Task manager, registry, command prompt close immediately

Resolved
By nidhish007
Aug 19, 2010
Topic Status:
Not open for further replies.
  1. Hello respected members of this forum, please help me with my issue. When I try to open Task Manager
    or the Registry, it closes immediately as I open it.
    I tried to reinstall Windows but the problem is as it is, increasing day by day.
    The virus is taking control over all administrative controls.
    Help me please, as I don't want to zero-format my PC.

  2. Bobbye (Helper on the Fringe)

    Welcome to TechSpot. I am reviewing your files now and will be back shortly.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. Bobbye (Helper on the Fringe)

    You have an unusual system! Can you tell me what 'Directory' you attempted to use to reinstall?
    You haven't got any Services or drivers running except Avira, and AVG is still running. There are 6 hard drives showing; are they partitions?

    Please either uninstall uTorrent or take it off of startup. Do not use it while I am helping you clean the system.

    I'd like you to try and run the following 2 programs:
    Important: when you start Combofix, if you do not have a Recovery Console installed, you will be given the chance to install it. If you are asked to do it, please be sure to go ahead with it. You need this on the system.

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
       NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
       Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    ==========================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
  4. nidhish007 (Topic Starter)

    Hello sir, thanks for your reply.
    I formatted the C drive (the partition containing the OS).
    Actually I have 6 partitions because I have two hard drives installed, with three partitions each.
    I am sorry for the late reply. I will post both log files shortly.
  5. nidhish007 (Topic Starter)

    I am uploading both the log files you asked for.
    I hope I get your reply soon.

  6. Bobbye (Helper on the Fringe)

    You have a very bad malware infection on 3 of these drives: the E, G and H drives. It's called the Sality virus. Sality is a family of file infecting viruses that spread by infecting exe and scr files. The virus also includes an autorun worm component that allows it to spread to any removable or discoverable drive. In addition, Sality includes a downloader Trojan component that installs additional malware via the Web.

    Because of the extent of this, I would like you to do the following online special scan for the Virut Malware:

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    Also scan these,

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe


    Virut is a Polymorphic File Infector that infects .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine.
    It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.


    Good explanation here:
    http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

    The Sality family has almost the same characteristics and I suspect you will end up having to completely reformat and reinstall. But I'll know more after I see the scan results.

    You are actively using uTorrent. Stay away from file sharing. Not only are you vulnerable, but files on your system that you are sharing are most probably infected. This is not something you want to pass on.

    I also notice these in the Combofix log. Do you know what they are? All from the same date, 2010-08-17 04:48:
    c:\windows\java\Packages\Data\9FVPF9B3.DAT
    c:\windows\java\Packages\OTB5FZBL.ZIP
    c:\windows\java\Packages\Data\1VXR17BP.DAT
    c:\windows\java\Packages\Data\FBR7NZ1R.DAT
    c:\windows\java\Packages\Data\IGFFHF5R.DAT
    c:\windows\java\Packages\Data\GHFDFJL3.DAT
    c:\windows\java\Packages\Data\ADB77BNR.DAT


    I also see this Directory in Combofix: C:\Sharekhan which appears to be the Sharekhan Online Share Trading Portal in India. This is from 8/17/2010 also. Do not use this program now.
  7. nidhish007 (Topic Starter)

    Here I am uploading the VirSCAN log files.

  8. Bobbye (Helper on the Fringe)

    Okay, it's not Virut. But I don't think that's going to make much difference. Go ahead and run the following and leave the log it produces. The infection is in the Chkdsk:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes
      :Services
      :Reg
      :Files
      E:\Angel PDA.exe
      G:\FOUND.002\FILE3253.CHK
      G:\FOUND.002\FILE3664.CHK
      G:\FOUND.002\FILE3835.CHK
      G:\FOUND.002\FILE4044.CHK
      H:\Installers\Angel PDA
      H:\Installers\ccproxysetup.exe
      H:\Installers\flvplayer_setup.exe
      H:\Installers\install_flash_player.exe
      H:\Installers\IPhone SW\ccproxysetup.exe

      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    I'll see what this returns before setting up any script. From what I've seen in Combofix, most of what's there would need to be removed! Understand that your chances of getting these drives clean are very low and you will most likely require a full reformat and clean install.

    I highly recommend that you do not do any installing or file sharing with this system at this point. Do not attempt a System restore as the infection is also in the restore points.
  9. nidhish007 (Topic Starter)

    Are you asking me to format all 6 drives?
    Sir, my PC has some important data that I don't want to lose at any cost, like pics and some other things. At this point, if I move any file to any other removable drive then it is going to get infected too. Please help me out so I can get my pics out; only then can I do a zero-level format, if that's the only way to remove that virus.

  10. Bobbye (Helper on the Fringe)

    I think it is likely that you infected the other drives or partitions by moving files and folders around. We try to encourage users to back up their important files before they have malware. The malware you have steals information like passwords, financial data and the like.

    Please shut the system down because I want you to reboot and run a scan with Eset again. But I don't want you to use Restart. Close any open Windows or programs, including email, then click on Start> Shut Down and take the system completely down. Wait a minute or two to make sure everything shuts down properly, then reboot the computer.

    When it has finished the startup, run the Eset scan again and post the log:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    The Ask Toolbar and Ask.com has almost taken over the system- you even have it scheduled to update. This usually comes bundled with other programs and is often pre-checked on a download site.

    You opened a Directory for Sharekhan on 2010-08-17 04:58. This is an Online Share Trading Portal in India, Stock Brokers Company in India.
    Two days later you downloaded uTorrent 2010-08-19 13:57: and then got data from it.
    2010-08-19 13:57: c:\documents and settings\nidhish\Application Data\uTorrent

    Your first log was posted on 8/20/2010 12:56:57 PM: mbam-log.txt.
  11. nidhish007 (Topic Starter)

    Sir,
    I removed the Ask toolbar, and yes, Sharekhan is a trading portal in India.
    This scan found 14 threats, and Avira is also giving notifications on two threats. Please tell me what to do,
    as you asked me not to remove anything until you tell me to do so.

  12. Bobbye (Helper on the Fringe)

    I wanted you to run the antivirus scan to help you understand that your system is not cleanable. Entries that were removed previously are showing again because of the malware:
    H:\Installers\Angel PDA.exe
    H:\Installers\flvplayer_setup.exe
    H:\Installers\install_flash_player.exe
    H:\Installers\antivirus\New Folder\Norton Antivirus 2009 Download Now #KEYGEN INSIDE#.zip
    H:\Installers\VNC and VMVare\tightvnc-1.2.9-setup.exe


    What also shows in the new log, is that you attempted to pirate Norton Antivirus 2009.
    And you also now have H:\Installers\VNC and VMVare\tightvnc-1.2.9-setup.exe which is considered Riskware, a potentially unwanted program

    While it's true that some of them can be identified and can be killed, the action of the Backdoor Trojan can enable the computer to be accessed and controlled remotely, the purpose of the backdoor being to bypass normal authentication procedures. Because of the auto-run feature, it will run every time you start up the computer.

    The Sality malware has so compromised your system that the only course of action would be a Complete Reformat and Reinstall. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.
    NOTE:
    • Backup all your documents and important items only.
    • DON'T backup any executable files (.exe, .scr, .html or .htm)
    • DON'T back up compressed files (zip/cab/rar) that may contain .exe or .scr files

    And the fact that you are participating in file sharing, means you are putting all those you 'share' with at risk.
    Consider this: A 'Cracker' is sitting at your keyboard- there’s almost no limit to what they can do.

    You will find excellent reformat/reinstall instructions here: the choice is yours:
    http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html
  13. nidhish007 (Topic Starter)

    Can I take a backup of JPEGs, videos and MP3s? What if the backup files get infected too?
  14. Bobbye (Helper on the Fringe)

    If you backup files that are clean and then return them to the computer after the reformat/reinstall, they should be okay. But if any of the files you back up are infected and you return them to the system, they can reinfect the system. And if you return clean files to a system that is still infected, chances are high they could become infected.

    The time to backup has always been when a system is clean. Backing up after a malware infection, especially the one you have, comes with risks.
  15. nidhish007 (Topic Starter)

    Can I take a backup of files like JPEGs from the H drive? There are some family pics that I don't want to lose. Give some suggestions on how to make a backup.
  16. Bobbye (Helper on the Fringe)

    I moved these files from the H drive that were in the first Eset scan:
    H:\Installers\Angel PDA
    H:\Installers\ccproxysetup.exe
    H:\Installers\flvplayer_setup.exe
    H:\Installers\install_flash_player.exe
    H:\Installers\IPhone SW\ccproxysetup.exe

    Additionally, I moved the following from the other drives:
    E:\Angel PDA.exe
    G:\FOUND.002\FILE3253.CHK
    G:\FOUND.002\FILE3664.CHK
    G:\FOUND.002\FILE3835.CHK
    G:\FOUND.002\FILE4044.CHK

    All were successfully moved.

    The second Eset online scan shows the following, all on the H drive:
    H:\Installers\Angel PDA.exe>> infected file, again
    H:\Installers\flvplayer_setup.exe>> infected file, again
    H:\Installers\install_flash_player.exe>> infected file, again
    H:\Installers\antivirus\New Folder\Norton Antivirus 2009 Download Now #KEYGEN INSIDE#.zip>> pirated antivirus program, infected.
    H:\Installers\VNC and VMVare\tightvnc-1.2.9-setup.exe>> new .exe file


    Set up a folder for what you want to save. Put it all in a folder, then do a right click on the folder> Send to Desktop (Compressed). Move the folder to a flash drive, if there is one you know isn't infected, or a CD.

    After you reformat/reinstall, run an antivirus scan on the folder before you put it back into the system.

    I cannot guarantee these files are clean. But if you do not handle this problem soon, the system will likely become unbootable. The longer you wait, the more times you boot, the more files will become infected and your vulnerability becomes greater.

    You put a pirated antivirus program on the system also and cannot count on it for any added protection.
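The helper's advice in posts 6, 12 and 16 comes down to three rules: Sality infects .exe and .scr files and plants autorun.inf on every drive it can reach, so never carry executables or archives across, and only bring back plain data such as pictures and music. The script below is an added example of how to apply those rules mechanically before copying anything off a drive; it is not code from the thread or from any tool mentioned in it. The allowlist, the magic-byte table and the sample drive layout are my own constructions (the file names only echo the ones discussed above), and the check is deliberately stricter than an extension filter: a file named .jpg whose first bytes are a DOS/PE header is flagged rather than copied, because renaming is exactly how an infected installer ends up in a "pictures" folder.

```python
"""Triage a data drive before backing it up after a Sality-style outbreak.

Added example, not code from the thread or from any tool named in it. The
allowlist, the magic-byte table and the sample drive layout below are all
constructed for illustration; the file names only echo the ones discussed.
"""
import os
import tempfile

# Types the helper said never to carry across, plus a few common siblings.
NEVER_BACKUP = {".exe", ".scr", ".com", ".dll", ".pif", ".cab",
                ".htm", ".html", ".zip", ".rar"}

# Allowlisted media types: extension -> (offset, expected bytes) signatures.
MAGIC = {
    ".jpg":  [(0, b"\xff\xd8\xff")],
    ".jpeg": [(0, b"\xff\xd8\xff")],
    ".png":  [(0, b"\x89PNG\r\n\x1a\n")],
    ".gif":  [(0, b"GIF87a"), (0, b"GIF89a")],
    ".mp3":  [(0, b"ID3"), (0, b"\xff\xfb"), (0, b"\xff\xf3"), (0, b"\xff\xf2")],
    ".mp4":  [(4, b"ftyp")],           # ISO media: 'ftyp' box follows a 4-byte size
}
PE_MAGIC = b"MZ"                        # DOS/PE header every Windows .exe/.scr carries

def classify(path):
    """Return 'copy', 'skip', 'review', 'suspicious' or 'autorun' for one file."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if name == "autorun.inf":
        return "autorun"               # the worm component plants one per drive
    if ext in NEVER_BACKUP:
        return "skip"                  # infectable, or may contain infectables
    if ext not in MAGIC:
        return "review"                # unknown data type: look at it by hand
    with open(path, "rb") as f:
        head = f.read(16)
    if head.startswith(PE_MAGIC):
        return "suspicious"            # an executable wearing a media extension
    if any(head[off:off + len(sig)] == sig for off, sig in MAGIC[ext]):
        return "copy"
    return "suspicious"                # extension and content disagree

def triage(root):
    """Walk root and bucket every file; paths are relative, '/'-separated, sorted."""
    report = {k: [] for k in ("copy", "skip", "review", "suspicious", "autorun")}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            report[classify(full)].append(rel)
    for bucket in report.values():
        bucket.sort()
    return report

def build_sample_tree():
    """Create a constructed stand-in for an infected data drive; return its path."""
    root = tempfile.mkdtemp(prefix="hdrive_")
    layout = {
        "Pics/family.jpg":                b"\xff\xd8\xff\xe0" + b"\x00" * 12,
        "Pics/holiday.png":               b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "Music/song.mp3":                 b"ID3\x03\x00" + b"\x00" * 11,
        "Video/clip.mp4":                 b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 4,
        "Installers/ccproxysetup.exe":    b"MZ\x90\x00" + b"\x00" * 12,
        "Installers/flvplayer_setup.scr": b"MZ\x90\x00" + b"\x00" * 12,
        "Installers/tools.zip":           b"PK\x03\x04" + b"\x00" * 12,
        "Pics/cute.jpg":                  b"MZ\x90\x00" + b"\x00" * 12,  # renamed .exe
        "autorun.inf":                    b"[autorun]\r\nopen=RECYCLER\\x.exe\r\n",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    for bucket, files in triage(build_sample_tree()).items():
        print(bucket.upper())
        for rel in files:
            print("   ", rel)
```

Only the "copy" bucket goes into the compressed folder the helper describes; "suspicious" and "autorun" entries are left behind, and "review" is for types the table does not know. Run the triage from a clean boot (a live CD, or the drive attached read-only to a known-clean machine) rather than from the infected Windows install, since the running infector will touch any executable it can reach while you are copying, and, as post 16 says, still scan the restored folder with an up-to-date antivirus after the reinstall. The magic-byte check catches a renamed executable, not a media file that is malicious in its own right; that is outside what Sality does, but it is why the final scan is not optional.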