Spyware, Viruses, & Security forum

psw.sinowal.a & trojan.pakes.abl

by shelby68gt500 / December 29, 2007 12:09 AM PST

A sibling of mine just called this morning to say that she had to disconnect her 2 computers from the web due to a couple of viruses she had recently found. They were psw.sinowal.a as well as trojan.pakes.abl.
She is afraid (apparently well-founded based on what I've found online to date) that a lot of her personal data might be or has been compromised. I've come across people using HijackThis and a few other programs on at least the PSW one. Does anyone have any ideas if there are any specific removal tools or possibly more specific information for either of these 2 programs? Both the Symantec and McAfee sites have no mention at all of these. She is running XP and Norton 360 on both computers. I'm concerned here as I just updated my wife's and kids' computers to 360 just a week ago. I run McAfee on this computer.

Thanks, Bob

Online scanner
by Donna Buenaventura / December 29, 2007 12:36 AM PST

Hi Bob,

Suggest to her to run an online scan using any of the following:

Housecall: http://www.trendsecure.com/portal/en-US/free_security_tools/housecall_free_scan.php
Use Firefox browser (if installed). IE is OK to use too. This is not Vista compatible.

ESET Online scanner: http://www.eset.com/onlinescan/
Requires IE. It's Vista compatible.

Since she is using XP, she can also try to scan using a-squared malware scanner: http://www.emsisoft.com/en/software/ax/

Question: Which scanner detected trojan.pakes.abl and psw.sinowal.a in her computers?

trojan.pakes.abl and psw.sinowal.a
by shelby68gt500 / December 29, 2007 1:01 AM PST
In reply to: Online scanner

Hi Donna,

Thank you for your help. The scanner that picked up these programs was AVG by Grisoft. If this scanner picked them up and quarantined them, does it also get rid of all the registry entries and other files?
Also, would System Restore fix all of this as well by going back far enough? Any way to possibly tell when the virus was downloaded so she can pick the right restore point, if that will work?

Thanks, Bob

It should
by Donna Buenaventura / December 29, 2007 1:13 AM PST

Bob,

If AVG detected and successfully quarantined the infection, it should be gone already. You can ask her to re-scan the system using AVG (antispyware or antimalware?) to see if there are no more traces of the infection.

Please ask her to check the log of AVG and, if the infected file has an extension that is monitored by System Restore (see http://msdn.microsoft.com/library/en-us/sr/sr/monitored_file_extensions.asp for the types of extensions), ask her to trash the current restore points by disabling System Restore.
After disabling System Restore, restart the system. Run a full system scan again. If clean, please tell her to enable System Restore again.

"Also, would System Restore fix all of this as well by going back far enough? Any way to possibly tell when the virus was downloaded so she can pick the right restore point, if that will work?"

Yes, but she might lose some of her installed applications or items that were added by herself.
Only your sister can find out when the infection occurred and how she got it. Example: through email, a compromised site, a messenger link, attachments, etc.

Trojans
by shelby68gt500 / December 29, 2007 2:44 AM PST
In reply to: It should

Donna, once again, thank you for your help. I've called my sister, informed her of your responses and also sent her this link in case she has already stopped these trojans/viruses. Hopefully we will see her post on here before long.

Regards, Bob

(NT) You're welcome Bob
by Donna Buenaventura / December 29, 2007 9:14 AM PST
In reply to: Trojans

Donna Please help
by Kilty123 / January 6, 2008 7:51 AM PST
In reply to: You're welcome Bob

I have been discussing my computer issues with my brother and he has advised me to message you with the details in hopes that you can help me. I've added on to his thread; I hope this is ok.
We started just before Christmas with the discovery that there were viruses on both of our home computers; both are Sonys but one is older... PSW.sinowal.a was a virus found on my girls' computer and Trojan.Pakes.abl was on mine. I had originally started posting on WhatTheTech.com before I informed my brother of my issues. After working with them for several days, I was led to believe my computers were clean. I went through HijackThis, CCleaner, etc... However, I've been fighting an issue with my computer because my Windows Update is ghosted out and will not allow automatic updates. Also the new AVG AntiVirus would not allow me to update it. So... I took matters into my own hands and uninstalled AVG, installed AVG Malware/AntiVirus and all seemed to be well. However, I uninstalled the old Spybot Search and Destroy today and installed the new one and ran it. All seemed to be ok... though it says that 58,980 processes are blacklisted... I'm not sure what this means. I also uninstalled the old Spybot on the girls' computer and downloaded the new version and ran it just an hour ago... it came up with a ton of errors! Access Violation at address 005E1C38 in module SpybotSD.exe Read of address 00000004 and others had 00000014. Then each line also had file names in it. As the screen scrolled up, the ones that were being added to the list were disappearing, but they were all BAD things! Such as ActivityKeyLogger, Hastalavista, Hacker.ag, FamilyKeyLoggerProDemo, CyberSpy, ActiveKeyLogger, SmartKeyStroke, Contravirus, Hitvirus, Malwareburn, Macrovirus... and this list went on! There was no way to "Fix" these in Spybot, but I did save a log.
I just don't know where to turn and I'm hoping you can help me.
I run Windows XP on both computers; both have AVG Anti-Malware and AVG Anti-Spyware, as well as Ad-Aware and SpybotSD. Not that any of these matter if viruses are set up to disable them. This is my fear.

My computer is a Sony R VGC-RA710G.
My girls' is a PCV-RX650.

Thank You for any assistance you can provide.

See if this will help
by Donna Buenaventura / January 6, 2008 12:13 PM PST
In reply to: Donna Please help

Hi,
The items you said are blacklisted means you are using the TeaTimer of Spybot S&D.
Please read this information about TeaTimer:
http://www.safer-networking.org/en/faq/33.html
and http://www.safer-networking.org/en/faq/34.html

I suggest that you first turn off the TeaTimer until the other issues are fixed. To turn off the TeaTimer:
Run Spybot-S&D, switch to the Advanced mode via the menu bar item Mode --> hit Yes --> select Tools in the navigation bar on the left --> Resident. Uncheck "Resident TeaTimer".

"I've been fighting an issue with my computer because my Windows Update is ghosted out and will not allow automatic updates."

Please tell me exactly what happens when you visit the http://windowsupdate.microsoft.com/ website. Do you see an error message, or is it not loading, or is the browser directed to another website?

"I also uninstalled the old Spybot on the girls' computer and downloaded the new version and ran it just an hour ago... it came up with a ton of errors! Access Violation at address 005E1C38 in module SpybotSD.exe Read of address 00000004 and others had 00000014. Then each line also had file names in it. As the screen scrolled up, the ones that were being added to the list were disappearing, but they were all BAD things! Such as ActivityKeyLogger, Hastalavista, Hacker.ag, FamilyKeyLoggerProDemo, CyberSpy, ActiveKeyLogger, SmartKeyStroke, Contravirus, Hitvirus, Malwareburn, Macrovirus... and this list went on! There was no way to "Fix" these in Spybot, but I did save a log."

Try this:
Restart the computer in Safe mode.
Scan using Spybot S&D in Safe mode.
Let it fix what it detects. If it asks for a reboot and another scan, please do it. Then let us know how it goes.

"I run Windows XP on both computers; both have AVG Anti-Malware and AVG Anti-Spyware, as well as Ad-Aware and SpybotSD. Not that any of these matter if viruses are set up to disable them. This is my fear."
You can uninstall AVG Anti-Spyware now because AVG Anti-Malware includes spyware detection/protection, but this is not important for you to do now. Let's try to fix the above issues first.

I would also like to suggest to do this:
Go to http://www.eset.com/onlinescan/ or http://www.trendsecure.com/portal/en-US/free_security_tools/housecall_free_scan.php
If you can run their online scan, go ahead.
Let it find what it can find and let it disinfect the system.

If you still see the access violation in Spybot S&D while in Safe mode, please go to http://forums.spybot.info/forumdisplay.php?f=4 and report it to the Spybot S&D team. They will try to fix that error just like they did with this user's report:
http://forums.spybot.info/showthread.php?t=22065

Virtumonde, Zlob, NCast, GAINGator, Cydoor, Smitfraud-C.
by Kilty123 / January 7, 2008 11:15 AM PST
In reply to: See if this will help

Hi Donna,
I greatly appreciate your message. I'm working on the girls' computer first. I went into Safe mode and ran Spybot; it was almost like a joke watching it scan hundreds of files with names like I mentioned to you yesterday and watching as it just passed them all by. It did identify 16 items and fixed them, but let the others go by. I wrote down about 70 of the file names, and missed that many and more.

Running in Safe mode I'm not permitted to run AVG Malware. So I'm now running Ad-Aware and so far it's found 16 items.

The real problem here is going to be tough. When you click on Start and see a list of the most recent programs you've run, there was a program called Transfer Wizard (and when you put the cursor over it, it said "Migrates files and settings from one computer to another"). I followed the target location and deleted all the files in that folder. Unfortunately I didn't write it down. It is also sitting in my trash can... should I delete it, or do you want to know the details?

Also, I noticed in my Control Panel I have a folder called ODBC Data Source Admin, WildTangent Control Panel and UI Design Selector, none of which are programs in the Program list, and I cannot delete them.

I could see that someone has been logging onto the computer for the last few days as Domain NT Authority and it mentioned Privileges SEAudit Privilege, Token Privilege and SEChange NotifyPrivilege.

Ad-Aware only found 16 cookies and 2 MRU objects, so I removed them; none of those were listed as critical.

At one time I got an error "0x7c9111de" referenced memory at "0x00000014", which I think is related to the lines I mentioned in Spybot's errors.

I renamed the computer from Kitchen to Virus. I'm also calling Comcast to see if I can get a new IP address. I've disconnected the girls' computer from the internet, went into the Control Panel, clicked on Security and unchecked "allow others remote access to this computer". DUH!

I don't know what else to do with that computer because the programs I've run on there are not working. I can run a HijackThis report from a thumb drive and provide that to you if you need it.

Thank you again for your note.
V/R, Kilty123

More to do for you
by Donna Buenaventura / January 7, 2008 11:39 AM PST

Hi,

Please get the following:

SmitfraudFix - http://siri.urz.free.fr/Fix/SmitfraudFix_En.php
Follow the guide on the page on how to use it.

RogueRemover Free - http://www.malwarebytes.org/rogueremover.php
Install the program and update it. Let it scan for rogue product traces.

Let us know how it goes.

"The real problem here is going to be tough. When you click on Start and see a list of the most recent programs you've run, there was a program called Transfer Wizard (and when you put the cursor over it, it said "Migrates files and settings from one computer to another"). I followed the target location and deleted all the files in that folder. Unfortunately I didn't write it down. It is also sitting in my trash can... should I delete it, or do you want to know the details?"

Please do not browse to that area and do not delete anything there. It's a feature in Windows for when a user wants to transfer their files to another PC. Deleting means you will delete your own files.

"Also, I noticed in my Control Panel I have a folder called ODBC Data Source Admin, WildTangent Control Panel and UI Design Selector, none of which are programs in the Program list, and I cannot delete them."

Please do not touch the ODBC Data Source Admin and the UI Design Selector in Administrative Tools in the Control Panel.

Spybot S&D and Ad-Aware should handle WildTangent, but if they fail, you might want to get the "automatic removal tool" for WildTangent at http://www.pchell.com/support/wildtangent.shtml (scroll down to download the WildTangent Remover). But if you cannot boot to normal mode, you will need another tool.

I suggest that you post your HijackThis log in the HijackThis forum. The instructions on where and how to post the HijackThis log are at:
http://forums.cnet.com/5208-6132_102-0.html?forumID=32&threadID=255339&messageID=2533167
We don't attend to logs here.

"I renamed the computer from Kitchen to Virus. I'm also calling Comcast to see if I can get a new IP address. I've disconnected the girls' computer from the internet, went into the Control Panel, clicked on Security and unchecked "allow others remote access to this computer". DUH!"
You do not need to rename the computer like that, but if that's what you like to do :)
Yes, you can disable "allow remote connection". You do not need to get a new IP address.
If the PC is compromised, a reformat is the best option, but if it's not compromised then there's a chance to clean it up. You need to be patient though, because it's going to take time. Depending on the infection found by the HijackThis analysts, they will provide special tools with a guide on how to use them.

Virtumonde, and friends
by Kilty123 / January 7, 2008 8:51 PM PST
In reply to: More to do for you

Donna, thanks for your support. I'll read what you've recommended and I'll go ahead and post a HijackThis report. Unfortunately what I've seen scares me to death, and leads me to believe my computer has been compromised. In this case reformatting the hard drive would be my best option. Can I save any of the files on that computer? Would .jpg's be safe to keep? Or does saving any of them to a thumb drive or CD pose a threat by taking other unknown (unseen) files with them? Thanks again!

Don't reformat soon :)
by Donna Buenaventura / January 7, 2008 11:30 PM PST

Yes, let the HijackThis analysts analyze the log. They'll offer you tools and a simple guide on how to remove the remaining infections (that AVG Anti-Malware failed to remove).
If it's compromised... they will let you know. They can fix those for sure, but you need to be patient and follow the instructions carefully.

By the way, I'm not sure if you've done the online scan that I suggested in my previous post. Did you scan the system using Housecall?
http://www.trendsecure.com/portal/en-US/free_security_tools/housecall_free_scan.php

Also, is AVG Anti-Malware enabled or still disabled? Can you update it now, or still not?

"Can I save any of the files on that computer? Would .jpg's be safe to keep? Or does saving any of them to a thumb drive or CD pose a threat by taking other unknown (unseen) files with them? Thanks again!"
Yes, you can still save a copy of your important files, but make sure you scan the files before transferring or saving them to another location.
