Removing Sality


Recommended Posts

Hi all,

I have Sality on my computer and I know the best thing to do is to reformat, which I'm going to do. But I have so much important stuff I can't afford to lose. So in a hopeless try to save them clean before reformatting, I posted in a forum for help, but they stopped answering me for quite a long time now after giving me a couple of steps, which I'm already having difficulties with. (And I already tried to ask the admins for help.)

These are the steps..

I can't guarantee it will work at all, but I have had success with this method in the past. There's also a risk - your machine may not boot after we've done this, so you need to decide whether the risk is worth it.

OK. As I said, Sality is highly infectious, so to move forward we need a clean PC to download the removal tools to, and a clean USB memory stick to transfer them to the infected machine.

Notes:

Please read through these instructions a few times until you are confident what to do before starting them. It is vital that these steps are performed in the correct order and exactly as posted. I suggest that you print off this post for reference before proceeding.

In step 5 you will be asked to temporarily disable any security programs you are running (Anti-virus and Spyware). Click here for details

++++++++++ oOo +++++++++

Steps 1 & 2 are performed on the clean machine.

» Step 1 Securing the USB/Flash device «

Flash Drive Disinfector

Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.

» Step 2 Download the tools we need «

Even if you already have any of the following, please download them again, as your versions may be infected

Note: All of these tools require renaming before you copy them to the infected machine.

  • Download SalityKiller.zip, unzip it, rename SalityKiller.exe to SK.com and save it to your USB disk
  • Download ComboFix.exe, rename ComboFix.exe to SvcHost.com and save it to your USB disk
  • Download drweb-cureit.exe, rename drweb-cureit.exe to DrW.com and save it to your USB disk

The next steps are performed on your infected machine

» Step 3 Transfer the tools to the infected machine «

  • Copy SK.com to your C:\ drive on the infected machine
  • Copy SvcHost.com to your desktop on the infected machine
  • Copy DrW.com to your desktop on the infected machine

» Step 4 Run SalityKiller «

On the infected machine:

  • Click Start > Run
  • Type in: c:\SK.com -a -j -k -l c:\SKLog.txt and press enter
  • A black screen will appear as the scan starts
  • Once complete, Press any key to continue.
  • Locate SKreport.log, in C:\. Please post the contents of SKreport.log on your next reply after you've run the remaining steps.

» Step 5 Run ComboFix «

Browse to your desktop where you placed a copy of Combofix (SvcHost.com).

  • Disable your Antivirus and Antispyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on SvcHost.com & follow the prompts.
  • As part of its process, ComboFix may check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

  • Click on Yes, to continue scanning for malware.
    When finished, it may ask for a reboot. Please do so if requested.
    It shall produce a log for you. Please include the C:\ComboFix.txt in your next reply after you've run the remaining steps.

» Step 6 Run Dr Web «

  • Double-click DrWeb.com, click on Start and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan
  • Once the short scan has finished, choose the Complete Scan
  • Select all drives. A red dot shows which drives have been chosen
  • Click the green arrow at the right, and the scan will start
  • Click Yes to all if it asks if you want to cure/move the file
  • When the scan has finished, look and see if you can click the following icon next to the files found:
    drweb_check.gif
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    drweb_move.gif
  • This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv. Open it, copy the contents and post it on your next reply. If you can't open it, rename it to Drweb.txt
  • If asked to reboot, please do so. This will allow DrWebCureIT! to move/delete files that were in use

» Finally... «

Please let me know how you got on in your next reply and post all the logs:

  • SalityKiller log - SKLog.log
  • Combofix log - Combofix.txt
  • DrWeb log - DrWeb.csv/DrWeb.txt

This is how far I got..

I couldn't get past step 5 but here's SKlog:

19:22:12:968 1764 scanning threads ...
19:22:20:328 1764
19:22:20:328 1764 scanning processes ...
19:22:20:921 1764
19:22:20:921 1764 removing autorun.inf files ...
19:22:21:015 1764
19:22:21:015 1764 Disabling autorun on all drive types
19:22:21:015 2480
Monitoring thread started
19:22:21:031 1764
19:22:21:031 1764 restoring SafeBoot registry node
19:22:21:031 1764 Restoring safe/network boot registry branches for windows XP
19:22:21:421 1764
19:22:21:421 1764 fixing registry ...
19:22:21:421 1764 SalityRegCure: Restoring general registry keys
19:22:21:531 1764 SalityRegCure: Fixing system.ini
19:22:21:531 1764
19:22:21:531 1764 scanning drives ...
19:22:21:531 1764 scanning C:\ ...
19:35:48:625 1764 scanning D:\ ...
19:39:04:578 1764 scanning E:\ ...
19:41:22:125 1764 scanning F:\ ...
19:41:36:953 1764 scanning G:\ ...
19:42:40:593 1764
19:42:40:593 2480
Monitoring thread stopped
19:42:40:593 1764
completed
19:42:40:593 1764 Infected files: 0
19:42:40:593 1764 Infected processes: 0
19:42:40:593 1764 Infected threads: 0
19:42:40:593 1764 Cured files: 0
19:42:40:593 1764 Will be cured on reboot: 0
19:42:40:593 1764 Executed registry scripts: 8

I can't finish the ComboFix scan because it's asking for Windows Recovery Console and I don't have it and don't have internet connection to let ComboFix get it. I tried something I found about creating an independent bootable cd but it didn't work - I don't know if it's ok to put a link to that page or not.

PS: If I read right, the SKlog says I'm not infected; also, just today I managed to open Windows in safe mode, which normally wouldn't happen.. Does this mean I got rid of Sality or what? And what about my internet connection? I can't log onto the internet from my computer.

Is it possible to finish this fix here?

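The SKLog posted above is the only evidence of the scan's outcome, and reading the summary counters out of it by eye is error-prone. The following is an added example, not code from this thread, from the forum staff, or from the SalityKiller tool: a small Python parser for the log layout seen above (timestamp, thread id, message; occasional message-only lines such as "completed" that belong to the preceding entry). The line format is inferred from the posted log and is an assumption; the sample text is a constructed, abridged copy of that log plus a constructed "infected" variant to show the other branch of the verdict logic.

```python
import re
from dataclasses import dataclass

# Constructed sample: abridged copy of the SKLog format posted in this thread
SAMPLE_LOG = """\
19:22:12:968 1764 scanning threads ...
19:22:20:328 1764
19:22:20:328 1764 scanning processes ...
19:22:20:921 1764 removing autorun.inf files ...
19:22:21:015 1764 Disabling autorun on all drive types
19:22:21:015 2480
Monitoring thread started
19:22:21:031 1764 restoring SafeBoot registry node
19:22:21:421 1764 fixing registry ...
19:22:21:421 1764 SalityRegCure: Restoring general registry keys
19:22:21:531 1764 SalityRegCure: Fixing system.ini
19:22:21:531 1764 scanning drives ...
19:22:21:531 1764 scanning C:\\ ...
19:35:48:625 1764 scanning D:\\ ...
19:42:40:593 2480
Monitoring thread stopped
19:42:40:593 1764
completed
19:42:40:593 1764 Infected files: 0
19:42:40:593 1764 Infected processes: 0
19:42:40:593 1764 Infected threads: 0
19:42:40:593 1764 Cured files: 0
19:42:40:593 1764 Will be cured on reboot: 0
19:42:40:593 1764 Executed registry scripts: 8
"""

# Constructed variant with non-zero counters, to exercise the "infected" verdict
INFECTED_SAMPLE = """\
10:00:00:000 100 scanning drives ...
10:00:00:000 100 scanning C:\\ ...
10:05:00:000 100
completed
10:05:00:000 100 Infected files: 3
10:05:00:000 100 Cured files: 2
10:05:00:000 100 Will be cured on reboot: 1
"""

# Timestamped line: HH:MM:SS:mmm <thread id> <message>
# (assumed layout, inferred from the log posted above)
LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}):(\d{3})\s+(\d+)\s*(.*)$")
# Summary counter line such as "Infected files: 0"
COUNTER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(\d+)$")
# Drive-scan line such as "scanning C:\ ..."
DRIVE_RE = re.compile(r"^scanning ([A-Z]:\\) \.\.\.$")


@dataclass
class LogEntry:
    ts_ms: int      # milliseconds since midnight
    tid: int        # thread id printed by the tool
    message: str


def parse_log(text: str) -> list[LogEntry]:
    """Parse log text into entries; lines without a timestamp prefix
    (e.g. 'Monitoring thread started', 'completed') are joined onto the
    preceding entry, which is how they appear in the posted log."""
    entries: list[LogEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            h, mi, s, ms, tid, msg = m.groups()
            ts = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1000 + int(ms)
            entries.append(LogEntry(ts, int(tid), msg.strip()))
        elif entries:
            last = entries[-1]
            last.message = (last.message + " " + line).strip()
        # a continuation with no preceding entry has nothing to attach to; skipped
    return entries


def summarize(entries: list[LogEntry]) -> dict:
    """Extract counters, scanned drives, completion flag, duration and a verdict."""
    counters: dict[str, int] = {}
    drives: list[str] = []
    completed = False
    for e in entries:
        c = COUNTER_RE.match(e.message)
        if c:
            counters[c.group(1)] = int(c.group(2))
            continue
        d = DRIVE_RE.match(e.message)
        if d:
            drives.append(d.group(1))
        elif e.message == "completed":
            completed = True
    infected = sum(v for k, v in counters.items() if k.startswith("Infected"))
    if not completed:
        verdict = "scan did not complete"          # no trustworthy counters
    elif infected == 0:
        verdict = "no Sality artefacts detected"
    else:
        verdict = f"{infected} infected object(s) reported"
    duration = (entries[-1].ts_ms - entries[0].ts_ms) / 1000 if entries else 0.0
    return {"counters": counters, "drives": drives, "completed": completed,
            "duration_s": duration, "verdict": verdict}


if __name__ == "__main__":
    for name, text in (("posted log", SAMPLE_LOG), ("infected sample", INFECTED_SAMPLE)):
        print(name, summarize(parse_log(text)))
```

The parser deliberately treats a missing "completed" line as an inconclusive result rather than a clean one, since counters that never got written (for example because the tool was stopped mid-scan) would otherwise read as zero infections.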

  • Staff

Hi,

The problem with file infectors like Sality and Virut is that they infect all of your legitimate programs.

The problem is... the virus is very buggy, so it does not do a good job of infecting your files, so any attempt to disinfect and possibly save your files would be futile, in that, due to the buggy virus, we cannot properly disinfect your files.

What I highly recommend now is a reformat and a reinstallation of Windows.

Please let me know if you are prepared to do so.

You may backup and save all files except programs (meaning pictures and documents are okay), because if you backup any applications, they will transfer to your clean system, and you will be reinfected.


  • 2 weeks later...

Hi, :)

Sorry for replying so late but I had a problem with my internet connection in the computer I'm currently using, but it's ok now.

The whole point of trying to save my infected files is to save irreplaceable photo files, that SO MANY people warned me against backing up; anything else can be got back. But you say it's ok to do so..

Sorry if this might seem a little bit rude but are you sure? It's been crazy for months now with nothing more than doing lots of scans.


  • Staff

Hi,

I gave you my recommendations. You can try to save your photos but nothing is guaranteed. If after formatting, reinstalling Windows, and restoring your images, your computer is still infected, then your photos cannot be backed up.

If they are that important to you then I would try it. If not, don't. You can always format again and your CD won't be infected.


Hi, :)

If they are that important to you then I would try it. If not, don't. You can always format again and your CD won't be infected.

Putting it that way, I actually felt kind of relieved after all this time.. I'm still uneasy because they are important and they might be infected, but there is no escape, right!

Just to be sure, what does this "it" refer to? Backing up or disinfecting?


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
