Jump to content

Change Mode


Trusted Malware Techs
  • Content Count

  • Joined

  • Last visited

About FZWG

  • Rank
    In Memory of FZWG, Rest in Peace

Contact Methods

  • Website URL
  • ICQ

Profile Information

  • Gender

Previous Fields

  • System Specifications:
    An old eMachine!!
  • Teams:
    Nothing Selected
  1. On Kasperski AntiVirus, you can remove the program. It is not a good idea to run two AntiVirus programs, anyway. On AdAware, it is probably best to uninstall the program, and then re-install it. Sality damage to the program is hard to determine, and it may not do its job correctly. HijackThis, you can remove. The NetWatch program should also be available for XP. Your best bet for Network questions and help is the Networking forum: http://forums.pcpitstop.com/index.php?showforum=8 That is probably the case. W98 does not have the services which show up as O23 in a HijackT
  2. Sality spreads through Network shares, and infected files. So, if you have shared resources on a Network, beware. I am not certain about the exact source of Sality, but it is associated with certain URLs, and contacts certain domains. The fact that you run a system which is not kept updated leaves you out in the open like a magnet looking for metal shavings!!
  3. The HijackThis log appears clean, and the other reports do not show indications of Sality. Clean out the Restore Points, though. AdAware showed some malware in them also: Go to Start > Run< in the Open area type in (or copy): control sysdm.cpl,,4 Press: Enter Check the box: Turn off System Restore on all drives Click: Apply > OK Now, turn on System Restore by removing the check on: Turn off System Restore on all drives Click: OK ==== You can connect the computer back to its cable or telephone line, however, you must do the following: 1. Install an AntiV
  4. Since you are using names of different regions of Indonesia (Menteng, Wirosari), are you the same person? There is no need to hide. It serves no purpse... As far as the information goes, take your time, and post the data as you are able to. I have a Doctor's appointment tomorrow morning, so cannot stay up late this evening. Also, probably will not be able to reply to whatever is posted until sometime in the afternoon. FZ
  5. How are things in Jakarta? Monday morning. If the computer was on during the weekend, the malware may have returned. Even if it was off, do the following: 1. Before you start the computer, unplug the cable or telephone line from the back of the computer. You do not want it connected to anything that gives an avenue to the Internet. Sality downloads information from a set of preconfigured URLs, and that is how it plants and executes all those files in: C:\Documents and Settings\TresnaTan\Local Settings\Temp\win*.exe 2. Start in Safe Mode, run the previously updated Kaspersky Ant
  6. If you turn off the computer and turn it back on, go to Safe Mode (no networking). It appears that Sality does not like Safe Mode. Maybe that is why it disables the Safe Mode Registry keys. (I'm just guessing! ) ==== Do the following for now. I do not think we are dealing with a Rootkit, so do not run that type of program as previously instructed. I believe these entries: C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe are the ones that show under the following Registry key to bypass the Windows Firewall: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
  7. I am assuming you only posted part of the report, but that is OK. You are dealing with the Sality virus, which can infect legit executables in your system. The damage it causes is extensive: http://www3.ca.com/securityadvisor/virusin...s.aspx?ID=52797 Legit and necessary executables cannot be deleted like malware files. The executables need to be disinfected. However, it may happen that after the exe's are disinfected, some programs may no longer work. If you wish to do a format and install a clean Operating System ana the programs you use, it is a good idea. However, you can
  8. Well, here is a sign of Sality: [MCIDRV_VER] DEVICEN1=95215658363 Then, there is Troj/Spmbot-B: [iDslow] IDVer32666=988281 And whatever these are, maybe the same Spmbot-B: IDMCI32=23846878ABA233 [iDslow32] MDCDID32=991140 Editing system.ini is an option, but if the infection is active, there may be serious results... ==== If this ’thing’ is residing in memory, it may have the capability to disable any virus or spyware protection. So let’s go with online-scanners. However, boot to Safe Mode with Networking to download and use the scans: Panda ActiveScan: http://w
  9. Did not see what I was looking for... This infection may have an entry that hides in system.ini Please go to Start > Run, and type: System.ini Click: OK The System.ini file text is displayed. Please provide its contents in your reply. Also,need the results of SDFix.
  10. Looks as if this infection has an entry that hides, so, please do the following: Open HijackThis Click on Open Misc Tools Section Make sure that both boxes beside "Generate StartupList Log" are checked: --List all minor sections(Full) --List Empty Sections(Complete) Click: Generate StartupList Log Click Yes at the prompt. A text file opens. Please provide the entire contents of the StartupList. ==== Also, please post another AdAware report. ==== Also, download SDFix and save it to the Desktop. Right click the SDFix.zip folder Select: Extract All to extract it
  11. Let's get rid of what is in this Temp folder: C:\Documents and Settings\TresnaTan\Local Settings\Temp Please launch Notepad, (Start > Run, type in: notepad) Copy/paste the blue text below to it: del %windir%\temp\*.* /f del C:\Documents and Settings\*\local settings\temp\*.* /f In Notepad, go to File (upper menu bar), and select: Save as In the Save as prompt: Save in: Desktop File Name: clean.bat Save as Type: All files Click: Save Exit out of Notepad. Next, on the Desktop, double click on clean.bat ==== To remove the bogus driver and file: 1. Please do
  12. Which files is it detecting??? Please run the AdAware program again, and post its Full System Scan results. Also, you are still in the hole...you have not installed SP1. If you do not, we are just doing this routine for exercise. You will be infected again, and again, and again, and again, and again, and again......
  13. HaxFix did its thing. Next, post the SuperAntiSpyware log, and a new HijackThis log when you can. By the way, you have some serious infections on that system as a result of not keeping Windows updated!! The malware has exploited the security holes in an unpatched version of XP and may be impossible to fix permanently. Please go to the Windows Update site and install Service Pack 1a followed by all available critical and security patches: http://www.microsoft.com/windowsxp/downloa...p1/default.mspx Reboot after applying the update.
  14. Please download HaxFix.exe Save it to the Desktop. Double click on haxfix.exe to install. Check: "Create a desktop icon" Click: "Next" When the installation is completed, make sure "Launch HaxFix" is checked. Click "Finish" A red "DOS window" opens with options:1. Make logfile 2. Run auto fix 3. Run manual fix E. Exit Haxfix Select option Option 2, Run auto fix by typing 2 and then pressing Enter Haxfix starts scanning the computer, and performs a reboot When finished, a logfile opens: haxlog.txt Please copy the contents of the logfile and provide them in your reply. (c:\haxfix.txt)
  15. We need to find out if there is also a Rootkit involved. Please download GMER.zip (450kB) to the Desktop: http://gmer.net/files.php Right click the zipped file and select: Extract all Follow the Extracton Wizard prompts Start the program by double clicking: GMER.exe If a security warning appears, allow the program to run If GMER detects rootkit activity, you are prompted to scan immediately Click Yes to begin the scan If you are not prompted to Scan: In the Rootkit tab, make sure all the boxes on the right of the screen are checked, except for "Show All" Then, click the Sc
  • Create New...