Help with some malware

By dominic025 · 9 replies
Aug 20, 2010
    I found a lot of Win32/Heur and Sality malware on my computer, which got rid of my firewall and Task Manager. So I decided to reformat my PC and decided to back up my files on another drive, but I think it got infected too.

    I scanned with my Avira Free Edition and found some files infected with Sality, and healed and removed them.

    I just want to see if my drives are clean so I could get my back-up files. Here are the logs.


  Bobbye (Helper on the Fringe)

    Welcome to TechSpot. I'll need the rest of the DDS log; you have only left the part named Attach.txt.

    You can also go ahead and run the following 2 scans:

    Please download ComboFix from Here and save it to your Desktop.

    1. Do NOT rename ComboFix unless instructed.
    2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double-click combofix.exe and follow the prompts to run.
       NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If ComboFix asks you to install the Recovery Console, please allow it.
    6. If ComboFix asks you to update the program, always allow.
       Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
    7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in your next reply. (Split the log into 2 posts if it is too large for one.)

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with ComboFix.

    Run the ESET NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start.
    3. When asked, allow the ActiveX control to install.
    4. Disable your current antivirus software. You can usually do this with its notification-tray icon near the clock.
    5. Click Start.
    6. Make sure that the option "Remove found threats" is unchecked, and the option "Scan unwanted applications" is checked.
    7. Click Scan.
    8. Wait for the scan to finish.
    9. Re-enable your antivirus software.
    10. A log file is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this in your post.

    You need to understand that if any of the files you backed up were infected and you then add them back to a cleaned system, they can reinfect the system.
  dominic025 (TS Rookie, Topic Starter)

    OK. I will scan with DDS again and do those two.

    My files were included in the scan. I have two hard disks; the files were on the slave, and I deleted everything on the master and reinstalled the OS and other applications. My installers were on another USB drive.

    P.S. Do I need to run the ESET online scanner in Internet Explorer?
  Bobbye (Helper on the Fringe)

    No, you can use Firefox.
  dominic025 (TS Rookie, Topic Starter)

    ComboFix 10-08-18.05 - Dominic S. Medalla 08/20/2010 23:13:25.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.673 [GMT 8:00]
    Running from: c:\documents and settings\Dominic S. Medalla\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ((((((((((((((((((((((((( Files Created from 2010-07-20 to 2010-08-20 )))))))))))))))))))))))))))))))

    No new files created in this timespan

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2010-08-20 12:48 . 2010-08-20 12:48 -------- d-----w- c:\documents and settings\Dominic S. Medalla\Application Data\Avira
    2010-08-20 10:48 . 2010-08-20 10:48 -------- d-----w- c:\documents and settings\Dominic S. Medalla\Application Data\fltk.org
    2010-08-20 10:14 . 2010-08-20 09:29 -------- d-----w- c:\documents and settings\Dominic S. Medalla\Application Data\Skype
    2010-08-20 10:04 . 2010-08-20 10:04 0 ----a-w- c:\windows\nsreg.dat
    2010-08-20 10:02 . 2010-08-20 10:02 -------- d-----w- c:\documents and settings\Dominic S. Medalla\Application Data\Malwarebytes
    2010-08-20 10:02 . 2010-08-20 10:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-20 10:02 . 2010-08-20 10:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-20 09:54 . 2010-08-20 09:54 12328 ----a-w- c:\documents and settings\Dominic S. Medalla\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-20 09:54 . 2010-08-20 09:54 -------- d-----w- c:\program files\Avira
    2010-08-20 09:54 . 2010-08-20 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-08-20 09:44 . 2010-08-20 09:44 -------- d-----w- c:\program files\Common Files\Adobe
    2010-08-20 09:35 . 2010-08-20 09:33 -------- d-----w- c:\program files\Nintendo DS
    2010-08-20 09:33 . 2010-08-20 09:31 -------- d-----w- c:\program files\Playstation
    2010-08-20 09:31 . 2010-08-20 09:31 12862 ----a-r- c:\documents and settings\Dominic S. Medalla\Application Data\Microsoft\Installer\{0E2B767B-EA6A-489B-BF83-8083FE1DB661}\_1EEFFF72773535163E4216.exe
    2010-08-20 09:29 . 2010-08-20 09:29 -------- d-----w- c:\program files\Google
    2010-08-20 09:29 . 2010-08-20 09:29 -------- d-----r- c:\program files\Skype
    2010-08-20 09:29 . 2010-08-20 09:29 -------- d-----w- c:\program files\Common Files\Skype
    2010-08-20 09:29 . 2010-08-20 09:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2010-08-20 09:28 . 2010-08-20 09:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-08-20 09:28 . 2010-08-20 09:28 -------- d-----w- c:\program files\Yahoo!
    2010-08-20 09:27 . 2010-08-20 09:27 -------- d-----w- c:\program files\VideoLAN
    2010-08-20 09:26 . 2010-08-20 09:26 -------- d-----w- c:\program files\QuickTime
    2010-08-20 09:26 . 2010-08-20 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-08-20 09:25 . 2010-08-20 09:25 -------- d-----w- c:\program files\Common Files\Apple
    2010-08-20 09:25 . 2010-08-20 09:25 -------- d-----w- c:\program files\Apple Software Update
    2010-08-20 09:25 . 2010-08-20 09:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2010-08-20 09:25 . 2010-08-20 09:25 -------- d-----w- c:\program files\Common Files\Java
    2010-08-20 09:24 . 2010-08-20 09:25 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-08-20 09:24 . 2010-08-20 09:24 -------- d-----w- c:\program files\Java
    2010-08-20 09:10 . 2010-08-20 08:36 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2010-08-20 09:07 . 2010-08-20 09:07 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-08-20 09:07 . 2010-08-20 09:06 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-08-20 09:01 . 2010-08-20 09:01 -------- d-----w- c:\program files\CONEXANT
    2010-08-20 08:38 . 2010-08-20 08:38 -------- d-----w- c:\program files\microsoft frontpage
    2010-08-20 08:34 . 2010-08-20 08:34 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-08-20 08:33 . 2010-08-20 08:33 -------- d-----w- c:\program files\Windows Media Connect 2

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    *Note* empty entries & legit default entries are not shown

    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]

    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-17 7561216]
    "nwiz"="nwiz.exe" [2006-03-17 1519616]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-17 86016]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/20/2010 5:54 PM 135336]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/20/2010 5:29 PM 136176]
    Contents of the 'Scheduled Tasks' folder

    2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-20 09:29]

    2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-20 09:29]
    ------- Supplementary Scan -------
    TCP: {257E5BAD-1E47-492C-833C-E8F1ADCC4B9A} =
    FF - ProfilePath - c:\documents and settings\Dominic S. Medalla\Application Data\Mozilla\Firefox\Profiles\d1ceb8tw.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\Google\Update\\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1908)
    Completion time: 2010-08-20 23:16:58
    ComboFix-quarantined-files.txt 2010-08-20 15:16

    Pre-Run: 74,477,498,368 bytes free
    Post-Run: 74,441,682,944 bytes free

    [boot loader]
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 7FBCC7931F43E0173429DAB81B921840

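The ComboFix log above is read by eye in this thread. As an added example (not code from the thread, from ComboFix or from any vendor), the Python script below parses the same line formats a ComboFix log uses (Find3M file entries, "Name"="target" Run-key entries, R2/S2 service lines and scheduled-task targets) and returns the entries a reviewer looks at first: executables sitting under the user profile, and autostart entries that name a bare filename, which Windows resolves through the search path. The sample log is constructed to mirror the posted one (the profile name "User" is an assumption), and the flag rules are this example's own heuristics, not ComboFix's. One caveat a practitioner should keep in mind: a file infector like Sality patches existing .exe files in place, so it never appears as a newly created file; this narrows what to look at, it does not prove a drive clean.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in ComboFix's own line formats, modelled on the log posted
# in this thread (assumption: the profile is called "User"; this is not the full log).
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2010-08-20 12:48 . 2010-08-20 12:48 -------- d-----w- c:\documents and settings\User\Application Data\Avira
2010-08-20 09:31 . 2010-08-20 09:31 12862 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{0E2B767B-EA6A-489B-BF83-8083FE1DB661}\_1EEFFF72773535163E4216.exe
2010-08-20 09:24 . 2010-08-20 09:25 423656 ----a-w- c:\windows\system32\deployJava1.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-17 7561216]
"nwiz"="nwiz.exe" [2006-03-17 1519616]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/20/2010 5:54 PM 135336]
Contents of the 'Scheduled Tasks' folder

2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-20 09:29]
"""

EXEC_EXT = (".exe", ".dll", ".scr", ".sys", ".com", ".pif")
# Directories an ordinary XP user, or malware running as that user, can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\", "\\recycler\\")

FIND3M_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (\S+) (\S+) (.+)$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[[^\]]*\]$')          # "Name"="target" [date size]
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[[^\]]*\]$")  # R2 name;display;path [..]
TASK_RE = re.compile(r"^- (.+?) \[[^\]]*\]$")                        # - path [date]


@dataclass(frozen=True)
class Finding:
    section: str
    name: str
    path: str
    reason: str


def _is_exec(path: str) -> bool:
    return path.lower().endswith(EXEC_EXT)


def _in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def _is_absolute(path: str) -> bool:
    return re.match(r"^[a-z]:\\", path, re.I) is not None


def _check_autostart(section: str, name: str, target: str, out: List[Finding]) -> None:
    """Heuristics for anything that runs at boot/logon: Run keys, services, scheduled tasks."""
    if not _is_absolute(target):
        out.append(Finding(section, name, target,
                           "autostart names a bare file, resolved through the search path"))
    elif _in_user_writable(target):
        out.append(Finding(section, name, target, "autostart runs from a user-writable path"))


def triage(log_text: str) -> List[Finding]:
    """Walk a ComboFix log and return the entries a reviewer should look at first."""
    findings: List[Finding] = []
    section = "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "Files Created" in line:
            section = "created"
            continue
        if "Find3M Report" in line:
            section = "find3m"
            continue
        if "Reg Loading Points" in line:
            section = "reg"
            continue
        if "Scheduled Tasks" in line:
            section = "tasks"
            continue
        m = FIND3M_RE.match(line)
        if m:
            _size, attrs, path = m.groups()   # attrs starts with 'd' for directories
            if not attrs.startswith("d") and _is_exec(path) and _in_user_writable(path):
                findings.append(Finding(section, path.rsplit("\\", 1)[-1], path,
                                        "executable under a user-writable profile path"))
            continue
        m = RUN_RE.match(line)
        if m:
            _check_autostart("reg", m.group(1), m.group(2), findings)
            continue
        m = SVC_RE.match(line)
        if m:
            _check_autostart("services", m.group(2), m.group(4), findings)
            continue
        m = TASK_RE.match(line)
        if m:
            _check_autostart("tasks", m.group(1).rsplit("\\", 1)[-1], m.group(1), findings)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.name}: {f.reason}\n    {f.path}")
```

Run against the sample it reports the Installer .exe under Application Data and the bare "nwiz.exe" Run entry; everything under Program Files or system32 passes. Feed it a real log with `triage(open("ComboFix.txt").read())` and treat each hit as a file to hash and submit, not as a verdict.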

  dominic025 (TS Rookie, Topic Starter)

    I'm not yet done with the ESET online scanner.
  dominic025 (TS Rookie, Topic Starter)

    Here is the ESET online scanner log.

    Attached file: log.txt (635 bytes)
  Bobbye (Helper on the Fringe)

    Are you referring to the Sality virus, which spreads by infecting .exe and .scr files? It also includes an autorun worm component that allows it to spread to any removable or discoverable drive. In addition, Sality includes a downloader Trojan component that installs additional malware via the Web.

    You were wise to reformat. Finding this Sality and Win32/Heur is a close second to Virut. What you have to determine now is if any of the files you saved were infected, or if the USB drive was used and infected. Either of these could reinfect the system if introduced back into a clean system.

    These logs look okay, and of course the only activity is for 8/20/2010. You will need to disinfect the flash drive, and I strongly recommend scanning each file you backed up.

    1. Download Flash_Disinfector and save it to your Desktop.
    2. After downloading, double-click on Flash_Disinfector to run it.
    3. Just follow the prompts and continue until it begins scanning.
    4. If asked to insert your flash drive or any removable device, including USB pen drive and memory stick, please do so.
    5. It will scan removable drives; wait for the scan to finish. Done.

    You have one entry which could be of concern if you were using it previously:
    c:\documents and settings\Dominic S. Medalla\Application Data\Microsoft\Installer\{0E2B767B-EA6A-489B-BF83-8083FE1DB661}\_1EEFFF72773535163E4216.exe

    This is the XFileSharingPro file-sharing script. You should ask if this could have been the source of the infection, and also, if you were using it previously, whether you could have 'shared' your malware!

    Make sure to change all of your passwords and monitor any online financial transactions.
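Bobbye's advice above (disinfect the flash drive, scan each backed-up file) together with the description of Sality (it infects .exe and .scr files and spreads through an autorun component) suggests an inventory pass over the backup drive before anything is copied back. The Python script below is an added example, not from the thread, from Flash_Disinfector or from any vendor: it walks a directory tree, parses any autorun.inf it finds and shows what that file would launch, lists every .exe/.scr (the file types Sality infects) with a SHA-256 so each can be scanned individually and compared against a known-good copy from install media, and reports files whose content starts with the PE "MZ" header but carry a non-executable extension. The sample tree it builds for a dry run is constructed from harmless stub bytes, not malware. It does not detect Sality; an infected .exe still looks like an .exe, so the lists are what you hand to the scanner, not a verdict.

```python
import hashlib
import json
import os
import sys
import tempfile
from typing import Dict, List

# File types a Sality-style infector patches in place (from the thread: .exe and .scr).
INFECTABLE_EXT = (".exe", ".scr")
# [autorun] keys whose value is something Windows would execute.
AUTORUN_EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> Dict[str, str]:
    """key=value pairs from the [autorun] section, keys lower-cased; other sections ignored."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_targets(text: str) -> List[str]:
    """Everything the inf would launch: open=, shellexecute= and shell\\<verb>\\command= (de-duplicated)."""
    targets = [v for k, v in parse_autorun(text).items()
               if k in AUTORUN_EXEC_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]
    return list(dict.fromkeys(targets))


def is_pe(path: str) -> bool:
    """True when the file starts with the 'MZ' DOS stub, whatever its extension says."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_tree(root: str) -> Dict[str, list]:
    """Inventory a backup drive before anything on it goes back to the clean system.

    autorun:    [(inf path, [launch targets])]   any autorun.inf and what it would run
    infectable: [(path, sha256)]                 every .exe/.scr, to scan one by one
    disguised:  [path]                           PE content behind a non-executable extension
    Paths are relative to root, with forward slashes.
    """
    report: Dict[str, list] = {"autorun": [], "infectable": [], "disguised": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if name.lower() == "autorun.inf":
                with open(full, "r", errors="replace") as f:
                    report["autorun"].append((rel, autorun_targets(f.read())))
            elif ext in INFECTABLE_EXT:
                report["infectable"].append((rel, sha256_of(full)))
            elif is_pe(full):
                report["disguised"].append(rel)
    for key in report:
        report[key].sort()
    return report


def build_sample_tree() -> str:
    """Constructed sample 'backup drive' made of harmless stub bytes (not malware), for a dry run."""
    root = tempfile.mkdtemp(prefix="backup_audit_")
    os.makedirs(os.path.join(root, "docs"))
    stub = b"MZ" + b"\x90" * 62          # only the DOS header magic, nothing executable
    samples = {
        "autorun.inf": b"[autorun]\r\nopen=setup.exe\r\nshell\\open\\command=setup.exe\r\nicon=setup.exe,0\r\n",
        "setup.exe": stub,
        "docs/report.scr": stub,
        "docs/holiday.jpg": stub,        # PE bytes hiding behind an image extension
        "docs/notes.txt": b"plain text, nothing to see\r\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    print(json.dumps(audit_tree(target), indent=2))
```

Run it as `python audit.py E:\` (or the mount point of the slave drive) and keep the printed report: the autorun section tells you whether the drive carried a worm launcher at all, the hash list is what you compare against the same files from the original installers, and anything under "disguised" deserves a look before it is opened.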
  dominic025 (TS Rookie, Topic Starter)

    Thanks. Yes, I was referring to the Sality virus; it infected my .exe files and it got removed when I scanned my computer, and the Win32/Heur, which was never-ending. It disabled my firewall and Task Manager; that's why I decided to reformat my PC. I have two hard drives: the one I reformatted was the master, which was drive C:, and I put my files on the slave, which is partitioned into two. I reformatted drive D: and put the files on drive E:.

    Were these included in the scan?
    Is it safe to put them back on drive C:?
    Is it OK to use USB Disk Security with an antivirus like AVG or Avira?

    I'd like to change my antivirus to either Avast Pro 4.8 or AVG Internet Security 9. Which is better?
  Bobbye (Helper on the Fringe)

    I thought you were referring to Sality. There is a variant currently that is attacking systems with virulence! You did the right thing up front. The scans were on the C drive, so whatever was on that drive when the scans were done would have been included.

    Keep this in mind:
    While the drive itself is now clean, I cannot tell if what you removed and now want to put back is clean.

    As for antivirus: I'd like to give you a third alternative: ESET NOD32. I use this and have been very pleased with it. I usually get the paid version of my antivirus program. If you wanted the full ESET Security Suite, you can find it here: http://www.eset.com/store
    My personal preference is free-standing programs rather than the suite. Of the other two programs, AVG and Avast, I don't have any experience with either of those suites.

    Removing all of the tools we used and the files and folders they created:
    • Uninstall ComboFix and all backups of the files it deleted:
      - Click START, then RUN.
      - Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
      - Double-click OTCleanIt.exe.
      - Click the CleanUp! button.
      - If you are prompted to reboot during the cleanup, select Yes.
      - The tool will delete itself once it finishes.
      Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points:
      - Go to Start > All Programs > Accessories > System Tools.
      - Click "System Restore".
      - Choose "Create a Restore Point" on the first screen, then click "Next".
      - Give the Restore Point a name, then click "Create".
      - Go back and follow the path to System Tools.
      - Choose Disk Cleanup.
      - Click "OK" to select the partition or drive you want.
      - Click the "More Options" tab.
      - Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin.

    Tips for added security and safer browsing:
    1. Browser security settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
       This tutorial will help guide you through configuring security settings, managing ActiveX controls and other safety features: Make Internet Explorer safer.
    2. Have layered security:
       • Antivirus software (only one): Both of the following programs are free and known to be good:
         - Avira Free
         - Avast Home
       • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
         - Zone Alarm
       • Antispyware: I recommend all of the following:
         - SpywareBlaster: protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
         - IE/Spyad: places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
         - MVPS Hosts file: replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to your local computer.
         - Google Toolbar: get the free Google Toolbar to help stop pop-up windows.
    3. Stay current on updates:
       - Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
       - Visit the Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates, as they are vulnerabilities.
       - Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset cookies to prevent tracking cookies:
       - For Internet Explorer: Internet Options (through Tools or Control Panel) > Privacy tab > Advanced button > check 'Override automatic cookie handling' > check 'Accept first-party cookies' > check 'Block third-party cookies' > check 'Allow per-session cookies' > Apply > OK.
       - For Firefox: Tools > Options > Privacy > Cookies > check 'Accept cookies from sites' > uncheck 'Accept third-party cookies' > set Keep until 'they expire'. This will allow you to keep cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'Use custom settings for history'.)
       I suggest using the following two add-ons for Firefox. They will prevent the tracking cookies that come from ads and banners and other sources:
       - AdBlock Plus
       - EasyList
    5. Do regular maintenance.
    6. Remove Temporary Internet Files regularly:
       - ATF Cleaner by Atribune
    7. Disable and enable System Restore:
       - See the System Restore Guide. This will help you understand what this is, why you need to clean and set restore points, and what information is in them.
    8. Practice safe email handling:
       - Don't open email from anyone you don't know.
       - Don't open attachments in the email. Save them to your desktop and scan for viruses using a right-click.
       - Don't leave your personal email address on the Internet. Have a separate email account at one of the free web-based email services like Yahoo.
    Enjoy your computing experience! It's as good as you make it!
