Jump to content


Trusted Malware Techs
  • Content Count

  • Joined

  • Last visited

About FZWG

  • Rank
    In Memory of FZWG, Rest in Peace

Contact Methods

  • Website URL
  • ICQ

Profile Information

  • Gender

Previous Fields

  • System Specifications:
    An old eMachine!!
  • Teams:
    Nothing Selected
  1. On Kasperski AntiVirus, you can remove the program. It is not a good idea to run two AntiVirus programs, anyway. On AdAware, it is probably best to uninstall the program, and then re-install it. Sality damage to the program is hard to determine, and it may not do its job correctly. HijackThis, you can remove. The NetWatch program should also be available for XP. Your best bet for Network questions and help is the Networking forum: http://forums.pcpitstop.com/index.php?showforum=8 That is probably the case. W98 does not have the services which show up as O23 in a HijackThis log. Malware also uses services to infect a computer. For your printer problem, go to the following forum for help: http://forums.pcpitstop.com/index.php?showforum=3 Also, I do not respond to PMs. If you have a problem, post it in the appropriate forum instead.
  2. Sality spreads through Network shares, and infected files. So, if you have shared resources on a Network, beware. I am not certain about the exact source of Sality, but it is associated with certain URLs, and contacts certain domains. The fact that you run a system which is not kept updated leaves you out in the open like a magnet looking for metal shavings!!
  3. The HijackThis log appears clean, and the other reports do not show indications of Sality. Clean out the Restore Points, though. AdAware showed some malware in them also: Go to Start > Run< in the Open area type in (or copy): control sysdm.cpl,,4 Press: Enter Check the box: Turn off System Restore on all drives Click: Apply > OK Now, turn on System Restore by removing the check on: Turn off System Restore on all drives Click: OK ==== You can connect the computer back to its cable or telephone line, however, you must do the following: 1. Install an AntiVirus program. If McAfee was your previous AV program, you need to re-install it. Some of its files were affected, and it may not work properly. If you wish to use some other AV program, there are free ones: Grisoft’s AVG Anti-virus Free Edition: http://free.grisoft.com/freeweb.php avast! 4 Home: http://www.avast.com/eng/avast_4_home.html AntiVir Personal Edition: http://www.free-av.com/ 2. Install a software Firewall. It provides the ability to restrict malevolent outgoing traffic from your computer. Some good free choices are: ZoneAlarm: http://www.zonelabs.com/store/content/cata...lid=dbtopnav_za Sunbelt Kerio: http://www.sunbelt-software.com/Kerio.cfm OutPost: http://www.agnitum.com/products/outpostfree/download.php ==== 3. Now, head for the Microsoft Windows Updates website: http://update.microsoft.com/windowsupdate/...t.aspx?ln=en-us Even using an Antivirus and a Firewall does not prevent malware from getting through. Have your system scanned, and download/install all Critical Updates on offer. ==== Next, what you need to deal with is damage recovery. Panda disinfected all sorts of files, but after the exe's are disinfected, some programs may no longer work properly. You will need to reinstall them. ==== Good luck, wirosari!!
  4. Since you are using names of different regions of Indonesia (Menteng, Wirosari), are you the same person? There is no need to hide. It serves no purpse... As far as the information goes, take your time, and post the data as you are able to. I have a Doctor's appointment tomorrow morning, so cannot stay up late this evening. Also, probably will not be able to reply to whatever is posted until sometime in the afternoon. FZ
  5. How are things in Jakarta? Monday morning. If the computer was on during the weekend, the malware may have returned. Even if it was off, do the following: 1. Before you start the computer, unplug the cable or telephone line from the back of the computer. You do not want it connected to anything that gives an avenue to the Internet. Sality downloads information from a set of preconfigured URLs, and that is how it plants and executes all those files in: C:\Documents and Settings\TresnaTan\Local Settings\Temp\win*.exe 2. Start in Safe Mode, run the previously updated Kaspersky Anti-Virus 6.0, perform a full system scan, and disinfect every file it finds. If it produces a report, please provide it in your reply. 3. Now, restart the computer normally, but do not connect the cable or telephone line!! 4. Check system.ini once again to make sure nothing has changed. Provide its contents in you reply. 5. Go to the Desktop, and double click aalst.bat to make sure the values you removed from the following Registry key are still gone: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List To make sure, do a manual check also. 6. To remove any files (C:\Documents and Settings\TresnaTan\Local Settings\Temp\win*.exe0, you can use the batch file in Post #10 (clean.bat should still be on the Desktop), and then manually check they are gone, or just remove them manually. 7. Then, to see if a new Sality random.sys file was created (Earlier in the game it looked like: C:\WINDOWS\System32\drivers\rgoqmn.sys), please do the following: Go to Start > Run, and copy/paste the following in the Open area: C:\Windows\System32\drivers Up in the Menu bar, click View > Details Then in the right hand pane, double click Date Modified to arrange files by date from 2007 and down. Please provide the names of the .sys files created since January 2007. There should only be a few. 8. The random.sys also installed a system service with the service name and display name of: NdisFileServices32 Please go to Start > Run, copy/paste the following, one at a time, and click OK after each: sc stop NdisFileServices32 sc delete NdisFileServices32 9. Run HijackThis and Scan. 10. Also provide a StartupList as instructed in Post # 12 Provide the following: The Kasperski Anti-Virus 6.0 report The contents of the system.ini file The contents of the aalst.bat (Registry key) The names of any .sys files created since January 2007 A new HijackThis log A new StartupList Do not plug the cable or telephone line back to the computer!!!! Hopefully, you will have access to another computer. Connect with it, and provide the information requested.
  6. If you turn off the computer and turn it back on, go to Safe Mode (no networking). It appears that Sality does not like Safe Mode. Maybe that is why it disables the Safe Mode Registry keys. (I'm just guessing! ) ==== Do the following for now. I do not think we are dealing with a Rootkit, so do not run that type of program as previously instructed. I believe these entries: C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe are the ones that show under the following Registry key to bypass the Windows Firewall: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List Please open Notepad (Start > Run, type in: notepad) Copy and paste all the information in blue below to it. regedit /e aalst.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List" aalst.txt Go to File (upper menu bar), and select: Save as In the Save as prompt: Save in: use drop arrow to select Desktop File Name: aalst.bat Save as type: All Files Exit Notepad Go to the Desktop, and double click aalst.bat It generates a text file called aalst.txt. Copy the contents of aalst.txt to your reply. ==== Since the system.ini file still has the bogus entries, and a 'Disinfection failed' notice appears next to several of the online scanner entries, we can assume Sality prevails. What we eventually need to do is: 1. Restart the computer in Safe Mode with Networking, and download Kasperski Anti-Virus 6.0 This is not the online scanner!! http://www.kaspersky.com/trials?chapter=146481750 Make sure you update the program. When done, reboot to just Safe Mode (No networking!! We do not want Sality to have a connection available!). 2. Edit the system.ini file to get rid of: [MCIDRV_VER] DEVICEN1=95215658363 __h=18 __dr=12 [iDslow] IDVer32666=988281 IDMCI32=23846878ABA233 [iDslow32] MDCDID32=991140 3. Backup the Registry: Go to Start > Run, and type: Regedit On the left side, click and highlight My Computer Go to the File menu (at the top) Select: Export Save in: Desktop File Name: BackUp Save As Type: leave as Registration Files Click: Save Then go to File > Exit (This saves a backup copy of the Registry.) 4. Remove the bogus values under the Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List The bogus values will show as the following, and there will be several of them: C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe The win*.exe files may have changed. 5. In addition, the bogus files, like the one below, need removal with Killbox, or, Avenger with a ‘Files to Delete’ script. C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe 6. Disable your current AntiVirus program since it may not be compatible with Kaspersky Anti-Virus 6.0. 7. In Safe Mode, let Kaspersky perform a full system scan and disinfect every infected exe file it finds! ==== I get the impression that you are very computer knowledgeable, so, if you think you can do the above, press on. Since we appear to have a significant time difference, based on the times when you post, you can be working while I am sleeping, since that is what I plan to do very shortly (2:00AM here). If you do not want to proceed, sometime in the daylight morning hours I’ll prepare more detailed instructions for you with the information you provide from the aalst batch file. One last word. You are dealing with a bomb of a virus. I am doing this in good faith, but in a worse case scenario, trying to get rid of this infection may result in the loss of significant code in the system. I do not know if this will be the case, but there is risk involved, and it is up to you to decide what to do.
  7. I am assuming you only posted part of the report, but that is OK. You are dealing with the Sality virus, which can infect legit executables in your system. The damage it causes is extensive: http://www3.ca.com/securityadvisor/virusin...s.aspx?ID=52797 Legit and necessary executables cannot be deleted like malware files. The executables need to be disinfected. However, it may happen that after the exe's are disinfected, some programs may no longer work. If you wish to do a format and install a clean Operating System ana the programs you use, it is a good idea. However, you can also press on and run another online scan with Kasperski, and provide its results. It has a good track record for this infection, and may pick up anything left over. The log produced should not be as large. The following is a link to several online scanners, including Kasperski: http://dir.yahoo.com/Computers_and_Interne...Virus_Scanners/ Also, please provide the contents of system.ini once again. Need to know if the disinfection had any effect on it.
  8. Well, here is a sign of Sality: [MCIDRV_VER] DEVICEN1=95215658363 Then, there is Troj/Spmbot-B: [iDslow] IDVer32666=988281 And whatever these are, maybe the same Spmbot-B: IDMCI32=23846878ABA233 [iDslow32] MDCDID32=991140 Editing system.ini is an option, but if the infection is active, there may be serious results... ==== If this ’thing’ is residing in memory, it may have the capability to disable any virus or spyware protection. So let’s go with online-scanners. However, boot to Safe Mode with Networking to download and use the scans: Panda ActiveScan: http://www.pandasoftware.com/products/ActiveScan.htm BitDefender Online Scanner: http://www.bitdefender.com/ Please post the results for both online scans. ==== Also download Clean.zip to the Desktop http://www.malekal.com/download/clean.zip, Right click and Extract In the Clean folder created, click on clean.cmd When the command window (black screen) opens, select Option 1, and press: Enter Allow the scan to complete, press any key, and post the contents of the Clean text in you reply. ==== Next, download RustBFix by ejvindh: http://www.uploads.ejvindh.net/rustbfix.exe Save it to the Desktop. Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you are asked to reboot the computer. The reboot will probably take a while, and perhaps 2 reboots are needed, but this happens automatically. After the reboot(s) 2 log files open: Avenger.txt and a Pelog.txt Please post both log files in your reply. ==== Also, click here to download AVG Anti Rootkit and save it to the Desktop. Double-click on the AVG_AntiRootkit_1.0.0.13.exe file to run it. Click "I Agree" to agree to the EULA. By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta". Click "Next" to begin the installation then click "Install". It will then ask you to reboot now to finish the installation. Click "Finish" and your computer will reboot. After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on the Desktop. Click on the "Perform in-depth search" button to begin the scan. The scan will take a while so be patient and let it complete. When the scan is finished, click the "Save result to file" button. Save the scan results to the Desktop, and provide the AVG_AntiRootkit results in your reply. ==== One last item, can you install a software Firewall? Some good free choices are: ZoneAlarm: http://www.zonelabs.com/store/content/cata...lid=dbtopnav_za Sunbelt Kerio: http://www.sunbelt-software.com/Kerio.cfm OutPost: http://www.agnitum.com/products/outpostfree/download.php In summary, need the following in your reply: The Panda ActiveScan results The BitDefender results The contents of the Clean report The RustBFix Avenger.txt and a Pelog.txt The AVG_AntiRootkit results
  9. Did not see what I was looking for... This infection may have an entry that hides in system.ini Please go to Start > Run, and type: System.ini Click: OK The System.ini file text is displayed. Please provide its contents in your reply. Also,need the results of SDFix.
  10. Looks as if this infection has an entry that hides, so, please do the following: Open HijackThis Click on Open Misc Tools Section Make sure that both boxes beside "Generate StartupList Log" are checked: --List all minor sections(Full) --List Empty Sections(Complete) Click: Generate StartupList Log Click Yes at the prompt. A text file opens. Please provide the entire contents of the StartupList. ==== Also, please post another AdAware report. ==== Also, download SDFix and save it to the Desktop. Right click the SDFix.zip folder Select: Extract All to extract it to its own folder on the Desktop. ~~~~ Start the computer in Safe Mode : -When the machine first starts again, tap the F8 key before Windows starts -You are presented with a Windows XP Advanced Options menu. -Select the option for Safe Mode using the arrow keys. -Press Enter to boot into Safe Mode. ~~~~ Open the SDFix folder on the Desktop, and double click RunThis.bat to start the script. Type Y to begin the cleanup process. The process removes any Trojan Services or Registry Entries found, and then prompts you to press any key to Reboot. Press any key to restart the PC. When the PC restarts the SDFix will run again and complete the removal process It then displays Finished Press any key to end the script and load the Desktop icons. Once the Desktop icons load, the SDFix report opens on screen and saves itself in the SDFix folder as Report.txt. ~~~~ Please provide the StartupList, another AdAware report, and the contents of the SDFix Report.txt.
  11. Let's get rid of what is in this Temp folder: C:\Documents and Settings\TresnaTan\Local Settings\Temp Please launch Notepad, (Start > Run, type in: notepad) Copy/paste the blue text below to it: del %windir%\temp\*.* /f del C:\Documents and Settings\*\local settings\temp\*.* /f In Notepad, go to File (upper menu bar), and select: Save as In the Save as prompt: Save in: Desktop File Name: clean.bat Save as Type: All files Click: Save Exit out of Notepad. Next, on the Desktop, double click on clean.bat ==== To remove the bogus driver and file: 1. Please download The Avenger by Swandog46 to your Desktop. Click on Avenger.zip to open the file Extract avenger.exe to the Desktop 2. Copy the blue text below by highlighting it and pressing (Ctrl+C): Files to Delete C:\WINDOWS\system32\wmdrtc32.dll Drivers to delete rgoqmn.sys 3. Now, start The Avenger program by clicking on its icon on the Desktop. Under "Script file to execute" choose "Input Script Manually". Now click on the Magnifying Glass icon which opens a new window titled "View/edit script" Paste the blue text copied into this window by pressing (Ctrl+V). Click Done Now click on the Green Light to begin execution of the script Answer "Yes" twice when prompted. 4. The Avenger automatically does the following:It restarts the computer, and in cases where the code to execute contains Drivers to Unload, the Avenger actually restarts the system twice. On reboot, it briefly opens a black command window on the Desktop, and this is normal. After the restart, it creates and opens a log file with the results of Avenger’s actions. This log file is located at C:\avenger.txt The Avenger also backs up all the files, etc., it deletes, and zips them and moves the zip archives to C:\avenger\backup.zip Please provide the content of C:\avenger.txt in your reply along with a new HJT log .
  12. Which files is it detecting??? Please run the AdAware program again, and post its Full System Scan results. Also, you are still in the hole...you have not installed SP1. If you do not, we are just doing this routine for exercise. You will be infected again, and again, and again, and again, and again, and again......
  13. HaxFix did its thing. Next, post the SuperAntiSpyware log, and a new HijackThis log when you can. By the way, you have some serious infections on that system as a result of not keeping Windows updated!! The malware has exploited the security holes in an unpatched version of XP and may be impossible to fix permanently. Please go to the Windows Update site and install Service Pack 1a followed by all available critical and security patches: http://www.microsoft.com/windowsxp/downloa...p1/default.mspx Reboot after applying the update.
  14. Please download HaxFix.exe Save it to the Desktop. Double click on haxfix.exe to install. Check: "Create a desktop icon" Click: "Next" When the installation is completed, make sure "Launch HaxFix" is checked. Click "Finish" A red "DOS window" opens with options:1. Make logfile 2. Run auto fix 3. Run manual fix E. Exit Haxfix Select option Option 2, Run auto fix by typing 2 and then pressing Enter Haxfix starts scanning the computer, and performs a reboot When finished, a logfile opens: haxlog.txt Please copy the contents of the logfile and provide them in your reply. (c:\haxfix.txt) ====Next, download SuperAntiSpyware Home Edition Free Version http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE Install the program Run SuperAntiSpyware and click: Check for updates Once the update is finished, on the main screen, click: Scan your computer Check: Perform Complete Scan Click Next to start the scan. Superantispyware scans the computer, and when finished, lists all the infections found. Make sure everything found has a check next to it, and press: Next Click Finish It is possible that the program asks to reboot in order to delete some files. Obtain the SuperAntiSpyware log as follows: Click: Preferences Click the Statistics/Logs tab Under Scanner Logs, double-click SuperAntiSpyware Scan Log It opens in your default text editor (such as Notepad) ==== Please post the contents of C:\haxfix.txt, the SuperAntiSpyware log, and a new HijackThis log.
  15. We need to find out if there is also a Rootkit involved. Please download GMER.zip (450kB) to the Desktop: http://gmer.net/files.php Right click the zipped file and select: Extract all Follow the Extracton Wizard prompts Start the program by double clicking: GMER.exe If a security warning appears, allow the program to run If GMER detects rootkit activity, you are prompted to scan immediately Click Yes to begin the scan If you are not prompted to Scan: In the Rootkit tab, make sure all the boxes on the right of the screen are checked, except for "Show All" Then, click the Scan button. Once the scan is done, click: Copy. ==== Please provide the contents of the GMER report in your reply.
  • Create New...