
I need help understanding Sality.AT



Hi, I have just gotten malware called Sality.AT. I currently use Windows 10 Pro and have 2 USBs infected. I have several questions about Sality.AT and probably need help, but since I'm bad at speaking English I will try to explain it as best I can. Please do answer this, as I need to know if I can recover some of my files.

 

- Can Sality.AT infect peripherals such as mice, keyboards, and USB network adaptors? (I currently have a Razer DeathAdder mouse which communicates with the Razer software for brightness control and DPI.)

 

- Does it infect files like .RAR, .PSD (Photoshop), .PNG, .MKV, .MP3, .MP4, and Steam-launched library games?

 

- How exactly do I clean my 2 infected USBs? I have formatted them as of now (not the quick format option).

- (Related question to the above) Does Sality.AT infect my USB device firmware?

I probably have more questions which I could not think of as of yet, but please do help me as I'm somewhat on a schedule :(

Hello @Aghidio and :welcome::

If the computer is indeed the victim of a Sality.AT attack, many identify the Sality strains with a very damaging rootkit type of malware. Your helper will be able to assist you further.

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.  WARNING: Do Not click the Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have posted.

Thank you.


Hi, and thanks

I've already run the Malwarebytes Support Tool previously, but I may have pressed Repair System unknowingly. How much of a problem could that be?

1 hour ago, 1PW said:
  1. WARNING: Do Not click the Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper.

 

 

I also have a followup question to those who could answer it.

 

- Can Sality.AT get onto routers and spread to other devices linked to it?

 

- I heard that SATA3 connectors cannot be infected (firmware-wise), unlike USB, and so it was recommended that I run USB through a SATA3 adapter. Is it true?

 

- Could Sality.AT spread onto motherboards, CPUs, and RAM even when the drive is cleanly wiped?

 

- I previously had a Sony PSP connected to the PC during the attack, unknowingly. I heard Sality.AT only attacks specific OSes, but I don't know if that's true to this day, so just to be sure I'm asking if it's still OK for the PSP (I'm going to wipe the memory for sure, but I don't know if it will stay on the PSP).

Hello @Aghidio:

Although some valuable logs may or may not have been lost, it would be best to repeat the log gathering procedure above and post the mbst-grab-results.zip file in your next reply.

Some answers to all your above questions are easier for your helper to make if the data from the logs is posted.

Please take your time for greater accuracy.

Thank you.


  • Root Admin

I'm sorry but I have some bad news for you. @Aghidio

 

Sality is a file infector. Though there are cleanup tools, they do not function well enough to clean a computer back to a safe and secure system.

I would highly recommend that you download and run the Kaspersky Virus Removal Tool just so that you can attempt a basic cleanup to allow you to save any personal documents to an external drive before formatting the infected drive.

NOTE: Please do not share or connect any USB drive or thumb drive to this computer before running the Kaspersky tool. If you have already connected one then have Kaspersky scan that drive too as it can infect other computers if connected.

This is a dangerous virus that can and will try to infect any type of media that it can write to. Do not share data from this computer with any other computer.

 

 

One or more of the identified infections may also potentially be related to a  rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (back doors) as a means of accessing a computer system that bypasses security mechanisms and steals sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.
 
If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned.
All passwords should be changed to include those used for banking, email, eBay, PayPal, and online forums from a CLEAN COMPUTER - never use the same password on different sites. Avoid using Facebook, Google, or other auto sign-on methods. If that account gets exploited they'll also have access to all other sites linked to it.
 
 
You should consider these passwords to be compromised. You should change each password by using a different computer and not from the infected one.
 
If not, an attacker may get the new passwords and transaction information. If using a router, you may need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read the following
 
 
Although the threat may have been identified and may be removed, your PC has likely been compromised and there is no way to be certain the computer can ever be trusted again.
 
It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure.
 
In some instances, an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.
 

Once the main infection has been removed here are some articles on doing a clean fresh install of Windows 10 (at this time I'd probably not install Windows 11 just yet)

 

Clean Install Windows 10 & 11 (2023)
https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587

Also, please review the following topic

Bypass Microsoft Online Account Creation during installation of Windows 11
https://forums.malwarebytes.com/topic/296613-bypass-microsoft-online-account-creation-during-installation-of-windows-11/

 

 

If you have any other questions or need further assistance please let me know

Thank you

 


@1PW

Sorry, a bit late, it was midnight, but here's what you asked.

@AdvancedSetup

Hi! Can you clarify what I asked, just to be clear what we're dealing with here? Because I have around 1 TB of files (mostly videos and music) that I may/could back up via the MEGA cloud.

 

Also, is there a way to clean the USBs, or are they done for? Even after formatting?

DxDiag.txt mbst-fix-results.txt mbst-grab-results.zip


  • Root Admin

Running a Kaspersky antivirus scan should clean it up enough to ensure you can back up data you created, but do not back up the entire computer. Just data you've created.

 

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Press the Windows Key and R Key together; the "Run" box should open.

Drag and drop KVRT.exe into the Run box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the Run box.

Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.

That addendum to the run command is very important. When the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.

Reports are saved here: C:\KVRT2020_Data\Reports, and look similar to this: report_20210123_113021.klr
Right-click directly on that report, select > Open with > Notepad. Save that file and attach it to your reply.

To start the scan, select OK in the "Run" box.

An EULA window will open; tick all confirmation boxes, then select "Accept".

In the new window select "Change Parameters".

In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...

When complete, if entries are found there will be options; if "Cure" is offered, leave as is. For any other options change to "Delete", then select "Continue".

When complete, or if nothing was found, select "Close".

Attach the report information as previously instructed...
 
Thank you
 
 

 

 


  • Root Admin

That's good. Again, make sure you scan the USB drive you're going to use to back up your data.

I'm heading out. It's almost 2 AM for me

Scan your USB drive. Then back up your personal data: music, images, videos, no programs.

 

Then, once all your data is backed up, do a clean install of Windows.

 

Clean Install Windows 10 & 11 (2023)
https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587

Also, please review the following topic

Bypass Microsoft Online Account Creation during installation of Windows 11
https://forums.malwarebytes.com/topic/296613-bypass-microsoft-online-account-creation-during-installation-of-windows-11/

 

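The advice in the two Root Admin posts above is to back up only the data you created (music, images, videos) and no programs, because Sality is a file infector that patches Windows executables (PE files). An extension filter alone is not a safe way to do that: a program renamed to song.mp3 is still a PE image. The script below is an added example, not code from the thread or from Malwarebytes or Kaspersky. It walks a drive root, keeps documents and media, and refuses anything whose bytes carry the MZ/PE signature plus any autorun.inf at the root of the drive. The extension list and the sample drive layout are assumptions constructed for the demo.

```python
"""
Added example, not from the forum thread: a content-based allow-list for the
"back up only the data you created, no programs" advice.

Sality is a PE file infector, so any program copied off the infected machine
carries it along. This script classifies files by content rather than by
extension alone. The extension list and the sample tree are constructed
assumptions for the demo; they are not taken from the thread.
"""
import os
import struct
import sys
import tempfile

# Extensions refused outright, before the content check (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".dll", ".com", ".pif", ".cpl", ".sys"}


def is_pe_file(path):
    """True if the file is a Windows PE image, whatever its extension.

    Checks the 'MZ' DOS stub, then follows e_lfanew (offset 0x3C) to the
    'PE\\0\\0' signature. A text file that merely starts with 'MZ' fails the
    second check because e_lfanew points past the end of the file.
    """
    try:
        with open(path, "rb") as f:
            header = f.read(64)
            if len(header) < 64 or header[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def classify_tree(root):
    """Walk root; return (keep, skip) lists of '/'-separated relative paths."""
    keep, skip = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if rel.lower() == "autorun.inf":
                skip.append((rel, "autorun.inf at drive root"))
            elif ext in EXECUTABLE_EXTENSIONS:
                skip.append((rel, "executable extension"))
            elif is_pe_file(full):
                skip.append((rel, "PE header despite extension " + (ext or "(none)")))
            else:
                keep.append(rel)
    return sorted(keep), sorted(skip)


def _fake_pe_image():
    """Minimal 'MZ' + 'PE\\0\\0' byte layout for the demo; not a real binary."""
    image = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", image, 0x3C, 0x80)          # e_lfanew -> PE header at 0x80
    image += b"\x00" * (0x80 - len(image)) + b"PE\x00\x00" + b"\x00" * 20
    return bytes(image)


# Constructed sample layout of a USB stick; every byte here is synthetic.
SAMPLE_FILES = {
    "autorun.inf": b"[autorun]\r\nopen=setup.exe\r\n",
    "setup.exe": _fake_pe_image(),
    "Music/song.mp3": b"ID3\x03\x00" + b"\x00" * 100,
    "Music/song2.mp3": _fake_pe_image(),              # executable renamed to .mp3
    "Photos/holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 100,
    "Docs/notes.txt": b"MZ" + b" text that starts with the letters MZ but is no PE image" * 3,
}


def build_sample_tree(base):
    """Write SAMPLE_FILES under base and return base."""
    for rel, data in SAMPLE_FILES.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return base


def run_demo():
    """Build the sample tree in a temp dir and classify it; returns (keep, skip)."""
    return classify_tree(build_sample_tree(tempfile.mkdtemp(prefix="backup_triage_")))


def main(argv):
    # Point it at a real drive root (e.g. E:\ or /media/usb) to triage a backup set.
    keep, skip = classify_tree(argv[1]) if len(argv) > 1 else run_demo()
    for rel, reason in skip:
        print(f"SKIP  {rel}  ({reason})")
    for rel in keep:
        print(f"KEEP  {rel}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the drive letter or mount point of the USB stick as the only argument; with no argument it classifies the constructed sample tree. The KEEP list is what goes to the backup; everything under SKIP stays behind and is re-created from clean installers after the reinstall. This does not replace the Kaspersky scan the thread asks for: documents that embed macros or scripts are not PE files and pass this filter, so scan the backup drive as instructed before plugging it into the rebuilt machine.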

  • 3 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
