Topic: Win32:Sality-AM everywhere

Sir Ali

  • Guest
Win32:Sality-AM everywhere
« on: September 12, 2008, 07:06:24 PM »
Hi,

First of all, let me thank you guys for this great anti-virus application!

Now, I've got this Win32:Sality-AM in many files and I think they are all false alarms. For example, Windows Vista's backup (.vhd extension), .vdi files, some files I've downloaded that modify the graphics of a football (soccer) game (were never reported as Win32:Sality-AM before), my keyboard's driver installation file, Alcohol 52% setup file, RapidShare Manager setup file, and an Icon Extraction program, etc.

They all share the same Win32:Sality-AM.

Using Vista Business x64 SP1 BTW.

For some reason, the resident shield (high setting) doesn't accept the exclusions because they all run virtually under x64 environment. Sometimes the scanner detects them without running though.

How can I solve that?


ggf31416

  • Guest
Re: Win32:Sality-AM everywhere
« Reply #1 on: September 13, 2008, 12:41:58 AM »
AFAIK Sality is a file infector, so it's an actual infection.

wyrmrider

  • Guest
Re: Win32:Sality-AM everywhere
« Reply #2 on: September 13, 2008, 01:05:42 AM »
Best post down in the Virus and Worms forum.

Alias: Win32.Sality.AM.Gen [PCTools], Virus.Win32.Sality.z [Kaspersky Lab], W32.Sality.AE [Symantec], W32/Sality.ag [McAfee], PE_SALITY.EK [Trend Micro], W32/Sality-AM [Sophos], Virus:Win32/Sality.AM [Microsoft]

Can you install the Windows Defender update, run a scan and post back?
And I'll check a few other tools for x64.

What firewall?
Any other security software?

Can you right-click the ball and update>programs, then run an avast scan in safe mode?
Send any hits to the Chest.

I would like to see logs of at least two scans with your choice of:
Malwarebytes' Anti-Malware: update, check any hits and click FIX CHECKED
SUPERAntiSpyware
Spybot Search & Destroy
A-Squared Anti-Malware
With these 3, quarantine any hits, do not delete/remove (in case of false positives); reboot if necessary.
Post the logs.

Whichever support x64; you will have to check their websites and see.
Let me know what you find out.

Sir Ali

  • Guest
Re: Win32:Sality-AM everywhere
« Reply #3 on: September 13, 2008, 03:52:40 PM »
I have Windows Defender and SUPERAntiSpyware Free (On demand scanning).

Neither Windows Defender nor SAS detected anything with the files mentioned.

I have Windows Firewall and a hardware firewall running.

I will try an Avast scan in Safe mode and let you know.

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • No support PMs thanks
Re: Win32:Sality-AM everywhere
« Reply #4 on: September 13, 2008, 04:40:01 PM »
You could also check a few of the offending/suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

wyrmrider

  • Guest
Re: Win32:Sality-AM everywhere
« Reply #5 on: September 13, 2008, 06:03:31 PM »
Either configure the outbound security for Windows Firewall or find a third-party one for xp64.
Really glad you have some proactive defense like Windows Defender, and SAS is a good scanner.
What browser?
If IE, do you have SpywareBlaster installed?
A hosts file would be helpful in cutting down the bad guys' communications.


adi_dmj

  • Guest
Re: Win32:Sality-AM everywhere
« Reply #6 on: September 15, 2008, 09:51:22 AM »
Please check with other online scanners. If Win32.Sality is present on your system, then it infects almost all the files, including system files.

It infected my system by simply doing a search on Google and clicking on a resulting link. Windows Defender is able to identify it as trojan generic; however, Norton was not able to do so. Later, after rerunning LiveUpdate, it identified it as win32.sality.

Please be double sure; if it is on your system, you have no way but to clean your system and do a reinstall.

Regards

Adi