trying to remove Win32/Sality


4 replies to this topic

#1 ferreria

ferreria

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Alabang, Muntinlupa
  • Local time:01:48 PM

Posted 21 January 2010 - 05:02 AM

OS: Windows XP Professional SP3

VIRUS: Win32/Sality (as far as I know...)

ANTIMALWARE: uninstalled Virus Chaser, replaced with Microsoft Security Essentials

DETAILS/RANT:
I've been trying to get rid of this Win32/Sality on my work computer for about a week now; browsing through forums will only get one so far... :thumbsup: I'm a total noob at this, so if there's any additional info you need please let me know.

So, here's how it's gone so far.

*Finally* succeeded in getting one of the IT guys to reformat this piece of junk this morning. I remembered to ask him to repartition it as well. I'm not quite sure how to find the specs of this thing; all I know for sure is they installed Windows XP SP3. Most of my other programs are in Korean; I teach English online and basically have to just download the video, phone and messenger programs from the company sites.

The first thing I noticed after the reformat was I couldn't seem to access any Microsoft websites on Internet Explorer. Got Google Chrome instead and everything worked fine from there.

Uninstalled "Virus Chaser" (this weird security program they installed from an old CD)

DLd Microsoft Security Essentials, updated it, plugged in my external hard drive and scanned it. It found "Win32/Sality.gen!p" on E:\Seagate\Registration\Seagate-Release.exe. I picked Disinfect and got back an error message:

Microsoft Security Essentials couldn't apply the action(s) you selected... Error code 0x80501001.

No idea what that means; I tried the Security Essentials forums but so far SOL :flowers: Was getting the same error before the reformat. Is this a false positive or a real virus? Now what? Any help would be appreciated.

I will be running a full scan with MSE in a few seconds, and probably reDL Malwarebytes or SuperAntispyware.

#2 certifiednerd

certifiednerd

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:48 AM

Posted 21 January 2010 - 07:41 AM

It sounds like the infection is on an external drive. If in fact you do have an external drive connected, disconnect it and scan again and see if it comes up. If you don't have an external drive (or flash drive) connected and you're bringing up drive E, you may have some issues with a reload.

But if it is on an external, pull the info you need off of it and run a full format on it.

#3 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:10:48 PM

Posted 21 January 2010 - 02:32 PM

What is drive E?
Sality is a polymorphic type of virus and it's NOT curable.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

#4 ferreria

ferreria
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Alabang, Muntinlupa
  • Local time:01:48 PM

Posted 22 January 2010 - 03:05 AM

It's an external hard drive, a Seagate Expansion 500GB. I ran the scan again and selected "Remove" this time; seems to have worked.

What is a polymorphic virus, anyhow? In layman's terms, please; I just googled it and Wikipedia just melted my brain:

"If a Dog is commanded to speak(), it may emit a bark, while if a Pig is asked to speak(), it may respond with an oink. Both inherit speak() from Animal, but their subclass methods override the methods of the superclass, known as overriding polymorphism. Adding a walk method to Animal would give both Pig and Dog objects the same walk method."

LOL :D what??

#5 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:10:48 PM

Posted 22 January 2010 - 12:50 PM

Let's try in layman's terms :thumbsup:
The two best known types of polymorphic file infector viruses are Virut and Sality.
Regular viruses simply create some executable file(s) on your computer and then proceed with all kinds of damaging actions they're programmed to do.
Virut and Sality have the very same target, but they work in a very different way.
They actually replace parts of the code of legitimate, vital Windows system files, mostly exe and scr type files (explorer.exe, svchost.exe, userinit.exe, etc.).
Some other types of files may be affected too, like htm, html, asp and php files.
In the case of a regular virus, the curing action is pretty straightforward; using all kinds of special tools, you eliminate the files created by said virus.
In the case of a polymorphic virus, you'd have to start replacing all legit system files with healthy ones. In theory... Practically, it's impossible to replace all infected files at once.
How do you make sure every single infected file has been replaced?

I tried, in layman's terms...
More info: http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE
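Broni's closing question (how do you prove that every modified executable has been replaced?) is the part a defender actually has to operationalize. The usual answer is a file-integrity baseline: hash every executable on a known-clean system, and after a suspected file-infector outbreak re-hash and report anything that differs. The script below is an added example for this thread, not a BleepingComputer tool and not anything the posters used; it builds a baseline of SHA-256 hashes for `.exe`/`.scr` files under a directory, then reports modified, missing and newly added executables. The directory layout, file names and contents in `demo()` are constructed for the demonstration.

```python
"""Baseline-and-verify integrity check for executable files.

Added example (not from the thread or any BleepingComputer tool). It
illustrates the point that after a file-infector outbreak the hard part is
proving that *every* altered executable has been replaced: hash every
.exe/.scr file against a baseline taken from a known-clean system or the
installation media, then report anything that differs. All paths, names and
file contents in demo() are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".scr"}  # file types the thread says Sality targets


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each executable's path (relative to root) to its SHA-256 digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash the tree and classify every executable against the baseline.

    'modified': present in both but the digest changed (the file-infector case)
    'missing':  in the baseline but gone now
    'new':      an executable that was not in the clean baseline at all
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean tree, alter it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        files = {  # constructed stand-ins, not real Windows binaries
            "system32/explorer.exe": b"MZ clean explorer",
            "system32/userinit.exe": b"MZ clean userinit",
            "logon.scr": b"MZ clean screensaver",
            "readme.txt": b"not an executable; ignored by the check",
        }
        for rel, data in files.items():
            (root / rel).write_bytes(data)
        baseline = build_baseline(root)

        # Simulate what a later scan would face: one executable altered in
        # place, one deleted, and one executable that was never in the baseline.
        with (root / "system32/userinit.exe").open("ab") as f:
            f.write(b" <appended bytes>")
        (root / "system32/explorer.exe").unlink()
        (root / "system32/svchost.exe").write_bytes(b"MZ unexpected file")
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The baseline only has value if it was taken from a system you trust (fresh installation media or a machine you know is clean), which is exactly why the thread's advice to reformat comes first; comparing an infected machine against itself proves nothing. On a real host you would store the baseline off the machine and hash a far larger set of paths, but the classification logic is the same.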
