
Unknown Virus/ unable to remove it


16 replies to this topic

#1 harbingerx

harbingerx

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:56 PM

Posted 17 October 2008 - 03:48 PM

Thank you for the reply, here is my HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:01:08 AM, on 10/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\VDOTool\TBPanel.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe Media Player\Adobe Media Player.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2652 bytes



#2 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:11:56 PM

Posted 27 October 2008 - 09:39 AM

Hello harbingerx,

I apologise for the delay, the forum is too busy.

If you still need help, post a new HijackThis log.

Please let HijackThis finish scanning and the report will open by itself.
Your HijackThis log is very small, many lines are missing.
Private Messages for personal support will be ignored. If you need help post in the forum.

#3 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:11:56 PM

Posted 02 November 2008 - 02:43 AM

Due to the lack of feedback, this Topic is now closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

#4 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:04:56 PM

Posted 02 November 2008 - 10:52 AM

Reopen per OP's request
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 harbingerx

harbingerx
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:56 PM

Posted 02 November 2008 - 11:03 AM

Thank you for granting it. I really need help badly. I had this problem before; unfortunately I didn't get any reply from the forum, and since my concern was urgent I ended up reformatting the hard drives of all 16 computers, including my server.
I was able to clean them and they worked just fine. Now it's back and is wreaking havoc on my network, please help.

#6 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:11:56 PM

Posted 02 November 2008 - 11:24 AM

Hello harbingerx,

So this is a business PC, and we are talking about a network with 16 PCs.

Is there a main pc?
Can you post a HijackThis log from that one? Rename it first as per my instructions below.
----------------------------------------------
RENAME HIJACKTHIS

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Right-click on HijackThis.exe & select Rename to scanner.exe and post back a new Hijackthis log.
----------------------------------------------

Please let HijackThis finish scanning and the report will open by itself.
Your HijackThis log is very small, many lines are missing.

Have in mind the above and let HijackThis finish.

I need to see what infection you have there since this is a business network.

Edited by chryssi2001, 02 November 2008 - 11:31 AM.


#7 harbingerx

harbingerx
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:56 PM

Posted 02 November 2008 - 12:09 PM

Thank you for the reply. I also scanned the forum and found this thread: http://www.bleepingcomputer.com/forums/ind...;hl=sality+worm
We have the exact same problem. Apparently it could be the Win32 Sality worm, it's very, very evil.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:22 AM, on 11/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\wgp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinGuard Pro] C:\WINDOWS\system32\wgp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1224771219859
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe

--
End of file - 4910 bytes

#8 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:11:56 PM

Posted 02 November 2008 - 01:02 PM

Hello harbingerx,

Your HijackThis log doesn't show signs of infections.

What are the symptoms you have?
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
As I am not familiar with WinGuard Pro, please disable it for now, and enable it again after we finish cleaning your PC.
----------------------------------------------
Download ComboFix from one of these locations:
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this topic if you need help to disable your protection programs.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply.

#9 harbingerx

harbingerx
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:56 PM

Posted 02 November 2008 - 01:14 PM

The symptoms I have are the same as this thread: http://www.bleepingcomputer.com/forums/ind...;hl=sality+worm
My Task Manager, regedit and antivirus have been disabled. It prevents me from getting an online scan on any known antivirus website such as McAfee, BitDefender, Trend Micro HouseCall, Kaspersky Online. Unfortunately it has already disabled and corrupted HijackThis. I am now getting a system error message when I run HijackThis.
I am also unable to boot to Safe Mode, which really leaves me no option to fix it.

Here is my ComboFix log:

ComboFix 08-11-01.06 - eosInfinityX 2008-11-02 21:31:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.615 [GMT -8:00]
Running from: C:\Documents and Settings\eosInfinityX\My Documents\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\eosInfinityX\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat

.
((((((((((((((((((((((((( Files Created from 2008-10-03 to 2008-11-03 )))))))))))))))))))))))))))))))
.

2008-11-02 21:20 . 2008-11-02 21:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-11-02 08:19 . 2008-04-13 16:12 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-11-01 10:10 . 2008-04-13 11:45 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-11-01 09:29 . 2008-11-01 09:29 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-10-28 12:10 . 2008-10-31 08:36 31 --a------ C:\WINDOWS\GunzLauncher.INI
2008-10-28 11:14 . 2008-10-28 11:14 <DIR> d-------- C:\ijji
2008-10-28 11:14 . 2008-10-31 09:28 <DIR> d--h----- C:\Documents and Settings\eosInfinityX\Application Data\ijjigame
2008-10-28 11:13 . 2008-10-28 11:13 <DIR> d-------- C:\Program Files\NHN USA
2008-10-28 11:13 . 2008-06-17 19:28 710,064 --a------ C:\WINDOWS\system32\ijjiSetup.exe
2008-10-28 11:13 . 2008-04-23 14:02 157,152 --a------ C:\WINDOWS\system32\PubPlugin.dll
2008-10-28 11:13 . 2008-06-11 23:01 58,800 --a------ C:\WINDOWS\system32\ijjiPlugin2.dll
2008-10-23 11:45 . 2008-10-23 11:45 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-10-23 11:42 . 2008-10-23 11:42 <DIR> d-------- C:\Program Files\WinGuard Pro 2007
2008-10-23 11:42 . 2006-10-18 16:24 282,624 --a------ C:\WINDOWS\system32\wgp.exe
2008-10-23 11:42 . 2004-03-08 23:00 224,016 --a------ C:\WINDOWS\system32\TABCTL32.OCX
2008-10-23 11:42 . 2006-10-07 16:31 221,184 --a------ C:\WINDOWS\system32\rspencr330.ocx
2008-10-23 11:42 . 2004-11-14 04:27 212,992 --a------ C:\WINDOWS\system32\wodShellMenu.dll
2008-10-23 11:42 . 2006-10-02 16:40 106,496 --a------ C:\WINDOWS\system32\wgp_menu.exe
2008-10-23 11:42 . 2006-10-03 08:47 21,835 --a------ C:\WINDOWS\system32\wgp.chm
2008-10-23 11:36 . 2008-11-01 14:57 <DIR> d-------- C:\Program Files\Garena
2008-10-23 11:36 . 2008-10-23 11:36 <DIR> d-------- C:\Documents and Settings\eosInfinityX\Application Data\InstallShield
2008-10-23 11:16 . 2008-11-02 17:09 <DIR> d-------- C:\Program Files\Warcraft III
2008-10-23 11:02 . 2008-10-23 11:02 <DIR> d-------- C:\Documents and Settings\eosInfinityX\Application Data\Yahoo!
2008-10-23 11:02 . 2008-10-23 11:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-10-23 10:58 . 2008-10-23 11:08 <DIR> d-------- C:\Program Files\Perfect World
2008-10-23 10:32 . 2008-10-23 10:32 <DIR> d-------- C:\Program Files\Netgames
2008-10-23 10:04 . 2008-11-02 17:11 <DIR> d-------- C:\Program Files\Lineage II the Kamael
2008-10-23 09:57 . 2008-10-23 09:57 <DIR> d-------- C:\Program Files\Dragonfly
2008-10-23 09:30 . 2008-11-02 21:12 <DIR> d-------- C:\Program Files\RF Online Crimson Dawn
2008-10-23 08:54 . 2008-10-23 08:54 <DIR> d-------- C:\Program Files\Netplay
2008-10-23 08:46 . 2008-10-23 08:46 <DIR> d-------- C:\Program Files\Mobius
2008-10-23 08:42 . 2003-07-20 01:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-10-23 08:42 . 2005-01-03 16:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-10-23 07:54 . 2008-10-23 08:03 <DIR> d-------- C:\Program Files\e-Games
2008-10-23 07:50 . 2008-10-23 07:50 <DIR> d-------- C:\Documents and Settings\eosInfinityX\Application Data\OpenOffice.org
2008-10-23 07:49 . 2008-10-23 07:49 <DIR> d-------- C:\Program Files\OpenOffice.org 3
2008-10-23 07:49 . 2008-10-23 07:49 <DIR> d-------- C:\Program Files\JRE
2008-10-23 07:49 . 2008-06-10 01:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-23 07:48 . 2008-10-23 07:49 <DIR> d-------- C:\Program Files\Java
2008-10-23 07:48 . 2008-10-23 07:48 <DIR> d-------- C:\Program Files\Common Files\Java
2008-10-23 07:44 . 2008-10-23 07:46 <DIR> d-------- C:\Program Files\Yahoo!
2008-10-23 07:44 . 2008-10-25 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-10-23 07:36 . 2008-10-23 07:36 0 --a------ C:\WINDOWS\nsreg.dat
2008-10-23 07:33 . 2008-10-23 07:33 <DIR> d--hs---- C:\Documents and Settings\eosInfinityX\PrivacIE
2008-10-23 07:28 . 2008-10-23 07:29 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-10-23 07:22 . 2008-10-23 07:22 <DIR> d-------- C:\Program Files\Windows Defender
2008-10-23 07:21 . 2008-10-23 07:21 <DIR> d-------- C:\Documents and Settings\eosInfinityX\Application Data\PC Tools
2008-10-23 07:21 . 2008-11-02 07:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-23 07:20 . 2008-11-02 21:05 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2008-10-23 07:20 . 2008-10-23 07:20 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-10-23 07:20 . 2008-10-23 07:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-10-23 07:20 . 2006-11-24 09:19 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-10-23 07:20 . 2006-11-24 09:19 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-10-23 07:20 . 2007-12-06 14:51 28,568 --a------ C:\WINDOWS\system32\drivers\AVHook.sys
2008-10-23 07:20 . 2007-12-06 14:51 21,912 --a------ C:\WINDOWS\system32\drivers\AVRec.sys
2008-10-23 07:20 . 2008-02-12 09:44 21,904 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys
2008-10-23 07:05 . 2008-10-23 07:07 <DIR> d-------- C:\WINDOWS\nview
2008-10-23 07:05 . 2007-02-28 21:36 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-10-23 07:05 . 2008-11-02 21:05 89,134 --a------ C:\WINDOWS\system32\nvapps.xml
2008-10-23 07:05 . 2007-02-28 21:36 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-10-23 07:04 . 2006-11-29 12:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-10-23 07:04 . 2006-09-28 15:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-10-23 07:04 . 2007-01-24 14:27 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2008-10-23 07:04 . 2006-12-08 11:02 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2008-10-23 07:04 . 2006-09-28 15:05 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2008-10-23 07:04 . 2006-09-28 15:04 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-10-23 07:04 . 2007-01-08 14:30 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2008-10-23 06:50 . 2008-10-23 06:50 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-10-23 06:50 . 2008-10-23 06:50 <DIR> d-------- C:\WINDOWS\system32\en
2008-10-23 06:50 . 2008-10-23 06:50 <DIR> d-------- C:\WINDOWS\system32\bits
2008-10-23 06:50 . 2008-10-23 06:50 <DIR> d-------- C:\WINDOWS\l2schemas
2008-10-23 06:49 . 2008-10-23 06:49 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-10-23 06:45 . 2008-10-23 06:45 <DIR> d-------- C:\WINDOWS\EHome
2008-10-23 06:41 . 2007-02-28 21:36 3,994,688 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-10-23 06:15 . 2007-07-30 18:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-10-23 06:15 . 2007-07-30 18:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-10-23 06:15 . 2007-07-30 18:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-10-23 06:15 . 2007-07-30 18:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-10-23 06:15 . 2007-07-30 18:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-10-23 06:13 . 2008-10-23 06:13 <DIR> d--hs---- C:\Documents and Settings\eosInfinityX\UserData
2008-10-23 06:12 . 2008-10-23 06:12 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-10-23 06:06 . 2008-10-23 06:06 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-10-23 06:06 . 2008-10-23 06:06 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-10-23 06:06 . 2008-10-23 06:06 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-10-23 06:04 . 2008-04-13 11:17 83,072 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-10-23 06:04 . 2008-04-13 10:45 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2008-10-23 06:04 . 2006-08-01 14:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-10-23 06:04 . 2008-04-13 10:45 6,272 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-10-23 06:03 . 2008-10-23 06:03 <DIR> d-------- C:\Program Files\Realtek
2008-10-23 06:02 . 2008-10-23 06:02 <DIR> d-------- C:\Program Files\Driver
2008-10-23 06:02 . 2006-09-12 13:34 499,712 --a------ C:\WINDOWS\RtlExUpd.dll
2008-10-23 06:02 . 1998-10-29 15:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-10-23 06:01 . 2008-10-23 06:01 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-10-23 06:01 . 2008-10-28 11:13 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-10-23 06:01 . 2008-10-23 06:01 1,024 --a------ C:\.rnd
2008-10-23 06:01 . 2008-10-23 06:01 22 --a------ C:\WINDOWS\FileName
2008-10-23 06:00 . 2006-08-29 15:29 446,464 --a------ C:\WINDOWS\system32\CapabilityTable.exe
2008-10-23 06:00 . 2006-08-13 22:51 363,008 -ra------ C:\WINDOWS\system32\idecoiins.dll
2008-10-23 06:00 . 2006-08-13 22:51 363,008 -ra------ C:\WINDOWS\system32\idecoi.dll
2008-10-23 06:00 . 2006-08-06 22:07 208,896 --------- C:\WINDOWS\system32\nvuide.exe
2008-10-23 06:00 . 2006-08-13 22:51 105,344 -ra------ C:\WINDOWS\system32\drivers\nvata.sys
2008-10-23 06:00 . 2006-08-06 22:08 35,840 -ra------ C:\WINDOWS\system32\NVCOI.DLL
2008-10-23 06:00 . 2006-05-31 23:32 1,570 --------- C:\WINDOWS\system32\nvide.nvu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-23 14:00 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-10-23 13:52 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-22 10:08 878,592 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-22 10:08 43,008 ----a-w C:\WINDOWS\system32\licmgr10.dll
2008-08-22 10:07 18,944 ----a-w C:\WINDOWS\system32\corpol.dll
2008-08-22 10:06 72,704 ----a-w C:\WINDOWS\system32\admparse.dll
2008-08-22 10:06 71,680 ----a-w C:\WINDOWS\system32\iesetup.dll
2008-08-22 10:06 434,176 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-08-22 10:05 48,640 ------w C:\WINDOWS\system32\PrivacIE.dll
2008-08-22 10:05 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2008-08-22 10:05 35,840 ----a-w C:\WINDOWS\system32\imgutil.dll
2008-08-22 10:04 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2008-08-22 09:57 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2008-08-06 00:55 265,720 ----a-w C:\WINDOWS\system32\msdbg2.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-02-28 7700480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-02-28 86016]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-09-25 1370000]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WinGuard Pro"="C:\WINDOWS\system32\wgp.exe" [2006-10-18 282624]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-02-28 C:\WINDOWS\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Garena\\Garena.exe"=
"C:\\Program Files\\Dragonfly\\Special Force\\specialforce.exe"=
"C:\\ComboFix\\nircmd.com"=
"C:\\WINDOWS\\system32\\wgp.exe"=

R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-15 13696]
R3 abp470n5;abp470n5;C:\WINDOWS\system32\drivers\gklfir.sys [ ]
S3 XDva059;XDva059;C:\WINDOWS\system32\XDva059.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c77b1fe-a8f9-11dd-bb60-00e04d1f06c4}]
\sHeLl\AutoPlay\COMmANd - D:\hmivvu.pif
\sHeLl\AutoRun\command - D:\hmivvu.pif
\sHeLl\ExPlore\COMMAnd - D:\hmivvu.pif
\sHeLl\oPEN\COmManD - D:\hmivvu.pif

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-03 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\eosInfinityX\Application Data\Mozilla\Firefox\Profiles\un9nxcwn.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-02 21:32:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-02 21:35:07
ComboFix-quarantined-files.txt 2008-11-03 05:35:05

Pre-Run: 44,811,882,496 bytes free
Post-Run: 44,820,832,256 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

219 --- E O F --- 2008-10-28 07:50:19

#10 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:11:56 PM

Posted 02 November 2008 - 03:15 PM

Hello harbingerx,

Do you know what this folder is?
C:\ijji

For a business PC, I can see a lot of games installed.
How come?
----------------------------------------------
Yes, you are infected by Sality.

It is possible you won't be able to download tools on your PC.
We will also need to download other tools to fix this infection, so if you are not able to download tools, we'll need a USB stick to transfer the tools from another PC.

For now, follow these instructions.

Let me know if you have problems.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.bleepingcomputer.com/forums/t/175441/unknown-virus-unable-to-remove-it/?p=994339
    
    Collect::
    C:\WINDOWS\system32\drivers\gklfir.sys
    D:\hmivvu.pif
    
    DirLook::
    C:\Documents and Settings\eosInfinityX\UserData
    C:\Program Files\Driver
    C:\WINDOWS\FileName
    
    Driver::
    abp470n5
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c77b1fe-a8f9-11dd-bb60-00e04d1f06c4}]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

#11 harbingerx

harbingerx
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:56 PM

Posted 02 November 2008 - 03:31 PM

It is an Internet cafe, that's why I have games. :thumbsup:

I did as you told me: dragged the CFScript.txt onto ComboFix and nothing happened. It just showed a status bar like it's installing or something, but that's about it.

#12 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:11:56 PM

Posted 02 November 2008 - 04:00 PM

C:\ijji << Is this a game?

So Combofix didn't run?

Ok let's try this.

If you can't download on this pc, transfer the tools with a USB.

It would be useful if you saved all the instructions in Notepad and transferred them with the USB as well, so you'll know what to do.

Read all my post carefully.

If you need to use a USB, download all the tools, and then transfer them to the infected PC.
----------------------------------------------
Download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here: http://downloads.malwareremoval.com/BillCa...FixPolicies.exe
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box should briefly appear and then close. This will enable your Control Panel and stop the Administrative warnings, at least until the malware infection resets the registry policy keys again. You can run this as many times as you like. A permanent fix requires removing the infection.
----------------------------------------------
SAFE BOOT REPAIR

Download & run this tool SafeBootKeyRepair-CF.

It shall only take a short moment for it to finish running. A log shall be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply.
----------------------------------------------
Now re-do the step with Combofix which i posted before.

Let me know what happened, if any reports, please post them back.
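An added example, not code from this thread, from ComboFix or from FixPolicies: a small Python triage script that reads the "Reg Loading Points" section of the ComboFix log harbingerx posted above, flags the tampering chryssi2001 read from it (Task Manager and regedit policy lockouts, Security Center override values, the XP firewall switched off, a driver whose file ComboFix could not find, and the case-mangled MountPoints2 autorun handlers pointing at a .pif on D:), and then drafts the kind of policy reset that the FixPolicies step above performs. SAMPLE_LOG is copied from that log; the indicator rules are limited to what it shows; the expansion of ComboFix's `HKLM\~\services` shorthand to `HKLM\SYSTEM\CurrentControlSet\services` is an assumption.

```python
"""Triage a ComboFix 'Reg Loading Points' section and draft a policy-reset .reg.

Added example for this thread; not code from BleepingComputer, ComboFix or
FixPolicies. SAMPLE_LOG is copied from the ComboFix log in the thread.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-15 13696]
R3 abp470n5;abp470n5;C:\WINDOWS\system32\drivers\gklfir.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c77b1fe-a8f9-11dd-bb60-00e04d1f06c4}]
\sHeLl\AutoPlay\COMmANd - D:\hmivvu.pif
\sHeLl\AutoRun\command - D:\hmivvu.pif
"""

@dataclass
class Finding:
    kind: str    # policy | seccenter | firewall | driver_missing | autorun
    key: str     # registry key (service name for driver_missing)
    name: str    # value name, or the shell verb for autorun hits
    value: object

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
# "R3 svc;display;C:\path\file.sys [ ]": empty brackets = ComboFix found no file info
DRIVER_RE = re.compile(r"^[RS]\d+\s+([^;]+);[^;]*;(\S+)\s+\[\s*\]$")
AUTORUN_RE = re.compile(r"^\\(shell\\\S+)\s+-\s+(.+)$", re.IGNORECASE)
POLICY_LOCKOUTS = {"disabletaskmgr", "disableregistrytools"}
RISKY_EXT = (".pif", ".com", ".scr", ".bat", ".cmd")

def parse_int(raw):
    """ComboFix prints DWORDs as 'dword:00000001' or '1 (0x1)'; anything else -> None."""
    m = re.match(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x", raw)
    return int(m.group(1)) if m else None

def triage(text):
    findings, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # remember which key the following values belong to
            continue
        lk = key.lower()
        m = VALUE_RE.match(line)
        if m:
            name, val = m.group(1), parse_int(m.group(2))
            if lk.endswith(r"policies\system") and name.lower() in POLICY_LOCKOUTS and val == 1:
                findings.append(Finding("policy", key, name, val))
            elif "security center" in lk and val == 1 and name.endswith(("Override", "DisableNotify")):
                findings.append(Finding("seccenter", key, name, val))
            elif "firewallpolicy" in lk and name == "EnableFirewall" and val == 0:
                findings.append(Finding("firewall", key, name, val))
            continue
        m = DRIVER_RE.match(line)
        if m:                          # a lead to review, not a verdict on its own
            findings.append(Finding("driver_missing", m.group(1), "", m.group(2)))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in lk:
            verb, target = m.groups()
            mangled = verb != verb.lower() and verb != verb.upper()   # sHeLl-style casing
            if mangled or target.lower().endswith(RISKY_EXT):
                findings.append(Finding("autorun", key, verb, target))
    return findings

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

def expand_key(key):
    """Full key path for regedit. Assumption: 'HKLM\~\services' is ComboFix shorthand
    for HKLM\SYSTEM\CurrentControlSet\services."""
    hive, _, rest = key.partition("\\")
    rest = rest.replace("~\\services", "SYSTEM\\CurrentControlSet\\services", 1)
    return HIVES.get(hive.upper(), hive) + "\\" + rest

def reset_reg(findings):
    """Draft a .reg undoing the policy tampering (what FixPolicies does): lockouts and
    overrides back to 0, EnableFirewall back to 1. Driver and autorun hits are left out
    on purpose: they need quarantine and review, not a blind registry edit. As the thread
    says, the malware re-sets these keys until it is actually removed."""
    wanted = {"policy": 0, "seccenter": 0, "firewall": 1}
    by_key = {}
    for f in findings:
        if f.kind in wanted:
            by_key.setdefault(expand_key(f.key), []).append((f.name, wanted[f.kind]))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in by_key.items():
        lines.append(f"[{key}]")
        lines += [f'"{name}"=dword:{v:08x}' for name, v in values]
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:15} {f.key}  {f.name} {f.value}")
    print(reset_reg(found))
```

Run it as-is to see the ten hits from the sample and the drafted .reg; for another log, paste that log's REGEDIT4 section into `triage()`. The .reg is only a stopgap, exactly as chryssi2001 says of FixPolicies: the driver and the D:\ autorun handler are what the CFScript above collects and removes, and the reset holds only until the infection is gone.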

#13 harbingerx

harbingerx
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:56 PM

Posted 02 November 2008 - 11:22 PM

I did as you instructed but I am getting the message "Windows cannot access the specified device path or file. You may not have appropriate permission to access the item." Should I give up and reformat?

#14 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:11:56 PM

Posted 03 November 2008 - 01:22 AM

Which tool gives you that message and when?

Let me know exactly what you did, as per my instructions, so I will understand.

Have a read here about the Sality infection.

For sure the best method would be to reformat all the network.

Edited by chryssi2001, 03 November 2008 - 03:37 AM.
add a link


#15 harbingerx

harbingerx
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:56 PM

Posted 04 November 2008 - 10:03 AM

Thank you for the reply and all the help, I really appreciate it. However, I just ended up reformatting. But this should not be the case; this malware is destructive and evil. I wish there were an existing antivirus that can truly remove and clean this virus. So far none of the available antivirus software I know of works.



