

Infected by win32/Sality.nba and win32/browseFox.B


17 replies to this topic

#1 chaj


Posted 10 January 2014 - 02:16 PM

Hello,

 

A couple of days ago, I made a stupid mistake. I downloaded and installed a piece of software from the internet without checking everything first. This software apparently installed, at the same time and without my consent, the Iminent start search bar.

When the installation ended, my browser (Chrome) crashed immediately. I tried to open it again; new crash.

Freaked out, I used the system save to go back to a previous version of the computer. My last copy was from the day before.

I thought it would be enough. But after having doubts yesterday evening, I ran a quick scan with Malwarebytes. It found 530 malware items in the system.

I then looked all over the web in a panic to find a solution and found this thread: http://www.bleepingcomputer.com/forums/t/486024/cannot-get-rid-of-iminent/

 

I did:

TDSSKiller - nothing found

Farbar's MiniToolBox - useless

AdwCleaner by Xplode - Search for Adware - 2 things in the browser found and deleted

Junkware Removal Tool by thisisu - found secret sauce file

 

Then I thought it was all good. But tonight I ran a new scan with the other software from the thread.

 

ESET online scanner

 

For the time being, it has found 11 files infected with Win32/Sality.NBA, the Win32/BrowseFox.B application, and the Sality worm for other drivers.

 

I'm totally freaked out; the scan doesn't seem to work anymore and has been stuck at 43% for 10 minutes now. What do I do? Do I restore the whole system tomorrow? (I don't have the files on me right now.)

 

OS: Windows 7


Edited by chaj, 10 January 2014 - 02:18 PM.




#2 xXToffeeXx

Malware Response Instructor

Posted 10 January 2014 - 02:29 PM

Hi,

 

Sality is a polymorphic file infector. Virus:Win32/Sality.AT is a detection for a virus that spreads by infecting Windows executable files and by copying itself to removable and remote drives. It also terminates various security products, prevents certain Windows utilities from executing and attempts to download additional files from a predefined remote Web server.

 

All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.

 

Sality is not effectively disinfectable. Your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted, and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS.

 

See here for more information about Sality. Trying to clean a sality infection is notoriously hard. The choice is yours, but it is much easier and quicker just to reformat, and be certain your computer is clean.

 

xXToffeeXx~


Edited by xXToffeeXx, 10 January 2014 - 02:29 PM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~
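The reply above describes Sality as a polymorphic file infector: it rewrites existing Windows executables in place rather than just dropping a new file, which is why scanners flag files that were on the machine long before the infection. The script below is an added example (not code from this thread, nor from any of the tools named in it) of the offline integrity check that makes such an infection visible: hash every PE file on a volume from a clean boot environment, then compare a later snapshot and list which executables changed, appeared or vanished. The volume layout, file names and the "appended viral section" marker are constructed for the demo; on a real machine you would point `build_baseline` at the mount point of the infected volume.

```python
"""Detect modified Windows executables by comparing SHA-256 baselines.

Added example, not code from the BleepingComputer thread. A file infector
rewrites existing PE files, so a hash baseline of every executable on the
volume (taken from a clean boot environment) compared against a later
snapshot shows exactly which binaries were touched. Paths and file
contents below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile

PE_MAGIC = b"MZ"  # every Windows PE image starts with the DOS stub "MZ"


def is_pe_file(path: str) -> bool:
    """True if the file begins with the DOS 'MZ' header (a PE executable)."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == PE_MAGIC
    except OSError:
        return False


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map relative path -> SHA-256 for every PE file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if is_pe_file(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = sha256_file(full)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Executables that changed, appeared or disappeared since the old snapshot."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo() -> dict:
    """Constructed scenario: snapshot, simulate a file infector, snapshot again."""
    root = tempfile.mkdtemp(prefix="baseline_demo_")
    files = {  # constructed sample volume; only the MZ-prefixed entries are PE files
        "Program Files/App/app.exe": b"MZ" + b"\x90" * 64 + b"clean code",
        "Program Files/App/helper.dll": b"MZ" + b"\x00" * 32 + b"clean dll",
        "Users/chaj/notes.txt": b"just text, not an executable",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    before = build_baseline(root)

    # Simulated infection (constructed): an infector appends its body to one
    # existing executable and drops a brand-new executable on the volume.
    with open(os.path.join(root, "Program Files/App/app.exe"), "ab") as f:
        f.write(b"<appended viral section>")
    with open(os.path.join(root, "Users/chaj/dropped.exe"), "wb") as f:
        f.write(b"MZ" + b"<dropped payload>")

    after = build_baseline(root)
    return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check is content-based (the `MZ` header), not extension-based, so a renamed executable is still hashed. It only tells you which binaries changed; it cannot disinfect them, which is the point the reply makes: once the baseline shows system executables rewritten, reinstalling is the reliable fix.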


#3 chaj


Posted 10 January 2014 - 02:42 PM

Thank you for your quick answer. You said that even after a reformat it may still be there. How can I check that? Do I have to buy a new computer in the end?

 

By the way, the scan has been stuck on the same file for 50 minutes now. Does that mean it has failed?


Edited by chaj, 10 January 2014 - 02:45 PM.


#4 xXToffeeXx


Posted 10 January 2014 - 02:56 PM

Hi,

 

No, that's not what I said. I said it would be best to not clean this infection, and a full reformat is the only way to be completely sure this infection is gone. There is no need to buy a new computer.

 

xXToffeeXx~




#5 chaj


Posted 10 January 2014 - 02:59 PM

Ok, thank you :)

About the reformat, how should I do it? Because if I do it with the part saved on my computer that enables reformatting, it will just enable the virus to stay. And if anyone connects a device to my computer, the worm will copy the virus.

I'm a bit lost here.



#6 xXToffeeXx


Posted 10 January 2014 - 03:32 PM

Hi,

 

I would have a look if you have a Windows CD or recovery partition. Either of those would allow you to reinstall Windows. What make is your computer? I'll see if I can find whether your computer has a recovery partition.

Do you have any data which you want to save, as formatting your computer will remove everything?

 

xXToffeeXx~




#7 chaj


Posted 10 January 2014 - 03:36 PM

I think I have a recovery partition. I don't have any CD. My computer is an HP Pavilion dv6 with Windows 7 for family and students. I don't know how to use the recovery partition (to activate it). And I don't have the drivers anywhere.

 

I don't have any data to save. And as there is a worm, I can't connect any external disk to my computer without infecting it.


Edited by chaj, 10 January 2014 - 03:37 PM.


#8 xXToffeeXx


Posted 10 January 2014 - 03:51 PM

Hi,

 

That's fine. I was thinking of using a Linux-based boot disk if you wanted to recover anything, since Sality would not work in a non-Windows environment.

 

See here on how to do a factory restore; try the startup method first. A factory restore includes drivers; it restores your computer to factory condition.

I would suggest making sure you have your Windows product key before attempting this though.

 

xXToffeeXx~


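The reply above suggests pulling data off the infected disk from a Linux boot disk, where Windows code on the volume cannot execute. The script below is an added example (not from this thread) of how to decide what is safe to carry over: it walks the mounted volume and judges each file by content, skipping anything that starts with the `MZ` DOS header (a PE executable, possibly infected even if its extension says otherwise), any `autorun.inf` (the launcher removable-media infectors rely on) and Windows script types. The mount point `/mnt/infected`, the folder layout and the file contents are assumptions constructed for the demo; the function returns a copy plan rather than copying, so it runs on any directory.

```python
"""Select user files to rescue from an infected Windows volume.

Added example, not code from the BleepingComputer thread. Assumes the
infected NTFS volume is mounted read-only on a Linux live system (for
example at /mnt/infected, an assumed path) so nothing on it can execute.
Files are classified by content: anything carrying the 'MZ' PE header is
skipped, as are autorun.inf files and Windows script types, while ordinary
documents and media are marked for copying. Sample files are constructed.
"""
import os
import tempfile

PE_MAGIC = b"MZ"
SKIP_NAMES = {"autorun.inf"}
# Windows runs these as code even though they are not PE images.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".ps1", ".lnk", ".pif"}


def starts_with_pe_header(path: str) -> bool:
    """True if the file content (not its name) begins with the 'MZ' PE header."""
    with open(path, "rb") as f:
        return f.read(2) == PE_MAGIC


def classify(path: str) -> str:
    """Return 'skip-autorun', 'skip-script', 'skip-executable' or 'copy'."""
    name = os.path.basename(path).lower()
    if name in SKIP_NAMES:
        return "skip-autorun"
    if os.path.splitext(name)[1] in SCRIPT_EXTS:
        return "skip-script"
    if starts_with_pe_header(path):
        return "skip-executable"
    return "copy"


def plan_rescue(mount_root: str) -> dict:
    """Walk the read-only mount and map each relative path to a decision."""
    plan = {}
    for dirpath, _, names in os.walk(mount_root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, mount_root).replace(os.sep, "/")
            plan[rel] = classify(full)
    return plan


def files_to_copy(plan: dict) -> list:
    """The subset of the plan that is safe to carry to clean media."""
    return sorted(p for p, decision in plan.items() if decision == "copy")


def demo() -> dict:
    """Constructed stand-in for /mnt/infected with a few typical entries."""
    root = tempfile.mkdtemp(prefix="rescue_demo_")
    sample = {  # constructed contents; only the byte prefixes matter here
        "Users/chaj/Documents/thesis.docx": b"PK\x03\x04 office container",
        "Users/chaj/Pictures/holiday.jpg": b"\xff\xd8\xff\xe0 jpeg data",
        "Users/chaj/Downloads/setup.exe": b"MZ\x90\x00 installer",
        "Users/chaj/Documents/photo.jpg": b"MZ renamed executable",  # wrong extension
        "autorun.inf": b"[autorun]\nopen=payload.exe\n",  # constructed launcher
        "Users/chaj/Desktop/run.bat": b"@echo off\nstart payload.exe\n",
    }
    for rel, data in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return plan_rescue(root)


if __name__ == "__main__":
    plan = demo()  # replace with plan_rescue("/mnt/infected") on a live system
    for rel, decision in sorted(plan.items()):
        print(f"{decision:16} {rel}")
    print("to copy:", files_to_copy(plan))
```

Skipping executables keeps the infector off the rescue media, but documents can carry other threats (macros, embedded objects), so scan the copied files with an up-to-date scanner on a clean machine before opening them. Mounting the volume read-only also preserves it if you later want a forensic look at what was dropped.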


#9 chaj


Posted 10 January 2014 - 03:59 PM

Thank you.

 

Step 2 doesn't work. I had someone reformat my computer 2 months ago. It's possible he didn't put that back (Recovery Manager). I don't know what to do.


Edited by chaj, 10 January 2014 - 03:59 PM.


#10 xXToffeeXx


Posted 10 January 2014 - 04:10 PM

Hi,

 

Do you know how he reformatted the computer? It's very likely he got rid of the partition.

 

xXToffeeXx~




#11 chaj


Posted 10 January 2014 - 04:14 PM

He deleted everything, then created 2 partitions, C and D. The computer automatically created a small partition with important information for recovery, I think. My computer is in French; I found a recovery window (the one I used to go back to the previous day, but it didn't work). But it says that to reformat everything, I need a CD to install Windows after the reformat. And as you know, I don't have any CD. It says I don't have any system image.



#12 xXToffeeXx


Posted 10 January 2014 - 05:14 PM

Hi,

Yes, that would have deleted the recovery partition. All is not lost, however; confirm you have some blank CDs and another clean computer to work from, and then give me some time.

xXToffeeXx~



#13 chaj


Posted 10 January 2014 - 05:20 PM

I don't have any of that right now. It's 11:18 PM here. I'll have blank CDs and a clean computer to work from tomorrow, so in about 16 hours. Will that be OK?

 

Thank you very much for taking the time to help me. 



#14 xXToffeeXx


Posted 10 January 2014 - 05:23 PM

Hi,

Perfectly fine by me; it will take a little while for me to get the instructions, and it's late here too, so sometime tomorrow.

xXToffeeXx~



#15 chaj


Posted 10 January 2014 - 05:26 PM

Ok, I'll get everything tomorrow then. Thank you :)





