Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible "Sality" virus infection


  • This topic is locked This topic is locked
2 replies to this topic

#1 pepps

pepps

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 18 January 2009 - 04:33 AM

Hi all, I believe i'm infected with the sality virus.

The symptoms are:
Unable to open task manager of registry editor.
Unable to start in safe mode.
Unable to download anti virus software which are supposed to destroy sality.
3 Random .exe files run from my temp folder, eg. winhyach.exe (when you delete them more appear soon after)
Hidden files are changed to hidden immediatly after you change them back.

I have tried running combofix and many other programs which i have on my laptop but none can detect it.

These sound like all the symptoms of sality, although i have looked at many sites of how to manually delete the sality virus and they always tell you to search for files with the word "sality" in them and delete two or three .dll files affiliated with the virus, however i can never find these files and so the virus remains.

I hope someone can help. Thanks, Pepps



DDS (Ver_09-01-07.01) - NTFSx86

Run by eadams at 3:30:04.89 on 18/01/2009

Internet Explorer: 6.0.2600.0000 BrowserJavaVersion: 1.6.0_03

Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.190.71 [GMT 0:00]





============== Running Processes ===============



C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\acs.exe

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\HPConfig.exe

C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe

C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\eadams\Desktop\dds.scr



============== Pseudo HJT Report ===============



uStart Page = hxxp://www.google.co.uk/

uDefault_Search_URL = hxxp://srch-us4nb.hpwis.com/

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://srch-us4nb.hpwis.com/

uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/info/e-center-p

uInternet Settings,ProxyServer = 218.11.207.244:80

EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll

mRun: [ATIModeChange] Ati2mdxx.exe

mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mRun: [CARPService] carpserv.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\cardbus f5d701f\wireless utility\Belkinwcui.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link\airplus g wireless adapter utility\AirPlus.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~2.lnk - c:\program files\d-link\airplus g wireless adapter utility\Reg.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - c:\program files\microsoft office\office\1033\OLFSNT40.EXE

uPolicies-system: **del.DisableTaskMgr =

uPolicies-system: DisableTaskMgr = 1 (0x1)

uPolicies-system: DisableRegistryTools = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

AppInit_DLLs: fbenyj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL



================= FIREFOX ===================



FF - ProfilePath -



============= SERVICES / DRIVERS ===============



R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-1-15 821856]

R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-1-15 4224]

R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-1-15 27776]

R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-1-15 10760]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-5-28 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\fdijjm.sys --> c:\windows\system32\drivers\fdijjm.sys [?]

R3 Belkin701F;Belkin Wireless G Notebook Card Service v7;c:\windows\system32\drivers\BLKWGNv7.SYS [2007-7-8 303616]

R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [2003-4-8 291328]

R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2003-4-8 244608]

R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [2003-4-8 16512]

R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2007-7-8 13532]

R4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-9-25 574808]

R4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2008-1-15 4960]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]

S4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-1-15 418816]

S4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-1-15 49664]

S4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2008-1-15 406528]



=============== Created Last 30 ================



2009-01-17 06:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-17 03:59 <DIR> --d----- C:\Deckard

2009-01-09 10:22 <DIR> --d----- C:\MSNCleaner



==================== Find3M ====================



2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys

2008-10-29 18:31 459,920 a------- c:\windows\system32\PerfStringBackup.TMP

1998-12-09 02:53 186,368 a------- c:\program files\common files\IRAREG.DLL

1998-12-09 02:53 99,840 a------- c:\program files\common files\IRAABOUT.DLL

1998-12-09 02:53 70,144 a------- c:\program files\common files\IRAMDMTR.DLL

1998-12-09 02:53 48,640 a------- c:\program files\common files\IRALPTTR.DLL

1998-12-09 02:53 31,744 a------- c:\program files\common files\IRAWEBTR.DLL

1998-12-09 02:53 17,920 a------- c:\program files\common files\IRASRIAL.DLL



============= FINISH: 3:30:52.31 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 pepps

pepps
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:54 PM

Posted 21 January 2009 - 03:58 AM

I have fixed the problem by browsing throw the forum and finding an old post with the same problem, i followed the steps and the virus has been removed.

Thanks to everyone at bleepingcomputer anyway, you can delete or close this thread now.

:thumbup2:

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:03:54 PM

Posted 21 January 2009 - 11:19 AM

Thanks for informing us.

This thread is closed.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users