Ok, I managed to infect my laptop with Win32:Sality while trying to help my colleagues rid their USB pens of viruses. I am at sea and cannot connect my laptop to the internet. I can transfer things via USB from a PC that is connected. Connection speed is VERY limited (like ISDN and divided among several computers). I also won’t be going ashore for the next two months so I really need my laptop =(
As of now I think I have managed to contain it. I have avast 4.8 currently installed with the latest definitions and the last scan managed to find a lot of infected files (avast 4.7 with two-month-old definitions didn’t find anything despite the virus being several years old). I have used a Sality removal tool, but I can’t see that it did anything helpful at all. It ran a scan and said “ok” to a lot of files, but it never did anything for the virus problem. I have tried MBAM also (I don’t need to update it if I installed the newest version, I hope?) and it found a few registry entries.
The problem now:
Upon infection it turned all my folders on D:\ into exe files and hid all my original folders (not on C:\ for some reason). When I restarted Windows I was also asked to log on under my name although I have never used a logon or a password.
In safe mode, logging in as administrator, I was able to set a password for my account and can now log in. I cannot log in as administrator unless I use safe mode. I tried to set my account to allow everything and be an admin account, but it seems to revert itself afterwards. When logged in as myself I cannot view my folders, and I cannot go to “Folder Options” (it’s gone). There are also some weird attributes on them, -SHR I think, but I can’t change them even through the cmd line.
When logged on as administrator in safe mode I can view my folders and Folder Options. I try to remove “read only” and “hidden” but it just reverts back.
So… anyone have any ideas I can try? Is it the virus that’s still messing things up, or is this just a Windows problem I need to fix now?
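The symptom described above (a same-named .exe beside each folder, and the real folder set hidden+system) can be checked for in one pass. This is an added example, not code from the thread; it assumes the drive root is D:\ and that the fake files are named exactly like the folders they shadow. It only reports, and clears the folder attributes when asked; it never runs or deletes the .exe files, which are left for the AV boot-time scan to quarantine.

```powershell
# Added example (not from the thread). Lists hidden+system folders under $Root that have a
# same-named .exe next to them, and with -Fix clears Hidden/System/ReadOnly on the folders.
# Assumption: the fake executables are named <FolderName>.exe in the same directory.
param(
    [string]$Root = 'D:\',   # assumed drive root, change as needed
    [switch]$Fix             # without -Fix the script only reports
)

$hidden = [IO.FileAttributes]::Hidden
$system = [IO.FileAttributes]::System
$hsr    = $hidden -bor $system -bor [IO.FileAttributes]::ReadOnly

Get-ChildItem -LiteralPath $Root -Force |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $dir     = $_
        $fakeExe = Join-Path $Root ($dir.Name + '.exe')
        $isHS    = (($dir.Attributes -band $hidden) -ne 0) -and
                   (($dir.Attributes -band $system) -ne 0)

        if ($isHS -and (Test-Path -LiteralPath $fakeExe)) {
            $exe = Get-Item -LiteralPath $fakeExe -Force

            # Report the pair so the size and timestamp of the .exe can be compared
            # with the other files the infection wrote.
            $dir | Select-Object FullName, Attributes,
                @{ n = 'FakeExe';    e = { $exe.FullName } },
                @{ n = 'ExeSize';    e = { $exe.Length } },
                @{ n = 'ExeWritten'; e = { $exe.LastWriteTime } }

            if ($Fix) {
                # Clear only the folder's H/S/R bits; the .exe is deliberately untouched.
                $dir.Attributes = $dir.Attributes -band (-bnot $hsr)
            }
        }
    }
```

If the attributes come back after a -Fix run, something is still running and re-applying them, which points to the infection rather than a Windows setting.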
Looking at your issues, I am afraid that your system has also been infected by win32.
And if that has happened to your system, there is no other way: you need to re-install your Windows again to fix the whole infected system.
But to be sure, there are some steps you need to do:
Please check your registry: open Start - Run - type “Regedit” - go to HKLM → Software → Microsoft → Windows → CurrentVersion → Run. (If you are able to tell which entries are the real ones still running in your system and which are correct, that is an advantage for you.)
You could also check your Windows startup with Start - Run - type “Msconfig” - please check in your system startup whether there is any other foreign application that will run after you boot up Windows.
You could also check your Windows folder at Drive C (based on where you installed Windows) - Windows. Please make sure that your whole Windows folder is a normal size, or does it have a different size?
Please do the boot-time scan with your avast, and if it finds the foreign attacker, please move it to the chest.
Please do those steps first… and then get back to us if it is still not solved.
I have no XP CD or Ubuntu with me so I will avoid a reinstall at all costs =/
I will try these steps in a few hours when I am off duty and get back to you.
After Run, what is it exactly I should be looking for?
I tried looking here before but it was hard to determine which files were necessary and which were not
I don’t know the exact size it was to begin with. There are however 3 suspicious files in my C:\ folder named “autoexec.bat”, “io.sys” and “config.sys”. They were all 0 kB, with the same modified date as the other “fake” files the virus created, so I deleted io.sys. I now see on this other Windows install that they actually belong there. Windows still worked fine afterwards though.
I tried the boot-time scan before and it found a lot of infected files. I chose delete all, even system files, and Windows still worked fine afterwards.
Please look for any application that is running out of Windows\System32, and after that please make sure it is the real application that you use to run something on your system.
It is wise to check on the internet to make sure that your .exe file is the real one.
Anyway, can you go into safe mode with your current OS condition? Are you able to log in using the username Localhost without a password?
Have you tried again to scan with the avast boot-time scan?
Please try to download Malwarebytes and then update it first; after that do the Malwarebytes scan.
Then please use the HijackThis tool to scan your system, and then please submit the HijackThis log report here. Let us help you find this trouble.
Thanks a lot for the help guys, I made some progress.
Everything looks fine here, no unknown apps
Everything looked good here too, recognized all apps
I can log in in safe mode as administrator. I will try to log in as Localhost… if that works, what can I do from there?
I ran HJT and it found the registry entry that denied access to Folder Options in my account. Removed it and now I can access Folder Options and view the hidden folders! However, I still can’t change the attributes (read-only, hidden and system).
If I can download an update for malwarebytes I can transfer the file by usb, but I can’t connect directly with my laptop. Is there such an update? I have the newest malwarebytes version. I will post my HJT log later today.
Pondus: Thanks. I will try Norman if this doesn’t work, but the file is very big so I may not be able to download.
Ok, I have scanned with avast (boot), the Sality removal app (boot) and Malwarebytes and they don’t find any more infections.
I cannot log in as Localhost in safe mode.
So, I’m hoping this is now a Windows-related problem. I still can’t change the attributes (SHR) on the folders.
Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:53:08, on 11.11.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
I am very sorry that currently I am not able to access HijackThis and generate the information.
But to know about your system status, you could visit hijackthis.de and then see the generated report of which files are bad on your system.
Oki, thanks anyway. I tried to paste my logfile and press “analyze this”, but the next page won’t seem to load. Maybe my connection? Can anyone else try to paste my logfile and see what it says?
For file infectors, salvage the files with Live Linux to a USB key or portable HDD and format the entire thing. Otherwise you’ll never truly win the fight.
Today I tried it again, and could generate the analysis report:
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
You could fix this missing file, and I didn’t find any harmful application on your system. Maybe, as NMB mentioned, HJT is not really helpful for analysing infected files.
Sadly, it’s not only nmb but also L’arc, RejZoR, essexboy and some other forum members. It seems to be common sense that HJT is not effective against file infectors considering their nasty nature. I had been optimistic, too, till I knew the nature of the file infectors.
[Edit]I don’t like to sound discouraging but I cannot but admit that this is a logical conclusion… :'([/Edit]
Unfortunately Sality and Virut, due to their nature, tend to corrupt Windows system files. Although the system may run, you will keep experiencing errors, slowdowns and in extreme cases BSODs. Plus you are open to other infections more easily than a fully working system.