
[Not curable - Sality] IE keeps popping up windows

Discussion in 'Malware and Virus Removal Archive' started by xxxmagic, 2011/03/21.

    xxxmagic (Thread Starter), 2011/03/21
    Hi guys,

    My IE keeps popping up some error message windows and reopens itself when I close it.
    What can that be?

    Here are all the needed logs:

    Malwarebytes (MBAM)
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6116

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    21/03/11 14:09:18
    mbam-log-2011-03-21 (14-09-13).txt

    Scan type: Quick scan
    Objects scanned: 135654
    Time elapsed: 12 minute(s), 20 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER
    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-03-21 14:25:50
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD800JB-00JJC0 rev.05.01C05
    Running: 3b4m8kkk.exe; Driver: C:\DOCUME~1\Boris\LOCALS~1\Temp\ugxorpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT 82A2D6A0 ZwCreateKey
    SSDT 829FA420 ZwCreateMutant
    SSDT 82A2C4A0 ZwCreateProcess
    SSDT 82A2C7A0 ZwCreateProcessEx
    SSDT 829FA7E0 ZwCreateSymbolicLinkObject
    SSDT 82A2EF40 ZwCreateThread
    SSDT 82A2DCA0 ZwDeleteKey
    SSDT 82A2E5A0 ZwDeleteValueKey
    SSDT 829FA9C0 ZwDuplicateObject
    SSDT 829FA120 ZwLoadDriver
    SSDT 82A2CAA0 ZwOpenProcess
    SSDT 82A2EB80 ZwOpenSection
    SSDT 82A2CDA0 ZwOpenThread
    SSDT 82A2DFA0 ZwRenameKey
    SSDT 82A2E2A0 ZwRestoreKey
    SSDT 829FA600 ZwSetSystemInformation
    SSDT 82A2D9A0 ZwSetValueKey
    SSDT 82A2D0A0 ZwTerminateProcess
    SSDT 82A2D3A0 ZwTerminateThread
    SSDT 82A2ED60 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF6BE2510]
    .text C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl section is writeable [0xEB711000, 0x2892, 0xE8000020]
    .vmp2 C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl entry point in ".vmp2" section [0xEB734050]
    ? C:\DOCUME~1\Boris\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[868] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B4000A
    .text C:\WINDOWS\System32\svchost.exe[868] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B5000A
    .text C:\WINDOWS\System32\svchost.exe[868] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007E000C
    .text C:\WINDOWS\System32\svchost.exe[868] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 0248000A
    .text C:\WINDOWS\System32\svchost.exe[868] USER32.dll!WindowFromPoint 7E41BD8E 5 Bytes JMP 0249000A
    .text C:\WINDOWS\System32\svchost.exe[868] USER32.dll!GetForegroundWindow 7E41BE4B 5 Bytes JMP 024E000A
    .text C:\WINDOWS\System32\svchost.exe[868] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00D0000A
    .text C:\WINDOWS\Explorer.EXE[1820] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CF000A
    .text C:\WINDOWS\Explorer.EXE[1820] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D0000A
    .text C:\WINDOWS\Explorer.EXE[1820] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C9000C

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 82F1A27F
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 82F1A27F
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 82F1A27F

    AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800JB-00JJC0______________________05.01C05#5&36b30ae3&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- EOF - GMER 1.0.15 ----


    MBRCheck
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x0184001c

    Kernel Drivers (total 113):

    Processes (total 38):
    0 System Idle Process
    4 System
    444 C:\WINDOWS\system32\smss.exe
    500 csrss.exe
    524 C:\WINDOWS\system32\winlogon.exe
    572 C:\WINDOWS\system32\services.exe
    584 C:\WINDOWS\system32\lsass.exe
    740 C:\WINDOWS\system32\svchost.exe
    800 svchost.exe
    868 C:\WINDOWS\system32\svchost.exe
    932 svchost.exe
    1092 svchost.exe
    1284 C:\WINDOWS\system32\spoolsv.exe
    1484 svchost.exe
    1520 C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
    1540 C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe
    1556 C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
    1648 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    1820 C:\WINDOWS\explorer.exe
    1984 C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
    164 C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
    112 C:\Program Files\TeamViewer\Version6\TeamViewer.exe
    1000 C:\WINDOWS\SOUNDMAN.EXE
    1128 C:\Program Files\CyberLink\Shared files\brs.exe
    1184 C:\Program Files\Google\Google Talk\googletalk.exe
    1336 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    1372 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    1388 C:\WINDOWS\system32\ctfmon.exe
    1440 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    1444 C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiSeAgnt.exe
    2624 C:\Program Files\TeamViewer\Version6\TeamViewer_Desktop.exe
    2976 C:\Program Files\TeamViewer\Version6\tv_w32.exe
    3440 C:\Documents and Settings\Boris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    3552 C:\Documents and Settings\Boris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    2884 C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    2552 C:\Documents and Settings\Boris\Desktop\MBRCheck.exe
    3872 D:\Download\dds.scr
    1708 C:\WINDOWS\system32\cmd.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000a`40e15200 (NTFS)

    PhysicalDrive0 Model Number: WDCWD800JB-00JJC0, Rev: 05.01C05

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!

    DDS(2 logs)
    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Boris at 14:03:32.71 on Mon 03/21/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.2.1255.972.1033.18.767.134 [GMT 2:00]
    .
    AV: Trend Micro Titanium Internet Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
    C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
    C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
    C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
    C:\Program Files\TeamViewer\Version6\TeamViewer.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Cyberlink\Shared files\brs.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
    c:\program files\teamviewer\version6\TeamViewer_Desktop.exe
    C:\Program Files\TeamViewer\Version6\tv_w32.exe
    C:\Documents and Settings\Boris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Boris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    D:\Download\dds.scr
    C:\Documents and Settings\Boris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Boris\Desktop\dds.pif
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.isra.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://www.google.co.il/
    uInternet Settings,ProxyServer = 208.94.243.44:8080
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: Israel Radio Toolbar: {5dc2c36d-747c-4fee-8bc3-e86c21981440} - c:\program files\israel_radio\prxtbIsr0.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1381\6.5.1234\TmIEPlg.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Israel Radio Toolbar: {5dc2c36d-747c-4fee-8bc3-e86c21981440} - c:\program files\israel_radio\prxtbIsr0.dll
    BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: Israel Radio Toolbar: {5dc2c36d-747c-4fee-8bc3-e86c21981440} - c:\program files\israel_radio\prxtbIsr0.dll
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\boris\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
    mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe "
    mRun: [Trend Micro Titanium] "c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe" -set Silent "1" SplashURL " "
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe "
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
    Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1381\6.5.1234\TmIEPlg.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/10/25 19:49:01];c:\program files\cyberlink\powerdvd10\navfilter\000.fcl [2010-3-13 87536]
    R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2010-12-6 196320]
    R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-10-26 2011944]
    R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-1-14 2250616]
    R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-12-6 64080]
    R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-3-21 38224]
    S3 amsint32;amsint32;\??\c:\windows\system32\drivers\olgsn.sys --> c:\windows\system32\drivers\olgsn.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-03-21 11:59:30 -------- d--h--w- c:\windows\PIF
    2011-03-21 11:54:46 -------- d-----w- c:\docume~1\boris\applic~1\Malwarebytes
    2011-03-21 11:54:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-21 11:54:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-03-21 11:54:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-21 11:54:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-21 11:03:04 -------- d-----w- c:\windows\system32\appmgmt
    2011-03-21 10:07:46 388096 ----a-r- c:\docume~1\boris\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-03-21 10:06:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-03-21 10:06:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2011-03-21 09:48:35 -------- d-sh--w- C:\found.000
    2011-03-20 11:04:12 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
    2011-03-20 11:04:11 32592 ----a-w- c:\windows\system32\msonpmon.dll
    2011-03-20 10:49:33 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2011-03-20 10:32:02 -------- d-----w- c:\docume~1\boris\locals~1\applic~1\Microsoft Help
    2011-03-17 08:31:42 -------- d-----w- c:\program files\MSECache
    2011-02-22 13:37:51 -------- d-----w- c:\docume~1\boris\locals~1\applic~1\Help
    .
    ==================== Find3M ====================
    .
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD800JB-00JJC0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F1A439]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82f207d0]; MOV EAX, [0x82f2084c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82F42AB8]
    3 CLASSPNP[0xF757005B] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000005a[0x82FCDF18]
    5 ACPI[0xF74E6620] -> nt!IofCallDriver[0x804E37D5] -> [0x82FCC940]
    \Driver\atapi[0x82F35548] -> IRP_MJ_CREATE -> 0x82F1A439
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800JB-00JJC0______________________05.01C05#5&36b30ae3&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x82F1A27F
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 14:07:15.07 ===============

    2011-02-22 13:37:51 -------- d-----w- c:\docume~1\boris\locals~1\applic~1\Help
    .
    ==================== Find3M ====================
    .
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD800JB-00JJC0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F1A439]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82f207d0]; MOV EAX, [0x82f2084c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82F42AB8]
    3 CLASSPNP[0xF757005B] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000005a[0x82FCDF18]
    5 ACPI[0xF74E6620] -> nt!IofCallDriver[0x804E37D5] -> [0x82FCC940]
    \Driver\atapi[0x82F35548] -> IRP_MJ_CREATE -> 0x82F1A439
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800JB-00JJC0______________________05.01C05#5&36b30ae3&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x82F1A27F
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 14:04:19.25 ===============
     
  2. 2011/03/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm afraid I have very bad news.

    You are infected with a polymorphic file infector (SALITY). This infection can and will infect all the machine's executable files .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.

Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain the following files:
    *.exe
    *.scr
    *.htm
    *.html
    *.xml
    *.zip
    *.rar
    *.doc
    *.jpg
    *.pdf

    Backup all your documents and important items only.
    DO NOT backup any files mentioned above.

    I suggest you do the following immediately:

    * Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    * From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
    * DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

    For more information on Virut, and why you need to reformat, have a read of miekiemoes blog here.

    To find out how to carry out an XP Reformat and Reinstall, please see this page. If you are using Vista, then check this page instead.

    Once you have reformatted and reinstalled Windows, have a look at this page for some useful tips on staying clean, along with links to some freeware to help.

    To find out more information about how you may have got infected in the first place, you can read this article.

    I am sorry I cannot give any better news.
     


  4. 2011/03/22
    xxxmagic

    xxxmagic Inactive Thread Starter

    Joined:
    2010/01/10
    Messages:
    16
    Likes Received:
    0
    Hmm....
    Are you sure about that? For now the only problem I have is IE, and if I'm not using that, the PC is acting OK.

    Is there something I can try before taking the drastic step of reinstalling the OS ?
     
  5. 2011/03/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Unfortunately not.

    Look at MBAM log:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality)
     
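As an added example (not code from this thread, from DDS or from MBAM), a small Python triage helper that pulls out of log text the indicators broni points at: a service whose driver image DDS could not find on disk (the shape of the amsint32 entry), registry keys MBAM attributes to Virus.Sality, and Security Center *DisableNotify values flipped to 1. The embedded sample is a constructed excerpt in the format of the DDS and MBAM output posted in this thread.

```python
import re

# Constructed excerpt in the format of the DDS "SERVICES / DRIVERS" section and
# MBAM "Registry Keys/Data Items Infected" sections (not a complete log).
SAMPLE_LOG = r"""
R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2010-12-6 196320]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-3-21 38224]
S3 amsint32;amsint32;\??\c:\windows\system32\drivers\olgsn.sys --> c:\windows\system32\drivers\olgsn.sys [?]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
"""

# DDS service/driver line: "<state> <name>;<display name>;<image path> [<date size> or ?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)\s\[([^\]]*)\]\s*$")
# MBAM registry line: "<key path> (<detection name>) -> ..."
MBAM_RE = re.compile(r"^(HKEY_\S.*?) \(([^)]+)\)(.*)$")
BAD_GOOD_RE = re.compile(r"Bad: \((\d+)\) Good: \((\d+)\)")

def triage(log_text):
    """Pull the indicators a reviewer looks for out of DDS + MBAM log text."""
    result = {"missing_image": [],    # services whose image file DDS could not find ("[?]")
              "sality_keys": [],      # registry keys MBAM attributes to Virus.Sality
              "disabled_notify": []}  # Security Center *DisableNotify values set to 1
    for line in log_text.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            state, name, _display, path, stat = m.groups()
            # DDS prints "a --> b" when the registry path differs from the resolved one; keep b.
            path = path.split("-->")[-1].strip()
            if stat.strip() == "?":
                result["missing_image"].append((state, name, path))
            continue
        m = MBAM_RE.match(line)
        if m:
            key, detection, rest = m.groups()
            if detection.startswith("Virus.Sality"):
                result["sality_keys"].append(key)
            elif detection == "PUM.Disabled.SecurityCenter":
                bg = BAD_GOOD_RE.search(rest)
                if bg and bg.group(1) == "1":
                    result["disabled_notify"].append(key.rsplit("\\", 1)[-1])
    return result

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG).items():
        print(category, hits)
```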
