Infected - Malware.Packed.Gen Virus.Sality


This topic is locked. 2 replies to this topic.

#1 coinba (Members, 3 posts)

Posted 08 August 2010 - 04:09 PM

This is my second topic about the same problem; I made it because my previous one was posted wrong.
I got infected by this virus a few days ago. First I tried to remove it with Malwarebytes' Anti-Malware and Nod32, but every time I went to scan, my computer would restart. After a few tries I couldn't start up Windows XP in either normal or safe mode, so I decided to format C: and reinstall Windows.
Well, my problem is still here; the only difference is that scanning doesn't restart my computer. I tried to delete the virus, but I didn't manage it.

This is the window that shows up when I start scanning:
http://img12.imageshack.us/img12/8964/malwscn1.jpg

and these are the infections I can't delete:
http://img695.imageshack.us/img695/764/malwscn2.jpg

DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 22:41:49,68 on ned 08.08.2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2189 [GMT 2:00]


============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter

============== Pseudo HJT Report ===============

mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\ved25wr0.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R3 Protec;PHASE WDM Audio;c:\windows\system32\drivers\Protec.sys [2010-8-8 49472]
S3 amsint32;amsint32;\??\c:\windows\system32\drivers\ijmhl.sys --> c:\windows\system32\drivers\ijmhl.sys [?]

=============== Created Last 30 ================

2010-08-08 18:35:26 103140 --sh--r- C:\pwft.pif
2010-08-08 18:35:25 236 --sh--r- C:\autorun.inf
2010-08-08 18:16:29 0 d-sha-r- C:\cmdcons
2010-08-08 18:15:55 98816 ----a-w- c:\windows\sed.exe
2010-08-08 18:15:55 77312 ----a-w- c:\windows\MBR.exe
2010-08-08 18:15:55 256512 ----a-w- c:\windows\PEV.exe
2010-08-08 18:15:55 161792 ----a-w- c:\windows\SWREG.exe
2010-08-08 18:15:49 0 d-----w- C:\ComboFix
2010-08-08 18:12:09 8 --sha-r- c:\documents and settings\administrator\ntuser.pol
2010-08-08 18:09:39 0 d--h--w- c:\windows\system32\GroupPolicy
2010-08-08 18:05:48 0 d-----w- c:\program files\RegistryFix8
2010-08-08 16:03:29 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-08-08 16:03:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-08 16:03:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-08 16:03:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 16:03:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-08 15:23:10 0 d-----w- c:\program files\uTorrent
2010-08-08 15:22:31 0 d-----w- c:\docume~1\admini~1\applic~1\uTorrent
2010-08-08 15:17:58 974848 ------w- c:\windows\system32\mfc70.dll
2010-08-08 15:17:58 487424 ------w- c:\windows\system32\msvcp70.dll
2010-08-08 15:17:58 344064 ------w- c:\windows\system32\msvcr70.dll
2010-08-08 15:17:58 0 d-----w- c:\program files\TerraTec Electronic GmbH
2010-08-08 15:17:28 77824 ----a-r- c:\windows\system32\AsioPTec.dll
2010-08-08 15:17:28 49472 ----a-r- c:\windows\system32\drivers\Protec.sys
2010-08-08 15:05:33 0 d-----w- c:\program files\common files\ATI Technologies
2010-08-08 15:04:59 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-08-08 15:04:59 3518304 -c--a-w- c:\windows\system32\dllcache\ati3duag.dll
2010-08-08 15:04:59 3518304 ----a-w- c:\windows\system32\ati3duag.dll
2010-08-08 15:04:58 565248 ----a-w- c:\windows\system32\atikvmag.dll
2010-08-08 15:04:58 4425216 -c--a-w- c:\windows\system32\dllcache\ati2mtag.sys
2010-08-08 15:04:58 4425216 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-08-08 15:04:58 294912 ----a-w- c:\windows\system32\ATIODE.exe
2010-08-08 15:04:58 204800 ----a-w- c:\windows\system32\atipdlxx.dll
2010-08-08 15:04:58 172032 ----a-w- c:\windows\system32\atiadlxx.dll
2010-08-08 15:01:35 0 d-----w- c:\program files\ATI Technologies
2010-08-08 15:01:33 0 d-----w- c:\program files\ATI
2010-08-08 14:08:45 0 d-sh--w- c:\documents and settings\all users\DRM
2010-08-08 14:08:27 0 d--h--w- c:\program files\WindowsUpdate
2010-08-08 14:07:38 0 d-----w- c:\program files\common files\MSSoap
2010-08-08 14:05:52 0 d-----w- c:\program files\Online Services
2010-08-08 14:05:44 0 d-----w- c:\program files\Messenger
2010-08-08 14:05:39 0 d-----w- c:\program files\MSN Gaming Zone
2010-08-08 14:04:51 0 d-----w- c:\program files\Windows NT
2010-08-08 06:24:38 0 d-----w- c:\program files\common files\ODBC
2010-08-08 06:24:35 0 d-----w- c:\program files\common files\SpeechEngines
2010-08-08 06:24:12 0 d-----r- c:\documents and settings\all users\Documents

==================== Find3M ====================

2010-08-08 14:06:08 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 22:42:04,32 ===============

#2 coinba (Topic Starter, Members, 3 posts)

Posted 10 August 2010 - 08:54 AM

OK, I can't wait any longer; I'm going to try to do something by myself. Thanks.
You can close the topic.

#3 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 10 August 2010 - 04:30 PM

Topic closed. Please send a PM to a Moderator if you would like the topic reopened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
