win32:sality-gen worm?

hi…

i recommended to some friends that they use avast! as their AV. they all do not have stable online access yet, so i downloaded the 4.8 free home edition kit and installed it offline, with the latest version of the program (no updates on the virus databases, though), and used that.

i ran an avast first-time scan on boot, on two computers now that had nothing in common, and both scans came out as having detected huge quantities of infected files, with a few trojans (which were also being detected by other programs, such as Malwarebytes' Anti-Malware, and taken care of), but mostly with a win32:sality-gen worm.
i quarantined the infected files until i ran out of space, then just deleted them all, and even though some of the system files were detected and presumably deleted too, the system seems to work just fine on one of the computers (on the other one i had to re-install windows xp just to be able to install avast!, because someone had tampered with the user accounts and i couldn't even start the installation).

i can't get the reports to post since these people are living rather far away and can't contact me fast, nor are they computer-savvy enough to do it on their own, but i am wondering if this is a normal occurrence.

even the kit that i had copied on the desktop prior to the install was detected on boot as carrying this sality-gen, and the file had just been downloaded and NOT detected on my own computer.

the computers i installed avast on were really out of date; they had been used mainly for gaming and one hadn't had an AV for ages, so the first time i wasn't surprised, but then i started worrying that it may be a false positive.
one of the persons in the matter has a kid who uses yahoo! messenger when her connection works, and she tells me that just about each and every message she gets is being detected as infected, with avast! active, firewall on, no strange features used on Y!M. is this normal?!

what am i doing wrong? (aside from not updating the database, the program can’t do that until the connection is changed and i can’t do anything about that.)

help!

You've done it correctly.

Not good… you can increase the Chest space and the size of the chested file.
Delete does not allow recovering the file…

Well… dangerous, as you could see by the consequences…

Well, which antivirus did they use before avast?

Are you using the same virus database?

Depends… difficult to say… which is the virus being detected in the messages?

Download the update here: http://files.avast.com/iavs4pro/vpsupd.exe

Or copy 400.vps and clnr0.dll files from an updated avast installation to a USB stick and transfer them to the \Data folder of the off-line computer (having disabled the avast self-defence module first).

i know :( but it was a boot-scan and i didn't know to expand the chest while it was scanning in that mode. plus, if all the infections were real, i think i would've needed a 5 GB chest. sigh

… but the system doesn’t appear to have suffered terminal problems. i mean, it didn’t even cry out the norm, the “this-and-that dll is missing” or given any sign of malfunction.

the computer with the Y!M problem had McAfee, and i cleaned that with McAfee's recommended cleaner (i got it on their site) after uninstalling it (because i wanted to make sure there wouldn't be any interference), and the other had a cracked nod32 that the owner had no idea how it ended up on his computer, or if it ever worked. there were some quarantined viruses in it, and i tried deleting them and then uninstalling the soft; the viruses were reported deleted, but avast! found them on the boot scan (i noticed the same paths), and the soft wouldn't go because it was corrupted. i had to use fileassassin on them, because i didn't know he had nod32 and didn't look for a remover.

my AV and its database are up to date and running. it’s not avast! here, though (it’s my computer at work) but AVG 8.0 free edition. it didn’t have a problem with the avast! install kit. there shouldn’t have been one anyway, i hope. i downloaded the kit from avast! website yesterday.

the same win32:sality-gen worm, in the majority, and a trojan the kid couldn't name because she wasn't paying attention. is there some news on attacks on the yahoo! website? i am pretty sure what was detected was linked to the cookies set by the site… not 100 % sure though.

thank you, i'll use that and re-run a deep scan. is that file updated daily, or is it the whole virus database, updated periodically but not daily?

thanks again, i’ll let you know if that detection comes again after the DB is on.

Win32:Sality and Win32:Sality-gen are families of very dangerous file infectors… it’s not easy to disinfect the infected files, cause there are many different variants… i’m not happy to say that, but the way to be sure is to backup non-PE files and reinstall the OS… DrWeb CureIt may also help, but i can’t confirm this information… it’s always better to prevent the infection by using an up to date AV, than trying to clean these widespread infections “post-mortem”…
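As an added example that is not part of the thread or of any avast tool: the advice above is to back up only the non-PE files before wiping the OS, because a file infector like Sality attaches itself to executables and copying those would carry the infection onto the new install. The script below, written for this page, decides by file header (the MZ/PE signatures) rather than by extension, so a renamed executable such as a constructed "invoice.pdf.scr" is still skipped. It assumes the infected drive is mounted read-only somewhere (the path is a placeholder) and only lists what would be copied; it does not copy anything.

```python
"""Split a directory tree into non-PE files (safe to back up) and PE files (skip).

Added example for the thread above; not part of avast or any other product.
Decides by header, not extension: a Windows PE image starts with the DOS
'MZ' magic and has a 4-byte 'PE\\0\\0' signature at the offset stored at 0x3C.
"""
import os
import struct
import tempfile
from pathlib import Path


def is_pe(data: bytes) -> bool:
    """True if `data` begins a Windows PE image (MZ header + PE signature)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of 'PE\0\0'
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_pe_file(path: Path) -> bool:
    """Same check, reading only the DOS header and the 4 signature bytes."""
    try:
        with path.open("rb") as fh:
            dos = fh.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"
    except (OSError, ValueError):
        return False  # unreadable files are not copied either


def plan_backup(root: Path) -> dict:
    """Walk `root`; return sorted relative paths under 'backup' and 'skip'."""
    plan = {"backup": [], "skip": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            plan["skip" if is_pe_file(p) else "backup"].append(rel)
    plan["backup"].sort()
    plan["skip"].sort()
    return plan


def make_fake_pe() -> bytes:
    """Constructed, harmless stand-in for a PE file: MZ header + 'PE\\0\\0' at 0x80."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)    # e_lfanew -> 0x80
    return bytes(hdr) + b"\0" * (0x80 - 0x40) + b"PE\0\0" + b"\0" * 20


def build_sample_tree(root: Path) -> Path:
    """Constructed sample tree standing in for the infected drive."""
    files = {
        "docs/report.txt": b"quarterly notes\n",
        "pics/holiday.jpg": b"\xff\xd8\xff\xe0JFIF\0" + b"\0" * 64,
        "game/launcher.exe": make_fake_pe(),
        "docs/invoice.pdf.scr": make_fake_pe(),  # executable hiding behind a double extension
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def demo() -> dict:
    """Build the constructed tree in a temp dir and return the backup plan."""
    root = build_sample_tree(Path(tempfile.mkdtemp(prefix="sality_backup_")))
    return plan_backup(root)


if __name__ == "__main__":
    # On a real machine replace demo() with plan_backup(Path("D:/"))  # placeholder path
    result = demo()
    print("back up:", *result["backup"], sep="\n  ")
    print("skip (PE):", *result["skip"], sep="\n  ")
```

Anything in the "skip" list is an executable and stays on the old disk; the "backup" list is what goes onto the CDs before the reinstall. Scripts, Office macros and similar non-PE carriers are not caught by this check, so the restored files still get scanned with the updated database on the fresh install.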

Well, Maxx said what I've been trying to say… it's a complex infection, not only terminal but also unrecoverable.

Sooner or later the antivirus is broken during an update… definitively it’s not an application to be cracked. By the way, avast free does a better job.

So… it was not an avast fault… and we’ll not be able to further help as we are avast specialists.

And does AVG let all those infections pass through? ;D :'(

The .exe file is updated each time the database is updated, generally, daily.

i know… that’s what he had though.

i sure hope not… but i don't get to change all the AVs in my work place, and it's kind of not legal use anyway, because AVG free should be run on a home computer as far as i know and here we have a LAN. eh well. not my problem.

anyway, i've given the DB to the ex-nod32 guy and asked him to install it and do another boot scan. i hope it'll come out clean because i installed a clean XP and formatted the second partition just to keep it safe.

the ex-McAfee guy is on tomorrow… if what you said about the killer infection proves true then i'll wipe his OS and re-install it too… the problem is that he has 4 partitions (it made me go crazy when i first saw it…) and he only has a CD writer, so we have an important-files backup problem.

is there a way to go around having to format the other partitions and still get the worm?