TechSpot

W32 Sality

By chunx
Sep 23, 2008
  1. Hi Bleeping Computer experts. My laptop (Microsoft Vista Business) has been infected by W32 Sality. The Run button has disappeared from Start, my Task Manager cannot be started, and regedit was disabled by the administrator, but I'm the administrator. All my .exe files are infected. I'm running SDfix\a2cmd.exe, Norman Malware Cleaner, AVG Free Edition and a virus remover for W32 Sality now. I also tried Errosmart and antispyware, but after scanning and removing threats, Task Manager and regedit are still not enabled.
    I really need serious help here. I have HijackThis on my computer too. I seriously need instructions to clear this W32 Sality.
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  3. chunx

    chunx TS Rookie Topic Starter Posts: 20

    Oops, sorry. I posted my problem on Bleeping Computer but no one replied, so I copied it from there and pasted it here and forgot to change it to TechSpot. I'm running Malwarebytes and SUPERAntiSpyware now, and also SDFix and the Kaspersky Virus Removal Tool. Every time I boot up my laptop and try to log into Windows, it auto-restarts. I have to reboot, press F8 and select 'boot from last known good configuration' to log in to Windows.

    Hi. These are my logs.
     


  4. SpiritWind

    SpiritWind TS Rookie Posts: 164

    Hi :

    Highly unusual for Adobe Reader to be a "Running Process", as indicated in your HijackThis log. This MAY be the source of your infection, because researchers found a new hacker toolkit that uses nothing but Adobe security leaks in order to infect systems. "PDF Xploit Pack" ( http://www.trustedsource.org/blog/15...e-PDF-Exploits ) adds all kinds of exploits to PDF files. When a certain exploit has successfully infected the OS, the IP address is sent to the attackers, so they need to try again. This is to reduce the time it takes to manage the bots.

    The use of PDF files is becoming more and more popular amongst malcreants, because other toolkits also have PDF exploits now. A year ago only 3% of the exploits were PDF directed.

    After uninstalling Adobe, seriously consider using the safer "Foxit Reader".
     
  5. chunx

    chunx TS Rookie Topic Starter Posts: 20

    I uninstalled Adobe Reader but it does not solve my problem. Task Manager and regedit are still disabled. When I boot my laptop and try to log into my user account, it says "The group policy client failed to log on, The media is write protected" and then it automatically restarts after showing the message for 0.5 second.
     
  6. SpiritWind

    SpiritWind TS Rookie Posts: 164

    Hi :

    I see other problems, but doubt resolving them would change your "situation". Since no one else is responding, I suggest you ask the experienced, certified "Microsoft Most Valuable Professionals" on the support forums at http://aumha.net for help. And do NOT post a HijackThis log that has been run in "Safe Mode" unless "Normal Mode" will not run.
     
  7. chunx

    chunx TS Rookie Topic Starter Posts: 20

    OK, thanks. Anyway, I used Group Policy to enable my regedit. Inside HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr and DisableRegedit are set to 1, so I set them to 0 and closed regedit. But after I close regedit, it automatically gets set to 1 again and regedit is disabled by the administrator again. So I guess it is the virus that causes this to happen.
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Download RatsCheddar

    It contains a program written by Rathat, and it is a Policy Controller.
    Save and extract this program to the desktop.
    Once extracted, double-click on the RatsCheddar.exe file.
    Enable everything, then click Exit.
    Reboot your computer.
     
  9. chunx

    chunx TS Rookie Topic Starter Posts: 20

    to kimsland

    Hey. Eh, that RatsCheddar was useful the first time. After that, once I open regedit and close it, taskmgr and regedit are disabled again and RatsCheddar doesn't work anymore. Anyway, more importantly, my OS can't boot normally. When I try to log in, it says "The group policy client failed to log on, The media is write protected" and then it automatically restarts after showing the message for 0.5 second. I have to boot, press F8 and select boot from last known good configuration in order to log into Windows.
     
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Please tick and fix these entries in HJT

     
  11. chunx

    chunx TS Rookie Topic Starter Posts: 20

    It seems like I'm unable to delete it. I click Fix checked, then rescan again, and the thing is there again.
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  13. chunx

    chunx TS Rookie Topic Starter Posts: 20

    I tried uninstalling antispyware; it says "fatal error occured removing driver: uninstallFilterDriver : LoadLib : The specified module could not be found". I can't seem to find any AVG7 things in my Add and Remove Programs.
     
  14. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Means the AVG7 files (well, the above HJT log files) are gone.
    By removing them in a new HJT scan, all should be OK.

    What antivirus are you presently using?
     
  15. chunx

    chunx TS Rookie Topic Starter Posts: 20

    Yup, I'm in the administrator account. What do you mean by "Means AVG7, files (well the above HJT log files), are gone
    By removing them in a new HJT scan, all should be ok"? I'm using Ad-Aware, Spybot Search and Destroy, Malwarebytes, SUPERAntiSpyware, SDFix.
     
  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I'm referring to Post #11 above.

    Run HijackThis again, and remove those entries.

    Also part of the New Preliminary Removal Instructions was to install (and update) an antivirus.

    I tell you what, do the following:

    Uninstall any live protecting programs like Spybot S&D, then download Avira free Antivirus.
    Do a full update. Then do a full scan.

    Please do these steps (which are also part of the New Preliminary Removal Instructions you completed; you did complete those steps, didn't you??)
     
  17. chunx

    chunx TS Rookie Topic Starter Posts: 20

    Hmm, I'm unable to delete these HijackThis entries. Every time I delete them they keep coming back.

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe (file missing)

    I did follow the New Preliminary Removal Instructions, as you can see from post #4; after doing it I posted the logs of Malwarebytes, SUPERAntiSpyware and HijackThis.
    I uninstalled Spybot S&D and installed Avira; I'm going to do a full scan now. Thanks.
     
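    As an added example (not code from this thread or from HijackThis itself), a small Python triage pass over the four HJT lines quoted above plus one constructed benign service line: it flags O7 policy lockouts (DisableRegedit/DisableTaskMgr set to 1, the values that kept being reset in post #7) and O23 services whose binary is marked "(file missing)", so a helper reading a log can separate the malware's persistence tricks from leftover entries of an uninstalled product.

    ```python
    import re

    # Constructed sample: the four HijackThis entries quoted in post #17, plus one
    # made-up, benign O23 line for contrast (not from the thread).
    SAMPLE_HJT_LOG = r"""
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe (file missing)
    O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\Program Files\Example\svc.exe
    """.strip()

    # O7 lines: "O7 - <registry key>, <ValueName>=<data>"
    O7_RE = re.compile(r"^O7 - (?P<key>[^,]+), (?P<name>\w+)=(?P<data>\S+)$")
    # O23 lines: "O23 - Service: <display> (<short>) - <owner> - <path> [(file missing)]"
    O23_RE = re.compile(
        r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - "
        r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
    )

    # Policy values a home user would not normally set; Sality-style infections
    # keep them at 1 to block manual cleanup via regedit and Task Manager.
    LOCKOUT_POLICIES = {"DisableRegedit", "DisableTaskMgr"}


    def triage_hjt(log_text):
        """Return (severity, description) tuples for suspicious HJT entries."""
        findings = []
        for line in log_text.splitlines():
            line = line.strip()
            m = O7_RE.match(line)
            if m:
                if m.group("name") in LOCKOUT_POLICIES and m.group("data") == "1":
                    findings.append(("high", f"policy lockout: {m.group('name')}=1 under {m.group('key')}"))
                continue
            m = O23_RE.match(line)
            if m:
                if m.group("missing"):
                    # Service registered but its binary is gone: typically a half-removed
                    # product, harmless by itself but worth cleaning so HJT stays readable.
                    findings.append(("medium", f"orphaned service {m.group('short')}: {m.group('path')} is missing"))
                elif m.group("owner") == "Unknown owner":
                    findings.append(("low", f"service {m.group('short')} has no publisher"))
        return findings


    if __name__ == "__main__":
        for severity, text in triage_hjt(SAMPLE_HJT_LOG):
            print(f"[{severity}] {text}")
    ```
    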
  18. chunx

    chunx TS Rookie Topic Starter Posts: 20

    I ran the Avira scan and it detects almost all my .exe files as W32\sality.
     
  19. momok

    momok TS Rookie Posts: 2,265

    Almost all, as in all on your system? I once encountered a problem like this, and I would recommend a reformat to be ultimately safe, especially if it keeps coming back through different programs' exes.

    I ended up cleaning and uninstalling almost every important program/software/game on my system, because apparently such trojans infect exe files and perpetuate their code in other exe files. As such, you can delete/clean the original bad trojan file, but the infection remains stuck on your system.

    There's no knowing which files have been infected and are just lying dormant, waiting to be run and infect more exe files on your system.
     
  20. chunx

    chunx TS Rookie Topic Starter Posts: 20

    to momok

    Hmm, I have thought of reformatting, but I'm using Vista and I don't know how to do a reformat. All I have is a Windows Vista recovery DVD, but every time I boot up with the recovery DVD inside or choose Repair my computer, it hangs at a black screen after loading for a while. I waited for 1 hour but nothing happened. System Restore is also not working. Every time I do a System Restore and restart my laptop, it says the System Restore has failed.
     
  21. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Well, the System Restore failing is not that shocking. Once you get virus/trojan/malware issues, usually System Restore is one of the first areas to also be affected.

    But the DVD recovery image is the bigger concern.
    I'd say all attention should be on getting this to work, otherwise you'll never be able to re-install Windows (repair, or a preferred clean install).

    Your first option would be to check the DVD for scratches/marks, and either clean or replace it (through your manufacturer).
    Next would be to run Memtest on your RAM.
    Failing (or rather passing) that, I would say run a hard drive diagnostics test.
    Lastly, laptops have always had the issue of poor quality DVD players; you could run a disc cleaner through it, or possibly install an external DVD drive (although I'm not sure how this will affect the restore process).
     
  22. chunx

    chunx TS Rookie Topic Starter Posts: 20

    I repeated the New Preliminary Removal Instructions in safe mode and now my regedit and Task Manager are working again. My laptop is booting back to normal again! Thanks TechSpot people! I guess my problem is solved!
     
  23. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Glad it's resolved.
    Please continue to disregard my last post, until one day when you need to re-install or repair Windows ;)
     
  24. chunx

    chunx TS Rookie Topic Starter Posts: 20

    Yup, I will. Thanks kimsland! =)
     
Topic Status:
Not open for further replies.
