MajorGeeks Support Forums


Malware Removal Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.


#1  09-23-06, 23:52  GloKrae (Private E-2; Join Date: Sep 2006; Posts: 24)
Sality, Qoolaid. Reformat?

I am cleaning a Win XP system by working through your steps. I have progressed from unable to boot to working through all of your steps.
System was not totally clean. Windows tool kept trying to remove Qoolaid, requiring many reboots. Additionally, popups continue -- although fewer than before.

Then I installed ZoneAlarm and AVG. AVG scanned and kept indicating files infected with Sality. When I tried to quarantine files, AVG warned that these were system files and that the system may not work properly if they were quarantined.

Additionally, each program I install -- ZoneAlarm, AVG, CCleaner, Spybot, etc. -- disappears. The desktop icons become generic icons; when clicked, the flashlight searches and does not find the program. If I look in the installation folder, the program file is gone. All MS Office programs are gone, too.

I have the log files and will post if you want. It is a major nuisance to do anything on that machine as it is painfully slow and popups popups popups. Then there is the problem of disappearing programs.

I am wondering if I should just reformat and reinstall. Will reformatting and reinstallation of Win XP destroy sality and Qoolaid?
#2  09-24-06, 00:09  GloKrae (Private E-2; Join Date: Sep 2006; Posts: 24)
Re: Sality, Qoolaid. Reformat?

If I transport logs via USB to another machine to post here, do I risk infecting the other machine?

Does running the infected machine on my home network threaten my other computers?

I did not commit system files to quarantine; I chose ignore.
#3  09-24-06, 20:08  chaslang (MajorGeeks Admin - Master Malware Expert; Join Date: Feb 2004; Location: Northern New Jersey USA; Posts: 79,736)
Re: Sality, Qoolaid. Reformat?

Quote:
Originally Posted by GloKrae
If I transport logs via USB to another machine to post here, do I risk infecting the other machine?
Transporting the log files themselves should not cause a problem, but it really depends on what kind of infections are on the original machine. Some infections can spread to any connected media. Is your second PC well protected, and is all protection software up to date?

Quote:
Originally Posted by GloKrae
Does running the infected machine on my home network threaten my other puters?
Similar to the above! It depends on the infection and whether your networked PCs are protected and also are any drives being shared.

Quote:
Originally Posted by GloKrae
I did not commit system files to quarantine; I chose ignore.
What system files are you referring to? If files are infected and you ignore them, then you are still infected.

You need to attach all the logs from the READ ME.


Yes if you fdisk, format, and reinstall the infection will be gone. But you must make sure when you reinstall that you are not reinstalling from any media that has infections on them.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


#4  09-25-06, 05:57  GloKrae (Private E-2; Join Date: Sep 2006; Posts: 24)
Re: Sality, Qoolaid. Reformat?

Quote:
Originally Posted by chaslang
What system files are you referring to? If files are infected and you ignore them, then you are still infected.
AVG found Sality in several .exe files in the windows\system32\ folder.
When I clicked quarantine, AVG warned that each was a system file and that if I deleted it the OS might become unusable.

Quote:
Originally Posted by chaslang
Is your second PC well protected and is all protection software up to date?
All of my other machines are up to date as far as virus and spyware protection. All are firewalled.

Quote:
Originally Posted by chaslang
it really depends on what kind of infections are on the original machine.
The infections that I cannot cure are called Sality and Qoolaid.
Sality is particularly nasty. It is eating programs: ZoneAlarm, AVG, all MS Office programs, CCleaner, etc. The .exe files simply disappear. The pretty shortcut icon becomes a generic icon. Searching for the .exe yields nothing. Going to Program Files\ZoneAlarm, the .exe is gone.

I will try to post the logs. They will appear in a message with very little writing, as I don't want to keep that machine running longer than needed.
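The two posts above describe the footprint of a file infector: executables under windows\system32 flagged as infected, and security tools' .exe files modified or gone outright. A practical way to see that without relying on a scanner's verdict is to take a manifest of every executable on a known-clean system (for example right after the reinstall chaslang recommends) and diff it later. The script below is an added example, not from the thread or from any tool the thread mentions; the directory layout, file names and contents in demo() are constructed for illustration and do not come from the poster's logs.

```python
"""
Added example (not from the thread): a baseline-and-verify check for the
file-infector behaviour the poster describes, in which .exe files under
system32 and Program Files are modified or vanish. It records size and
SHA-256 of every executable under a directory tree, then reports what is
missing, new, modified or grown. All paths and file contents in demo() are
constructed for the example and do not come from the poster's logs.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# File types a Windows file infector typically targets (assumption for the example).
EXE_SUFFIXES = {".exe", ".scr", ".dll"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large system binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each executable's path (relative to root) to its size and SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXE_SUFFIXES:
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def save_manifest(manifest: dict, path: Path) -> None:
    """Write the baseline as JSON; keep this copy on media the suspect PC cannot write."""
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify every executable as missing, new, modified, or grown (the subset of
    modified files that got larger, the footprint of an appending infector)."""
    missing = sorted(set(baseline) - set(current))
    new = sorted(set(current) - set(baseline))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k]["sha256"] != current[k]["sha256"])
    grown = [k for k in modified if current[k]["size"] > baseline[k]["size"]]
    return {"missing": missing, "new": new, "modified": modified, "grown": grown}


def demo() -> dict:
    """Build a tiny constructed tree, baseline it, simulate the symptoms from the
    thread (one exe appended to, one deleted, one dropped), and return the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "system32").mkdir()
        (root / "system32" / "calc.exe").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "zonealarm.exe").write_bytes(b"MZ" + b"\x01" * 50)
        (root / "readme.txt").write_text("not an executable, ignored")

        baseline_path = root / "baseline.json"
        save_manifest(build_manifest(root), baseline_path)

        # Simulated infection, constructed for the example: code appended to a
        # system binary, a security tool's exe removed, an unknown exe dropped.
        with (root / "system32" / "calc.exe").open("ab") as f:
            f.write(b"\xCC" * 64)
        (root / "zonealarm.exe").unlink()
        (root / "system32" / "dropped.exe").write_bytes(b"MZ" + b"\x02" * 10)

        return compare(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Two caveats when using this for real. The baseline only means something if it was taken from a clean state and stored where the suspect machine cannot rewrite it, and the check itself should run from a clean boot environment: a machine that is already owned can alter both the script and its output. A changed hash is also not proof of infection (patches change hashes too) and an unchanged size is not proof of health, since not every infector grows the file; the "grown" list is a hint about where to look first, not a verdict.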
#5  09-25-06, 09:27  GloKrae (Private E-2; Join Date: Sep 2006; Posts: 24)
Re: Sality, Qoolaid. Reformat?

logs attached
Attached Files
File Type: log hijackthis.log (7.7 KB, 4 views)
File Type: txt newfiles.txt (23.5 KB, 0 views)
#6  09-25-06, 09:29  GloKrae (Private E-2; Join Date: Sep 2006; Posts: 24)
Re: Sality, Qoolaid. Reformat?

more logs
#7  09-25-06, 09:31  GloKrae (Private E-2; Join Date: Sep 2006; Posts: 24)
Re: Sality, Qoolaid. Reformat?

have tried several times. hope they appear.
#8  09-25-06, 10:13  GloKrae (Private E-2; Join Date: Sep 2006; Posts: 24)
Re: Sality, Qoolaid. Reformat?

uploading files
#9  09-25-06, 22:42  chaslang (MajorGeeks Admin - Master Malware Expert; Join Date: Feb 2004; Location: Northern New Jersey USA; Posts: 79,736)
Re: Sality, Qoolaid. Reformat?

I really wanted to see all the logs before getting started, but let's get started anyway.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Attach this log to your next reply.

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall!
#10  09-28-06, 12:02  GloKrae (Private E-2; Join Date: Sep 2006; Posts: 24)
Re: Sality, Qoolaid. Reformat?

I reformatted and reinstalled Windows.
#11  09-30-06, 08:16  GloKrae (Private E-2; Join Date: Sep 2006; Posts: 24)
Re: Sality, Qoolaid. Reformat?

Well, I reformatted and reinstalled Windows.
Then I installed Computer Associates Virus protection.
Installed drivers from computer manufacturer's website.
Went through the whole How to protect yourself from malware thread.

Only downloaded from manufacturer, CA, and links from MajorGeeks.

Scanned with Spybot S&D and came up with:

AvenueA
DoubleClick
MediaPlex

Spybot was able to remove these issues, but I wonder why they would appear already.

Also am wondering about the new Internet Explorer. Is it more secure than IE6?
I like Firefox, but this computer belongs to a music-crazed 13-year-old. She will not have the patience to switch to IE or restart the computer when Firefox crashes.

She will probably return to the AOL browser. But I would like to give her reliable tools she can use.

Firewalls -- is ZoneAlarm the least intrusive, most effective of the freeware offers?
#12  09-30-06, 17:44  chaslang (MajorGeeks Admin - Master Malware Expert; Join Date: Feb 2004; Location: Northern New Jersey USA; Posts: 79,736)
Re: Sality, Qoolaid. Reformat?

If you ran the How to protect thread, did you pay attention to step 11?

Why do you expect FireFox to be crashing and why would you expect it to crash anymore than IE?

Yes IE7 is more secure than IE6.

Some people like the AOL browser. Personally I would not use anything from AOL.

ZoneAlarm is the best of the free versions and it does configure/setup more for you by default; however, all software firewalls do require some human interaction. There is no way around it. Everyone needs to be involved in their own security. If they do not take an active role, then they will more than likely be the root cause of getting infected again.