I posted this in the security logs section by mistake yesterday. If a moderator could delete that post.
My father-in-law fell for a Windows care phone call scam 2 weeks ago. I took the PC off the network, found the AMMYY and ran 2 additional sweeps, RKill --> JRT --> AdwCleaner --> Malwarebytes; all clean. I told them they could put it back on the network on Monday after a third sweep.
Yesterday, on their laptop, MWB found Sality...
I'm not going to mess around fighting the issue on the O/S; I'm not chasing a virus that can transpose networks. I told them the bad news that all of their PCs are getting wiped, Mother-In-Law very upset. I took 2 laptops, 2 workstations, a Windows Media Center PC, and their Windows Home Server and put them in quarantine. I then told Mother-In-Law that we might not be able to save the .JPG files off their "main" workstation; she was literally in tears. I have picture backups I made in September on external drives at my house, and reminded her of that. She has spent a lot of time in recent months sorting and cataloging pictures from the whole family, including scanning borrowed old photos. This could be hundreds of hours of lost work; but if there is any chance of re-infection it is gone.
I have read varied things about whether or not Sality can have *.JPG files infected. One poster to several forums, Broni, has posts specifying JPGs can't be saved. A post here from Quietman7 does not specify that JPG files can be infected as long as you pay attention to file extension spacing tricks. I had not considered file injection before reading Quietman7's post; he may have saved us future heartache. I had started rebuilding the laptops from the built-in recovery partitions before leaving their house after midnight. I'll be killing them again, all partitions gone, over the weekend. I have Windows 7 media for their workstations, can get the media for the Windows 7/8 laptops, but their WHS box might be a brick now.
My thought is to stand up an offline fresh O/S "cleaning machine"; I can boot from the clean PC, scan the suspect hard drives, move the pictures to another fresh hard drive, then rebuild the PC that did the scanning again. I have found several specific Sality removal tools, but also plan on using additional scanners (copied from a thumb drive whose partition I will remove prior to ejecting it).
Is this approach safe or do I just need to forget about the pictures?
Thanks in advance for any input.
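As an added example (not from the original poster or any reply), one way to triage the picture files on the cleaning machine before copying them to the fresh drive: check each file's leading bytes against what its name claims, and flag the extension spacing tricks mentioned above. Assumes Python 3; the sample inputs are constructed, not taken from the infected machines.

```python
import os
import re

JPEG_MAGIC = b"\xff\xd8\xff"   # every JPEG file starts with these three bytes
PE_MAGIC = b"MZ"               # DOS/Windows executables start with "MZ"

# Names that hide an executable extension behind a picture extension,
# e.g. "photo.jpg      .exe" (whitespace padding) or "photo.jpg.scr".
SUSPICIOUS_NAME = re.compile(
    r"\.jpe?g\s+\.[a-z0-9]+$|\.jpe?g\.(exe|scr|pif|com|bat|cmd)$", re.IGNORECASE
)

def classify(name, head):
    """Classify one file from its name and its first bytes.

    Returns 'executable' (PE header, do not copy), 'suspicious-name'
    (extension trick in the file name), 'ok' (real JPEG with a clean name)
    or 'not-jpeg' (wrong header; renamed or damaged file, inspect by hand)."""
    if head.startswith(PE_MAGIC):
        return "executable"
    if SUSPICIOUS_NAME.search(name):
        return "suspicious-name"
    if head.startswith(JPEG_MAGIC):
        return "ok"
    return "not-jpeg"

def triage_directory(root):
    """Walk `root` (a mounted suspect drive) and return {path: verdict}
    for every file that presents itself as a JPEG."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not re.search(r"\.jpe?g", fname, re.IGNORECASE):
                continue  # only look at things presented as pictures
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                verdicts[path] = classify(fname, fh.read(8))
    return verdicts

# Constructed sample inputs (hypothetical, not real files): name -> first bytes.
SAMPLES = {
    "family_1998.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",  # genuine JPEG
    "grandma.jpg": b"MZ\x90\x00\x03\x00\x00\x00",        # executable renamed to .jpg
    "scan_042.jpg      .exe": b"MZ\x90\x00",              # padded double extension
    "vacation.jpg.scr": b"\xff\xd8\xff\xe1",              # JPEG bytes, tricky name
    "holiday.jpg": b"\x89PNG\r\n\x1a\n",                  # PNG with wrong extension
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(f"{classify(name, head):16} {name!r}")
```

Only files that come back as "ok" are worth copying unattended; the other verdicts are the ones to look at individually before anything leaves the quarantined drive.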