
[Not curable - Sality] Antivirus not installing, Safe Mode, Online Scan

Discussion in 'Malware and Virus Removal Archive' started by moussa, 2010/12/25.

  1. 2010/12/25
    moussa Inactive Thread Starter

    Hello,
    I followed the steps in order to post here.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5392

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/25/2010 5:32:34 PM
    mbam-log-2010-12-25 (17-32-34).txt

    Scan type: Quick scan
    Objects scanned: 130431
    Time elapsed: 1 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Documents and Settings\Yayo\Local Settings\Temp\wininew.exe (Trojan.Agent) -> Delete on reboot.


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-12-25 17:46:03
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400BB-00DKA0 rev.77.07W77
    Running: cw2kpdkg.exe; Driver: C:\DOCUME~1\Yayo\LOCALS~1\Temp\kxtdapog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? nefax.sys The system cannot find the file specified. !
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xBA51A340, 0x121A5F, 0xF8000020]
    .text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012380, 0x25BA81, 0xF8000020]
    ? C:\WINDOWS\system32\drivers\ljppq.sys The system cannot find the file specified. !

    ---- EOF - GMER 1.0.15 ----
     
  2. 2010/12/25
    moussa Inactive Thread Starter

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000003d

    Kernel Drivers (total 119):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EE000 \WINDOWS\system32\hal.dll
    0xF7987000 \WINDOWS\system32\KDCOM.DLL
    0xF7897000 \WINDOWS\system32\BOOTVID.dll
    0xF75F7000 nefax.sys
    0xF7508000 ACPI.sys
    0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF74F7000 pci.sys
    0xF7607000 isapnp.sys
    0xF7A4F000 pciide.sys
    0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7617000 MountMgr.sys
    0xF74D8000 ftdisk.sys
    0xF798D000 dmload.sys
    0xF74B2000 dmio.sys
    0xF770F000 PartMgr.sys
    0xF7627000 VolSnap.sys
    0xF749A000 atapi.sys
    0xF7637000 disk.sys
    0xF7647000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF747A000 fltmgr.sys
    0xF7468000 sr.sys
    0xF7444000 Fastfat.sys
    0xF742D000 KSecDD.sys
    0xF7400000 NDIS.sys
    0xF787D000 Mup.sys
    0xF7657000 agp440.sys
    0xF7687000 \SystemRoot\system32\DRIVERS\SMBios.sys
    0xF76A7000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xBA51A000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xBA506000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF773F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xBA4E2000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7747000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF76B7000 \SystemRoot\system32\DRIVERS\dlkfet5b.sys
    0xF76C7000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF774F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF7757000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF76D7000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF7913000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xBA4CE000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF76E7000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF76F7000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF75C6000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xBA40B000 \SystemRoot\system32\DRIVERS\ks.sys
    0xBA37D000 \SystemRoot\system32\drivers\smwdm.sys
    0xBA359000 \SystemRoot\system32\drivers\portcls.sys
    0xF75B6000 \SystemRoot\system32\drivers\drmk.sys
    0xBA341000 \SystemRoot\system32\drivers\aeaudio.sys
    0xF775F000 \SystemRoot\system32\drivers\sf.sys
    0xF7AC2000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF75A6000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF791B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xBA32A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7596000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7586000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7767000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xBA319000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7576000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF776F000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7777000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xBA2E9000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF7566000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF777F000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF798F000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xBA263000 \SystemRoot\system32\DRIVERS\update.sys
    0xF792F000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7556000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7546000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7995000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF7787000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xF7997000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7A67000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7999000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7797000 \SystemRoot\System32\drivers\vga.sys
    0xF799B000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF799D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF779F000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF77A7000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xBA7E4000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB90B8000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB905F000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB9037000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xB9015000 \SystemRoot\System32\drivers\afd.sys
    0xBA7C8000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xB8F4A000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xB8EDA000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xBA7B8000 \SystemRoot\System32\Drivers\Fips.SYS
    0xBA7A8000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF77AF000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xB8E94000 \SystemRoot\System32\Drivers\usbvideo.sys
    0xBA788000 \SystemRoot\system32\drivers\usbaudio.sys
    0xBA714000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xBA778000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF77B7000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xBA710000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xBA768000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB8E7C000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF79A1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xBA2D9000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF77BF000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7A7D000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xB7CEF000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xB7276000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB7D93000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB6F1C000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF79F1000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xB6E52000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB6C59000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB6CDA000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
    0xF79F7000 \??\C:\WINDOWS\system32\drivers\ljppq.sys
    0xB90F3000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xB6AC6000 \SystemRoot\system32\drivers\kmixer.sys
    0xB62AE000 \??\C:\DOCUME~1\Yayo\LOCALS~1\Temp\kxtdapog.sys
    0xB6288000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0x7C900000 \WINDOWS\System32\ntdll.dll

    Processes (total 25):
    0 System Idle Process
    4 System
    540 C:\WINDOWS\System32\SMSS.EXE
    616 csrss.exe
    640 C:\WINDOWS\System32\winlogon.exe
    684 C:\WINDOWS\System32\services.exe
    696 C:\WINDOWS\System32\lsass.exe
    860 C:\WINDOWS\System32\svchost.exe
    928 svchost.exe
    1020 C:\WINDOWS\System32\svchost.exe
    1076 svchost.exe
    1188 svchost.exe
    1388 C:\WINDOWS\System32\spoolsv.exe
    1596 C:\WINDOWS\Explorer.EXE
    1784 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    1792 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
    1812 C:\WINDOWS\System32\ctfmon.exe
    208 C:\WINDOWS\System32\nvsvc32.exe
    240 C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    336 C:\WINDOWS\System32\svchost.exe
    1744 C:\WINDOWS\System32\svchost.exe
    1564 C:\Documents and Settings\Yayo\Local Settings\Temp\winqiwhno.exe
    968 C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    2604 wmiprvse.exe
    2852 F:\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000004`e22d6a00 (FAT32)

    PhysicalDrive0 Model Number: WDCWD400BB-00DKA0, Rev: 77.07W77

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!


    DDS (Ver_10-12-12.02) - FAT32x86
    Run by Yayo at 17:50:35.93 on Sat 12/25/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1256.961.1033.18.1279.983 [GMT 2:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\DOCUME~1\Yayo\LOCALS~1\Temp\winqiwhno.exe
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    F:\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.msn.com
    uDefault_Page_URL = hxxp://www.msn.com
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
    mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    mPolicies-system: EnableLUA = 0 (0x0)

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\yayo\applic~1\mozilla\firefox\profiles\epeyto68.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

    ============= SERVICES / DRIVERS ===============

    R3 amsint32;amsint32;\??\c:\windows\system32\drivers\ljppq.sys --> c:\windows\system32\drivers\ljppq.sys [?]
    S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\ljppq.sys --> c:\windows\system32\drivers\ljppq.sys [?]

    =============== Created Last 30 ================

    2010-12-25 15:10:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-25 15:10:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-25 15:10:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-25 13:30:18 -------- d-sh--w- C:\FOUND.003
    2010-12-25 05:42:20 -------- d-sh--w- C:\FOUND.002
    2010-12-25 01:21:54 -------- d-sh--w- C:\FOUND.001
    2010-12-25 00:41:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-12-25 00:41:11 -------- d-----w- c:\docume~1\yayo\applic~1\SUPERAntiSpyware.com
    2010-12-24 23:01:17 -------- d-----w- c:\docume~1\yayo\applic~1\Malwarebytes
    2010-12-24 23:01:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-12-24 22:23:04 -------- d-sh--w- C:\FOUND.000
    2010-12-24 22:19:20 -------- d-----w- c:\windows\system32\LogFiles
    2010-12-24 22:10:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-12-24 22:06:39 -------- d-----w- c:\docume~1\yayo\locals~1\applic~1\Mozilla
    2010-12-24 22:04:54 77824 ----a-w- c:\windows\system32\dllcache\spcommon.dll
    2010-12-24 21:56:55 -------- d-sh--w- c:\documents and settings\yayo\PrivacIE
    2010-12-24 21:51:09 79872 ------w- c:\windows\system32\msxml6r.dll
    2010-12-24 21:51:09 79872 ------w- c:\windows\system32\dllcache\msxml6r.dll
    2010-12-24 21:51:09 1306624 ------w- c:\windows\system32\msxml6.dll
    2010-12-24 21:51:09 1306624 ------w- c:\windows\system32\dllcache\msxml6.dll
    2010-12-24 21:51:04 102912 ------w- c:\windows\system32\dllcache\dpcdll.dll
    2010-12-24 21:51:00 9728 ------w- c:\windows\system32\rwnh.dll
    2010-12-24 21:51:00 9728 ------w- c:\windows\system32\comsdupd.exe
    2010-12-24 21:51:00 46592 ------w- c:\windows\system32\drivers\irbus.sys
    2010-12-24 21:51:00 10752 ------w- c:\windows\system32\smtpapi.dll
    2010-12-24 21:49:48 -------- d-----w- c:\windows\ServicePackFiles
    2010-12-24 21:49:38 364544 ------w- c:\program files\windows media player\dlimport.exe
    2010-12-24 21:49:36 294912 ------w- c:\windows\system32\dllcache\dlimport.exe
    2010-12-24 21:34:23 -------- d-sh--w- c:\documents and settings\yayo\IETldCache
    2010-12-24 21:33:13 -------- d-sh--w- C:\Recycled
    2010-12-24 21:32:45 26144 ----a-w- c:\windows\system32\spupdsvc.exe
    2010-12-24 21:32:11 -------- d--h--w- c:\windows\ie8
    2010-12-24 21:15:10 -------- d-----w- c:\windows\system32\ReinstallBackups
    2010-12-24 21:12:47 36484 ----a-w- c:\windows\system32\drivers\SMBios.sys
    2010-12-24 21:12:44 -------- d-----w- C:\TempEI4
    2010-12-24 21:12:00 -------- d-----w- c:\program files\D-Link
    2010-12-24 21:00:50 -------- d-s---w- c:\windows\system32\Microsoft

    ==================== Find3M ====================


    ============= FINISH: 17:50:52.10 ===============
     


  4. 2010/12/25
    moussa Inactive Thread Starter

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/7/2005 6:24:05 PM
    System Uptime: 12/25/2010 5:33:16 PM (0 hours ago)

    Motherboard: Intel Corporation | | D865PERL
    Processor: Intel(R) Pentium(R) 4 CPU 2.66GHz | J2E1 | 2660/133mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (FAT32) - 20 GiB total, 12.218 GiB free.
    D: is FIXED (FAT32) - 18 GiB total, 2.647 GiB free.
    E: is CDROM ()
    F: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Modem
    Device ID: PCI\VEN_2000&DEV_2800&SUBSYS_28000801&REV_02\4&2E98101C&0&18F0
    Manufacturer:
    Name: PCI Modem
    PNP Device ID: PCI\VEN_2000&DEV_2800&SUBSYS_28000801&REV_02\4&2E98101C&0&18F0
    Service:

    ==== System Restore Points ===================

    RP1: 12/24/2010 11:02:54 PM - System Checkpoint
    RP2: 12/24/2010 11:11:58 PM - Installed D-Link DFE520TX
    RP3: 12/24/2010 11:28:56 PM - Installed WinZip 14.0
    RP4: 12/24/2010 11:32:47 PM - Installed Windows Internet Explorer 8.
    RP5: 12/24/2010 11:47:05 PM - Installed Windows XP Service Pack 3.

    ==== Installed Programs ======================

    D-Link DFE520TX
    D-Link PCI Fast Ethernet Adapter
    Malwarebytes' Anti-Malware
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.12)
    NVIDIA Display Driver
    SoundMAX
    WebFldrs XP
    Windows Internet Explorer 8
    Windows XP Service Pack 3
    WinZip 14.0

    ==== Event Viewer Messages From Past Week ========

    12/25/2010 7:44:59 AM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 b7b5e316, parameter3 ba336894, parameter4 00000000.
    12/25/2010 7:30:27 AM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 b7bde316, parameter3 b64f0894, parameter4 00000000.
    12/25/2010 4:53:28 PM, error: Service Control Manager [7034] - The SoundMAX Agent Service service terminated unexpectedly. It has done this 1 time(s).
    12/25/2010 4:53:28 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    12/25/2010 3:31:09 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 b7bde316, parameter3 b7b13894, parameter4 00000000.
    12/25/2010 3:24:33 AM, error: System Error [1003] - Error code 10000050, parameter1 fffffff0, parameter2 00000000, parameter3 804e9fbf, parameter4 00000000.
    12/25/2010 2:15:21 AM, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
    12/25/2010 2:15:17 AM, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
    12/25/2010 2:15:17 AM, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
    12/25/2010 2:15:17 AM, error: Service Control Manager [7034] - The SSDP Discovery Service service terminated unexpectedly. It has done this 1 time(s).
    12/25/2010 2:15:17 AM, error: Service Control Manager [7031] - The Remote Registry service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
    12/25/2010 12:27:30 AM, error: Service Control Manager [7034] - The Avira AntiVir Guard service terminated unexpectedly. It has done this 3 time(s).
    12/25/2010 12:27:22 AM, error: Service Control Manager [7031] - The Avira AntiVir Guard service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    12/25/2010 12:27:17 AM, error: Service Control Manager [7031] - The Avira AntiVir Guard service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    12/25/2010 12:15:09 AM, error: Service Control Manager [7034] - The Avira AntiVir Guard service terminated unexpectedly. It has done this 5 time(s).
    12/25/2010 12:15:09 AM, error: Service Control Manager [7022] - The Avira AntiVir Guard service hung on starting.
    12/25/2010 12:15:09 AM, error: Service Control Manager [7001] - The Avira AntiVir MailGuard service depends on the Avira AntiVir Guard service which failed to start because of the following error: After starting, the service hung in a start-pending state.
    12/25/2010 12:13:14 AM, error: Service Control Manager [7034] - The Avira AntiVir Guard service terminated unexpectedly. It has done this 4 time(s).
    12/25/2010 12:13:14 AM, error: Service Control Manager [7001] - The Avira AntiVir WebGuard service depends on the Avira AntiVir Guard service which failed to start because of the following error: After starting, the service hung in a start-pending state.
    12/25/2010 12:09:23 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    12/25/2010 12:09:23 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Yayo\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
    12/25/2010 12:09:23 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    12/25/2010 12:05:35 AM, error: Service Control Manager [7000] - The abp470n5 service failed to start due to the following error: The system cannot find the file specified.
    12/25/2010 1:35:25 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
    12/25/2010 1:33:56 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    12/25/2010 1:32:22 AM, error: PlugPlayManager [11] - The device Root\LEGACY_AMSINT32\0000 disappeared from the system without first being prepared for removal.
    12/24/2010 11:30:55 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file winlogon.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.2180, the version of the system file is 5.1.2600.2180.
    12/24/2010 11:15:31 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\usbui.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.2180.
    12/24/2010 11:06:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/24/2010 11:05:37 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
    12/24/2010 11:05:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    12/24/2010 10:59:59 PM, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.

    ==== End Of File ===========================

    additional info:
    I used to have Avira Antivirus, when it stopped working, I uninstalled it. When I tried to re-install, the installation file opened for a second then closed without any error message appearing. So currently I don't have an antivirus.
     
    Last edited: 2010/12/25
  5. 2010/12/25
    broni Moderator Malware Analyst

    Welcome aboard :)

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===============================================================

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  6. 2010/12/25
    moussa Inactive Thread Starter

    There you go

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
     
  7. 2010/12/25
    broni Moderator Malware Analyst

    I have to apologize for not paying attention (Christmas Day, I guess), but in the MBAM log we can see this:
    Virus.Sality

    I'm afraid I have very bad news.

    You are infected with a polymorphic file infector (Sality). This infection can and will infect all the machine's executable files .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.

    Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain the following files:
    *.exe
    *.scr
    *.htm
    *.html
    *.xml
    *.zip
    *.rar
    *.doc
    *.jpg
    *.pdf

    Backup all your documents and important items only.
    DO NOT backup any files mentioned above.

    I suggest you do the following immediately:

    * Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    * From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
    * DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

    For more information on Virut, and why you need to reformat, have a read of miekiemoes blog here.

    To find out how to carry out an XP Reformat and Reinstall, please see this page. If you are using Vista, then check this page instead.

    Once you have reformatted and reinstalled Windows, have a look at this page for some useful tips on staying clean, along with links to some freeware to help.

    To find out more information about how you may have got infected in the first place, you can read this article.

    I am sorry I cannot give any better news.
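As an added example (not code from the thread, from Malwarebytes, DDS or GMER), the Python script below walks a few constructed log lines shaped like the MBAM, DDS and Event Viewer output moussa posted and pulls out the indicators broni's diagnosis rests on: a `Virus.*` family (the polymorphic file infector), Security Center `*DisableNotify` values that MBAM flagged, services whose driver image DDS marks with `[?]` (GMER and the Event Viewer output on this page report the same file as missing), and a security product's service terminating repeatedly (here Avira AntiVir Guard). The list of substrings used to recognise a security service is an assumption of the example, as is the three-way verdict.

```python
"""Triage helper for the scanner output posted in this thread.

Added example: not a tool from the thread, from Malwarebytes, DDS or GMER.
It reads constructed lines shaped like the MBAM, DDS and Event Viewer output
above and pulls out the indicators a responder acts on.
"""
import re
from collections import Counter

# Constructed sample: lines in the shape of the logs posted in this thread.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
c:\Documents and Settings\Yayo\Local Settings\Temp\wininew.exe (Trojan.Agent) -> Delete on reboot.
R3 amsint32;amsint32;\??\c:\windows\system32\drivers\ljppq.sys --> c:\windows\system32\drivers\ljppq.sys [?]
S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\ljppq.sys --> c:\windows\system32\drivers\ljppq.sys [?]
12/25/2010 12:27:30 AM, error: Service Control Manager [7034] - The Avira AntiVir Guard service terminated unexpectedly. It has done this 3 time(s).
12/25/2010 12:15:09 AM, error: Service Control Manager [7034] - The Avira AntiVir Guard service terminated unexpectedly. It has done this 5 time(s).
12/25/2010 2:15:21 AM, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
"""

# MBAM detection line: <object> (<family>) -> <action taken>
MBAM_DETECTION = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# DDS service/driver line ending in [?], the marker DDS prints when it cannot read the image file
DDS_UNREADABLE_SERVICE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?) --> (?P<path>.+?) \[\?\]$")
# DDS "Event Viewer Messages" summary line
EVENT = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), (?P<level>\w+): "
    r"(?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.+)$")
SERVICE_TERMINATED = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")

# Assumption of this example: substrings that identify a security product's service.
SECURITY_SERVICE_HINTS = ("antivir", "avira", "malwarebytes", "defender", "firewall")


def triage(text):
    """Return the indicators found in a blob of MBAM / DDS / Event Viewer lines."""
    detections = []                # (object, family, action)
    security_center_disabled = []  # Security Center *DisableNotify values MBAM flagged
    ghost_drivers = []             # (service name, image path) for [?] services
    terminations = Counter()       # security service -> number of 7031/7034 events
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MBAM_DETECTION.match(line)
        if m:
            detections.append((m["obj"], m["family"], m["action"]))
            if m["family"] == "PUM.Disabled.SecurityCenter":
                # The value name is the last path component of the registry object.
                security_center_disabled.append(m["obj"].rsplit("\\", 1)[-1])
            continue
        m = DDS_UNREADABLE_SERVICE.match(line)
        if m:
            ghost_drivers.append((m["name"], m["path"]))
            continue
        m = EVENT.match(line)
        if m and m["id"] in ("7031", "7034"):  # Service Control Manager: unexpected termination
            t = SERVICE_TERMINATED.match(m["msg"])
            if t and any(h in t["svc"].lower() for h in SECURITY_SERVICE_HINTS):
                terminations[t["svc"]] += 1
    return {
        "detections": detections,
        # MBAM names file infectors with a Virus.* family, e.g. Virus.Sality.
        "file_infectors": sorted({fam for _, fam, _ in detections if fam.startswith("Virus.")}),
        "security_center_disabled": security_center_disabled,
        "ghost_drivers": ghost_drivers,
        "security_service_terminations": dict(terminations),
    }


def verdict(report):
    """Map the indicators onto the decision taken in this thread (assumed thresholds)."""
    if report["file_infectors"]:
        return "reinstall"    # polymorphic file infector: not cleaned in place
    if report["ghost_drivers"] or report["security_service_terminations"]:
        return "investigate"  # persistence or AV tampering without a confirmed infector
    return "clean"


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for key, value in rep.items():
        print(f"{key}: {value}")
    print("verdict:", verdict(rep))
```

Run as-is to print the report for the constructed sample; on the sample the verdict is "reinstall", which is the same conclusion broni draws above from the `Virus.Sality` detection. Feeding it a real MBAM or DDS log would extend the same pattern, since the three regexes match the line shapes those tools print.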
     
  8. 2010/12/25
    moussa Inactive Thread Starter

    I have C:\ and D:\
    I already formatted C:\ and installed a new copy of Windows but this actually did not work.
    So now I have to format C: and D: in order to remove this virus?
     
  9. 2010/12/25
    broni Moderator Malware Analyst

    It depends...
    What is D? Separate drive? A partition of the same drive? What do you have on D?
     
  10. 2010/12/25
    moussa Inactive Thread Starter

    Depends on what? I'm kind of creeped out by this virus.
    I have 2 partitions, C and D.
    On C: I have Windows and program files, on D I have my own stuff like music etc.
    What do you think I should do? And what is the origin of this virus?
     
  11. 2010/12/25
    broni Moderator Malware Analyst

    When you formatted C drive, you either moved some infected files from D to C, or the virus simply jumped from D to C drive.

    If you have some important stuff on D drive, I suggest you move all of it to an external drive, or USB flash drive(s), and you disconnect it from your main computer.

    Now, format C and D drives, reinstall Windows.

    Before you do anything else, install this on your fresh Windows installation:

    Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down)

    *Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*

    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
    • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.
    Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

    Windows Vista and Windows 7 users
    Flash Disinfector is not compatible with the above Windows versions.
    Please, use Panda USB Vaccine

    Now, you're safe to reconnect your external drive.
    Scan it well with your updated AV program and updated MBAM before moving any of backed up files to your computer.
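The note above explains why Flash Disinfector leaves a hidden folder named autorun.inf at the root of each drive. The Python script below is an added example, not part of the thread or of Flash Disinfector: it classifies what sits at a volume root under that name, telling the protective placeholder folder apart from a real autorun.inf file, and for a file reports whether it only sets an icon or label or carries a directive that would start a program when the drive is inserted. The sample autorun.inf contents and file names are constructed for the example.

```python
"""Classify whatever sits at a volume root under the name autorun.inf.

Added example, not part of the thread or of Flash Disinfector. It tells
apart the protective placeholder folder described above (a directory named
autorun.inf, which keeps a file of that name from being created) from a
real autorun.inf file, and for a file reports whether it would only set an
icon or label or would launch a program.
"""
import os
import re
import tempfile

# [autorun] directives that make Windows start a program on insertion.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\=]+\\command$", re.IGNORECASE)

# Constructed samples (hypothetical names, not taken from the thread).
SAMPLE_PASSIVE = "[autorun]\nicon=backup.ico\nlabel=Family Photos\n"
SAMPLE_LAUNCH = "[autorun]\nopen=example.exe\nshell\\open\\command=example.exe\n"


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, keys lower-cased."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def classify_entries(entries):
    """('launches', [keys]) when a directive starts a program, else ('passive', [])."""
    launchers = sorted(k for k in entries if k in LAUNCH_KEYS or SHELL_COMMAND.match(k))
    return ("launches", launchers) if launchers else ("passive", [])


def inspect_volume_root(root):
    """Classify the autorun.inf entry directly under the given volume root."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return ("placeholder-folder", [])  # what Flash Disinfector leaves behind
    if not os.path.isfile(path):
        return ("absent", [])
    with open(path, encoding="utf-8", errors="replace") as fh:
        return classify_entries(parse_autorun(fh.read()))


def demo():
    """Build four constructed volume roots in a temp dir and inspect each."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        roots = {n: os.path.join(base, n) for n in ("protected", "passive", "launcher", "empty")}
        for root in roots.values():
            os.makedirs(root)
        os.makedirs(os.path.join(roots["protected"], "autorun.inf"))  # placeholder folder
        with open(os.path.join(roots["passive"], "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_PASSIVE)
        with open(os.path.join(roots["launcher"], "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_LAUNCH)
        for name, root in roots.items():
            results[name] = inspect_volume_root(root)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Pointing `inspect_volume_root` at a real drive letter (for example `inspect_volume_root("E:\\")` on Windows) gives the same four outcomes; "placeholder-folder" is the state the note above describes as protective, and "launches" is the one to look at before trusting a drive that has been plugged into an infected machine.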
     
  12. 2010/12/25
    moussa Inactive Thread Starter

    This is true because I copied some files from D: to C:.
    Anyways, I'll do the format tomorrow.
    I know how to format C: from Windows setup,
    but is there any idea how to format D:?
    And is it okay to copy any file extension from D: to an external hard drive, like .exe or .zip files?
     
  13. 2010/12/25
    broni Moderator Malware Analyst

    During Windows installation, you'll get an option to remove all (2) partitions, which you'll do.
    Then, if you wish, you can again create two partitions, format both of them and install Windows on one of them.
     
