Win32:Sality-AI

system · 2007-07-07T03:36:55.000Z

Hi all,

Please I need help to get rid of this virus I catched for an unknown way.
File: C:\WINDOWS\system32\vcdgcw32.dll
Virus: Win32:Sality-AI
Type: Virus/Ver ( worm )
VPS Version: 000754-4, 2007-07-06

I tried to delete it, repared it, put it in quarantine, etc… it always ome back each time I reboot.

Please help me!!!

Thank you

system · 2007-07-07T05:21:59.000Z

Try an avast! boot scan, making sure to use the clean (or repair) option on any detections.

system · 2007-07-07T05:43:38.000Z

Thanks I will try that.

Lisandro · 2007-07-07T12:09:08.000Z

CaptCom post:1:

it always ome back each time I reboot.

If a virus is replicant (coming and coming again), you could follow the general cleaning procedure:

Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3).
Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.
Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).
It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.
If you still detecting any strange behavior or even you’re sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.
Also, if you still detecting strange behaviors or you want to be sure you’re clean, maybe making a HijackThis log to post here and, specially, scan and submit to on-line analysis the RunScanner log would help to identify the problem and the solution.
After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.
Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

system · 2007-07-07T14:32:40.000Z

Thanks Tech. I will try that because the first solution failed. The Cleaner never found it.

Lisandro · 2007-07-07T14:40:16.000Z

CaptCom post:5:

The Cleaner never found it.

avast The Cleaner?
It’s not a full antivirus, just a removal tool. It won’t detect more than avast antivirus, on contrary, will detect just few cleanable malwares.

system · 2007-07-07T14:44:47.000Z

I saw that. The antivirus ( Avast ) found it and before I do anything I start the cleaner.
I will do what you suggested

system · 2007-07-07T18:14:04.000Z

Sality is a file infector of exe’s that also drops a backdoor in the windows folder. The backdoor is safe to delete, but deleting the infected exe’s may cause problems. These should be cleaned instead, and if avast! isn’t successfull then maybe an online scan will help.

Are there more files that just C:\WINDOWS\system32\vcdgcw32.dll detected?

system · 2007-07-07T18:49:24.000Z

Thanks for your answer.

So far all I tried failed.

Are there more files that just C:\WINDOWS\system32\vcdgcw32.dll detected?

I don’t think so but I’m not 100% sure because Avast found it when I boot and even if I try to delete it, it comes back another time with the same warning message and I have to delete it again. Then its ok.

Lisandro · 2007-07-07T23:10:37.000Z

CaptCom post:9:

I don’t think so but I’m not 100% sure because Avast found it when I boot and even if I try to delete it, it comes back another time with the same warning message and I have to delete it again.

Did you try the steps I’ve posted on #3 just above?

Announcements