Anti-rootkit won't work help.


  • Root Admin

Let me have you try this tool please.

 

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files


Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from.

Note: When using Reset FF Proxy Settings option Firefox should be closed.
 


  • Root Admin

Please run MBAM and check for updates, then do a Quick Scan and post back that new log.

 

Next, please download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get "Unsupported operating system. Aborting now", just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please post the contents of that document.
  • Do Not Attach It!!!


 


Results of screen317's Security Check version 0.99.77
 Windows XP Service Pack 3 x86
 Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!
Please wait while WMIC is being installed.d
ECHO is off.
ECHO is off.
ECHO is off.
ECHO is off.
ECHO is off.
 Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.75.0.1300
 CCleaner
 Java 7 Update 45
 Adobe Flash Player 11.9.900.170
 Adobe Reader XI
 Google Chrome 31.0.1650.57
 Google Chrome 31.0.1650.63
 Google Chrome plugins...
````````Process Check: objlist.exe by Laurent````````
 ESET NOD32 Antivirus ekrn.exe
 Malwarebytes Anti-Malware mbamservice.exe
 Malwarebytes Anti-Malware mbamgui.exe
 Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 28% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

  • Root Admin

Okay please run this and post a new log.

 

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


 


People are telling me combofix is a W32.Sality virus.

 

 

Virus Systems Affected: Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
 
W32.Sality is an entry-point obscuring (EPO) polymorphic file infector. It will infect executable files on local, removable and remote shared drives. The virus also creates a peer-to-peer (P2P) botnet and receives URLs of additional files to download. It then attempts to disable security software. 

Infection 
W32.Sality will infect executable files on local, removable and remote shared drives. It replaces the original host code at the entry point of the executable to redirect execution to the polymorphic viral code, which has been encrypted and inserted in the last section of the host file. 

In addition to infecting local and remotely shared executable files, W32.Sality will purposely search for specific registry subkeys to infect the executable files that run when Windows starts. 


Functionality 
The W32.Sality family of threats has been around for some time as the first versions surfaced in 2003 and may have originated in Russia. At that time, W32.Sality was a less complicated file infector, prepending its viral code to a host file and having back door capability and keylogging functionality. 

Over the years the core functionalities remained the same but it has become more sophisticated by including additional features that aid worm-like propagation, ensure its survival, and perform maliciously damaging activities. Among these activities is the decentralized peer-to-peer network (P2P) that W32.Sality-infected computers create and populate. 

As an entry-point obscuring (EPO) polymorphic file infector, the virus gains control of the host body by overwriting the file with complex and encrypted code instructions. The goal of the complex code is to make analysis more difficult for researchers to see the real purpose and functionality implemented in the code. 

It spreads by infecting executable files on local, removable and remote shared drives. Infected files will have their original, initial instructions overwritten by complex code instructions with the encrypted viral code body located in the last section of the file. 

The threat participates in a P2P botnet and receives URLs of additional files to download. Downloading and executing other malware or security risks is one of the primary goals of this virus. A compromised host carries with it a list of HTTP URLs that point to resources to be downloaded, decrypted, and executed. These URLs can also point to more URLs. The encryption used is RC4 with static keys embedded in the compromised host. 

The threat also attempts to disable security software and modify security configurations. It alters the safe mode functionality to ensure it remains on the compromised computer. To help hide its presence and ensure continuity of execution, it will inject itself into all running processes except processes that belong to the system, the local service or the network service. 

SHA256 Hashes of known affected versions are:


4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d
4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8

 

My friend is telling me to ask you this lol. Do I have those versions?

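Added example, not code from the thread or from any of the tools it names: it computes the SHA256 of a downloaded file and reports whether it matches one of the hashes quoted above, which is the check behind "Do I have those versions?". The file it hashes in demo() is constructed, and the helper names are my own.

```python
"""Added example: SHA256 check of a file against the ComboFix hashes quoted above."""
import hashlib
import os
import tempfile

# The three distinct hashes quoted in the thread (the list above repeats one).
KNOWN_BAD_SHA256 = frozenset(h.lower() for h in (
    "4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333",
    "e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d",
    "e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8",
))


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so a large executable is never read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_bad_digest(digest):
    """Case-insensitive membership test against the quoted hashes."""
    return digest.strip().lower() in KNOWN_BAD_SHA256


def check_download(path):
    """Return (hexdigest, matches_known_bad) for the file at path."""
    digest = sha256_of_file(path)
    return digest, is_known_bad_digest(digest)


def demo():
    """Run the check on a constructed sample file (not a real ComboFix binary).
    Returns (digest_agrees_with_hashlib, flagged_as_known_bad)."""
    sample = b"constructed sample bytes, not a real executable"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
        path = tmp.name
    try:
        digest, flagged = check_download(path)
    finally:
        os.remove(path)
    return digest == hashlib.sha256(sample).hexdigest(), flagged


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:  # usage: python check_combofix.py C:\path\to\ComboFix.exe
        d, flagged = check_download(p)
        print(d, p, "MATCHES A KNOWN-INFECTED BUILD" if flagged else "not in the list")
```

A match only tells you the file is one of the builds quoted above; a non-match does not prove the download is clean, so the vendor's current download is still the thing to compare against.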

  • Root Admin

There was a version of Combofix that was out for about an hour months ago that was infected by the Sality infection.  That was pulled very quickly and has not had an issue since.
Please uninstall ALL versions of Java from your Control Panel, Add/Remove and then run the following.
 

 

Please download JavaRa-1.16 and save it to your computer.

  • Double click to open the zip file and then select all and choose Copy.
  • Create a new folder on your Desktop named RemoveJava and paste the files into this new folder.
  • Quit all browsers and other running applications.
  • Right-click on JavaRa.exe in RemoveJava folder and choose Run as administrator to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it in your next reply.

 

 

Also uninstall Pando Media Booster as well.

 

Run MSCONFIG and set it back to NORMAL and reboot.  MSCONFIG is a diagnostic tool not a start up manager.  When using it as a start up manager you can no longer use it as a diagnostic tool.  Microsoft Autoruns can be used for that or WinPatrol if wanted.

 

 

Then run a Disk Check on your system.  Click on START - RUN, type in CMD.EXE and click OK.

Then type the following and press the Enter key.

 

CHKDSK C: /R

 

The system will tell you it cannot lock the drive and ask if you want to check after restart.  Press the Y key and then the Enter key.

 

 

Now go ahead and restart the computer and let the disk check run.


  • Root Admin

The logs show that some parts of Java are still running and MSCONFIG is not set to NORMAL.

It also shows that you did not disable your antivirus while running Combofix.

 

Please review and remove any items from Startup for Java and run MSCONFIG again and reset to NORMAL and reboot the computer.

 

Please copy the event for the disk check and post it back on your next reply.

How to view and manage event logs in Event Viewer in Windows XP

 

When that is all done then disable your antivirus and run combofix again and post back the new log please.

 

 

PLEASE NOTE:  It is Christmas tomorrow and Holiday Season so response times can take a while.


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
