Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.If you can please print this topic
it will make it easier for you to follow the instructions and complete all of the necessary steps.
This is the only suspicious process found on your OTL log.
Did your run this process and know what it it?
C:\Documents and Settings\PC\My Documents\Downloads\80cm1856.exe
If not please scan it at Jotti and post the results.
This is my speech on Sality
I'm afraid I have very bad news. Win32/Sality
is a dangerous polymorphic file infector
which infects .exe, .scr files
, creates a peer-to-peer (P2P) botnet that compromises your computer
, downloads more malicious files to your computer, steals sensitive system information/passwords and sends it back to the attacker. -- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS
Symantec's Assessment of Win/32Sality
As an entry-point obscuring (EPO) polymorphic file infector, the virus gains control of the host body by overwriting the file with complex and encrypted code instructions. The goal of the complex code is to make analysis more difficult for researchers to see the real purpose and functionality implemented in the code...Infected files will have their original, initial instructions overwritten by complex code instructions with the encrypted viral code body located in the last section of the file.
About Sality VirusSality
As with many other malware, Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped file(s) when the drive is accessed.
is commonly spread
via a flash drive
(usb, pen, thumb, jump) where it can infect executable files on local, removable and remote shared drives. The infection is often contracted by visiting remote
sites. These type of sites are infested with a smörgåsbord of malware
and a major source of system infection.
Since Win32.Sality is not effectively disinfectable
, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed
. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted
and anti-malware scanners cannot disinfect them properly.
Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat
and reinstall the OS. Please read:
Backdoors and What They Mean to You
Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system
This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?
The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).
If you wish to continue let me see the results of this scan.
I cannot promise you that we will completely remove all traces of this file infector.
ComboFix is not an infected program if downloaded from one of these sites.
Your Anti virus program may object to it. Makes sure it's disable. If you still have an old version you will be asked to update the tool. Please do so.
Please download ComboFix from one of these locations:Link 1Link 2* IMPORTANT !!! Save ComboFix.exe to your Desktop
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
- Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Double click on ComboFix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
- Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt
in your next reply.
Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.htmlDo not mouse click ComboFix's window while it's running. That may cause it to stall