Can't get rid of W32/Sality.AT

JohanF · July 31, 2012

Hi,

A friend came to me with his laptop with no icons apearing on the desktop. I managed to get them back by running explorer.exe via taskmanager, but suspected some malware infections as his anti-virus protection was outdated. I installed the Avira Free scanner, which detected thousands of files infected with W32/Sality.AT. A number of other trojans were also detected. After numerous reboot and re-scan attempts, and also a scan with MBAM, I still get the W32/Sality.AT virus as well as some other trojans like TR/Agent2, TR/Patched, TR/Crypt.XPACK and TR/Crypt.ZPACK.

Futhermore, a small AutoIt Error window pops up every time after a re-start with the message "Unable to open the script file"

Here are the DDS logs as well as the MBAM log:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by User at 11:18:26 on 2012-07-31

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2902 [GMT 2:00]

.

AV: Kaspersky Anti-Virus *Disabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Anti-Virus *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\drivers\audio\r205445\stacsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\WINDOWS\system32\AESTFltr.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ICO.EXE

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\WINDOWS\system32\ChgService.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\WINDOWS\system32\rpcnet.exe

C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://agriculture.kzntl.gov.za/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = proxy.kzntl.gov.za:3128

uInternet Settings,ProxyOverride = *.KZNTL.GOV.ZA; 10.200.188.*;<local>

mWinlogon: System=ziswin.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [WinApps] c:\documents and settings\user\application data\javainst.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe

mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [PMX Daemon] ICO.EXE

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Autorun Eater] c:\program files\autorun eater\oldmcdonald.exe

mRun: [WinApps] c:\documents and settings\user\application data\javainst.exe

mRun: [MobileBroadband] c:\program files\vodafone\vodafone mobile broadband\bin\MobileBroadband.exe /silent

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mExplorerRun: [WinApps] c:\documents and settings\user\application data\javainst.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations mp4\ie_banner_deny.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241690082484

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

TCP: Interfaces\{12EEDB33-EBF2-456A-9C3B-36CD89EFE58B} : NameServer = 196.43.1.11,196.25.1.11

TCP: Interfaces\{5B852397-714C-400B-85EC-DEFB87AD21CA} : NameServer = 196.43.1.11,196.25.1.11

Notify: igfxcui - igfxdev.dll

mASetup: {6FF1DCAB-A6BA-468D-A7AC-CFEBDECB9BCA} - c:\documents and settings\user\application data\javainst.exe

.

============= SERVICES / DRIVERS ===============

.

R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-7-30 36000]

R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-7-30 86224]

R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-7-30 110032]

R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-7-30 74640]

R2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [2011-10-14 135168]

R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2008-11-11 808296]

R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2008-11-11 20840]

R2 VmbService;Vodafone Mobile Broadband Service;c:\program files\vodafone\vodafone mobile broadband\bin\VmbService.exe [2010-9-8 8704]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-2-10 112128]

R3 CCIDFILTER;Broadcom Smart Card Reader Filter Driver;c:\windows\system32\drivers\ccidflt.sys [2009-2-10 12840]

R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-2-10 32808]

R3 d553bus;Dell Wireless 5530 HSPA Mobile Broadband Minicard Device driver (WDM);c:\windows\system32\drivers\d553bus.sys [2009-2-10 300672]

R3 d553card;Dell Wireless 5530 HSPA Mobile Broadband Minicard i7;c:\windows\system32\drivers\d553card.sys [2009-2-10 378368]

R3 d553gps;Dell Wireless 5530 HSPA Mobile Broadband Minicard GPS Port;c:\windows\system32\drivers\d553gps.sys [2009-2-10 76328]

R3 d553mdfl;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem Filter;c:\windows\system32\drivers\d553mdfl.sys [2009-2-10 14976]

R3 d553mdfl2;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem 2 Filter;c:\windows\system32\drivers\d553mdfl2.sys [2009-2-10 14976]

R3 d553mdm;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem Driver;c:\windows\system32\drivers\d553mdm.sys [2009-2-10 387200]

R3 d553mdm2;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem 2 Driver;c:\windows\system32\drivers\d553mdm2.sys [2009-2-10 431616]

R3 d553nd5;Dell Wireless 5530 HSPA Mobile Broadband Minicard NetworkAdapter (NDIS);c:\windows\system32\drivers\d553nd5.sys [2009-2-10 25984]

R3 d553unic;Dell Wireless 5530 HSPA Mobile Broadband Minicard NetworkAdapter (WDM);c:\windows\system32\drivers\d553unic.sys [2009-2-10 402944]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-2-10 244368]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-2-10 110080]

R3 Sony_EricssonWWSC;Dell Wireless 5530 HSPA Mobile Broadband Minicard PC SC Port;c:\windows\system32\drivers\d553scard.sys [2009-2-10 25640]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-1-4 136176]

S3 amsint32;amsint32;\??\c:\windows\system32\drivers\gnmoh.sys --> c:\windows\system32\drivers\gnmoh.sys [?]

S3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\drivers\cmnsusbser.sys [2011-10-14 103424]

S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011-8-2 114432]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-1-4 136176]

S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2011-8-2 100736]

S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]

.

=============== Created Last 30 ================

.

2012-07-31 05:43:14 -------- d-----w- c:\windows\system32\NtmsData

2012-07-30 11:19:36 -------- d-----w- c:\documents and settings\user\application data\Avira

2012-07-30 11:19:08 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2012-07-30 11:19:08 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys

2012-07-30 11:19:08 -------- d-----w- c:\program files\Avira

2012-07-30 11:19:08 -------- d-----w- c:\documents and settings\all users\application data\Avira

2012-07-30 10:37:13 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes

2012-07-30 10:37:06 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-07-30 10:37:05 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-30 10:37:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-07-18 14:10:39 -------- d-----w- c:\documents and settings\user\application data\tazebama

2012-07-01 17:24:08 -------- d-sh--r- c:\documents and settings\user\local settings\application data\Start

.

==================== Find3M ====================

.

2012-07-31 08:51:00 17408 ----a-w- c:\windows\system32\rpcnetp.exe

2012-07-31 08:50:58 58288 ----a-w- c:\windows\system32\rpcnet.dll

2012-07-31 08:09:11 17408 ----a-w- c:\windows\system32\rpcnetp.dll

2012-07-30 15:48:43 143360 ----a-w- c:\windows\system32\igfxtray.exe

2012-07-30 11:21:57 471040 ----a-w- c:\windows\system32\AESTFltr.exe

2012-07-30 11:21:53 178712 ----a-w- c:\windows\system32\hkcmd.exe

2012-07-30 11:21:52 150040 ----a-w- c:\windows\system32\igfxpers.exe

2012-07-30 11:21:48 49152 ----a-w- c:\windows\system32\ico.exe

.

============= FINISH: 11:18:50.71 ===============

Attach.txt:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 2009/02/27 05:27:27 PM

System Uptime: 2012/07/31 10:50:19 AM (1 hours ago)

.

Motherboard: Dell Inc. | | 0GY027

Processor: Intel® Core2 Duo CPU P8400 @ 2.26GHz | Microprocessor | 2260/266mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 112 GiB total, 89.22 GiB free.

D: is CDROM ()

E: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

Acrobat.com

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Reader 9

All Day Battery Life Configuration

Autorun Eater v2.5

Avira Free Antivirus

BioAPI Framework

Broadcom USH Host Components

BRU Report Writer version 9

Computer Basics

Computer Security and Privacy

Conexant HDA D330 MDC V.92 Modem

Dell 5530 Wireless Broadband Package

Dell Resource CD

Dell Security Device Driver Pack

Dell Touchpad

Digital Lifestyles

Digital Line Detect

Ericsson Wireless Manager

ESRI MapObjects 2 Runtime

Google Earth Plug-in

Google Update Helper

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Windows XP (KB945436)

Hotfix for Windows XP (KB949764)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB953955)

Hotfix for Windows XP (KB954434)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB958347)

Hotfix for Windows XP (KB959252)

Hotfix for Windows XP (KB961118)

Intel PROSet Wireless

Intel® Graphics Media Accelerator Driver

Intel® Network Connections 13.0.42.0

Intel® PRO Alerting Agent

Intel® PROSet/Wireless WiFi API

Intel® PROSet/Wireless WiFi Driver

Intel® Matrix Storage Manager

Java 6 Update 11

Java 6 Update 7

Malwarebytes Anti-Malware version 1.62.0.1300

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Baseline Security Analyzer 2.1

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft Office Professional Edition 2003

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Modem Diagnostic Tool

Mouse Suite for Laptop Computers

MSXML 4.0 SP2 (KB936181)

MSXML 6.0 Parser (KB933579)

NetWaiting

NICI (Shared) U.S./Worldwide (128 bit) (2.7.4-1)

PowerDVD

Productivity Programs

Roxio Activation Module

Roxio Creator Audio

Roxio Creator BDAV Plugin

Roxio Creator Copy

Roxio Creator Data

Roxio Creator DE

Roxio Creator Tools

Roxio Drag-to-Disc

Roxio Express Labeler 3

Roxio Update Manager

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Media Player (KB952069)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960714)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB963027)

Sonic CinePlayer Decoder Pack

The Internet and the World Wide Web

Update for Windows XP (KB898461)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951618-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

VKOM 301USB version 5.458

Vodafone Mobile Broadband Lite

WebFldrs XP

WIDCOMM Bluetooth Software

Windows Driver Package - Dell Inc. PBADRV System (01/07/2008 1.0.1.5)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows NT Messaging

Windows Presentation Foundation

XML Paper Specification Shared Components Pack 1.0

.

==== Event Viewer Messages From Past Week ========

.

2012/07/30 12:54:02 PM, error: PlugPlayManager [11] - The device Root\LEGACY_AMSINT32\0000 disappeared from the system without first being prepared for removal.

2012/07/30 11:35:56 AM, error: SCardSvr [610] - Smart Card Reader 'Broadcom Corp Contacted SmartCard 0' rejected IOCTL GET_STATE: The device has been removed.

2012/07/30 10:10:03 PM, error: Service Control Manager [7024] - The Avira Realtime Protection service terminated with service-specific error 303 (0x12F).

2012/07/30 10:09:43 PM, error: ACPI [43] - The system sleep operation failed

2012/07/30 01:25:51 PM, error: Service Control Manager [7034] - The Avira Realtime Protection service terminated unexpectedly. It has done this 3 time(s).

2012/07/30 01:25:38 PM, error: Service Control Manager [7031] - The Avira Realtime Protection service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

2012/07/30 01:25:28 PM, error: Service Control Manager [7031] - The Avira Realtime Protection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

2012/07/24 04:34:42 PM, error: Dhcp [1002] - The IP address lease 41.8.139.236 for the Network Card with network address 001E101F0815 has been denied by the DHCP server 41.9.76.109 (The DHCP Server sent a DHCPNACK message).

.

==== End Of File ===========================

MBAM Log:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.31.04

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

User :: EXTENSIONREC136 [administrator]

2012/07/31 12:27:25 PM

mbam-log-2012-07-31 (12-50-53).txt

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 218584

Time elapsed: 4 minute(s), 49 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 8

HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.

HKCR\TypeLib\{1D4DB7D0-6EC9-47a3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.

HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.

HKCR\FunWebProductsInstaller.Start.1 (PUP.MyWebSearch) -> No action taken.

HKCR\FunWebProductsInstaller.Start (PUP.MyWebSearch) -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> No action taken.

HKLM\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> No action taken.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 3

HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

I'm sure some clever person will be able to help me here! Thanks in advance!

Johan

LDTate · July 31, 2012

John, I hope you're getting paid for working on these

These show ->No action taken

Are you selecting to remove them?

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> No action taken.

HKLM\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> No action taken.

JohanF · July 31, 2012

John, I hope you're getting paid for working on these

If only I could get paid fro this! :angry: - there's another one waiting for me with some very nasties on it (attacked my flash drive and all the AV software on it!)

Somehow I thought that I was not suppose to remove any malware after submitting the DDS log. I'm currently scanning with MBAM again an will opt to remove them. Should I submit anything(log) after that?

LDTate · July 31, 2012

Yes, submit the log from MBAM when finished and a new DDS log as well

JohanF · July 31, 2012

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.31.04

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

User :: EXTENSIONREC136 [administrator]

2012/07/31 02:27:06 PM

mbam-log-2012-07-31 (14-27-06).txt

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 218253

Time elapsed: 19 minute(s), 7 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 8

HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\TypeLib\{1D4DB7D0-6EC9-47a3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProductsInstaller.Start.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProductsInstaller.Start (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> Quarantined and deleted successfully.

HKLM\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 3

HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by User at 15:05:28 on 2012-07-31

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2825 [GMT 2:00]

.

AV: Kaspersky Anti-Virus *Disabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Anti-Virus *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\drivers\audio\r205445\stacsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\WINDOWS\system32\AESTFltr.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ICO.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\WINDOWS\system32\ChgService.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\WINDOWS\system32\rpcnet.exe

C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Internet Explorer\iexplore.exe