- Sality starts as a random .sys file; how can I identify which one it is?
- Here is the ComboFix log. Which lines can help me identify that it was an attack by Sality?
ComboFix 10-06-25.02 - owner 06/26/2010 13:24:28.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.251 [GMT 5.5:30]
Running from: E:\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\install.exe
D:\pagal.cmd
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DAC970NT
-------\Service_dac970nt
((((((((((((((((((((((((( Files Created from 2010-05-26 to 2010-06-26 )))))))))))))))))))))))))))))))
.
2010-06-26 08:00 . 2010-06-26 08:00 -------- d-----w- C:\FOUND.050
2010-06-26 07:40 . 2010-06-26 07:40 -------- d-----w- C:\FOUND.049
2010-06-26 07:09 . 2010-06-26 07:09 -------- d-----w- C:\FOUND.048
2010-06-26 06:56 . 2010-06-26 06:56 -------- d-----w- C:\FOUND.047
2010-06-26 06:52 . 2010-06-26 06:52 -------- d-----w- C:\FOUND.046
2010-06-26 06:40 . 2010-06-26 06:40 -------- d-----w- C:\FOUND.045
2010-06-26 06:33 . 2010-06-26 06:33 -------- d-----w- C:\FOUND.044
2010-06-26 06:06 . 2010-06-26 06:06 -------- d-----w- c:\program files\Exterminate It!
2010-06-26 05:59 . 2010-06-26 05:59 -------- d-----w- C:\FOUND.043
2010-06-26 05:52 . 2010-06-26 05:52 -------- d-----w- C:\FOUND.042
2010-06-26 05:35 . 2010-06-26 05:35 -------- d-----w- C:\FOUND.041
2010-06-26 05:24 . 2010-06-26 05:24 -------- d-----w- C:\FOUND.040
2010-06-26 04:59 . 2010-06-26 04:59 -------- d-----w- C:\FOUND.039
2010-06-26 04:43 . 2010-06-26 04:43 -------- d-----w- C:\FOUND.038
2010-06-26 03:38 . 2010-06-26 03:38 -------- d-----w- C:\FOUND.037
2010-06-26 02:57 . 2010-06-26 02:57 -------- d-----w- C:\FOUND.036
2010-06-26 02:40 . 2009-08-06 13:53 215920 ----a-w- c:\windows\system32\muweb.dll
2010-06-25 16:46 . 2010-06-25 16:46 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-06-25 12:32 . 2010-06-25 12:32 -------- d-----w- C:\FOUND.035
2010-06-25 10:28 . 2010-06-25 10:28 -------- d-----w- C:\FOUND.034
2010-06-22 05:43 . 2010-06-22 05:43 -------- d-----w- c:\program files\Conduit
2010-06-22 05:43 . 2010-06-22 05:43 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\Conduit
2010-06-14 09:32 . 2010-06-14 09:32 -------- d-----w- C:\FOUND.033
2010-06-11 09:46 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-26 07:51 . 2010-06-26 07:51 13841 ----a-w- c:\windows\system32\drivers\abc.txt
2010-06-26 07:37 . 2005-12-12 08:04 90112 ----a-w- c:\windows\DUMP2dc6.tmp
2010-06-26 06:48 . 2005-12-12 08:04 90112 ----a-w- c:\windows\DUMP02d4.tmp
2010-06-26 04:47 . 2005-12-12 08:04 90112 ----a-w- c:\windows\DUMP119a.tmp
2010-06-21 02:58 . 2010-03-24 11:49 517640 ----a-w- c:\documents and settings\owner\Application Data\Real\Update\setup3.10\setup.exe
2010-05-26 15:34 . 2010-05-26 15:34 503808 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61c59fb1-n\msvcp71.dll
2010-05-26 15:34 . 2010-05-26 15:34 499712 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61c59fb1-n\jmc.dll
2010-05-26 15:34 . 2010-05-26 15:34 348160 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61c59fb1-n\msvcr71.dll
2010-05-26 15:33 . 2010-05-26 15:33 12800 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1f060b7b-n\decora-d3d.dll
2010-05-26 15:33 . 2010-05-26 15:33 61440 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1f060b7b-n\decora-sse.dll
2010-05-06 10:41 . 2001-08-23 06:30 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2001-08-23 06:30 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-01 10:58 . 2010-05-01 10:58 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2010-04-20 05:30 . 2001-08-23 06:30 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-17 09:58 . 2010-04-17 09:58 503808 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-44cff4c5-n\msvcp71.dll
2010-04-17 09:58 . 2010-04-17 09:58 499712 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-44cff4c5-n\jmc.dll
2010-04-17 09:58 . 2010-04-17 09:58 348160 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-44cff4c5-n\msvcr71.dll
2010-04-17 09:57 . 2010-04-17 09:57 12800 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-31139d12-n\decora-d3d.dll
2010-04-17 09:57 . 2010-04-17 09:57 61440 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-31139d12-n\decora-sse.dll
2010-04-12 11:59 . 2010-04-17 09:57 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-03 11:04 . 2010-04-03 11:04 0 ----a-w- c:\windows\nsreg.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
dslagent.exe USB [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 1026496 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 105904 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-29 03:36 88363 ----a-w- c:\windows\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2004-10-13 10:30 57344 ----a-w- c:\windows\ALCMTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2004-10-21 12:14 2744832 ----a-w- c:\windows\ALCWZRD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GSICONEXE]
2002-08-02 08:56 90112 ------w- c:\windows\system32\gsicon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-08-12 12:15 61952 ------w- c:\windows\system32\Hdaudpropshortcut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-06-06 06:11 118784 ----a-w- c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-06-06 06:15 155648 ----a-w- c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-07-16 12:50 1409136 ------w- c:\program files\Ahead\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1768960 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 05:20 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-03-04 16:16 172032 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-10-21 08:50 77824 ----a-w- c:\windows\SoundMan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-10-24 16:38 271888 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"=
"d:\\Program Files\\McAfee\\Common Framework\\UdaterUI.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\WINDOWS\\system32\\cmd.exe"=
"c:\\PROGRA~1\\WinZip\\winzip32.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqsnotify.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Firefox\\crashreporter.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\Documents and Settings\\owner\\Desktop\\HijackThis.exe"=
S3 WDHTLOZHJ;WDHTLOZHJ;c:\docume~1\owner\LOCALS~1\Temp\WDHTLOZHJ.exe --> c:\docume~1\owner\LOCALS~1\Temp\WDHTLOZHJ.exe [?]
S4 HXV;HXV;c:\docume~1\owner\LOCALS~1\Temp\HXV.exe --> c:\docume~1\owner\LOCALS~1\Temp\HXV.exe [?]
S4 QVLOTG;QVLOTG;c:\docume~1\owner\LOCALS~1\Temp\QVLOTG.exe --> c:\docume~1\owner\LOCALS~1\Temp\QVLOTG.exe [?]
S4 QXR;QXR;c:\docume~1\owner\LOCALS~1\Temp\QXR.exe --> c:\docume~1\owner\LOCALS~1\Temp\QXR.exe [?]
.
Contents of the 'Scheduled Tasks' folder
2009-12-13 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-23 16:48]
2010-06-26 c:\windows\Tasks\User_Feed_Synchronization-{F0F9143C-8B87-481B-B989-B31B7C5DEDC1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 23:01]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: AutorunsDisabled\mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} -
FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\r8kyjcso.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\progra~1\YAHOO!\COMMON\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: d:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: d:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: d:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
.
- - - - ORPHANS REMOVED - - - -
BHO-{ff19b72a-36ed-4066-8865-a580ae938cce} - (no file)
WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
Notify-AutorunsDisabled - igfxsrvc.dll WgaLogon.dll
AddRemove-Hidden and Dangerous - d:\program files\Take2\Hidden and Dangerous\Uninst.isu
AddRemove-Vegas Games 2000 Demo - d:\program files\Vegas Games 2000 Demo\Uninst.isu
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-26 13:31
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(180)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2010-06-26 13:33:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-26 08:03
Pre-Run: 8,967,553,024 bytes free
Post-Run: 8,830,779,392 bytes free
- - End Of File - - 307533364666DCC2339BA843378239E1
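Added example, not part of the original post and not ComboFix's own code: a small Python triage script that scans ComboFix log lines for the entries a responder looks at first when Sality is suspected, namely the Security Center override/notify values, the disabled firewall, system binaries (cmd.exe, netsh.exe) in the firewall allow list, and services whose image sits under the user's Temp folder. It runs over a constructed excerpt of the log above; the category names and the `triage` function are my own.

```python
import re
from typing import List, Tuple

# Constructed excerpt of the ComboFix log above (not a complete log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\cmd.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
S3 WDHTLOZHJ;WDHTLOZHJ;c:\docume~1\owner\LOCALS~1\Temp\WDHTLOZHJ.exe --> c:\docume~1\owner\LOCALS~1\Temp\WDHTLOZHJ.exe [?]
S4 HXV;HXV;c:\docume~1\owner\LOCALS~1\Temp\HXV.exe --> c:\docume~1\owner\LOCALS~1\Temp\HXV.exe [?]
"""

# Service entry as ComboFix prints it: "S3 NAME;DISPLAY;IMAGE --> IMAGE [?]"
SERVICE_RE = re.compile(r"^S[0-4]\s+(?P<name>[^;]+);[^;]+;(?P<path>.+?)\s+-->")
# Security Center values that suppress AV/firewall/update warnings when set to 1.
OVERRIDE_RE = re.compile(r'^"(AntiVirus|Firewall|Updates|Uac)(Override|DisableNotify)"=dword:0*1$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
AUTHAPP_RE = re.compile(r'^"(?P<path>[^"]+)"=$')
# System binaries that have no business in the firewall's allowed-applications list.
SUSPECT_AUTHAPPS = {"cmd.exe", "netsh.exe"}

def triage(log: str) -> List[Tuple[str, str]]:
    findings: List[Tuple[str, str]] = []
    in_authapps = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("["):  # registry key header: remember which section we are in
            in_authapps = line.lower().endswith("authorizedapplications\\list]")
            continue
        svc = SERVICE_RE.match(line)
        if svc and "\\temp\\" in svc.group("path").lower():
            findings.append(("service-from-temp", line))  # random-named service in %TEMP%
        elif OVERRIDE_RE.match(line):
            findings.append(("security-center-override", line))
        elif FIREWALL_OFF_RE.match(line):
            findings.append(("firewall-disabled", line))
        elif in_authapps:
            app = AUTHAPP_RE.match(line)
            if app and re.split(r"\\+", app.group("path"))[-1].lower() in SUSPECT_AUTHAPPS:
                findings.append(("firewall-allowed-system-binary", line))
    return findings
```

Each finding is a lead to confirm (hash the Temp executables, check who set the Security Center values), not proof of Sality on its own.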