
Real Virus.Sality Infection or is it a False Positive


Hello,

Thank you in advance for any help.

Results of a Malwarebytes custom scan including rootkits

Name: Virus.Sality

Type: Malware

Object Type: File

Location: C/PROGRAMDATA/MALWAREBYTES/MBAMSERVICE/TMP/HPISCNAPP.EXE-K.MBAM

Action: Delete on Reboot

(Reading through this site, I know I'm supposed to upload logs and other files, but I took the PC that is 'infected' off the network to be safe. Also, the above has happened with three separate scans.)

Monthly, I scan my family's Windows 10 computer with Windows Defender and the free edition of Malwarebytes. I usually run a Defender quick and full scan and a default Malwarebytes scan. This month, the Windows Defender full scan found 7 PUAs, which were all files and container files of old CCleaner executables. Some of these were up to 10 years old. I cleaned all of those files out, rescanned, and everything came up clean.

These "positives" from Windows Defender made me scan the computer with a Malwarebytes custom scan including rootkits. This scan came up with Virus.Sality as mentioned above. Malwarebytes quarantined and deleted the file on reboot. However, whenever I perform a Malwarebytes custom scan including rootkits, this file keeps coming up in the same place. Nothing else is detected, even after 12 hours of scanning. When I scan with Malwarebytes and do not include rootkits, this file never comes up. This virus also never comes up with a Windows Defender quick or full scan.

I read through this forum afterwards and read that the scan-for-rootkits option is defaulted to off for various reasons. So, I was just wondering, is this a genuine Virus.Sality infection or is it a false positive due to enabling rootkits to be scanned? Also, the virus is usually found during the "scanning file system" portion of the scan and not the "scanning for rootkits" portion of the scan.

The computer shows no signs of a virus infection such as slowdowns, weird downloads, etc. The one "weird" thing is that in the folder where the virus is supposedly located, the TMP folder for Malwarebytes, there are several zip files with long names of random letters and numbers. I'm not sure if that is normal or not, even though they all have "Date Modified" times that correspond to when I scanned with Malwarebytes.

In any case, thank you for reading. Any help, advice or information would be appreciated. Thanks again, and have a great day.


Hello @RRamdeo and welcome:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays that the tool is Getting logs from your computer. WARNING: Do NOT click Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop; please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have posted.

Thank you.


  • Root Admin

Hello and welcome

My screen name is AdvancedSetup and I will assist you with your system issues.

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested

If you really have the Sality virus, then you need to back up personal data only: images, documents, music, videos. DO NOT back up full games or any type of EXE, DLL, etc.

The virus scanners can remove the infection but cannot clear up the damage.

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

Press the Windows key and R key together; the "Run" box should open.


Drag and Drop KVRT.exe into the Run Box.


C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.


Add -dontencrypt (note the space between KVRT.exe and -dontencrypt).

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.

That addition to the Run command is very important: when the scan eventually completes, the resultant report is normally encrypted; with the extra switch it is saved as a readable file.

Reports are saved in C:\KVRT2020_Data\Reports and look similar to this: report_20210123_113021.klr
Right-click directly on that report and select Open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

An EULA window will open; tick all confirmation boxes, then select "Accept".


In the new window select "Change Parameters"


In the new window, ensure all selection boxes are ticked, then select "OK". The scan should now start.


When complete, if entries are found there will be options; if "Cure" is offered, leave it as is. For any other options, change to "Delete", then select "Continue".


When complete, or if nothing was found, select "Close".


Attach the report information as previously instructed...

Thank you

Hello,

Thank you for quick responses to my questions. I believe I have done everything you have asked for. The Malwarebytes Support Tool report and the results for the Kaspersky Virus Removal Tool are enclosed. The scan with the removal tool came up with no detections.

Thank you for any future guidance and thank you for all of your help thus far.

Have a great day.

Attachments: mbst-grab-results.zip, report_2023.08.21_13.12.07.klr.txt


  • Root Admin

As this was a confirmed FP, let's go ahead and clean up your system, @RRamdeo.

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security.
    • Malwarebytes Browser Guard
    • uBlock Origin

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes


Hello,

Thank you to the both of you for your responses and help it is greatly appreciated.

I downloaded the kprm tool executable. When I tried to run it on my computer it gives me the message "Microsoft Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.", is it okay to run the app?

Sorry for a question that might be overly cautious, but after this virus scare I just wanted to be extra careful.

Thanks again for everything.


Hello,

Thank you for the response. I've run the kprm tool and have attached the resulting log file to this post.

I just have a few more questions about this overall process. First, is there any reason to have the "scan for rootkit" option enabled on custom scans, or should I just leave it blank for future scans? Also, I was going to upload the "infected" file to VirusTotal, but I couldn't locate the file. It wasn't in the Malwarebytes TMP folder, nor could I find it when I used the Windows search bar. Any ideas on why that is?

In any case, thank you and everyone else for all of the responses and for all of the help. It really made this process very straightforward and easy.

Thank Again. Have A Great Day.

Attachment: kprm-20230822115721.txt


3 minutes ago, RRamdeo said:

First, is there any reason to have the "scan for rootkit" option enabled on custom scans, or should I just leave it blank for future scans?

Scanning in rootkit mode does eliminate some whitelisting. It should only be used if there is an infection that we can't remove from normal scan mode. 

5 minutes ago, RRamdeo said:

I was going to upload the "infected" file to VirusTotal, but I couldn't locate the file. It wasn't in the Malwarebytes TMP folder, nor could I find it when I used the Windows search bar. Any ideas on why that is?

They are temporary files and get deleted automatically.


  • Root Admin

Please open Malwarebytes and click on the small gear icon. On the General tab, scroll down to the bottom and click on the Restore default setting button.

Unless there is a valid reason to uncheck or change one of the default settings we'd recommend you leave them as they are.

Do you have any other questions before we close up this topic as resolved? @RRamdeo


Hello,

Thank you to the both of you for your responses and thank you to everyone for all of your help. You all made this process very manageable and easy to deal with. With that said, I do not have any more questions and will just say thank you again.

Thanks Again

Have A Great Day and I Wish All of You All the Best


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you
