Infected With Win32.Sality Virus


3 replies to this topic

#1 lolilaughed


Posted 20 February 2008 - 03:03 PM

For a while now, I've been having a struggle against the Win32.Sality. Any antivirus programs I install cannot boot up (it says something about services unable to start up). I've tried AVG, Nod32, McAfee, Norton, Panda etc. Any antivirus websites such as virusscan.jotti.org, kaspersky.com, symantec.com etc. will not load at all, which is the strangest part. Also, simple programs like AdAware or CCleaner close immediately upon execution. I have tried booting into safe mode, but as soon as I press "Boot into Safe Mode" the computer restarts itself.

In addition to all of this, I have Process Guard up and I am constantly bombarded with random applications in my Temp folder being created and attempting to execute. These include malware like:

winpidn.exe
wineuje.exe
winxxax.exe

etc.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:24 AM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\SYSTEM32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
F:\WINDOWS\Explorer.exe
F:\Program Files\Spyware Doctor\pctsTray.exe
F:\Program Files\ProcessGuard\pgaccount.exe
F:\Program Files\AIM\aim.exe
F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\ProcessGuard\dcsuserprot.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\PnkBstrA.exe
F:\Program Files\CyberLink\Shared files\RichVideo.exe
F:\Program Files\Spyware Doctor\pctsAuxs.exe
F:\Program Files\Spyware Doctor\pctsSvc.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Viewpoint\Common\ViewpointService.exe
F:\Program Files\Xfire\Xfire.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\SYSTEM32\taskmgr.exe
F:\WINDOWS\system32\cleanmgr.exe
F:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F:\progra~1\mozill~1\firefox.exe

F2 - REG:system.ini: Shell=Explorer.exe "F:\DOCUME~1\DELOSC~1\LOCALS~1\Temp\wineuje.exe"
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] F:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] F:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ISTray] "F:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!1_pgaccount] "F:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "F:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKUS\S-1-5-21-507921405-515967899-725345543-1003\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl (User '?')
O4 - HKUS\S-1-5-21-507921405-515967899-725345543-1003\..\Run: [!1_ProcessGuard_Startup] "F:\Program Files\ProcessGuard\procguard.exe" -minimize (User '?')
O4 - S-1-5-21-507921405-515967899-725345543-1003 Startup: Stardock ObjectDock.lnk = F:\Program Files\Stardock\ObjectDock\ObjectDock.exe (User '?')
O4 - Startup: Stardock ObjectDock.lnk = F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O20 - AppInit_DLLs: PAVWAIT.DLL,wbsys.dll
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - F:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - F:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5394 bytes

I am at wit's end on how to solve this problem, please help!

Thanks for reading it. Whatever help you guys can give is very much appreciated.

Edited by lolilaughed, 20 February 2008 - 03:04 PM.
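Added example (not code from this thread, from BleepingComputer, or from HijackThis): a small Python triage script that reads HijackThis-style log lines like the ones in the post above and pulls out the entries that matter for this kind of infection: a Winlogon Shell= value that launches anything besides Explorer.exe (the F2 line), O4 autoruns that execute out of a Temp folder or carry the win????.exe name shape the poster listed, AppInit_DLLs entries (loaded into every GUI process), and services with no publisher. The sample lines are copied from the log above; the heuristics (SHELL_DEFAULT, TEMP_DIR_RE, RANDOM_WIN_RE) and the severity labels are my assumptions, not a published Sality signature, and "review" findings are things a human should look at, not verdicts.

```python
"""Triage a HijackThis 2.x log for persistence entries worth a second look."""
import re
from dataclasses import dataclass

# Constructed sample: these lines are copied from the HijackThis log in the post.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe "F:\DOCUME~1\DELOSC~1\LOCALS~1\Temp\wineuje.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O20 - AppInit_DLLs: PAVWAIT.DLL,wbsys.dll
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
"""

# Heuristics (assumptions for this example, not a general Sality signature):
SHELL_DEFAULT = "explorer.exe"                      # the only program Shell= should name on XP
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.I)  # autorun living in a temp directory
RANDOM_WIN_RE = re.compile(r"^win[a-z]{4}\.exe$", re.I)  # shape of the names the poster saw


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = almost certainly hostile, "review" = needs a human look
    section: str    # HijackThis section tag: F2, O4, O20, O23
    detail: str


def _tokens(cmdline: str) -> list[str]:
    """Split a command line into tokens, honouring double quotes (Windows style).
    Unquoted paths containing spaces are split on the space; good enough for
    a temp-directory / filename check."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def _suspicious_path(path: str) -> bool:
    return bool(TEMP_DIR_RE.search(path) or RANDOM_WIN_RE.match(_basename(path)))


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in log.splitlines():
        line = line.strip()
        if m := re.match(r"^F2 - REG:system\.ini: Shell=(.*)$", line):
            # Winlogon Shell= should be exactly Explorer.exe; anything appended
            # is started alongside the desktop at every logon.
            toks = _tokens(m.group(1))
            extra = [t for t in toks if t.lower() != SHELL_DEFAULT]
            if extra or not toks:
                findings.append(Finding("high", "F2",
                                        "Shell= launches extra program(s): " + ", ".join(extra)))
        elif m := re.match(r"^O4 - (.+?): \[(.*?)\] (.*)$", line):
            hive, name, cmd = m.groups()
            for t in _tokens(cmd):
                if _suspicious_path(t):
                    findings.append(Finding("high", "O4", f"{hive} [{name}] launches {t}"))
                    break
        elif m := re.match(r"^O20 - AppInit_DLLs: (.*)$", line):
            # Every DLL listed here is mapped into every process that loads user32.dll.
            for dll in filter(None, (d.strip() for d in m.group(1).split(","))):
                findings.append(Finding("review", "O20", f"AppInit_DLLs loads {dll} into every GUI process"))
        elif m := re.match(r"^O23 - Service: (.*?) - Unknown owner - (.*)$", line):
            svc, path = m.groups()
            findings.append(Finding("review", "O23", f"service {svc!r} has no publisher: {path}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```

Run against the sample, the only "high" hit is the F2 line, which is exactly the entry a helper would want the poster to look at first; the two AppInit_DLLs names and the PnkBstrA service come back as "review" because the log alone does not say whether they are legitimate, and the O4 entries for NVIDIA and AIM produce nothing.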



#2 MoNsTeReNeRgY22


Posted 20 February 2008 - 10:12 PM

Hello and Welcome to Bleeping Computer.

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Please give me some time to analyze your log, and I will post back with instructions ASAP.




#3 lolilaughed


Posted 20 February 2008 - 11:44 PM

Thank you so much for the reply! Any help that you can come up with for me would be greatly appreciated.

#4 MoNsTeReNeRgY22


Posted 23 February 2008 - 03:06 PM

Hello lolilaughed,

Sorry for the delay.

Looking at your system now, one or more of the identified infections is a backdoor Trojan.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Step 1
First, let's make a folder on your desktop. If you don't know how to make a Windows folder, please visit the following link.
http://www.basiccomputerinformation.ca/make-folder-windows/
Make sure to name it sality fix.

Step 2
Please download the following three files from the link below into the folder that you just created.
http://free.grisoft.com/doc/29223/us/frt/0/ndi/67769
  • rmsality.exe
  • rmsality.nt
  • rmsality.dos

Then:
  • Open the sality fix folder
  • Double-click rmsality.exe to run it
  • The scan will now begin (the scan will take some time, so allow it to run completely)
  • When it is completed, hit the button saying Save log... and save it to your desktop
  • Please attach the VirusRemover.log to your next post along with a fresh HJT log






