
Incredibly bad Sality-Gen infection!!!

Discussion in 'Virus & Other Malware Removal' started by gottarollwithit, Oct 15, 2008.

Thread Status:
Not open for further replies.
  1. gottarollwithit

    gottarollwithit Thread Starter

    Joined:
    Aug 13, 2006
    Messages:
    22
    Hi Folks,

    Unfortunately I'm back again. I've managed to stay clean of computer STDs for a year or so now, but somehow I've come up with a mongo infection of Sality Gen.
    I ran Avast last night and it kept popping up telling me that I have this Sality-Gen infection and that it couldn't repair the damage done. I might have something in addition too, but I'm not sure. The computer is plenty fast, but Avast was so bogged down by the Sality Gen infection that I couldn't get it to finish. I've uninstalled all of my malware/virus killer stuff to make way for the new ones you guys suggest.

    Also, now on start up I get this swath of messages about "No disk in drive. Please insert disk into drive \device\harddisk1\ddr2".
    Plus, I installed and scanned with HJT about 10 min ago. Now it's like the program is corrupted. I reinstalled it to yield the following log:

    Thanks guys in advance!! Anything would be most greatly appreciated.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:09:55 PM, on 10/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cardinal.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F2 - REG:system.ini: Shell=Explorer.exe "C:\DOCUME~1\user\LOCALS~1\Temp\winjVcaE.exe"
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - Startup: Event Reminder.lnk.disabled
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: hp psc 2000 Series.lnk.disabled
    O4 - Global Startup: hpoddt01.exe.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk.disabled
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\System32\ccsrvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 3009 bytes
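    The two lines in the log above that matter most are the F2 Shell entry (Winlogon's Shell value has been changed from the stock "Explorer.exe" to also launch a second executable out of the user's Temp directory) and the O7 entry (DisableRegedit=1, the same policy key where a DisableTaskMgr=1 would explain the Task Manager lockout reported later in the thread). The following is an added example, not code from the thread, from HijackThis or from any antivirus vendor: a small Python triage of HijackThis-format lines that flags exactly those indicators, plus executables referenced from Temp paths, AppInit_DLLs entries and "(file missing)" entries for review. The SAMPLE_LOG is constructed from lines copied out of the posted log; the rules, severities and the Finding type are this example's own assumptions, not HijackThis output.

```python
"""Triage HijackThis log lines for Winlogon/policy tampering (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe "C:\DOCUME~1\user\LOCALS~1\Temp\winjVcaE.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info" (this example's own scale)
    item: str      # the HijackThis line that triggered the rule
    reason: str


# Directories from which nothing legitimate should be launched at logon.
TEMP_PATH = re.compile(r"(\\Temp\\|LOCALS~1|\\AppData\\Local\\Temp)", re.IGNORECASE)
# Explorer policy values malware sets so the user cannot inspect or kill it.
LOCKOUT_POLICIES = ("DisableRegedit", "DisableTaskMgr", "DisableCMD")
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"


def _shell_tokens(value: str) -> List[str]:
    """Split a Winlogon Shell value into commands; quoted paths stay whole."""
    return re.findall(r'"[^"]*"|[^,\s]+', value)


def triage_line(line: str) -> List[Finding]:
    """Apply the triage rules to one HijackThis line; a line may hit several rules."""
    line = line.strip()
    findings: List[Finding] = []
    if line.startswith("F2 - REG:system.ini: Shell="):
        tokens = _shell_tokens(line.split("Shell=", 1)[1])
        extra = [t for t in tokens if t.lower() != "explorer.exe"]
        if extra:  # the stock value is exactly Explorer.exe, nothing else
            findings.append(Finding("high", line,
                                    "Winlogon Shell launches extra program(s): " + " ".join(extra)))
    elif line.startswith("F2 - REG:system.ini: UserInit="):
        value = line.split("UserInit=", 1)[1].rstrip(",").lower()
        if value != STOCK_USERINIT:
            findings.append(Finding("high", line, "UserInit does not point at the stock userinit.exe"))
    elif line.startswith("O7 -"):
        for policy in LOCKOUT_POLICIES:
            if re.search(policy + r"\s*=\s*1", line):
                findings.append(Finding("medium", line, f"{policy}=1: registry/Task Manager lockout policy set"))
    elif line.startswith("O20 - AppInit_DLLs:"):
        dlls = line.split(":", 1)[1].strip()
        if dlls:  # loaded into every GUI process; legitimate for some AV, so review not condemn
            findings.append(Finding("info", line, f"AppInit_DLLs loads {dlls} into every GUI process; verify the vendor"))
    if TEMP_PATH.search(line):
        findings.append(Finding("high", line, "executable referenced from a Temp directory"))
    if line.endswith("(file missing)"):
        findings.append(Finding("info", line, "entry points at a file that no longer exists"))
    return findings


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every non-empty line of a HijackThis log."""
    return [f for line in log_text.splitlines() if line.strip() for f in triage_line(line)]


def count_by_severity(findings: List[Finding]) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.item}")
    print(count_by_severity(triage(SAMPLE_LOG)))
```

    Run against the sample, the Shell line is reported twice (an extra program in the Shell value, and a program launched from Temp), the O7 line once as a lockout policy, and the AppInit_DLLs and "(file missing)" entries as review items. The point of the example is only to show what a reader of the log should look at; it does not clean anything, and none of this addresses the file infection itself, which is why the thread's advice is to format.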
     
  2. gottarollwithit

    gottarollwithit Thread Starter

    Joined:
    Aug 13, 2006
    Messages:
    22
    Oh yes, I must add that whatever horribly bad infection I've acquired, it has disabled my "Task Manager". So I am now unable to CTRL-ALT-DEL and manually close processes.
     
  3. gottarollwithit

    gottarollwithit Thread Starter

    Joined:
    Aug 13, 2006
    Messages:
    22
    Bump!

    Sorry, I reported it too! The sticky says to report it, the report link says not to report it! Hope this didn't cause any trouble.
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
  5. gottarollwithit

    gottarollwithit Thread Starter

    Joined:
    Aug 13, 2006
    Messages:
    22
    I'll try the scanner and get back to ya. So what do I do if the scanner doesn't work?
    This infection is horrible and it's worming up my computer. Is my only other option to reformat?
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Yes.

    If the scanner won't fix it, format is the only option.

    Sality infects all running files on the computer, and that includes an antivirus.
     
  7. gottarollwithit

    gottarollwithit Thread Starter

    Joined:
    Aug 13, 2006
    Messages:
    22
    Any other suggestions? The scanner won't even open b/c the site is down. The link you gave works, but everything after that is either overloaded at the moment or is just about down.
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
  9. gottarollwithit

    gottarollwithit Thread Starter

    Joined:
    Aug 13, 2006
    Messages:
    22
    OK, well instead of doing one of the online scanners, I used the modern-day equivalent of Ewido. I looked up a past thread here on this forum on Sality, and it said use Ewido then Panda.
    The AVG 8.0 - modern-day Ewido - picked up a ton of stuff - thousands of viruses. It didn't say anything about Sality when scanning though. Attached is the report. I had to change the file extension from CSV to TXT form to allow it to upload. Change it back to CSV to view. Dunno what CSV is though. It might be Excel, but this horrible infection has disabled most programs on this computer. Excel is included in that. There was so much infected stuff that the "virus chest" overflowed, so I went on a deleting rampage to help quell the infection. It is safe to delete "restore" and "temp" files, right??

    There were a few files that couldn't be added to my virus vault that I need, like C:unwise.exe and some printer drivers. Unwise.exe directly on the C: drive is a needed file, right???

    Please help me!!

    Here is my latest HJT log if it'll help.

    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cardinal.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F2 - REG:system.ini: Shell=Explorer.exe "C:\DOCUME~1\user\LOCALS~1\Temp\winjVcaE.exe"
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - Startup: Event Reminder.lnk.disabled
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: hp psc 2000 Series.lnk.disabled
    O4 - Global Startup: hpoddt01.exe.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk.disabled
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\System32\ccsrvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 3586 bytes

    Oh yeah, I should add that my "task manager" and the safe mode option upon restart have been disabled. Dunno what to do for that too.
    So after looking at the AVG log, is it a Win32/Heur infection? Or is that simply in addition to the Sality Gen? I noticed that whatever it is specifically attacks .EXE files.
     

    Attached Files:

  10. gottarollwithit

    gottarollwithit Thread Starter

    Joined:
    Aug 13, 2006
    Messages:
    22
    Btw, what happens to the swaths of .exe files that couldn't be "healed" but I've put in the "virus vault"?? Can I still use them? Most of the .exe's that run most of my programs have been affected by this....

    Thanks!
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    That has just completely messed up the computer, as it has deleted the infected files instead of trying to disinfect them.

    It will also have infected AVG as well.

    It's too late to do anything now except format and reinstall from scratch.
     
  12. gottarollwithit

    gottarollwithit Thread Starter

    Joined:
    Aug 13, 2006
    Messages:
    22
    I only deleted the unneeded infected files, like stuff in the temp folder and the system restore files. All of the .exe's that I still use are just sitting in the virus vault.

    Any ideas besides format/reinstall? The machine doesn't feel all bogged down as it used to before the virus scan. With AVG I've brought it to a point where I have no infections after scanning. Did I even have a Sality infection at all, but instead had a Win32/Heur infection?
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    That is Sality.

    Tanatos is AVG's name for Sality.

    Win32/Heur is a heuristic detection and means infected.

    That isn't going to fix properly because it attacks every antivirus you try to install.

    It is also a password stealer that will have already transmitted all your info and passwords to wherever.
     
Short URL to this thread: https://techguy.org/759571