Sality, Qoolaid. Reformat?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by GloKrae, Sep 24, 2006.

  1. GloKrae

    GloKrae Private E-2

    I am cleaning a Win XP system by working through your steps. I have progressed from unable to boot to working through all of your steps.
    System was not totally clean. Windows tool kept trying to remove Qoolaid, requiring many reboots. Additionally, popups continue -- although fewer than before.

    Then I installed ZoneAlarm and AVG. AVG scanned and kept indicating files infected with Sality. When I tried to quarantine files, AVG warned that these were system files and that the system might not work properly if they were quarantined.

    Additionally, each program I install -- ZoneAlarm, AVG, CCleaner, Spybot, etc. -- disappears. The desktop icons become generic icons; when clicked, the flashlight searches and does not find the program. If I look in the installation folder, the program file is gone. All MS Office programs are gone, too.

    I have the log files and will post if you want. It is a major nuisance to do anything on that machine as it is painfully slow and popups popups popups. Then there is the problem of disappearing programs.

    I am wondering if I should just reformat and reinstall. Will reformatting and reinstallation of Win XP destroy sality and Qoolaid?
     
  2. GloKrae

    GloKrae Private E-2

    If I transport logs via USB to another machine to post here, do I risk infecting the other machine?

    Does running the infected machine on my home network threaten my other puters?

    I did not commit system files to quarantine; I chose ignore.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Transporting the log files themselves should not cause a problem, but it really depends on what kind of infections are on the original machine. Some infections can spread to any connected media. Is your second PC well protected, and is all protection software up to date?

    Similar to the above! It depends on the infection and whether your networked PCs are protected and also are any drives being shared.

    What system files are you referring to? If files are infected and you ignore them, then you are still infected.

    You need to attach all the logs from the READ ME.


    Yes if you fdisk, format, and reinstall the infection will be gone. But you must make sure when you reinstall that you are not reinstalling from any media that has infections on them.
     
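    The reply above makes a practical point: the logs themselves are plain text, but a file infector can spread to any media you plug into the sick machine. The script below is an added example, not part of this thread or anything posted in it. It models the check a practitioner would run on the USB stick before plugging it into a clean PC: walk the drive, flag any autorun.inf and any file that carries a PE ("MZ") header regardless of its extension, and confirm the files you intend to copy are plain text. The fake drive contents (a clean scan log, an autorun.inf, and a double-extension file with an MZ stub) are constructed for the example and are not real malware.

```python
"""Audit a removable drive before carrying files off an infected PC.

Added example; constructed sample data, not code or logs from the thread.
"""
import os
import tempfile

PE_MAGIC = b"MZ"  # DOS/PE executable header, present whatever the extension


def is_pe_file(path):
    """True if the file starts with the MZ header used by Windows executables."""
    with open(path, "rb") as f:
        return f.read(2) == PE_MAGIC


def is_plain_text(path, sample_size=4096):
    """True if the first bytes decode as UTF-8 and contain no NUL bytes."""
    with open(path, "rb") as f:
        chunk = f.read(sample_size)
    if b"\x00" in chunk:
        return False
    try:
        chunk.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def audit_removable_media(root):
    """Walk a drive root; return sorted (kind, relative_path) for anything suspicious."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower() == "autorun.inf":
                findings.append(("autorun", rel))
            elif is_pe_file(full):
                findings.append(("executable", rel))
    return sorted(findings)


def safe_logs(root, log_names):
    """Return the subset of log_names that exist under root and are plain text."""
    result = []
    for name in log_names:
        path = os.path.join(root, name)
        if os.path.isfile(path) and is_plain_text(path):
            result.append(name)
    return result


def build_sample_drive():
    """Create a constructed fake USB root: a clean text log, an autorun.inf,
    and a double-extension file that starts with an MZ header (a harmless stub)."""
    root = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(root, "scan.log"), "w", encoding="utf-8") as f:
        f.write("Scan log (constructed sample)\nRunning processes:\n")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as f:
        f.write("[autorun]\nopen=notes.txt.exe\n")
    with open(os.path.join(root, "notes.txt.exe"), "wb") as f:
        f.write(PE_MAGIC + b"\x90\x00" + b"\x00" * 61)  # MZ header plus padding only
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for kind, rel in audit_removable_media(drive):
        print(f"{kind:11} {rel}")
    print("logs safe to copy:", safe_logs(drive, ["scan.log", "notes.txt.exe"]))
```

    Run it against the real stick by passing the drive root to audit_removable_media() instead of build_sample_drive(). The header check matters more than the extension: a file infector appends itself to existing executables, so an infected copy keeps its old name, and a dropped payload can hide behind a .txt.exe name that Explorer shows as notes.txt when extensions are hidden. Copying only files that pass safe_logs() keeps the transfer to text.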
  4. GloKrae

    GloKrae Private E-2

    What system files are you referring to? If files are infected and you ignore them, then you are still infected.

    AVG found Sality in several exe files in the windows\system32\ folder.
    When I clicked quarantine, AVG warned that each was a system file and if I deleted the OS might become unusable.


    Is your second PC well protected, and is all protection software up to date?

    All of my other machines are up-to-date as far as virus and spyware protection. All are firewalled.


    it really depends on what kind of infections are on the original machine.

    The infections that I cannot cure are called Sality and Qoolaid.
    Sality is particularly nasty. It is eating programs: ZoneAlarm, AVG, all MS Office programs, CCleaner, etc. The exe files simply disappear. The pretty shortcut icon becomes a generic icon. Searching for the exe yields nothing. Going to Program Files\ZoneAlarm, the exe is gone.

    I will try to post the logs. They will appear in a message with very little writing as I don't want to keep that machine running longer than needed.
     
  5. GloKrae

    GloKrae Private E-2

    logs attached
     

  6. GloKrae

    GloKrae Private E-2

    more logs
     
  7. GloKrae

    GloKrae Private E-2

    have tried several times. hope they appear.
     
  8. GloKrae

    GloKrae Private E-2

    uploading files
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I really wanted to see all the logs before getting started, but let's get started anyway.

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall!
     
  10. GloKrae

    GloKrae Private E-2

    I reformatted and reinstalled Windows.
     
  11. GloKrae

    GloKrae Private E-2

    Well, I reformatted and reinstalled Windows.
    Then I installed Computer Associates Virus protection.
    Installed drivers from computer manufacturer's website.
    Went through the whole How to protect yourself from malware thread.

    Only downloaded from manufacturer, CA, and links from MajorGeeks.

    Scanned with Spybot S&D and came up with:

    AvenueA
    DoubleClick
    MediaPlex

    Spybot was able to remove these issues, but I wonder why they would appear already.

    Also am wondering about the new Internet Explorer. Is it more secure than IE6?
    I like Firefox, but this computer belongs to a music-crazed 13-year-old. She will not have the patience to switch to IE or restart the computer when Firefox crashes.

    She will probably return to the AOL browser. But I would like to give her reliable tools she can use.

    Firewalls -- is ZoneAlarm the least intrusive, most effective of the freeware offerings?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you ran the How to protect thread, did you pay attention to step 11?

    Why do you expect FireFox to be crashing and why would you expect it to crash anymore than IE?

    Yes IE7 is more secure than IE6.

    Some people like the AOL browser. Personally I would not use anything from AOL.

    ZoneAlarm is the best of the free versions and it does configure/set up more for you by default; however, all software firewalls do require some human interaction. There is no way around it. Everyone needs to be involved in their own security. If they do not take an active role, then they will more than likely be the root cause of getting infected again.
     