Win32:Sality Help

Just got a new hard drive installed on my computer with Windows 7 x64 Ultimate preloaded. Soon after, I found out that the technicians who set it up somehow managed to get it infected with Sality. I would prefer to avoid reinstalling - there may be very little installed on the new drive, but this machine has been through so many reformats, I’m getting a bit tired of the recovery process. Avast seems to have found and removed all of the infected files - most of them were in an install of Nero, which I also removed - but I’m concerned about stability with so many files moved to the chest.

Not sure how to retrieve the actual log files and post full copies of the text here, if that’s even possible, but the boot scan I just ran tossed up at least a dozen errors claiming various CAB files were corrupt (although most of them seemed to have other extensions). Presumably, it would be easier to determine whether the problem can be solved with individual software reinstallations if they were all listed.

Files infected, as far as I know - taken manually from the log viewer, because I don’t see an export button:

Win32:Sality:
C:\Config.Msi\1c5222.rbf
C:\Config.Msi\1c5228.rbf
C:\Config.Msi\1c58dc.rbf
C:\Config.Msi\1c5a27.rbf
C:\Config.Msi\6d1343.rbf
C:\Config.Msi\cebb4f.rbf
C:\Config.Msi\cebb50.rbf
C:\Config.Msi\cebb55.rbf
C:\Config.Msi\cebb5f.rbf
C:\Config.Msi\cebb66.rbf
C:\Program Files (x86)\Common Files\LightScribe\LSLauncher.exe
C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe
C:\System Volume Information_restore{6DE539DA-CFBA-4562-B4E4-9B0FCF5390C9}\RP457\A0122539.exe
(Note: These following files are listed twice in the Chest for some reason)
C:\Windows\Installer$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ACECNFLT.EXE
C:\Windows\Installer$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\DRAT.EXE
C:\Windows\Installer$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\GROOVE.EXE
C:\Windows\Installer$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\GROOVECLEAN.EXE
C:\Windows\Installer$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\GROOVEMIGRATOR.EXE
C:\Windows\Installer$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\GROOVESTDURLLAUNCHER.EXE

Win32:Sality-GR:
C:\Users*snip*\AppData\Local\Temp\winnvwrc.exe|>[UPX]
C:\Users*snip*\AppData\Local\Temp\xapksp.exe|>[UPX]

If there’s a way to view all the details of the scans performed, and more importantly, to recover fully without reformatting the drive, more info about it would be much appreciated.

follow the guide here and attach (not copy and paste) logs from Alwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0

sality is a file infector, and that often means a reinstall…but lets see what Essexboy say first

here is some info on file infectors
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

Here are the logs. There didn’t seem to be much in here.

Firstly how is the computer behaving ?

Lets clear the temp files where it usually hides. Also the MD5’s on the system files are good

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop

[*] Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

That’s the thing. In the few days I’ve had this Windows 7 drive, I’ve had very few errors - Aero crashed once and the calendar widget went blank another time, but I haven’t had any repeat incidents. The other issues were related to graphics drivers. Actually, most of the “CAB archive corrupt” errors were from Temp folders, if I remember correctly. Beyond that, I haven’t noticed any odd behavior.

Speaking of which, just cleared my temp files with the tool and rebooted.

Does that mean this is good to go, apart from possibly having to reinstall some software?

As far as I can see yes… If you still had Sality on the system Avast would be screaming blue murder as files were being infected

But let it run for another day or so to be sure, and if all is OK I will then remove my tools ;D

It seems I forgot about this topic… mainly because I haven’t had any virus-related problems ever since, apparently. I suppose this means that the system is clean.

Just posting to ask for this to be locked and/or marked as solved, if that’s the general policy here. Oh, and a thank-you to essexboy and Pondus for the prompt responses.