Topic: Avast can't detect Sality!


sophos

  • Guest
Avast can't detect Sality!
« on: December 24, 2010, 01:14:45 PM »
Good morning, everyone :)
My real name is Bayan. This is my first post! ;D
I have a computer infected with 'Sality'!! >:(
The problem is no antivirus could detect it except two: Ikarus and Immunet Protect Free.
I installed Avast, ran a full scan, nothing found!!!
I'd earlier managed to upload a file detected by Ikarus to VirusTotal & ThreatExpert:
http://www.virustotal.com/file-scan/report.html?id=7c9fc40df401c7fb9523babb31550a7256eaed46c5b74f730ddd9f8e979bdd8a-1285595292
http://virusscan.jotti.org/en/scanresult/b51afefb2dfe0540e9212ae34b17b88a167a72e2
http://www.threatexpert.com/report.aspx?md5=b64b498138739d9c18b69a77b360391b
-----------------------------------------------------
I'm definitely sure it's NOT a FALSE POSITIVE!
It's not only one file; Ikarus & Immunet both detected more than 100 files!
The problem is: whenever I upload a detected file to VirusTotal, it comes out clean, even clean by Ikarus on VirusTotal!!!
------------------------------------------------------
The virus manages somehow to recreate/copy its code to infect other files...
I hope we can explain how to remove it! ???
------------------------------------------------------

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Avast can't detect Sality!
« Reply #1 on: December 24, 2010, 01:38:47 PM »
Just to let you know, there is not any AV that can remove Sality. Sality is a well-known, nasty file infector.
Try to kill it with that:
http://support.kaspersky.com/viruses/solutions?qid=208279889
Merry Xmas
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

Altarir.

  • Guest
Re: Avast can't detect Sality!
« Reply #2 on: December 24, 2010, 02:14:28 PM »
Actually... the TE result you linked to isn't showing anything related to Sality (e.g. that it modifies files, etc.), VT has only the Ikarus detection there - and Ikarus likes making false positives.

sophos

  • Guest
Re: Avast can't detect Sality!
« Reply #3 on: December 24, 2010, 02:18:12 PM »
Quote from: Left123
Just to let you know, there is not any AV that can remove Sality. Sality is a well-known, nasty file infector.
Try to kill it with that:
http://support.kaspersky.com/viruses/solutions?qid=208279889
Merry Xmas

Thank you, dude! ;)
Just to let you know,
I've already tried that & it didn't even find it!! :o
Merry Christmas, & a very happy New YEAR :D :D

sophos

  • Guest
Re: Avast can't detect Sality!
« Reply #4 on: December 24, 2010, 02:25:55 PM »
Quote from: Altarir.
Actually... the TE result you linked to isn't showing anything related to Sality (e.g. that it modifies files, etc.), VT has only the Ikarus detection there - and Ikarus likes making false positives.

Good evening, sir!
You're totally right about TE, but I want you to consider 2 things:
1- The same window (titled 'nsis' error) appears to me every time I want to uninstall ANY software.
2- What makes me believe that it's not a false positive is actually 2 things:
A) I had, a long time ago, scanned using Kaspersky; it found Sality & removed it, but after that, I couldn't browse any web page. I was able, however, to connect to the internet, but couldn't browse any web page!!
B) Both Ikarus & Immunet found over 100 files infected with Sality, a lot of files common between the 2, so I don't think it's a false positive.
C) I once scanned with Spyware Doctor, & it found worm.sality files in the registry, & all of these files contained the word 'legacy'! What does that mean?
I appreciate any help!!

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Avast can't detect Sality!
« Reply #5 on: December 24, 2010, 02:59:07 PM »
Before you give up, try this one:
http://free.avg.com/us-en/win32-sality

SafeSurf

  • Guest
Re: Avast can't detect Sality!
« Reply #6 on: December 25, 2010, 10:45:22 AM »
Hello sophos and welcome to the forum,

Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining an MBAM log (make sure you update MBAM first) and the OTL logs (save them as ANSI and not Unicode).  When the OTL scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.  Post the MBAM log and the two (2) OTL logs as attachments (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).

If you are unable to perform the MBAM part, move on to the OTL part, which is more important.  The sooner we get your OTL log, the sooner we can work on your malware removal.

I am going to refer you to our Certified Malware expert, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.  I will continue to provide assistance in the meantime, then remain in the background while he works with you.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network.  Do not share a USB/flash drive with this affected machine.  Do not use this machine unless absolutely necessary; use a different machine to check email, sync your phone, etc.

***Please do not make any further changes to your machine once you have provided the logs.***

Let me know if you have any questions.  Thank you.

13thSlayer

  • Guest
Re: Avast can't detect Sality!
« Reply #7 on: December 25, 2010, 12:41:11 PM »
Try this antivirus, it cleans all types of Sality

Net Protector AntiVirus 2011
[link cut]

download link:
[link cut]
OR
[link cut]


Do not, it's a huge scam.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89129
  • No support PMs thanks
Re: Avast can't detect Sality!
« Reply #8 on: December 25, 2010, 04:44:40 PM »
Quote
Try this antivirus, it cleans all types of Sality

Net Protector AntiVirus 2011
[link cut]
<snip>

Do not, it's a huge scam.

Not only that, it is a spam post (and about to be history) as the user is promoting their own site.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline mkis

  • Avast Evangelist
  • Super Poster
  • Posts: 1618
Re: Avast can't detect Sality!
« Reply #9 on: December 26, 2010, 06:55:32 PM »
Quote from: Left123
Just to let you know, there is not any AV that can remove Sality. Sality is a well-known, nasty file infector.
Try to kill it with that:
http://support.kaspersky.com/viruses/solutions?qid=208279889
Merry Xmas

I think a lot depends on the extent of the infection, and how soon after infection the disinfection procedure is begun. If malware like Sality gets away on you, then the running state of the computer will be severely compromised, and almost certainly be marked with substandard performance / broken system. Sometimes the Windows Repair option can mend any performance loss in XP, but from what I gather the remnants of the infection are not removed in the process. Reformat is often the better option.

Also important - what is the strain of the malware?
For example, the attributes and makeup of the malware will differ by strain on a scale upwards to worst case scenario.

Recently I had an encounter with Sality that could've been a worst case scenario, but fortunately the recovery process was commenced early. The malware was first detected when a USB was plugged into the computer (see image below of Win32 Sality). I disinfected the USB and scanned / cleaned the system. But not sufficiently - here are notes on what to do about Win32 Sality - from a Kaspersky web page (sorry I didn't record the source URL so I cannot cite).

http://docs.google.com/View?id=ah85g3kzb4tn_279d8f48k7q

from web page http://support.kaspersky.com/viruses/solutions?qid=208279889 (as above in member's quote)

Because I was rushed to do other things, I allowed a user to continue on the system. Malware attributes were still active but I guess not fully blown because the user didn't mention any performance loss. However, when I briefly ran the system that night to view the detection data, another malware file transferred, this time from within the C: drive (see image Win32: Malware-gen). And I'm guessing a bit here - because I was so rushed, the recovery was stilted with no time to keep a record. The next day after boot the system performance quickly deteriorated, and I once again ran the avast boot scan, which detected the Malware-gen file. (I have since run the Windows Repair option and uninstalled/reinstalled avast, so no more records of events are available).

Here are my posts from the time to the avast forum
http://forum.avast.com/index.php?topic=52028.msg569527#msg569527

After the avast boot scan, I ran ComboFix for the first time ever (twice), which seemed to help, and a general search and destroy throughout system and registry, the combined effect of which was to cripple the virus. Nevertheless, system response to disinfection had been hostile. I was unable to turn the antivirus off for ComboFix. Relentless obstruction included keylogger barriers, denials of service, reset group policies including file/folder ownership, refusal of permissions (to delete), modifications to config settings, and so on. Neither did I manage to get a whole picture because once crippled, the malware was truly spent, and regardless, I kept on wiping whatsoever toxic remained.

By that stage I was fully involved in disinfection, and had put everything else to one side. I ran the Kaspersky recommendations, and for a couple of days tried to mend manually any incorrect modifications engineered by the virus. Then I followed an essexboy guide for removal of security tools, then uninstalled avast, ran Windows Repair, and reinstalled avast. Finally, work to build the system to optimal performance.

As my post says, I usually run into small-fry malware, so it doesn't bother me too much when a non-priority computer is threatened - it often means I will get a bit of practice at malware fighting. And I can afford to lose a system (I have surplus, my overriding advantage when it comes to malware infections). This time I might have lost the system, and yet my intuition tells me that even with a case of Virut, and as long as I strike reasonably early, I should be able to recover the system without recourse to reformat.

I'm sure there will be some on the forum that will not agree with this intuition. And that is a good thing because in today's environment, we should never underestimate the capabilities of malware and the bundled software packages that make up their force and effect.

(edit - document has been edited)
« Last Edit: December 30, 2010, 12:13:05 PM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

SafeSurf

  • Guest
Re: Avast can't detect Sality!
« Reply #10 on: December 27, 2010, 11:41:29 AM »
@ sophos,

Essexboy is waiting for you to post your OTL logs per my instructions in my post above.  Please let me know if you have any questions.  Thank you.

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Avast can't detect Sality!
« Reply #11 on: December 28, 2010, 12:16:56 PM »
Quote from: mkis
Quote from: Left123
Just to let you know, there is not any AV that can remove Sality. Sality is a well-known, nasty file infector.
Try to kill it with that:
http://support.kaspersky.com/viruses/solutions?qid=208279889
Merry Xmas

I think a lot depends on the extent of the infection, and how soon after infection the disinfection procedure is begun. If malware like Sality gets away on you, then the running state of the computer will be severely compromised, and almost certainly be marked with substandard performance / broken system. Sometimes the Windows Repair option can mend any performance loss in XP, but from what I gather the remnants of the infection are not removed in the process. Reformat is often the better option.

Also important - what is the strain of the malware?
For example, the attributes and makeup of the malware will differ by strain on a scale upwards to worst case scenario.

Recently I had an encounter with Sality that could've been a worst case scenario, but fortunately the recovery process was commenced early. The malware was first detected when a USB was plugged into the computer (see image below of Win32 Sality). I disinfected the USB and scanned / cleaned the system. But not sufficiently - here are notes on what to do about Win32 Sality - from a Kaspersky web page (sorry I didn't record the source URL so I cannot cite).

http://docs.google.com/View?id=ah85g3kzb4tn_279d8f48k7q

from web page http://support.kaspersky.com/viruses/solutions?qid=208279889 (as above in member's quote)

Because I was rushed to do other things, I allowed a user to continue on the system. Malware attributes were still active but I guess not fully blown because the user didn't mention any performance loss. However, when I briefly ran the system that night to view the detection data, another malware file transferred, this time from within the C: drive (see image Win32: Malware-gen). And I'm guessing a bit here - because I was so rushed, the recovery was stilted with no time to keep a record. The next day after boot the system performance quickly deteriorated, and I once again ran the avast boot scan, which detected the Malware-gen file. (I have since run the Windows Repair option and uninstalled/reinstalled avast, so no more records of events are available).

Here are my posts from the time to the avast forum
http://forum.avast.com/index.php?topic=52028.msg569527#msg569527

After the avast boot scan, I ran ComboFix for the first time ever (twice), which seemed to help, and a general search and destroy throughout system and registry, the combined effect of which was to cripple the virus. Nevertheless, system response to disinfection had been hostile. I was unable to turn the antivirus off for ComboFix. Relentless obstruction included keylogger barriers, denials of service, refusal of permissions (to delete), modifications to config settings, and so on. Neither did I manage to get a whole picture because once crippled, the malware was truly spent, and regardless, I kept on wiping whatsoever toxic remained.

By that stage I was fully involved in disinfection, and had put everything else to one side. I ran the Kaspersky recommendations, and for a couple of days tried to mend manually any incorrect modifications engineered by the virus. Then I followed an essexboy guide for removal of security tools, then uninstalled avast, ran Windows Repair, and reinstalled avast. Finally, work to build the system to optimal performance.

As my post says, I usually run into small-fry malware, so it doesn't bother me too much when a non-priority computer is threatened - it often means I will get a bit of practice at malware fighting. And I can afford to lose a system (I have surplus, my overriding advantage when it comes to malware infections). This time I might have lost the system, and yet my intuition tells me that even with a case of Virut, and as long as I strike reasonably early, I should be able to recover the system without recourse to reformat.

I'm sure there will be some on the forum that will not agree with this intuition. And that is a good thing because in today's environment, we should never underestimate the capabilities of malware and the bundled software packages that make up their force and effect.

(edit - document has been edited)

Yes, I totally agree. Same thing for TDSS: my brother had TDSS on his PC for about 2 weeks, it really messed up the MBR. I ran TDSSKiller on his PC and it said it successfully cured blah blah. Next restart was blue screen of death and the only solution was reformat ;s.

sophos

  • Guest
Re: Avast can't detect Sality!
« Reply #12 on: January 01, 2011, 11:40:57 AM »
Quote from: 13thSlayer
Try this antivirus, it cleans all types of Sality

Net Protector AntiVirus 2011
[link cut]

download link:
[link cut]
OR
[link cut]

THANKS A LOT 13thSlayer, I appreciate it!
BY THE WAY, I ONLY DOWNLOAD TRUSTED SOFTWARE!
FYI: MALWAREBYTES TOLD ME: NO ANTIVIRUS CAN CLEAN SALITY!!
Do not, it's a huge scam.

sophos

  • Guest
Re: Avast can't detect Sality!
« Reply #13 on: January 01, 2011, 11:43:13 AM »
Quote from: Left123
Before you give up, try this one:
http://free.avg.com/us-en/win32-sality

I'VE ALREADY TRIED IT!!!
IT COULDN'T EVEN FIND IT...
NOW EVEN IKARUS CAN'T FIND IT!!
THE ONLY ANTIVIRUS THAT CAN FIND IT IS
'IMMUNET PROTECT FREE' BY ITS CLOUD ENGINE 'SPERO'

sophos

  • Guest
Re: Avast can't detect Sality!
« Reply #14 on: January 01, 2011, 11:48:02 AM »
Quote from: SafeSurf
Hello sophos and welcome to the forum,

Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining an MBAM log (make sure you update MBAM first) and the OTL logs (save them as ANSI and not Unicode).  When the OTL scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.  Post the MBAM log and the two (2) OTL logs as attachments (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).

If you are unable to perform the MBAM part, move on to the OTL part, which is more important.  The sooner we get your OTL log, the sooner we can work on your malware removal.

I am going to refer you to our Certified Malware expert, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.  I will continue to provide assistance in the meantime, then remain in the background while he works with you.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network.  Do not share a USB/flash drive with this affected machine.  Do not use this machine unless absolutely necessary; use a different machine to check email, sync your phone, etc.

***Please do not make any further changes to your machine once you have provided the logs.***

Let me know if you have any questions.  Thank you.

THANK you a lot, sir.
Just to let you know, I've already tried everything related to Sality, but nothing seems to work!!
NO ANTIVIRUS CAN DETECT IT EXCEPT "IMMUNET"!!