OMG!! A Patching Virus FROM HELL, IT JUST WONT DIE.


4 replies to this topic

#1 vladmir21

  • Members
  • 38 posts

Posted 02 November 2009 - 04:10 AM

Hi all, I'm at a friend's place, and have run Avast antivirus.
It removed some Sality virus files from System Restore, but some weird virus is still remaining, which doesn't allow me to open regedit.
Well, I ran MBAM and then I can open regedit, but still can't go to My Computer/Properties to turn off System Restore.
It also won't let me open the Security Center in XP, and it has switched off my Windows Firewall.
I have run RootRepeal, but while trying to scan for hidden services, the scan abruptly stops.

I'm at a loss, I can't even access Add/Remove Programs.

Edit: I have downloaded and run Dr. Web's CureIt; it says no virus found, but tells me my hosts file has been infected.
And asks me would I like to restore it.
I of course say yes.
Problems with opening My Computer/Properties and XP Security Center remain.

I can run HijackThis. At first I removed F2 rundll32.exe
It hasn't shown up since in the HijackThis scan, but rundll32.exe was interfering with my installation of Avira etc.
It's rundll32.exe that stops me from opening stuff.

Edited by vladmir21, 02 November 2009 - 05:49 AM.



#2 vladmir21
  • Topic Starter

  • Members
  • 38 posts

Posted 02 November 2009 - 04:32 AM

I downloaded Win32/Virut Remover 1.2.0.453 from here:
http://www.softpedia.com/get/Antivirus/Win...t-Remover.shtml
It found no infected files.

I also downloaded Win32-Sality-Remover
http://www.softpedia.com/get/Antivirus/Win...y-Remover.shtml
It found no infected files.

I'm most certainly infected.

#3 vladmir21
  • Topic Starter

  • Members
  • 38 posts

Posted 02 November 2009 - 07:30 AM

Hmm, I think I fixed it.
Just did a search for rundll32.exe and deleted the files.
Bam, I could access Security Center etc.

Please close this thread, thank you.

Edited by vladmir21, 02 November 2009 - 07:31 AM.


#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,945 posts
  • Location:Virginia, USA

Posted 02 November 2009 - 12:37 PM

Please see ThreatExpert's awareness of Win32.Sality.

The Sality family is a family of polymorphic file infectors which infects .exe and .scr files, downloads more malicious files to your computer, steals sensitive system information/passwords and sends it back to the attacker.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

As with many other malware, Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped file(s) when the drive is accessed.

About Sality Virus

If the computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach.

Sality/Win32.Sector is not effectively disinfectable. Your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#5 vladmir21
  • Topic Starter

  • Members
  • 38 posts

Posted 03 November 2009 - 01:06 AM

Thanks quietman7, I will let him know.
For now I have installed 2 applications.
One is Avast! 60-day trial, with all shields on.
You see, this virus gets on his laptop through the "My Network Places" option.
I think the virus is sitting somewhere on the LAN and trying to infect other PCs on the network.
DefenseWall HIPS has a particular option to "Run from local area network as untrusted" and I think this is exactly what I want.

The reason I feel the virus couldn't do much damage (although stealing passwords is @#$%^&* serious) was because in each of the drives,
there was beforehand an undeletable folder named AUTORUN.INF created by the application USB Disk Security.
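Two things in this thread lend themselves to a quick defender-side check: quietman7's description of Sality dropping a .cmd/.pif/.exe plus an autorun.inf to the root of every reachable drive, and the last post's point that a pre-existing AUTORUN.INF folder blocks that vector (a dropper cannot create a file where a directory of the same name already exists). The first post also mentions CureIt reporting the hosts file as tampered, which is how infections of this type block access to vendor sites. The script below is an added example written for this page, not code from any poster or from any of the tools named here. It builds two constructed drive roots in a temporary directory (one with a sample autorun.inf pointing at a placeholder "dropped.exe", one with the protective folder), parses the [autorun] section for keys that launch a program, and scans a constructed hosts file for entries that pin security-vendor domains; the vendor domain list is a short illustrative set, not taken from the thread.

```python
import os
import tempfile
from pathlib import Path

# [autorun] keys that run a program when the drive is opened or AutoPlay fires.
LAUNCH_KEYS = {"open", "shellexecute"}
DROPPED_EXTS = {".exe", ".cmd", ".pif", ".bat", ".com", ".scr"}
# Illustrative list of vendor domains (assumption for this example; extend as needed).
SECURITY_DOMAINS = ("avast.com", "avira.com", "drweb.com", "malwarebytes.com", "microsoft.com")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section only, keys lower-cased."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Yield (key, command) pairs that would execute a program: open=,
    shellexecute=, and shell\\<verb>\\command= entries."""
    for key, value in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            yield key, value


def audit_drive_root(root):
    """Inspect <root>/autorun.inf and return a list of (severity, message)."""
    root = Path(root)
    inf = root / "autorun.inf"
    if inf.is_dir():
        # The AUTORUN.INF folder trick: a dropper cannot write a file of that
        # name here, so the autorun vector is blocked on this drive.
        return [("info", "autorun.inf is a protective directory")]
    if not inf.exists():
        return []
    findings = []
    for key, cmd in launch_targets(parse_autorun(inf.read_text(errors="replace"))):
        exe = cmd.split()[0].strip('"') if cmd.split() else cmd
        ext = os.path.splitext(exe)[1].lower()
        present = (root / exe).exists()
        # Highest concern: a launch key pointing at a dropped executable that is on the drive.
        sev = "high" if ext in DROPPED_EXTS and present else "medium"
        findings.append((sev, f"{key}={cmd} -> {exe} {'present' if present else 'missing'}"))
    return findings


def audit_hosts(text):
    """Return (address, hostname) pairs where a security-vendor host is pinned
    in the hosts file; a clean hosts file normally maps only localhost."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            n = name.lower()
            if any(n == d or n.endswith("." + d) for d in SECURITY_DOMAINS):
                hits.append((addr, name))
    return hits


# Constructed sample, modelled on the dropped autorun.inf the thread describes.
SAMPLE_AUTORUN = """[autorun]
; constructed sample; dropped.exe is a placeholder name
open=dropped.exe
shell\\open\\command=dropped.exe
shell\\explore\\command=dropped.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed sample hosts file with two vendor sites pinned to loopback.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 www.avast.com
127.0.0.1 www.drweb.com
"""


def demo():
    """Create two constructed drive roots in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        infected = Path(tmp) / "E"
        infected.mkdir()
        (infected / "autorun.inf").write_text(SAMPLE_AUTORUN)
        (infected / "dropped.exe").write_bytes(b"MZ")  # placeholder bytes, not a real PE
        protected = Path(tmp) / "F"
        (protected / "autorun.inf").mkdir(parents=True)  # the USB Disk Security-style folder
        return {
            "infected": audit_drive_root(infected),
            "protected": audit_drive_root(protected),
            "hosts": audit_hosts(SAMPLE_HOSTS),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name)
        for finding in findings:
            print("  ", finding)
```

On a real machine you would point audit_drive_root at each drive letter (and at the root of any network share the laptop mounts, since the last post suspects the LAN as the source) and audit_hosts at the live hosts file; a "high" finding means a launch key references an executable that is actually sitting on that drive, which is exactly the drop-and-autorun pattern quietman7 describes.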
