
WM/Sality Virus


  • This topic is locked
5 replies to this topic

#1 Joy Nandi

Joy Nandi

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:17 PM

Posted 18 February 2009 - 01:10 PM

I have the WM/Sality infection on my PC. I've gone to multiple blogs and done everything that is there to do (I think!) except reformat - which I would like to avoid if possible.

I have:
1. used netsh firewall set opmode enable to re-enable the disabled firewall
2. I have used another downloaded windows registry opener (since task manager and regedit were disabled) - to re-enable safeboot, regedit, taskmanager, and even changed back the registry entries for antivirus and firewall back to "0" (from the "1" that it had been changed to)
3. I've booted into safe mode - and used combofix, rm_sality.exe, CC_cleaner, VirusScan 8.0.0 Enterprise - to try and clean my system many times. Every single time (after scan completion and reboot), antivirus gets disabled, and I keep finding some infected file (including creation of autorun.inf files in some cases).

Is there any way / any software which kills ALL the files? Also, the registry and .INI files - can they be restored back so that the firewall is always enabled?

Attached my combofix log (run a second time, after the first time it again found some files and deleted them). Is there anything else I need to do?

ComboFix 09-02-17.02 - Kiran Negi 2009-02-18 23:13:13.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1598 [GMT 5.5:30]
Running from: c:\documents and settings\Kiran Negi\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-01-18 to 2009-02-18 )))))))))))))))))))))))))))))))
.

2009-02-18 09:02 . 2009-02-18 09:02 <DIR> d-------- c:\program files\CCleaner
2009-02-17 21:15 . 2009-02-17 21:15 <DIR> d-------- c:\program files\Common Files\Deterministic Networks
2009-02-17 21:15 . 2006-04-20 08:33 303,740 --a------ c:\windows\system32\drivers\CVPNDRVA.sys
2009-02-17 21:15 . 2006-04-20 08:34 197,680 --a------ c:\windows\system32\vpnapi.dll
2009-02-17 21:15 . 2005-05-17 04:51 5,315 --a------ c:\windows\system32\drivers\CVirtA.sys
2009-02-12 00:47 . 2009-02-18 01:47 <DIR> d-------- c:\program files\Registry Workshop
2009-02-12 00:06 . 2009-02-12 00:06 118,784 --a------ c:\windows\system32\chg.exe
2009-02-11 23:52 . 2008-11-11 02:15 344,064 --a------ C:\rmsality_2.EXE
2009-02-11 23:52 . 2008-11-11 02:15 212,509 --a------ C:\rmsality_3.EXE
2009-02-11 23:52 . 2008-11-11 02:15 161,280 --a------ C:\rmsality.exe
2009-02-11 23:10 . 2009-02-11 23:10 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-02-11 22:45 . 2009-02-11 22:05 <DIR> d-------- c:\documents and settings\Himotpal\Application Data\SampleView
2009-02-11 22:45 . 2009-02-11 22:47 <DIR> d-------- c:\documents and settings\Himotpal
2009-02-11 19:33 . 2009-02-11 19:33 95,744 -r-hs---- c:\windows\system32\nmdfgds3.dll
2009-02-11 10:15 . 2008-04-14 05:42 69,120 --a------ c:\windows\AhnRpta.exe
2009-02-11 10:06 . 2009-02-11 10:06 89,600 -r-hs---- c:\windows\system32\cvnmhg0.dll
2009-02-09 23:54 . 2009-02-11 23:06 <DIR> d-------- c:\program files\SUPER
2009-02-09 23:54 . 2009-02-11 22:06 <DIR> d-------- c:\program files\AviSynth 2.5
2009-02-03 10:02 . 2000-10-19 14:05 25,088 --a------ c:\windows\system32\msxml3a.dll
2009-02-03 09:51 . 2009-02-11 23:00 <DIR> d-------- c:\program files\Business-in-a-Box

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-18 17:34 --------- d-----w c:\documents and settings\Kiran Negi\Application Data\HPAppData
2009-02-17 15:45 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-11 22:06 --------- d-----w c:\program files\iTunes
2009-02-11 18:21 --------- d-----w c:\program files\QuickTime
2009-02-11 17:37 --------- d-----w c:\program files\Windows Media Connect 2
2009-02-11 17:36 --------- d-----w c:\program files\Motorola Phone Tools
2009-02-11 17:34 --------- d-----w c:\program files\LimeWire
2009-02-11 17:32 --------- d-----w c:\program files\Hewlett-Packard
2009-02-11 17:30 --------- d-----w c:\program files\Avanquest update
2009-02-11 17:30 --------- d-----w c:\program files\Apple Software Update
2009-02-11 16:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2006-05-03 10:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2008-03-16 13:30 216,064 --sh--r c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-26 141848]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-02-17 1528880]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{BB4C402F-882A-4526-8C08-51278EA437C1}"= "c:\windows\system32\afmain0.dll" [2008-04-14 78848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BIBLauncher]
--------- 2008-11-12 15:34 613080 c:\program files\Business-in-a-Box\BIBLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PCA"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"getPlus® Helper"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\RTHDCPL.EXE"=
"c:\\Program Files\\Cisco Systems\\VPN Client\\vpngui.exe"=
"c:\\ComboFix\\NirCmd.cfexe"=
"c:\\WINDOWS\\system32\\IPCONFIG.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqbam08.exe"=
"c:\\Program Files\\Business-in-a-Box\\BIBLauncher.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowRedirect"= 1 (0x1)

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2008-11-06 59904]
R3 CTL518;Video Blaster WebCam (WDM);c:\windows\system32\drivers\wcvid.sys [2000-11-28 179608]
S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\rfoqif.sys --> c:\windows\system32\drivers\rfoqif.sys [?]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2008-09-16 6016]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-09-16 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-09-16 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-09-16 42112]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2008-09-16 23296]
S4 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-09-16 33752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8adaa69-ab58-11dd-899f-00059a3c7800}]
\Shell\AutoRun\command - G:\qphdin.com
\Shell\open\Command - G:\qphdin.com
.
Contents of the 'Scheduled Tasks' folder

2009-02-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-02-11 23:00]

2009-02-18 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Joy Nandi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kiran Negi\Application Data\Mozilla\Firefox\Profiles\q3tfr2lc.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 23:13:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-18 23:14:27
ComboFix-quarantined-files.txt 2009-02-18 17:44:26
ComboFix2.txt 2009-02-18 17:42:34

Pre-Run: 135,119,089,664 bytes free
Post-Run: 135,099,215,872 bytes free

165 --- E O F --- 2009-02-11 18:29:35
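Two entries in the log above are the ones a responder would pull out first: the Security Center value "AntiVirusOverride"=dword:00000001 (which silences the warning that antivirus is off) and the MountPoints2 shell verbs that point AutoRun and Open at G:\qphdin.com on a removable drive. As an added example, not part of the post and not ComboFix's own code, the Python below parses the REGEDIT4-style "Reg Loading Points" section and flags exactly those two patterns. The sample text is constructed from the entries quoted above; the `FirewallOverride` sibling value is an assumption noted in a comment and is not checked.

```python
"""Flag risky entries in a REGEDIT4-style dump such as the 'Reg Loading Points'
section of a ComboFix log.  Added example; SAMPLE_DUMP is constructed to mirror
the entries quoted in the post."""
import re

SAMPLE_DUMP = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8adaa69-ab58-11dd-899f-00059a3c7800}]
\Shell\AutoRun\command - G:\qphdin.com
\Shell\open\Command - G:\qphdin.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-26 141848]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 c:\windows\RTHDCPL.exe]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# ComboFix prints MountPoints2 shell verbs unquoted: "\Shell\<verb> - <target>"
MOUNTPOINT_RE = re.compile(r"^\\Shell\\(AutoRun\\command|open\\Command)\s*-\s*(.+)$", re.I)


def parse_dump(text):
    """Return a list of (key, name, value) tuples for every value line."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((key, m.group(1), m.group(2).strip()))
            continue
        m = MOUNTPOINT_RE.match(line)
        if m:
            entries.append((key, m.group(1), m.group(2).strip()))
    return entries


def _dword_is_set(value):
    """True for a REGEDIT4 'dword:XXXXXXXX' value that is non-zero."""
    v = value.lower()
    return v.startswith("dword:") and int(v[6:], 16) != 0


def analyze(text):
    """Return human-readable findings for the two patterns seen in the log."""
    findings = []
    for key, name, value in parse_dump(text):
        kl, nl = key.lower(), name.lower()
        # Security Center override: the OS stops warning that AV is disabled.
        # (Assumption: the same check could be applied to a FirewallOverride value.)
        if kl.endswith("security center") and nl == "antivirusoverride" and _dword_is_set(value):
            findings.append(f"{name}=1 under Security Center: Windows will not warn that antivirus is off")
        # Any shell verb hijacked under MountPoints2 runs a file from that drive
        # when the drive is opened or autorun fires.
        elif "mountpoints2" in kl:
            findings.append(f"MountPoints2 shell verb {name} runs {value} (removable-drive autorun hijack)")
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_DUMP):
        print("FINDING:", f)
```

Run against a real ComboFix log, the same `analyze()` would be fed only the text between the "Reg Loading Points" banner and the service list; ordinary Run entries such as IgfxTray pass through without a finding.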


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:47 AM

Posted 23 February 2009 - 09:02 PM

Hello.

You do not have to do a format, but you can do a reinstall. Do you know how serious Sality can be? Take a look below. If you still wish to disinfect tell me and we will do so.

Sality and file infectors are very nasty. The only possible reason why you may have got this infection again is because if you backed up any files it may have contained Sality or you visited a site that was malicious or you got re-infected again.

If you wish not to format/reinstall let me know.

Sality File Infector Warning

Your system is infected with a polymorphic file infector called Sality. Sality is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr) and also web pages (.html and .htm). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a clean Reinstall or Reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc) only. DO NOT back up any executable files (software) and screensavers (*.scr) or any web pages (*.html or *.htm). It attempts to infect any accessed .exe or .scr or .html/.htm files by appending itself to the executable.

Also, try to avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Sality can penetrate and infect .exe files inside compressed files too.

Tell me what you decide to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
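The backup rule in the post (no .exe or .scr, no .html/.htm, and no archives with executables inside) is tedious to apply by hand across a large home directory. As an added example, not the responder's or BleepingComputer's code, the Python below walks a folder and reports which files to leave out of the backup, opening zip archives to check their members. Only zip is inspected because that is what the standard library reads; cab and rar are left to their own tools (an assumption, noted in a comment). The sample tree is constructed in a temporary directory.

```python
"""Report files that should not be carried over from a Sality-infected machine.
Added example; build_sample_tree() creates constructed sample files."""
import os
import tempfile
import zipfile
from pathlib import Path

# File types the post says the infector modifies by appending itself.
INFECTABLE = {".exe", ".scr", ".html", ".htm"}
# Members inside an archive that make the whole archive unsafe to back up.
INFECTABLE_MEMBERS = {".exe", ".scr"}
# Assumption: only zip is opened here; .cab/.rar need their own extractors.
ARCHIVES = {".zip"}


def classify(path):
    """Return 'ok' or a 'skip: ...' reason for one file."""
    path = Path(path)
    suffix = path.suffix.lower()
    if suffix in INFECTABLE:
        return "skip: infectable file type"
    if suffix in ARCHIVES:
        try:
            with zipfile.ZipFile(path) as zf:
                bad = [n for n in zf.namelist()
                       if Path(n).suffix.lower() in INFECTABLE_MEMBERS]
        except zipfile.BadZipFile:
            return "skip: unreadable archive"
        if bad:
            return "skip: archive contains " + ", ".join(bad)
    return "ok"


def scan(root):
    """Map every file under root (posix-style relative path) to its verdict."""
    root = Path(root)
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            results[p.relative_to(root).as_posix()] = classify(p)
    return results


def build_sample_tree():
    """Constructed sample: a few documents, infectable files and archives."""
    root = Path(tempfile.mkdtemp(prefix="backup_check_"))
    (root / "docs").mkdir()
    (root / "docs" / "thesis.docx").write_bytes(b"constructed document")
    (root / "photo.jpg").write_bytes(b"\xff\xd8 constructed jpeg")
    (root / "setup_tool.exe").write_bytes(b"MZ constructed")
    (root / "saver.scr").write_bytes(b"MZ constructed")
    (root / "notes.html").write_text("<html>constructed</html>")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:
        zf.writestr("readme.txt", "constructed")
        zf.writestr("bin/installer.exe", "MZ constructed")
    with zipfile.ZipFile(root / "pictures.zip", "w") as zf:
        zf.writestr("cat.jpg", "constructed")
    (root / "corrupt.zip").write_bytes(b"not really a zip")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, verdict in sorted(scan(tree).items()):
        print(f"{verdict:40s} {rel}")
```

Files marked "ok" are the candidates for the backup; anything marked "skip" is either reinstalled from a clean source after the rebuild or, for archives, rebuilt without the executable members.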

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:47 AM

Posted 26 February 2009 - 04:38 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy

#4 Joy Nandi

Joy Nandi
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:17 PM

Posted 28 February 2009 - 03:35 AM

Thanks for your advice ... will use the HP recovery tools that are there on my desktop and try to reinstall ... damn the backup before that! ... I have zip files with .exe in them also, don't know how many files I have to go through to delete before backing up my personal files.

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:47 AM

Posted 28 February 2009 - 07:48 AM

Hello.

Good luck on the format or reinstall then. Hope everything goes well.

Below are some prevention tips.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us and Good luck :thumbup2:

With Regards,
Extremeboy


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:47 AM

Posted 01 March 2009 - 02:59 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad I could help :thumbup2:
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy
