#1
Moderator
Join Date: Jul 2008
Location: India
Posts: 9,484
I am sharing my experience here, which I recently had when dealing with an infected PC of my friend. I shared some of the background here: Virus infection from my friend's computer

In short again, the PC did not have any resident antivirus protection (stupid indeed). The PC got infected by a pen drive, and the infection was severe. I tried to install Avast antivirus, but the PC just rebooted whenever I tried to run the setup. Add to that, the virus deleted the setup file. I tried to boot into Safe Mode. No luck there either. Just before booting into Safe Mode, the PC would reboot. I was able to run Malwarebytes Anti-Malware, and it caught some infections and removed them too, but still the PC remained infected. I came to know that the infection was from Conficker and Virut. I then looked up on the internet and came to know that the Microsoft Malicious Software Removal Tool can remove Conficker. So, I downloaded that and ran it. It found many infections and removed them too. It reported two viruses... Conficker and Sality. One thing I did not like about the MS removal tool is that it did not show any details as to which files were infected and which were removed. That's a negative for me.

Now, Conficker was removed, but Sality remained, and it's a nasty one. It targets and infects the exe files. It is the one which prevents the PC from booting into Safe Mode too. Every time I ran the MS removal tool, it would find Sality, but could not remove it fully. I tried MBAM again, but it was unsuccessful and did not find any infection. I was not able to run SAS. I then tried the portable Emsisoft Anti-Malware. It caught hold of files which were infected with Sality and quarantined them. Important files were infected too, and so they could not be deleted. But Emsisoft Anti-Malware was able to contain the infection and returned the PC to a usable state. So, that's impressive. Still, it was not enough, because the programs stopped working, as the files were in quarantine. I was not able to uninstall the programs, neither was I able to run them.

As I had decided I would be formatting the PC ultimately, I decided to experiment more with this. I searched on Google for removal of Sality, and on some sites I read that Norman Malware Cleaner was able to deal with Sality. Avast is able to deal with it too, but it would not install, as told earlier. I also came across this very helpful webpage: http://www.istanto.net/8-step-to-rem...2salityae.html

In the above webpage, there are steps to remove Sality, plus there are small files which turn off autorun and network shares... methods by which Sality spreads. It also provides small files to turn Safe Mode on, and also for repairing the registry. I downloaded these files. I then restored all the files from the quarantine of Emsisoft Anti-Malware. This restored the infection, and it got more severe this time. Now, it removed every file which it saw as a threat. For example, I tried to run MBAM again. It ran, but after running, the MBAM exe was just deleted. I tried to run Norman Malware Cleaner too, but it too failed to run. I had changed the name to Norman.cmd. Still, I would run the file, and nothing would happen. Moreover, Sality infected important system file exes too, as I got a message that system files had been changed, and I should insert the Windows CD to repair them.

I then wrote Norman Cleaner to a CD. Then, I ran the small file, which repaired Safe Mode. After that, I was successfully able to boot the PC in Safe Mode. In Safe Mode, I ran the Norman Cleaner from the CD, and it ran without any problem. Norman Malware Cleaner was able to repair the exe files, and I was pretty impressed by this. Some files it could not repair, and it deleted those, but those files were not important. From the results of Norman Cleaner, I came to know that several important exe files were infected, even those of Emsisoft Anti-Malware, MBAM etc., and therefore these did not work as desired the second time. After the cleaning, the PC was restored to normal.

I was able to install Avast antivirus, and it too did not find any infection. So, Sality had been successfully removed by Norman. Impressive indeed. A software which is able to repair the files which got infected by a virus is an impressive one. Many security programs can detect infection and quarantine the files, but that does not solve the problem fully, as programs stop working. Still, even containing an infection so that the PC is returned to a usable state is good. I have found that there are several tools out there. Some of them we do not read about much, but still they are helpful in certain situations. For example, I have often used tools like SDFix, RogueFix, VCleaner, ComboFix etc. to remove infections... and they have worked nicely. I had seen Norman Malware Cleaner on download sites often, and wondered about it. Well, I saw it in action. It's available here: http://www.norman.com/support/support_tools/58732/

Anyway, it was a good experience, as I gained some knowledge. The infection was removed totally I think, but I still formatted the PC, to be sure that any infection, in case it remained, was removed. My friend is not computer savvy at all, so I had to make sure of that. I hope this experience helps someone sometime.
__________________
Anupam
Last edited by Anupam; 17 Oct 2010 at 10:33 AM. Reason: Some additions
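The post above describes three things the removal steps touched on the infected machine: Safe Mode no longer booted, autorun on removable drives was the original infection vector, and network shares were a spread path. The script below is an added example, not code from the post or from any of the tools it names (the istanto.net files are not reproduced here). It is a read-only health check for those three settings, with one optional write: the `-DisableAutorun` switch sets the standard `NoDriveTypeAutoRun` policy to 0xFF. The registry paths are the standard Windows ones; the script does not recreate a missing SafeBoot tree, since that subtree lists every driver and service allowed to load in Safe Mode and has to be imported from a clean PC of the same Windows version. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post or any tool it mentions).
# Read-only check of Safe Mode boot keys, autorun policy and admin shares,
# with an optional autorun hardening write. Assumes standard registry paths.
param(
    [switch]$DisableAutorun   # when set, writes NoDriveTypeAutoRun = 0xFF (all drive types)
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns the value or $null if the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = @()

# 1. Safe Mode. The Minimal and Network subkeys under SafeBoot list which
#    drivers and services may load. If either is missing, Safe Mode cannot boot.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
foreach ($mode in 'Minimal', 'Network') {
    $key = Join-Path $safeBoot $mode
    $present = Test-Path $key
    $count = 0
    if ($present) {
        $count = (Get-ChildItem -Path $key -ErrorAction SilentlyContinue | Measure-Object).Count
    }
    if ($present -and $count -gt 0) {
        $status = 'OK'
        $detail = "$count entries"
    } else {
        $status = 'MISSING'
        $detail = 'key absent or empty; import SafeBoot from a clean PC of the same Windows version'
    }
    $results += [pscustomobject]@{ Check = "SafeBoot\$mode"; Status = $status; Detail = $detail }
}

# 2. Autorun. NoDriveTypeAutoRun = 0xFF disables autorun on every drive type,
#    which closes the pen-drive path the post describes.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = Get-RegValue -Path $explorerPolicy -Name 'NoDriveTypeAutoRun'
if ($DisableAutorun) {
    if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
    Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    $autorun = 0xFF
}
if ($autorun -eq 0xFF) {
    $status = 'OK'
    $detail = '0xFF (autorun disabled for all drive types)'
} elseif ($null -eq $autorun) {
    $status = 'WEAK'
    $detail = 'value not set (Windows default applies)'
} else {
    $status = 'WEAK'
    $detail = ('0x{0:X2} (some drive types still autorun)' -f $autorun)
}
$results += [pscustomobject]@{ Check = 'NoDriveTypeAutoRun'; Status = $status; Detail = $detail }

# 3. Administrative shares (C$, ADMIN$). AutoShareWks = 0 stops a workstation
#    from recreating them at boot, removing one network-share path for spread.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$autoShare = Get-RegValue -Path $lanman -Name 'AutoShareWks'
if ($autoShare -eq 0) {
    $status = 'OK'
    $detail = '0 (admin shares not recreated at boot)'
} else {
    $status = 'ENABLED'
    if ($null -eq $autoShare) { $detail = 'value not set (admin shares created by default)' }
    else { $detail = "$autoShare" }
}
$results += [pscustomobject]@{ Check = 'AutoShareWks'; Status = $status; Detail = $detail }

$results | Format-Table -AutoSize
```

Run it once before cleaning to see which of the three the malware has touched, and again after cleaning (and after a reboot) to confirm the repair held; a SafeBoot key that comes back as MISSING again after a reboot means something active is still deleting it.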
#2
Site Manager
Join Date: Aug 2008
Location: South American Banana Republic, third bunch from the left
Posts: 9,250
Great post Anupam. I'm sure this will help a lot of folks in a similar position who would rather try removal first than launch straight into a reformat.
__________________
Knows nothing and cares even less
#3
Moderator
Join Date: Jul 2008
Location: India
Posts: 9,484
Thanks MC. Yes, that is the purpose of posting this too. Formatting should be the last option in case of an infection. Because, one, it can be a long process. Another, there might be files which are important and get infected, and there is no backup. So, those files will have to be saved.

I once came across a situation where every exe on the system was infected with some virus. I thought that a format would have to be done, as other methods had failed. But on the PC was a software which was not available for installation, and it was important for the person I knew. I don't remember the name of the virus, but I looked it up on Google and came across VCleaner from Grisoft (AVG fellas). It's a small program, but it cleaned and repaired the infection. The PC was back to normal. So, tools are available which can repair infected files and remove infection totally. Still, prevention is always better than cure.
__________________
Anupam
#5
Co-Author, Best Free Security List
Join Date: Dec 2008
Posts: 1,475
Interesting experience. Using a boot CD first is the best way to disinfect a heavily infected system. Without booting into Windows, the malware cannot be active.
Avira has one as well: http://www.avira.com/en/support-down...-rescue-system
#6
Moderator
Join Date: Jul 2008
Location: India
Posts: 9,484
Yes, a rescue CD is a good option in such a situation. But I did not have any at that time. I have also seen that antivirus programs are not very good at repairing infected files. They mostly offer either to quarantine or delete the file, which is not helpful for important files. Therefore, I wanted to look for a specific cleaning tool first. Luckily, I came across Norman Cleaner, which did the job.

I downloaded the Kaspersky Rescue CD afterwards. Scanned the PC with it, and it did not find any infection. The rescue CD will come in handy later.
__________________
Anupam
#7
Senior Member
Join Date: Mar 2010
Location: Mumbai
Posts: 488
For Virut and Sality I have used these standalone Kaspersky products:
http://www.softpedia.com/get/Antivir...utKiller.shtml
http://www.softpedia.com/get/Antivir...tyKiller.shtml
They have been successful, and the Kaspersky Rescue Disk has been most effective for me.
__________________
My blog - http://attitudevivek.wordpress.com/
#8
Moderator
Join Date: Apr 2008
Location: near Ashford Kent England
Posts: 304
Yes, great post Anupam. I, too, have helped family and friends with similar problems, mostly learning as I went along like yourself. Apart from the help of your advice here, I think it highlights once again the need for disk imaging. Well done.