# Solved: Plz anyone help me WIN 32 SALITY.NAM VIURS will destroy my pc



## ABOTALEB (Nov 14, 2007)

help me plz

this the last forum for me

my pc infected

by wmdrtc32.dll

and WIN 32 SALITY.NAM

IHAVE NOD32 ANTIVURS EVERYTIME HE CUGHT THE VIURS IPREES DELTE HE DELTE HIM THEN HE BACK AGAIN and be more danger plz anyone help

iused torjan remover and spyware nuker but noway he dont delte plz help me

and this caps


----------



## JSntgRvr (Jul 1, 2003)

Hi, *ABOTALEB* 

Welcome.

Please go to* Start*->*Run*, type *System.ini* and click Ok.

Copy and Paste the contents of the *System.ini* file in your next reply.

Also:








*Click here* to download *HJTInstall.exe*

Save *HJTInstall.exe* to your desktop.
Doubleclick on the *HJTInstall.exe* icon on your desktop.
By default it will install to *C:\Program Files\Trend Micro\HijackThis* . 
Click on *Install*.
It will create a HijackThis icon on the desktop.
Once installed, it will launch *Hijackthis*.
Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


----------



## ABOTALEB (Nov 14, 2007)

thank you very much JS for reply

that what igot from System.ini

for 16-bit app support

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[MCIDRV_VER]
DEVICEN1=84726832578
__h=1
__dr=15
[MCI_DPI32]
DRV_VER=3B5F450D52
[IDslow]
IDVer32=1591868

and that what igot from HJTInstall.exe

Logfile of HijackThis v1.99.1
Scan saved at 1:11:28 AM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Nuker\swnxt.exe
C:\Program Files\AntiARP Stand-alone Edition\AntiArp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = %USERNAME%
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
O4 - HKLM\..\Run: [AntiARPStandalone] C:\Program Files\AntiARP Stand-alone Edition\AntiArp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\WINDOWS\system32\IECatcher.DLL/FlashCatcher.htm
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\WINDOWS\system32\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\WINDOWS\system32\IECatcher.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msnmsgr.exe
O9 - Extra 'Tools' menuitem: MSN Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msnmsgr.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


----------



## JSntgRvr (Jul 1, 2003)

Hi, *ABOTALEB* 

Please run *System.ini* again. This time remove the following lines from the file and save it:

*[MCIDRV_VER]
DEVICEN1=84726832578
__h=1
__dr=15
[MCI_DPI32]
DRV_VER=3B5F450D52
[IDslow]
IDVer32=1591868*

Please download ComboFix from *Here* or *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------​
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------​

Double click on *combofix.exe* & follow the prompts.
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" * on your next reply.
***Note: Do not mouseclick combofix's window while it's running. That may cause it to stall***

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._)
Under "*Configuration and Preferences*", click the *Preferences* button.
Click the *Scanning Control* tab.
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._
_Scan for tracking cookies._
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen.
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*.
On the left, make sure you check *C:\Fixed Drive*.
On the right, under "*Complete Scan*", choose *Perform Complete Scan*.
Click "*Next*" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*".
Make sure everything has a checkmark next to it and click "*Next*".
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu.
If asked if you want to reboot, click "*Yes*".
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._
_Please copy and paste the Scan Log results in your next reply along with a Hijackthis log._

Click *Close* to exit the program.


----------



## ABOTALEB (Nov 14, 2007)

hi JS iforget to remove the follwoing lines from system.ini then iruned combofix and igot log file after that iremmberd to remove the lines from system.ini and iremoved them then runed combofix again so igot 2 log files one b4 iremove the lines from system.ini and one after iremoved them the two on attachement


also SUPERAntiSpyware Scan Log in attachment


----------



## JSntgRvr (Jul 1, 2003)

Hi, *ABOTALEB* 

Remove *Spyware Nuker* from your computer.

Please download and run the following utility:

http://72.52.136.82/sectools/sUBs/SafeBootKeyRepair.exe


*Copy the entire contents of the Quote Box * below to *Notepad*. 
Name the file as *CFScript.txt* 
Change the *Save as Type* to *All Files * 
and *Save* it on the *desktop* 



> File::
> C:\WINDOWS\system32\wmdrtc32.dll
> 
> Registry::
> ...












Once saved, referring to the picture above, drag *CFScript.txt * into *ComboFix.exe*, and post back the resulting report along with a Hijackthis log.


----------



## ABOTALEB (Nov 14, 2007)

hmm ok that will take along time?


----------



## ABOTALEB (Nov 14, 2007)

sorry icant do anything more coz pc restart automict also clock changed sorry idont know what happend ineed to know one way to know my pc infected again or what


----------



## ABOTALEB (Nov 14, 2007)

and this Hijack log file at attchment


----------



## JSntgRvr (Jul 1, 2003)

Hi, *ABOTALEB* 

The last three post are confusing. *Can you explain what the problem is?*

The computer seemed not to be able to boot in *Safe Mode*.

Please reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.
*Are you able to boot in Safe Mode now?* *Were you able to run CFScript as requested above.*

Please run* Combofix* once again and post its report.


----------



## ABOTALEB (Nov 14, 2007)

big thanks iused kapsersky and the viurs gone big thanks for your time JS


----------



## JSntgRvr (Jul 1, 2003)

Can I see a *Combofix* log?


----------



## ABOTALEB (Nov 14, 2007)

did ido new text and post

File::
C:\WINDOWS\system32\wmdrtc32.dll

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explor er\Run]
"Altap"=-
"LongClock"=-

or only run Combofix and give you the log and the clock its worth here every time itry to make it its back again worth


----------



## ABOTALEB (Nov 14, 2007)

ok idone every thing you said in your last post i done new text and and irunned combofix on safmode this combofix log om attchement

iam clear now?


----------



## JSntgRvr (Jul 1, 2003)

Hi, *ABOTALEB*. 

The log looks clear, congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK..

*Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.*

 Click *START* then *RUN*
 Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the */U*, it needs to be there.










 If the disclaimer notice is displayed, *select "2"* and press Enter

The above procedure will:
 Delete the following:
 ComboFix and its associated files and folders.
 VundoFix backups, if present
 The C:\Deckard folder, if present
 The C:_OtMoveIt folder, if present

 Reset the clock settings.
 Hide file extensions, if required.
 Hide System/Hidden files, if required.
 Set a new, clean Restore Point.

*Create a Restore point* (If the above process fails):

Click *Start*, point to *All Programs*, point to *Accessories*, point to *System Tools*, and then click *System Restore*.
In the System Restore dialog box, click *Create a restore point*, and then click *Next*. 
Type a description for your restore point, such as "After Cleanup", then click *Create*.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
*Spybot Search & Destroy *- Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

*AdAware* - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.

SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

*IE-SpyAd* - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

*CleanUP*! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

Windows Updates - It is *very important* to make sure that both Internet Explorer and Windows are kept current with *the latest critical security patches* from Microsoft. To do this just start *Internet Explorer* and select *Tools > Windows Update*, and follow the online instructions from there.

*Google Toolbar* - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

*Trillian* or *Miranda-IM* - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

*ERUNT* (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read *this* article by Tony Klein.

Click *Here* for some advise from our security Experts.

Please use the thread's Tools and mark this thread as "*Solved*".

Best wishes!


----------



## ABOTALEB (Nov 14, 2007)

THANKS JS for your help


----------

