
Win32/Sality

Joined
Jul 19, 2006
Messages
43,587 (6.70/day)

Bokteelo

New Member
Joined
Mar 5, 2009
Messages
479 (0.09/day)

Alright, I just spoke to my cousin. He's using Windows Vista, but his older brother is using Windows XP. I'll be asking for permission to install Kaspersky onto his computer to clean my drive. I'll update you guys with information as soon as I can get a reply!

Thanks a lot, you've all been extremely helpful. Feel free to post comments and alternative methods of clearing up my mess if you know of any. I will read and reread every post.
 
Joined
Aug 30, 2006
Messages
7,198 (1.11/day)
It cannot infect the other computer because the virus won't start unless Windows tells it to. Since it's not your Windows that's loading, it won't be told to start.

CAREFUL.

If you explore (browse) that HDD, then if it has an autorun.inf it can get itself going!

Advice

I really would suggest you get a new HDD. Do a fresh Windows install on the new HDD. Then after you have "locked down" the PC, you can install the old drive via USB or as a secondary drive to copy across important data.

Be warned that the HOURS you spend trying to clean up a computer may well leave it with damaged ACL/security policies that can only be fixed by reinstall anyway.

In my experience a virus that has got full hold of the OS is best removed via reformat. YES, you can spend hours and the rest of the week trying to clean it... but you have a 50/50 chance your registry and ACL will be damaged. :pimp:
 

Bokteelo

New Member
Joined
Mar 5, 2009
Messages
479 (0.09/day)
God... this virus has been stressing me out for over a month now... UGH! I honestly don't want to reformat if there are other methods of disinfecting my system without wiping my drive... even if there's the slightest chance of cleaning it without wiping my entire HDD I'm going to try it.

If all fails, fine, I'll use KillDisk to wipe my drive completely and reinstall Windows XP Media Edition using the recovery CDs I ordered off HP not long ago at the advice of a staff member of TechSupportForum. (He advised me to use KillDisk, but I've been putting it off because he had an accident resulting in heavy injuries and I intended on waiting for him to recover to continue guiding me. Finally he's back in shape, but I'm reluctant to wipe my hard drive, so here I am seeking other methods.)
 
Joined
Aug 30, 2006
Messages
7,198 (1.11/day)
A HDD is cheap. Please check post 28 again. There is no need to reformat and lose data. Just swap the HDD out with a new one then run the recovery CDs. Then hook up the old HDD and recover whatever data you need.
 

Bokteelo

New Member
Joined
Mar 5, 2009
Messages
479 (0.09/day)
Let me get this straight:

1. I purchase another hard drive and install windows on it.
2. I lock it down. (How?)
3. Install the old drive.
4. Copy across data. (How?)
 

Wile E

Power User
Joined
Oct 1, 2006
Messages
24,318 (3.78/day)
> CAREFUL.
>
> If you explore (browse) that HDD, then if it has an autorun.inf it can get itself going!
>
> Advice
>
> I really would suggest you get a new HDD. Do a fresh Windows install on the new HDD. Then after you have "locked down" the PC, you can install the old drive via USB or as a secondary drive to copy across important data.
>
> Be warned that the HOURS you spend trying to clean up a computer may well leave it with damaged ACL/security policies that can only be fixed by reinstall anyway.
>
> In my experience a virus that has got full hold of the OS is best removed via reformat. YES, you can spend hours and the rest of the week trying to clean it... but you have a 50/50 chance your registry and ACL will be damaged. :pimp:
Easy enough. Look for an autorun in the root of the drive.
 

Bokteelo

New Member
Joined
Mar 5, 2009
Messages
479 (0.09/day)
> Easy enough. Look for an autorun in the root of the drive.

I think you should tell me where to find this before I kill my cousin's computer! :D

Edit: Why does this even matter? Even if the virus decides to run, Kaspersky is capable of stopping it in its tracks for me to disinfect it, right? So either way, as long as Kaspersky is installed, the virus can't harm the other computer? Right?
 
Joined
Feb 19, 2006
Messages
6,270 (0.94/day)
If you can get Malwarebytes installed http://download.cnet.com/3001-20_4-10804572.html?spi=2fefa24deb6c7cd23213e33d960ab19b and get it updated, then you could for sure get it clean (in safe mode). If your current account is too hosed to do anything, then try creating another admin account, get on it quick, install Malwarebytes and update it fast before that account gets too hosed, then clean her up in safe mode. GL
 

Bokteelo

New Member
Joined
Mar 5, 2009
Messages
479 (0.09/day)
> If you can get Malwarebytes installed http://download.cnet.com/3001-20_4-10804572.html?spi=2fefa24deb6c7cd23213e33d960ab19b and get it updated, then you could for sure get it clean (in safe mode). If your current account is too hosed to do anything, then try creating another admin account, get on it quick, install Malwarebytes and update it fast before that account gets too hosed, then clean her up in safe mode. GL

The free version of Malwarebytes can clean Win32.Sality? If so, I'll download the .exe on my laptop, put it in a USB, drag it onto my new admin account and take the USB out before it's infected.

I know of 3 AVs that can cure Sality: Kaspersky, BitDefender, and ShieldDeluxe. I'm not sure about MalwareBytes, but I know I've read about it somewhere. (I've done extensive research on this virus.)
 
Joined
Aug 30, 2006
Messages
7,198 (1.11/day)
> Let me get this straight:
>
> 1. I purchase another hard drive and install windows on it.
> 2. I lock it down. (How?)
> 3. Install the old drive.
> 4. Copy across data. (How?)

Point 2:

1. Install your antivirus software at the HIGHEST settings
2. Turn off autoplay (google this)
3. Install Malwarebytes
4. Create a user account with STANDARD privileges, not admin.

Then install the old HDD

Point 4:

1. Log in as a standard user, NOT admin
2. Using Explorer, "Open" (do not double click) the old HDD
3. Search for autorun.inf
4. Delete any and all you find
5. Using Explorer, find the files you want to keep and copy them to your new drive
 
Joined
Aug 30, 2006
Messages
7,198 (1.11/day)
> Easy enough. Look for an autorun in the root of the drive.
No it ain't "that easy". If the user is in Explorer and has the autorun feature turned on, then double clicking the drive to explore it will automatically run the autorun.inf and WHAM, you could be reinfected.

You need to be very careful in "exploring". Must right click and "open" any drive or folder, and NOT double click.

There shouldn't really be any autoruns on a HDD, so searching for and deleting them all is a good way to start.
 

Wile E

Power User
Joined
Oct 1, 2006
Messages
24,318 (3.78/day)
> I think you should tell me where to find this before I kill my cousin's computer! :D
>
> Edit: Why does this even matter? Even if the virus decides to run, Kaspersky is capable of stopping it in its tracks for me to disinfect it, right? So either way, as long as Kaspersky is installed, the virus can't harm the other computer? Right?
If it was in there, it would be in C:

At any rate, if you get Kaspersky fully installed and updated before attaching the drive you should be fine.

But just to be safe, disable autorun on your cousin's computer. You can use a simple reg key to do it.

I've attached one. Just change the file extension from .txt to .reg and double click it. Answer yes when it asks if you want to continue.
 

Attachments

  • disableautorun.txt
    125 bytes · Views: 353
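The lockdown steps given a few posts up (turn off autoplay, work from a standard account, search the old drive for autorun.inf before copying anything) and the registry change attached here both come down to one policy value plus a careful inventory of the suspect drive. The script below is an added example; it is not the attached disableautorun.txt and not code from any poster in this thread. It assumes that NoDriveTypeAutoRun under the Explorer Policies key is the value Windows honours for AutoRun (0xFF turns it off for every drive type) and that the old drive shows up on the clean PC under a drive letter, passed as -SuspectDrive. It renames any autorun.inf it finds instead of deleting it, so the file stays available for inspection; everything else is read-only.

```powershell
# Added example (not from the thread or its posters): disable AutoRun on the
# clean PC, then inventory autorun.inf files on the old drive before copying data.
# Assumptions: NoDriveTypeAutoRun is the policy value Windows honours for AutoRun
# (0xFF = off for all drive types); the old drive is attached as a drive letter.
# Usage (elevated prompt):  .\Prepare-SuspectDrive.ps1 -SuspectDrive E: [-WhatIf]
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]:\\?$')]
    [string]$SuspectDrive
)

$autorunValue = 0xFF   # bit mask, one bit per drive type; all bits set = AutoRun off everywhere
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # machine-wide
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # current user
)

# 1. Disable AutoRun. This is the registry route the attached .reg file takes;
#    the exact value in that attachment is not shown in the thread.
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($key, ('Set NoDriveTypeAutoRun = 0x{0:X2}' -f $autorunValue))) {
        Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value $autorunValue -Type DWord
    }
    $current = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    Write-Output ('{0}: NoDriveTypeAutoRun = 0x{1:X2}' -f $key, $current)
}

# 2. Inventory autorun.inf on the suspect drive. Get-ChildItem reads directory
#    entries only; nothing on the drive is executed. -Force includes hidden and
#    system files, which is how such files are usually planted.
$root  = $SuspectDrive.TrimEnd('\') + '\'
$found = @(Get-ChildItem -Path $root -Filter 'autorun.inf' -Recurse -Force -ErrorAction SilentlyContinue |
           Where-Object { -not $_.PSIsContainer })

if ($found.Count -eq 0) {
    Write-Output "No autorun.inf found under $root"
}

foreach ($f in $found) {
    Write-Output ('Found: {0}  ({1} bytes, attributes: {2})' -f $f.FullName, $f.Length, $f.Attributes)
    # Show the launch directives as text so the admin can see what a double
    # click in Explorer would have started. Reading the file runs nothing.
    Get-Content -LiteralPath $f.FullName -ErrorAction SilentlyContinue |
        Select-String -Pattern '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' |
        ForEach-Object { Write-Output ('    ' + $_.Line.Trim()) }
    # Rename instead of delete: Explorer only honours the exact name autorun.inf,
    # and the renamed copy stays available for inspection.
    if ($PSCmdlet.ShouldProcess($f.FullName, 'Rename to autorun.inf.quarantined')) {
        Rename-Item -LiteralPath $f.FullName -NewName 'autorun.inf.quarantined' -Force
    }
}
```

Run it from an elevated prompt on the clean machine before the old drive is browsed; the HKLM write needs admin rights, while the actual file copy can still be done from the standard account the earlier post recommends. Run with -WhatIf first to see what it would change. Disabling AutoRun only closes the autorun.inf launch path: executables that were infected on the old drive stay infected when copied, so scan what you carry across rather than relying on this step alone.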

Wile E

Power User
Joined
Oct 1, 2006
Messages
24,318 (3.78/day)
> No it ain't "that easy". If the user is in Explorer and has the autorun feature turned on, then double clicking the drive to explore it will automatically run the autorun.inf and WHAM, you could be reinfected.
>
> You need to be very careful in "exploring". Must right click and "open" any drive or folder, and NOT double click.
>
> There shouldn't really be any autoruns on a HDD, so searching for and deleting them all is a good way to start.

I meant for him to find it before swapping drives.
 

Bokteelo

New Member
Joined
Mar 5, 2009
Messages
479 (0.09/day)
> If you can get Malwarebytes installed http://download.cnet.com/3001-20_4-10804572.html?spi=2fefa24deb6c7cd23213e33d960ab19b and get it updated, then you could for sure get it clean (in safe mode). If your current account is too hosed to do anything, then try creating another admin account, get on it quick, install Malwarebytes and update it fast before that account gets too hosed, then clean her up in safe mode. GL

I can't boot into safe mode, I just tried again. (MalwareBytes installed with no problems though. Too bad I can't say the same for BitDefender/Kaspersky.)

> If it was in there, it would be in C:
> At any rate, if you get Kaspersky fully installed and updated before attaching the drive you should be fine.
> But just to be safe, disable autorun on your cousin's computer. You can use a simple reg key to do it.
> I've attached one. Just change the file extension from .txt to .reg and double click it. Answer yes when it asks if you want to continue.

Just that one script will disable autorun? (Do I still need to do any exploring?) Hell, how exactly do I explore? Do I press ctrl+F in My Computer?

Edit: MalwareBytes is currently performing a scan on another user account.
 

Wile E

Power User
Joined
Oct 1, 2006
Messages
24,318 (3.78/day)
> I can't boot into safe mode, I just tried again. (MalwareBytes installed with no problems though. Too bad I can't say the same for BitDefender/Kaspersky.)
>
> Just that one script will disable autorun? (Do I still need to do any exploring?) Hell, how exactly do I explore? Do I press ctrl+F in My Computer?
>
> Edit: MalwareBytes is currently performing a scan on another user account.
Just click on My Computer in the start menu to explore your drives.

And yeah, that script will disable the autorun feature. By autorun feature, I mean how CDs or flash drives automatically start running when you plug/load one in.
 
Joined
Aug 30, 2006
Messages
7,198 (1.11/day)
> And yeah, that script will disable the autorun feature. By autorun feature, I mean how CDs or flash drives automatically start running when you plug/load one in.

... in fact, ANY folder that contains an autorun.inf (with autorun enabled).
 

paulm

New Member
Joined
Dec 27, 2008
Messages
441 (0.08/day)
> ... in fact, ANY folder that contains an autorun.inf (with autorun enabled).

I wasn't aware that a folder with an autorun.inf file and autorun enabled would actually "auto-run". Never happened to me when I was playing around with some uncompressed Windows disks...

Regardless, OP should probably backup any data that he absolutely needs and just re-format. Wiping the drive is unnecessary in this situation. Viruses don't often (never to my knowledge) survive a single pass overwrite. Just get your data to an external drive or flash drive and start over. First thing you should do after doing that is download a good A/V, malware/spyware scanner, and firewall.

I like the combination of Avira Antivir Premium (with heuristics on high) , COMODO Firewall (without defense+ or whatever they call it), and Malwarebytes. Seems to work very well for me, and isn't too heavy on the resources.
 

Bokteelo

New Member
Joined
Mar 5, 2009
Messages
479 (0.09/day)
Alright, I have a buddy who has both a blank CD for me to burn KillDisk on AND a computer that I can possibly put my drive in.

I've yet to try a system reformat since I don't have a Windows XP CD, what I have is a set of recovery discs I ordered directly from HP's website, specifically made for my computer. My computer does have the recovery partition built in, but the virus survived the 2-3 system recoveries that I've done.

I'll see what I can do about this tomorrow when I'm over at my buddy's house, whether to wipe my drive and/or swap drives.
 
Joined
Aug 30, 2006
Messages
7,198 (1.11/day)

Bokteelo

New Member
Joined
Mar 5, 2009
Messages
479 (0.09/day)
Both friend and cousin wouldn't let me put my drive in their rig, and my sister's old computer is SLOWWW. BitDefender had it lagging out of its case... ended up using KillDisk.

KillDisk + Complete system recovery finished in about 3 hours. Now installing Windows Updates and all software I use the most! The antivirus can come last, but I will be very careful from now on. Going to consider some of the firewall/antivirus recommendations given somewhere in this thread!
 
Joined
Aug 30, 2006
Messages
7,198 (1.11/day)
LOL

Antivirus should be installed FIRST. Goodness knows what might be on your install disks/CDs and your legitimate set of serial numbers/keygens.

BEFORE you go anywhere near the internet, get the AV installed. Then get it updated to latest definitions. The *only* internet action you should take is Windows Update before you have completely locked down the PC. Better to even do that after you have antivirus installed. It's just good practice.
 

Bokteelo

New Member
Joined
Mar 5, 2009
Messages
479 (0.09/day)
Lol! lemonade, I got these discs off HP, they're recovery discs made specifically for my computer model! :love: No worries on my part! (It does come with a 2006 trial of Norton, so it'll do for now until I get everything else installed.)
 

temp02

New Member
Joined
Mar 18, 2009
Messages
493 (0.09/day)
Warning: This virus is like no "normal" virus!
It infects all the executables it can find on the C: drive of your computer, and when I say infect I mean that it copies itself to inside each .exe it finds, so no "normal" methods of "Safe boot" or "remove autorun.ini" will work because it's everywhere.

How to Fix:
* Download a copy of Norton (any version I guess, but make sure it is a full version, not a demo; don't bother buying it, you probably will uninstall it later so...);
* Update it using one of the setups on this webpage
* Leave your computer FULLY scanning overnight;
* When you wake up, all that is left to do is scan every external drive you own (this includes CDs/DVDs, because the virus might still be there);
* Uninstall Norton (worst AV ever IMO, but does its job);

My story:
I found that I was infected by this about a year ago when I was "playing around" with Process Explorer (I tend to do this sometimes, because I don't use any antivirus software), when I suddenly found a quite funny handle name CUCU (or KUKU, don't remember; also it's not the only handle the virus creates). Well, that turned out not that funny when I found that ALL running processes created the same handle. Still using Process Explorer I tracked down the virus to a specific filename: vcmgdr32.dll (if I remember) that sat in the system32 folder. Deleting it was no good because all the running processes were infected and recreated the file every time I deleted it.
So I decided to reinstall Windows, copied "my stuff" to a temp folder on C, selected "keep files" instead of "quick format" and a new Windows installation was born. The bad thing was that when I installed the first program (Daemon Tools :p) the virus dll file appeared again in the Windows folder, because the Daemon setup was previously infected by it. My attempts to clean the virus had failed; for the first time I was unable to remove a virus "by hand". I really thought I would lose all my data because of the infection.
Until I remembered that when I bought my computer (far way back) it came with Norton, which had a "Fix" feature (it first tries to Fix; if it fails it either Quarantines the file or Deletes it). So, with my infected computer, I downloaded a Norton version, updated it to the latest version (using not the auto-update but a complete update package that Symantec updates weekly on its site) and left my computer overnight "healing" itself. The morning after, I scanned every external drive, I uninstalled Norton, and up until today I have been able to not need an antivirus again :).
 

Bokteelo

New Member
Joined
Mar 5, 2009
Messages
479 (0.09/day)
temp02, I'm not exactly sure how Norton was able to rid you of the virus... The virus penetrates and takes control of your operating system including Windows files, so if Norton deletes them wouldn't your computer be running haywire?

And yes, this is by no means a normal virus. It's lethal and once infected, almost impossible to deal with.
 