Win32.Sality

Every antivirus detects every .exe file in the “new” netbook as win32.sality. Finally, I ended up turning off all security software to prevent them from quarantining these files. I removed some of them, but the others are very important (to me at least), so I just left them there. What do I do now? I couldn’t say it’s a false positive since every antivirus I’ve tried makes the same detection, including Hitman, ESET Nod32, Avast, Avira, McAfee, Norton and Comodo. I really need your guidance on this one. None among my family believes me saying it’s fresh from the box (although strangely enough, a USB-borne virus is in it. I have my USB to prove it too).

I think that win 32 sality has spread all over the computer infecting all .exe files…

Same thing happened to my friend… Do a full system scan with your antivirus in safe mode and clean all files…

After this do a Malwarebytes scan… I think that this will fix the computer…

Probably safe mode is not going to get rid of them, a better solution to keep your files and get rid of sality is Dr Web.

Use the Dr Web live CD to disinfect them, here: http://www.freedrweb.com/livecd/?lng=en

NOTE: Use an uninfected PC to download the image and burn it onto a CD. You can use the Windows 7 image burner or download something like PowerISO to burn the image to a CD.

Is there really no other way than to quarantine those files? :frowning: I appreciate your help. Will do these, but I have to be sure there’s really no other way.

Dr Web is probably the only one that doesn’t quarantine Sality.
It cures the file, meaning it deletes the part of the file where the infection is hiding.

I’m afraid reading your post Spainach. Do you really mean the netbook and the USB stick were both brand new? Surely you can return them to the shop, no?

I see. That’s a good thing then.

No reason to be afraid there. Yes, yes, we can most certainly do that. Problem is, none among my family believes me since my brother claims he is sure this is just a false positive. However, it seems rather interesting to find all these antivirus products making the same detections, the files in my USB (the USB isn’t new) had increased in size, and, not restarting, ten minutes after installation of the Comodo firewall triggers Avast to quarantine ALL of its executables, classifying them as win32:sality. This is too much for a coincidence and highly unlikely for all reputed antiviruses to make the same “false positives”. They wouldn’t want me to do that since, as they say, it is too troublesome and makes no difference, and I already changed it (though I only switched antiviruses and kept the rest of it virtually untouched save for the history). They’re right about it, though; this is truly troublesome, and I haven’t even gone to the store to trade/negotiate it for another model! Cruel life indeed. :frowning:

You could maybe try “USB drive antivirus” http://www.usbantivirus.net/ to help you exit this calamity.

Hi spainach_12

1st, you did not provide any decent info re: the infection starting from your initial post

Then how many times was that discussed here in this forum & in other places? - You have protection for any USB (if that’s in the package) and most importantly - you do not ever use a USB unless you are convinced that all Auto-runs are disabled on that particular system where you are going to use ’em

Boy oh boy! how many times?

If that is your PC that is not excusable! Period!
If you are going to use a USB on an alien PC, please have the software that allows you to check 1st whether the alien PC does not have Autoruns enabled … IF the latter - apply the script and do the favour to that unknown PC

It seems that your brother is quite right about FP. This is just the 6th feeling, and sure has to be investigated … but how many security flagged Sality that is not Sality? ha?

Then re: Dr.Web and “healing” - I have real doubts that the latter security, which is really good in many areas, is doing what was said above.

Healing has basically evaporated - there is no such thing in the contemporary security world anymore
That would be bizarrely surprising if so

If you will PM me more info about the detections (including the security[-ies] that flagged the items) I will talk in Russian with the developers of Dr.Web (not the 1st time I’ve done that)

Cheers!

Thanks for your help! Dr. Web CureIt did the trick, although like Siberlynx here, I was also doubtful it could do what it claims to do. But it did.

To Siberlynx: unfortunately, I’ve already carried out the “curing”, so to speak, of Dr. Web. Sadly, I wasn’t able to read your post beforehand. If you are really dubious about it, then give it a whirl. Talk to the developers if you like, then tell us how it went. ;D

As for the USB thing, I needed to see if it was fresh so I left it as it is. Sadly it isn’t, since a trojan was there. I already cleaned it. I still remember the solution you told me, the CD thing. This netbook, if there are any with one, doesn’t have a CD-ROM. As for the autorun, my USB doesn’t have one. The netbook’s autoruns were already quarantined. As for the logs, sadly I can’t provide them any longer. I removed all the previous antiviruses. After Dr. Web, I reinstalled avast!, and sure enough, no more detection. Neither does Hitman, Trend Micro HouseCall, Emsisoft Anti-Malware, ESET online scanner, BitDefender QuickScan, and Dr. Web of course. CCleaner works well too :stuck_out_tongue:

Have you tried the W32.Sality healer tool by AVG?

Run it on Drive C: and see if it doesn’t help repair those files instead of quarantining the whole drive. :slight_smile:

Well, it does concentrate on USBs only. If you want this infection gone, you could use Dr. Web CureIt!. It does the job perfectly, however slowly. Or you could try

Other AV vendors also provide their own set of tools, though I suggest you get a whole emergency scanner rather than a specialized tool, just to be sure no other infection is around.

Nice to see all is resolved, hope lesson learned on the whole autoruns thing? :slight_smile:

To those reading this:

You’ve probably come across this forum topic because you’re having the same problem. I haven’t visited this for a while and was reminded of it when someone PM’ed me about having a Win32.sality infection as well. I’ll do my part to help out:

  1. Make sure that it is indeed a win32.sality infection. In my case, I verified the infection with no less than ten AVs (Emsisoft, ESET, McAfee, Avast, Avira, Dr. Web, Panda, BitDefender, Kaspersky, Vipre, Trend Micro [I had a license for the Titanium version good for a year], Microsoft Security Essentials).

  2. Also do research on the nature of the infection. According to my research back then, it was supposed to increase the size of the executables. Since the *notebook (they say a netbook is different from a notebook and what I had was a notebook. I had no idea about that before since the salesman kept saying netbook) was assumed infected, I went to a clean PC and copied small executable files (most of them portable games), noted their sizes and the overall available space on the USB, and then inserted it in the notebook (hence, this explains why I put in a USB without turning off the autorun. I was very well aware of the risks even before I had this issue). The size changes I noted confirmed my research.

  3. Now, you may proceed to cleaning. Dr. Web CureIt does a spectacular job, but it is remarkably slow in scanning. You may choose dedicated tools from other vendors if you like.

But to prevent all this from happening, ensure that the notebook/laptop you are going to buy has indeed not been used. I realized that the notebook had been used before, and that the source of infection was a USB, upon using USBDeview and seeing records of USBs which dated back weeks before the notebook was bought. Quite possibly (though this is a mere hunch), the salesman tried to update the software installed in the notebook (it came with the then latest version of Firefox which, to my knowledge, was released only a day or two before we bought the notebook) via an infected USB.

Have the salespeople install the AVs for you and do a quick scan right there and then. Most malls come with wifi, so updating wouldn’t be much of a problem. The notebook had no AV installed, though a McAfee trial installer came with it.

If there are a few other things you would like to know that are not mentioned in this thread, then PM me or make a post (the latter is favored over the former since you’ll be given a much broader perspective and a variety of opinions on the topic. Furthermore, I am no expert at these kinds of things. I’m merely an enthusiast).

Have a good day.
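The size-comparison check from step 2 of the post above, as an added example that is not from the thread or from any of the posters: it records the size and SHA-256 of each executable on a clean machine, then reports which files grew or changed after the stick was used on the suspect machine. The sample files, the temp folder and the appended bytes are constructed for the demo.

```python
# Added example: baseline-and-compare check for a file infector that grows
# executables. Build the manifest on a clean PC, use the stick on the suspect
# machine, rebuild it, and diff the two. Sample data below is constructed.
import hashlib
import os
import tempfile

EXE_EXTENSIONS = (".exe", ".scr", ".dll")  # file types an infector typically targets

def build_manifest(root: str) -> dict:
    """Map each executable's relative path to (size_bytes, sha256_hex)."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(EXE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = (os.path.getsize(path), digest)
    return manifest

def compare_manifests(before: dict, after: dict) -> dict:
    """Classify files as 'grown' (size increased), 'changed' (same size, new hash),
    'missing' (gone) or 'new' (appeared). Unchanged files are not reported."""
    report = {"grown": [], "changed": [], "missing": [], "new": []}
    for rel, (size, digest) in before.items():
        if rel not in after:
            report["missing"].append(rel)
        elif after[rel][0] > size:
            report["grown"].append((rel, size, after[rel][0]))
        elif after[rel][1] != digest:
            report["changed"].append(rel)
    report["new"] = sorted(set(after) - set(before))
    return report

def demo() -> dict:
    """Constructed scenario: two sample 'executables'; extra bytes are appended
    to one of them to stand in for a file that grew. No real malware involved."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("game1.exe", "tool.exe"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"MZ" + b"\x00" * 1000)  # placeholder header plus padding
        before = build_manifest(root)
        with open(os.path.join(root, "game1.exe"), "ab") as fh:
            fh.write(b"\x00" * 512)  # constructed size increase
        return compare_manifests(before, build_manifest(root))
```

Files listed under "grown" are the ones to submit for a second opinion or disinfection; a file flagged "changed" at the same size is just as suspect and would be missed by a size-only check.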