Help! Virus...

Hi, I am a new member here and I am posting this thread in the hope of a solution (because I heard from my friend that this forum is good).

Problem 1:

My problem started like 1/2 months ago. I think I got an UNKNOWN virus (I have not found any definition for the virus) from a pen drive, because after removing the pen drive I got “DESKTOP.INI” only in the places mentioned below:

“C:\Documents and Settings\LocalService\Local Settings”
“C:\Documents and Settings\LocalService\Local Settings\History”
“C:\Documents and Settings\LocalService\Local Settings\History\History.IE5”
“C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5”
“C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5”
“C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\CVWOGE6A”
“C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\HLYQFPBR”
“C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\O99NJYA5”
“C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\SSQUJH4O”
“C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files”
“C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5”
“C:\Documents and Settings\NetworkService\Local Settings”
“C:\Documents and Settings\<Username>\Local Settings” [This is only on my user account]

These files are only in “C:\Documents and Settings”, NOT ANYWHERE ELSE.
The “DESKTOP.INI” files read:

[.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21774

I tried to clean them by “Start>Search” and delete them with “Shift+Delete”, but they come back after every reboot. My PC is slower than ever. I checked the Microsoft support center solution (http://support.microsoft.com/kb/330132) but it didn’t work. Is there a solution for this problem?

Problem 2:

After the attack of “DESKTOP.INI” the view of my Windows folder has changed into that of a normal folder and the menu commands are missing. I could not install any new fonts on my operating system. I checked the Microsoft support center solution (http://support.microsoft.com/kb/133725) but it didn’t work. Is there a solution for this problem?

Problem 3:

I got “WIN32:SALITY” on my PC. It is changing the *.exe files and disabling them. When I try to start a file it gives this message:

“ is not a valid Win32 Application.”

Then the virus was stacking the infected files into the System Restore folder. I turned off System Restore points. Still the files are changing.

The virus has also disabled “Regedit” and “Task Manager”. But later on I used the program “ComboFix”. It released “Task Manager” and “Regedit”. But my PC is still infected by the virus.

I am using Avast 4.8 Home Edition (virus definitions up to date). It first detected the virus but couldn’t disinfect the files and failed to remove the source file. I scheduled a boot scan with Avast and it detected many exe files as infected and moved them to the virus chest. Then I made a mistake and uninstalled Avast without deleting the infected files and installed Kaspersky Antivirus 2009. It failed to detect any infected or source file. I installed McAfee Total Protection 2008. It also failed to detect any infected or source file. I reinstalled Avast and, to my sorrow, it failed to detect the infected files. My PC is still slower than ever. I think the virus is still in my PC. What should I do?

I am giving my PC configuration for your evaluation.

Processor: Intel Celeron D 2.66 GHz, 256 KB L2 cache, 533 MHz front-side bus
Motherboard: Gigabyte S-Series 945GZM-S2
RAM: 2 * 512 MB DDR2 (bus speed 533)
HDD: Samsung 160 GB SATA

Anyone, please give me some advice and release me from this virus attack.
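As an added example (my own code, not from this thread or any vendor tool), here is a Python audit script that walks a folder tree, parses every desktop.ini it finds, and separates files whose content is exactly the text quoted above from files carrying other [.ShellClassInfo] keys or extra sections that deserve a closer look. The folder tree and the sample desktop.ini bodies are constructed in a temporary directory, so it runs offline.

```python
import configparser
import os
import tempfile

# Content of the desktop.ini files quoted in the post above.
REPORTED_TEMPLATE = "[.ShellClassInfo]\nLocalizedResourceName=@shell32.dll,-21774\n"
# [.ShellClassInfo] keys that only change how Explorer displays a folder.
DISPLAY_ONLY_KEYS = {"localizedresourcename", "iconresource", "iconfile", "iconindex", "infotip"}

def classify(text):
    """'template' = exactly the quoted text; 'display-only' = only display keys in
    [.ShellClassInfo]; 'review' = any other section/key, worth a closer look."""
    if text.strip() == REPORTED_TEMPLATE.strip():
        return "template"
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cfg.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:
        return "review"
    if set(cfg.sections()) != {".ShellClassInfo"}:
        return "review"
    keys = set(cfg[".ShellClassInfo"].keys())  # configparser lowercases key names
    return "display-only" if keys <= DISPLAY_ONLY_KEYS else "review"

def audit(root):
    """Walk root and map every desktop.ini (path relative to root) to its class."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "desktop.ini":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results[os.path.relpath(path, root)] = classify(fh.read())
    return results

def demo():
    """Build a constructed folder tree in a temp dir and audit it."""
    root = tempfile.mkdtemp()
    samples = {  # folder -> desktop.ini body (constructed sample data)
        os.path.join("LocalService", "Local Settings"): REPORTED_TEMPLATE,
        os.path.join("LocalService", "Local Settings", "History"): REPORTED_TEMPLATE,
        "CustomIcon": "[.ShellClassInfo]\nIconResource=%SystemRoot%\\system32\\shell32.dll,-3\n",
        "Odd": "[.ShellClassInfo]\nCLSID={placeholder-clsid}\n[Other]\nx=1\n",
    }
    for rel, body in samples.items():
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        with open(os.path.join(root, rel, "desktop.ini"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return audit(root)
```

Point `audit()` at a real profile root instead of the demo tree to list every desktop.ini that is anything other than the quoted template.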

Sality searches for and terminates any processes which match a list contained in its code; the following is an example of such a list:

AVXQUAR
ICSUPP
ICSSUPPNT
ESCANH
AVLTMAIN
VSMAIN
TRJSCAN
PROTECTX
PORTDETECTIVE
PINGSCAN
PERISCOPE
NPFMESSENGER
MCAGENT
LOCKDOWN
DRWTSN32
DRWATSON
CLEANER
BLACKICE
BIPCP
BIDSERVER
BIDEF
AVPROTECT
AVGSERV
ATGUARD
AVSYNMGR
AUTOTRACE
SAVSCAN
RTVSCAN
NUPGRADE
NPROTECT
MGUI
MCUPDATE
NMAIN
ANTI
NOD32
ZONEALARM
OUTPOST
DRWEB
KAV
AVP
NAV

Sality searches subdirectories on drives C:\ to Y:\ for files with the following extensions:

.vdb
.avc

Files located are deleted. This is presumably to disable or impair certain AV products.

Infected files can be healed by using the Win32/Sality removal tool.
Download the following three files ( rmsality.exe, rmsality.nt, rmsality.dos) and run the rmsality.exe file.

  1. http://www.grisoft.cz/softw/70/filedir/u
  2. http://www.grisoft.cz/softw/70/filedir/u
  3. http://www.grisoft.cz/softw/70/filedir/u

You can also specify the disks (or partitions) to heal as command parameters, e.g. “rmsality C: D:”. If the command is used without parameters, it heals all disks (partitions) on the computer.

Note:
Successful running of the remover requires administrator rights. For proper functionality of the remover it is necessary to save the rmsality.nt and rmsality.dos into the same folder as rmsality.exe. After the healing process please run the antivirus to make sure your computer is virus-free.

Hope that works. :-\
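As an added example (my own code, not from this thread or any AV vendor), a small triage script that applies the kill list and the .vdb/.avc deletion behaviour described above to a constructed process list and file list, showing which security-tool processes on a machine Sality would terminate and which definition files it would delete. The sample process and file names are constructed for the demo, not taken from the poster's machine.

```python
import ntpath

# Process-name fragments from Sality's kill list as given above.
SALITY_TARGETS = [
    "AVXQUAR", "ICSUPP", "ICSSUPPNT", "ESCANH", "AVLTMAIN", "VSMAIN", "TRJSCAN",
    "PROTECTX", "PORTDETECTIVE", "PINGSCAN", "PERISCOPE", "NPFMESSENGER", "MCAGENT",
    "LOCKDOWN", "DRWTSN32", "DRWATSON", "CLEANER", "BLACKICE", "BIPCP", "BIDSERVER",
    "BIDEF", "AVPROTECT", "AVGSERV", "ATGUARD", "AVSYNMGR", "AUTOTRACE", "SAVSCAN",
    "RTVSCAN", "NUPGRADE", "NPROTECT", "MGUI", "MCUPDATE", "NMAIN", "ANTI", "NOD32",
    "ZONEALARM", "OUTPOST", "DRWEB", "KAV", "AVP", "NAV",
]
# Definition-file extensions the description says Sality deletes.
DELETED_EXTENSIONS = {".vdb", ".avc"}

def matching_fragments(process_name, targets=SALITY_TARGETS):
    """Kill-list fragments found in a process name (case-insensitive substring on the
    base name without extension). Short fragments such as ANTI, KAV and NAV are why
    so many vendors' tools are hit."""
    base = ntpath.splitext(ntpath.basename(process_name))[0].upper()
    return [t for t in targets if t in base]

def triage_processes(process_list):
    """Map each process Sality would terminate to the fragments that matched."""
    hits = {}
    for name in process_list:
        m = matching_fragments(name)
        if m:
            hits[name] = m
    return hits

def definition_files_at_risk(paths):
    """Files whose extension is on the delete list (.vdb/.avc), i.e. AV definition data."""
    return [p for p in paths if ntpath.splitext(p)[1].lower() in DELETED_EXTENSIONS]

# Constructed sample data (not taken from the poster's machine).
SAMPLE_PROCESSES = ["ashServ.exe", "avp.exe", "mcagent.exe", "McUpdate.exe",
                    "explorer.exe", "taskmgr.exe", "svchost.exe", "nod32krn.exe"]
SAMPLE_FILES = [r"C:\Program Files\AV\base\daily.avc", r"C:\Program Files\AV\engine.vdb",
                r"C:\Program Files\AV\readme.txt"]
```

Feed `triage_processes()` the output of a real process listing to see which of your own security tools fall inside the kill list before trusting their scan results.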

Sorry to bother again, but the link doesn’t work. The server shows 404: file not found.

And if there is any solution for problem 1, please post.

Which one?

Try this one: http://www.filecluster.com/Antivirus-Spyware/Antivirus/Download-Win32-Sality-Remover.html

Strange… site is there and up.
Can you test from another computer?

Sorry to bother you again. I downloaded the file and ran a scan. It failed to open some files and there were no infected files ACCORDING to the tool. Please let me know what to do next.

I am giving you the link to the complete scan log file of rmsality.exe.

Follow the link: http://www.MegaShare.com/879662

Thank you from KSS123

I suggest the general cleaning procedure:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the files to Quarantine than to simply delete them.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or at this analysis site, or even submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then re-enable it again.
  7. Immunize your system with SpywareBlaster.
  8. Check if you have insecure applications with Secunia Software Inspector.

Thanks for the Tools. I am downloading the tools right now.

But recently I am facing another problem. At this moment Windows Data Execution Prevention (DEP) is closing down Generic Host Process for Win32 Services. Windows gives an error message and tries to send a report to Microsoft. Every time after the boot the same thing occurs. I am not sure if this is a problem or not.

And AVAST is detecting a worm named “C:\Windows\System32\Win32:confi[wrm]\X” and “C:\WINDOWS\System32\x[UPX]” each time Windows boots. I delete it every time but it comes back every time Windows boots. What should I do?

That’s Conficker. It will replicate itself, but they should know how to remove it. And if you have used that computer for online banking or any other private info, I suggest you monitor them; Conficker is an info stealer.