
Trojan.AgentSD6! and many more


  • This topic is locked
4 replies to this topic

#1 NLV

NLV

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:13 AM

Posted 02 April 2009 - 02:31 PM

I've been having this problem for the past few days..
First it started with services.exe strangely getting started in the Windows startup. I saw my modem flickering constantly and felt that there was some connection always being active. So I installed NetLimiter to track the connections and found that services.exe was sending lots of outgoing connections. I denied connections for services.exe using NetLimiter and the problem got solved temporarily.
Two days back I found that my Task Manager was getting disabled repeatedly. So I again started working on the processes and found Winlogon.exe sending abundant outgoing connections. Each time Windows starts, Spyware Doctor does an Intelli Scan and finds worm.sality 66 infections and deletes them. If I enable my Task Manager by restoring Windows default settings using other tools, it just gets reverted back and gets disabled.
I hate having these worms and want to clean my system. How do I remove this malware in winlogon.exe and services.exe?

I have Ubuntu and I manually checked all the drives for any hidden folders and any autorun files and it seems to be clean.. I'm sure that the viruses are also in the drives other than my OS drive because I formatted my C: drive this morning but unfortunately the viruses came back again..

I've removed a considerable number of viruses myself but am not able to remove this one..

I've attached my HJT log..

It seems all the important processes are affected.. taskmanager.exe, winlogon.exe, explorer.exe etc. are trying to make some outgoing connections... I'll patiently wait for a solution and hope you can give me one..


Regards
NLV


Edited by NLV, 02 April 2009 - 02:32 PM.



 


#2 NLV

NLV
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:13 AM

Posted 04 April 2009 - 12:31 AM

hmm..no idea for anybody? :thumbup2:

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:13 AM

Posted 10 April 2009 - 05:17 PM

Hello.

With this infection (Sality) there is only ONE way to go ------> Format and start over.

Sality File Infector Warning

Your system is infected with a polymorphic file infector called Sality. Sality is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr) and also web pages (.html and .htm). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.

As of now, security experts suggest that a clean Reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) and screensavers (*.scr) or any web pages (*.html or *.htm). It attempts to infect any accessed .exe or .scr or .html/.htm files by appending itself to the executable.

Also, try to avoid backing up compressed files (zip/cab/rar) that have .exe or .scr files inside them. Sality can penetrate and infect .exe files inside compressed files too.

More information on Sality can be found over here and here

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
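The backup rule in the post above (documents only; no .exe, .scr, .html or .htm files; no archives that contain .exe or .scr files) can be applied mechanically before copying anything off the infected disk. The following is an added example, not part of the original thread: the function names and the nested-archive size cap are assumptions, and .cab/.rar files are excluded outright because the Python standard library cannot open them.

```python
import sys
import zipfile
from io import BytesIO
from pathlib import Path, PurePosixPath

# File types the post says Sality infects: never copy these to the backup.
INFECTABLE = {".exe", ".scr", ".html", ".htm"}
# Archive formats the post names that the standard library cannot open.
OPAQUE_ARCHIVES = {".cab", ".rar"}
MAX_NESTED = 64 * 1024 * 1024  # assumed cap before unpacking a nested zip


def zip_is_risky(source):
    """True if a zip (path or file object) holds .exe/.scr at any depth."""
    try:
        with zipfile.ZipFile(source) as zf:
            for info in zf.infolist():
                ext = PurePosixPath(info.filename).suffix.lower()
                if ext in {".exe", ".scr"} or ext in OPAQUE_ARCHIVES:
                    return True
                if ext == ".zip":
                    if info.file_size > MAX_NESTED:
                        return True  # too large to inspect: treat as unsafe
                    if zip_is_risky(BytesIO(zf.read(info))):
                        return True
    except (zipfile.BadZipFile, OSError, RuntimeError, NotImplementedError):
        return True  # corrupt or encrypted: cannot prove it is clean
    return False


def classify(path):
    ext = path.suffix.lower()
    if ext in INFECTABLE:
        return "skip: infectable file type"
    if ext in OPAQUE_ARCHIVES:
        return "skip: archive cannot be inspected"
    if ext == ".zip" and zip_is_risky(path):
        return "skip: archive holds .exe/.scr or is unreadable"
    return "backup"


def plan_backup(root):
    """Map each file under root (relative POSIX path) to a decision."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): classify(p) for p in files}


if __name__ == "__main__":
    for name, decision in plan_backup(sys.argv[1]).items():
        print(f"{decision:45} {name}")
```

A "backup" decision only means the file passed the extension rule from the post; it is a selection filter, not a malware scan.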

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:13 AM

Posted 13 April 2009 - 12:25 PM

Hello.

Are you still there?

If you are, please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the day I replied, the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:13 AM

Posted 15 April 2009 - 03:37 PM

Hello.

Due to Lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy



