# Win32/Sality



## Bokteelo (Mar 13, 2009)

I've been infected with this for a while now, and can't get rid of it... I know of a method where I have to take my hard drive out, put it on another system with Kaspersky, and rid myself of the virus; but is there an easier way?

Update: The symptoms of this virus are: locked registry, task manager, and something else I forgot. I've used a tool to unlock my task manager for about 5 seconds, allowing me to access the task manager and leave it open. I've noticed that if left unchecked, my computer would have multiple .exe's running with the names "win[random letters here].exe" in them. The amount of .exe's reached over 260 at one point, causing me heavy computer lag.

I cannot visit certain websites (Kaspersky's website, for example), nor can I install antivirus software I've downloaded.
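Added example (editor's code, not from any poster in this thread): a triage script for the symptom described above. It parses the CSV form of `tasklist` output and counts running processes named win<random letters>.exe that are not on a small allowlist of legitimate names. The sample listing is constructed, the allowlist and the threshold are assumptions, and the pattern is a triage heuristic for what Bokteelo reports, not a signature for Win32/Sality.

```python
import csv
import io
import re
import sys

# Legitimate executables whose names also start with "win" (assumption for this
# example; extend it for your own environment).
KNOWN_GOOD = {"winlogon.exe", "wininit.exe", "winword.exe"}

# The symptom reported in the thread: many processes named win<random letters>.exe.
# A triage heuristic for that symptom only, not a signature for Win32/Sality.
WIN_RANDOM = re.compile(r"^win[a-z]{3,}\.exe$")

# Constructed sample in the shape of `tasklist /fo csv` output (not a real capture).
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"winlogon.exe","624","Console","0","3,212 K"
"svchost.exe","900","Console","0","5,004 K"
"explorer.exe","1320","Console","0","18,440 K"
"WINWORD.EXE","2012","Console","0","41,300 K"
"winqpxz.exe","1044","Console","0","4,120 K"
"winrtkl.exe","1108","Console","0","4,116 K"
"winbvha.exe","1172","Console","0","4,124 K"
"winqpxz.exe","1236","Console","0","4,120 K"
'''


def parse_tasklist(csv_text):
    """Return (image_name, pid) pairs from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["Image Name"], int(row["PID"])) for row in reader]


def suspicious_processes(csv_text):
    """Map each suspicious image name (lower-cased) to the PIDs running under it."""
    hits = {}
    for name, pid in parse_tasklist(csv_text):
        lowered = name.lower()
        if WIN_RANDOM.match(lowered) and lowered not in KNOWN_GOOD:
            hits.setdefault(lowered, []).append(pid)
    return hits


def triage(csv_text, max_instances=2):
    """Flag the host when more win*.exe instances run than `max_instances` (assumed threshold).

    Returns (flagged, instance_count, hits).
    """
    hits = suspicious_processes(csv_text)
    instances = sum(len(pids) for pids in hits.values())
    return instances > max_instances, instances, hits


if __name__ == "__main__":
    # Usage: tasklist /fo csv > tasks.csv, then: python triage.py tasks.csv
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_TASKLIST
    flagged, count, hits = triage(text)
    print("FLAGGED" if flagged else "clean", count, "instances")
    for name, pids in sorted(hits.items()):
        print(f"  {name}: PIDs {pids}")
```

On the infected machine the task manager was being closed within seconds, so capturing the list from the command line (`tasklist /fo csv > tasks.csv`) and reading it elsewhere is the practical way to get this data; the same file also records PIDs to kill or to inspect in Process Explorer.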


----------



## francis511 (Mar 13, 2009)

Have you tried googling it?


----------



## 95Viper (Mar 13, 2009)

Try these: http://www.softpedia.com/get/Antivirus/Win32-Sality-Remover.shtml and http://www.avg.com/virus-removal.ndi-67769


----------



## Bokteelo (Mar 16, 2009)

francis511 said:


> Have you tried googling it?



No sorry, I just decided to post here without looking up any background information and/or possible solutions in the 2 months that I've been infected so that people like you could get a free post count increase. 



95Viper said:


> Try these: http://www.softpedia.com/get/Antivirus/Win32-Sality-Remover.shtml and http://www.avg.com/virus-removal.ndi-67769


Viper, I've tried both methods; not only that, but I've tried ComboFix with custom-written scripts by the wonderful volunteers of TechSupportForum as well. I have a recovery kit from HP, but I would like to see if there are any possible ways of cleaning my PC without turning my hard drive to 0's.

Edit: Updating post #1.


----------



## Marineborn (Mar 16, 2009)

Do you have another hard drive? If so, make the other one your primary, boot up into safe mode with the infected one as a slave, and remove it with Kaspersky.


----------



## Bokteelo (Mar 16, 2009)

Marineborn said:


> Do you have another hard drive? If so, make the other one your primary, boot up into safe mode with the infected one as a slave, and remove it with Kaspersky.



This is a similar method to what I mentioned in my first post, removing the virus with Kaspersky so long as I have another hard drive. It's a little bit too advanced for me, seeing as I've yet to even put together a computer.


----------



## sneekypeet (Mar 16, 2009)

Bokteelo said:


> This is a similar method to what I mentioned in my first post, removing the virus with Kaspersky so long as I have another hard drive. It's a little bit too advanced for me, seeing as I've yet to even put together a computer.



Do you have a second PC to do this on? Does it have Kaspersky on it already?
It really isn't that tough of an operation to do. I'm sure we could talk you through it.


----------



## Marineborn (Mar 16, 2009)

Oh, it's not really complicated... well, I guess it could be, um... Just reformat, or boot up in safe mode, go into Program Files, the Kaspersky folder, open up their scanner manually, run a scan and remove it in safe mode. Make sure to unplug your Ethernet cable, run it again, then again, reboot back into normal mode, keep the Ethernet unplugged and then run a scan again, plug in your cable, run a scan again. Make sure to enable deep scan in Kaspersky under settings in the full scan area.


----------



## Bokteelo (Mar 16, 2009)

I have 4 working computers at home, 2 of which are laptops; 1 is my sister's very vintage desktop. Perhaps I could install Kaspersky on my sister's desktop, but taking apart both computers and installing my drive in her computer, then going into the BIOS and turning my drive into a "slave" drive scares me a little. I have complete faith in TPU and know that if I'm willing to, someone would be willing to walk me through it no problem. I'm afraid I'll need to have live support through AIM/MSN/Yahoo Messenger or whatever during the entire process.


----------



## Marineborn (Mar 16, 2009)

It's dangerous and I really don't recommend it at all if it's a virus that can jump networks, but hook one of your laptops to the same network that computer is on and scan its hard drives with the laptop! Not recommended if my last one wasn't good enough! THAT VIRUS CAN'T LOAD IN SAFE MODE! DO A MANUAL SCAN!


----------



## Bokteelo (Mar 16, 2009)

I'm not sure if it can jump networks as you say, but I've read on a blog that putting my drive into somebody else's computer does work, so long as I have Kaspersky to clean it up.

When you say "same network" do you mean internet connection? I'm not really sure, and I'm completely lost when you say scan my hard drives with the laptop.

Edit: I've tried booting into the safe mode by tapping F8 during bootup and selecting safe mode, but my computer simply won't allow it. It will reboot and give me the message saying hard drive did not boot up correctly and give me the menu to select which mode to boot up again, and I'll have to select normal.


----------



## Marineborn (Mar 16, 2009)

Bok, when your computer starts, keep hitting F8. Now don't be alarmed, a black screen should come up with options. Go up to the one that says safe mode and hit Enter on it. Now all kinds of prompts will scroll; don't worry, that's supposed to happen. Windows will boot up; this way it'll only boot up the Windows core processes, nothing else. It might take a minute. Now go to My Computer, your C drive, then Program Files, then the folder that says Kaspersky Lab. Open that, open the folder inside that one, then go to the avp that looks like the icon of a K. Double click on that; it should bring up your scanner. Do a full system deep scan at this point. This is all the guidance I can give you at this time.


----------



## Bokteelo (Mar 16, 2009)

When you say "your" computer, you mean the clean computer that I will be putting my infected hard drive in right? Because my computer cannot boot into safe mode, I tried yesterday using your method, and I cannot install Kaspersky or BitDefender due to the virus.


----------



## francis511 (Mar 16, 2009)

So you have tried googling it ?


----------



## Marineborn (Mar 16, 2009)

Do you have a jump drive that you could install Kaspersky on, and do the scan on your hard drive from that jump drive on your infected computer?


----------



## Bokteelo (Mar 16, 2009)

francis511 said:


> So you have tried googling it ?


I've answered your question, and I don't plan on answering again. Reported for spamming x2.



Marineborn said:


> Do you have a jump drive that you could install Kaspersky on and do the scan of your hard drive from your jump drive? It's only 34 MB.



Do you mean a USB/flash drive? If so, yes I do but how exactly do I install Kaspersky on a flash drive?


----------



## Marineborn (Mar 16, 2009)

You just pick it as the drive you want to install it on when you're installing it. It's simple: when Kaspersky asks where you want to install it, browse, pick the flash drive, bam, it installs it on there.


----------



## Bokteelo (Mar 16, 2009)

Okay, so let me get this straight.

1. I download Kaspersky on a clean computer and install it onto my flash drive.
2. Do I scan in normal mode or safe mode?
3. How do I start a scan from the flash drive?

If possible, could I use a CD instead? I was in the BIOS yesterday and saw that I could make the CD drive the first thing to boot up. Does that mean I can create a bootable CD with Kaspersky installed onto it? I didn't see the option of booting into the flash drive first, just hard drive and CD.


----------



## Marineborn (Mar 16, 2009)

Once it's on the flash drive, you put it in the infected computer. The computer says here's a flash drive, you open the installed folder from the flash drive, pick the AVG scanner, then it'll say scan what... Full scan will find the hard drives and then scan.


----------



## Bokteelo (Mar 16, 2009)

Are flash drives infectable? If they are would my flash drive be infected if things don't go as planned? (It's my sister's drive and she's home from college for about a week and I don't want to infect her drive.)


----------



## Marineborn (Mar 16, 2009)

Unless you're extremely worried about a jump drive, then no; it can be easily formatted, easily fixed. It's a USB jump drive. It's a lot simpler than swapping hard drives, and looks to be your only option at this point. I'm going to bed, good luck.


----------



## francis511 (Mar 16, 2009)

I take it googling didn't help then, m8?


----------



## Yin (Mar 16, 2009)

Why is this in the network section? Maybe I am missing something?
But it sounds like you need Process Explorer.


----------



## Wile E (Mar 16, 2009)

The Flash drive won't work.

First you should try booting to safe mode, and manual scan with Kaspersky. If Kaspersky can't get rid of it in safe mode, there are only a couple of other options. You might be able to boot from a BartPE CD with Kaspersky loaded on it, or you can just put the hard drive in another computer, boot to the computer's normal drive, and then scan the drive you added.

It cannot infect the other computer because the virus won't start unless Windows tells it to. Since it's not your Windows that's loading, it won't be told to start.


----------



## Bokteelo (Mar 16, 2009)

Wile E said:


> The Flash drive won't work.
> 
> First you should try booting to safe mode, and manual scan with Kaspersky. If Kaspersky can't get rid of it in safe mode, there are only a couple of other options. You might be able to boot from a BartPE CD with Kaspersky loaded on it, or you can just put the hard drive in another computer, boot to the computer's normal drive, and then scan the drive you added.
> 
> It cannot infect the other computer because the virus won't start unless Windows tells it to. Since it's not your Windows that's loading, it won't be told to start.



I'd have to be able to install Kaspersky onto my computer before booting into safe mode and performing the manual scan, and that's a problem.

What exactly is a BartPE CD?

I've read about putting my drive onto someone else's computer, and thanks for letting me know that it's completely safe for the other system, because I don't want to infect my sister's/friend's computer. Although I do have a question: once I put my drive into someone else's computer, how will his/her computer know which hard drive to boot from? My cousin's computer is running Vista; if I installed Kaspersky onto his computer, would Kaspersky scan my computer without problems? (Being that he's running Vista and I'm running XP.)

I'm looking forward to fixing my computer ASAP, because I ordered some high end gaming peripherals and I want my computer to be completely clean before I install the drivers.


----------



## erocker (Mar 16, 2009)

francis511 said:


> Have you tried googling it?





francis511 said:


> So you have tried googling it?





francis511 said:


> I take it googling didn't help then, m8?



Perhaps you just need to not say anything.  You are being exactly the opposite of a helpful member.  Please don't do this any further.


----------



## Bokteelo (Mar 16, 2009)

Thanks to erocker for infracting francis511.

Alright, I just spoke to my cousin. He's using Windows Vista, but his older brother is using Windows XP. I'll be asking for permission to install Kaspersky onto his computer to clean my drive. I'll update you guys with information as soon as I can get a reply!

Thanks a lot, you've all been extremely helpful. Feel free to post comments and alternative methods of clearing up my mess if you know of any. I will read and reread every post.


----------



## lemonadesoda (Mar 16, 2009)

Wile E said:


> It cannot infect the other computer because the virus won't start unless Windows tells it to. Since it's not your Windows that's loading, it won't be told to start.



CAREFUL.

If you explore (browse) that HDD, then if it has an autorun.inf it can get itself going!

Advice

I really would suggest you get a new HDD. Do a fresh windows install on the new HDD.  Then after you have "locked down" the PC, you can install the old drive via USB or as secondary drive to copy across important data.

Be warned that the HOURS you spend trying to clean up a computer may well leave it with damaged ACLs/security policies that can only be fixed by a reinstall anyway.

In my experience a virus that has got full hold of the OS is best removed via reformat. YES, you can spend hours and the rest of the week trying to clean it... but you have a 50/50 chance your registry and ACLs will be damaged.


----------



## Bokteelo (Mar 16, 2009)

God... this virus has been stressing me out for over a month now... UGH! I honestly don't want to reformat if there are other methods of disinfecting my system without wiping my drive... even if there's the slightest chance of cleaning it without wiping my entire HDD I'm going to try it. 

If all fails, fine, I'll use KillDisk to wipe my drive completely and reinstall Windows XP Media Edition using the recovery CDs I ordered off HP not long ago at the advice of a staff member of TechSupportForum. (He advised me to use KillDisk, but I've been putting it off because he met an accident resulting in heavy injuries and I intended on waiting for him to recover to continue guiding me. Finally he's back in shape, but I'm reluctant to wipe my hard drive, so here I am seeking other methods.)


----------



## lemonadesoda (Mar 16, 2009)

A HDD is cheap. Please check post 28 again. There is no need to reformat and lose data. Just swap the HDD out with a new one then run the recovery CDs. Then hook up the old HDD and recover whatever data you need.


----------



## Bokteelo (Mar 16, 2009)

Let me get this straight: 

1. I purchase another hard drive and install windows on it. 
2. I lock it down. (How?)
3. Install the old drive.
4. Copy across data. (How?)


----------



## Wile E (Mar 16, 2009)

lemonadesoda said:


> CAREFUL.
> 
> If you explore (browse) that HDD, then if it has an autorun.inf it can get itself going!
> 
> ...


Easy enough. Look for an autorun in the root of the drive.


----------



## Bokteelo (Mar 16, 2009)

Wile E said:


> Easy enough. Look for an autorun in the root of the drive.



I think you should tell me where to find this before I kill my cousin's computer! 

Edit: Why does this even matter? Even if the virus decides to run, Kaspersky is capable of stopping it in its tracks for me to disinfect it, right? So either way, as long as Kaspersky is installed, the virus can't harm the other computer? Right?


----------



## DRDNA (Mar 16, 2009)

If you can get Malwarebytes installed (http://download.cnet.com/3001-20_4-10804572.html?spi=2fefa24deb6c7cd23213e33d960ab19b) and get it updated, then you could for sure get it clean (in safe mode)... If your current account is too hosed to do anything, then try creating another admin account, get on it quick, install Malwarebytes and update it fast before that account gets too hosed... then clean her up in safe mode. GL


----------



## Bokteelo (Mar 16, 2009)

DRDNA said:


> If you can get Malwarebytes installed (http://download.cnet.com/3001-20_4-10804572.html?spi=2fefa24deb6c7cd23213e33d960ab19b) and get it updated, then you could for sure get it clean (in safe mode)... If your current account is too hosed to do anything, then try creating another admin account, get on it quick, install Malwarebytes and update it fast before that account gets too hosed... then clean her up in safe mode. GL



The free version of Malwarebytes can clean Win32.Sality? If so, I'll download the .exe on my laptop, put it in a USB, drag it onto my new admin account and take the USB out before it's infected.

I know of 3 AVs that can cure Sality: Kaspersky, BitDefender, and ShieldDeluxe. I'm not sure about Malwarebytes, but I know I've read about it somewhere. (I've done extensive research on this virus.)


----------



## lemonadesoda (Mar 16, 2009)

Bokteelo said:


> Let me get this straight:
> 
> 1. I purchase another hard drive and install windows on it.
> 2. I lock it down. (How?)
> ...



Point 2:

1. Install your antivirus software at the HIGHEST settings.
2. Turn off autoplay (google this).
3. Install Malwarebytes.
4. Create a user account with STANDARD privileges, not admin.

Then install the old HDD.

Point 4:

1. Log in as a standard user, NOT admin.
2. Using Explorer, "Open" (do not double click) the old HDD.
3. Search for autorun.inf.
4. Delete any and all you find.
5. Using Explorer, find the files you want to keep and copy them to your new drive.


----------



## lemonadesoda (Mar 16, 2009)

Wile E said:


> Easy enough. Look for an autorun in the root of the drive.


No, it ain't "that easy". If the user is in Explorer and has the autorun feature turned on, then double clicking the drive to explore it will automatically run the autorun.inf and WHAM, you could be reinfected.

You need to be very careful in "exploring". Must right click and "Open" any drive or folder, and NOT double click.

There shouldn't really be any autoruns on a HDD, so searching for and deleting them all is a good way to start.


----------



## Wile E (Mar 16, 2009)

Bokteelo said:


> I think you should tell me where to find this before I kill my cousin's computer!
> 
> Edit: Why does this even matter? Even if the virus decides to run, Kaspersky is capable of stopping it in it's tracks for me to disinfect it right? So either way, as long as Kaspersky is installed, the virus can't harm the other computer? Right?


If it was in there, it would be in C:

At any rate, if you get Kaspersky fully installed and updated before attaching the drive you should be fine.

But just to be safe, disable autorun on your cousin's computer. You can use a simple reg key to do it.

I've attached one. Just change the file extension from .txt to .reg and double click it. Answer yes when it asks if you want to continue.
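Added example (editor's code, not lemonadesoda's or Wile E's, and not the .reg file Wile E attached, which is not reproduced on this page): the two checks the previous posts describe for mounting an infected drive on a clean machine. `find_autorun_inf` walks the attached drive and lists every autorun.inf (the one at the drive root is the one Explorer acts on); `parse_autorun_inf` is a tolerant parser that shows which directives would launch an executable; `autorun_disable_reg` produces the text of a .reg file that turns AutoRun off for all drive types. The autorun.inf sample is constructed, the RECYCLER path and file names in it are invented, and the registry values are the documented `NoDriveTypeAutoRun` policy plus the widely used IniFileMapping hardening that makes Windows read every autorun.inf as empty.

```python
import os
import tempfile

# Directives in an [autorun] section that make Explorer execute something when the
# drive is opened or double-clicked while AutoRun is enabled.
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command", "shell\\explore\\command"}

# Constructed sample of a malicious autorun.inf (invented names, not a real sample).
# Junk and comment lines are included because real ones were often padded that way.
SAMPLE_AUTORUN_INF = """[AutoRun]
;jkqwe ulqzx
OPEN=RECYCLER\\qqwert.exe
shell\\open\\Command=RECYCLER\\qqwert.exe
shell\\open=Open
Icon=%SystemRoot%\\system32\\SHELL32.dll,4
Action=Open folder to view files
UseAutoPlay=1
"""


def parse_autorun_inf(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Lines that are not `key=value` (comments, junk padding) are skipped rather than
    treated as errors, which is why configparser is not used here.
    """
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """The directives that would run a program, with the path each one names."""
    return {k: v for k, v in entries.items() if k in LAUNCH_KEYS}


def find_autorun_inf(root):
    """Every autorun.inf under `root`; the one directly in the root is what Explorer honours."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "autorun.inf":
                found.append(os.path.join(dirpath, name))
    return found


def autorun_disable_reg():
    """Text of a .reg file that disables AutoRun for all drive types, machine-wide.

    NoDriveTypeAutoRun=0xFF is the Microsoft policy value covering every drive type;
    the IniFileMapping entry makes Windows treat any autorun.inf as having no content.
    """
    return "\r\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]",
        '"NoDriveTypeAutoRun"=dword:000000ff',
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]",
        '@="@SYS:DoesNotExist"',
        "",
    ])


def demo_scan():
    """Build a throw-away fake drive with two autorun.inf files and scan it (constructed)."""
    with tempfile.TemporaryDirectory() as fake_drive:
        with open(os.path.join(fake_drive, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        os.makedirs(os.path.join(fake_drive, "Photos"))
        with open(os.path.join(fake_drive, "Photos", "Autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=photos.exe\n")
        return [os.path.relpath(p, fake_drive) for p in find_autorun_inf(fake_drive)]


if __name__ == "__main__":
    print("launches:", launch_targets(parse_autorun_inf(SAMPLE_AUTORUN_INF)))
    print("autorun.inf files on fake drive:", demo_scan())
    with open("autorun_off.reg", "w", newline="") as fh:
        fh.write(autorun_disable_reg())
```

Apply the .reg on the clean machine (double-click it, or `reg import autorun_off.reg` from an administrator prompt) and reboot before the old drive is attached; then run the scan from a standard user account as lemonadesoda describes, and delete the listed files before browsing anything else on the drive.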


----------



## Wile E (Mar 16, 2009)

lemonadesoda said:


> No, it ain't "that easy". If the user is in Explorer and has the autorun feature turned on, then double clicking the drive to explore it will automatically run the autorun.inf and WHAM, you could be reinfected.
> 
> You need to be very careful in "exploring". Must right click and "Open" any drive or folder, and NOT double click.
> 
> There shouldn't really be any autoruns on a HDD, so searching for and deleting them all is a good way to start.



I meant for him to find it before swapping drives.


----------



## Bokteelo (Mar 16, 2009)

DRDNA said:


> If you can get Malwarebytes installed (http://download.cnet.com/3001-20_4-10804572.html?spi=2fefa24deb6c7cd23213e33d960ab19b) and get it updated, then you could for sure get it clean (in safe mode)... If your current account is too hosed to do anything, then try creating another admin account, get on it quick, install Malwarebytes and update it fast before that account gets too hosed... then clean her up in safe mode. GL



I can't boot into safe mode, I just tried again. (MalwareBytes installed with no problems though. Too bad I can't say the same for BitDefender/Kaspersky.)



Wile E said:


> If it was in there, it would be in C:
> At any rate, if you get Kaspersky fully installed and updated before attaching the drive you should be fine.
> But just to be safe, disable autorun on your cousin's computer. You can use a simple reg key to do it.
> I've attached one. Just change the file extension from .txt to .reg and double click it. Answer yes when it asks if you want to continue.



Just that one script will disable autorun? (Do I still need to do any exploring?) Hell, how exactly do I explore? Do I press ctrl+F in My Computer?

Edit: MalwareBytes is currently performing a scan on another user account.


----------



## Wile E (Mar 16, 2009)

Bokteelo said:


> I can't boot into safe mode, I just tried again. (MalwareBytes installed with no problems though. Too bad I can't say the same for BitDefender/Kaspersky.)
> 
> 
> 
> ...


Just click on My Computer in the start menu to explore your drives.

And yeah, that script will disable the autorun feature. By autorun feature, I mean how CDs or flash drives automatically start running when you plug/load one in.


----------



## lemonadesoda (Mar 16, 2009)

Wile E said:


> And yeah, that script will disable the autorun feature. By autorun feature, I mean how CDs or flash drives automatically start running when you plug/load one in.



... in fact, ANY folder that contains an autorun.inf (with autorun enabled).


----------



## paulm (Mar 16, 2009)

lemonadesoda said:


> ... in fact, ANY folder that contains an autorun.inf (with autorun enabled).



I wasn't aware that a folder with an autorun.inf file and autorun enabled would actually "auto-run". Never happened to me when I was playing around with some uncompressed Windows disks...

Regardless, OP should probably backup any data that he absolutely needs and just re-format. Wiping the drive is unnecessary in this situation. Viruses don't often (never to my knowledge) survive a single pass overwrite. Just get your data to an external drive or flash drive and start over. First thing you should do after doing that is download a good A/V, malware/spyware scanner, and firewall. 

I like the combination of Avira Antivir Premium (with heuristics on high) , COMODO Firewall (without defense+ or whatever they call it), and Malwarebytes. Seems to work very well for me, and isn't too heavy on the resources.


----------



## Bokteelo (Mar 17, 2009)

Alright, I have a buddy who has both a blank CD for me to burn KillDisk on AND a computer that I can possibly put my drive in. 

I've yet to try a system reformat since I don't have a Windows XP CD, what I have is a set of recovery discs I ordered directly from HP's website, specifically made for my computer. My computer does have the recovery partition built in, but the virus survived the 2-3 system recoveries that I've done.

I'll see what I can do about this tomorrow when I'm over at my buddy's house, whether to wipe my drive and/or swap drives.


----------



## lemonadesoda (Mar 17, 2009)

lemonadesoda said:


> ... in fact, ANY folder that contains an autorun.inf (with autorun enabled).



Just checked this statement. It depends. Networked or mapped folders will do this. Roots of drives can do this. Folders within drives should not, unless the folder itself is network mapped.

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q136214


----------



## Bokteelo (Mar 18, 2009)

Both friend and cousin wouldn't let me put my drive in their rig, and my sister's old computer is SLOWWW. BitDefender had it lagging out of its case... ended up using KillDisk.

KillDisk + Complete system recovery finished in about 3 hours. Now installing Windows Updates and all software I use the most! The antivirus can come last, but I will be very careful from now on. Going to consider some of the firewall/antivirus recommendations given somewhere in this thread!


----------



## lemonadesoda (Mar 18, 2009)

LOL

Antivirus should be installed FIRST. Goodness knows what might be on your install disks/CDs and your legitimate set of serial numbers and keygens.

BEFORE you go anywhere near the internet, get the AV installed.  Then get it updated to latest definitions. The *only* internet action you should take is Windows Update before you have completely locked down the PC. Better to even do that after you have antivirus installed. It's just good practice.


----------



## Bokteelo (Mar 18, 2009)

Lol! lemonade, I got these discs off HP, they're recovery discs made specifically for my computer model!  No worries on my part! (It does come with a 2006 trial of Norton, so it'll do for now until I get everything else installed.)


----------



## temp02 (Mar 18, 2009)

Warning: This virus is like no "normal" virus!
It infects all the executables it can find on the C: drive of your computer, and when I say infect I mean that it copies itself inside each .exe it finds, so no "normal" methods like "Safe boot" or "remove autorun.inf" will work because it's everywhere.

*How to Fix:*
* Download a copy of Norton (any version I guess, but make sure it is a full version, not a demo; don't bother buying it, you probably will uninstall it later so...);
* Update it using one of the setups in this webpage;
* Leave your computer FULLY scanning overnight;
* When you wake up, all that is left to do is scan every external drive you own (this includes CDs/DVDs, because the virus might still be there);
* Uninstall Norton (worst AV ever IMO, but it does its job).

*My story:*
I found that I was infected by this about a year ago when I was "playing around" with Process Explorer (I tend to do this sometimes, because I don't use any antivirus software), when I suddenly found a quite funny handle name CUCU (or KUKU, don't remember; also it's not the only handle the virus creates). Well, that turned out not that funny when I found that ALL running processes created the same handle. Still using Process Explorer, I tracked down the virus to a specific filename: vcmgdr32.dll (if I remember) that sat in the system32 folder. Deleting it was no good because all the running processes were infected and recreated the file every time I deleted it.
So I decided to reinstall Windows, copied "my stuff" to a temp folder on C, selected "keep files" instead of "quick format", and a new Windows installation was born. The bad thing was that when I installed the first program (Daemon Tools) the virus DLL file appeared again in the Windows folder, because the Daemon setup was previously infected by it. My attempts to clean the virus had failed; for the first time I was unable to remove a virus "by hand". I really thought I would lose all my data because of the infection.
Until I remembered that when I bought my computer (far way back) it came with Norton, which had a "Fix" feature (it first tries to Fix; if it fails, it either Quarantines the file or Deletes it). So, with my infected computer, I downloaded a Norton version, updated it to the latest version (using not the auto-update but a complete update package that Symantec updates weekly on its site) and left my computer overnight "healing" itself. The morning after I scanned every external drive, I uninstalled Norton, and up until today I have been able to not need an antivirus again.
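Added example (editor's code, not temp02's): the reinfection temp02 describes came from running an installer that had been modified on the infected system, and the advice to "scan every drive, internal and external" before trusting anything on it is what this check automates. On a clean machine, record SHA-256 hashes of installers obtained from a trusted source; afterwards, anything copied off the old drive is compared against that manifest and is run only if it matches. The scenario in `demo()` is constructed: two installers, one of which has extra bytes appended on the "old drive" to simulate a modified executable, plus one file that was never in the trusted set.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(directory, suffixes=(".exe", ".dll", ".scr", ".msi")):
    """Map relative path -> SHA-256 for every executable under `directory`.

    Run this against copies that came from a trusted source on a clean machine, never
    against the infected drive, or the manifest simply records the infected state.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, directory)] = sha256_file(full)
    return manifest


def verify_against_manifest(directory, manifest):
    """Classify executables in `directory` as ok / modified / unknown against `manifest`.

    `missing` lists manifest entries not present on the drive. Only `ok` files should
    ever be run; `modified` and `unknown` are re-downloaded or discarded.
    """
    report = {"ok": [], "modified": [], "unknown": []}
    current = build_manifest(directory)
    for rel, digest in current.items():
        if rel not in manifest:
            report["unknown"].append(rel)
        elif manifest[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["missing"] = sorted(set(manifest) - set(current))
    return report


def demo():
    """Constructed scenario: trusted installers vs. the copies found on the old drive."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as old_drive:
        installers = {
            "setup_tools.exe": b"MZ" + b"\x00" * 64,
            "reader_install.exe": b"MZ" + b"\x90" * 32,
        }
        for name, body in installers.items():
            for folder in (clean, old_drive):
                with open(os.path.join(folder, name), "wb") as fh:
                    fh.write(body)
        manifest = build_manifest(clean)
        # Simulated tampering on the old drive: same name, extra bytes appended.
        with open(os.path.join(old_drive, "setup_tools.exe"), "ab") as fh:
            fh.write(b"\xeb\xfe" * 8)
        # A file that was never part of the trusted set.
        with open(os.path.join(old_drive, "codec_pack.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\xcc" * 16)
        return verify_against_manifest(old_drive, manifest)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:9} {names}")
```

In practice the manifest is built from vendor downloads on the rebuilt machine (or from the vendor's published checksums where they exist), and anything from the old drive that is not `ok` is treated as disposable, which is the lesson of the Daemon Tools setup above.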


----------



## Bokteelo (Mar 18, 2009)

temp02, I'm not exactly sure how Norton was able to rid you of the virus... The virus penetrates and takes control of your operating system including Windows files, so if Norton deletes them wouldn't your computer be running haywire?

And yes, this is by no means a normal virus. It's lethal and once infected, almost impossible to deal with.


----------



## temp02 (Mar 18, 2009)

Bokteelo said:


> temp02, I'm not exactly sure how Norton was able to rid you of the virus... The virus penetrates and takes control of your operating system including Windows files, so if Norton deletes them wouldn't your computer be running haywire?
> 
> And yes, this is by no means a normal virus. It's lethal and once infected, almost impossible to deal with.



FIX!!!!! It fixes the files! AKA remove malicious code that virus put inside each .exe
get it?


----------



## Skywalker12345 (Mar 18, 2009)

I got a solution: try booting in safe mode, then go to trendmicro.com and do a thing called HouseCall, and it will scan your computer online and remove them for free.


----------



## Bokteelo (Mar 18, 2009)

lucasweir said:


> I got a solution: try booting in safe mode, then go to trendmicro.com and do a thing called HouseCall, and it will scan your computer online and remove them for free.



A system's ability to even boot into safe mode is a problem.



temp02 said:


> FIX!!!!! It fixes the files! AKA remove malicious code that virus put inside each .exe
> get it?



Does Norton really work? That's shocking, really.


----------



## temp02 (Mar 20, 2009)

Bokteelo said:


> *snip*
> Does Norton really work? That's shocking, really.



Yes, it will work; try it and see for yourself, you have nothing to lose.
BTW the version I used for removing the virus was Norton 2005 Professional, but I guess it doesn't matter at all which version you use, because after you update its virus definitions they all will work (and remember to fully scan every drive, internal and external; any infected CD/DVD will be garbage).
Good luck.


----------



## h3llb3nd4 (Mar 20, 2009)

I feel your pain, Bokteelo! I had to reinstall Windows twice in one day because I got a heur virus on my flash...


----------

