Win32/Sality. NAQ Virus


5 replies to this topic

#1 asterias

asterias

  • Members
  • 1 posts

Posted 05 April 2010 - 12:04 AM

Hi

I am having an infection on my laptop.

These are some of the symptoms that I see:

1. I have ESET NOD32. On startup it says:

Threat Found
C:\windows\system32\drivers\mpfqn.sys

Threat : win32/sality.NAQ virus

2. I can't open msconfig or regedit or Task Manager.

3. Any thumb drive placed into the laptop automatically has folders like newfolder.exe.

4. Can't even open bleepingcomputer.com/forums from the infected laptop. As soon as the page opens, the browser window (Google Chrome) automatically closes.

Please, can someone help me fix it?


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,384 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 April 2010 - 07:34 AM

I'm afraid I have very bad news. Your system is infected with a nasty variant of Win32/Sality. This family of malware is a polymorphic file infector which infects .exe, .scr files, downloads more malicious files to your computer, steals sensitive system information/passwords and sends it back to the attacker.

Please see Kaspersky's Threat Encyclopaedia of Win32.Sality.NAO.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

As with many other malware, Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped file(s) when the drive is accessed.

About Sality Virus

If the computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Because your computer was compromised, please read:

Since Win32.Sality is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards.

That's why most security experts say the best course of action is to wipe the drive clean, reformat and reinstall the OS.

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what security expert miekiemoes has to say: Virut and other File infectors - Throwing in the Towel?

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall...dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall...After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.

This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
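quietman7 describes the autorun component above: a dropped .cmd, .pif or .exe in the root of any reachable drive, plus an autorun.inf that tells Windows to launch it. The script below is an added example (mine, not code from this thread or from any vendor) that shows what a responder would check on a thumb drive from an infected machine: it parses the autorun.inf, extracts every file the `open`, `shellexecute` and `shell\<verb>\command` directives would launch, and cross-checks those names against the files actually present in the drive root. The function names, the `SUSPICIOUS_EXT` list and both sample autorun.inf files are my own assumptions; `newfolder.exe` is the name from the original post, `xbgvhh.pif` is invented.

```python
import re
from pathlib import Path

# Directives under [autorun] that make Windows launch a file on AutoRun.
# 'open' and 'shellexecute' are real autorun.inf keys; shell\<verb>\command
# is the per-verb form (for example shell\open\command).
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Extensions quietman7's post names as dropper types (.exe, .cmd, .pif) plus
# a few other directly executable types. This list is my own choice.
SUSPICIOUS_EXT = {".exe", ".cmd", ".pif", ".com", ".bat", ".scr"}


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased.

    Tolerant on purpose: worm-written autorun.inf files are often padded
    with junk lines, so anything that is not a key=value line inside
    [autorun] is ignored rather than treated as a parse error.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def first_token(value):
    """Program part of a command value: a quoted path or the first word."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def launch_targets(entries):
    """Base names of the files the autorun.inf would execute, in file order."""
    targets = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            prog = first_token(value)
            if prog:
                targets.append(Path(prog.replace("\\", "/")).name.lower())
    return targets


def triage_drive_root(root_listing, autorun_text):
    """Cross-check autorun.inf against the files actually in the drive root.

    root_listing: file names in the root of the removable drive. A real run
    would pass os.listdir() of the drive letter; the samples below are
    constructed lists.
    """
    names = {n.lower() for n in root_listing}
    targets = launch_targets(parse_autorun(autorun_text))
    present = sorted(t for t in set(targets) if t in names)
    missing = sorted(t for t in set(targets) if t not in names)
    unreferenced = sorted(n for n in names
                          if Path(n).suffix in SUSPICIOUS_EXT and n not in targets)
    launches_executable = any(Path(t).suffix in SUSPICIOUS_EXT for t in targets)
    return {
        "launch_targets": targets,
        "present_targets": present,
        "missing_targets": missing,
        "unreferenced_executables": unreferenced,
        "verdict": "suspicious" if launches_executable else "benign",
    }


# Constructed sample of the kind of autorun.inf the thread describes: it
# points at newfolder.exe (name from the original post) and at a second
# dropped .pif with an invented name; the junk line mimics padding.
SAMPLE_AUTORUN = r"""[autorun]
;ZK7fq09gna3 junk
open=newfolder.exe
shell\open\Command="newfolder.exe" /s
shellexecute=xbgvhh.pif
icon=%SystemRoot%\system32\SHELL32.dll,4
"""
SAMPLE_ROOT = ["autorun.inf", "newfolder.exe", "xbgvhh.pif", "report.docx"]

# Constructed benign sample: only sets an icon and a volume label.
BENIGN_AUTORUN = "[autorun]\nicon=setup.exe,0\nlabel=Product CD\n"
BENIGN_ROOT = ["autorun.inf", "setup.exe"]

if __name__ == "__main__":
    for root, inf in ((SAMPLE_ROOT, SAMPLE_AUTORUN), (BENIGN_ROOT, BENIGN_AUTORUN)):
        print(triage_drive_root(root, inf))
```

A "suspicious" verdict here means only that the autorun.inf would launch an executable from the drive root; that is the behaviour to look for, but confirming the file is Sality is a job for a scanner on a clean machine, and per the advice above the infected PC itself should not be trusted to do the checking.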

#3 MMMM2424

MMMM2424

  • Members
  • 8 posts

Posted 29 December 2010 - 11:35 AM

Hello, can anyone please expand on Quietman7's quote: "Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection."
Basically, my computer has a recovery partition, as well as 3 recovery DVDs that I created.

So if I had Virut or Sality, would restoring the computer using the recovery DVDs to its factory settings NOT guarantee the removal of the virus?

Also, I used the Windows 7 utility to create an image of my PC, which is stored on an external hard drive. Would restoring to that image NOT guarantee the removal of the virus?
Thank you very much for explaining this to me, I would appreciate it.
Do the two methods I have mentioned actually wipe the original hard drive, or just write on top, thus leaving the infection?

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,384 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 December 2010 - 05:25 PM

If you're not sure how to reformat and reinstall Windows, please review:
These links include specific step-by-step instructions with screenshots:
Vista users can refer to these instructions:
Windows 7 users can refer to these instructions:

So if I had virut or sality, would restoring the computer using the recovery dvd's to its factory settings, NOT guarantee the removal of the virus ?

It depends on whether the recovery partition itself was also infected. If it was, you would need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead. If you lost or misplaced your recovery disks, again you can contact and advise the manufacturer. In many cases they will send replacements as part of their support.

If you have made a disk image with an imaging tool (i.e. Acronis True Image, Drive Image, Ghost, Macrium Reflect, etc.) before your system was infected, then using it is another option. Disk imaging allows you to take a complete snapshot (image) of your hard disk which can be used for system recovery in case of a hard disk disaster or malware resistant to disinfection. The image is an exact, byte-by-byte copy of an entire hard drive (partition or logical disk) which can be used to restore your system at a later time to the exact same state the system was in when you imaged the disk or partition. Essentially, it will restore the computer to the state it was in when the image was made. You will then have to reinstall all programs that you added afterwards. This includes all security updates and patches from Microsoft.

#5 MMMM2424

MMMM2424

  • Members
  • 8 posts

Posted 30 December 2010 - 02:12 PM

Many thanks Quietman7, I really appreciate your detailed answer and links. Very much appreciated.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,384 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 December 2010 - 04:31 PM

You're welcome.



