
Sality virus



#1 jon2
Posted 16 March 2009 - 09:11 AM

I'm infected. All of my exe's are infected. How can I repair or heal the infected files, while my scanner suggests deleting them?


#2 quietman7


Posted 16 March 2009 - 10:28 AM

Sality is a family of file infecting viruses that spread by infecting exe and scr files. The virus also includes an autorun worm component that allows it to spread to any removable or discoverable drive. In addition, Sality includes a downloader trojan component that installs additional malware via the Web...

About Sality Virus
Win32/Sality Family

If the computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before co

There is no guarantee the infection can be completely removed. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Should you decide not to follow that advice, you can try the AVG Win32/Sality Remover. It was last updated in June 2007 and is not always effective for the reasons I indicated above. Follow the instructions exactly as specified and pay close attention to the instructions, including the note on administrator rights.
alternate download

Since this infection is often spread via USB Flash drives, I recommend you also do the following:

Please download Flash_Disinfector by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run the tool and follow any prompts that may appear.
  • If asked to insert your USB flash drive and other removable drives, please do so and allow the utility to clean up them as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Then download Sysclean Package and the latest Virus Pattern Files - (Pattern files are usually named lptxxx.zip, where xxx is the pattern file number) and save them to your desktop.
  • Be sure to print out and follow the instructions provided in the How to Use System Cleaner for performing a scan.
  • If you get a message that "required files are missing", click Ok and wait for sysclean.com to unpack them.
  • This tool generates a log file (sysclean.log) in the same folder where you ran it - C:\Sysclean.
-- When using Sysclean its best to use the Administrator's account or an account with Administrative rights otherwise you will not have access rights to scan some locations. You can Use the "Run As" Command to Start a Program as an Administrator. Even when doing that, the scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system.

-- Some anti-virus programs will alert you of a virus attack when running sysclean so it's best to disable them before performing a scan.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 jon2


Posted 16 March 2009 - 10:32 PM

My CounterSpy already deleted the autorun, but my hard disk is always checking every time I reboot. My partitioned drive is always checking for errors at every Windows startup, even when I turn off my computer properly.

#4 jon2


Posted 16 March 2009 - 11:05 PM

What do you think? I can't afford to reformat now because I haven't backed up all of my files. BTW, do you think this virus had already spread after my scanner detected it? I disabled autoplay and did not open the USB. Some of the installers inside it had been infected and were deleted by my scanner. I also used noobkiller to delete autoruns inside removable drives.

#5 jon2


Posted 16 March 2009 - 11:06 PM

My only problem now is whether my connection is secure, and my drive D is always checking for errors after rebooting. How can I fix it? Is it another type of malware?

#6 quietman7


Posted 17 March 2009 - 07:44 AM

There is no guarantee your computer can be trusted for the reasons previously explained.

Is it another type of malware?

Hard to determine. Malware such as Sality is known to download other types of malicious files which in turn create their havoc on a system. Did you follow the instructions I provided?

My partitioned drive is always checking for errors every windows startup

Check Disk - Disk Checking Runs Upon Boot.

This issue can occur if the System registry hive or the Software registry hive is damaged, or if both of the following conditions are true:
  • You use a Hewlett Packard (HP) ScanJet 5100c scanner with the HP driver.
  • You have not updated the scanner driver to the Windows XP version that is available from Hewlett Packard.

MS Article ID: 316506: Chkdsk Runs Each Time That You Start Your Computer

#7 jon2


Posted 17 March 2009 - 08:44 AM

My PC runs fine now after rebooting and after using Sysclean. Do I need to post the log? I also ran noobkiller and it identified 6 infected svchost. Flash Disinfector created several autorun.inf folders; is it normal? I usually install various malware scanners, then after disinfecting I uninstall them and try another to be sure it will catch other things. What I'm curious about is what firewall I should use. I used ThreatFire before and it identified malicious behaviour whenever a worm or virus multiplied itself, but I think it cannot detect all. I used Kaspersky, BitDefender, Trend Micro PC-cillin, NOD32, Avast, AVG, Spybot, SAS, Malwarebytes, CounterSpy, Avira, McAfee, Norton, Comodo, Kerio, Outpost, Advanced System Protect.

Checkdisk is not running now after the reboot. My Windows startup is fine now and faster. I uninstalled all of my firewalls and antivirus temporarily. Should I burn my data to CD and reformat? BTW, all the installers infected by Sality inside my USB flash drive have been deleted by Avira. All infected files are exe's. What do you think about the rest of my files? Yesterday I couldn't connect to the internet, or something was slowing down my connection so that I couldn't use BleepingComputer, but after scanning and uninstalling my protection I can connect now. I think my scanners have been modified, so I decided to uninstall them. Sysclean identified 5 viruses. I can't finish scanning using Malwarebytes; it is so slow.

Should I stick to CounterSpy and Avira? I'm using Outpost firewall because Comodo is slowing down my PC.

BitDefender and Kaspersky didn't catch Sality. Should I stick to Avira?

#8 jon2


Posted 17 March 2009 - 08:55 AM

Btw, the computer I used yesterday has the bwawe.exe virus which disables Task Manager, but I cleaned it on another computer. Then my USB caught another infection in a computer shop, with something saying that an update has finished and the system needs to reboot; I cleaned it again, and the last infection was Sality before going home. I decided to clean up my USB using my PC, and after inserting it (I disabled all autoplays) and doing a scan, Avira identified infected exe's but did not delete autorun; Malwarebytes did not detect anything. CounterSpy and noobkiller deleted autorun.inf.

I need a better firewall that will block unwanted popups and will protect my internet. I have used Spy Sweeper before and I think it can block popups, but I can't update, so I switched to CounterSpy. Should I use SpywareBlaster or Spybot? I also wanna try SAS, not the trial version, but I think it will eat up so much memory. I only have 256 RAM, and this combo of Avira, Outpost and CounterSpy runs fine on my PC with slight slowing down.

#9 quietman7


Posted 17 March 2009 - 09:12 AM

Flash disinfector created several autorun.inf folder is it normal?

Yes. Flash Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it, to help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Should I burn my data to cd and reformat?

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and What Do I Do? links I previously provided. As I already said, in some instances the malware may leave so many remnants behind that security tools cannot find them and your system cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition removes everything and is the safest action, but I cannot make that decision for you.

Reformatting a hard disk deletes all data. Should you decide to reformat, you can back up all your important documents, personal data files and photos to a CD, external hard drive or USB drive. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.PHP, .ASP, and .HTML) because they may be infected by malware. Some types of malware may even disguise themselves by adding their own extension to a file's existing extension and hiding it, so be sure you look closely at the full file name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

No single product is 100% foolproof and can detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Thus, a multi-layered defense using several anti-spyware products (including an effective firewall) to supplement your anti-virus combined with common sense and safe surfing habits provides the most complete protection.

The free version of SAS does not provide real-time protection or scheduled scanning so there is no need for it to run at startup...disable that feature and use it as a separate stand-alone on-demand scanner.

While not free, I recommend using Malwarebytes Anti-Malware and taking advantage of the Protection Module, which uses advanced heuristic scanning technology to monitor your system and provide real-time protection to prevent the installation of most new malware. This technology monitors every process and stops malicious processes before they can infect your computer. The database that defines the heuristics is updated as often as there is something to add to it. Enabling the Protection Module feature requires registration and purchase of a license key that includes free lifetime upgrades and support. After activation, Malwarebytes can be set to update itself and schedule scans automatically on a daily basis. The Protection Module is not intrusive, as it utilizes few system resources and should not conflict with other scanners or anti-virus programs.

SpywareBlaster is a program that blocks spyware tracking cookies in Internet Explorer and any browsers that use the Internet Explorer engine, including: AOL web browser, Avant Browser, Slim Browser and Maxthon (formerly MyIE2). It also provides protection for Mozilla Firefox, Netscape, Seamonkey, and Flock. SpywareBlaster restricts the actions of potentially dangerous sites by adding a list of sites and domains associated with known spyware, advertisers and marketers to the browser's "Restricted Sites Zone" and prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. SpywareBlaster does not run in the background. Instead it only requires installation and then enabling of all protection. After that you only have to check periodically for database updates using the built-in "Check for Updates" feature and then enable all protection again.

mvps.org is no longer recommending Spybot S&D or Ad-Aware due to poor testing results. See here - (scroll down and read under Freeware Antispyware Products). Further, most people don't understand Spybot's TeaTimer or how to use it and that feature can cause more problems than it's worth.

Free firewalls:
Comodo Free Firewall
Online Armor Free
Zone Alarm Free Basic Firewall
PC Tools Firewall Plus
Ashampoo FireWall Free
Outpost Firewall Free
Kerio Personal Firewall (available in a full and limited free edition)

Choosing a firewall is a matter of personal preference, your technical ability/experience, features offered, the amount of resources utilized, how it may affect system performance and what will work best for your system. A particular firewall that works well for one person may not work as well for another. You may need to experiment and find the one most suitable for your use.
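Added example (not a tool from this thread): a small Python script that applies the backup rule quietman7 gives above, skipping the executable, screensaver, autorun and script types he lists and flagging the hidden double-extension disguise he warns about, so the "review" pile can be checked by hand before anything is burned to CD. The extension lists are assumptions; ".inf" is included because the autorun.inf files discussed in the thread carry that extension.

```python
"""Triage a listing of file names for a post-reformat backup.
Executables, screensavers, autorun and script files are skipped; a
data-looking extension hiding in front of a risky one ("photo.jpg.exe",
"notes.txt     .scr") is reported as a double extension."""
from pathlib import PurePath

# Types the post says not to back up (assumption: matched case-insensitively).
# .inf is added because the autorun.inf files in the thread use it.
RISKY_EXT = {".exe", ".scr", ".ini", ".inf", ".php", ".asp", ".html"}
# Assumed list of ordinary data types a user wants to keep.
DATA_EXT = {".doc", ".docx", ".xls", ".pdf", ".jpg", ".png", ".txt", ".mp3"}


def classify(name: str) -> tuple[str, str]:
    """Return (decision, reason); decision is 'keep', 'skip' or 'review'."""
    # Strip each suffix so padding spaces ("doc     .scr") cannot hide the real one.
    suffixes = [s.strip().lower() for s in PurePath(name).suffixes]
    if not suffixes:
        return ("review", "no extension")
    last = suffixes[-1]
    if last in RISKY_EXT:
        if len(suffixes) > 1 and suffixes[-2] in DATA_EXT:
            return ("skip", f"double extension {suffixes[-2]}{last}")
        return ("skip", f"executable or script type {last}")
    if last in DATA_EXT:
        return ("keep", f"data file {last}")
    return ("review", f"unrecognised type {last}")


def plan_backup(names):
    """Group file names by decision so the 'review' pile can be checked by hand."""
    plan = {"keep": [], "skip": [], "review": []}
    for name in names:
        decision, reason = classify(name)
        plan[decision].append((name, reason))
    return plan


if __name__ == "__main__":
    # Constructed sample listing, standing in for a directory walk of the old drive.
    sample = ["report.doc", "holiday.jpg", "Setup.EXE", "photo.jpg.exe",
              "notes.txt     .scr", "autorun.inf", "archive.7z", "README"]
    for decision, items in plan_backup(sample).items():
        for name, reason in items:
            print(f"{decision:6} {name!r:24} {reason}")
```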

#10 jon2


Posted 17 March 2009 - 10:44 AM

Do I still need to install ThreatFire running in the background? The problem is it can detect in real time but not on an on-demand scan basis, so I cannot use it to identify previous infections. Can Spyware Terminator with real-time protection (free) replace Malwarebytes (registered version)? How about a-squared Anti-Malware?

#11 quietman7


Posted 17 March 2009 - 11:19 AM

Can spyware terminator with realtime protection(free)replace malwarebytes (registered version)?

No but it can supplement it. I use both myself. Threatfire would probably be overkill.

How about a squared anti malware?

Too many false positives IMO.

#12 jon2


Posted 17 March 2009 - 12:48 PM

Can I use Spyware Doctor with Antivirus as real-time (but a memory sucker), or MBAM Pro and Avira AntiVir, or VIPRE/CounterSpy real-time, with on-demand scanners being Avira, Spyware Doctor, MBAM, SAS, GMER? What about Dr.Web CureIt and DefenseWall? I read good reviews.

#13 jon2


Posted 17 March 2009 - 12:51 PM

Can I run 2 parallel real-time protections like MBAM + any other combination? Do I still need a firewall anyway? I still get infected with or without a firewall. ThreatFire is the first line of defense and it is included as an add-on in Spyware Doctor, but it eats so much RAM. VIPRE can remove known threats. Still can't decide because of my RAM.

#14 jon2


Posted 17 March 2009 - 12:54 PM

I think I want to keep MBAM running in the background because it only uses 1 MB of RAM, but I'm still not contented because sometimes it fails me, so I need another one like CounterSpy/VIPRE (satisfied with it, but scanning and cleaning is slow) and Avira (very impressed).

#15 jon2


Posted 17 March 2009 - 01:39 PM

Why does my clock keep switching to military format and then back again? It all happened after using smitfraud.exe.