Previous topic: https://forums.malwarebytes.com/topic/269862-the-powerful-trojan-sality-sinkhole/

Now this malware/trojan or whatever, it's the same but more efficient, and it makes some archives corrupt or weird, even destroying the logic of the OS in System32/SysWOW

I can't even run the fix by Microsoft

The log of the error: 

---------------------------------------------------------------------------------------
Microsoft Safety Scanner v1.351, (build 1.351.782.0)
Started On Thu Oct 21 02:46:52 2021

Failed to submit MAPS report: 0x80510002
Failed to submit clean hearbeat MAPS report: 0x80510002

Exception Caught: 0x800700B6
Microsoft Safety Scanner Finished On Thu Oct 21 02:57:57 2021

Return code: 1 (0x1)
0002
Failed to submit clean hearbeat MAPS report: 0x80510002

Exception Caught: 0x800700B6
Microsoft Safety Scanner Finished On Thu Oct 21 02:53:00 2021

Return code: 1 (0x1)

---------------------------------------------------------------------------------------
Microsoft Safety Scanner v1.351, (build 1.351.782.0)
Started On Thu Nov 18 02:39:21 2021

Failed to submit MAPS report: 0x80510002
Failed to submit clean hearbeat MAPS report: 0x80510002

Exception Caught: 0x800700B6
Microsoft Safety Scanner Finished On Thu Nov 18 03:00:51 2021

Return code: 1 (0x1)

I don't see the error "800700B6" or "80510002" in https://support.microsoft.com/en-us/topic/how-to-troubleshoot-an-error-when-you-run-the-microsoft-safety-scanner-6cd5faa1-f7b4-afd2-85c7-9bed02860f1c

It can infect a USB drive, making 2 files: "Autorun.inf" and "randomchars.pif"

On the local disk C, it's "autorun.inf" and "randomchars.exe", so when I use Unlocker to delete both, Unlocker shows me the process that is using the files (an infected process that uses 60% of the CPU)

The autorun has this:

In USB

[AutoRun]
;kbPiaEipbdxByVuLjynMJ iogXx
;hYLsHklSNssidvcdEbHvrumkjlXrWmrjfYnjJxLkFjq esea
Open = aptprw.pif
;
sHell\eXplore\COmMaNd = aptprw.pif
;
shElL\OpEN\DefAUlt=1
sheLL\OpeN\comMaND= aptprw.pif
;bkPoLhrbajwoBltFmcxQVtJ qDxjXePiWvXnwkOhrsag 
sheLl\AutoPLay\COmmAnd = aptprw.pif

In PC

[AutoRun]
;LgYXwkYcvH IDhsaSwkku CbdifpBwJ
shell\OpeN\COmMand = plif.exe
;CcRcSj kxprwtDrwIVikiRi 
sheLl\open\defaulT=1
;beEupdWAxGM
shelL\eXplOrE\CommAnD = plif.exe

;
opeN= plif.exe
;XsJIP jyoN
SheLl\AutOpLaY\cOMmAnd=plif.exe
;

I made a manual vaccine named "autorun.inf" with all permissions denied to prevent reads/writes on the local disk "C:", but even without the files "autorun.inf" (the original from the malware) and "some.exe", some process can still be infected and use 60% of the CPU

So, where is the script executed?

The "Task Scheduler" is clean

Malwarebytes only detects the autorun and the executables and .pif files with random chars, and tracks and blocks weird sites from this malware

But it cannot destroy the malware at the root like Microsoft Safety Scanner

kevinf80

 

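The two autorun.inf files quoted in the post above use randomised letter case and filler comments, which defeats exact-string matching while Windows still reads the keys case-insensitively. The triage sketch below is an added example, not part of the original thread or of any tool named in it; the function name, the heuristics and the extension list are assumptions made for illustration.

```python
import re

# Keys that make Windows start a program from the drive root (case-insensitive).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Spellings a normal authoring tool produces: lower, UPPER or CamelCase.
NORMAL_CASE = re.compile(r"^(?:[a-z]+|[A-Z]+|(?:[A-Z][a-z]+)+)$")
EXECUTABLE_EXT = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")

def analyze_autorun(text):
    """Summarise launch targets and obfuscation signs in autorun.inf text."""
    targets, odd_case_keys, comment_lines = set(), 0, 0
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";"):
            # Count only comments that carry text; a bare ';' is an empty line.
            comment_lines += len(line) > 1
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            # Randomised letter case (sHell, COmMaNd) is the obfuscation sign.
            if not all(NORMAL_CASE.match(w) for w in key.split("\\")):
                odd_case_keys += 1
            if LAUNCH_KEY.match(key) and value.lower().endswith(EXECUTABLE_EXT):
                targets.add(value.lower())
    return {
        "targets": sorted(targets),
        "odd_case_keys": odd_case_keys,
        "comment_lines": comment_lines,
        "suspicious": bool(targets) and odd_case_keys > 0,
    }

# The USB-drive file as quoted in the post above.
USB_AUTORUN = r"""[AutoRun]
;kbPiaEipbdxByVuLjynMJ iogXx
;hYLsHklSNssidvcdEbHvrumkjlXrWmrjfYnjJxLkFjq esea
Open = aptprw.pif
;
sHell\eXplore\COmMaNd = aptprw.pif
;
shElL\OpEN\DefAUlt=1
sheLL\OpeN\comMaND= aptprw.pif
;bkPoLhrbajwoBltFmcxQVtJ qDxjXePiWvXnwkOhrsag
sheLl\AutoPLay\COmmAnd = aptprw.pif
"""

if __name__ == "__main__":
    print(analyze_autorun(USB_AUTORUN))
```

A hit only says that the drive root carries a disguised launcher; the file it names still has to be scanned or removed by the security tooling.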

Hiya ShiroNaomi

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... If English is not your primary language, right-click on FRST/FRST64 and rename it FRSTEnglish/FRST64English

 
  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The tool will also make a log named (Addition.txt). Please also attach that log to your reply.


Also do the following if necessary:

Disable smart screen ONLY if it interferes with software we may have to use:

https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8

Please remember to enable when we are finished....

Next,

Disable any Anti-virus software you have installed ONLY if it stops software we may use from working:

https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Please remember to enable AV software when we are finished running scans....

Thank you,

Kevin

  • Root Admin

Good day @ShiroNaomi

 

What you really need to do is back up your data and do a clean fresh install of Windows. The computer can never be trusted again for any type of critical operations such as banking, medical, business.

You are continuing to place your privacy and safety of the system and data at risk by not formatting the drive and reinstalling Windows.

 

Below is the safe, prudent, logical thing that should be done, and stop wasting your time playing games with this hit-and-miss cleanup.

 

Greg Carmack - MVP 2010-2020 - Clean Install Windows 10
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587

How to Create a Local Account While Setting Up Windows 10
https://www.howtogeek.com/442792/how-to-create-a-local-account-while-setting-up-windows-10/

 


29 minutes ago, AdvancedSetup said:

What you really need to do is backup your data and do a clean fresh install of Windows. The computer can never be trusted again for any type of critical operations such as banking, medical, business.

Hi
It wouldn't really help me at all
Mainly because I think there is some infected file out of the thousands and thousands that I have and use on a daily basis
So if I reinstall Windows 7 (which is the one I use and is extremely comfortable for me), I would end up in the same thing by running the infected file
No anti-malware would detect it and when scanning it will give false executable threats devices as they all do
Better to confront the malware than to reinstall the operating system and get infected again.


  • Root Admin

Sorry but installing Windows 7 from CD/DVD and installing new software from authorized software vendors is not going to reinfect the computer.

You should not be backing up computer programs and reinstalling them as yes they can be infected.

Again, up to you but I could not fathom spending years of my life running a known infected computer and knowing that it's nothing better than a glorified tool to run notepad because nothing else would be secure to run on this system.

It's your life and your computer so you can certainly do as you wish but don't expect others to spend countless hours over and over cleaning a known trashed system.

 

Remove the partition, Format the drive, install Windows 7 from CD/DVD. Upgrade all of it.
https://forums.malwarebytes.com/topic/274496-how-to-update-windows-7-to-the-latest-security-updates/

Then install a good legacy antivirus program such as Kaspersky or ESET and have them do FULL scans of ALL saved data and remove ALL infected items found.

Download new installers for any software you wish to install again. Do not use old installers that have potentially already been infected. Those should be deleted.

 

 


46 minutes ago, AdvancedSetup said:

Download new installers for any software you wish to install again. Do not use old installers that have potentially already been infected. Those should be deleted.

It's what I do
Download the programs from the original site, like WinRAR

It doesn't necessarily have to be an executable, it can be an infected file like a .txt

I am aware of the solutions you give me, but as I said, if you don't know how to destroy this malware, I would be getting infected again and again
Windows 10 is not an exception
With concern I made this topic because Malwarebytes does not give me a solution, and that is one of the most powerful there is
The Microsoft tool that Kevin told me about could fix it before by destroying the malware root, but my external hard drive was infected and I got infected again when running a file

It seems that this malware evolved, and every time I destroy everything shallow manually, it seems to evolve and destroy the logic of some files on the system
Thank you so much for the link to the topic that you did about "How to update Windows 7 to the latest Security Updates". I will apply all that, but when I reinstall Win 7, because of course I will, after destroying this malware to save the cleaned files.

 


  • Root Admin
16 minutes ago, ShiroNaomi said:

I am aware of the solutions you give me, but as I said, if you don't know how to destroy this malware, I would be getting infected again and again

 

 

I've personally removed this and it has not returned. So yes I do know exactly what I'm talking about. I've been doing computer support for 30 years and malware removal for almost 15 years.

If you follow the instructions I provided it will not return. If you skip directions it might return

 


1 hour ago, AdvancedSetup said:

I've personally removed this and it has not returned. So yes I do know exactly what I'm talking about. I've been doing computer support for 30 years and malware removal for almost 15 years.

If you follow the instructions I provided it will not return. If you skip directions it might return

It's OK

But I reinstalled Win 7 with Malwarebytes before and I got infected again opening one of my documents/media

And with all updates from Windows Update installed

If I reinstall Win 7 again following the topic that you did, even if I open an infected file like a .txt again, the malware won't work anymore?

I would really like to clean the infected files before reinstalling windows 7 following your security topic.


  • Root Admin

I'm sorry but I'm going to go ahead and stop following this topic. If @kevinf80 wishes to continue to assist you then by all means please do.

 

I've provided the steps that you should do to stop this.

  1. Format the hard drive
  2. Boot from CD/DVD into the Windows 7 installer (do not boot from USB as it could be infected). Do a custom install and remove the partitions, then allow the installer to set and create the partition and install Windows
  3. Update to the latest Windows 7 updates (do not install anything else, do not connect any other external drives, etc)
  4. After all updates have been installed, install a Kaspersky Total Security trial version and update it and do a full scan of the current computer.
  5. Disable Autorun and Autoplay on the system
  6. Connect your external USB hard drive to the computer (do not run or click on anything) then have Kaspersky do a FULL scan of the external USB drive and fix or delete anything bad it finds
  7. Connect one at a time ALL of your USB thumb drives to the computer and again have Kaspersky do a FULL scan of the USB drives. If you have 15 thumb drives, scan them all and repair them all
  8. The same thing with other external USB drives. If you have several, make sure ALL external drives are FULLY scanned and cleaned by Kaspersky
  9. Temporarily disable Kaspersky Total Security and run a Microsoft Safety Scan and again do a Full scan of all drives
  10. Now install the Firefox browser and add the uBlock Origin content blocker to the browser
  11. Download verified vendor installers for any programs or games you want to use. Do not use ANY installers you've previously saved regardless if it was scanned or not. Get fresh new ones from the Vendor
  12. Keep Kaspersky Total Security enabled at all times. Once the trial has ended decide if you want to keep it or try another vendor such as ESET or Avast. Regardless, at this point if you want to stay on Windows 7 you'll need to pay for a good antivirus as the one from Microsoft is not good enough on Windows 7. It is a pretty good program on Windows 10 but not on Windows 7.

 

If you follow the advice above you should not see this infection again on this system unless you once again either download a crack or pirated software which is more than likely where it came from in the past. Do not use P2P torrenting software.

Review the information here to help keep the computer safe.
https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/

 

Virus:W32/Sality information F-Secure

 

  • Keep Your Security Software Up to Date
  • Do Not Download Suspicious Attachments
  • Limit User Privileges (don't use an Admin account for day to day use of the computer)
  • Avoid Pirated Software
  • Avoid P2P Torrenting programs

 

 


  • 4 months later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you

 

 

This topic is now closed to further replies.