The problems still persist even after completion of READ & RUN ME FIRST.

Please do the following from the Read and Run First instructions:

Not disabling your dameon tools may be giving a false positive for an MBR infection.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\MGlogs.zip

 

* Please download TDSSKiller to your Desktop
* Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
* Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -v

* Follow the instructions to type in "delete" when it asks you what to do when if finds something.
* When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

 

Thats the shortest log I have ever seen. Something is reporting an MBR infection. Let's try one other thing before we go about it the old way.

Please run this: GMER - running with a random name and attach the log from GMER.

 

You will need to boot to the Recovery Console to remove this infection.

Now boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

You can read the below to help you do this:

http://support.microsoft.com/kb/307654


Then boot back into normal mode.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\MGlogs.zip

 

Let me ask you one more time; did you disable your disc emulation software?

 

If you have removed Dameon, just re-run the C:\MGtools\GetLogs.bat and attach the new log. It will show if the MBR report was a FP due to the Dameon tools.

 

Nope, it is still showing an MBR infection. Please go ahead and boot into the recovery console and run the fixmbr.

Let me know if you have any problems with that.

 

I don't think you have an MBR infection. I believe that Daemon Tools did not uninstall all the junk it puts on your system and this is the cause of the false indications. You just have a couple of minor registry keys to fix up and let's get a new scan from a new version of MGtools.



Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell us how things are working now! Are you having any malware problems now? Any Google redirects?

 

Okay I went back thru your logs and I see the reason for this. You have a W32/Sality infection which you can read more about in the below links:

http://vil.nai.com/vil/content/v_149269.htm

http://www.bitdefender.com/VIRUS-1000406-en--Win32.Sality.OG.html


This may not be fixable! Do you have all important data backed up before we try to continue?

 

Note that your USB drive and and system it was plugged into, is likely infected.

Put the below two files into a ZIP file and attach it to your next message:

Code:

C:\Qoobox\Quarantine\Registry_backups\
legacy~1.dat 2010-06-15 1220 "Legacy_ABP470N5.reg.dat"
servic~1.dat 2010-06-15 2548 "Service_abp470n5.reg.dat"

Download the below files and save them to the C:\MGtools folder:

http://forums.majorgeeks.com/chaslang/files/Sality/SalityFix.reg

http://forums.majorgeeks.com/chaslang/files/Sality/system.ini


Now double click the C:\MGtools\SalityFix.reg file and allow it to be added into the registry. Make sure you receive a success message. Tell me whether you do or not.


Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).




Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

I had a typo in the system.ini file I had you download.

Manually edit your C:\Windows\system.ini file and you will see the below. I want you delete the text that is shown in RED and then save the file.

Tell me if edit and save works. Reload the file and make sure that text is gone.


As a note to you and TimW, you will see that the MBR infection no longer shows since I deleted the driver for Daemon Tools.

 

What is the below?

"GAZ"="c:\program files\Gaz\Startup" [X]

 

Perhaps after another reboot if we don't find all the roots of the infection.


Okay those files I had you attach, showed me the name of a driver file used by the infection. Let's see if we can delete this in the next fix. Also you need to keep checking your C:\Windows\system.ini file to make sure that the below do not come back. They are part of the infection.

So you will have to check after the reboot cause by ComboFix.



Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).




Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Yes because the driver file is changing at each reboot. The C:\WINDOWS\system32\drivers\fqkrnl.sys we deleted in the last fix was already renamed to something else before you ran the last fix.

Let's try a automatic tool from Kaspersky to see if it can help before we try to continue manually. In many cases, the only cure is a reinstall. Please download the below file to your Desktop:

http://support.kaspersky.ru/downloads/utils/sality_off.zip

Then extract the sality_off.exe file from the ZIP to your Desktop. Now run the sality_off.exe file by double clicking on it. Reboot and see where things stand. If still having a problem, run the below procedure also from Kaspersky:

http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889

 

Try rebooting a couple of times to see if any of it returns.

After a couple reboots, run C:\MGtools\GetLogs.bat again and attach the new MGlogs.zip log.

 

Yes it did. This infection is rarely fixable which is why back in message # 21 I said "It may not be fixable". I'm sorry, but your course is clear now. You will have to reinstall to be able guarantee that you can remove all aspects of this infection. During the reinstall, make sure that this time you properly protect this PC. You had no protection installed when you first came here. Refer to the below:

How to Protect yourself from malware!

 

Not just them!!!! Any other PC they were plugged into and any PC networked to the infected PC could be infected. You could try using a fully protected clean PC that has autoruns disabled doing a full scan with an antivirus program on these removable devices and hope that it is able to detect and remove any pieces of the infection if present.

Yes.