[amrith92]

Hi!

First: Virus Details ; Platform: Win XP

My laptop is affected by some sort of virus, and as it destroyed my AVG 8.5 free installation, I downloaded Avira Free antivirus software. This virus didn't let me install it (It blocked out all antivirus websites) and keeps downloading small 8.50 kb files (randomly named) into this directory - C:\Documents and Settings\username\Local Settings\Temp\ - besides which, it creates a folder named "Qoobox" in C:\, and different Executables in C:\WINDOWS, namely SED.exe, NIRCMD.exe, GREP.exe, TASKMAN.exe, SWSC.exe, SWREG.exe, vfind.exe, zip.exe.

I have been fighting this virus for the past 14 hours, manually altering registry keys that were infected using a satndalone registry editor(Not the one windows provides, as both regedit and taskmgr have been disabled, and I cannot permanently set their reg keys back to 0x00). HijackThis showed two DPF's (O16) that were probably infected (I'll upload the log if you require it), apart from which it showed an O10 - unknown file in winsock LSP - : c:\windows\system32\nwprovau.dll (I have left this as I have NetBIOS installed). After taking the log, and fixing the above said, I ran ComboFix. The log showed some infected registry keys, all of which deals with infecting Removable drives. I have manually fixed these. I have attached this log as well. The striking thing to me was that the virus made ComboFix unworkable after I used it! It now gives an error message when I open it.

The virus also renders some applications useless, for eg, I cannot run some .exe files. I looked up how the process starts using Process Explorer, and found that these programs start and then are stopped suddenly, and I just can't figure out why (or how). At first it didn't let me install Avira, so I had to carry out a manual installation, which involved extracting the setup files with WinRAR and then heading out from there. Eventually, I got it running, and did a scan of my C:\ drive, and here are the results (I'm not sure of what to do with these as it lists some very important core windows files as being infected with the w32/Sality.Y variant of virus.), which are attached below. (Its way too large to be posted)

I have also scanned my whole computer with Malwarebytes' Anti-Malware, but that didn't show anything. Atribune's VundoFix also returned a negative.

Could somebody help me with this?

*ANY* help is appreciated!

Thanks for your time,

Amrith

[amrith92]

Hi!

Update: I got the Task Manager and regedit up and running, but the virus is still there ...

Update 2: Uninstalled Avira... Sorry about that, but when I restarted the computer, it sort of went haywire - It kept popping up lots of windows asking me whether I should run a certain program/process and it also was adamant that its own setup file was a W32/Sality.Y ... But still, I could use some help on this...

PS: should this thread be moved to another location in light of my recent changes/updates?

[blitzkreig]

yea,
I would recommend this thread being in the malware removal and hijackthis forum.