
Please help me to remove this Sality Trojan



Hello, I saw an unknown .exe file in my C: drive, and whenever I delete it, it keeps instantly coming back. When I installed Malwarebytes to solve it I was spammed like 12 times with different domains that were blocked from random .exe files, but I know that it was from this .exe in my C: drive because I uploaded it to VirusTotal. There are also random .exe names appearing in my %temp% folder and they keep coming back too. I had this problem before and I reinstalled a new Windows, but it's still there.

https://www.virustotal.com/gui/file/c5c333811d91ae56ecdaa5ba1412dc5d6ee27743df609e339c969f9f82bf23a9/detection


Hi, welcome!

My name is Maurice. I will be helping and guiding you, going forward on this case.

Let me know what first name you prefer to go by.

 

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please just attach all report files, etc. that I ask for as we go along.

 

Please know that I help here as a volunteer and that I am not on 24 x 7.

Help on this forum is one to one.

 

Let us start out by running this very special tool from Malwarebytes.

Please read all of these lines first so that our plan is all clear to you. I need a one-time run of MBAR as listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here and save it to your desktop.

 

RIGHT-click with your mouse pointer on MBAR, select "Run as Administrator" and allow it to run. Reply YES to allow it to start.

• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

• After reading the Introduction, click 'Next' if you agree.

• On the Update Database screen, click on the 'Update' button.

• Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two message boxes:

1. 'Could not load protection driver'. Click 'OK'.
2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

• If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces; you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt. Please attach that to your next reply.
 

 


Thanks for the MBAR report.

Let's do a couple of things in an elevated Command Prompt.

Open an elevated Command Prompt window, i.e. run Command Prompt as an administrator.

It is best to use the Windows copy (CTRL+C) and paste (CTRL+V) for the whole line, as-is.

To get the elevated command prompt, press Windows key + X and then select Command Prompt (Admin).

On that command prompt, copy & paste this command:

del /s /q C:\USERS\ZIAD\APPDATA\LOCAL\TEMP\*.*

Tap the Enter key and allow that to proceed.

Now another command. Copy this whole line as-is & paste this command:

WMIC /OUTPUT:"%userprofile%\desktop\ProcessList.txt" path win32_process WHERE Name="cmd.exe" get Caption,Processid,Commandline

Tap the Enter key and allow that to proceed.

 

Now, close the Command window. Do a Windows Restart now. The MBAR needs a restart to finish its work.

Next, after the restart, when the system is ready, look on the Desktop.

Find the file ProcessList.txt and attach it in your next reply, at your next opportunity.

Now do a new special scan with Malwarebytes for Windows like this.

Run a scan with Malwarebytes.
Start Malwarebytes from the Windows Start menu.

Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.

Then click the SECURITY tab.
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
Click it to get it ON if it does not show a blue color.

Now click the small X to get back to the main menu window.

Click the SCAN button.
Select a Threat Scan (which should be the default).

When the scan phase is done, be really sure you review and have all detected line items check-marked on the left. That too is very critical.

Then click on Quarantine selected.

Be sure all items were removed. Then, too, repeat the scan one more time. It does not take long.

And again, be sure all detected items are removed.

Let it remove what it has detected.
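As an added example (not part of the helper's instructions above, and not a Malwarebytes tool), here is a PowerShell version of the two Command Prompt steps in that reply that records evidence before anything is deleted: it lists every running cmd.exe with its command line and parent process (the same data the WMIC query writes to ProcessList.txt, plus the parent PID), and it hashes the executables in the user's TEMP folder so each one can be compared against the SHA-256 the original poster submitted to VirusTotal instead of being wiped blindly. It assumes an elevated PowerShell session on the affected machine; the report file name TriageReport.txt is my own choice.

```powershell
# Added triage example, not from the forum thread or from Malwarebytes.
# Run from an elevated PowerShell window on the affected machine.
# The SHA-256 below is the hash from the original poster's VirusTotal link.
$KnownBadSha256 = 'c5c333811d91ae56ecdaa5ba1412dc5d6ee27743df609e339c969f9f82bf23a9'
$Report = Join-Path ([Environment]::GetFolderPath('Desktop')) 'TriageReport.txt'

# 1. Every running cmd.exe with its command line. ParentProcessId is added so a
#    cmd.exe launched by something unexpected (e.g. a file in %TEMP%) stands out.
$cmdProcs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'cmd.exe'" |
    Select-Object Caption, ProcessId, ParentProcessId, CommandLine

# 2. Executables under the user's TEMP folder, hashed so they can be matched
#    against the VirusTotal submission before the folder is cleaned out.
$tempExes = Get-ChildItem -Path $env:TEMP -Filter '*.exe' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        [PSCustomObject]@{
            Path     = $_.FullName
            Size     = $_.Length
            Created  = $_.CreationTime
            Sha256   = $hash
            KnownBad = ($hash -eq $KnownBadSha256)
        }
    }

# Write both tables to one report on the Desktop, ready to attach to a reply.
@(
    '=== cmd.exe processes ==='
    ($cmdProcs | Format-Table -AutoSize | Out-String)
    '=== executables in %TEMP% ==='
    ($tempExes | Format-Table -AutoSize | Out-String)
) | Out-File -FilePath $Report -Encoding utf8

# Call out any TEMP executable whose hash matches the submitted sample.
$tempExes | Where-Object KnownBad | ForEach-Object { Write-Warning "Known-bad hash at $($_.Path)" }
Write-Host "Report written to $Report"
```

Running this before the `del /s /q` step keeps a record of which files were in TEMP and which one matched the submitted sample, which is useful when a file keeps reappearing: comparing the paths and parent processes across two runs shows what is recreating it.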

 


Hopefully, also including the Windows Restart. Keep going down this list & do all. We will do more scans later, too.

[ 1 ]

Locate the scan run report; export a copy; then attach it with your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

[ 2 ]

I would suggest a free scan with the ESET Online Scanner.
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page. Click Scan Now.
It will start a download of "esetonlinescanner_enu.exe".
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double-click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes.

When prompted for scan type, click on Full scan.
Look at & tick the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".

Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).

Press Continue when all done. You should click to turn off the offer for "periodic scanning".

 


I'd suggest you keep your browsers all closed while ESET is scanning.

The notice window actually means the EXE is STOPPED by the Malwarebytes program. It is halted. We will do more later on.

But for now, close & exit all browsers. Close any other program (except ESET) that you have open now.

After ESET completes, send me its log.


I see the scan log report from ESET. I do not know what was usually housed on the D and F drives.

What I noticed is that what got tagged on the C drive were generally games. Please be sure that you do not have tasks that do automatic downloads.

Please do not do any banking on this computer while this problem-case is going on.

Let's take a few minutes and do this.

I would appreciate getting some key details from this machine in order to help you forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

Do have patience while the report tool runs. It may take several minutes. Just let it run & take its time. You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool

• Once the file is downloaded, open your Downloads folder/location of the downloaded file.
• Double-click mb-support-1.5.4.760.exe to run the report.
• You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
• Place a checkmark next to Accept License Agreement and click Next.
• You will be presented with a page stating, "Get Started!"
• Do NOT use the button "Start repair"!
• Click the Advanced tab on the left column.
• Click the Gather Logs button.
• A progress bar will appear and the program will proceed with getting logs from your computer.
• Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.
• Please attach the ZIP file in your next reply.


It will take several passes to hope to get this set of infections squashed.

Like I said, do not do any banking on this machine. Do not do any downloading, except for what I suggest you get.

Thanks for doing the Support Tool report. That is just a report.

Please do not go getting and running other "apps" like Spyhunter. If you have questions, ask me first.

And "process hacker 2" ???

I have listed 2 procedures to be done. Please do all of it as much as possible, but keep going down the list.

[ 1 ]

Please close and save any open work you may have open.

Please close as many un-needed app windows as you yourself may have open at this point, so you can have a clear field of view.

This custom script is for ZIADW12 only / for this machine only.

Close and save any open work files before starting this procedure.

Please close and save any open work files before you start this next step. It will involve a Windows Restart at the end of it.

I am sending a custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select "Save link as" and save it directly (as is) to the Downloads folder.

The tool named FRSTENGLISH.exe is already in the Downloads folder.

Start Windows Explorer and then go to the Downloads folder.

RIGHT-click on FRSTENGLISH and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.

On the FRST window:
Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the Fixlog.txt with your next reply later, at your next opportunity, BUT do not stop here; KEEP going down to the next step.

[ 2 ]

Windows 10 has Microsoft Windows Defender, which can run the Windows Defender Offline scan.
Windows Defender Offline in Windows 10 can be run directly from within Windows.

Click the Windows Start menu button on the Taskbar and select the Settings icon. Then choose Update and Security.

In Windows Settings, click on Windows Security from the left side list.

Next, in the Windows Security section, click on the grey button Open Windows Security.

Next click on the blue Scan options.

Look down the options list. Tick Windows Defender Offline scan. Then click the grey "Scan now" button.

And let it scan the system.

When it reboots the system, please just log in with your regular login account.

Have patience during the scan run.

Keep in mind that the design and what is scanned by Windows Defender is a whole different design from Malwarebytes. But do let me know how this scan goes and what the result is.

Attachment: Fixlist.txt


Thanks for sending the log. You did well.

Now,

Look in the Security area (like the one you posted).
On Firewall & network protection, click on the Turn on button.
Then look back at the icon marked Virus and threat protection.
Click that icon, please.
You should see a new window, titled Virus & threat protection.
Look for the blue line that is marked "Scan options".

Please go slow & careful. I would like for you to click the circle (choice) marked Full scan.
Then click on the Scan now button.


Please have lots & lots of patience. Leave it alone and let it have as much time as it takes. It can easily take an hour or two or more to do a full scan.

This scan is one important run to help look for and find any other remaining trojan / virus.

It may not show a moving count, but just leave it be overnight if needed.

 
