Kinky situation with Win32:Sality...any ideas?

Situation:

Ok, I managed to infect my laptop with Win32:Sality while trying to help my colleagues rid their USB pens of viruses. I am at sea and cannot connect my laptop to the internet. I can transfer things via USB from a PC that is connected. Connection speed is VERY limited (like ISDN, and divided between several computers). I also won’t be going ashore for the next two months, so I really need my laptop =(

As of now I have managed to contain it, I think. I currently have avast 4.8 installed with the latest definitions, and the last scan managed to find a lot of infected files (avast 4.7 with 2-month-old definitions didn’t find anything despite the virus being several years old). I have used a Sality removal tool… but I can’t see that it did anything helpful at all? It ran a scan and said “ok” to a lot of files, but it never did anything for the virus problem. I have tried MBAM also (I don’t need to update it if I installed the newest version, I hope?) and it found a few registry entries.

The problem now:

Upon infection it turned all my folders on D:\ into exe files and hid all my original folders (not on C:\, for some reason). When I restarted Windows I was also asked to log on to my name, although I have never used a logon or a password.

In safe mode, logging in as administrator, I was able to set a password for my account and can now log in. I cannot log in as administrator unless I use safe mode. I tried to set my account to allow everything and be an admin account, but it seems to revert itself afterwards. When logged in as myself I cannot view my folders, and I cannot go to “folder settings” (it’s gone). There are also some weird attributes on them, -SHR I think, but I can’t change them even through the cmd line.

When logged on as administrator in safe mode I can view my folders and folder settings. I try to remove “read only” and “hidden”, but it just reverts back.

So… anyone have any ideas I can try? Is it the virus that’s still messing things up, or is this just a Windows problem I need to fix now?

Hi Dos,

Looking at your issues, I am afraid that your system has also been infected by Win32 too.
And if that has happened to your system, there is no other way: you need to reinstall your Windows to fix the whole infected system.

But to be sure, there are some steps you need to do:

  1. Please go and check your registry: open Start - Run - type “Regedit” - go to HKLM → Software → Microsoft → Windows → CurrentVersion → Run (if you have the capability to detect which entries are the real ones still running in your system and which are correct, that is an advantage point for you)

  2. You could also check your Windows startup with Start - Run - type “Msconfig” - please check your system startup for any other foreign application that will run after you boot up Windows

  3. You could also check your Windows folder at Drive C (based on your Windows installation) - Windows. Please make sure that your whole Windows folder is of normal size, or does it have a different size?

  4. Please do the boot-time scan with your avast, and if any foreign attacker is found, please move it to the chest.

Please do those steps first… and then get back to us if it is still not solved yet
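Steps 1 and 2 of the checklist above, done from a shell instead of by eye in Regedit and Msconfig. This is an added example and not part of the thread or of any tool named in it; it assumes PowerShell 2.0 or later is installed on the laptop (an optional download on Windows XP). It lists every Run/RunOnce value in HKLM and HKCU, resolves bare file names such as TPSMain.exe to the file the loader would actually start, and records whether that file exists and whether its Authenticode signature still verifies.

```powershell
# Added example, not from the thread: steps 1 and 2 of the checklist above done
# from a shell. Enumerates the Run/RunOnce values in HKLM and HKCU, resolves
# bare file names (e.g. "TPSMain.exe") roughly the way CreateProcess would, and
# records whether each target exists and carries a valid Authenticode signature.
# Assumes PowerShell 2.0 or later (an optional download on Windows XP).

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds to its output that are not registry values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-AutostartTarget {
    param([string]$Command)
    # Strip surrounding quotes and arguments: "C:\x\y.exe" /flag -> C:\x\y.exe
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -lt 0) { $end = $c.Length }
        $exe = $c.Substring(1, $end - 1)
    } else {
        $exe = ($c -split '\s+')[0]
    }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ([IO.Path]::IsPathRooted($exe)) { return $exe }
    # A bare name is searched in System32, then the Windows directory, then PATH.
    # Whichever copy is found first is the one that runs at logon.
    $dirs = @("$env:SystemRoot\System32", $env:SystemRoot) + ($env:Path -split ';')
    foreach ($d in $dirs) {
        if ($d -and (Test-Path -LiteralPath (Join-Path $d $exe))) { return (Join-Path $d $exe) }
    }
    return $exe   # found nowhere: a dead entry, or a file a scan already removed
}

function Get-AutostartReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $target = Resolve-AutostartTarget ([string]$p.Value)
            $status = 'Missing'
            if (Test-Path -LiteralPath $target) {
                $status = [string](Get-AuthenticodeSignature -FilePath $target).Status
            }
            New-Object PSObject -Property @{
                Key       = $key
                Name      = $p.Name
                Command   = [string]$p.Value
                Target    = $target
                Signature = $status
            }
        }
    }
}

# Missing targets and HashMismatch (a signed file whose bytes have changed) are
# the entries to look at first; NotSigned is normal for OEM tray utilities.
Get-AutostartReport | Sort-Object Signature | Format-Table Name, Signature, Target -AutoSize
```

Run it once as the affected user and once as Administrator in Safe Mode, since HKCU differs between the two. Two caveats: a bare-name entry whose file is found in an unexpected directory (not System32 or Windows) is worth a second look even when it is signed, and on XP many Microsoft binaries are signed through catalog files, which this cmdlet does not consult, so NotSigned on a system file is not by itself evidence of tampering.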

I have no XP CD or Ubuntu with me, so I will avoid reinstalling at all costs =/

I will try these steps in a few hours when I am off duty and get back to you.

  1. After Run, what is it exactly I should be looking for?

  2. I tried looking here before, but it was hard to determine which files were necessary and which were not

  3. I don’t know the exact size it was to begin with :( There are, however, 3 suspicious files in my c:\ folder named “autoexec.bat, io.sys and config.sys”. They were all 0 kB, with the same modified date as the other “fake” files the virus created, so I deleted io.sys. I now see on this other Windows install that they actually belong there. Windows still worked fine afterwards, though.

  4. I tried the boot-time scan before and it found a lot of infected files. I chose delete all, even system files, and Windows still worked fine afterwards.

You can use Dr. Web CureIt.

Hi Dos,

Answering your questions:

  1. Please look for what application is running out of Windows\System32, and after that please make sure that it is the real application that you use to run something on your system

  2. Just check wisely on the internet to make sure that your .exe file is the real one

  3. Anyway, can you get into safe mode with your current OS condition? Are you able to log in using the username Localhost without a password?

  4. Have you tried again to scan with the avast boot-time scan?
    Please try to download Malwarebytes and then update it first, and after that do the Malwarebytes scan.

Then please use the HijackThis tool to scan your system, and please submit the HijackThis log report here. Let us help you find this trouble.

W32/Sality info http://www.norman.com/security_center/virus_description_archive/55905/no

If you are able to download this, it should remove it: http://www.norman.com/support/support_tools/58732/no

Thanks a lot for the help guys, I made some progress :)

  1. Everything looks fine here, no unknown apps

  2. Everything looked good here too, recognized all apps

  3. I can log in in safe mode as administrator. I will try to log in as Localhost… if that works, what can I do from there?

  4. I ran HJT and it found the registry entry that denied access to Folder Options in my account. Removed it, and now I can access Folder Options and view the hidden folders! However, I still can’t change the attributes (readonly, hidden and system).

If I can download an update for Malwarebytes I can transfer the file by USB, but I can’t connect directly with my laptop. Is there such an update? I have the newest Malwarebytes version. I will post my HJT log later today.

Pondus: Thanks. I will try Norman if this doesn’t work, but the file is very big, so I may not be able to download it.
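The two things the poster is fighting here, the Explorer policy that hid Folder Options and the System+Hidden+ReadOnly folders on D:\ with a same-named .exe sitting beside each, can be checked and undone from one script. This is an added example, not code from the thread or from any of the tools mentioned; it assumes PowerShell 2.0 or later, and the drive letter and quarantine path are placeholders. It is report-only unless run with -Apply, and it moves the decoy executables into a quarantine directory rather than deleting them, so a sample survives for the AV vendor.

```powershell
# Added example, not from the thread: inspect the Explorer policy value that hides
# Folder Options, find top-level directories on a data drive that carry the
# System+Hidden+ReadOnly combination, and quarantine any "<folder name>.exe"
# sitting beside such a directory. Report-only unless -Apply is given.
# Assumes PowerShell 2.0 or later; $Drive and $Quarantine are placeholders.
param(
    [string]$Drive = 'D:\',
    [string]$Quarantine = 'C:\Quarantine',
    [switch]$Apply
)

# 1. The policy HJT turned up: NoFolderOptions under Policies\Explorer.
#    It can live in HKCU (this user) or HKLM (all users); check both.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (Test-Path $key) {
        $v = (Get-ItemProperty -Path $key).NoFolderOptions
        if ($v) {
            "$hive NoFolderOptions = $v (1 hides Folder Options)"
            if ($Apply) { Remove-ItemProperty -Path $key -Name NoFolderOptions }
        }
    }
}

# 2. S+H+R directories and the decoy executables named after them.
$shrBits = [int][IO.FileAttributes]::System -bor
           [int][IO.FileAttributes]::Hidden -bor
           [int][IO.FileAttributes]::ReadOnly

if ($Apply -and -not (Test-Path $Quarantine)) {
    New-Item -ItemType Directory -Path $Quarantine | Out-Null
}

Get-ChildItem -Path $Drive -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $dir   = $_
    # Assumption from the post: the decoy sits next to the folder it imitates.
    $decoy = Join-Path $Drive ($dir.Name + '.exe')
    if (Test-Path -LiteralPath $decoy) {
        "decoy executable beside folder: $decoy"
        if ($Apply) {
            # Keep the sample, renamed so nothing double-clicks it by accident.
            Move-Item -LiteralPath $decoy -Force `
                -Destination (Join-Path $Quarantine ($dir.Name + '.exe.quarantined'))
        }
    }
    if (([int]$dir.Attributes -band $shrBits) -eq $shrBits) {
        "S+H+R set on: $($dir.FullName)"
        if ($Apply) {
            # Clear only those three bits; leave Directory/Archive untouched.
            $dir.Attributes = [IO.FileAttributes](([int]$dir.Attributes) -band (-bnot $shrBits))
        }
    }
}
```

Run it without -Apply first and read the list. After an -Apply run, run it again a few minutes later: if NoFolderOptions or the S+H+R bits have come back, something still executing is reapplying them, which is the "it just reverts" symptom from the first post, and the cleanup has to be repeated from Safe Mode once that process is gone.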

If I can download an update for malwarebytes I can transfer the file by usb, but I can't connect directly with my laptop. Is there such an update? I have the newest malwarebytes version. I will post my HJT log later today.

http://www.gt500.org/malwarebytes/

Ok, I have scanned with avast (boot), the Sality removal app (boot) and Malwarebytes, and they don’t find any more infections.

I cannot log in as Localhost in safe mode.

So, I’m hoping this is now a Windows-related problem. I still can’t change the attributes (SHR) on the folders :(

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:53:08, on 11.11.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QT Lite\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - C:\Program Files\nordicbetMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 6647 bytes

Hi Dos,

I am very sorry that currently I am not able to access HijackThis and generate the information.
But in order to know about your system status, you could visit hijackthis.de, and then you could see the generated report of which files are bad on your system.
:(

Sality is a file infector lol. Try to go to safe mode: restart your PC, then press F5 or F8 to go into safe mode…

then run this:

http://download.avg.com/filedir/util/avg_rem_sup.dir/rmsality/rmslt.exe

hope this can help you…

I think HJT will not help when the system is infected with Sality or, in general, file infectors…

nmb

Oki, thanks anyway. I tried to paste my log file and press “Analyze this”, but the next page won’t seem to load. Maybe it’s my connection? Can anyone else try to paste my log file and see what it says?

I will try this later today and let you know what it says.

HijackThis Auto Analyze

http://hjt.networktechs.com/parse.php?log=716600

For file infectors, salvage the files with a Live Linux to a USB key or portable HDD and format the entire thing. Otherwise you’ll never truly win the fight.

Yes, I was terribly naive when I came across one of those threads about file infectors for the first time. :-[

Hi Dos,

Today I just tried it again, and could generate the analysis report:

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

You could fix this missing file, and I didn’t find any harmful application on your system. Maybe, as NMB mentioned, HJT is not really helpful in analyzing the infected files.

Sadly, it’s not only nmb but also L’arc, RejZoR, essexboy and some other forum members. It seems to be common sense that HJT is not effective against file infectors, considering their nasty nature. I had been optimistic too, till I learned the nature of the file infectors. :(
[Edit]I don’t like to sound discouraging, but I cannot but admit that this is a logical conclusion… :'([/Edit]

Unfortunately Sality and Virut, due to their nature, tend to corrupt Windows system files. Although the system may run, you will keep experiencing errors, slowdowns and in extreme cases BSODs. Plus you are open to other infections more easily than on a fully working system.
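The reason HJT cannot settle this, as the last few posts say, is that a file infector leaves the autostart list alone and changes the bytes of the executables themselves. The check that does address that is an integrity sweep of the system executables. This is an added example, not code from the thread or from any of the tools named in it; it assumes PowerShell 2.0 or later, and the directory list and the reference hash table are placeholders to be filled in from a clean machine (the poster's connected PC, with the list carried over on the USB stick). For files with an embedded Authenticode signature, an infected body shows up as HashMismatch; for everything else, a size and MD5 comparison against the same file on a clean XP SP2 install is the only reliable test.

```powershell
# Added example, not from the thread: the integrity check HJT cannot do.
# A file infector changes the bytes of every .exe it touches. For files that
# carry an embedded Authenticode signature that shows as HashMismatch; for the
# rest, compare size and MD5 against the same file from a clean machine.
# Assumes PowerShell 2.0 or later; $Dirs and $reference are placeholders.

param([string[]]$Dirs = @("$env:SystemRoot", "$env:SystemRoot\System32"))

function Get-Md5Hex {
    param([string]$Path)
    # Get-FileHash does not exist in PowerShell 2.0, so hash through .NET directly.
    $md5 = [Security.Cryptography.MD5]::Create()
    $fs  = [IO.File]::OpenRead($Path)
    try { $bytes = $md5.ComputeHash($fs) } finally { $fs.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-ExecutableReport {
    param([string[]]$Directories)
    foreach ($d in $Directories) {
        # "$d\*" with -Include lists that directory only, without recursing.
        Get-ChildItem -Path "$d\*" -Include *.exe, *.scr -Force -ErrorAction SilentlyContinue |
          ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            New-Object PSObject -Property @{
                File     = $_.FullName
                Size     = $_.Length
                Modified = $_.LastWriteTime
                Status   = [string]$sig.Status
                Signer   = $signer
            }
          }
    }
}

$report = Get-ExecutableReport -Directories $Dirs

# 1. Signed files whose bytes no longer match their signature.
$report | Where-Object { $_.Status -eq 'HashMismatch' } |
    Sort-Object Modified -Descending | Format-Table Modified, Size, File -AutoSize

# 2. Everything else: compare against the clean machine. $reference is a
#    placeholder; produce the real values by running Get-Md5Hex on the clean PC.
$reference = @{
    "$env:SystemRoot\explorer.exe"        = 'md5-from-clean-machine'
    "$env:SystemRoot\System32\ctfmon.exe" = 'md5-from-clean-machine'
}
foreach ($file in $reference.Keys) {
    if (-not (Test-Path -LiteralPath $file)) { "$file missing"; continue }
    $actual = Get-Md5Hex -Path $file
    if ($actual -ne $reference[$file]) { "$file differs from clean copy: $actual" }
}
```

Two caveats. Most Microsoft binaries on XP are signed through catalog files rather than an embedded signature, and this cmdlet does not consult catalogs, so they report NotSigned and only the hash comparison in part 2 says anything about them (Sysinternals sigcheck does check catalogs and is small enough to transfer by USB). And modification dates are a hint, not proof: the poster used them to spot the fake files, which worked here, but a file whose date looks normal can still fail the hash comparison.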