rnqjqn.exe and win32:sality

Hello everyone,

Any guidance on the following will be appreciated.

Here’s the background. My Mum’s laptop (Toshiba Satellite Pro, Windows XP Professional 2002 SP3, Intel Pentium Dual Core, 2.87 GB ram) had AVG free antivirus software but for a reason I won’t go into AVG was temporarily turned off. An infected USB memory stick borrowed from someone else (who had no security or firewall of any kind…) was inserted into her laptop, and her computer now has multiple infections (over 120 files) which have disabled almost all key programmes - windows explorer, firefox, ccleaner, task manager, system restore…

I downloaded SAS, MBAM and avast to the laptop. While they all could identify the infections, they could not remove them. Even when SAS and MBAM reported successful removal, the infections still showed up with every subsequent scan. Worse, both SAS and MBAM have been infected, and now won’t run. Avast can’t repair any of the files, and I can’t delete most of them because they’re essential. Avast also can’t send most of the infected files to the chest, because (a) the files include so many large .exe files that the chest fills up pretty quickly, and (b) many of the infected files won’t run from the chest, making the laptop a bit obsolete.

Anyway, the file on the USB key which seems to be the root of the problem is one called rnqjqn.exe, as identified and blocked by avast when the stick is connected, and reported by avast as Win32:sality.

Basically, I think my Mom’s machine is buggered… any suggestions as to how to remove the offending infections would be appreciated.

Thanks,
MP

I suggest you format the USB drive, then the laptop and do a fresh reinstall because Sality is very dangerous.

Virut and other file infectors - throwing in the towel?

When should I re-format? How should I reinstall?

Take care! Sality is a very dangerous virus. Back up what you can, and take care even with the backed-up files themselves.
If it is on a USB key and you can throw the contents away, go ahead, format!

Hi, I have had some success with Sality as it does not corrupt the system files to the same extent as Virut. Full instructions at http://www.virusexperts.org/removal-tips-tools-and-videos/how-to-remove-and-fix-virus-win32-sality-win32sality-ah-win32sality-ag-with-kaspersky-tools/ but below is a synopsis of what needs to be done

Step 1. Preparation to disinfection:

Download the file http://support.kaspersky.com/downloads/utils/salitykiller.zip
Unpack the file SalityKiller.zip
Run the file SalityKiller.exe on each computer in turn

Step 2. Cleaning the registry of infected computers in the domain network:

download the file http://support.kaspersky.com/downloads/utils/sality_regkeys.zip
unpack the file Sality_RegKeys.zip
run the file Disable_autorun.reg from the archive Sality_RegKeys.zip
You can also disable autorun from all devices by running the SalityKiller utility with parameter -a.

Click Yes to confirm adding the information to the registry

Step 3. Once the scan is over, from the archive Sality_RegKeys.zip run the file of the registry key:
under Windows 2000 run the registry file SafeBootWin200.reg
under Windows XP run the registry file SafeBootWinXP.reg
under Windows 2003 run the registry file SafeBootWinServer2003.reg
under Windows Vista run the registry file SafebootVista.reg

On completion run Combofix

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
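As an added check that is not part of essexboy's post or of the Kaspersky tools: a small batch script for verifying, from a cmd.exe prompt on the XP laptop, that the two .reg files from Sality_RegKeys.zip actually took effect before you move on to ComboFix. It assumes (my assumptions, not something the page states) that Disable_autorun.reg sets the standard NoDriveTypeAutoRun policy value to 0xff, which switches off autorun for every drive type, and that SafeBootWinXP.reg restores the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network keys that Safe Mode needs. The optional drive letter argument is for the borrowed USB stick, so you can see whether it still carries an autorun.inf pointing at the dropped executable.

```batch
@echo off
rem check_sality_regkeys.cmd - added verification script, not from the original
rem thread or from Kaspersky. Usage from Start > Run > cmd:
rem     check_sality_regkeys.cmd          (registry checks only)
rem     check_sality_regkeys.cmd E:       (also inspect the USB stick root on E:)
rem Assumes Windows XP and that reg.exe is on the PATH (it ships with XP).
setlocal

echo === Autorun policy (assumed target after Disable_autorun.reg: 0xff) ===
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun 2>nul
if errorlevel 1 echo   machine-wide NoDriveTypeAutoRun is NOT set - re-run Disable_autorun.reg
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun 2>nul
if errorlevel 1 echo   per-user NoDriveTypeAutoRun is NOT set (only a problem if the .reg was meant to set it)

echo.
echo === Safe Mode keys (assumed to be what SafeBootWinXP.reg restores) ===
for %%K in (Minimal Network) do (
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\%%K" >nul 2>&1
    if errorlevel 1 (
        echo   SafeBoot\%%K is MISSING - Safe Mode will not boot; re-run SafeBootWinXP.reg
    ) else (
        echo   SafeBoot\%%K present
    )
)

echo.
echo === Services that Sality-class infectors commonly disable (informational) ===
rem Only reporting state here; the script changes nothing.
for %%S in (wscsvc SharedAccess wuauserv) do (
    sc query %%S | find "STATE" >nul 2>&1
    if errorlevel 1 (echo   %%S: not queryable) else (
        for /f "tokens=4" %%T in ('sc query %%S ^| find "STATE"') do echo   %%S: %%T
    )
)

if "%~1"=="" goto :eof
echo.
echo === Removable drive %~1 root (read-only look, nothing is executed) ===
if exist "%~1\autorun.inf" (
    echo   autorun.inf found on %~1 - contents follow:
    type "%~1\autorun.inf"
    echo   attributes:
    attrib "%~1\autorun.inf"
) else (
    echo   no autorun.inf on %~1
)
rem Hidden/system .exe files in the root are the usual dropper pattern.
dir /a:h-d "%~1\*.exe" 2>nul
endlocal
```

The script only reads; it never deletes or runs anything on the stick, which matters because the avast block on rnqjqn.exe only fires when something tries to execute it. If the SafeBoot keys report as missing, run SafeBootWinXP.reg again before rebooting into Safe Mode, otherwise the machine will blue-screen on the way in.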

Thanks essexboy, you are a gem.
Before I follow your instructions, do I need to restore all the sality-infected files from avast’s virus chest, or will the Kaspersky tool still find and process them there?
MP

If they are system files then restore them - programme files would be better re-installing afresh

Here is the ComboFix.txt file.

MP

OK, Combofix is not reporting an active file infector. What problems are you experiencing at the moment?

Keeping with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

[*]Close any open programs
[*]Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.

[*]Once the update is complete, click on Settings.
[*]Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  [*]Spyware, adware, dialers, and other riskware
  [*]Archives
  [*]E-mail databases
[*]Click on My Computer under the green Scan bar to the left to start the scan.
[*]Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
[*]Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
[*]Click View report… at the bottom.
[*]Click the Save report… button.

http://perplexus.geekstogo.com/KasReport.png

[*] Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

Thanks essexboy,

KasReport.txt attached

Salitykiller found and cured over 170 infected files, about the same number identified by MBAM and avast. Most of these were files that were in the avast virus chest and which I restored prior to the Salitykiller scan.*

Avast and MBAM now don’t see any infections, so I think that we’re back in business.

  • One thing I noticed: when I restore files from the virus chest, they don’t actually leave the chest - it’s as if a copy is made and placed in the original location. Any ideas why this is, or how I can restore files and actually remove them from the chest?

Thanks again essexboy, you are now permanently located at the top of my Christmas list.
MP

* One thing I noticed: when I restore files from the virus chest, they don't actually leave the chest - it's as if a copy is made and placed in the original location. Any ideas why this is, or how I can restore files and actually remove them from the chest?
It is a copy, just in case....

http://forum.avast.com/index.php?topic=51652.0

OK one final stage now, just to confirm that the windows files are not corrupted.

From the Start menu, select Run.
In the Open field, type sfc /scannow (Note: There is a space between sfc and /scannow)
Select the OK button.
Follow the prompts throughout the System File Checker process.
Reboot the computer when System File Checker completes.

Once you are happy I will remove my tools and tidy you up ;D

Thanks guys.

First, Pondus - many thanks for that info. In this case, the restored files were successfully disinfected after restoration, so is it safe to delete the “copy” from the chest? Sorry if that’s a dumb question…

Essexboy - that System File Checker scan ran its course and then nothing happened, so I assume it found no problems…

Nicely done - you can empty the chest

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

We will now confirm that your hidden files are set back to not showing, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

SPRING CLEAN

Download TFC to your desktop

[*]Open the file and close any other windows.
[*]It will close all programs itself when run, make sure to let it run uninterrupted.
[*]Click the Start button to begin the process. The program should not take long to finish its job.
[*]Once it’s finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

THEN

Download Flush Flash from Here and follow the easy to use instructions on the same page

NEXT

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave:

Thanks essexboy.

I’ll see how I get on over the next day or so and get back to you with any issues.

MP

Oh, just one more question:

I use CCleaner (weekly) and MyDefrag (monthly) to spring clean. Anyone have any comments on their performance vs others such as TFC / Puran Disc Defragmenter?

MP

TFC goes deeper and clears all caches (FF, Chrome, IE and one or two others), all temp locations and flash cookies.

I just like Puran for no other reason than it will boot defrag

Thank you sir!