riddled with win32/Sality virus

willietherock

My AVG anti virus has shown that this virus is all over the place in my computer. Many Windows files ect. How do I get rid of this virus?

Anti

Download AVG from www.grisoft.com and get ewdio while your there too. Then follow the instructions on screen to remove it

irlrobins

Run AVG and delete all infected files it finds.

Then do this:

1. Click Start > Run.
2. Type the following:

notepad c:\windows\system.ini

and then click OK.

(Notepad opens)

Note: If Windows is installed in a different location, make the appropriate path substitution.
3. In the TFTempCache section of the file, look for lines similar to the following and delete them:

id=[RANDOM_NUMBER]
RtlMoveMeory=[RANDOM_NUMBER]
PING=[NUMBER]
TIME=[TIME]
4. Click File > Save.
5. Click File > Exit.

accensi0n

irlrobins wrote:

Run AVG and delete all infected files it finds.

Then do this:

1. Click Start > Run.
2. Type the following:

notepad c:\windows\system.ini

and then click OK.

(Notepad opens)

Note: If Windows is installed in a different location, make the appropriate path substitution.
3. In the TFTempCache section of the file, look for lines similar to the following and delete them:

id=[RANDOM_NUMBER]
RtlMoveMeory=[RANDOM_NUMBER]
PING=[NUMBER]
TIME=[TIME]
4. Click File > Save.
5. Click File > Exit.

please explain.

Anti

no need for explinations, just follow what he says

irlrobins

accensi0n wrote:

please explain.

The virus adds those entries (it's configuration data) to the System.ini file. AVG is not able to remove these automatically so you have to do it manually.

For more info you can read this article.

anti wrote:

no need for explinations, just follow what he says

Not helpful and rude. The poster might be concerned about the effect of the action I stated and interested to know what it does. If we just did what they were told, everyone on boards would be infected with Bubbles' virii. There is no harm in questioning.

Anti

*sigh*

It was meant sarcasticially. I forgot to put the after it

willietherock

They are about 200 program and windows .exe files that are infected. Just to be 100%, these infected files can be sent to the AVG vault?

This is the notepad you mentioned IRL,

; for 16-bit app support

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
[driver32]
[386enh]
woafont=app850.FON
EGA80WOA.FON=EGA80850.FON
EGA40WOA.FON=EGA40850.FON
CGA80WOA.FON=CGA80850.FON
CGA40WOA.FON=CGA40850.FON
[MCIDRV_VER]
DEVICE=267421mqvddl14625
__h=16
__dr=27
[IDslow]
IDVer32=14369765

What lines, if any, should be deleted?

Thanks,
wtr

Anti

if you read here, it is all explqained

http://www.symantec.com/security_response/writeup.jsp?docid=2006-011714-3948-99&tabid=3

willietherock

anti wrote:

if you read here, it is all explqained

http://www.symantec.com/security_response/writeup.jsp?docid=2006-011714-3948-99&tabid=3

I've no doubt it's explained, it's just I've little idea of what it all means unfortunately.

lonnbeimnech

anti wrote:

no need for explinations, just follow what he says

lol

I will look over the article and see if it makes any sense to me OP.

lonnbeimnech

willietherock wrote:

I've no doubt it's explained, it's just I've little idea of what it all means unfortunately.

What bit are you having trouble with?

Anti

WHat it means is, parts of your system.ini have been modified by this virus. And you have to remove parts that it modified yourself. Avg will take care of the virus/ You do the rest

irlrobins

Willie, you can leave your system.ini as it is. It doesn't appear to be changed by the virus (it's not always the case that it is).

It seems that any file infected is to be deleted. And it is probably best to run the AVG scan while in safe mode.

(To run in safe mode, restart PC, and press F8 as it boots up. A menu will appear and just choose safe mode from the choices.)

willietherock

Deleted all the infected .exe files using AVG with bad results. Can't now use any applications that were deleted. For ex, on my desk top can't use Ad-aware,ewido,paddypowerpoker and microsoft works shortcut. In the folders in program files for example, the logo of ewido ( a golden e) has been replaced with looks like a small blanck screen which won't open and same with desktop logos. :eek:
What can I do? Don't have a system resore saved as far as I know.

Anti

REinstall is about all you can do now. Or if they are only shortcuts, just delete them. All you have to do is find the original file and create a new shortcut for them.

TempestSabre

If I were you, I'd back up all my data then install a clean copy of windows. Secure that install, then scan your backup files. Once thats clean I'd make a fresh backup of the clean data and trash the old one.

Thats the best & quickest IMO.

irlrobins

Yea I think TS advice is best. You obviously were badly infected with the virus. Sometimes it's just not possible to get rid of the virus and leave teh system in an operating state.

And even if you had system restore on, you couldn't be sure you weren't restoring the virus as well.

lonnbeimnech

This virus sounds especially nasty. How was it it was able to get by AVG undetected? By default updates and scans are scheduled daily unless you changed this? I know my AVG edition has a resident shield for windows explorer which is supposed to alert me the minute I actively come across a virus regardless of whether a scan is being executed or not but I don't think this comes as standard with the Free Edition.

TempestSabre

Easy enough to download something past all your virus protection.

willietherock

lonnbeimnech wrote:

This virus sounds especially nasty. How was it it was able to get by AVG undetected? By default updates and scans are scheduled daily unless you changed this? I know my AVG edition has a resident shield for windows explorer which is supposed to alert me the minute I actively come across a virus regardless of whether a scan is being executed or not but I don't think this comes as standard with the Free Edition.

About 3 wks ago I got an "electronic certificate" problem with AVG. It would scan normally but I couldn't access the vault or update. I only got around to uninstalling/reinstalling an ew AVG Fri. Ran it and bang. Around the same time my ewido wouldn't open. Didn't twig at the time I'm afraid. :rolleyes:

willietherock

Right, reinstalling the OS and reading instructions from the operating manual and ran in to this: I can't delete the c drive partition becoz" it contains temporary setup files that are required to complete installation".

Have reinstalled b4 and never had any problems. If I can't delete I left putting 2 OS on the same partition. Any advice appreciated.

TempestSabre

Are installing from an original CD, or from a hard drive parition.

willietherock

TempestSabre wrote:

Are installing from an original CD, or from a hard drive parition.

Original product recovery cd-rom

lonnbeimnech

TempestSabre wrote:

Easy enough to download something past all your virus protection.

Yes but if your virus definitions are up to date and you have an entry for a virus which you have just downloaded in theory your resident shield should alert immediately to the offending file should it not?

It's happened to me a few times anyway.

willietherock

Right, reinstalling the OS and reading instructions from the operating manual and ran in to this: I can't delete the c drive partition becoz" it contains temporary setup files that are required to complete installation".

Have reinstalled b4 and never had any problems. If I can't delete I left putting 2 OS on the same partition. Any advice appreciated

Anyone any ideas about how to delete the partition?