W32 sality

Hi :

Highly unusual for Adobe Reader to be a "Running Process", as indicated in your
HijackThis log . This MAY be the Source of your infection because Researchers found a new hackertoolkit that uses nothing but Adobe securityleaks in order to infect systems. "PDF Xploit Pack" ( http://www.trustedsource.org/blog/15...e-PDF-Exploits )adds all kind of exploits to PDF-files. When a certain exploit has successfully infected the OS, the IP address is sent to the attackers, so they need to try again. This to reduce the time it takes to manage the bots.

Use of PDF-files is becoming more and more popular amongst malcreants, this because other toolkits also have PDF exploits now. A year ago only 3% of the exploits were PDF directed.

After uninstalling Adobe, seriously consider using the safer "Foxit Reader" .

i uninstall adobe reader but it does not solve my problem. task manager and regedit still disabled. when i boot my laptop and i try to log into my user account, it says "The group policy client failed to log on, The media is write protected" and then i automatically restart after showing the message for 0.5 second.

Hi :

I see other problems, but doubt resolving them would change your "Situation" .
Since no one else is responding, I suggest you ask the experienced, certified,
"Microsoft Most Valuable Professionals" on the Support Forums at
http://aumha.net for help . And do NOT post a HijackThis Log that has been run
in "Safe Mode" unless "Normal Mode" will not run .

ok thnx. anyway i used group policy to enable my regedit. inside HKCU\software\microsoft\windows\currentversion\policies\System, disabletaskmgr and disableregedit is set to 1. so i set it to 0 and off regedit. but after i close regedit, it will automatically set to 1 again and regedit is disabled by adminstrator again. So i guess it is the virus that cause this to happen.

Download RatsCheddar

It contains a program written by Rathat, and it is a Policy Controller.
Save and extract this program to the desktop.
Once extracted, Double click on the RatsCheddar.exe file.
Enable everything, then click Exit
Reboot your Computer.

to kimsland

hey. eh that ratscheddar is useful at the first time. after that once i open regedit and close it. taskmgr and regedit is disabled again and ratscheddar dun work anymore. anyway more importantly is that my OS cant boot normally. when i tried to log in, its says "The group policy client failed to log on, The media is write protected" and then it automatically restart after showing the message for 0.5 second. i have to boot and press F8 and select boot from last known good configuration in order to log into windows.

Please tick and fix these entries in HJT

C:\Program Files\Internet Explorer\iexplore.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: AntiSpyware Scanning Engine (AntiSpywareSrv) - Unknown owner - C:\Program Files\AntiSpywareApp\AntiSpyware.srv.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe (file missing)

Click to expand...

it seems like im unable to delete it. i click fix checked. and then rescan again, the thing is there again.

Can you try Startup Control Panel and remove it from there
Also are you in an Administrator account

i try uninstalling antispyware, it says fatal error occured removing driver: uninstallFilterDriver : LoadLib : The specified module could not be found. i cant seems to find AVG7 things in my add and remove programs.

file missing

Click to expand...

Means AVG7, files (well the above HJT log files), are gone
By removing them in a new HJT scan, all should be ok

What Antivirus are you presently using?

yup im in adminstrator account. what u mean by "Means AVG7, files (well the above HJT log files), are gone
By removing them in a new HJT scan, all should be ok" im using adaware, spybot search and destroy, malwarebytes, Superantispyware, SDfix.

im using adaware, spybot search and destroy, malwarebytes, Superantispyware, SDfix

Click to expand...

I'm referring to Post#11 above

Run HijackThis again, and remove those entries

Also part of the New Preliminary Removal Instructions was to install (and update) an Antivirus.

I tell you what, do the following:

Uninstall any live protecting programs like Spybots S&D, then download Avira free Antivirus.
Do a full update. Then do a full scan

Please do these steps (which are also part of the New Preliminary Removal Instructions you completed, you did complete those steps, didn't you??)

hmm im unable to delete these hijackthis entries. everytime i delete it keep coming back.

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe (file missing)

i did follow the New Preliminary Removal Instructions as u can see from post #4, after doing it i posted the logs of malwarebytes, Superantispyware and hijackthis.
i uninstalled Spybot S&D and installed avira, im going to do a full scan now. thnx

i ran avira scan and it detect almost all my .exe files as W32\sality.

Almost all as in referring to on your system? I once encountered a problem like this, and I would recommend a reformat to be ultimately safe, especially if it keeps coming back through different program exe's.

I ended up cleaning and uninstalling almost every important program/software/game on my system because apparently such trojans infect exe files, and perpetuates its codes on other exe files. As such, you can delete/clean the original bad trojan file, but the infection remains stuck on your system.

There's no knowing which files have been infected and are just lying dormant waiting to be run and infect more exe files on your system.

to momok

hmm i have thought of reformatting but im using vista and i duno how to do a reformat. all i have is a Windows vista recovery DVD. but everytime i boot up with the with recover DVD inside or choose repair my computer, it will hang at a black screen after loading for awhile. i waited for 1 hour but nothing happened. System restore is also not working. everytime i do system restore and restart my laptop, it will say the system restore had failed.

Well the System Restore fail, is not that shocking. Once you get Virus/Trojan/Malware issues, usually System Restore is one of the first areas to also be effected.

But the DVD Recovery image is the bigger concern.
I'd say all attention should be on getting this to work, otherwise you'll never be able to re-install Windows (Repair, or a preferred Clean install)

Your first option would be to check the DVD for scratches/marks, and either clean or replace it (through your manufacture)
Next would be to run Memtest on your Ram
Failing (or rather passing) that, I would say run a HardDrive diagnostics test
Lastly, laptops have always had the issue of poor quality DVD players, you could run a disc cleaner through it, or possibly install an external DVD Drive (although I'm not sure how this will effect the Restore process)

i repeat New Preliminary Removal Instructions in safe mode and now my regedit and task manager is working again. my laptop is booting back to normal again! thnx techspot people! i guess my problem is solved!

chunx said:

everytime i boot up with the with recover DVD inside or choose repair my computer, it will hang at a black screen

Click to expand...

Glad it's resolved
Please continue to disregard my last post, until one day when you will need to re-install or repair Windows

yup i will. thnx kimsland! =)