[Not curable - Sality] How can I clean my pc from this Virus?

Lukaazz · Jun 14, 2011

Hi Guys,

i have a virus that disables me to access any Antivirus Websites , can't download or setup any antiviruses , i downloaded allot of spyware programs like ( spyware cease 2011 , SUPERAntiSpyware , Malwarebytes' Anti-Malware , Trojan remover and stopZella this ) I also Checked My host file it was clean but i deleted every entry except
127.0.0.1 localhost
I Also Downloaded ComboFix but I stopped the operation because after it downloaded Windows Recovery Console nothing happened for like 2 hours
so i stopped it. now i can't start it again or even uninstall it .
And i can't open windows in safe mode it keeps restarting itself.

[HJT log removed - Broni]

anyone have any idea ? and ah sorry for my bad English xP

Broni · Jun 14, 2011

Welcome aboard

Please, observe following rules:

Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.

If you're stuck, or you're not sure about certain step, always ask before doing anything else.

Please refrain from running tools or applying updates other than those I suggest.

Never run more than one scan at a time.

Keep updating me regarding your computer behavior, good, or bad.

The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.

If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.

I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

======================================================================

How are you actually posting, since you say, your computer keeps restarting?

Lukaazz · Jun 14, 2011

i meant it keeps restarting itself when i choose the safe mode option but i fixed that by downloading Safe Mode Repair reg file i can now access to safe mode .
so what do you recommend me to do and is my computer badly infected ?

Broni · Jun 14, 2011

Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.
Complete as many steps, as you can.

Lukaazz · Jun 15, 2011

Thanks for your attention Bro , i followed all the steps listed on there and here they are the 3 Logs

hope you tell me something usefull

Mawarebytes' Anti-malware log

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6863

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/15/2011 10:56:13 AM
mbam-log-2011-06-15 (10-56-13).txt

Scan type: Quick scan
Objects scanned: 134745
Time elapsed: 9 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Gmer log

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-15 11:49:12
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BB-00JHC0 rev.05.01C05
Running: l9yur9mk.exe; Driver: C:\DOCUME~1\luuk\LOCALS~1\Temp\pxqcykob.sys

---- System - GMER 1.0.15 ----

SSDT F7E74446 ZwCreateKey
SSDT F7E7443C ZwCreateThread
SSDT F7E7444B ZwDeleteKey
SSDT F7E74455 ZwDeleteValueKey
SSDT F7E7445A ZwLoadKey
SSDT F7E74428 ZwOpenProcess
SSDT F7E7442D ZwOpenThread
SSDT F7E74464 ZwReplaceKey
SSDT F7E7445F ZwRestoreKey
SSDT F7E74450 ZwSetValueKey

---- Kernel code sections - GMER 1.0.15 ----

? hhxcpoec.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

DDS log

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by luuk at 11:54:58 on 2011-06-15
Microsoft Windows XP Professional 5.1.2600.3.1256.20.1033.18.479.81 [GMT -7:00]
.
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{4D6209EB-E820-4155-8C94-AEE85901B430} : DhcpNameServer = 192.168.2.1
SecurityProviders: msapsspc.dll, schannel.dll, credssp.dll, digest.dll, msnsspc.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [2011-3-13 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [2011-3-13 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [2011-3-13 13616]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-6-15 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-6-15 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-6-15 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-6-15 61960]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-15 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-15 22712]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-15 39984]
.
=============== Created Last 30 ================
.
2011-06-15 17:42:10 -------- d-----w- c:\documents and settings\luuk\application data\Malwarebytes
2011-06-15 17:41:57 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-15 17:41:51 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-15 17:41:46 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-15 17:41:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-15 15:22:55 -------- d-----w- c:\windows\system32\NtmsData
2011-06-15 15:20:51 -------- d-----w- c:\documents and settings\luuk\application data\Avira
2011-06-15 14:41:30 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-15 14:41:28 -------- d-----w- c:\program files\Avira
2011-06-15 14:41:28 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-06-15 14:23:04 -------- d-----w- c:\documents and settings\luuk\local settings\application data\bdch
2011-06-14 18:32:57 -------- d-----w- c:\program files\MSSOAP
2011-06-14 17:35:02 -------- d-----w- c:\documents and settings\luuk\application data\QuickScan
2011-06-14 17:34:01 -------- d-----w- c:\program files\common files\BitDefender
2011-06-14 17:33:32 414074 ----a-w- c:\documents and settings\all users\application data\bdinstall.bin
2011-06-14 15:23:22 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
2011-06-14 15:23:22 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
2011-06-14 15:23:21 577536 ----a-w- c:\windows\soundman.exe
2011-06-14 15:23:21 49152 ----a-w- c:\windows\system32\ChCfg.exe
2011-06-14 15:23:21 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
2011-06-14 15:23:20 18804736 ----a-w- c:\windows\system32\alsndmgr.cpl
2011-06-14 15:22:07 -------- d-----w- c:\program files\Realtek AC97
2011-06-14 15:22:03 315392 ----a-w- c:\windows\alcupd.exe
2011-06-14 15:22:03 217088 ----a-w- c:\windows\Alcrmv.exe
2011-06-14 15:17:52 3583 ----a-w- c:\windows\SiSport.sys
2011-06-14 15:17:52 32768 ----a-w- c:\windows\SIS_LIB.DLL
2011-06-14 15:17:50 36992 ----a-r- c:\windows\system32\drivers\SISAGPX.SYS
2011-06-14 15:17:50 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-06-14 15:17:35 304128 ----a-w- c:\windows\IsUninst.exe
2011-06-14 15:17:33 -------- d-----w- c:\documents and settings\luuk\WINDOWS
2011-06-14 15:13:58 5376 -c--a-w- c:\windows\system32\dllcache\mspclock.sys
2011-06-14 15:13:58 5376 ----a-w- c:\windows\system32\drivers\MSPCLOCK.sys
2011-06-14 15:13:43 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2011-06-14 15:13:43 4096 ----a-w- c:\windows\system32\ksuser.dll
2011-06-14 15:13:43 146048 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2011-06-14 15:13:43 146048 ----a-w- c:\windows\system32\drivers\portcls.sys
2011-06-14 15:13:43 129536 ----a-w- c:\windows\system32\ksproxy.ax
2011-06-14 15:13:42 60160 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2011-06-14 15:13:42 60160 ----a-w- c:\windows\system32\drivers\drmk.sys
2011-06-14 15:12:55 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\ctor.dll
2011-06-14 15:12:55 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iscript.dll
2011-06-14 15:12:55 204800 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iuser.dll
2011-06-14 15:12:54 757760 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iKernel.dll
2011-06-14 15:12:54 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\DotNetInstaller.exe
2011-06-14 15:12:45 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\setup.dll
2011-06-14 15:12:45 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iGdi.dll
2011-06-14 15:11:08 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2011-06-14 15:07:43 184320 ------w- c:\windows\system32\SiSApCom.dll
2011-06-14 15:07:43 110592 ------w- c:\windows\system32\TVMode.dll
2011-06-14 15:07:16 331776 ----a-w- c:\windows\system32\sistray.exe
2011-06-14 15:07:14 -------- d-----w- c:\windows\SiS
2011-06-14 15:02:32 -------- d-sh--w- c:\documents and settings\luuk\IECompatCache
2011-06-14 15:01:19 -------- d-sh--w- c:\documents and settings\luuk\PrivacIE
.
==================== Find3M ====================
.
.
============= FINISH: 11:56:24.85 ===============

attach log

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-12.02)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/14/2011 7:42:47 AM
System Uptime: 6/15/2011 10:58:16 AM (1 hours ago)
.
Motherboard: | | SiS-661
Processor: Intel(R) Celeron(R) CPU 2.66GHz | Socket 478 | 2667/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 20 GiB total, 15.48 GiB free.
D: is FIXED (NTFS) - 55 GiB total, 13.094 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Parallel Port
Device ID: PCI\VEN_10B9&DEV_5458&SUBSYS_54582002&REV_00\3&61AAA01&0&48
Manufacturer:
Name: PCI Parallel Port
PNP Device ID: PCI\VEN_10B9&DEV_5458&SUBSYS_54582002&REV_00\3&61AAA01&0&48
Service:
.
==== System Restore Points ===================
.
RP1: 6/14/2011 8:00:08 AM - System Checkpoint
RP2: 6/14/2011 8:13:13 AM - Installed Realtek AC'97 Audio
RP3: 6/14/2011 8:20:17 AM - Removed Realtek AC'97 Audio
RP4: 6/14/2011 8:22:02 AM - Installed Realtek AC'97 Audio
RP5: 6/15/2011 9:13:25 AM - System Checkpoint
.
==== Installed Programs ======================
.
Avira AntiVir Personal - Free Antivirus
Malwarebytes' Anti-Malware version 1.51.0.1200
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft SOAP Toolkit 3.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Realtek AC'97 Audio
SiS VGA Utilities
WebFldrs XP
.
==== Event Viewer Messages From Past Week ========
.
6/15/2011 7:25:32 AM, error: Service Control Manager [7034] - The BitDefender Virus Shield service terminated unexpectedly. It has done this 1 time(s).
6/15/2011 11:09:21 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
6/15/2011 11:00:18 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: uagp35
6/15/2011 10:58:49 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
6/14/2011 7:43:26 AM, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.
6/14/2011 10:35:02 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
6/14/2011 10:35:02 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\luuk\LOCALS~1\Temp\bdtempdir01\quar.dll. Reference error message: The operation completed successfully. .
6/14/2011 10:35:02 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
6/14/2011 10:33:54 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\luuk\LOCALS~1\Temp\bdtempdir01\bdfltdp.dll. Reference error message: The operation completed successfully. .
.
==== End Of File ===========================

Broni · Jun 15, 2011

I'm afraid I have very bad news.

You are infected with a polymorphic file infector (Sality). This infection can and will infect all the machine's executable files .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.

Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain following files:
*.exe
*.scr
*.htm
*.html
*.xml
*.zip
*.rar
*.doc
*.jpg
*.pdf

Backup all your documents and important items only.
DO NOT backup any files mentioned above.

I suggest you do the following immediately:

* Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
* From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
* DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

For more information on Virut, and why you need to reformat, have a read of miekiemoes blog here.

To find out how to carry out an XP Reformat and Reinstall, please see this page. If you are using Vista, then check this page instead.

Once you have reformatted and reinstalled Windows, have a look at this page for some useful tips on staying clean, along with links to some freeware to help.

To find out more information about how you may have got infected in the first place, you can read this article.

I am sorry I cannot give any better news.

TechSpot

[Not curable - Sality] How can I clean my pc from this Virus?

Lukaazz Newcomer, in training

Broni Malware Annihilator

Lukaazz Newcomer, in training

Attached Files:

hijackthis.log

Broni Malware Annihilator

Lukaazz Newcomer, in training

Broni Malware Annihilator