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2003-10-14 05:31 <DIR> --d----- c:\docume~1\owner\applic~1\Symantec
2003-10-11 02:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI

============= FINISH: 1:39:31.96 ===============
Attached Files
File Type: txt Gmer.txt (66.5 KB, 3 views)
File Type: txt Attach.txt (11.0 KB, 3 views)
DLEEUS is offline  
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here