Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Odd changes taking place ...

  • Please log in to reply
1 reply to this topic

#1 Pyratepig


  • Members
  • 2 posts
  • Local time:02:26 AM

Posted 25 December 2011 - 03:44 PM

So a few days ago, I downloaded several things such as cracking tools, thinking they were safe as I scanned them on Anubis and VirusTotal. Nothing really happened. They worked fine and Norton and MBAM didn't say anything about the file so I thought it was all good. Then yesterday when I logged on, I noticed the theme changed back to like, Windows 98 or something and Malwarebytes Anit-Malware wouldn't start and an error popped up as if it was terminated before it could start all the way. Then when I signed in to Skype, I entered a conversation with a group of my friends from a website to tell them what's up and when I looked at the conversation window with the connection time thing for the webcams and microphones, I realized it was unusably red, unlike before when it would always be green. I clicked on it and it said the sound card couldn't be found. I freaked a little and went into my iTunes to see if the sound would work. Sure enough, it didn't. It wouldn't let me play any of my songs because of the sound card. I tried looking into it but got no where with it. My last option is to use the OS disk to reinstall the operating system but I'm not allowed to since apparently it will mess the router up, which I don't think it would.

Also, Norton would pop up and sat that a security risk would be found something like, "W32.Sality.AE" or something along those lines.

Theme now:
Posted Image

Sound card:
Posted Image

Malwarebytes at start up:

Posted Image

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,754 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:26 AM

Posted 27 December 2011 - 11:37 PM

Win32/Sality is a dangerous polymorphic file infector which infects .exe, .scr files, creates a peer-to-peer (P2P) botnet that compromises your computer, downloads more malicious files to your computer, steals sensitive system information/passwords and sends it back to the attacker.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.


As an entry-point obscuring (EPO) polymorphic file infector, the virus gains control of the host body by overwriting the file with complex and encrypted code instructions. The goal of the complex code is to make analysis more difficult for researchers to see the real purpose and functionality implemented in the code...Infected files will have their original, initial instructions overwritten by complex code instructions with the encrypted viral code body located in the last section of the file.

Symantec's Assessment of Win/32Sality

As with many other malware, Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped file(s) when the drive is accessed.

About Sality Virus

Sality is commonly spread via a flash drive (usb, pen, thumb, jump) where it can infect executable files on local, removable and remote shared drives. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

Since Win32.Sality is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users