Question

Is it very difficult to use Kaspersky Sality Solution and DrWebCureIt to get rid of Virut/Sality?

Asked by: hermesalpha

Is it very complicated to use Kaspersky Sality Solution and DrWebCureIt to get rid of Virut/Sality?
I have a laptop with XP SP3 installed, and my external HDDs are infected with Virut/Sality.

I used ComboFix earlier, but it was the first time I used it and it didn't go too well... Had to reinstall the whole system again. Don't want to experience the same thing with http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889 and DrWebCureIt.

So I wonder if there are any risks in using them, like with ComboFix?

This Question has been solved and asker verified.

Asked On: 2009-05-24 at 08:02:24, ID: 24434376
Topics: Anti-Virus, Internet Security, Windows XP Operating System
Participating Experts: 2
Points: 250
Comments: 57


Answers

 

by: Admin3k, Posted on 2009-05-24 at 09:20:15, ID: 24462032

If your machine is infected with BOTH Sality & Virut/Virux, then I would seriously suggest not to waste your time trying to recover. Take this machine offline, just back up DATA files to an external drive or CD, that would be documents, PST files, etc... & just format then rebuild the machine.

If we were talking about one of them, I would have been optimistic, but not both. The Sality one, for example, can be fixed without lots of complications using the above Kaspersky tool/steps; however, Virut will mess up executables to a great extent & a combination of both can be a one way trip for your executables.

 

by: hermesalpha, Posted on 2009-05-24 at 16:39:58, ID: 24463538

The problem is I don't know which one of them it is, or if it is both. Another Master told me it was Virut/Sality, I don't know if she meant both of them.

And I have already wiped my internal HDD clean with WipeDrive and reinstalled OS, but my 3 external HDDs (total 500 GB) need to be cleaned. And after cleaned, wiped completely clean.

 

by: Admin3k, Posted on 2009-05-24 at 16:59:54, ID: 24463588

Do you have an installed antivirus program after you reinstalled your system?

You need to connect the external drives one at a time & scan using an updated version of your antivirus.

Make sure Autorun is disabled on all hard drives first:

http://support.microsoft.com/kb/967715

You can also run the sality_off tool by Kaspersky with the command line -m.

Running the Symantec tool for Virut in safe mode shouldn't hurt either.

 

by: NaturaTek, Posted on 2009-05-24 at 17:19:16, ID: 24463638

I'm with Admin3k, that combo of viruses you have, delete partition and reinstall. If you have, scan with the tools given here.

 

by: hermesalpha, Posted on 2009-05-25 at 04:15:25, ID: 24465855

Thanks a lot for giving me all these tools to get rid of Virut/Sality, I will definitely give it a try.

I have already wiped my internal 250 GB HDD and reinstalled. But most probably, Virut/Sality is still on my 3 external HDDs. And I have a lot of important content on them, so I can't just wipe them, must try to find Virut/Sality on them first. When cleaned, I can move everything to one external HDD and wipe, move back and wipe the other external HDD etc.

I have connected all my external HDDs (first, I turned off autoplay), and first ran a scan with Kaspersky Internet Security 2009 but it freezes all the time. Maybe it's because of Virut/Sality, what do you think? So I think I should use the heavy weapons first, the ones you suggest, to first find Virut/Sality, and use Kaspersky Internet Security 2009 to find other types of viruses.

Or should I change AV to something that doesn't freeze all the time? I am considering changing my Kaspersky to AVG, Avast, ZoneAlarm Extreme Security, BitDefender, or NOD32. It's an XP SP3 I'm running.

 

by: hermesalpha, Posted on 2009-05-25 at 05:58:14, ID: 24466353

Whenever I find Virut/Sality, what names will I see? Will it in any case have the name Virut or Sality and something more?

 

by: hermesalpha, Posted on 2009-05-25 at 06:01:34, ID: 24466368

I consider now to use my newly purchased MediaWiper. I think I can wipe parts of an external HDD.

 

by: hermesalpha, Posted on 2009-05-25 at 06:07:19, ID: 24466404

Malwarebytes found and deleted these:

Trojan Agent (two pieces)
Rogue installer

Is Trojan Agent another name for Virut/Sality?

 

by: hermesalpha, Posted on 2009-05-25 at 08:32:17, ID: 24467107

How do I run the Kaspersky sality removal tool with command line -m? What does it mean?

 

by: NaturaTek, Posted on 2009-05-25 at 08:39:20, ID: 24467130

Not necessarily, it could be trojan agent for another malware.
If you use the Sality tool you'll see it as Sality detected.

Kaspersky is good but just like any good antivirus, things can get thru. You have to keep your antivirus updated at least one time per day.

My top antivirus software is: Eset Nod32, Symantec Endpoint Protection, McAfee Enterprise. These are my top and my opinion.
And even with those mentioned, if a new variant comes out they might go undetected. Symantec Endpoint has a feature called zero day proactive, which helps big time against unknown variants that are not in definition files yet.

If you reinstalled, that's great. Scan your other 3 drives of data. Download a trial of Eset and scan the drives as well.

One thing I've noticed in my long experience, each antivirus product always finds something the other doesn't.

With Eset or Symantec Endpoint along with weekly scans of Malwarebytes/SuperAntiSpyware you'll always be a step ahead. You can also leave Malwarebytes and SuperAntiSpyware scanning in realtime (just have to pay for that feature... SuperAntiSpyware is 20$ lifetime).

 

by: hermesalpha, Posted on 2009-05-25 at 09:27:25, ID: 24467333

NaturaTek,

I just tried to run the AVG .exe file in safe mode. I logged on as Administrator, and the three AVG files were in the same folder. But got this message:

... Is not a valid Win32 application

What am I doing wrong?

The .exe icon is a square with a blue strip on top, grey borders around. It is named rmsality.exe

 

by: NaturaTek, Posted on 2009-05-25 at 09:40:12, ID: 24467391

You need to run in dos mode, maybe you have a dos boot disk or try running from recovery console.
Create a dos ntfs boot cd http://www.bootdisk.com/ntfs.htm

Create a bootable antivirus kaspersky CD, your best bet.
Can't boot your pc into safe mode, or trouble downloading & installing antivirus/antispyware applications?
Create a bootable antivirus Kaspersky, step by step instruction here:
http://www.techmixer.com/kaspersky-rescue-disk-load-kaspersky-antivirus-2009-using-dos/

 

by: hermesalpha, Posted on 2009-05-25 at 23:05:45, ID: 24470520

The Stinger tool found 89 infections in safe mode, and it repaired them. I saved the log file, but can't see exactly what viruses it found. Must I scroll through the whole list of scanned files in the saved log file? It's really not possible, 750 GB of data!

 

by: Admin3k, Posted on 2009-05-25 at 23:24:00, ID: 24470606

Why not do a search for the word infected in the log?
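Added example, not part of the original thread and not code from any participant: one way to do the search suggested above when the log lists every scanned file. It streams the log, keeps only detection lines, and tallies detection names and the Virut/Sality families. The keyword list, the name pattern and the sample log format are assumptions; the sample lines are constructed, not real Stinger output.

```python
import re
from collections import Counter

# Assumption: the log has one line per scanned file, and only lines about a
# detection contain one of these words. Adjust to the wording your scanner uses.
HIT_WORDS = re.compile(
    r"\b(infected|found|detected|repaired|deleted|quarantined)\b", re.I)

# Assumption: detection names look like W32/Virut.gen, Win32.Sality.aa or
# HTML/Iframe.N (a platform prefix, then "/" or ".", then the family name).
DETECTION_NAME = re.compile(r"\b(?:W32|Win32|HTML|Trojan)[/.][\w.\-!]+", re.I)

FAMILIES = ("virut", "sality")


def triage(lines):
    """Stream over log lines; keep only detection lines and tally them."""
    hits = []              # (line number, text) for every detection line
    names = Counter()      # detection name -> count
    families = Counter()   # "virut" / "sality" -> count
    for lineno, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        word = HIT_WORDS.search(line)
        if not word:
            continue       # ordinary "file scanned" line: skip it
        hits.append((lineno, line))
        # Look for the name after the keyword first, so that a folder or file
        # name that merely resembles a detection name is not counted.
        m = (DETECTION_NAME.search(line, word.end())
             or DETECTION_NAME.search(line))
        if m:
            name = m.group(0).rstrip(".!")
            names[name] += 1
            for fam in FAMILIES:
                if fam in name.lower():
                    families[fam] += 1
    return {"hits": hits, "names": names, "families": families}


def triage_file(path):
    """Same as triage(), reading the log from disk without loading it whole."""
    # errors="replace": file names in scanner logs often mix encodings.
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return triage(fh)


# Constructed sample lines, not real scanner output.
SAMPLE_LOG = r"""E:\docs\thesis.doc
E:\tools\setup.exe ... Found the W32/Virut.gen virus !!!
E:\tools\setup.exe ... has been repaired.
E:\music\track01.mp3
F:\old\WINDOWS\system32\calc.exe ... Found the W32/Sality.ae virus !!!
F:\backup\page.htm ... Found the HTML/Iframe.N trojan !!!
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for lineno, text in result["hits"]:
        print(f"{lineno}: {text}")
    print(dict(result["names"]))
    print(dict(result["families"]))
```

A line is counted as a hit on the keyword alone, so a path that happens to contain one of the words will show up too; for triage that errs on the side of showing too much.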

 

by: hermesalpha, Posted on 2009-05-25 at 23:38:28, ID: 24470669

I can scroll down the log for hours without finding anything, because EVERY file that was scanned on these 750 GBs is listed!

 

by: hermesalpha, Posted on 2009-05-26 at 00:05:41, ID: 24470795

Now that I have completed the Stinger scan, I have logged on in normal mode and been on the internet for some time, and also had the external drives connected. Is it any risk with that? Should I have first run the AVG Sality removal tool in DOS? And immediately after that use Stinger in safe mode, and then Kaspersky rescue disk? Must I scan one more time with Stinger now?

 

by: hermesalpha, Posted on 2009-05-26 at 00:07:07, ID: 24470801

Kaspersky rescue disk seems straightforward, no problems. But how do I create a dos ntfs boot cd? There are many links on www.bootdisk.com/ntfs.htm, which one should I download?

 

by: NaturaTek, Posted on 2009-05-26 at 04:39:31, ID: 24472086

Just download Kaspersky Disk from here
http://dnl-eu10.kaspersky-labs.com/devbuilds/RescueDisk/

Burn it, and boot from it, that will take care of your sality in DOS mode as well.

You have progress so far, congrats!

 

by: hermesalpha, Posted on 2009-05-26 at 05:58:01, ID: 24472661

I only have DVD-R and CD-R at home, is it -WR or +WR I need to burn the ISO-image?

Ok, so I don't need to use AVG, just use the Kaspersky rescue disk instead, is that right?
And no need to use Kaspersky Sality Solution either? (http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889) Or DrWebCureIt or SuperAntiSpyware? or www.istanto.net/8-step-to-remove-w32salityae.html?

One thing I wonder is if this whole operation is a one-time thing for 2 years or so? It's definitely worth it, because I'll soon begin to use the laptop for working with Chinese translations, so I really need a computer system that runs uninterrupted for 2 years or so. So if I can get the whole system 100 % clean now and make a Ghost, that would be gold worth! After I used all the tools, to be certain I will wipe my entire HDD one more time, and also the external HDDs.

So far I've used Malwarebytes (which removed some), and Stinger for Virut (which removed 89 infections). The next step is to use the Kaspersky rescue disk in DOS mode to remove Sality. After that, will I be completely done? Or to be as certain as possible to really find every Virut and Sality residue, should I use even more tools?

How certain can I feel afterwards that I really found everything? One Virut or Sality left undetected would be a catastrophe in the long run!

 

by: NaturaTek, Posted on 2009-05-26 at 06:32:23, ID: 24473042

Download the ISO and burn it. You just need a blank CD-R.

Burn the ISO with Nero, Roxio or whatever CD burning program you have.
If you don't have one, you can download a trial.
Or you can download a trial of PowerISO:
http://www.poweriso.com/download.htm
Open the ISO and burn it within the program.

Or
http://www2.ashampoo.com/webcache/html/1/product_2_1810___USD.htm

Or a free ISO burning app:
http://www.ntfs.com/iso-burning.htm

Certainty? Hmm, there is no such thing as 100% certainty in the malware world. The best steps I have found are to use a combo of things: a good base antivirus/antispyware program along with weekly/biweekly scans of SuperAntiSpyware/Malwarebytes.

That, along with common sense: be careful what you click on. Adult sites are notorious for spyware infections (fake codec downloads, fake programs to access supposed sites, etc), fake antivirus warnings when you browse telling you that you are infected, drive scanner warnings enticing the user to download their software which is crapware, downloading music in uncontrolled environments. People do malicious things. Here's an example. Client in wonderland goes into LimeWire and starts searching for 'michael jackson - thriller'. Somewhere in the world a person is being malicious, perhaps he just thinks Michael Jackson is a dweeb or is simply looking to get ranks in the virus community... so he takes a virus/spyware program, renames it to Michael Jackson Thriller.exe, and shares it. The file could be something new, a variant the guy/kid worked on, just malicious to crash your computer, or leave a backdoor installed, take advantage of some vulnerability, or some other malicious purpose. Client in wonderland sees results in his LimeWire search with michael jackson thriller, starts clicking away. Download is done and he double clicks. Complains to himself, darn music ain't playing. When he restarts, all hell breaks loose. And so on.

Believe it or not, most users searching for music don't know music is not supposed to end in .exe, .com, .pif, .bat or other executable format. Dead giveaways of something malicious are the file extensions and the size. There's no way a 5 minute song is going to be 382k.

You reformatted, which is good. Make an image of your main drive with Acronis True Image or such, so if anything happens in future, you can apply the image in 10 minutes and under.
Virut is gone from system files since you reinstalled. If you have any executables on your other drives, Virut may be attached, which the Kaspersky boot CD can get rid of for you.
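Added example, not part of the original thread and not code from any participant: the extension and size giveaways described above, turned into a read-only check over a folder that should contain only media. It goes one step beyond the post by also looking at the first two bytes of each audio file. The audio extension list, the 500 KiB threshold, the extra .scr/.cmd extensions and all sample files (harmless filler bytes) are assumptions made for the example.

```python
import os

# Extensions named in the post (.exe, .com, .pif, .bat); .scr and .cmd are
# added here as further common executable formats (assumption).
EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".bat", ".scr", ".cmd"}
AUDIO_EXTS = {".mp3", ".wma", ".ogg", ".m4a"}

# Assumption: anything under 500 KiB is too small to be a full-length song.
MIN_AUDIO_BYTES = 500 * 1024


def check_file(path):
    """Return the reasons this file looks wrong for a media folder.

    The file is only read (two bytes), never executed.
    """
    reasons = []
    stem, ext = os.path.splitext(os.path.basename(path))
    ext = ext.lower()
    try:
        size = os.path.getsize(path)
        with open(path, "rb") as fh:
            magic = fh.read(2)
    except OSError as exc:
        # Damaged or locked files are reported, not silently skipped.
        return [f"unreadable ({exc.strerror or 'error'})"]

    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        # "song.mp3.exe": a media extension placed in front of the real one.
        if os.path.splitext(stem)[1].lower() in AUDIO_EXTS:
            reasons.append("double extension")
    if ext in AUDIO_EXTS:
        if magic == b"MZ":
            # Windows executables start with "MZ"; these audio formats do not.
            reasons.append("executable header behind an audio extension")
        elif size < MIN_AUDIO_BYTES:
            reasons.append(f"only {size // 1024} KiB, too small for a song")
    return reasons


def scan_tree(root):
    """Walk root and return {relative path: reasons} for every flagged file."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = check_file(full)
            if reasons:
                flagged[os.path.relpath(full, root)] = reasons
    return flagged


def build_sample(root):
    """Create constructed sample files (harmless filler bytes) under root."""
    samples = {
        "Michael Jackson Thriller.exe": b"MZ" + b"\0" * 100,
        "thriller.mp3.exe": b"MZ" + b"\0" * 100,
        "short.mp3": b"\xff\xfb" + b"\0" * (382 * 1024 - 2),  # exactly 382 KiB
        "album.mp3": b"\xff\xfb" + b"\0" * (600 * 1024),      # plausible size
        "renamed.mp3": b"MZ" + b"\0" * (600 * 1024),
        "notes.txt": b"track list\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for path, reasons in sorted(scan_tree(d).items()):
            print(path, "->", "; ".join(reasons))
```

A flagged file is a candidate for a scan with the antivirus, not a verdict; legitimate short clips will trip the size check.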



 

by: hermesalpha, Posted on 2009-05-26 at 07:53:45, ID: 24473892

I tried Active ISO-Burner, and I tried CDBurnerXP several times, with both CD-R and DVD-R. In Active ISO-Burner, I got Burning error all the time. In CDBurnerXP I have to use a writable CD or DVD.

I have installed all additional software and drivers from HP, so that shouldn't be any problem.
And I moved the burning software to trusted applications in Kaspersky.

What do I do wrong?

 

by: NaturaTek, Posted on 2009-05-26 at 08:14:05, ID: 24474101

Try burning at a lower speed. Download Nero trial and burn at lower speed. You only need a CD-R, not a DVD-R.
If you get an error while writing, discard that CD or set it aside for now, pop in a new CD.
Never used CDBurnerXP, but looked at it on its website. Choose the options 'disc at once' and 'finalize cd', while using lower speed. CD-R will work fine.

 

by: hermesalpha, Posted on 2009-05-26 at 08:20:01, ID: 24474161

Ok, PowerISO was the one! So I inserted the rescue disk, and had the Kaspersky window displayed in DOS-mode. But then, I was told that the database needed an update, something I couldn't do in DOS.

How should I do, how can I update the rescue disk?

 

by: NaturaTek, Posted on 2009-05-26 at 08:24:04, ID: 24474207

For now, don't update, just start scanning. You need to leave the CD in the drive, and restart the computer from the CD and scan from there. Not leave the CD in the drive and run from Windows.
The current definitions on the CD handle Virut/Sality for now.

Once that's done, whatever you are using in Windows, Kaspersky/McAfee/etc., update it and let it do a full scan, then you'll be set.

 

by: Admin3k, Posted on 2009-05-26 at 09:20:52, ID: 24474751

Do you have a Windows full antivirus solution?

Because if you wiped your system clean, then I do not believe this machine is currently infected with Sality; you will probably need to scan the external drives from within Windows.

If you do not have an installed resident antivirus solution you can try one of those, both are free and are very efficient.

Avast

Avira

You can run the sality_off tool in Windows to confirm this.

 

by: NaturaTek, Posted on 2009-05-26 at 09:32:09, ID: 24474862

To be on the extreme safe side, scan with the boot CD. The Kaspersky boot CD will get rid of any Virut/Sality remains and other lurking items.

Any antivirus is better than no antivirus, yes AVG/Avira free, but in my opinion are poor. If you can get 50$ together, pay for Kaspersky, Symantec Endpoint Protection, or Eset Nod32. Eset now has Eset Smart Security suite which is great, runs nice and smooth. There's BitDefender with good reviews, but personally I have not tried it.

 

by: hermesalpha, Posted on 2009-05-27 at 04:45:32, ID: 24481884

Should it take 12 hours to scan 12 %?

 

by: NaturaTek, Posted on 2009-05-27 at 08:43:15, ID: 24484369

It all depends on how much data you have. You said you had 3 drives of data? If you're doing a full scan it can take long, but you should see it moving along. Make sure the scan is not frozen in any way.

 

by: hermesalpha, Posted on 2009-05-29 at 00:05:55, ID: 24500694

The scan goes on at steady rate all the time, never freezes, seems very stable. But 1 percent takes 1-2 hours! So it will take about 6 days to complete, day and night. No risk to have the laptop working nonstop 6 days? (It's a Celeron so the processor doesn't get heated so easily though)

And it found virus Type.com, which I deleted.

What happens if I quarantine? At some stage, something must be done also with the quarantined viruses, so why quarantine in the first instance?

 

by: hermesalpha, Posted on 2009-05-29 at 00:07:02, ID: 24500699

It was Type_com not Type.com

 

by: NaturaTek, Posted on 2009-05-29 at 00:28:21, ID: 24500767

Quarantined is like locked away from the system into a quarantine folder. Some antivirus automatically delete quarantine after some time and for some you have to delete it.
Why quarantine? If antivirus or so detects something important as a virus, when it might be a false positive, you can go in and restore the file from quarantine.

There have been more than a few times I personally had to restore a file from quarantine which I knew was good. I recommend letting antivirus do its job and reboot, then go in and delete the quarantine items.

Yeah, scans take a bit depending on hardware. 6 days you say? I would've thought a night/day might be tops. Then again you said you have lots of data.

 

by: hermesalpha, Posted on 2009-05-30 at 00:34:43, ID: 24508135

How do I know where the quarantined files are saved so I won't lose track of them?

It's really crisis now, because the scan goes slower and slower (only the percent indicator, the display of scanned files is always normal always at same steady pace). The last percent took something like 24 hours! It seems like maybe it depends on what types of files that are being scanned that determines the pace, could that be so? But I have a final exam in the end of next week, and with this pace it will take one or two more weeks to complete scan. It's 750 GB! So far, I'm at 38 %.

Is there any alternative to Kaspersky Rescue Disk? For instance Eset Smart Security Suite, scan in DOS mode?

 

by: hermesalpha, Posted on 2009-05-30 at 00:36:16, ID: 24508139

Or if I try to use Kaspersky's Sality solution again?:

http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889

 

by: NaturaTek, Posted on 2009-05-30 at 01:45:27, ID: 24508300

Eset boot scan is great. The Kaspersky tool is good, but that's all it will scan for. The Kaspersky boot CD scans for a multitude of infections. If I want I can stop scan after 1 drive and scan from Windows with updated antivirus, Malwarebytes and SuperAntiSpyware.

 

by: NaturaTek, Posted on 2009-05-30 at 09:51:35, ID: 24509579

Read the first 2 sentences in the link you posted, with the yellow i in circle.

 

by: hermesalpha, Posted on 2009-05-30 at 15:33:30, ID: 24510586

 

by: hermesalpha, Posted on 2009-05-30 at 15:59:09, ID: 24510654

 

by: NaturaTek, Posted on 2009-05-30 at 15:59:45, ID: 24510657

Are you having difficulties with the scan? Finish the Kaspersky scan, or you can stop it, boot into Windows and scan the other drives with your Windows antivirus. Download a trial of Eset Nod32 at eset.com if you don't have an antivirus. The trial is fully functional and if you download the Eset Smart Security suite, you can make a boot CD from its menu if you ever need it.

In the meantime, let's finish scanning the other drives in DOS or Windows.

 

by: NaturaTek, Posted on 2009-05-30 at 16:00:32, ID: 24510659

Stick with Eset for future use..spend the few bucks and buy the smart security suite.

 

by: hermesalpha, Posted on 2009-05-30 at 19:26:37, ID: 24511189

So far, Norman Malware cleaner has found these:

W32/Malware.AVTN (2 pieces)
W32/Zbot.BXU
HTML/Iframe.N (5 pieces)
W32/Tencent.D
W32/Packed_Nspack.A
W32/Packed_FSG.D
Suspicious_M.gen

I think Tencent is related to Tencent Software (Chinese company) that makes the IM Software QQ.
But Norman Malware Cleaner, does it only remove Virut and not Sality? Sality seems the hardest one.
Stinger removed 89 infections.

Do you think this link could be worth trying?:

http://www.uninstall-spyware.com/uninstallW32SalityAB.html

 

by: hermesalpha, Posted on 2009-05-30 at 19:28:42, ID: 24511194

Norman Malware Cleaner has finished now, found 14 infections which it deleted.

 

by: NaturaTek, Posted on 2009-05-30 at 19:44:49, ID: 24511214

No, stick with the routine. You did a reinstall, you are only scanning the other 3 drives to see if anything is infected, right?
Are those infections above detected on your newly reinstalled drive? Or on the other drives?

Your normal antivirus will remove Sality/Virut from other drives. It is only when your operating system is infected that they make these small tools for safe mode scans.
You did Norman, good.
You did SuperAntiSpyware, good.
You did Malwarebytes, good.

Do a full scan from Windows using your antivirus. Download a trial of Eset and scan the drives if you have no antivirus.

 

by: hermesalpha, Posted on 2009-05-30 at 20:36:19, ID: 24511322

Those 14 infections were all on my other (external) drives. Were any of them a Virut or Sality virus? How will I know when I have found a Virut or Sality? Is it always in the name: Virut or Sality?

One of my external drives is a former internal drive that got damaged, so on that one is an old Windows-installation (with infections on it), I put it in a case and now use it as an external drive.

I'll download a trial of Eset Smart Security 4.0 and replace Kaspersky. Then run a full scan on all internal and external drives. Do you think I should use highest security level on this scan?

I'll try SuperAntiSpyware also, haven't done that yet, only Malwarebytes, Stinger and Norman.

Do you think the chances are pretty good then to find every Virut/Sality on my external drives, and delete them?

 

by: NaturaTek, Posted on 2009-05-30 at 20:48:18, ID: 24511352

Scan with SuperAntiSpyware and also scan with your antivirus in Windows, scan the drives. And yes, it will find Virut/Sality on the external drives, Eset / Kaspersky will take them out.
Right click on your drives and choose scan with Eset.

 

by: hermesalpha, Posted on 2009-05-30 at 23:45:04, ID: 24511633

What scanner options should I select for SuperAntiSpyware?

[X] Ignore files larger than 4MB
[X] Ignore non-executable files
[ ] Ignore System Restore/Volume Information on ME/XP
[X] Scan only known file types (.exe., .com., .dll., etc)
[ ] Close browsers before scanning
[X] Scan for tracking cookies
[X] Resolve Links/Shortcuts during scan (.lnk)
[ ] Terminate memory threats before quarantining
[X] Scan Alternate Data Streams
[X] Use Kernel Direct File Access
[X] Use Kernel Direct Registry Access
[X] Use Direct Disk Access
[X] Display scan option in explorer context (right-click) menu

(Those above that I have marked with 'X' were pre-selected by SuperAntiSpyware)

 

by: NaturaTek, Posted on 2009-05-31 at 00:04:54, ID: 24511671

Leave everything at default and do a complete scan

 

by: hermesalpha, Posted on 2009-05-31 at 01:00:00, ID: 24511763

I got a blue screen during the SuperAntiSpyware scan: "A problem has been detected and windows has been shut down. Beginning dump of physical memory. Dumping physical memory to disk."

The screen was blue for a long time, not until I pressed Esc did it reboot.

What's the reason? Was it something in the scanning process? Can I have Kaspersky Anti-Virus turned on at the same time as SuperAntiSpyware is scanning?

 

by: hermesalpha, Posted on 2009-05-31 at 09:50:57, ID: 24513123

SuperAntiSpyWare began to remove all 179 infections, but then I got a dialogue box: 'Runtime error' and I'm not sure everything was deleted

 

by: hermesalpha, Posted on 2009-06-01 at 04:45:02, ID: 24516544

I ran Kaspersky full scan and got it almost all the way through, but now it seems it finally has stopped at 93 %, has been stuck there for several hours. What should I do?

 

by: NaturaTek, Posted on 2009-06-01 at 08:17:25, ID: 24518329

In Windows? Has it detected anything so far? Just end the task if unresponsive. Scan one drive at a time to see which one it freezes on, maybe do a chkdsk /r on that specific drive to make sure drive integrity is good.

 

by: hermesalpha, Posted on 2009-06-01 at 09:02:22, ID: 24518939

It detected two trojans which were deleted. I couldn't find any alternative in Kaspersky to scan only one drive, can just find 'Scan all drives'. Are you sure there's an alternative to scan only one external drive in Kaspersky?

If I use chkdsk /r, how do I know which letter to use for the specific external drive? I know that it is the last drive, and I know which external drive it is, but I don't know which letter it has.

 

by: NaturaTek, Posted on 2009-06-01 at 09:10:01, ID: 24519020

Are you scanning from Windows? Haven't used Kaspersky in a while, but with most antiviruses you can simply right click on the drive letter, and you should be able to see an option like 'scan drive with kaspersky'.

 

by: hermesalpha, Posted on 2009-06-03 at 01:08:02, ID: 24534156

I just deleted 9 infections, but after this the computer is almost not possible to use. Can't use Windows Media Player ("internal application error"). Can't access Hotmail on internet, and other sites like download site for kmplayer. Some sites work. When I try to download to desktop, I get the message that download complete, but it doesn't show up on desktop (even though I chose to download to Desktop). I'm always logged on as Administrator. And I can't open Windows Media Player.

 

by: hermesalpha, Posted on 2009-06-03 at 18:57:28, ID: 24542984

I reinstalled from Ghost so now it's working again.

 

by: NaturaTek, Posted on 2009-06-03 at 18:59:51, ID: 24542992

You had a rough ride, you sailed thru. Best wishes.

 

by: hermesalpha, Posted on 2009-06-04 at 16:07:05, ID: 24552213

The scan report in Kaspersky contains a lot of light-blue colored i:s, and together with these i:s:

Detected: http://viruslist.com/en/advisories/32991

...contains vulnerability

'Detected' and 'viruslist', does that mean it's a virus and needs to be deleted? Or can I just ignore these light-blue colored i:s? There are about 20 of them.

 

by: NaturaTek, Posted on 2009-06-04 at 17:59:28, ID: 24552779

Don't delete. They are all related to Java, just simply update your Java. Go to www.java.com and download/install the latest version, it's free. Java vulnerabilities existed in older versions and come up from time to time; Java usually pops up when there's an update available.
