
Virus.Sality



I'm new to malwarebytes forums and my computer has been really messed up lately. I'll get rid of three fourths of all the infections and then they all come back. I currently have: Malware.Packer.Gen, Backdoor.Bifrose, Worm.Spambot, Trojan.Spambot, Bifrose.Trace, Backdoor.Bot, Virus.Sality, and there are multiple of all listed. I ran ComboFix which will take a lot of them out but then they all come back.

Here is the log for my scan with ComboFix. Thanks.

ComboFix 10-12-18.01 - Administrator 12/18/2010 16:14:08.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.461 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

c:\windows\system\javapc.dll

.

---- Previous Run -------

.

C:\Autorun.inf

c:\windows\system\java.exe

c:\windows\system\javapc.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ASC3360PR

-------\Service_amsint32

-------\Service_asc3360pr

-------\Legacy_ASC3360PR

-------\Service_amsint32

-------\Service_asc3360pr

((((((((((((((((((((((((( Files Created from 2010-11-18 to 2010-12-18 )))))))))))))))))))))))))))))))

.

2010-12-18 03:49 . 2010-12-18 03:52 -------- d-----w- c:\program files\Active PC Optimizer

2010-12-18 02:48 . 2010-12-18 02:48 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-12-18 02:30 . 2010-02-22 15:37 147456 ----a-w- c:\windows\system\java.exe

2010-12-17 18:59 . 2010-12-17 18:59 7475200 ----a-w- c:\windows\system32\rmslt.nt

2010-12-17 18:38 . 2010-12-17 18:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Threat Expert

2010-12-17 17:14 . 2010-12-17 17:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\DriverCure

2010-12-17 17:14 . 2010-12-17 17:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\ParetoLogic

2010-12-17 17:13 . 2010-12-17 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic

2010-12-17 04:18 . 2010-12-17 04:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Deployment

2010-12-15 22:12 . 2010-12-15 22:24 -------- d-----w- c:\windows\system32\MpEngineStore

2010-12-14 21:41 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-12 22:33 . 2010-12-12 22:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-12-12 22:33 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-12 22:33 . 2010-12-12 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-12-12 22:33 . 2010-12-12 22:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-12 22:33 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-10 17:55 . 2010-12-15 21:55 -------- d-----w- c:\program files\Microsoft IntelliType Pro

2010-12-10 17:33 . 2010-12-10 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles

2010-12-10 17:15 . 2010-09-11 06:46 887912 ----a-w- c:\windows\system32\nvdispco32.dll

2010-12-10 17:15 . 2010-09-11 06:46 813672 ----a-w- c:\windows\system32\nvgenco32.dll

2010-12-09 03:58 . 2010-12-09 03:58 -------- d-----w- c:\program files\Bonjour

2010-12-09 03:43 . 2010-12-09 03:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll

2010-12-09 03:43 . 2010-12-09 03:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll

2010-12-09 03:43 . 2010-12-09 03:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll

2010-12-09 03:43 . 2010-12-09 03:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll

2010-12-09 03:43 . 2010-12-09 03:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll

2010-12-09 03:43 . 2010-12-09 03:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll

2010-12-09 03:43 . 2010-12-09 03:43 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll

2010-12-08 17:31 . 2010-12-08 23:46 -------- d--h--w- c:\windows\msdownld.tmp

2010-12-08 14:05 . 2010-12-08 14:05 -------- d-----w- c:\program files\Common Files\xing shared

2010-12-08 14:04 . 2010-12-08 14:05 -------- d-----w- c:\program files\real

2010-12-08 01:33 . 2010-12-08 01:33 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\SoftGrid Client

2010-12-08 01:33 . 2010-12-08 11:58 -------- d-----w- c:\documents and settings\Guest\Application Data\SoftGrid Client

2010-12-01 16:59 . 2010-12-01 16:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-18 21:31 . 2010-03-02 18:53 9216 ----a-w- c:\windows\base64.exe

2010-12-16 00:03 . 2009-05-15 13:02 90112 ----a-w- c:\windows\DUMP606f.tmp

2010-12-14 22:20 . 2007-04-09 16:32 93696 ----a-w- c:\windows\system32\Ctxfihlp.exe

2010-12-08 14:05 . 2006-07-11 22:35 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-11-18 18:12 . 2009-05-15 17:49 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-15 22:20 . 2010-11-15 22:20 138 ---ha-w- c:\documents and settings\Administrator\Application Data\lakerda1967.sys

2010-11-15 22:20 . 2010-11-15 22:20 360580 ----a-w- c:\windows\eSellerateEngine.dll

2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2009-05-18 13:50 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25 . 2009-05-18 13:50 1853312 ----a-w- c:\windows\system32\win32k.sys

2010-10-21 22:44 . 2010-11-10 19:15 438976 ----a-w- c:\windows\system32\Mshflxgd.ocx

2010-10-21 22:44 . 2010-11-10 19:15 212240 ----a-w- c:\windows\system32\Richtx32.ocx

2010-10-21 22:44 . 2010-11-10 19:15 196608 ----a-w- c:\windows\system32\Utility.dll

2010-10-21 22:44 . 2010-11-10 19:15 117507 ----a-w- c:\windows\system32\msinet.ocx

2010-10-21 22:44 . 2010-11-10 19:15 139264 ----a-w- c:\windows\system32\gswin32c.exe

2010-10-19 20:51 . 2010-11-04 17:28 222080 ------w- c:\windows\system32\MpSigStub.exe

2010-10-12 15:11 . 2010-10-01 17:33 664 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\d3d9caps.tmp

2010-10-07 17:23 . 2010-10-07 17:23 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-10-07 17:23 . 2010-10-07 17:23 107808 ----a-w- c:\windows\system32\dns-sd.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-27 39408]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-15 200192]

"ares"="c:\program files\Ares\Ares.exe" [2010-07-21 4185088]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-14 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 458752]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 278528]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 139264]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 114688]

"SetDefPrt"="c:\program files\Brother\Brmfl05b\BrStDvPt.exe" [2005-01-26 122880]

"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2010-12-14 1081344]

"USBDetector"="c:\usbstorage\USBDetector.exe" [2003-04-01 126976]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1028096]

"QuickFinder Scheduler"="c:\program files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [2007-01-03 147456]

"PDF4 Registry Controller"="c:\program files\ScanSoft\PDF Professional 4.0\RegistryController.exe" [2010-12-14 122880]

"ScanSoft PDF Professional 4-reminder"="c:\program files\ScanSoft\PDF Professional 4.0\Ereg\Ereg.exe" [2006-11-16 107520]

"CTxfiHlp"="CTXFIHLP.EXE" [2010-12-14 93696]

"CTHelper"="CTHELPER.EXE" [2009-06-23 89088]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 330256]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 136192]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 242688]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 99840]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 1004544]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1159168]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-12-08 274608]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 495616]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-09-11 110696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-09-11 13851752]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1824256]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-03-26 1433600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

"shdocvw"="wscript.exe" [2008-05-08 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2010-1-27 393216]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-5-19 884736]

QuickBooks Delivery Agent.lnk - c:\program files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe [2009-5-25 192512]

Wireless Network Monitor.lnk - c:\program files\Linksys\WUSB600N\WUSB600N.exe [2007-12-14 6991872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\WINDOWS\\system32\\mrtMngr.EXE"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"=

"c:\\program files\\real\\realplayer\\RealPlay.exe"=

"c:\\Program Files\\Microsoft IntelliType Pro\\itype.exe"=

"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=

"c:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe"=

"c:\\Program Files\\Brother\\Brmfl05b\\BrStDvPt.exe"=

"c:\\Program Files\\Ares\\Ares.exe"=

"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=

"c:\\Program Files\\Intuit\\QuickBooks\\Components\\QBAgent\\QBDAgent.exe"=

"c:\\WINDOWS\\system\\java.exe"=

"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=

"c:\\Program Files\\Google\\Update\\1.2.183.39\\GoogleCrashHandler.exe"=

"c:\\Program Files\\Real\\RealUpgrade\\realupgrade.exe"=

"c:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"=

"c:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"=

"c:\\WINDOWS\\stsystra.exe"=

"c:\\Program Files\\iTunes\\iTunesHelper.exe"=

"c:\\Program Files\\Microsoft IntelliType Pro\\dpupdchk.exe"=

"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Update\\1.2.183.39\\GoogleCrashHandler.exe"=

"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=

"c:\\Program Files\\Linksys\\WUSB600N\\WUSB600N.exe"=

"c:\\Program Files\\Common Files\\Logishrd\\KHAL2\\KHALMNPR.EXE"=

"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=

"c:\\Program Files\\NVIDIA Corporation\\nView\\nwiz.exe"=

"c:\\Program Files\\Logitech\\SetPoint\\SetPoint.exe"=

"c:\\WINDOWS\\system32\\CTHELPER.EXE"=

"c:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\DW20.EXE"=

"c:\\USBStorage\\USBDetector.exe"=

"c:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe"=

"c:\\Program Files\\Logitech\\SetPoint\\LU\\LULnchr.exe"=

"c:\\Documents and Settings\\Administrator\\Desktop\\ComboFix.exe"=

"c:\\WINDOWS\\system32\\cmd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]

R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2/28/2010 2:33 AM 821664]

R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [5/19/2009 12:53 PM 45824]

R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [4/24/2010 1:10 AM 483688]

R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [7/27/2005 4:25 PM 14080]

R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [7/27/2005 4:25 PM 36352]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/23/2009 12:34 PM 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/23/2009 12:34 PM 555032]

R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [6/23/2009 12:36 PM 18840]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/23/2009 12:34 PM 566296]

R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [5/19/2009 12:53 PM 56960]

R3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [5/19/2009 4:32 AM 91830]

R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [12/2/2009 10:23 PM 554344]

R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [12/2/2009 10:23 PM 211432]

R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [12/2/2009 10:23 PM 20584]

R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [12/2/2009 10:23 PM 18280]

R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [4/24/2010 1:10 AM 209768]

R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [7/27/2005 4:25 PM 77056]

S1 khichjfa;khichjfa;\??\c:\windows\system32\drivers\khichjfa.sys --> c:\windows\system32\drivers\khichjfa.sys [?]

S1 tuptnchl;tuptnchl;\??\c:\windows\system32\drivers\tuptnchl.sys --> c:\windows\system32\drivers\tuptnchl.sys [?]

S1 xugkgpwf;xugkgpwf;\??\c:\windows\system32\drivers\xugkgpwf.sys --> c:\windows\system32\drivers\xugkgpwf.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/28/2010 12:22 AM 212480]

S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [5/15/2009 1:51 PM 20160]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/23/2009 12:34 PM 99352]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [9/29/2009 10:13 PM 157184]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/23/2009 12:34 PM 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/23/2009 12:35 PM 100888]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/23/2009 12:35 PM 100888]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/23/2009 12:34 PM 566296]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4710912]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 7:00 AM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASC3360PR

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

2010-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-28 05:22]

2010-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-28 05:22]

2010-12-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-220523388-839522115-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-24 04:27]

2010-12-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-220523388-839522115-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-24 04:27]

2010-12-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1645522239-220523388-839522115-500.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

2010-12-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1645522239-220523388-839522115-500.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

2010-12-18 c:\windows\Tasks\User_Feed_Synchronization-{DE3F6AD8-35DF-4765-8202-9AB46C8BB149}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

IE: Copy to &Lightning Note - c:\program files\WordPerfect Lightning\Programs\WPLightningCopyToNote.hta

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

IE: Open with ScanSoft PDF Converter 4.1 - c:\program files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100

IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta

DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-18 16:29

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTxfiHlp = CTXFIHLP.EXE?

CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1645522239-220523388-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,e4,ad,53,a1,b5,3c,48,a3,76,59,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,e4,ad,53,a1,b5,3c,48,a3,76,59,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(504)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2448)

c:\windows\system32\WININET.dll

c:\windows\system32\ctagent.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\windows\system32\brsvc01a.exe

c:\program files\Creative\Shared Files\CTAudSvc.exe

c:\windows\system32\brss01a.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CTsvcCDA.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\PSIService.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\MsPMSPSv.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\windows\stsystra.exe

c:\windows\system32\CTHELPER.EXE

c:\windows\system32\RUNDLL32.EXE

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\mrtMngr.EXE

c:\windows\system\java.exe

c:\program files\real\realplayer\RealPlay.exe

.

**************************************************************************

.

Completion time: 2010-12-18 16:36:38 - machine was rebooted

ComboFix-quarantined-files.txt 2010-12-18 21:36

ComboFix2.txt 2010-12-17 17:04

Pre-Run: 54,478,782,464 bytes free

Post-Run: 54,561,247,232 bytes free

- - End Of File - - F4BA7FE55C20F810C47F99FCC5D2EC33


  • Staff

Hi and welcome to Malwarebytes.

I'm afraid I have some very bad news...

Sality is what we call a file-infector.

These are particularly malicious, in that they infect all of your legitimate programs.

The problem is... the virus is very buggy, so it does not do a good job of infecting your files, so any attempt to disinfect and possibly save your files would be futile, in that, due to the buggy virus, we cannot properly disinfect your files.

What I highly recommend now is a reformat and a reinstallation of Windows XP.

Please let me know if you are prepared to do so.

You may backup and save all files except programs (meaning pictures and documents are okay), because if you backup any applications, they will transfer to your clean system, and you will be reinfected.

-screen317

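The backup advice above, as an added example (not from the thread or from Malwarebytes): a Python helper that copies documents and pictures but refuses anything that is a Windows PE executable, checking the MZ/PE header rather than trusting file extensions, because a file infector lives inside the infected programs themselves. The extension list, the folder names and the sample files are constructed for the demo.

```python
"""Backup helper for the 'save data, not programs' advice: copy a user's
data files while refusing any Windows PE image, since a file infector
such as Sality travels inside infected executables.

Added example, not from the thread.  It checks the DOS 'MZ' magic and the
'PE' signature at e_lfanew instead of trusting extensions, so a renamed
.exe or a DLL with an odd extension is still refused.
"""
import os
import shutil
import struct

# Extensions that are programs or program containers; refused on name alone (constructed list).
PROGRAM_EXTS = {".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl", ".pif", ".com", ".drv", ".msi"}


def is_pe_image(path):
    """True if the file starts with a DOS 'MZ' header whose e_lfanew field
    points at a 'PE\\0\\0' signature, i.e. it is a Windows executable image."""
    try:
        with open(path, "rb") as fh:
            dos = fh.read(64)
            if len(dos) < 64 or dos[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos, 60)[0]  # offset of PE header
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"
    except (OSError, struct.error):
        return False


def classify(path):
    """Return 'program' if the file must stay out of the backup, else 'data'."""
    _, ext = os.path.splitext(path)
    if ext.lower() in PROGRAM_EXTS:
        return "program"
    if is_pe_image(path):          # catches executables hiding behind a data-looking name
        return "program"
    return "data"


def backup_data_only(src_root, dst_root):
    """Copy data files from src_root to dst_root, keeping relative paths.
    Returns (copied, skipped) lists of relative paths."""
    copied, skipped = [], []
    for dirpath, _dirs, files in os.walk(src_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, src_root)
            if classify(full) == "program":
                skipped.append(rel)
                continue
            dest = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.copy2(full, dest)
            copied.append(rel)
    return copied, skipped


def make_sample_tree(root):
    """Constructed sample files for a stand-alone run (not real user data)."""
    os.makedirs(os.path.join(root, "My Documents"), exist_ok=True)
    # Minimal PE-looking bytes: 'MZ', e_lfanew = 64, then the 'PE\0\0' signature.
    pe_bytes = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + b"\0" * 16
    samples = {
        "letter.txt": b"Dear uncle, the computer is fixed.\n",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 16,
        "setup.exe": pe_bytes,          # program by extension
        "holiday.jpg.bak": pe_bytes,    # program hiding behind a data-like name
        "notes.doc": b"\xd0\xcf\x11\xe0" + b"\0" * 16,
    }
    for name, data in samples.items():
        with open(os.path.join(root, "My Documents", name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "src"), os.path.join(tmp, "dst")
        make_sample_tree(src)
        copied, skipped = backup_data_only(src, dst)
        print("copied:", copied)
        print("skipped:", skipped)
```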

If I were to take it into the shop and pay for them to fix it, would they tell me the same thing? The reason being this is the family computer and my uncle wants me to take it into a shop. I would prefer to fix it myself and save the money. I currently do not have my XP CD but I do have my XP upgrade CD to upgrade to Windows XP Professional.


  • 5 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
