Avast WEBforum

Other => Viruses and worms => Topic started by: kjcdude on December 17, 2009, 09:08:39 AM

Title: Removing Win32/Sality - Win32/Tanatos
Post by: kjcdude on December 17, 2009, 09:08:39 AM
I'm looking for some support on a very large infection with Win32/Sality and Win32/Tanatos across our entire network of about 160 PCs.

I've used the following removal tools which have all failed.
http://www.avg.com/us-en/virus-removal.ndi-67769
http://www.avg.com/us-en/virus-removal.ndi-90825

For those not familiar with Sality, it's good to know that it kills a lot of common anti-virus processes.
I've been unsuccessful with installing Avast or even getting a console-only version to run. Ideally I'd like to get Avast installed on all 160 machines and have it run on next launch before Windows loads.
I have been able to get ClamWin installed and have run that with the following parameters: 'clamscan1.exe --database="C:\Program Files\ClamWin\bin" --recursive Z:\ -k -u -i --move="C:\virus" --memory'

I have found around 200-400 infected files on some computers. Again, no matter what I run, it will still not fully remove the infected files, and the infection still exists on the next restart.

If anyone has any suggestions or has a company/consultant that I could talk to in regard to this large problem, that would be fantastic.

Thanks,
Kyle

Title: Re: Removing Win32/Sality - Win32/Tanatos
Post by: Jtaylor83 on December 18, 2009, 05:03:21 AM
Cleansing Win32:Sality requires a total format and a clean reinstall on all PCs because not only does it infect files, but it can drop a keylogger as well.

Win32/Tanatos, another name for Win32:BugBear, is a worm that drops a trojan with keylogging and backdoor capabilities.

You could use Dr. Web CureIt (http://www.freedrweb.com/cureit/?lng=en).

Once you rid yourself of Sality and Tanatos, you will need a firewall (including a network firewall).

Title: Re: Removing Win32/Sality - Win32/Tanatos
Post by: Pondus on December 18, 2009, 08:55:36 PM
Virut and other File infectors - Throwing in the Towel?
http://miekiemoes.blogspot.com/search?q=virut

How Clean A Patching Virus (Virut or Sality)
http://www.youtube.com/watch?v=FGDl-IMOt1g

Title: Re: Removing Win32/Sality - Win32/Tanatos
Post by: YoKenny on December 18, 2009, 09:40:44 PM
How Clean A Patching Virus (Virut or Sality)
http://www.youtube.com/watch?v=FGDl-IMOt1g

That video was done on May 26, 2009, and the infection has mutated several times since then, so I would go with what miekiemoes recommends.