Infected with a malware (possibly sality)

Hello

I was infected with this malware few days ago, nothing could remove , so i installed a new windows.

Now i am hit with the same malware again, i guess it's some kinda of autorun method that infected me again, or it infected my program folder (i installed opera from an existing file on my computer).

Symptoms:
1-The system takes some time to load -after the windows welcome screen-.
2-My previous restore points are gone.
3-Task manager disabled, when i enable it (using third party program) it gets disabled after a moment.
4-Registry editor, the same as above.
5-"Do not show hidden files or folders" option is always on, whenever i select the other option, and open the menu again, it says "Do not show hidden files or folders".
6-I can't access antivirus/scanner sites (jotti/novirusthanks/virustotal/antivirus/drweb/technet microsoft) but the hosts file is normal "127.0.0.1 localhost".
7-Whenever i run an exe file it infects it, sometimes it run and sometimes it give a memory error.

8-After a while i get scvhost error (send|dont send) .
9-Explorer.exe restarts randomly, and sometimes the skin changes from the xp blue theme to the old win98 theme.
10-Task manager closes if i opened it for a while.



No attachment with logs was found (I checked both, the zipfiles were infected with both Conficker and Sality, so I removed both files. Please post new logs (preferably not attached). ~ Elise

Edited by elise025, 05 April 2010 - 07:59 AM.
Removed malware downloads and download links ~ Elise

Hello, as you can see I removed all links and attachments from your post, as explained.

Please see ThreatExpert's awareness of Win32.Sality.

Sality Family is a family of a polymorphic file infectors which infects .exe, .scr files, downloads more malicious files to your computer, steals sensitive system information/passwords and sends it back to the attacker.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

About Sality Virus

If the computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach.

Sality/Win32.Sector is not effectively disinfectable. Your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

• When should I re-format? How should I reinstall?
• Help: I Got Hacked. Now What Do I Do?
• Where to draw the line? When to recommend a format and reinstall?

I know you are trying to help and my words can't really describe how gratefull i am and i don't wanna sound rude but did you actually check the files?
It had Attach.txt DDS.txt hijackthis.log ComboFix.txt gm1.log also Qoobox folder and the malware copies winvrrji.exe and lsgzhdk.dll.
anyway i will post the txt files here, i thought offering the infected and the malware executable and library would help.

I can format C:\ but i can't lose the other files/folders on the other partitions ,can't i install a new windows (clean install ofc) then just clean or scan afterwords.
Thanks a million.


btw i am on a linux live cd now ,no flash i can't upload anywhere i have no flash also can't attach for the same reason i guess.
So i will pastebin them.

Combofix log http://pastebin.com/rtknbU00
GMer log http://pastebin.com/NGkZyVP7
hijackthis log http://pastebin.com/NfGZs9gM
dds.txt http://pastebin.com/6ffzd2AU
attach.txt http://pastebin.com/xEFPFv0H

I can see the problem the service eabcdryme hijacking the svchost.exe running it's nasty stuff loading lsgzhdk.dll and hidserv and w/e.

So my question is can i install a new windows and remove that stuff off the other drives/partitions, thank you.

I know you are trying to help and my words can't really describe how gratefull i am and i don't wanna sound rude but did you actually check the files?
It had Attach.txt DDS.txt hijackthis.log ComboFix.txt gm1.log also Qoobox folder and the malware copies winvrrji.exe and lsgzhdk.dll.
anyway i will post the txt files here, i thought offering the infected and the malware executable and library would help.

I can format C:\ but i can't lose the other files/folders on the other partitions ,can't i install a new windows (clean install ofc) then just clean or scan afterwords.
Thanks a million.


btw i am on a linux live cd now ,no flash i can't upload anywhere i have no flash also can't attach for the same reason i guess.
So i will pastebin them.

Combofix log http://pastebin.com/rtknbU00
GMer log http://pastebin.com/NGkZyVP7
hijackthis log http://pastebin.com/NfGZs9gM
dds.txt http://pastebin.com/6ffzd2AU
attach.txt http://pastebin.com/xEFPFv0H

Sorry, I didn't explain myself clearly

I removed all uploaded files because the zipped archives were infected. Many users are browsing these forums and having a look. I deleted all infected stuff to prevent anybody from accidentally downloading it and so infecting their computer.

But since you want proof, here is a clear sign that you have indeed Sality:
This is from your Combofix log and as you can see here a clear sign of Sality.

Unfortunately formatting only C is not enough. You have to format all flashdrives and other partitions to make sure nothing is left. One single file is enough to reinfect everything again.

I advice you only to backup personal files (pics, documents) and burn these to a CD to make sure no autorun entries get created.

If you have more questions, please let me know.

Sorry i thought i can upload the malware sample

I thought i can get away with my hard drive contents
I should get another hard disk then and backup the data and start clean.

Thanks for your help kind sir.

We have indeed a malware upload channel, but thats not public, for the exact reason to protect our members from accidentaly downloading something..

I am now closing this topic. If you need it reopened, please send me a PM.

Everyone else, please start a new topic.