TechSpot

[Closed] Help me, I got Win32/Heur and Win32/Sality.nar

By brogun
Nov 5, 2010
  1. Help

    My computer has gone crazy after I got this Win32/Heur and Win32/Sality.nar. I have done a lot of scans with different anti-virus programs; at first AntiVir scanned and deleted some viruses, but ESET NOD32 could still find some Win32/Sality.nar. Then I did a lot of things cleaning my PC, until now ESET NOD32 and AntiVir could not detect a virus anymore. I'm not sure if my PC is cleaned already, and now I'm scared to take the risk of installing some program from my last infected drives; this virus might infect my PC again. Could someone help me check if my PC is cleaned now?

    Thank you..
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot. Bad news though. If you did have a Sality malware infection, you most likely will still have it. Let's check and see what your status is:

    Open VirusTotal
    • Open Windows Explorer: Windows key + E> Go to Tools> Folder Options> View tab> Check 'show hidden files and folders.'> Apply> OK
    • At the upload site, click once inside the window next to Browse.
    • Press Ctrl+V to paste each of the following, one at a time into the window

      1. explorer.exe (Path is C:\Windows)
      2. userinit.exe (Path is C:\Windows\System32)
      3. svchost.exe (Path is C:\Windows\System32)
    • Click on the Upload button.
    • IF file shows 'already analyzed' press Reanalyze now button

    When scans have all been done, please go back and check 'do not show hidden files and folders'> Apply> OK.

    Please post the scan results in your next reply.
    ======================================
    Also, please run the Eset Online virus scan. You should have rebooted the computer following your efforts to remove this> if you have not, please do so before running the scans.

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    This is the malware that exploits the .lnk vulnerability. Sality is a family of file infecting viruses that spread by infecting exe and scr files. The virus also includes an autorun worm component that allows it to spread to any removable or discoverable drive. In addition, Sality includes a downloader trojan component that installs additional malware via the Web.

    It then creates and starts a service to load the driver. The driver blocks access to a variety of security software vendor web sites. The virus then disables security software services and ends security software processes. It also disables registry editing and the task manager.

    http://www.symantec.com/connect/blogs/all-one-malware-overview-sality
    The exploit works even when AutoRun and AutoPlay -- two functions that have previously been used by attackers to commandeer PCs using infected flash drives -- are disabled. The rootkit also bypasses all security mechanisms in Windows, including the User Account Control (UAC) prompts in Vista and Windows 7, ...

    Because of these actions, we recommend you do a reformat/reinstall. Attempts to clean this virus to include the backdoor capability usually fail.
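The post above asks for three system binaries to be checked and describes a file infector that rewrites exe and scr files on every reachable drive. The script below is an added example written for this thread (not code from TechSpot, ESET, Symantec or VirusTotal) of how to do that triage offline: hash the named binaries against a known-good manifest, and walk a partition looking for a generic file-infector pattern in PE headers (entry point inside the last section, last section writable and executable). The manifest digests are placeholders and must be taken from a clean install of the same Windows build, and the heuristic is a lead rather than a verdict, since some packers trigger it as well; the PE images it is tried on here are constructed in memory, not real binaries.

```python
"""Offline integrity triage for PE files on a box suspected of a file-infector
(Sality-class) infection. Added example, standard library only.
"""
import hashlib
import os
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Placeholder manifest (assumption): fill the digests from a clean install of the
# same build, never from the suspect machine itself.
KNOWN_GOOD = {
    r"C:\Windows\explorer.exe": "<sha256 from a clean install>",
    r"C:\Windows\System32\userinit.exe": "<sha256 from a clean install>",
    r"C:\Windows\System32\svchost.exe": "<sha256 from a clean install>",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest):
    """Return {path: reason} for every entry that is missing or whose hash differs."""
    problems = {}
    for path, expected in manifest.items():
        if not os.path.isfile(path):
            problems[path] = "missing"
        elif sha256_file(path).lower() != expected.lower():
            problems[path] = "hash mismatch"
    return problems


def parse_pe(data):
    """Return (entry_point_rva, [(name, rva, virtual_size, characteristics)]) or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                        # optional header follows 20-byte COFF header
    entry = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    sec = opt + opt_size                                   # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, rva, _, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, sec + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize, chars))
    return entry, sections


def infector_indicators(data):
    """Generic file-infector heuristic; an empty list means nothing suspicious."""
    parsed = parse_pe(data)
    if parsed is None:
        return ["not a PE file"]
    entry, sections = parsed
    if not sections:
        return ["no sections"]
    name, rva, vsize, chars = sections[-1]
    findings = []
    if rva <= entry < rva + max(vsize, 1):
        findings.append("entry point 0x%x is inside the last section %s" % (entry, name))
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("last section %s is writable and executable" % name)
    return findings


def scan_tree(root, exts=(".exe", ".scr")):
    """Walk a folder or partition (e.g. the slave drives) and report files with findings."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as f:
                    findings = infector_indicators(f.read())
                if findings:
                    hits[path] = findings
    return hits


def build_sample_pe(entry_in_last, last_section_wx):
    """Constructed two-section PE32 header (no real code) to exercise the heuristic."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)       # i386, 2 sections, 224-byte PE32 opt hdr
    entry = 0x2010 if entry_in_last else 0x1010
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0x200, 0x200, 0, entry) + b"\0" * (224 - 20)
    last_chars = 0xE0000020 if last_section_wx else 0x40000040         # CODE|R|W|X vs DATA|R

    def sec(name, rva, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, rva, 0x200, 0, 0, 0, 0, 0, chars)

    return dos + b"PE\0\0" + coff + opt + sec(b".text", 0x1000, 0x60000020) + sec(b".last", 0x2000, last_chars)


if __name__ == "__main__":
    print("clean sample:", infector_indicators(build_sample_pe(False, False)))
    print("suspect sample:", infector_indicators(build_sample_pe(True, True)))
    print("manifest:", verify_manifest(KNOWN_GOOD))
```

Run `scan_tree(r"D:\")` and `scan_tree(r"I:\")` from a clean boot before copying anything off those partitions; a file that is flagged, or a system binary whose hash differs from the manifest, is what should go to VirusTotal as the post asks.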
     
  3. brogun

    brogun TS Rookie Topic Starter

    Thank you for the reply Bobbye

    I have already reformatted my drive C: and haven't opened any of my drives until I'm sure my extra drives are cleaned.

    I'll post the result for the Online Antivirus Scan as soon as it's done.

    thank you again.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    So after you found the malware, you reformatted and reinstalled- the C drive? Leave the logs when you're ready. If you do online banking, monitor that carefully and be sure to change all of your passwords.
     
  5. brogun

    brogun TS Rookie Topic Starter

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=b7d72621da1f7246b983bb1cf237b558
    # end=finished
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-11-04 10:42:08
    # local_time=2010-11-04 02:42:08 (-0800, Pacific Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16774105 100 93 0 47843581 0 0
    # compatibility_mode=8199 39157077 100 100 0 46442024 0 0
    # scanned=233087
    # found=13
    # cleaned=13
    # scan_time=37640
    # nod_component=V3 Build:0x30000000
    C:\Documents and Settings\pawing\Desktop\ESET NOD32 Antivirus & Smart Security 4.0.437 x32 & x64\[LATEST] box, mara-fix v1.1\ESET fix\ESET fix.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\pawing\My Documents\Downloads\avast! Pro AV + IS 5.0.594 Final + Crack (Till 2020) [RH]\aAVPro.IS.5.0.594_[RH].rar a variant of Win32/Packed.VMProtect.AAA trojan (deleted - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\pawing\My Documents\Downloads\avast! Pro AV + IS 5.0.594 Final + Crack (Till 2020) [RH]\avast! Pro AV + IS 5.0.594 Final + Crack (Till 2020)\Crack\ashBase.dll a variant of Win32/Packed.VMProtect.AAA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Program Files\ESET\ESET NOD32 Antivirus\ESET fix.exe multiple threats (deleted (after the next restart) - quarantined) 00000000000000000000000000000000 C
    C:\Program Files\SmileyCentral_1vEI\Installr\9.bin\1vEIPlug.dll a variant of Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{5D316880-374E-4109-8F64-9E8CB07029E1}\RP15\A0007014.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{5D316880-374E-4109-8F64-9E8CB07029E1}\RP15\A0007015.dll a variant of Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{5D316880-374E-4109-8F64-9E8CB07029E1}\RP4\A0001188.dll a variant of Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{5D316880-374E-4109-8F64-9E8CB07029E1}\RP9\A0001343.dll a variant of Win32/Adware.HotBar.E application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{5D316880-374E-4109-8F64-9E8CB07029E1}\RP9\A0001346.exe a variant of Win32/Adware.HotBar.E application (deleted - quarantined) 00000000000000000000000000000000 C
    D:\Installer\Nero 7.11.6.0+Keygen\Nero-7.11.6.0_all_update.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C
    I:\Software\Nero 7.11.6.0+Keygen\Nero-7.11.6.0_all_update.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C
    I:\Software\Programming\Apache, PHP and MySQL (Windows)\Win32\PHP\phpdesigner2007_setup\keygen.exe a variant of Win32/Keygen.AG application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    # version=7
    # IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=b7d72621da1f7246b983bb1cf237b558
    # end=finished
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-11-05 11:16:18
    # local_time=2010-11-05 03:16:18 (-0800, Pacific Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16774105 100 93 0 47950296 0 0
    # compatibility_mode=8199 39157141 100 100 0 46548739 0 0
    # scanned=140784
    # found=1
    # cleaned=1
    # scan_time=19374
    # nod_component=V3 Build:0x30000000
    C:\System Volume Information\_restore{5D316880-374E-4109-8F64-9E8CB07029E1}\RP15\A0007828.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=b7d72621da1f7246b983bb1cf237b558
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-06 01:11:23
    # local_time=2010-11-06 05:11:23 (-0800, Pacific Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16774105 100 93 0 48008464 0 0
    # compatibility_mode=8199 39157141 100 100 0 46606907 0 0
    # scanned=235655
    # found=0
    # cleaned=0
    # scan_time=11318
    # nod_component=V3 Build:0x30000000
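The three ESET Online Scanner logs above answer the question the thread is asking, but only once the detection lines are read by drive letter and location. The following is an added example (my code, not part of the thread and not an ESET tool) that parses log.txt output into per-scan summaries. SAMPLE_LOG is a constructed subset of the lines posted above, with the tab separators flattened to spaces as they appear on this page; the regex is my assumption about the line layout (path, threat name, action in parentheses, a 32-hex-digit field, a one-letter flag). It surfaces what a responder needs: found/cleaned per scan, which drives carried hits (files on D: and I: are untouched by a reformat of C:), hits inside System Volume Information (restore points that can re-seed an infector), and deletions still pending a restart.

```python
"""Summarise ESET Online Scanner log.txt output for incident triage (added example)."""
import re
from collections import defaultdict

# Constructed subset of the thread's log, tabs flattened to spaces as on the page.
SAMPLE_LOG = r"""
# version=7
# utc_time=2010-11-04 10:42:08
# scanned=233087
# found=13
# cleaned=13
C:\Documents and Settings\pawing\Desktop\ESET fix\ESET fix.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\ESET\ESET NOD32 Antivirus\ESET fix.exe multiple threats (deleted (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{5D316880-374E-4109-8F64-9E8CB07029E1}\RP15\A0007014.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
D:\Installer\Nero 7.11.6.0+Keygen\Nero-7.11.6.0_all_update.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C
I:\Software\Programming\Apache, PHP and MySQL (Windows)\Win32\PHP\phpdesigner2007_setup\keygen.exe a variant of Win32/Keygen.AG application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
esets_scanner_update returned -1 esets_gle=53251
# version=7
# utc_time=2010-11-06 01:11:23
# scanned=235655
# found=0
# cleaned=0
"""

# Assumed line layout: <path> <threat> (<action>) <32 hex digits> <flag>.
# Paths contain spaces and parentheses, so the threat name is matched by shape
# ("multiple threats", "a variant of X kind", "Family/Name kind") rather than a fixed list.
DETECTION = re.compile(
    r"^(?P<path>[A-Z]:\\.+?) "
    r"(?P<threat>multiple threats|a variant of \S+ \w+|\S+/\S+ \w+) "
    r"\((?P<action>.+)\) (?P<hash>[0-9a-f]{32}) (?P<flag>\S)$"
)


def parse_log(text):
    """Split log.txt into scans; each '# version=' header starts a new scan record."""
    scans = []
    cur = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            if key == "version":
                cur = {"meta": {}, "detections": []}
                scans.append(cur)
            if cur is not None:
                cur["meta"][key] = value
            continue
        m = DETECTION.match(line)
        if m and cur is not None:
            cur["detections"].append(m.groupdict())
    return scans


def summarise(scans):
    """Per-scan counts, hits by drive letter, restore-point hits and pending deletions."""
    out = []
    for s in scans:
        by_drive = defaultdict(int)
        restore_points, pending = [], []
        for d in s["detections"]:
            by_drive[d["path"][0]] += 1
            if "\\System Volume Information\\" in d["path"]:
                restore_points.append(d["path"])
            if "after the next restart" in d["action"]:
                pending.append(d["path"])
        out.append({
            "time": s["meta"].get("utc_time"),
            "found": int(s["meta"].get("found", 0)),
            "cleaned": int(s["meta"].get("cleaned", 0)),
            "by_drive": dict(by_drive),
            "restore_point_hits": restore_points,
            "pending_restart": pending,
        })
    return out


if __name__ == "__main__":
    for s in summarise(parse_log(SAMPLE_LOG)):
        print(s)
```

Point it at the real `C:\Program Files\EsetOnlineScanner\log.txt` instead of SAMPLE_LOG; a non-empty `pending_restart` means the machine has not yet been rebooted since that scan, and any `restore_point_hits` argue for turning System Restore off and on again to discard the old restore points once the box is clean.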
     
  6. brogun

    brogun TS Rookie Topic Starter

    Yes, I have reformatted drive C. I got a partitioned hard drive; I partitioned it into 4, so I have 3 slave drives, and C is my OS. As soon as I got the malware and couldn't get rid of it with System Restore and other virus scans and cmd, I decided to reformat my drive C and install a fresh OS. BTW, I'm using Windows XP.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    When you use cracks and keygens to pirate programs, you are going to end up paying for it!

    avast! Pro AV + IS 5.0.594 Final + Crack> It was not avast that caused a problem. It was because you downloaded it on a site that steals programs by giving serial numbers out to activate, instead of you paying the charge for the program.

    Same story for D:\Installer\Nero 7.11.6.0+Keygen\Nero, I:\Software\Nero 7.11.6.0+Keygen and I:\Software\Programming\Apache, PHP and MySQL (Windows)\Win32\PHP\phpdesigner2007_setup\keygen.exe-

    Additionally, SmileyCentral is most likely where you picked up MyWebSearch and HotBar.

    I can't help but wonder if the operating system was pirated too.

    We do not support piracy. This thread is closed.
     
Topic Status:
Not open for further replies.
