Inactive [Not curable-Sality] Bad Image Virus Problem

ESET log :
C:\Users\User\AppData\Roaming\IDM\DwnlData\User\1325820360f75_0\1325820360f75	HTML/ScrInject.B.Gen virus	deleted - quarantined
C:\Users\User\AppData\Roaming\IDM\DwnlData\User\1325820384f76_0\1325820384f76	HTML/ScrInject.B.Gen virus	deleted - quarantined
C:\Users\User\AppData\Roaming\IDM\DwnlData\User\1326145445f15_0\1326145445f15	HTML/ScrInject.B.Gen virus	deleted - quarantined
C:\Users\User\AppData\Roaming\IDM\DwnlData\User\1326231936f3_0\1326231936f3	HTML/ScrInject.B.Gen virus	deleted - quarantined
C:\Users\User\Downloads\Programs\codec_pack_607209_ch.exe	Win32/Adware.1ClickDownload.AC application	cleaned by deleting - quarantined
C:\Users\User\Downloads\Programs\downloadmanager_Setup.exe	a variant of Win32/Adware.iBryte.G application	cleaned by deleting - quarantined
D:\TitaniumBackup.rar	a variant of Android/Adware.AirPush.G application	deleted - quarantined
D:\2013-04-12-21.21.26\data.ext3.tar	a variant of Android/Adware.AirPush.G application	deleted - quarantined
D:\TitaniumBackup\com.androidlab.gpsfix-544a0e7cc232333e48ce3d02e74db080.apk.gz	a variant of Android/Adware.AirPush.G application	deleted - quarantined

There are two options now:
1 - Uninstall application on close
2 - Delete quarantined files
Both of them are unchecked, so should I check any of them and close the window?
 
Keep Eset for future use.
You can delete quarantined files.

Update Adobe Flash Player: http://get.adobe.com/flashplayer/
Make sure you UN-check Yes, install McAfee Security Scan Plus

NOTE 1: Beginning with Adobe Flash Version 11.3, the universal installer includes the 32-bit and 64-bit versions of the Flash Player.
NOTE 2: While installing make sure you UN-check any extra garbage which wants to install alongside.

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions (if present).
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it.
  • Run JavaRa.exe (Vista and 7 users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Do NOT post JavaRa log.

===================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

8. Run Temporary File Cleaner (TFC) weekly.

9. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

11. (Windows XP only) Run defrag at your convenience.

12. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

13. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

14. Please let me know how your computer is doing.
 
In step two, while downloading Adobe Flash Player, after I chose my OS and browser, it indicated that it is a 16MB file, but the file that appeared in IDM was only 2mb. I downloaded it, but nothing happened after I tried to install the file. I checked my download directory but didn't find the file. I redownloaded the file; this time when I try to run it, it says "Only a single instance of this application can run". I scanned it with that anti-malware but it showed nothing.
Afterwards, I tried to install Adobe Reader, and the exact same things happened (even the file was only 2mb).
What should I do now?
 
I found something...
After running Task Manager, in the Processes tab I found both "install_flashplayer11x32ax_mssd_aih" and "install_reader11_en_mssd_aih". I located them, and both of them were in C:\Users\User\AppData\Local\Temp
I ended both processes, changed their location to the desktop and tried to install them again, but nothing happened again; also, they were moved to the directory I just mentioned.
Another thing I just noticed: in the Processes tab there is an Image: winlogon.exe (PID: 852). I dunno whether it's OK or not, but the User Name and Description fields are empty.
 
Any particular reason you're using IDM?
Try different browser to download both files.
 
I turned off my IDM and opened Firefox (my Internet Explorer is not working; for some time now I have had this issue where Internet Explorer shows me "Internet Explorer Cannot Display The Webpage" whenever I want to open any website, so I can't use IE). I downloaded the installation file (it was 2mb again) and ran it, but nothing happened again.
 
Are you downloading those files to your computer before trying to install?
What happens when you double click on installation files?
 
Bingo!
You told me what happens when you double click on installation files, This time I didn't, I right clicked them and ran them as administrator, that worked!
 
I ran all the steps but I don't find the last log to post it to you,
But anyway, I think my computer is now running so much smoother, even than before I noticed it's infected,
So thank you very very much, It was a lot of pleasure in doing your guides step by step,
I will Donate as soon as I can, thank you again
Yours
 
Dear Broni
Sorry to reply again, but I received another bad image error today when I was trying to install Bitdefender AV.
Actually, this is the error I received before I made this thread, and I forgot to check if it is solved or not, but today when I tried to install Bitdefender, I encountered this error again.
Though this error happens, my installer will continue after I click OK. I dunno if it is a virus or not.
 
Here is Malwarebytes log :
Also I removed avast free antivirus before I tried to install bitdefender, it is still uninstalled
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.20.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
User :: USER-PC [administrator]

Protection: Enabled

5/21/2013 8:26:07 PM
mbam-log-2013-05-21 (20-26-07).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 227016
Time elapsed: 4 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
I've got another problem, when I right click anywhere on desktop or anywhere else, instead of right click menu, a blackbox appears, till I hover over it, then the buttons appear one by one
 
I'm scanning my computer with ESET online that you mentioned before, so far the results show that I'm affected by a virus named Win32/Sality.NBA, I will send the log when scan finished
 
I found the file that installed this virus on my pc, I opened that file right after I uninstalled my avast av, that was *****ic :(
 
Unfortunately this is very bad news...

You are infected with a polymorphic file infector (Sality). This infection can and will infect all the machine's executable files .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.

Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain following files:
*.exe
*.scr
*.htm
*.html
*.xml
*.zip
*.rar
*.doc
*.jpg
*.pdf

Backup all your documents and important items only.
DO NOT backup any files mentioned above.

I suggest you do the following immediately:

* Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
* From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
* DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

For more information on Virut, and why you need to reformat, have a read of miekiemoes blog here.

To find out how to carry out an XP Reformat and Reinstall, please see this page. If you are using Vista, then check this page instead.

Once you have reformatted and reinstalled Windows, have a look at this page for some useful tips on staying clean, along with links to some freeware to help.

To find out more information about how you may have got infected in the first place, you can read this article.

I am sorry I cannot give any better news.
 
OK, I will reformat and reinstall my Windows. About backups: is it possible to move my important files (including rar, pdf, htm) to an external hard drive and, after reinstalling Windows, scan the whole external hard drive and delete all the viruses so I can use them?
 