Hi
I am having an infection on my laptop.
These are some of the symptoms that I see:
1. I have ESET NOD32. On startup it says:
"Threat Found
C:\windows\system32\drivers\mpfqn.sys
Threat : win32/sality.NAQ virus"
2. I can't open msconfig or regedit or task manager
3. Any thumb drive placed into the laptop automatically has folders like newfolder.exe
4. Can't even open bleepingcomputer.com/forums from the infected laptop. As soon as this page opens, the browser window (Google Chrome) automatically closes
Please, can someone help me fix it
Win32/Sality.NAQ Virus Laptop infected
#2
Posted 05 April 2010 - 07:34 AM
I'm afraid I have very bad news. Your system is infected with a nasty variant of Win32/Sality. This family of malware is a polymorphic file infector which infects .exe, .scr files, downloads more malicious files to your computer, steals sensitive system information/passwords and sends it back to the attacker.
Please see Kaspersky's Threat Encyclopaedia of Win32.Sality.NAO.
With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.
About Sality Virus
Quote
As with many other malware, Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped file(s) when the drive is accessed.
If the computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Because your computer was compromised, please read:
- How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
- What Should I Do If I've Become A Victim Of Identity Theft?
- Identity Theft Victims Guide - What to do
- When should I re-format? How should I reinstall?
- Help: I Got Hacked. Now What Do I Do?
- Where to draw the line? When to recommend a format and reinstall?
Microsoft MVP - Consumer Security 2007-2012 
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
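The quoted description above of Sality's autorun component (a dropped .cmd/.pif/.exe at a drive root plus an autorun.inf that launches it) is the kind of thing a defender can check for before trusting a thumb drive. The following is an added example written for this page, not code from the thread or from BleepingComputer: it parses an autorun.inf for its launch directives (the real `open=`, `shellexecute=` and `shell\<verb>\command=` keys) and flags executables sitting at a drive root. The file name newfolder.exe is taken from the original post; the on-disk sample it builds is a constructed, harmless imitation, not malware.

```python
"""Added example: defender-side check for an autorun.inf at a drive root that
launches a dropped executable (the pattern described in the thread).
Everything it creates on disk is a harmless, constructed stand-in."""
import ntpath
import tempfile
from pathlib import Path

# Extensions the post describes being dropped at the root of discoverable drives
# (.cmd, .pif, .exe), plus .scr, which the family is described as infecting.
DROPPED_EXTENSIONS = {".exe", ".cmd", ".pif", ".scr"}

# autorun.inf keys whose value names a file to run when the drive is accessed.
EXEC_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Return the unique file names (lower-case basenames) an autorun.inf would launch.

    Hand-rolled rather than configparser so that junk lines without an '='
    (inserted to trip strict INI parsers) are skipped instead of aborting the parse.
    """
    launched = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        # open=, shellexecute= and shell\<verb>\command= all name a launch target.
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            tokens = value.strip().split()
            if not tokens:
                continue
            name = ntpath.basename(tokens[0].strip('"')).lower()
            if name and name not in launched:
                launched.append(name)
    return launched


def scan_drive_root(root):
    """Inspect one drive root; return (kind, file name) findings, empty when clean.

    kinds: 'autorun-launch'   autorun.inf points at a file present at the root
           'autorun-dangling' autorun.inf points at a file that is not there
           'root-executable'  executable at the root not named by autorun.inf
    """
    root = Path(root)
    findings = []
    launched = []
    inf = root / "autorun.inf"
    if inf.is_file():
        # latin-1 decodes any byte, so binary junk in the file cannot break the read.
        launched = parse_autorun(inf.read_text(encoding="latin-1"))
        for name in launched:
            kind = "autorun-launch" if (root / name).is_file() else "autorun-dangling"
            findings.append((kind, name))
    for entry in sorted(root.iterdir()):
        if (entry.is_file() and entry.suffix.lower() in DROPPED_EXTENSIONS
                and entry.name.lower() not in launched):
            findings.append(("root-executable", entry.name))
    return findings


def build_sample_drive():
    """Constructed imitation of the symptom from the post (newfolder.exe); NOT real malware."""
    root = Path(tempfile.mkdtemp(prefix="sample_usb_"))
    (root / "autorun.inf").write_text(
        "[autorun]\n"
        "\x05\x07 junk line with no delimiter, as seen in obfuscated autorun files\n"
        "open=newfolder.exe\n"
        "shell\\open\\Command=newfolder.exe\n"
        "shell\\explore\\command=\".\\newfolder.exe\" -e\n"
        "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
        "action=Open folder to view files\n",
        encoding="latin-1",
    )
    (root / "newfolder.exe").write_bytes(b"MZ placeholder bytes, not a program")
    (root / "setup.cmd").write_bytes(b"@echo placeholder\r\n")
    (root / "holiday.jpg").write_bytes(b"\xff\xd8 placeholder")
    return root


def build_clean_drive():
    """An empty drive root, for comparison."""
    return Path(tempfile.mkdtemp(prefix="clean_usb_"))


if __name__ == "__main__":
    for label, drive in (("sample", build_sample_drive()), ("clean", build_clean_drive())):
        print(label, scan_drive_root(drive) or "no findings")
```

Point it at a real mount point with `scan_drive_root("E:/")` (or the equivalent path on another OS) from a clean machine; any finding means the drive should be treated as untrusted and its contents inspected before AutoPlay ever touches it. The matching of launched names to files is case-sensitive on case-sensitive filesystems, so lower-case the comparison on both sides if you adapt it.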
#3
Posted 29 December 2010 - 11:35 AM
Hello, can anyone please expand on Quietman7's quote: "Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection."
Basically, my computer has a recovery partition, as well as 3 recovery DVDs that I created.
So if I had Virut or Sality, would restoring the computer using the recovery DVDs to its factory settings NOT guarantee the removal of the virus?
Also, I used the Windows 7 utility to create an image of my PC, which is stored on an external hard drive; would restoring to that image NOT guarantee the removal of the virus?
Thank you very much for explaining this to me, I would appreciate it.
Do the two methods I have mentioned actually wipe the original hard drive, or just write on top, thus leaving the infection?
#4
Posted 29 December 2010 - 05:25 PM
Quote
So if I had Virut or Sality, would restoring the computer using the recovery DVDs to its factory settings NOT guarantee the removal of the virus?
Depends on whether the recovery partition itself was not infected. If so, you would need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead. If you lost or misplaced your recovery disks, again you can contact and advise the manufacturer. In many cases they will send replacements as part of their support.
If you have made a disk image with an imaging tool (i.e. Acronis True Image, Drive Image, Ghost, Macrium Reflect, etc.) before your system was infected, then using it is another option. Disk imaging allows you to take a complete snapshot (image) of your hard disk which can be used for system recovery in case of a hard disk disaster or malware resistant to disinfection. The image is an exact, byte-by-byte copy of an entire hard drive (partition or logical disk) which can be used to restore your system at a later time to the exact same state the system was in when you imaged the disk or partition. Essentially, it will restore the computer to the state it was in when the image was made. You will then have to reinstall all programs that you added afterwards. This includes all security updates and patches from Microsoft.
If you're not sure how to reformat and reinstall Windows, please review:
These links include specific step-by-step instructions with screenshots:
Vista users can refer to these instructions:
- Windows Vista Clean Install
- How to Do a Clean Install and Setup with a Full Version of Vista
- How to Do a Clean Install with a Upgrade Version of Vista
Windows 7 users can refer to these instructions:
Microsoft MVP - Consumer Security 2007-2012 
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
#5
Posted 30 December 2010 - 02:12 PM
Many thanks Quietman7, I really appreciate your detailed answer and links. Very much appreciated.