
W32 Sality Virus



#1 chunl


Posted 22 September 2008 - 03:07 AM

Hi BleepingComputer experts. My laptop (Microsoft Vista Business) has been infected by W32 Sality. The Run button disappeared from Start, my Task Manager cannot be started, and Regedit was disabled by the administrator, but I'm the administrator. All my .exe files are infected. I'm running SDfixa2cmd.exe, Norman Malware Cleaner, AVG Free Edition and a virus remover for W32 Sality now. I also tried Errosmart and AntiSpyware, but after scanning and removing threats, Task Manager and Regedit are still not enabled.
I really need serious help here. I have HijackThis on my computer too. I seriously need instructions to clear this W32 Sality.

This is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:32 PM, on 22/9/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Users\chun\AppData\Local\Temp\winpdtt.exe
C:\Users\chun\AppData\Local\Temp\winqklter.exe
C:\Windows\system32\cleanmgr.exe
C:\Users\chun\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TR0M2572\stinger[1].exe
C:\Program Files\hijackthis\analyze.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.tp.edu.sg;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [Antispyware] C:\Program Files\AntiSpyware\App\Antispyware.exe -boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: explorer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - http://cdn.scan.onecare.live.com/resource/...g/wlscctrl2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AntiSpyware Scanning Engine (AntiSpywareSrv) - Unknown owner - C:\Program Files\AntiSpyware\App\AntiSpyware.srv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\Windows\system32\oodag.exe
O23 - Service: o2flash - O2Micro International - C:\Windows\system32\o2flash.exe
O23 - Service: PowerSavingUtilityService - FUJITSU LIMITED - C:\Program Files\Fujitsu\PSUtility\PSUService.exe
O23 - Service: UpdateNaviInstallService - FUJITSU LIMITED - C:\Program Files\FUJITSU\updnavi\updnvsrv.exe

--
End of file - 5376 bytes

Merged posts. ~ OB

Edited by Orange Blossom, 22 September 2008 - 06:39 PM.
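A small triage pass over a HijackThis log of the shape posted above, added here as an example (it is not part of the thread, nor of HijackThis): it flags the three things a helper would look at first in that log, namely processes running from a Temp directory, the O7 policy line that disables Regedit, and a Windows binary name launched from the user's Startup folder. The sample lines are constructed to mirror the posted log and the heuristics are the example's own choices, not HijackThis rules.

```python
import re

# Constructed sample in the shape of the posted HijackThis log (not the real log).
SAMPLE_LOG = """\
Running processes:
C:\\Windows\\Explorer.EXE
C:\\Users\\chun\\AppData\\Local\\Temp\\winpdtt.exe
C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE

O4 - HKLM\\..\\Run: [MSConfig] "C:\\Windows\\system32\\msconfig.exe" /auto
O4 - Startup: explorer.exe
O7 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1
O23 - Service: O&O Defrag - O&O Software GmbH - C:\\Windows\\system32\\oodag.exe
"""

# Heuristics chosen for this example; they are not HijackThis rules.
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)
# Names of Windows binaries that have no business in a user's Startup folder.
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "winlogon.exe", "services.exe"}
# O7 policy values that lock the user out of admin tools (the posted log shows the first).
POLICY_LOCKOUTS = ("DisableRegedit=1", "DisableTaskMgr=1")


def triage(log_text):
    """Return (line, reason) pairs for log lines that merit a closer look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True          # the block lists one image path per line
            continue
        if not line:
            in_processes = False         # a blank line ends the process block
            continue
        if in_processes and TEMP_DIR.search(line):
            findings.append((line, "process running from a Temp directory"))
        elif line.startswith("O7 ") and any(p in line for p in POLICY_LOCKOUTS):
            findings.append((line, "policy disables an admin tool"))
        elif line.startswith("O4 - Startup:"):
            target = line.split(":", 1)[1].strip().lower()
            if target in SYSTEM_NAMES:
                findings.append((line, "system binary name in user Startup folder"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```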



#2 kahdah


Posted 03 October 2008 - 10:36 AM

Hello chunl

Welcome to BleepingComputer.
========================
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

Please do not PM for help; post it in the forums instead.

If I am helping you and have not responded for 48 hours, please send me a PM, as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.



