Infected with Win32/Sality.NAO Virus


This topic is locked. 10 replies to this topic.

#1 justinthedudest (Members, 6 posts)

Posted 22 February 2009 - 08:38 AM

I have a really bad infection called Sality.NAO on my computer. It spreads to every exe file on my computer and even my latest updated NOD32 antivirus can't remove it completely. I did reformat my computer but it did not work; the same virus came back with the same infections!!! Please help me! Here is the log.



DDS (Ver_09-02-01.01) - NTFSx86
Run by hede at 15:18:47,75 on 22.02.2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1254.90.1033.18.1022.399 [GMT 2:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\dwwin.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\TELNET.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\hede\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1055
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Oturum Açma Yardım Aracı: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [LClock] c:\program files\lclock\LClock.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.6.0_06\bin\jusched.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ShowLOMControl] 1 (0x1)
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
TCP: {349E02C1-AC33-461F-8C9A-02E760029B20} = 4.2.2.2
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hede\applic~1\mozilla\firefox\profiles\v3qkn1vn.default\
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-5-9 33800]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-5-9 472320]
R3 aic32p;aic32p;\??\c:\windows\system32\drivers\hlpso.sys --> c:\windows\system32\drivers\hlpso.sys [?]

=============== Created Last 30 ================

2009-02-22 14:30 <DIR> --d----- c:\docume~1\hede\applic~1\True Sword
2009-02-22 14:29 356,352 a------- c:\windows\eSellerateEngine.dll
2009-02-22 14:29 81,920 a------- c:\windows\eSellerateControl350.dll
2009-02-22 14:29 <DIR> --d----- c:\program files\True Sword 5
2009-02-22 03:08 <DIR> --d----- c:\program files\ESET
2009-02-21 22:52 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-02-21 22:51 57,600 a------- c:\windows\system32\drivers\redbook.sys
2009-02-21 22:51 6,400 a------- c:\windows\system32\drivers\enum1394.sys
2009-02-21 22:50 74,240 a------- c:\windows\system32\usbui.dll
2009-02-21 22:50 8,832 a------- c:\windows\system32\drivers\wmiacpi.sys
2009-02-21 22:50 10,240 a------- c:\windows\system32\drivers\compbatt.sys
2009-02-21 22:50 14,208 a------- c:\windows\system32\drivers\battc.sys
2009-02-21 22:50 13,952 a------- c:\windows\system32\drivers\CmBatt.sys
2009-02-21 22:50 4,128 a------- c:\windows\system32\drivers\INFCACHE.1
2009-02-21 22:49 <DIR> --d----- c:\program files\common files\ODBC
2009-02-21 22:49 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-02-21 22:49 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-02-21 22:48 <DIR> --d----- c:\windows\system32\CatRoot2
2009-02-21 22:48 <DIR> --d----- c:\windows\system32\CatRoot
2009-02-21 22:48 2,749,977 a------- c:\windows\setupapi.log.0.old
2009-02-21 22:48 630 a------- C:\DPsFnshr.ini
2009-02-21 22:48 0 a------- C:\ATICCC.ins
2009-02-21 22:48 <DIR> --d----- C:\Documents and Settings
2009-02-21 22:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Messenger Plus!
2009-02-21 22:46 849 a------- c:\windows\system32\$winnt$.inf
2009-02-21 22:45 <DIR> -cdsh--- c:\program files\common files\WindowsLiveInstaller
2009-02-21 22:42 32,592 a------- c:\windows\system32\msonpmon.dll
2009-02-21 22:37 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-02-21 22:36 <DIR> --d----- c:\documents and settings\hede\Contacts
2009-02-21 22:32 <DIR> --d----- c:\docume~1\hede\applic~1\BSplayer Pro
2009-02-21 22:32 <DIR> --d----- c:\program files\Webteh
2009-02-21 22:31 <DIR> --d----- c:\program files\Messenger Plus! Live
2009-02-21 22:30 <DIR> --d----- c:\program files\MSN Messenger
2009-02-21 22:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-02-21 21:55 <DIR> --d----- c:\program files\ATI Technologies
2009-02-21 21:52 <DIR> --d----- c:\docume~1\hede\applic~1\Intel
2009-02-21 21:49 <DIR> --d----- c:\program files\CONEXANT
2009-02-21 21:48 <DIR> --d----- c:\program files\Modem Helper
2009-02-21 21:46 <DIR> --d----- c:\program files\Synaptics
2009-02-21 21:44 <DIR> --d----- c:\program files\SigmaTel
2009-02-21 21:40 <DIR> --d----- c:\program files\Dell
2009-02-21 21:36 <DIR> --d----- c:\docume~1\hede\applic~1\Styler
2009-02-21 21:34 <DIR> --d----- c:\documents and settings\hede\7zS1EEB.tmp
2009-02-21 21:34 <DIR> --d----- c:\documents and settings\hede\_ir_sf7_temp_0
2009-02-21 21:31 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-02-21 21:29 <DIR> --d----- c:\program files\Alky for Applications
2009-02-21 21:29 <DIR> --d----- c:\program files\Kristanix
2009-02-21 21:29 <DIR> --d----- c:\program files\Resource Hacker 3.4.0
2009-02-21 21:29 <DIR> --d----- c:\program files\common files\Stardock
2009-02-21 21:29 <DIR> --d----- c:\program files\Stardock
2009-02-21 21:27 <DIR> --d----- c:\program files\CCleaner
2009-02-21 21:25 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-02-21 21:25 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-02-21 21:25 <DIR> --d----- c:\program files\Online Services
2009-02-21 21:24 <DIR> --d----- c:\program files\common files\MSSoap
2009-02-21 21:20 <DIR> --d----- c:\program files\VistaExperience.org
2009-02-21 21:17 <DIR> --d----- c:\program files\Styler
2009-02-21 21:16 <DIR> --d----- c:\program files\Desktop
2009-02-21 21:15 <DIR> --d----- c:\program files\LClock
2009-02-21 21:15 <DIR> --d----- c:\program files\HashTab Shell Extension
2009-02-21 21:15 <DIR> --d----- c:\program files\Unlocker
2009-02-21 21:15 <DIR> --d----- c:\program files\Microsoft PowerToys
2009-02-21 21:15 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-02-21 21:52 21,275 a------- c:\windows\system32\drivers\AegisP.sys
2009-02-21 21:50 5 a------- c:\windows\system32\drivers\DELL__.MRK
2009-02-21 21:50 5 a------- c:\windows\system32\drivers\1028_DELL__.MRK
2009-02-21 21:25 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-21 21:23 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 15:19:06,06 ===============
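The DDS report above is what the helpers read first. As an added example (not part of the post and not DDS's own logic), here is a small triage pass over a handful of lines copied from that log. It picks out the entries a responder would check first: a registry reference whose DLL is gone ("No File"), a driver entry whose image file DDS could not find on disk ("[?]"), a Run value that names a bare executable with no path, and a non-zero SfcDisable value. The line patterns and finding names are this example's own assumptions about the DDS output format.

```python
"""Triage a DDS-style log: surface the entries a responder looks at first.

Added example, not from the post or from DDS. The sample lines are copied from
the DDS report in the post; the patterns and finding names are assumptions
about the report's shape.
"""
import re

# Entry shapes seen in the DDS output (assumption: DDS keeps these shapes).
RE_COM_OBJ = re.compile(r"^(BHO|SEH|SSODL|Handler|Notify):\s*(?P<name>.+?)\s+-\s+(?P<target>.+)$")
RE_RUN = re.compile(r"^[umd]Run(Once)?:\s*\[(?P<value>[^\]]+)\]\s*(?P<cmd>.*)$")
RE_SVC = re.compile(r"^[RS]\d\s+(?P<svc>[^;]+);(?P<disp>[^;]*);(?P<rest>.*)$")
RE_SFC = re.compile(r"\bSfcDisable=(?P<val>-?\d+)")

EXEC_SUFFIXES = (".exe", ".scr", ".com", ".bat")


def triage(lines):
    """Return a list of (finding, line) pairs worth a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = RE_COM_OBJ.match(line)
        if m:
            # The registry still references a COM object whose DLL is gone.
            if m.group("target").strip().lower() == "no file":
                findings.append(("orphaned-reference", line))
            continue
        m = RE_RUN.match(line)
        if m:
            first = m.group("cmd").strip().strip('"').split(" ")[0].lower()
            # A bare file name is resolved through the PATH search order, so a
            # same-named file earlier in that order would run instead.
            if "\\" not in first and first.endswith(EXEC_SUFFIXES):
                findings.append(("unqualified-run-path", line))
            continue
        m = RE_SVC.match(line)
        if m:
            # No "[date size]" but "[?]": DDS could not stat the image file.
            if m.group("rest").rstrip().endswith("[?]"):
                findings.append(("driver-file-missing", line))
            continue
        m = RE_SFC.search(line)
        if m and int(m.group("val")) != 0:
            # SfcDisable=-99 (0xffffff9d) switches Windows File Protection off.
            findings.append(("wfp-disabled", line))
    return findings


# Lines copied from the DDS report in the post (one of each shape, plus benign ones).
SAMPLE_DDS = [
    r"mWinlogon: SfcDisable=-99 (0xffffff9d)",
    r"BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL",
    r"BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File",
    r"mRun: [SigmatelSysTrayApp] stsystra.exe",
    r"mRun: [ShowLOMControl] 1 (0x1)",
    r'mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice',
    r"mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N",
    r"SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL",
    r"R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-5-9 472320]",
    r"R3 aic32p;aic32p;\??\c:\windows\system32\drivers\hlpso.sys --> c:\windows\system32\drivers\hlpso.sys [?]",
]

if __name__ == "__main__":
    for finding, line in triage(SAMPLE_DDS):
        print(f"{finding:24} {line}")
```

The four hits on the sample are review items, not verdicts: a missing driver file and an orphaned BHO are as often leftovers of an uninstall as signs of infection, and stsystra.exe does sit in c:\windows on this machine (see the process list), but each is the kind of line a helper asks about before deciding whether to keep the install.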


#2 justinthedudest (Topic Starter, Members, 6 posts)

Posted 22 February 2009 - 10:18 AM

Now I can't even open Windows Live Messenger or most of the programs; any help would be so nice for my situation!!!

#3 extremeboy (Malware Response Team, 12,975 posts)

Posted 23 February 2009 - 08:53 PM

Hello.

Sality and other file infectors are very nasty. The only possible reasons you may have got this infection again are that any files you backed up may have contained Sality, that you visited a malicious site, or that you otherwise got re-infected.

If you wish not to format/reinstall let me know.

Sality File Infector Warning

Your system is infected with a polymorphic file infector called Sality. Sality is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr) and also web pages (.html and .htm). However, the problem is that the virus has a number of bugs in its code, and as a result it may mis-infect a proportion of executable files, so those files are corrupted beyond repair. As of now, security experts suggest that a clean reinstall or reformat is the only way to clean the infection and the only way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) and screensavers (*.scr) or any web pages (*.html or *.htm). It attempts to infect any accessed .exe or .scr or .html/.htm files by appending itself to the executable.

Also, try to avoid backing up compressed files (zip/cab/rar) that have .exe or .scr files inside them. Sality can penetrate and infect .exe files inside compressed files too.

Tell me what you decide to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to donate.
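The backup rules in the warning above (copy documents only; never .exe, .scr, .html or .htm; avoid archives that hold such files) are easy to state and easy to get wrong by hand across a whole profile. As an added example that is not part of the post, the script below applies those rules mechanically: it walks a source tree, copies only what the rules allow, looks inside .zip archives for infectable members, and refuses .cab/.rar outright because the standard library cannot inspect them (a limitation of this example, not advice from the post). The sample tree is constructed inside a temporary directory.

```python
"""Copy a user's data for backup while refusing the file types a file infector targets.

Added example, not from the post. Extension lists follow the warning above;
.zip archives are inspected, .cab/.rar are skipped because they cannot be
read without third-party libraries.
"""
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

INFECTABLE = {".exe", ".scr", ".html", ".htm"}   # types the post says Sality infects
INSPECTABLE_ARCHIVES = {".zip"}                  # archives this example can look inside
OPAQUE_ARCHIVES = {".cab", ".rar"}               # named in the post; cannot inspect, so skip


def archive_is_risky(path):
    """True if the zip holds a member with an infectable extension, or is unreadable."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(Path(n).suffix.lower() in INFECTABLE for n in zf.namelist())
    except zipfile.BadZipFile:
        return True


def classify(path):
    """Decide, per file, whether it may go into the backup."""
    suffix = path.suffix.lower()
    if suffix in INFECTABLE:
        return "skip-infectable"
    if suffix in OPAQUE_ARCHIVES:
        return "skip-uninspectable-archive"
    if suffix in INSPECTABLE_ARCHIVES and archive_is_risky(path):
        return "skip-risky-archive"
    return "copy"


def filtered_backup(src, dst):
    """Walk src, copy what is allowed into dst, and report every decision."""
    report = {"copied": [], "skipped": []}
    for root, _dirs, files in os.walk(src):
        for name in files:
            path = Path(root) / name
            rel = path.relative_to(src).as_posix()
            verdict = classify(path)
            if verdict == "copy":
                target = Path(dst) / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(path, target)
                report["copied"].append(rel)
            else:
                report["skipped"].append((rel, verdict))
    return report


def demo():
    """Constructed sample tree (not real user data) exercising each rule."""
    base = Path(tempfile.mkdtemp(prefix="sality-backup-"))
    src, dst = base / "src", base / "backup"
    (src / "docs").mkdir(parents=True)
    (src / "docs" / "thesis.docx").write_bytes(b"PK\x03\x04 placeholder")
    (src / "setup.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (src / "saver.scr").write_bytes(b"MZ" + b"\x00" * 62)
    (src / "index.html").write_text("<html></html>")
    (src / "old.rar").write_bytes(b"Rar!")
    with zipfile.ZipFile(src / "tools.zip", "w") as zf:
        zf.writestr("tools/unlocker.exe", b"MZ")
    with zipfile.ZipFile(src / "photos.zip", "w") as zf:
        zf.writestr("holiday/img1.jpg", b"\xff\xd8\xff")
    return filtered_backup(src, dst)


if __name__ == "__main__":
    result = demo()
    print("copied :", result["copied"])
    print("skipped:", result["skipped"])
```

Run it against a real profile by calling `filtered_backup(Path("C:/Documents and Settings/hede"), Path("E:/backup"))`; the returned report is the list to review before the reinstall, and anything under "skipped" is by design not on the backup medium, so it cannot carry the infector back onto the fresh install.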

#4 justinthedudest (Topic Starter, Members, 6 posts)

Posted 24 February 2009 - 07:08 PM

first of all thank you for your answer extremeboy.

Now, I think I found a solution for this Sality.NAO virus on my computer. I downloaded a program called "rescuecd" from the Avira antivirus system and I made a CD of that program. Then I booted my PC from the CD-ROM drive and it started scanning. IT FOUND 33675 infected files!! and that process took me 4 hours. But it did not completely delete these files, it just renamed their file types (.xxx instead of .exe or .scr, so they don't get infected again, and it also gives antivirus systems the ability to delete the virus). I also downloaded a program called sality.NAO deleter from the same place, and after I used the rescuecd I restarted my computer and started Windows, then I used that deleter to delete those .xxx type files.

Now it looks like I completely got rid of that virus and my latest updated NOD32 did not find anything after scanning.

But now I have a problem again too. I cannot open Task Manager and I cannot start my PC in Safe Mode. These were the effects of the virus and now I am really sure I got rid of that virus, but these problems remain.

Can you help me with that please???

#5 justinthedudest (Topic Starter, Members, 6 posts)

Posted 24 February 2009 - 07:09 PM

And I also found the source of that virus on my external HDD drive and I completely removed it too!

#6 extremeboy (Malware Response Team, 12,975 posts)

Posted 24 February 2009 - 08:06 PM

Hello.

Sality is very nasty and it also has backdoor functions, so your machine is already compromised. Also, 33675 files were infected and removed; don't you want to format/reinstall?

If not, let me know.

With Regards,
Extremeboy

Edited by extremeboy, 24 February 2009 - 08:34 PM.


#7 justinthedudest (Topic Starter, Members, 6 posts)

Posted 25 February 2009 - 10:30 AM

But what I'm saying is that those files are unnecessary .exe files; I mean the virus made thousands of copies of Win32 system's unnecessary files. I don't even have 33k files on my computer, but the virus made them in the volume control file of Windows.

And I believe that I rescued my computer and don't want to format again (because I actually lost my XP CD).
So what can I do about the Task Manager problem and Safe Mode? Can you help with this, extremeboy?

Thanks for your help.

#8 extremeboy (Malware Response Team, 12,975 posts)

Posted 25 February 2009 - 04:01 PM

Hello.

Please run Combofix and GMER. I would like to see how well the infection got cleared out.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • [screenshot of the Recovery Console prompt]
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [screenshot of the confirmation message]
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important!: Please do not select the Show all checkbox during the scan.

Post back with:
-Combofix log
-GMER log


With Regards,
Extremeboy

#9 justinthedudest (Topic Starter, Members, 6 posts)

Posted 25 February 2009 - 06:47 PM

Well, thanks extremeboy, but I think I am going to format my computer somehow, because ComboFix and GMER don't work; I double-click on them and they don't respond. I think you were right about how nasty this virus is. I am going to find an XP CD and reformat again.
Thank you for your help.

#10 extremeboy (Malware Response Team, 12,975 posts)

Posted 25 February 2009 - 08:03 PM

Hello.

You lost it and now you are going to find it. Good luck on that.. :)

Below are some prevention tips.

Preventing Infections in the Future

Please also have a look at the following links, which give some advice and tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of hacks/Trojans use holes that the updates plug; they keep working only because people do not update.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, you will find a nice little article here about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us, and good luck!

With Regards,
Extremeboy

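The Autorun section of the post above describes the mechanism (an AUTORUN.INF at the root of a removable drive, acted on by Autorun or Autoplay) and warns that even with Autorun disabled, double-clicking a drive that carries such a file may still trigger it. As an added example that is not part of the post, the code below triages an autorun.inf the way a responder would before trusting a USB stick: it parses the [autorun] section, tolerating the junk lines and mixed case that worm-written files use, and reports which directives would launch a program. The two sample INF texts are constructed for this example; the directive names (open, shellexecute, shell\<verb>\command, shell) are standard AutoRun keys, listed here by assumption since the post does not spell them out.

```python
"""Triage autorun.inf files from removable media.

Added example, not from the post. Answers one question: which directives in
the [autorun] section would run code when the drive is inserted or opened?
The sample INF texts below are constructed, not captured from a real drive.
"""
import re
from pathlib import Path

# Directives that run a program directly (standard AutoRun keys; assumption).
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command defines a verb; "shell=<verb>" makes it the double-click
# default, which is how a worm hijacks the drive icon even with Autorun off.
RE_SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Tolerates junk comment lines, blank lines and mixed-case section/key names.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def assess(text):
    """Summarise what the INF would execute and whether it is risky to open."""
    entries = parse_autorun(text)
    launches = [(k, v) for k, v in entries.items()
                if k in LAUNCH_KEYS or RE_SHELL_CMD.match(k)]
    return {
        "launches": launches,
        "default_verb": entries.get("shell"),
        "risky": bool(launches),
    }


def assess_drive_root(root):
    """Read <root>/autorun.inf if present; None means no autorun.inf at the root."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return None
    return assess(inf.read_text(errors="replace"))


# Constructed: a harmless vendor-style INF that only sets icon and label.
SAMPLE_ICON_ONLY = "[autorun]\nicon=drive.ico\nlabel=Photos 2009\n"

# Constructed: the shape worms use, with a junk line, mixed case, a hidden
# payload path, every verb pointed at it and the default verb overridden.
SAMPLE_WORM_STYLE = (
    ";sdf9q2kx\n"
    "[AutoRun]\n"
    "Open = RECYCLER\\S-1-5-21\\x.exe\n"
    "shell\\open\\Command=RECYCLER\\S-1-5-21\\x.exe\n"
    "shell\\explore\\command=RECYCLER\\S-1-5-21\\x.exe\n"
    "shell=open\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
    "UseAutoPlay=1\n"
)

if __name__ == "__main__":
    for name, text in (("icon-only", SAMPLE_ICON_ONLY), ("worm-style", SAMPLE_WORM_STYLE)):
        print(name, assess(text))
```

Point `assess_drive_root("E:/")` at a freshly inserted stick from a machine where Autorun is already off; a non-empty "launches" list is the reason the post tells you not to double-click the drive icon, because the default verb is exactly what that double-click invokes.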

#11 extremeboy (Malware Response Team, 12,975 posts)

Posted 27 February 2009 - 04:12 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy




