Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Got infected by my biggest enemy online : Sality

  • This topic is locked This topic is locked
2 replies to this topic

#1 Tyson_08


  • Members
  • 8 posts
  • Local time:06:50 AM

Posted 26 April 2012 - 12:04 PM

Well, a year back sality was into my system for the first time. It took me almost 2 weeks to get rid of it and the infected files as well... but this time, the scenario is different. I've got around 200GB of Data which includes a lot of executable files, which most probably got infected by Sality as well.

I removed most of Sality + many infected files using AVG Sality Remover, Kaspersky SalityKiller, Malwarebytes and avast! Boot Scan. The virus is inactive right now, but it still makes me feel as if its hiding somewhere on my system. I want to get rid of it, completely! Another thing I want gone, is the infected files themselves. Like, I had ComboFix on my desktop, it got corrupt as well but no anti-virus/anti-rootkit detects it as malicious. But the size of the ComboFix file has gone down to 26kb & avast auto-sandboxes it saying 'avast! is analyzing a suspicious program - We did not find enough evidence to identify the file as malware, however, you should use extreme caution when accessing it.' So, I'm a bit happy with the help from avast - other's didn't even care about it being executed. ;)

Virustotal Scan here :

Anubis Scan here :

This is what mostly happened to all my executable files, all decreased to size below 1 Mb and acting weird, showing corrupt/damaged setup messages, NSIS and NCRC file error messages, etc.
I repeat once again, it seems Sality itself is inactive but the infected files are still everywhere on my system.
I want to get rid of them, and no antivirus is actually helping me up in detecting them.
Also, is there a utility that can actually detect such file [infected by sality]?
I'm fine with formatting once again, but I don't want to lose all my data (I can't take an online backup, neither do I have something for offline backup).

A few samples of files which got infected (don't download if you don't know what you're doing) :

I'm attaching GMER (IAT/EAT unchecked) & OTL (quick scan) logs, if any more logs are needed please let me know... :)

Attached File  GMER 26 april.txt   157.58KB   2 downloads
Attached File  OTL 26 april.Txt   128.82KB   2 downloads

Thanks in advance,

Edited by Tyson_08, 27 April 2012 - 11:22 AM.
Link obfuscated

BC AdBot (Login to Remove)


#2 nasdaq


  • Malware Response Team
  • 39,899 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:50 AM

Posted 01 May 2012 - 09:53 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

This is the only suspicious process found on your OTL log.

Did your run this process and know what it it?

C:\Documents and Settings\PC\My Documents\Downloads\80cm1856.exe

If not please scan it at Jotti and post the results.

This is my speech on Sality

I'm afraid I have very bad news.

Win32/Sality is a dangerous polymorphic file infector which infects .exe, .scr files, creates a peer-to-peer (P2P) botnet that compromises your computer, downloads more malicious files to your computer, steals sensitive system information/passwords and sends it back to the attacker.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.


As an entry-point obscuring (EPO) polymorphic file infector, the virus gains control of the host body by overwriting the file with complex and encrypted code instructions. The goal of the complex code is to make analysis more difficult for researchers to see the real purpose and functionality implemented in the code...Infected files will have their original, initial instructions overwritten by complex code instructions with the encrypted viral code body located in the last section of the file.

Symantec's Assessment of Win/32Sality

As with many other malware, Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped file(s) when the drive is accessed.

About Sality Virus

Sality is commonly spread via a flash drive (usb, pen, thumb, jump) where it can infect executable files on local, removable and remote shared drives. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

Since Win32.Sality is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

If you wish to continue let me see the results of this scan.
I cannot promise you that we will completely remove all traces of this file infector.

ComboFix is not an infected program if downloaded from one of these sites.
Your Anti virus program may object to it. Makes sure it's disable. If you still have an old version you will be asked to update the tool. Please do so.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall

#3 nasdaq


  • Malware Response Team
  • 39,899 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:50 AM

Posted 07 May 2012 - 10:22 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users