Infected with a malware (possibly sality)


6 replies to this topic

#1 aywa

Posted 05 April 2010 - 01:17 AM

Hello

I was infected with this malware a few days ago; nothing could remove it, so I installed a new Windows.

Now I am hit with the same malware again. I guess it's some kind of autorun method that infected me again, or it infected my program folder (I installed Opera from an existing file on my computer).

Symptoms:
1. The system takes some time to load (after the Windows welcome screen).
2. My previous restore points are gone.
3. Task Manager is disabled; when I enable it (using a third-party program) it gets disabled again after a moment.
4. Registry Editor, the same as above.
5. The "Do not show hidden files or folders" option is always on; whenever I select the other option and open the menu again, it says "Do not show hidden files or folders".
6. I can't access antivirus/scanner sites (jotti/novirusthanks/virustotal/antivirus/drweb/technet microsoft), but the hosts file is normal ("127.0.0.1 localhost").
7. Whenever I run an exe file it infects it; sometimes it runs and sometimes it gives a memory error:

    AppName: combofix.exe     AppVer: 0.0.0.0     ModName: combofix.exe
    ModVer: 0.0.0.0     Offset: 00027621

8. After a while I get an svchost error (send|don't send).
9. Explorer.exe restarts randomly, and sometimes the skin changes from the XP blue theme to the old Win98 theme.
10. Task Manager closes if I keep it open for a while.



No attachment with logs was found (I checked both; the zip files were infected with both Conficker and Sality, so I removed both files). Please post new logs (preferably not attached). ~ Elise

Edited by elise025, 05 April 2010 - 07:59 AM.
Removed malware downloads and download links ~ Elise




#2 Elise

Posted 05 April 2010 - 08:01 AM

Hello, as you can see I removed all links and attachments from your post, as explained.

Please see ThreatExpert's awareness of Win32.Sality.

Sality is a family of polymorphic file infectors that infect .exe and .scr files, download more malicious files to your computer, steal sensitive system information/passwords and send it back to the attacker.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Quote:
    As with many other malware, Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped file(s) when the drive is accessed.
    (About Sality Virus)

If the computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach.

Sality/Win32.Sector is not effectively disinfectable. Your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

regards, Elise



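The autorun spreading mechanism quoted above (an autorun.inf at a drive root pointing at dropped .cmd/.pif/.exe files) can be triaged offline from a live CD, which is where the topic starter is working. The following is an added example for this thread, not code from BleepingComputer or from any tool named in it; the autorun.inf content, the file names (hgjd.pif, wqhv.exe, xyz.cmd) and the root listing are constructed, and the parser deliberately tolerates junk padding lines and mixed-case keys rather than using a strict INI parser.

```python
import re
from typing import Dict, List

# Keys that make Windows (XP era) launch a program when the drive is opened.
_LAUNCH_KEYS = ("open", "shellexecute")
_SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")
_KV = re.compile(r"^\s*([A-Za-z0-9_\\.\-]+)\s*=\s*(.*?)\s*$")
_DROPPED_EXT = (".exe", ".cmd", ".pif")  # the extensions the thread names

def parse_autorun(text: str) -> Dict[str, str]:
    """Return lower-cased key/value pairs under [AutoRun], skipping junk lines."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        m = _KV.match(line)
        if in_autorun and m:
            entries[m.group(1).lower()] = m.group(2)
    return entries

def _target(value: str) -> str:
    """First token of a command value, unquoted and lower-cased."""
    return value.split()[0].strip('"').lower() if value.split() else ""

def suspicious_launches(text: str) -> List[str]:
    """Entries that would launch a dropped executable from the drive root."""
    return [f"{k}={v}" for k, v in parse_autorun(text).items()
            if (k in _LAUNCH_KEYS or _SHELL_CMD.match(k))
            and _target(v).endswith(_DROPPED_EXT)]

def triage_root(autorun_text: str, root_files: List[str]) -> Dict[str, List[str]]:
    """Cross-check launch targets against a listing of the drive root."""
    present = {f.lower() for f in root_files}
    targets = {_target(h.split("=", 1)[1]) for h in suspicious_launches(autorun_text)}
    return {"launched": sorted(t for t in targets if t in present),
            "other_root_executables": sorted(
                f for f in present if f.endswith(_DROPPED_EXT) and f not in targets)}

# Constructed sample: junk padding and mixed-case keys of the kind such files use.
SAMPLE_AUTORUN = """[AutoRun]
;Xk9qLmZ2pVbT0wRnE4sD
opEn=hgjd.pif
sHelLExEcUte=hgjd.pif
sHeLl\\Auto\\command=hgjd.pif
"""
SAMPLE_ROOT = ["autorun.inf", "hgjd.pif", "wqhv.exe", "xyz.cmd", "Documents"]
```

Run it against each partition and flash drive root before deciding what to keep; any root where "launched" is non-empty is one the thread's advice says to format rather than clean.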

#3 aywa

Posted 05 April 2010 - 10:44 AM

I know you are trying to help and my words can't really describe how grateful I am, and I don't wanna sound rude, but did you actually check the files?
It had Attach.txt, DDS.txt, hijackthis.log, ComboFix.txt, gm1.log, also the Qoobox folder and the malware copies winvrrji.exe and lsgzhdk.dll.
Anyway, I will post the txt files here; I thought offering the infected files and the malware executable and library would help.

I can format C:\ but I can't lose the other files/folders on the other partitions. Can't I install a new Windows (clean install ofc) and then just clean or scan afterwards?
Thanks a million.


Btw, I am on a Linux live CD now, no Flash, so I can't upload anywhere, and I also can't attach, for the same reason I guess.
So I will pastebin them.

Combofix log http://pastebin.com/rtknbU00
GMer log http://pastebin.com/NGkZyVP7
hijackthis log http://pastebin.com/NfGZs9gM
dds.txt http://pastebin.com/6ffzd2AU
attach.txt http://pastebin.com/xEFPFv0H

I can see the problem: the service eabcdryme hijacking svchost.exe, running its nasty stuff, loading lsgzhdk.dll and hidserv and w/e.

So my question is, can I install a new Windows and remove that stuff off the other drives/partitions? Thank you.


#5 Elise

Posted 05 April 2010 - 11:13 AM

Sorry, I didn't explain myself clearly.

I removed all uploaded files because the zipped archives were infected. Many users are browsing these forums and having a look. I deleted all infected stuff to prevent anybody from accidentally downloading it and so infecting their computer.

But since you want proof, here is a clear sign that you have indeed Sality:

    -------\Legacy_ABP470N5
    -------\Service_abp470n5

This is from your Combofix log and, as you can see, a clear sign of Sality.

Quote:
    I can format C:\ but I can't lose the other files/folders on the other partitions. Can't I install a new Windows (clean install ofc) and then just clean or scan afterwards?

Unfortunately formatting only C is not enough. You have to format all flash drives and other partitions to make sure nothing is left. One single file is enough to reinfect everything again.

I advise you only to back up personal files (pics, documents) and burn these to a CD to make sure no autorun entries get created.

If you have more questions, please let me know.

regards, Elise




#6 aywa

Posted 05 April 2010 - 10:35 PM

Quote (elise025 @ Apr 5 2010, 11:13 AM):
    Sorry, I didn't explain myself clearly.

    I removed all uploaded files because the zipped archives were infected. Many users are browsing these forums and having a look. I deleted all infected stuff to prevent anybody from accidentally downloading it and so infecting their computer.

Sorry, I thought I could upload the malware sample.

Quote (elise025 @ Apr 5 2010, 11:13 AM):
    Unfortunately formatting only C is not enough. You have to format all flash drives and other partitions to make sure nothing is left. One single file is enough to reinfect everything again.

    I advise you only to back up personal files (pics, documents) and burn these to a CD to make sure no autorun entries get created.

I thought I could get away with my hard drive contents.
I should get another hard disk then, back up the data and start clean.

Thanks for your help, kind sir.

#7 Elise

Posted 06 April 2010 - 02:04 AM

We do indeed have a malware upload channel, but that's not public, for the exact reason of protecting our members from accidentally downloading something.

I am now closing this topic. If you need it reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise

