TechSpot

[Not curable - Sality] How can I clean my pc from this Virus?

By Lukaazz
Jun 14, 2011
  1. Hi Guys,

    I have a virus that stops me from accessing any antivirus websites; I can't download or set up any antivirus programs. I downloaded a lot of spyware programs like (Spyware Cease 2011, SUPERAntiSpyware, Malwarebytes' Anti-Malware, Trojan Remover and StopZilla). I also checked my hosts file; it was clean, but I deleted every entry except
    127.0.0.1 localhost
    I also downloaded ComboFix, but I stopped the operation because after it downloaded the Windows Recovery Console nothing happened for about 2 hours,
    so I stopped it. Now I can't start it again or even uninstall it.
    And I can't open Windows in Safe Mode; it keeps restarting itself.

    [HJT log removed - Broni]

    Anyone have any idea? And ah, sorry for my bad English xP
     
  2. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ======================================================================

    How are you actually posting, since you say your computer keeps restarting?
     
  3. Lukaazz

    Lukaazz TS Rookie Topic Starter

    I meant it keeps restarting itself when I choose the Safe Mode option, but I fixed that by downloading a Safe Mode repair .reg file; I can now access Safe Mode.
    So what do you recommend I do, and is my computer badly infected?
     

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.
    Complete as many steps as you can.
     
  5. Lukaazz

    Lukaazz TS Rookie Topic Starter

    Thanks for your attention, Bro. I followed all the steps listed there, and here are the 3 logs.

    Hope you can tell me something useful.

    Malwarebytes' Anti-Malware log



    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6863

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    6/15/2011 10:56:13 AM
    mbam-log-2011-06-15 (10-56-13).txt

    Scan type: Quick scan
    Objects scanned: 134745
    Time elapsed: 9 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    Gmer log




    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit scan 2011-06-15 11:49:12
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BB-00JHC0 rev.05.01C05
    Running: l9yur9mk.exe; Driver: C:\DOCUME~1\luuk\LOCALS~1\Temp\pxqcykob.sys


    ---- System - GMER 1.0.15 ----

    SSDT F7E74446 ZwCreateKey
    SSDT F7E7443C ZwCreateThread
    SSDT F7E7444B ZwDeleteKey
    SSDT F7E74455 ZwDeleteValueKey
    SSDT F7E7445A ZwLoadKey
    SSDT F7E74428 ZwOpenProcess
    SSDT F7E7442D ZwOpenThread
    SSDT F7E74464 ZwReplaceKey
    SSDT F7E7445F ZwRestoreKey
    SSDT F7E74450 ZwSetValueKey

    ---- Kernel code sections - GMER 1.0.15 ----

    ? hhxcpoec.sys The system cannot find the file specified. !

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----




    DDS log


    .
    DDS (Ver_2011-06-12.02) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by luuk at 11:54:58 on 2011-06-15
    Microsoft Windows XP Professional 5.1.2600.3.1256.20.1033.18.479.81 [GMT -7:00]
    .
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    TCP: DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{4D6209EB-E820-4155-8C94-AEE85901B430} : DhcpNameServer = 192.168.2.1
    SecurityProviders: msapsspc.dll, schannel.dll, credssp.dll, digest.dll, msnsspc.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [2011-3-13 13616]
    R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [2011-3-13 5632]
    R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [2011-3-13 13616]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-6-15 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-6-15 136360]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-6-15 269480]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-6-15 61960]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-15 366640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-15 22712]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-15 39984]
    .
    =============== Created Last 30 ================
    .
    2011-06-15 17:42:10 -------- d-----w- c:\documents and settings\luuk\application data\Malwarebytes
    2011-06-15 17:41:57 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-15 17:41:51 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-06-15 17:41:46 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-15 17:41:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-15 15:22:55 -------- d-----w- c:\windows\system32\NtmsData
    2011-06-15 15:20:51 -------- d-----w- c:\documents and settings\luuk\application data\Avira
    2011-06-15 14:41:30 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-06-15 14:41:28 -------- d-----w- c:\program files\Avira
    2011-06-15 14:41:28 -------- d-----w- c:\documents and settings\all users\application data\Avira
    2011-06-15 14:23:04 -------- d-----w- c:\documents and settings\luuk\local settings\application data\bdch
    2011-06-14 18:32:57 -------- d-----w- c:\program files\MSSOAP
    2011-06-14 17:35:02 -------- d-----w- c:\documents and settings\luuk\application data\QuickScan
    2011-06-14 17:34:01 -------- d-----w- c:\program files\common files\BitDefender
    2011-06-14 17:33:32 414074 ----a-w- c:\documents and settings\all users\application data\bdinstall.bin
    2011-06-14 15:23:22 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
    2011-06-14 15:23:22 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
    2011-06-14 15:23:21 577536 ----a-w- c:\windows\soundman.exe
    2011-06-14 15:23:21 49152 ----a-w- c:\windows\system32\ChCfg.exe
    2011-06-14 15:23:21 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
    2011-06-14 15:23:20 18804736 ----a-w- c:\windows\system32\alsndmgr.cpl
    2011-06-14 15:22:07 -------- d-----w- c:\program files\Realtek AC97
    2011-06-14 15:22:03 315392 ----a-w- c:\windows\alcupd.exe
    2011-06-14 15:22:03 217088 ----a-w- c:\windows\Alcrmv.exe
    2011-06-14 15:17:52 3583 ----a-w- c:\windows\SiSport.sys
    2011-06-14 15:17:52 32768 ----a-w- c:\windows\SIS_LIB.DLL
    2011-06-14 15:17:50 36992 ----a-r- c:\windows\system32\drivers\SISAGPX.SYS
    2011-06-14 15:17:50 -------- d-----w- c:\windows\system32\ReinstallBackups
    2011-06-14 15:17:35 304128 ----a-w- c:\windows\IsUninst.exe
    2011-06-14 15:17:33 -------- d-----w- c:\documents and settings\luuk\WINDOWS
    2011-06-14 15:13:58 5376 -c--a-w- c:\windows\system32\dllcache\mspclock.sys
    2011-06-14 15:13:58 5376 ----a-w- c:\windows\system32\drivers\MSPCLOCK.sys
    2011-06-14 15:13:43 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
    2011-06-14 15:13:43 4096 ----a-w- c:\windows\system32\ksuser.dll
    2011-06-14 15:13:43 146048 -c--a-w- c:\windows\system32\dllcache\portcls.sys
    2011-06-14 15:13:43 146048 ----a-w- c:\windows\system32\drivers\portcls.sys
    2011-06-14 15:13:43 129536 ----a-w- c:\windows\system32\ksproxy.ax
    2011-06-14 15:13:42 60160 -c--a-w- c:\windows\system32\dllcache\drmk.sys
    2011-06-14 15:13:42 60160 ----a-w- c:\windows\system32\drivers\drmk.sys
    2011-06-14 15:12:55 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\ctor.dll
    2011-06-14 15:12:55 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iscript.dll
    2011-06-14 15:12:55 204800 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iuser.dll
    2011-06-14 15:12:54 757760 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iKernel.dll
    2011-06-14 15:12:54 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\DotNetInstaller.exe
    2011-06-14 15:12:45 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\setup.dll
    2011-06-14 15:12:45 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iGdi.dll
    2011-06-14 15:11:08 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
    2011-06-14 15:07:43 184320 ------w- c:\windows\system32\SiSApCom.dll
    2011-06-14 15:07:43 110592 ------w- c:\windows\system32\TVMode.dll
    2011-06-14 15:07:16 331776 ----a-w- c:\windows\system32\sistray.exe
    2011-06-14 15:07:14 -------- d-----w- c:\windows\SiS
    2011-06-14 15:02:32 -------- d-sh--w- c:\documents and settings\luuk\IECompatCache
    2011-06-14 15:01:19 -------- d-sh--w- c:\documents and settings\luuk\PrivacIE
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 11:56:24.85 ===============



    attach log



    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-12.02)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/14/2011 7:42:47 AM
    System Uptime: 6/15/2011 10:58:16 AM (1 hours ago)
    .
    Motherboard: | | SiS-661
    Processor: Intel(R) Celeron(R) CPU 2.66GHz | Socket 478 | 2667/133mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 20 GiB total, 15.48 GiB free.
    D: is FIXED (NTFS) - 55 GiB total, 13.094 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Parallel Port
    Device ID: PCI\VEN_10B9&DEV_5458&SUBSYS_54582002&REV_00\3&61AAA01&0&48
    Manufacturer:
    Name: PCI Parallel Port
    PNP Device ID: PCI\VEN_10B9&DEV_5458&SUBSYS_54582002&REV_00\3&61AAA01&0&48
    Service:
    .
    ==== System Restore Points ===================
    .
    RP1: 6/14/2011 8:00:08 AM - System Checkpoint
    RP2: 6/14/2011 8:13:13 AM - Installed Realtek AC'97 Audio
    RP3: 6/14/2011 8:20:17 AM - Removed Realtek AC'97 Audio
    RP4: 6/14/2011 8:22:02 AM - Installed Realtek AC'97 Audio
    RP5: 6/15/2011 9:13:25 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Avira AntiVir Personal - Free Antivirus
    Malwarebytes' Anti-Malware version 1.51.0.1200
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft SOAP Toolkit 3.0
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Realtek AC'97 Audio
    SiS VGA Utilities
    WebFldrs XP
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/15/2011 7:25:32 AM, error: Service Control Manager [7034] - The BitDefender Virus Shield service terminated unexpectedly. It has done this 1 time(s).
    6/15/2011 11:09:21 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    6/15/2011 11:00:18 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: uagp35
    6/15/2011 10:58:49 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    6/14/2011 7:43:26 AM, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.
    6/14/2011 10:35:02 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    6/14/2011 10:35:02 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\luuk\LOCALS~1\Temp\bdtempdir01\quar.dll. Reference error message: The operation completed successfully. .
    6/14/2011 10:35:02 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    6/14/2011 10:33:54 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\luuk\LOCALS~1\Temp\bdtempdir01\bdfltdp.dll. Reference error message: The operation completed successfully. .
    .
    ==== End Of File ===========================
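As an added example (not part of the thread, and not Malwarebytes' own code), here is a small Python parser for the MBAM 1.x text log format pasted above. The sample log embedded in it is constructed from the detection lines in this thread; the function names and the triage categories are my own. It separates MBAM's summary counts from the per-section detection lines, extracts the Bad/Good values for registry data items, and summarises the two findings that matter for triage here: the three Security Center DisableNotify values that were set to 1 (which is why the user received no warning that protection was off) and the amsint32 service key used for persistence. It also flags any section whose listed lines disagree with the summary count, which is a common sign of a truncated paste.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log (the format posted above)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the summary counts and detection lines are copied from the
# MBAM log in this thread; unrelated header lines are omitted.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.0.1200
Database version: 6863
Scan type: Quick scan

Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 3
Files Infected: 0

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""


@dataclass(frozen=True)
class Detection:
    section: str                 # e.g. "Registry Keys Infected"
    item: str                    # registry path or file path MBAM flagged
    name: str                    # MBAM detection name, e.g. "Virus.Sality"
    action: str                  # what MBAM reports it did with the item
    bad: Optional[str] = None    # registry data items only: the value found...
    good: Optional[str] = None   # ...and the value MBAM restored


# "Registry Keys Infected: 2" is a summary count; "Registry Keys Infected:" opens a section.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
DATA_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    """Return MBAM's own summary counts and every detection line, tagged with its section."""
    counts: Dict[str, int] = {}
    found: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is None:
                section = m.group("section")
            else:
                counts[m.group("section")] = int(m.group("count"))
            continue
        if section is None or line.startswith("("):   # header, or "(No malicious items detected)"
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        bad = good = None
        action = m.group("rest")
        d = DATA_RE.match(action)
        if d:   # "Bad: (1) Good: (0) -> <action>" form used for registry data items
            bad, good, action = d.group("bad"), d.group("good"), d.group("action")
        found.append(Detection(section, m.group("item"), m.group("name"), action, bad, good))
    return counts, found


def triage(text: str) -> Dict[str, list]:
    """Summarise families, Security Center tampering, service persistence and anything left uncleaned."""
    counts, found = parse_mbam_log(text)
    per_section: Dict[str, int] = {}
    for d in found:
        per_section[d.section] = per_section.get(d.section, 0) + 1

    def leaf(d: Detection) -> str:          # last path component of the flagged item
        return d.item.rsplit("\\", 1)[-1]

    return {
        "families": sorted({d.name for d in found}),
        # Sections where MBAM's count disagrees with the lines actually listed (truncated paste?)
        "count_mismatch": sorted(s for s, n in counts.items() if n != per_section.get(s, 0)),
        # *DisableNotify = 1 under Security Center silences the "AV / firewall / updates are off" alerts
        "security_center_notify_disabled": sorted(
            leaf(d) for d in found if "\\security center\\" in d.item.lower() and d.bad == "1"),
        # Services\<name> keys are driver/service persistence; the LEGACY_ key under Enum\Root mirrors it
        "service_keys": sorted(
            leaf(d).lower() for d in found if "\\currentcontrolset\\services\\" in d.item.lower()),
        "not_remediated": sorted(d.item for d in found if "successfully" not in d.action.lower()),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a pasted log file instead of the constructed sample by reading the file into `triage()`; anything that lands in `not_remediated` or `count_mismatch` is what to ask the poster about before deciding the scan was complete.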
     
  6. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    I'm afraid I have very bad news.

    You are infected with a polymorphic file infector (Sality). This infection can and will infect all the machine's executable files: .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine.

    Malware experts say that a complete reformat and reinstall is the only way to clean the infection. This includes all drives that contain the following files:
    *.exe
    *.scr
    *.htm
    *.html
    *.xml
    *.zip
    *.rar
    *.doc
    *.jpg
    *.pdf

    Backup all your documents and important items only.
    DO NOT backup any files mentioned above.

    I suggest you do the following immediately:

    * Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    * From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
    * DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

    For more information on Virut, and why you need to reformat, have a read of miekiemoes' blog here.

    To find out how to carry out an XP Reformat and Reinstall, please see this page. If you are using Vista, then check this page instead.

    Once you have reformatted and reinstalled Windows, have a look at this page for some useful tips on staying clean, along with links to some freeware to help.

    To find out more information about how you may have got infected in the first place, you can read this article.

    I am sorry I cannot give any better news.
     
Topic Status:
Not open for further replies.

