Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Help! Win32/Heur and Win32/Sality.nar in my pc


  • This topic is locked

#1
janmaroh (New Member, 7 posts)
Help

My computer has gone crazy after I got this Win32/Heur and Win32/Sality.nar. I have done a lot of scans with different anti-virus programs; at first AntiVir scanned and deleted some viruses, but ESET NOD32 could still find some Win32/Sality.nar. Then I did a lot of things to clean my PC, until now ESET NOD32 and AntiVir could not detect a virus anymore. I'm not sure if my PC is cleaned already, and now I'm scared to take the risk of installing some programs from my last infected drives; this virus might infect my PC again. Could someone help me check if my PC is cleaned now?

Thank you..

Edited by janmaroh, 05 November 2010 - 05:26 AM.

  • 0



#2
janmaroh (Topic Starter, New Member, 7 posts)
Please, anyone help me. I just want to make sure that my PC is clean now before I run any of my exe files on my drives.

Edited by janmaroh, 06 November 2010 - 06:31 PM.

  • 0

#3
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi there, let's do a final check.

Step 1. Preparation to disinfection:

Download the file Sality.zip
Extract SalityKiller.exe
Run the file SalityKiller.exe

Step 2. Registry repair: (Allow the files to merge when requested)

Download Sality_regkeys.zip
Extract the file Sality_RegKeys.zip
Run the file Disable_autorun.reg from the archive Sality_RegKeys.zip

Step 3. Finalising: (Allow the files to merge when requested)

From the archive Sality_RegKeys.zip run the file of the registry key:
  • under Windows 2000 run the registry file SafeBootWin200.reg
  • under Windows XP run the registry file SafeBootWinXP.reg
  • under Windows 2003 run the registry file SafeBootWinServer2003.reg
  • under Windows Vista / 2008 run the registry file SafebootVista.reg
  • under Windows 7 / 2008 R2 run the registry file SafebootWin7.reg

FULL SCAN

Download Dr Web from here http://www.freedrweb.com/?lng=en (link on the top right of the page), tick the EULA and then download.

It will download as an 8-digit file; save it to your desktop.

Restart in safe mode and run
Accept the enhanced version
Then run the quick scan
About halfway through you will be prompted to buy - just X the box closed
Once finished it will generate a log please attach that

ANALYSIS LOG

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT



  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

  • 0

#4
janmaroh (Topic Starter, New Member, 7 posts)
I'm sorry sir, but I can't seem to download the Dr.Web. Is there any other site?
  • 0

#5
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Were you able to run the Sality fix?

If so then

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#6
janmaroh (Topic Starter, New Member, 7 posts)
Yes, I was able to run the Sality fix. I'll post the result with the ComboFix a.s.a.p. Thanks again.
  • 0

#7
janmaroh (Topic Starter, New Member, 7 posts)
ComboFix 10-11-03.04 - pawing 11/09/2010 7:33.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1613 [GMT -8:00]
Running from: c:\documents and settings\pawing\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-10-09 to 2010-11-09 )))))))))))))))))))))))))))))))
.

2010-11-07 08:18 . 2010-11-07 22:03 -------- d-----w- C:\iDate
2010-11-05 04:30 . 2010-11-05 04:39 -------- d-----w- C:\ESRI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]
"SkyTel"="SkyTel.EXE" [2007-10-11 1826816]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-08 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-08 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-08 137752]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-06 281768]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/3/2010 7:58 AM 135336]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys --> c:\windows\system32\drivers\dwprot.sys [?]
S3 XDva312;XDva312;\??\c:\windows\system32\XDva312.sys --> c:\windows\system32\XDva312.sys [?]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\pawing\Application Data\Mozilla\Firefox\Profiles\wew53zm9.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-09 07:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-11-09 07:37:50
ComboFix-quarantined-files.txt 2010-11-09 15:37
ComboFix2.txt 2010-11-06 09:04

Pre-Run: 48,029,949,952 bytes free
Post-Run: 48,031,674,368 bytes free

- - End Of File - - 32A57D43D339E4C9D5445E4BC4F32FB2
  • 0
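When reviewing a ComboFix log like the one posted above, the sections a helper actually reads are the Run-key autostarts, the firewall policy and the driver/service list; the posted log, for instance, shows the standard-profile firewall set to `EnableFirewall=0` and two services (`DwProt`, `XDva312`) whose driver files are marked `[?]` (not present on disk). The following Python script is an added example, not part of the thread or of ComboFix itself: it parses those three sections from a constructed excerpt that mirrors the posted log and reports the points a reviewer would check. The regular expressions and the "non-absolute path" heuristic are my own assumptions about the log format, derived only from the lines visible in the thread.

```python
"""Triage helper for ComboFix-style logs (added example; not a ComboFix tool)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt modelled on the log posted in the thread above.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-08 141848]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-06 281768]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys --> c:\windows\system32\drivers\dwprot.sys [?]
S3 XDva312;XDva312;\??\c:\windows\system32\XDva312.sys --> c:\windows\system32\XDva312.sys [?]
"""

RUN_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"
FIREWALL_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"

# Assumed line shapes, taken from the posted log: "name"="path" [date size]
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<date>\S+)\s+(?P<size>\d+)\]$')
FIREWALL_LINE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')
# Service/driver lines: <state> <name>;<display name>;<path> [date size]  or  ... --> <path> [?]
SERVICE_LINE = re.compile(r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$')


@dataclass
class RunEntry:
    name: str
    path: str
    size: int


@dataclass
class Service:
    state: str
    name: str
    path: str
    file_missing: bool  # True when ComboFix marked the file with [?]


@dataclass
class Report:
    run_entries: List[RunEntry] = field(default_factory=list)
    services: List[Service] = field(default_factory=list)
    firewall_enabled: Optional[bool] = None  # None if the policy key was not in the log


def parse_combofix_log(text: str) -> Report:
    """Extract Run-key autostarts, firewall state and services from the log text."""
    report = Report()
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line  # a registry key header switches the current section
            continue
        if current_key == RUN_KEY:
            m = RUN_LINE.match(line)
            if m:
                report.run_entries.append(RunEntry(m["name"], m["path"], int(m["size"])))
                continue
        if current_key == FIREWALL_KEY:
            m = FIREWALL_LINE.match(line)
            if m:
                report.firewall_enabled = m["value"] != "0"
                continue
        m = SERVICE_LINE.match(line)
        if m:
            rest = m["rest"]
            missing = rest.endswith("[?]")
            # For a missing file the log prints "path --> path [?]"; keep the last path.
            tail = rest.split("-->")[-1] if missing else rest
            path = tail.rsplit("[", 1)[0].strip()
            report.services.append(Service(m["state"], m["name"], path, missing))
    return report


def triage(report: Report) -> List[str]:
    """Return the review points a helper would raise on this log."""
    findings = []
    if report.firewall_enabled is False:
        findings.append("Windows Firewall (standard profile) is disabled: EnableFirewall=0")
    for svc in report.services:
        if svc.file_missing:
            findings.append(f"Service {svc.name} ({svc.state}) points to a file that is not present: {svc.path}")
    for entry in report.run_entries:
        # Heuristic (assumption): a bare file name resolves via the search path, so confirm what loads.
        if not re.match(r"^[a-zA-Z]:\\", entry.path):
            findings.append(f"Run entry {entry.name} uses a non-absolute path ({entry.path}); confirm which file it resolves to")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_combofix_log(SAMPLE_LOG)):
        print(finding)
```

Running the script on the excerpt prints four findings: the disabled firewall, the two services whose driver files are absent, and the bare `RTHDCPL.EXE` autostart to confirm. The parser ignores the decorative `((((( ... )))))` banners and the `REGEDIT4` line because they match none of the patterns, and the `AuthorizedApplications\List` key header resets the section so its entries are not mistaken for Run-key autostarts.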

#8
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
How is the computer running now? Any problems?
  • 0

#9
janmaroh (Topic Starter, New Member, 7 posts)
I think it's ok, but I still haven't tried running some of my exe files. :D lol I probably got a phobia for "exe" files. Anyway, thanks for the help. More power to Geeks to Go.

Thanks Essexboy.
  • 0

#10
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Looking at that I am a happy bunny ;) I can see no further malware signs.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :D

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to hidden, as some of the tools I use will change that:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

SPRING CLEAN

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe ;)
  • 0

#11
janmaroh (Topic Starter, New Member, 7 posts)
OK, thank you again. I'll do what you've told me in your last reply. Thanks.
  • 0

#12
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :D

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
