Win32/Sality

Good day!

How can I get rid of this Win32/Sality (Avast!) Win32/Sality.NAO (ESET) virus/worm?

'Cause almost all of my .exe files are infected, and I can’t play games.

I tried running avast! 4.8 Home but it has an unusual behavior, sometimes it will run successfully, and sometimes it’s stuck at the splash screen, and it once gave me a BSOD…

Please help me. Thank you!

As of now, security experts suggest that a clean Reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

http://www.bleepingcomputer.com/forums/topic220586.html

Hi Gantrithor,

Have you tried to scan with avast?
Because so far our customers in Indonesia who were ever infected by Sality could remove it from their systems. And I also keep this virus variant on my desktop and it could be detected by avast.

Holy hell…

A reformat?!

@ Yanto.Chiang
I can’t scan…avast! is messed up…

found this, may be worth a try

How Clean A Patching Virus (Virut or Sality) http://www.youtube.com/watch?v=FGDl-IMOt1g

http://forum.emsisoft.com/Default.aspx?g=posts&t=6440

if you clean using a removal tool, it will remove all infected files. i’m afraid it might have infected system files. you may have to do a format.

you can give dr.web live cd a try. it claims to disinfect but that depends on which variant it is, well I can’t find out which variant it is. get the live cd (the latest one. check the last modified column) here, from another system which is free from virus, burn it to a cd and boot from it. in the options menu, you will have an option to enable disinfection, select that. get the manual and go through it: ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf , please.

you might not be able to boot if any required system files are missing.

post back later.

nmb

Step 1: Windows Disk Cleanup Utility ============

1 Press Windows Key + R
2 Type in: cleanmgr
3 Put a check beside: Temporary Internet Files and Temporary Files. Optionally, you may check other options too
4 Click OK

Step 2: avast! Boot Time Scan ============

1 Double click avast! antivirus desktop icon and wait for memory test to complete
2 avast GUI will appear. Right click anywhere on avast!'s window and select Schedule Boot Time Scan…
3 Click Advanced options and select Move infected file to Chest on the first dropdown list and leave the other one as it was. Click Schedule
4 You will be asked for a system restart. Click Yes to do it now or No to let avast wait for you to manually restart your PC
NOTE: Optionally, you may enable scanning of archive files. If it is enabled, scanning would be more thorough but would take more time

Step 3: Malwarebytes Antimalware (MBAM) ============

1 Download Malwarebytes’ Antimalware here
2 Proceed to installing MBAM after downloading
3 On the last dialog box, do not forget to leave Update Malwarebytes’ Antimalware and Run Malwarebytes’ Antimalware checked
4 Malwarebytes’ Antimalware GUI would appear, from there select Perform Quick Scan and click Scan
5 When scan is completed, click Show Results
6 Click Remove Selected and then, a notepad file will appear.
7 On the notepad window, click File > Save As and save it on your desktop. You may now close MBAM.

Step 4: Hijack This (HJT) ============

1 Download Trend Micro Hijack This here
2 Install HJT in C:\Program Files\Trend Micro\HijackThis (the location is already displayed by default). Click Install
3 HJT Window will appear. Click Do a system scan and save a logfile. A notepad file will pop-up once the scan is completed
5 Click on the Notepad window and click File > Save As and save the file on your desktop
6 Go back here on your topic and start a reply. On the Reply window, click Additional Options
7 Attach the two .txt files that we created and saved on your desktop (click more attachments to have more slots for attaching files)
NOTE: Do not have HJT fix anything yet.

Hi Gantrithor,

I don’t understand what is wrong with your system, but to be honest we have faced this trouble more than 1 time fighting with Sality.
Sometimes we faced a legion (Legion = more than 1 devil in bible means) of malware like Sality, Conficker, and the hard one is yuyun Conficker.
But so far we could solve it for at least 80% of all customers.

If you have a virus sample, you could send it to virus@avast.com or you can try to scan it with virusscan.jotti.org

if you are not able to start any applications, then surely the virus is active in memory and hence you will not be able to open any new applications. including mbam, etc etc. only possibility is rescue disk or format hdd.

nmb

Hi, maybe you can try this, it helps too, like dr.web:
http://support.kaspersky.com/viruses/solutions?qid=208279889
maybe this helps
http://support.kaspersky.com/viruses/avptool