Can't deal with "Sality" on my own


  • This topic is locked
8 replies to this topic

#1 Destroyer140

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Location:Hungary
  • Local time:09:09 AM

Posted 31 August 2012 - 12:22 PM

Hi!

So I was helping my neighbour get a driver for his new VGA, and in trade (since he knew I had just put together a PC for myself a week ago, and I help him all the time when he doesn't understand something) he offered me one of his old HDDs and a DVD reader, so I took them home and installed both. Now the problem is that shortly after that I noticed that my Control Panel would not open, since it said that it had been disabled by the system administrator. I didn't remember doing such a thing, and my PC is protected with a password, so no one else could have done it. So I decided to open up regedit and re-enable it, which turned out to be restricted as well. At that point I got suspicious and decided to check the files on the HDD I had just brought home, and noticed that "show hidden files" had also been turned off, while I always had it enabled, along with "unhide OS's hidden files". Then I noticed that there was an autorun.inf and a randomly named exe on the new HDD. At that point I started to feel silly for not having AV software installed, which I thought useless just because the PC hasn't got an internet connection anyway, so I grabbed my pendrive and went to my other PC for the newest version of ComboFix and rkill, "so I will deal with it in 15 min and can start moving my stuff to the new HDD etc...". Now that didn't exactly go as planned: at first, as soon as I connected the pendrive to the other PC, AVG instantly noticed an autorun.inf and a randomly named .pif file which it recognized as "Sality", so I thought that it would be even easier, since that must be some virus from the stone age.
So after I got back to the PC that was infected I copied the 2 programs to the desktop and started with rkill so it would disable whatever was running on the PC, but actually it was rkill that got shot down by the virus. I decided that ComboFix might still be able to deal with it on its own, which was also unsuccessful, because 1: I didn't have an internet connection, so ComboFix couldn't grab the Microsoft Recovery Console; 2: it froze at the part where it says it will begin the search and that it might take more than 10 min on badly infected machines. At that point that malware didn't look as hilarious as 10 minutes before, so I tried to get it with other "normal" antiviruses. Started with Spybot Search and Destroy, which failed since it couldn't get the newest virus database for itself without an internet connection; then Avast simply wouldn't install because the installation process kept getting terminated; then I managed to install MBAM, which found it in 10+ locations and said it would need the PC restarted to finish, but in the end it was still there. So after that I went back to the other PC and googled the name of the virus, and what I found looked even worse than I thought, but in the comments I saw someone linking to a removal tool AVG created specially against this virus, which, although it disinfected 20+ exes that had been infected by the virus, also failed to remove it. So that was the part where I realized that patiently trying different things was not gonna work, because the more time it's on the PC the more EXEs it can infect, and it's time to ask help from professionals.

tl;dr
Got a new HDD with a virus hiding on it; can't access Control Panel and regedit since the virus restricted them, and every 1-2 minutes it takes off the checkmark from "show hidden files".

Also, I was only able to make the DDS logs. When I try to run a scan with GMER after I set up the checkmarks properly, it throws me out to a BSOD (same result with multiple attempts). I don't know if it helps, but the BSOD error is this:
PAGE_FAULT_IN_NONPAGED_AREA

Technical Information:
***Stop: 0x00000050 (0XFEE2D008,0x00000000, 0xB7B163B3, 0x00000000)

*** kwaoikod.sys - Address B7B163B3 base at B7B12000, DataStamp4e21f298

Posting log from here as requested:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by Mothership Zeta at 15:08:22 on 2012-08-31
Microsoft Windows XP Professional 5.1.2600.3.1250.36.1038.18.255.48 [GMT 2:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sound Station\SNXUACP.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mothership Zeta\Asztal\pendrive rip\Process Explorer\procexp.exe
.
============== Pseudo HJT Report ===============
.
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\indtpu~1\sounds~1.lnk - c:\program files\sound station\SNXUACP.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mothership zeta\application data\mozilla\firefox\profiles\qrcpzaz4.default\
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-7-30 239168]
R3 amsint32;amsint32;\??\c:\windows\system32\drivers\pmmon.sys --> c:\windows\system32\drivers\pmmon.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 ALS4KMF;ALS4KMF;c:\windows\system32\drivers\mf.sys [2004-8-4 63744]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-8-30 40776]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-7-25 113120]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
scrfile="%1" %*
.
=============== Created Last 30 ================
.
2012-08-31 11:22:33 -------- d-s---w- C:\ComboFix
2012-08-31 09:01:57 103140 --sh--r- C:\sxlj.pif
2012-08-31 08:38:04 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-08-30 17:51:42 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-08-30 17:35:24 -------- d-----w- c:\documents and settings\mothership zeta\application data\Malwarebytes
2012-08-30 17:35:05 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-08-30 17:35:04 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-30 17:35:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-30 17:33:55 -------- d-----w- c:\program files\HitmanPro
2012-08-30 17:33:48 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-08-30 16:39:48 -------- d-----w- c:\windows\system32\XPSViewer
2012-08-30 16:37:58 27648 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2012-08-30 16:37:28 14048 ------w- c:\windows\system32\spmsg2.dll
2012-08-30 16:25:40 -------- d--h--w- c:\windows\PIF
2012-08-30 15:54:59 -------- d-----w- c:\windows\XSxS
2012-08-30 15:54:59 -------- d-----w- c:\program files\Xenocode
2012-08-30 15:54:59 -------- d-----w- c:\documents and settings\mothership zeta\local settings\application data\Xenocode
2012-08-30 13:54:55 -------- d-----w- c:\program files\Spybot - Search & Destroyy
2012-08-30 13:01:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-08-30 13:01:55 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-08-30 12:30:15 98816 ----a-w- c:\windows\sed.exe
2012-08-30 12:30:15 518144 ----a-w- c:\windows\SWREG.exe
2012-08-30 12:30:15 256000 ----a-w- c:\windows\PEV.exe
2012-08-30 12:30:15 208896 ----a-w- c:\windows\MBR.exe
2012-08-15 23:35:11 -------- d-----w- c:\windows\pss
2012-08-15 22:22:29 -------- d-----w- c:\documents and settings\mothership zeta\application data\Image-Line
2012-08-15 22:16:52 -------- d-----w- c:\program files\ASIO4ALL v2
2012-08-15 22:15:57 225280 ----a-w- c:\windows\system32\rewire.dll
2012-08-15 22:15:57 -------- d-----w- c:\program files\VstPlugins
2012-08-15 22:14:19 1554944 ----a-w- c:\windows\system32\vorbis.acm
2012-08-15 22:14:07 -------- d-----w- c:\program files\Outsim
2012-08-15 22:06:25 -------- d-----w- c:\program files\FL Studio 10
2012-08-15 22:03:58 -------- d-----w- c:\program files\Image-Line
2012-08-15 22:01:45 -------- d-----w- c:\program files\PaintTool SAI English Pack
2012-08-10 06:58:14 -------- d-----w- C:\No mans land
.
==================== Find3M ====================
.
2012-07-30 16:56:24 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-07-25 01:02:40 0 ----a-w- c:\windows\ativpsrm.bin
2012-07-24 21:14:18 1295360 ----a-w- C:\apploc.msi
.
============= FINISH: 15:09:03,20 ===============

Thanks for taking the time to read all this and for helping me.

Dest

P.S.: Sorry for my grammar/typos (typing this from a laptop, so I'm sure there will be some)

Edit: Seems like the end of the description didn't get posted since it was too long: So I ran into the first malware the "Rkill/Combofix" combo can't cut.

Edit 2: Also forgot to mention that trying to boot into safe mode also leads to a BSOD, with it suggesting to do a virus check.

Edited by Destroyer140, 31 August 2012 - 01:14 PM.



#2 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:09 AM

Posted 04 September 2012 - 06:50 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

I'm afraid I have very bad news. The system is infected with a nasty variant of Win32/Sality. This family of malware is a polymorphic file infector which infects .exe, .scr files, downloads more malicious files to your computer, steals sensitive system information/passwords and sends it back to the attacker.

Please see Kaspersky's Threat Encyclopaedia of Win32.Sality.NAO.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

As with many other malware, Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped file(s) when the drive is accessed.

About Sality Virus

If the computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach.

Because your computer was compromised please read:

Since Win32.Sality is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
m0le is a proud member of UNITE
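As an added example (not part of this thread, and not a BleepingComputer or DDS tool), the script below reads the three DDS sections from post #1 that carry the symptoms m0le describes: the policy restrictions that lock out regedit and Task Manager, a hidden+system dropper with a .pif/.exe/.cmd extension sitting in a drive root, and a registered driver whose file DDS cannot find on disk. The sample lines are copied from the posted log; the function names and the "suspect policy" table are this example's own choices.

```python
import re

# Constructed excerpt: these lines are copied from the DDS log in post #1 above
# (Pseudo HJT Report, SERVICES / DRIVERS and Created Last 30 sections).
SAMPLE_LOG = """\
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\\windows\\system32\\drivers\\dtsoftbus01.sys [2012-7-30 239168]
R3 amsint32;amsint32;\\??\\c:\\windows\\system32\\drivers\\pmmon.sys --> c:\\windows\\system32\\drivers\\pmmon.sys [?]
2012-08-31 11:22:33 -------- d-s---w- C:\\ComboFix
2012-08-31 09:01:57 103140 --sh--r- C:\\sxlj.pif
2012-08-30 17:35:04 22344 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
"""

POLICY_RE = re.compile(r"^[umd]Policies-\w+:\s*(\w+)\s*=\s*(\d+)")
DRIVER_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+)$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+([-a-z]{8})\s+(.+)$")
ROOT_FILE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")

# Policy values matching the symptoms in the thread: regedit and Task Manager
# locked out (value 1), UAC reported disabled (value 0). Table chosen for this example.
SUSPECT_POLICIES = {"DisableRegistryTools": 1, "DisableTaskMgr": 1, "EnableLUA": 0}
# Extensions m0le lists as the files Sality drops next to autorun.inf.
DROPPER_EXTS = (".pif", ".exe", ".cmd")

def parse_policies(log):
    """Return {policy name: integer value} for every *Policies-* line."""
    found = {}
    for line in log.splitlines():
        m = POLICY_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def find_hidden_root_files(log):
    """Non-directory entries in a drive root with system (s) and hidden (h) attributes and a dropper extension."""
    hits = []
    for line in log.splitlines():
        m = CREATED_RE.match(line)
        if not m:
            continue
        attrs, path = m.groups()
        if attrs[0] == "d":  # directory entry, not a file
            continue
        if ("s" in attrs and "h" in attrs and ROOT_FILE_RE.match(path)
                and path.lower().endswith(DROPPER_EXTS)):
            hits.append(path)
    return hits

def find_missing_driver_files(log):
    """Service/driver entries whose image path DDS marks with [?] (registered, but file not on disk)."""
    missing = []
    for line in log.splitlines():
        m = DRIVER_RE.match(line)
        if m and m.group(2).rstrip().endswith("[?]"):
            missing.append(m.group(1).strip())
    return missing

def triage(log):
    """Collect all findings as human-readable strings, policies first."""
    findings = []
    policies = parse_policies(log)
    for name, bad_value in SUSPECT_POLICIES.items():
        if policies.get(name) == bad_value:
            findings.append(f"policy {name} = {bad_value}")
    findings += [f"hidden system file in drive root: {p}" for p in find_hidden_root_files(log)]
    findings += [f"driver with missing file: {s}" for s in find_missing_driver_files(log)]
    return findings
```

Running `triage(SAMPLE_LOG)` on the excerpt yields five findings: the three policy values, `C:\sxlj.pif`, and the `amsint32` driver.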

#3 Destroyer140


Posted 05 September 2012 - 01:26 PM

Hi!

I believe I have successfully dealt with the infection. Since I'm a bit stubborn when it comes to "accepting that I lost", and I saw that I would probably need to wait about 5 days before I got a reply, I decided that I could keep trying meanwhile, since the system is offline and the virus has the disadvantage of not being able to update itself or connect to any site that it was programmed to. So after some more and more reading I ran into a comment saying that Kaspersky's "Sality killer" was working for him. So after about half a minute of googling I found the program together with a guide https://support.kaspersky.com/faq/?qid=208279889 . I saved both files it said to, and the webpage in HTML (so I could follow the guide even though I didn't have internet access on the infected machine), and brought everything to the infected machine on my pendrive. Then I followed through the guide exactly as it said. The program first terminated the running malware process, then fixed things in the registry so I once more had access to regedit and Control Panel, then started to scan through both of the HDDs. Shame it didn't save a log; apparently the virus really tried anything: it had multiple infected files in system32, it was also there in some form of driver, it infected multiple system restore points (although it was disabled on both HDDs), and the best part: it crawled into any .exe file it ran into, just as the review sites said. Although all those exes were disinfected, it left some programs unable to run (luckily nothing irreplaceable). After the scan was finished I ran the 2 reg keys the 2nd thing I needed to download contained: 1 disabled every single way that enabled autorun.inf to work (I never even liked autorun anyway, and if anything, this virus is a perfect example of why to have it off), the other one fixed my safe mode so it no longer boots to a BSOD. After that I did a restart to see if the virus would just reinstall itself somehow again or whether everything would be alright.
Luckily the signs are that it's gone (I haven't got restricted out of anywhere, the "show hidden files" check mark stayed in its place, and my pendrive no longer had autorun and .pif/.exe files getting copied onto it every single time). An interesting thing, however, is that the tool left the last copy of autorun.inf and the exe/pif file in C:\ and D:\, but by that time they weren't running, so I was able to delete the one in D:\ simply by "delete+enter", and I added the one in C:\ to a rar file, named it as AVG recognized it (Sality.AG variant), stripped the compressed thing of its .rar extension and put it onto my "trophy collection" pendrive (that's another one than the one I normally use) along with other things I dealt with. After that I ran a full system scan with a normal Kaspersky antivirus program as the guide said, but it didn't find anything else.

So as of yet everything seems to be normal (save that GMER still BSODs at the same part if I try to create a log with it), and I haven't seen any sign of the infection reappearing. I also installed and got my wifi antenna working (I ironically got it on the day I got infected), which I wasn't using until I got somewhat confident that the infection was gone, since I didn't want to play with the risk that it starts spreading between everything in touch with our WIFI router. The first thing I did was download and install every possible security update that Windows Update could find.

So is there a way to fix GMER so that I could post all 3 logs, ensuring that nothing is left behind?

#4 m0le

Posted 05 September 2012 - 07:36 PM

I'm glad that you found the Sality Killer worked for you. I'm no quitter either but with Sality it is difficult to clean it completely and the policy is to take no chances and reformat and reinstall. Why your Gmer still won't run I don't know but it is a rootkit scanner and Sality is a file infector.

Try aswMBR

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#5 Destroyer140

Posted 05 September 2012 - 08:27 PM

You didn't mention if I need to get the Avast database for the scan, so I went with yes (I hope this didn't create too much useless stuff in the log). Here is the log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-06 02:51:42
-----------------------------
02:51:42.734 OS Version: Windows 5.1.2600 Szervizcsomag 3
02:51:42.734 Number of processors: 2 586 0x401
02:51:42.734 ComputerName: MOTHERSHIP_ZETA UserName: Mothership Zeta
02:51:44.328 Initialize success
03:08:10.265 AVAST engine defs: 12090502
03:09:05.968 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-f
03:09:05.984 Disk 0 Vendor: Maxtor_31024H2 BAC51KJ0 Size: 9541MB BusType: 3
03:09:06.000 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T1L0-17
03:09:06.000 Disk 1 Vendor: QUANTUM_FIREBALL_CX6.4A A3F.0B00 Size: 6149MB BusType: 3
03:09:06.015 Disk 0 MBR read successfully
03:09:06.015 Disk 0 MBR scan
03:09:09.734 Disk 0 Windows XP default MBR code
03:09:09.750 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 9531 MB offset 63
03:09:13.250 Disk 0 scanning sectors +19519920
03:09:14.312 Disk 0 scanning C:\WINDOWS\system32\drivers
03:09:58.625 Service scanning
03:10:33.609 Modules scanning
03:10:55.218 Disk 0 trace - called modules:
03:10:55.234 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
03:10:55.234 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x813146c0]
03:10:55.234 3 CLASSPNP.SYS[f92a1fd7] -> nt!IofCallDriver -> \Device\00000062[0x813155d0]
03:10:55.234 5 ACPI.sys[f9218620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-f[0x81316d98]
03:10:56.140 AVAST engine scan C:\WINDOWS
03:11:10.281 AVAST engine scan C:\WINDOWS\system32
03:15:47.671 AVAST engine scan C:\WINDOWS\system32\drivers
03:16:09.828 AVAST engine scan C:\Documents and Settings\Mothership Zeta
03:17:12.765 AVAST engine scan C:\Documents and Settings\All Users
03:17:27.843 Scan finished successfully
03:17:49.171 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Mothership Zeta\Asztal\MBR.dat"
03:17:49.171 The log file has been saved successfully to "C:\Documents and Settings\Mothership Zeta\Asztal\aswMBR.txt"

#6 m0le

Posted 06 September 2012 - 02:48 PM

That looks fine. I think we'll leave it alone. If anything returns then post back, after 5 days I will close the thread. From here, it looks pretty good but I haven't done a full scan and only time will tell.

You okay with that?

#7 Destroyer140

Posted 06 September 2012 - 05:00 PM

I felt somewhat confident that I got rid of the infection, but hearing from an expert that even the logs look clean makes me feel safe enough. One day I have to learn how to make sense of these logs so I could see when and what caused the infection and what it changed. I'm fine with the "wait and see" thing; I will contact you if anything happens. In case nothing happens, to re-comment: Thank you for reassuring me that my PC looks clear and for the time you put in to read through my logs ^^

#8 m0le

Posted 06 September 2012 - 07:43 PM

Thanks, let's hope I never hear from you again :wink:

#9 m0le

Posted 10 September 2012 - 06:42 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.