I’m definitely sure it’s not a FALSE POSITIVE!
It’s not only 1 file; Ikarus & Immunet both detected more than 100 files!
The problem is: whenever I upload a detected file to VirusTotal, it comes out clean, even clean by Ikarus on VirusTotal!!!
The virus somehow manages to recreate/copy its code to infect other files…
I hope we can explain how to remove it! ???
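As an added example (not code posted by anyone in this thread): a small Python script that baselines the SHA-256 of every executable under a directory and later reports which ones changed, grew or appeared. Sality-style file infectors rewrite executables on disk, so a baseline taken from a known-clean state shows modified files independently of any scanner’s verdict, including a clean VirusTotal result on an individual sample. The directory tree, file contents and the extension list are constructed for the demo; on a real machine you would take the baseline from a verified clean state and expect legitimate software updates to show up as modifications too.

```python
"""Executable integrity baseline: find modified/added executables.

Added example, not code from the thread. File infectors such as Sality
rewrite executables on disk, so comparing a known-clean baseline of hashes
against the current state shows which files changed regardless of what any
scanner reports about them.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Extensions a PE file infector typically targets (assumption for this example).
EXEC_EXTENSIONS = {".exe", ".dll", ".scr"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries are not loaded into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each executable's path (relative to root, POSIX separators) to its hash and size."""
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in EXEC_EXTENSIONS:
                continue
            rel = p.relative_to(root_path).as_posix()
            baseline[rel] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Classify executables as modified, grown, added or removed between two baselines."""
    modified = sorted(
        rel for rel in old.keys() & new.keys()
        if old[rel]["sha256"] != new[rel]["sha256"]
    )
    return {
        "modified": modified,
        # A file that changed AND got bigger is the classic appended-infector pattern.
        "grown": sorted(rel for rel in modified if new[rel]["size"] > old[rel]["size"]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def save_baseline(baseline: dict, path) -> None:
    """Persist the baseline as JSON; keep this copy off the suspect machine."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed scenario: a clean tree, then one executable gets code appended."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed placeholder contents; these are not real PE files.
        (root / "bin" / "app.exe").write_bytes(b"MZ" + b"\x00" * 510)
        (root / "bin" / "helper.dll").write_bytes(b"MZ" + b"\x01" * 254)
        (root / "notes.txt").write_text("not an executable")  # ignored by the baseline
        save_baseline(build_baseline(tmp), root / "baseline.json")

        # Simulate an infector appending its body to one executable and dropping a new one.
        with (root / "bin" / "app.exe").open("ab") as fh:
            fh.write(b"\x90" * 4096)
        (root / "bin" / "dropped.exe").write_bytes(b"MZ" + b"\x02" * 100)

        return compare(load_baseline(root / "baseline.json"), build_baseline(tmp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a drive root (or `Program Files`) from clean boot media, store the JSON somewhere the infected system cannot write to, and diff again after each cleanup attempt; a list that keeps growing between scans is the evidence of active reinfection that a single per-file VirusTotal verdict cannot give you.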
Actually… the TE result you linked to isn’t showing anything related to Sality (e.g. that it modifies files, etc.); VT has only the Ikarus detection there, and Ikarus likes making false positives.
Good evening, sir!
You’re totally right about TE, but I want you to consider 2 things:
1- The same window (titled ‘NSIS error’) appears every time I want to uninstall ANY software.
2- What makes me believe it’s not a false positive is actually 2 things:
A) A long time ago I scanned using Kaspersky; it found Sality & removed it, but after that I couldn’t browse any web page. I was able, however, to connect to the internet, but couldn’t browse any web page!!
B) Both Ikarus & Immunet found over 100 files infected with Sality, a lot of files common between the 2, so I don’t think it’s a false positive.
C) I once scanned with Spyware Doctor, & it found Worm.Sality files in the registry, & all of these files contained the word ‘legacy’! What does that mean?
I appreciate any help!!
Follow the directions for obtaining an MBAM log (make sure you update MBAM first) and the OTL logs (save them as ANSI and not Unicode). When the OTL scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. Post the MBAM log and the two (2) OTL logs as attachments (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).
If you are unable to perform the MBAM part, move on to the OTL part, which is more important. The sooner we get your OTL log, the sooner we can work on your malware removal.
I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your logs and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily. I will continue to provide assistance in the meantime, then remain in the background while he works with you.
IMPORTANT: If you are on a home network, disconnect the affected machine from the network. Do not share a USB/flash drive with this affected machine. Do not use this machine unless absolutely necessary; use a different machine to check email, sync your phone, etc.
Please do not make any further changes to your machine once you have provided the logs.
I think a lot depends on the extent of the infection, and how soon after infection the disinfection procedure is begun. If malware like Sality gets away on you, then the running state of the computer will be severely compromised, and almost certainly marked by substandard performance / a broken system. Sometimes the Windows Repair option can mend any performance loss in XP, but from what I gather the remnants of the infection are not removed in the process. Reformatting is often the better option.
Also important - what is the strain of the malware?
For example, the attributes and makeup of the malware will differ by strain, on a scale up to the worst-case scenario.
Recently I had an encounter with Sality that could’ve been the worst-case scenario, but fortunately the recovery process was commenced early. The malware was first detected when a USB was plugged into the computer (see image below of Win32 Sality). I disinfected the USB and scanned / cleaned the system. But not sufficiently - here are notes on what to do about Win32 Sality, from a Kaspersky web page (sorry, I didn’t record the source URL so I cannot cite it).
Because I was rushed to do other things, I allowed a user to continue on the system. Malware attributes were still active, but I guess not fully blown because the user didn’t mention any performance loss. However, when I briefly ran the system that night to view the detection data, another malware file transferred, this time from within the C: drive (see image Win32: Malware-gen). And I’m guessing a bit here - because I was so rushed, the recovery was stilted, with no time to keep a record. The next day after boot the system performance quickly deteriorated, and I once again ran an avast boot scan, which detected the Malware-gen file. (I have since run the Windows Repair option and uninstalled/reinstalled avast, so no more records of events are available.)
After the avast boot scan, I ran ComboFix for the first time ever (twice), which seemed to help, and a general search and destroy throughout the system and registry, the combined effect of which was to cripple the virus. Nevertheless, the system’s response to disinfection had been hostile. I was unable to turn the antivirus off for ComboFix. Relentless obstruction included keylogger barriers, denials of service, reset group policies including file/folder ownership and refusal of permissions (to delete), modifications to config settings, and so on. Neither did I manage to get a whole picture, because once crippled, the malware was truly spent, and regardless, I kept on wiping whatever toxic remnants remained.
By that stage I was fully involved in disinfection, and had put everything else to one side. I ran the Kaspersky recommendations, and for a couple of days tried to mend manually any incorrect modifications engineered by the virus. Then I followed an essexboy guide for removal of security tools, then uninstalled avast, ran the Windows Repair option, and reinstalled avast. Finally, work to bring the system back to optimal performance.
As my post says, I usually run into small-fry malware, so it doesn’t bother me too much when a non-priority computer is threatened - it often means I will get a bit of practice at malware fighting. And I can afford to lose a system (I have surplus, my overriding advantage when it comes to malware infections). This time I might have lost the system, and yet my intuition tells me that even with a case of Virut, as long as I strike reasonably early, I should be able to recover the system without recourse to a reformat.
I’m sure there will be some on the forum that will not agree with this intuition. And that is a good thing because in today’s environment, we should never underestimate the capabilities of malware and the bundled software packages that make up their force and effect.
Yes, I totally agree. Same thing for TDSS; my brother had TDSS on his PC for about 2 weeks, and it really messed up the MBR. I ran TDSSKiller on his PC and it said it successfully cured bla bla. The next restart was a blue screen of death and the only solution was a reformat ;s
I"VE ALREADY TRIED IT!!!
IT COULDN’T EVEN FIND IT…
NOW EVEN IKARUS CAN’T FIND IT!!
THE ONLY ANTIVIRUS THAT CAN FIND IT IS
‘IMMUNET PROTECT FREE’ BY ITS CLOUD ENGINE ‘SPERO’
THANK you a lot, sir
Just to let you know, I’ve already tried everything related to Sality, but nothing seems to work!!
NO ANTIVIRUS CAN DETECT IT EXCEPT “IMMUNET”!!
THANK you A LOT, mkis, for sharing your useful experience with us!!
MERRY CHRISTMAS & A HAPPY NEW YEAR FOR ALL OF YOU!!
NOW JUST FOR YOUR INFO: I TRIED THE FOLLOWING & THEY ALL FAILED TO DETECT SALITY (except IMMUNET of course):
Kaspersky Virus Removal Tool - NOD32 on-demand scanner - eScan toolkit utility - avast - Avira - McAfee - Norton - Trend Micro HouseCall - Malwarebytes (free & paid) - Lavasoft - Ashampoo - Ikarus (though it detected it at first, but now it doesn’t) - BitDefender - Panda - :‘( :’( - VBA32 - Sality removal tool by AVG - SalityKiller by Kaspersky - etc…
NONE COULD DETECT IT!!
@ the same time, i’m definitely sure it’s not false positive!!
HAPPY 2011 EVERY1!
I WISH I were kidding, but I’m not!
Imagine:
When I scanned using Emsisoft Emergency Kit with the user interface: nothing detected, but
when I scanned using the Emsisoft command-line scanner, it detected ‘Sality’ in a running process:
C:\Program Files\Adobe Reader 9.0\Reader\reader_sl.exe!!!
Well, all right, when you’re infected with Sality, in addition to what Left123 said, you also get lots of errors in programs which used to run smoothly (since Sality spoils them), and you might get occasional BSODs, too…
Judging by what you said in this topic, you might have something not-so-good on your system, but Sality? If ALL Sality-removing tools but some stuff from Emsisoft (which has some FPs, I assume) failed to detect Sality? I think not.