Win32:Sality

No way I can repair this, and it downloads onto my desktop; when I check the folder it only checks the exe, and then it's downloaded and I cannot run the program without avast picking up the exe file.

What am I supposed to do?

I just got a warning on this too, in a program I’ve been running for months that doesn’t run via the net. I see that it’s an old virus from 2003 (if I’m reading the Knowledge Base correctly). Is this a false positive? If so what do I do?
???

Pause the Standard Shield and send the files to www.virustotal.com for analysis… post the scan results here and we'll see :wink:

OK, after I copied the files there, there was no indication of an issue; however, I still get the virus detected when uploading the patch to my files. Also, since this happened I am unable to open my e-mail unless I turn it off, and I am very reluctant to do so.

The server responded with an error. Account: ‘incoming.verizon.net’, Server: ‘incoming.verizon.net’, Protocol: POP3, Server Response: ‘-ERR concurrent connections limit in avast exceeded(pass:20, processes:avp.exe[19], msimn.exe[1]), there is a collision with another program’, Port: 110, Secure(SSL): No, Server Error: 0x800CCC90, Error Number: 0x800CCC90

what is avp.exe, and why would it require a mail connection ?

My googling returns that it is part of Kaspersky Internet Security ?
So do you still have this on your system as it would appear that it is still checking your email, hence the “there is a collision with another program” part of the error message ?

If so, having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.

Either that or this is malware (trojan on your system), http://www.liutilities.com/products/wintaskspro/processlibrary/avp/.

You could also check the offending/suspect file avp.exe at: VirusTotal - Multi engine on-line virus scanner and report the findings here.

OK, I took care of the avp.exe (removed it), but I still get the Win32:Sality detection from trying to run patch programs from the internet, and I am not able to patch programs due to this.

My response was only related to the problem you experienced with your email.

You don’t say if removing avp.exe resolved that problem with the email ?
Probably more importantly you didn’t answer the question about if you have K.I.S. ?
If you don’t have K.I.S. did you upload it to virus total and if so what were the results ?

We ask questions to gather information to be able to help, if you don’t answer them we are working in the dark.

Maxx suggested you pause the Standard Shield and upload the file to VT and post the results, did you do that ?

What is the infected/suspect file name that keeps getting detected, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

The virustotal analysis looks clean… can you post here the last few lines of your warning.log file? You can find it under the avast directory…

6/12/2008 3:35:17 PM SYSTEM 848 Sign of “Win32:Sality” has been found in “C:\Program Files (x86)\Paradox Interactive\Take Command - 2nd Manassas\TC2M.exe” file.

Note: it doesn't matter what site I get this patch from, they are all like this. I have to do anything not understanding what is happening.

If it is indeed a false positive (and it looks that way), add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

If it is indeed a false positive (and it looks that way), add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions

DavidR: I'm not that computer savvy, but I open Standard Shield, Customize, Advanced, but I do not find Program Settings, Exclusions.

Here’s the results for the first file - there are about 8 total, all related to the same application - Strat-O-Matic computer baseball. Their tech support told me “the Win32 message is a false positive, people have seen it with our EXE files for a while now.” Should I continue to scan and report the rest?

File SomBB.exe received on 06.13.2008 02:29:46 (CET)
Result: 3/32 (9.38%)

Antivirus Version Last Update Result
AhnLab-V3 2008.6.13.0 2008.06.12 -
AntiVir 7.8.0.55 2008.06.12 -
Authentium 5.1.0.4 2008.06.12 -
Avast 4.8.1195.0 2008.06.12 Win32:Sality
AVG 7.5.0.516 2008.06.12 -
BitDefender 7.2 2008.06.13 -
CAT-QuickHeal 9.50 2008.06.12 -
ClamAV 0.92.1 2008.06.12 -
DrWeb 4.44.0.09170 2008.06.12 -
eSafe 7.0.15.0 2008.06.12 -
eTrust-Vet 31.6.5870 2008.06.13 -
Ewido 4.0 2008.06.12 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.12 -
Fortinet 3.14.0.0 2008.06.12 -
GData 2.0.7306.1023 2008.06.12 Win32:Sality
Ikarus T3.1.1.26.0 2008.06.13 -
Kaspersky 7.0.0.125 2008.06.13 -
McAfee 5316 2008.06.12 -
Microsoft 1.3604 2008.06.13 -
NOD32v2 3182 2008.06.12 -
Norman 5.80.02 2008.06.12 -
Panda 9.0.0.4 2008.06.12 -
Prevx1 V2 2008.06.13 -
Rising 20.48.32.00 2008.06.12 -
Sophos 4.30.0 2008.06.13 -
Sunbelt 3.0.1145.1 2008.06.05 -
Symantec 10 2008.06.13 -
TheHacker 6.2.92.346 2008.06.12 -
VBA32 3.12.6.7 2008.06.12 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.12 Virus.Win32.FileInfector.gen (suspicious)
Additional information
File size: 3010560 bytes
MD5: d5fdd74905237698cac52e53a5996760
SHA1: f80d565619d480c86b84ef3e475dbaab639024e4
SHA256: ec442f6239b9a786509a9bcf5fc0b3493a181ccf4d577866b8dad9f88af30352
SHA512: bd7d9b849b0c47bd45c0dc50681f7e9d6321c0071a2d56e257b10d4768d4e10bec8bfe2eb17a37a5fcccc62b2bb6b53a67967e155811392aa87a13d52a53cf95
PEiD: -
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x70c4b0
timedatestamp: 0x47c2f283 (Mon Feb 25 16:53:23 2008)
machinetype: 0x14c (I386)

( 4 sections )
name virtaddr virtsize rawsize entropy md5
.text 0x1000 0x1d7a5e 0x1d8000 8.00 2c76eabd4cdd9718bd702e59b3069758
.rdata 0x1d9000 0x24f62 0x25000 7.98 8eec34f50f3279ab8d2aada4ed471841
.data 0x1fe000 0x7c3a8 0x44000 8.00 b31062ce786c09a39c69d7115a6b9343
.rsrc 0x27b000 0x9cc90 0x9d000 5.33 c520f2c71a5ebff6344065aaa1d09c3b

( 2 imports )

KERNEL32.dll: ExitProcess, LoadLibraryA, FreeLibrary, GetProcAddress, CreateFileA, CloseHandle
USER32.dll: MessageBoxA

( 0 exports )
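
One detail in the PEInfo above explains why a generic "FileInfector.gen (suspicious)" heuristic and a Sality signature could fire on a clean game executable: the .text and .data sections report an entropy of 8.00, which is what packed or encrypted code looks like, and Sality is a file infector that appends encrypted code to executables. The script below is an added example, not code from the forum thread or from avast or VirusTotal: it parses a PE section table with the standard library and computes Shannon entropy per section, flagging sections at or above a hypothetical threshold of 7.5 bits/byte. The PE image it inspects is constructed in memory (a minimal MZ/PE header with two sections), so it runs offline and is not a real binary.

```python
"""Per-section entropy check on a PE file (added example, not the thread's or avast's code)."""
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.

    Returns a list of (name, virtual_addr, virtual_size, raw_size, raw_ptr).
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rsize, rptr))
    return sections


def section_entropies(pe: bytes, threshold: float = 7.5):
    """Return [(name, entropy_rounded, flagged)] for every section's raw data.

    'threshold' is an assumed cut-off; packed/encrypted code sits near 8.0,
    ordinary compiled code typically well below it.
    """
    out = []
    for name, _vaddr, _vsize, rsize, rptr in parse_sections(pe):
        ent = shannon_entropy(pe[rptr:rptr + rsize])
        out.append((name, round(ent, 2), ent >= threshold))
    return out


def build_sample_pe(sections):
    """Construct a minimal, non-executable PE image from [(name_bytes, raw_bytes)].

    Only the fields parse_sections() reads are meaningful; everything else is zero.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    opt_size = 0
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    raw_ptr = 64 + 4 + 20 + opt_size + 40 * len(sections)
    vaddr = 0x1000
    table, raws = b"", b""
    for name, data in sections:
        # IMAGE_SECTION_HEADER (40 bytes)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(data)
        vaddr += (len(data) + 0xFFF) & ~0xFFF  # next page-aligned RVA
        raws += data
    return bytes(dos) + b"PE\0\0" + coff + table + raws


# Constructed sample: a "packed-looking" .text (uniform byte distribution) and a plain .rsrc.
SAMPLE_PE = build_sample_pe([
    (b".text", bytes(range(256)) * 16),
    (b".rsrc", b"Hello, Strat-O-Matic!\0" * 100),
])


def demo():
    return section_entropies(SAMPLE_PE)


if __name__ == "__main__":
    for name, ent, flagged in demo():
        print(f"{name:<8} entropy={ent:5.2f} {'<- packed/encrypted?' if flagged else ''}")
```

A section at 8.0 is a reason for a heuristic to fire, not proof of infection: commercial installers and protected game executables are routinely packed, which is exactly the situation the vendor describes here. The check tells you that a generic or heuristic verdict is plausible, so the right next steps are the ones in this thread: compare the hash on VirusTotal, see whether the other engines agree by name, and submit the sample so the signature can be corrected.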

Hi, DavidR is referring to 2 separate exclusion lists

Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions

The first is the on access

Standard Shield, Customize, Advanced, Add

the second is the on demand

Program Settings, Exclusions

To reach the on demand list, right click the "a" icon, click Program Settings, then Exclusions.

send some samples to virus[at]avast[dot]com as DavidR suggested… we’ll analyse the files and fix the detection…

OK, I put the infected file into both exclusions, and I ran the program; it seems to work fine atm.

Now how long shall I wait till I send the file to you after restoring it? And also check the file in the chest?

Send the sample to avast now (you are only sending a copy), there is no need to wait, the sooner they get samples the sooner they can analyse them and correct the problem.

Leave checking the file in the chest for a couple of days and check every couple of days. It may be reported in this topic that the FP has been corrected by a VPS update, do a manual update and then check the file in the chest.

I think I’ve confused the issue by piggy-backing on the original thread, because I’m not sure who is talking to whom here. Anyway, I’ve identified 7 different exe files that are associated with the Strat-O-Matic computer baseball game. I’ll send them to the Avast virus report. Strat-O-Matic has told me that the report of Win32:Sality is a false positive that has been reported to them “for a while now”. I’ve excluded them from my scan as you explained (thank you!), and the program is running again. I ran them all through VirusTotal, and they all had a similar result - I think the highest report was maybe 12%. If that is of interest here I can post the results for each file, but I don’t want to clog up the board if it isn’t worthwhile.

Thank you for the help - I was able to get the application running again and am confident that the virus report was false. Great board! :slight_smile:

Update: I've discovered that three of the files are too large to send by my email. They all report the same virus, and I've sent the ones that I could. Will that be helpful, or is there another way I can submit the large files (ranging from 2.7 to 3 MEG)?

There has been a VPS update recently so I would suggest you do a manual update and rescan the files and see if they might have been corrected before doing anything else.

Whilst 12% is high and still suspect, it depends on what scanner detected it and what the malware name was, it might be that those detections were heuristic (prone to FP), so it might be worthwhile posting the results of the VT scans for those with 12%.

All files should be sent for analysis and hopefully correction at which point you can remove the exclusion.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive in the subject.