
Sality.an trojan infected my main computer - and possibly router



My desktop (Windows 10) recently got the Sality.an trojan through a USB thumb drive. The drive was one I normally used, and was safe. It got infected when I plugged it in at a nearby bookstore to get a few documents printed out. The intrusion was detected by Windows Defender, though it wasn't able to contain it. My PC was the only one connected to our router at the time via an ethernet cable (it was actually connected to a secondary router I put in the living room to spread out the main one's signal, which is connected by another ethernet cable to the main one).

Naturally, not knowing much about viruses, I panicked and started googling solutions and came across this forum post here on Malwarebytes titled "I need help understanding Sality.AT" by user Aghidio. Following the instructions there I promptly downloaded the Kaspersky Virus Removal Tool, disconnected my PC from the internet, unplugged the main router, then ran the tool with reports unencrypted (more information on this below). Then I went to my Ubuntu laptop, which by all accounts should be uninfected, and spent the night changing passwords, connected to my mobile hotspot. I changed the hotspot's name and password before opening it, so there is no way the infected PC would have been able to connect to it.

I am concerned about a couple of things, and would appreciate some expert opinion. Firstly, the original post was about the AT strain (I think that's what it's called), and what I got was AN. I don't know what significance this has, but perhaps it's a newer, more dangerous version? From reading the main post I understand that once a computer gets the Sality virus, a complete wipe will be necessary before it can be safe to use again - which is fine, but I would like to save any documents, photographs and videos I can from it. I will now provide the steps I took in detail, and the reports from using the tool, below:

 

1) When I first ran the tool, selecting every scannable option from "change parameters", it only got past scanning drive C:, and I had to stop the scan before D: could be scanned - it was morning and I had to go out of town, so I shut the PC down, though before that I selected the "Cure" option for the 2 already detected objects. I have sadly lost the reports for this one.

 

2) Coming back to it a day later I decided to plug the infected USB drive in first, format it, then scan it in the Kaspersky Tool alongside everything else. The scan was taking rather long so I decided to take a nap while it wrapped up, and when I returned it seems the tool had done the "action" part on its own after waiting for some time. I have attached here the report, scan results, and the quarantined objects that appeared afterwards:

[Attached: three screenshots of the Kaspersky report, scan results and quarantined objects]

I have taken no further actions, just closed the tool, unplugged the USB and shut down the computer.

What should my next steps be?

  • I would like to save my data to an external drive, but I'm not certain that drive won't become infected once I plug it in. Is it safe to assume I can start transferring data out at this point, or if not, what else should I do?
  • I am concerned one or both of my routers are also infected. How can I know, or rid them of this virus?
  • I would then like to do a fresh install of Windows 10 on the computer with a USB drive, but I don't know how to go about this so that the new install (or the drive beforehand) won't become infected.
  • Lastly, after everything is done and dusted, I'd like to purchase and start using a well-established and trustworthy anti-virus program. Foolishly, I didn't have one before and relied solely on Windows Defender. Can you recommend one?

Thank you very much for giving me your time to read this! I am very distraught and lost as to what to do next, and would appreciate your opinion ^^


 

Hello @Nerdcore, and welcome:

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

Then follow each step in the order provided. Unless otherwise asked, please attach all logs.

 

Please make the following system changes. Please pay close attention to the instructions in all of the following links.

  • If you have not done so already - Enable System Protection and create a NEW System Restore Point
  • Temporarily disable your antivirus real-time protection or other security software first, only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

Please run the following scans. Please pay close attention to the instructions in all of the following links.

  1. Click the following link and run a Scan with AdwCleaner
  2. Click the following link and run a Scan with Malwarebytes
     RESTART the computer
  3. Click the following link and run a Scan with Farbar Recovery Scan Tool

Example image of where to click to attach 5 files when posting your reply


 

Thank you.


Hello, before I get started following all the instructions you sent me: does this mean I need to connect the infected computer back to the internet to download the programs you suggested? Will this not pose a security risk to the passwords and accounts I've already changed to protect them?



Hello, before I get started following all the instructions you sent me: does this mean I need to connect the infected computer back to the internet to download the programs you suggested? Will this not pose a security risk to the passwords and accounts I've already changed to protect them? - sorry for reposting, couldn't figure out how to quote reply


1 minute ago, Porthos said:

The only things you can save are documents, pictures, and the like. Absolutely NO executable or program files of any kind.

The main things I want to save are:

  • Videos and Audio files
  • Pictures
  • Text Documents (docx, odt, rtf)
  • PDF files
  • Lua and XML files (my own projects)
  • Rar and Zip files containing any of the above

Can I save these?


1 minute ago, David H. Lipman said:

Was there one Sality file detection, or was there a lot of files being detected as infected with Sality?

At least 3 detected by Windows Defender, then a couple more by Kaspersky Virus Removal Tool.


That's not many and the infection was most likely stopped.

I believe a data-files-only extraction would be safe, and then the system can be wiped. Albeit it would be better to retrieve files from a backup instead.
If you do not perform regular backups, you just learned a valuable lesson as to why making backups is important.


33 minutes ago, David H. Lipman said:

That's not many and the infection was most likely stopped.

I believe a data-files-only extraction would be safe, and then the system can be wiped. Albeit it would be better to retrieve files from a backup instead.
If you do not perform regular backups, you just learned a valuable lesson as to why making backups is important.

The main things I want to save are:

  • Videos and Audio files
  • Pictures
  • Text Documents (docx, odt, rtf)
  • PDF files
  • Lua and XML files (my own projects)
  • Rar and Zip files containing any of the above

Can I save these?

Also, how can I be certain the USB I used (the one I contracted the virus from) has been cleared of the infection? Is formatting it enough? Some resources online say that Sality can affect routers; what should I do about that?

When attempting to save my documents, how will I be certain that the external drive I will transfer them to won't be infected? Also, I plan to gather reports from the programs user 1PW asked of me by installing the programs from a disposable CD/DVD which I will then throw away. Is this a good idea, to install these suggested programs onto my infected computer?


Thank you for taking your time to assist me!


 

7 minutes ago, Nerdcore said:

The main things I want to save are:

  • Videos and Audio files
  • Pictures
  • Text Documents (docx, odt, rtf)
  • PDF files
  • Lua and XML files (my own projects)
  • Rar and Zip files containing any of the above

Can I save these?

Yes, they are data files.

You have an Ubuntu laptop that can scan the USB and any/all files on it using ClamAV. If it is not installed already, install ClamAV.

If you plan on wiping the PC and reinstalling the OS, then gathering said reports from the programs @1PW suggested is a moot point.
If, however, you choose to keep the OS, then the logs would be crucial in determining the breadth, alterations and havoc the Sality may have caused.

One last note: pictures of logs contain limited information. The actual log files of detections, showing the fully qualified name and path to the subject files and their detection, are best.
For example, an EXE file is detected and the ZIP file it was in is also detected. While physically that is two detections, it is really only one file, inside and outside the archive, that was detected.


9 minutes ago, David H. Lipman said:

 

Yes, they are data files.

You have an Ubuntu laptop that can scan the USB and any/all files on it using ClamAV. If it is not installed already, install ClamAV.

If you plan on wiping the PC and reinstalling the OS, then gathering said reports from the programs @1PW suggested is a moot point.
If, however, you choose to keep the OS, then the logs would be crucial in determining the breadth, alterations and havoc the Sality may have caused.

One last note: pictures of logs contain limited information. The actual log files of detections, showing the fully qualified name and path to the subject files and their detection, are best.
For example, an EXE file is detected and the ZIP file it was in is also detected. While physically that is two detections, it is really only one file, inside and outside the archive, that was detected.

  • Won't plugging the USB into my Ubuntu laptop risk getting it infected as well? My desktop got it immediately without me transferring or clicking on anything inside the USB drive.
  • Regarding the last note: I am currently downloading the programs 1PW suggested onto a DVD and I'll run them, then provide all the logs generated as soon as it's done.

Just now, Nerdcore said:
  • Won't plugging the USB into my Ubuntu laptop risk getting it infected as well? My desktop got it immediately without me transferring or clicking on anything inside the USB drive.
  • Regarding the last note: I am currently downloading the programs 1PW suggested onto a DVD and I'll run them, then provide all the logs generated as soon as it's done.

Also forgot to add, I already formatted the USB using my infected desktop.


3 minutes ago, Nerdcore said:
  • Won't plugging the USB into my Ubuntu laptop risk getting it infected as well? My desktop got it immediately without me transferring or clicking on anything inside the USB drive.
  • Regarding the last note: I am currently downloading the programs 1PW suggested onto a DVD and I'll run them, then provide all the logs generated as soon as it's done.

I thought I would still download the programs to scan to ensure a safer transfer for the documents I want to save, is that a silly idea?


Just now, Nerdcore said:

I thought I would still download the programs to scan to ensure a safer transfer for the documents I want to save, is that a silly idea?

Yes. 

Sality is a Windows PE file infector only. It does not target other OSes. It will not cross-infect Ubuntu.

ClamAV's signatures cover infectors across OSes, so if Sality is there in those data files (including non-Sality detections), ClamAV on Ubuntu can detect and remove this 20-year-old file-infecting virus. If any detections are made by ClamAV you can attach that log file.

Reference:

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus%3AWin32%2FSality.AN

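For the ClamAV step described above, here is an added shell script (not from this thread or from any of its posters) that triages the USB stick from the Ubuntu laptop: it runs clamscan with a log kept for posting, then copies only the data file types listed in the thread, refusing anything that is really a Windows PE file (the kind Sality infects) whatever its name says. The mount point, destination and log paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: triage the USB stick from the Ubuntu laptop.
# Assumes the stick is already mounted (ideally read-only and noexec) at SRC and
# that clamscan is installed; the paths in the example run are placeholders.
set -eu

# Data file types the poster wants to keep (video/audio, pictures, documents,
# PDFs, Lua/XML sources, rar/zip archives). Executables are deliberately absent.
DATA_EXTS="mp4 mkv avi mp3 flac wav jpg jpeg png gif docx odt rtf pdf lua xml rar zip"

# Returns 0 if the file name's extension (case-insensitive) is on the whitelist.
is_data_ext() {
    name=${1##*/}
    case $name in *.*) ;; *) return 1 ;; esac
    ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z')
    for e in $DATA_EXTS; do
        [ "$e" = "$ext" ] && return 0
    done
    return 1
}

# Returns 0 if the file begins with the DOS/PE "MZ" magic. Sality infects PE
# files, so a "document" carrying this header is refused regardless of extension.
has_pe_magic() {
    [ -f "$1" ] && [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]
}

# Decision for one file: prints "copy" for whitelisted data, "skip" otherwise.
classify() {
    if has_pe_magic "$1"; then
        echo skip
    elif is_data_ext "$1"; then
        echo copy
    else
        echo skip
    fi
}

# Scan the whole stick with ClamAV (log kept for attaching to the thread), then
# copy only the files classified "copy" into DST, preserving the directory layout.
triage_usb() {
    src=$1 dst=$2 log=$3
    clamscan -r --infected --log="$log" "$src" || echo "ClamAV reported detections, see $log" >&2
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        case $(classify "$f") in
            copy) mkdir -p "$dst/$(dirname "$rel")" && cp -p "$f" "$dst/$rel" ;;
            *)    echo "skipped: $f" >&2 ;;
        esac
    done
}

# Example run with placeholder paths (assumptions, adjust to your system):
# triage_usb /media/usbstick /home/user/rescued /home/user/clamscan-usb.log
```

Archives on the whitelist are copied as-is; the clamscan pass above inspects their contents, but any executable extracted from them later should be treated as suspect, as Porthos advised.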

1 minute ago, David H. Lipman said:

Yes. 

Sality is a Windows PE file infector only. It does not target other OSes. It will not cross-infect Ubuntu.

ClamAV's signatures cover infectors across OSes, so if Sality is there in those data files (including non-Sality detections), ClamAV on Ubuntu can detect and remove this 20-year-old file-infecting virus. If any detections are made by ClamAV you can attach that log file.

Reference:

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus%3AWin32%2FSality.AN

Thank you so much, I will transfer the files I want to save, scan them on my laptop with ClamAV, then do a fresh install. I will report if anything unexpected occurs.


1 minute ago, Nerdcore said:

Thank you so much, I will transfer the files I want to save, scan them on my laptop with ClamAV, then do a fresh install. I will report if anything unexpected occurs.

Also forgot once again to add: What about the stuff I read about routers? Any chance that my main or secondary router could be infected?


No. Routers don't tend to run Windows, and you can't execute a Sality-infected file on the router platform. Over the Counter (OTC) routers are considered appliances and run what is usually a 'nix-based OS from Read Only Memory (ROM), with settings stored in non-volatile Random Access Memory (NVRAM). Sality has fixed capabilities and will not infect your router appliance.

** For OTHER malware that specifically targets router appliances, a hard reset will remove it and bring the router back to factory defaults. The user can then re-enter settings, or restore the settings from disk if that router has a Backup Settings option.

 

Some notes and tips for the Router:

  • Disable acceptance of ICMP Pings
  • Change the Default Router password using a Strong Password
  • Use a Strong WiFi password on WPA2 using AES encryption or Enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network.
    Example:  Keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address or other personal information. Make it unique or whimsical and known to your family/group.
  • Mitigate SSID Confusion attacks [CVE-2023-52424] by avoiding credential reuse across SSIDs: use a unique password per SSID.
    Example: One password for 2.4 GHz and a different password for 5 GHz.
  • Is the Router Firmware up-to-date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set Firewall rules to BLOCK: TCP and UDP ports 69, 135 ~ 139, 161, 445, 1234, 3389, 5555 and 9034
  • Many Routers support Saving and Restoring settings from a file.  It is suggested to make a backup by saving your Router's settings once it has been configured.
  • Document passwords created and store them in a safe but accessible location.


NOTE:  The above suggested tips may be dependent upon one's preferences and the Router's capabilities.

References:

  1. What is a Cable Modem?
  2. What is a Router?
  3. What is a Modem+Router?
  4. How To Reset Your Router
  5. Ports Database
  6. IANA official ports

 

 

 



Not sure if this tool is any better or not, but it was a dedicated tool back when Sality was very popular.

salitykiller.zip

 

 

Clean Install Windows 10 & 11 (2023)
https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587


Also, please review the following topic

Bypass Microsoft Online Account Creation during installation of Windows 11
https://forums.malwarebytes.com/topic/296613-bypass-microsoft-online-account-creation-during-installation-of-windows-11/

 

 



The following information will help you to keep your computer and data safer, as well as improve your overall privacy.

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/780233/best-password-manager/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download https://patchmypc.com/about-us
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Cybersecurity basics & protection
Everything you need to know about cybercrime
https://www.malwarebytes.com/cybersecurity

 

Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal.

 
