
Windows XP infected with Virus.Sality,PUM.Hijack.Regedit, PUM.Hijack.TaskManager



#1 vp17 (Members, 6 posts)

Posted 27 May 2014 - 03:18 AM

Hello!

As per Malwarebytes Anti-Malware scan results, my PC is infected with the following:

PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),,[15346897017956e03bc6c763917352ae]

PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),,[4bfe4eb14337d264758def3bb74d3ac6]

PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),,[4306689786f4f73fab5882a8877d21df]

PUM.Hijack.TaskManager, HKU\S-1-5-21-2000478354-179605362-682003330-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DisableTaskMgr, 1, Good: (0), Bad: (1),,[69e042bdf28891a5c728da51e1237a86]

PUM.Hijack.Regedit, HKU\S-1-5-21-2000478354-179605362-682003330-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DisableRegistryTools, 1, Good: (0), Bad: (1),,[dc6db34c314924124548f238798bf20e]
 

 

Please note:

1. The virus came through an infected pen drive.

2. I am unable to boot the computer in safe mode. It keeps going in a loop.

3. I have used Combofix, Hitmanpro, Avast, MBAM and Anvi Smart Defender to remove the infections, but the infections keep coming back. Now Combofix, Hitmanpro and Avast have become corrupt and unusable.

4. Task Manager and registry editing have been disabled. I tried to enable Task Manager by going into that Group Policy thing, but that didn't work.

5. The PC works fine except for MBAM giving infection results in the scan.

6. Also, I tried removing infections using Windows MRT. I have used it thrice since 25/5/14, but the infections keep coming back.

Please guide me in removing the infections.
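As an added example (not part of this thread and not Malwarebytes' own code), the following Python parses MBAM detection lines of the kind quoted above into structured records, notes what each flagged policy value does when set to 1, and lists the data each value should be restored to. It assumes that the "-{GUID}-0" suffix MBAM prints after the user SID is its own log notation rather than part of the registry path.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# MBAM detection lines have the shape quoted in the post:
#   <Category>, <Hive\Key>|<ValueName>, <Data>, Good: (<g>), Bad: (<b>),,[<id>]
LINE_RE = re.compile(
    r"^(?P<category>[^,]+),\s*(?P<key>[^|,]+)\|(?P<value>[^,]+),\s*(?P<data>[^,]+),\s*"
    r"Good:\s*\((?P<good>[^)]*)\),\s*Bad:\s*\((?P<bad>[^)]*)\),,\[(?P<ident>[0-9a-f]+)\]$"
)
# Assumption: MBAM writes user hives as HKU\<SID>-{GUID}-<n>\...; the suffix is
# its own notation, not part of the registry path, so it is stripped and the SID kept.
SID_RE = re.compile(r"^HKU\\(?P<sid>S-1-5-21(?:-\d+)+)-\{[0-9A-Fa-f-]+\}-\d+\\(?P<rest>.+)$")
# Effect of each flagged value when set to 1 (standard Windows policy semantics).
EFFECT = {
    "DisableTaskMgr": "Task Manager blocked for this user",
    "DisableRegistryTools": "regedit.exe blocked for this user",
    "AntiVirusDisableNotify": "Security Center antivirus warnings silenced",
    "FirewallDisableNotify": "Security Center firewall warnings silenced",
    "UpdatesDisableNotify": "Security Center update warnings silenced",
}
# Two lines copied from the post above, used as sample input.
SAMPLE_LOG = [
    r"PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),,[15346897017956e03bc6c763917352ae]",
    r"PUM.Hijack.TaskManager, HKU\S-1-5-21-2000478354-179605362-682003330-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DisableTaskMgr, 1, Good: (0), Bad: (1),,[69e042bdf28891a5c728da51e1237a86]",
]
@dataclass
class Detection:
    key: str            # registry key with MBAM's SID suffix removed
    value: str
    data: str           # data found on the machine
    good: str           # data MBAM considers clean
    sid: Optional[str]  # owning user SID for HKU entries, else None
    effect: str

def parse_detection(line: str) -> Optional[Detection]:
    """Parse one MBAM detection line; None for lines in any other format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key, sid = m["key"].strip(), None
    if s := SID_RE.match(key):
        sid, key = s["sid"], f"HKU\\{s['sid']}\\{s['rest']}"
    val = m["value"].strip()
    return Detection(key, val, m["data"].strip(), m["good"].strip(), sid,
                     EFFECT.get(val, "unknown policy value"))

def restore_plan(lines: List[str]) -> List[tuple]:
    """(key, value, good) for every entry whose data differs from its clean value."""
    dets = [d for d in map(parse_detection, lines) if d and d.data != d.good]
    return [(d.key, d.value, d.good) for d in dets]
```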


#2 xXToffeeXx (Malware Response Instructor)

Posted 27 May 2014 - 04:45 AM

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.

A few points to cover before we start:

  • Do not run any tools without being instructed to, as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in "receive notifications" and it is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold; make sure to take note of it.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay, then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before the topic is closed. If you need more time than this, please let me know.
  • Let's get going now!

==========================

Hi vp17,

This doesn't sound good, but I would like to confirm it is Sality before I give you some bad news.

What detected Sality? Do you have a log for that program?

Also, please go to the root of your drive (normally C:) and you should see a text file named Combofix.txt. Please copy and paste that into your next reply.

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#3 xXToffeeXx (Malware Response Instructor)

Posted 31 May 2014 - 04:29 AM

Hi vp17,

This is a 3-day bump:

It has been 3 days since my last post.

  • Do you still need help with this?
  • If after 48 hrs you have not replied to this thread, then it will have to be closed.

xXToffeeXx~




#4 vp17 (Topic Starter)

Posted 31 May 2014 - 05:25 AM

Dear Ms Toffee,

Virus.Sality was detected by Malwarebytes Anti-Malware. I had seen it in one of the scan reports.

I ran MRT again and, after restarting the computer post scan, I found that I was able to open the Registry Editor. I deleted the registry entries corresponding to the following, at the given address:

PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),,[15346897017956e03bc6c763917352ae]

PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),,[4bfe4eb14337d264758def3bb74d3ac6]

PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),,[4306689786f4f73fab5882a8877d21df]

PUM.Hijack.TaskManager, HKU\S-1-5-21-2000478354-179605362-682003330-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DisableTaskMgr, 1, Good: (0), Bad: (1),,[69e042bdf28891a5c728da51e1237a86]

PUM.Hijack.Regedit, HKU\S-1-5-21-2000478354-179605362-682003330-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DisableRegistryTools, 1, Good: (0), Bad: (1),,[dc6db34c314924124548f238798bf20e]
 

After deleting them, I ran MRT and MBAM again.

Nothing detected this time.

I went to some other website and tried downloading some other free antivirus (I don't recollect the name). While doing that, "Crossrider" came onto my computer, and after that my PC shut down. On starting it, I found that the PC had begun to continuously restart as soon as the Windows page would come up. So I had the PC formatted by a computer technician. It's working fine now.

Thanks for the prompt response!!



#5 xXToffeeXx (Malware Response Instructor)

Posted 31 May 2014 - 08:46 AM

Hi vp17,

You're welcome.
Just for the record, it wasn't the adware known as Crossrider that likely caused the continuous restart behavior. Sality is a polymorphic virus, which makes it pretty much impossible to clean properly. With enough time, system files become infected by Sality, which makes the system unstable. Any attempt to clean them can end up with an unbootable computer too, which you experienced.

I suggest changing all your passwords though, as Sality will steal them. If you do banking on that computer, then it would be wise to alert your bank and keep a close eye on your accounts.

I have also compiled a list of links which you may be interested in:

This topic will be left open for 3 days in case you have any problems; otherwise it will be closed after that time.

xXToffeeXx~




#6 xXToffeeXx (Malware Response Instructor)

Posted 03 June 2014 - 10:13 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
