
Immunet Can't Remove This Malware!

Good morning/evening everyone,

I'm a new user. My real name is Bayan.

This is my biggest problem:

I installed Immunet Protect Plus (trial) and had it perform a full scan.

It found more than 120 copies of:

win32.sality.sperto.1013

I removed most of them to quarantine, but some files couldn't be removed because they belong to the file system.

When I moved them to quarantine, I had several error messages from Windows, saying:

"Some files have been replaced by unrecognized type. please enter your Windows xp sp3 disk & retry again"

When I removed all infected files from quarantine and rescanned, it detected many files infected with sality.spero.1013 again.

I can NOT enter Safe Mode.

What should I do?

bayan

 

Bayan,

 

Turn off the SPERO engine in your product and restore all of the items from Quarantine. The engine looks like it is detecting some files which are not viruses (or possibly are stricken with a file infector). It actually should not be able to do that, but clearly something is not operating properly. Also, you can call: 1-877-678-2096 and we will walk you through the process.

 

Best,

al

Dear Alfred,

What makes me believe that these are not "false positives" is actually two things:

1. I did have the Sality virus earlier, before installing Immunet.

It was detected by IKARUS (there's a file that's common between Ikarus and Spero, which is "Acrordr32.exe", which both detected as infected with Sality).

I also use Immunet on another PC, and I have the same Sality problem, possibly from my dad's USB.

2. If it's a false positive, it wouldn't detect "more than 140 files" as infected with Sality.

So, I think the infected files are stricken with a file infector, as you suggested.

More info on "file infectors" would be much appreciated.

Thanks a lot for your time,

Please excuse my simplified English.

Yours sincerely,

Bayan

 

 

Ahh OK. Well in that case it's likely a file infector.

 

Cheers, al

Would you please tell me more about "file infectors"?!

I don't know anything about them!

And would you please tell me how to get rid of this Sality without compromising my system files or deleting them?

Yours sincerely,

Bayan

Hi Bayan,

1st of all, accept my cordial condolences. Wholeheartedly. Vik

 

Now seriously.

 

File infector - Virus that infects other files on a system or network. A role of a file infector is to directly strike and modify an application, usually seeking out .EXE or .COM extensions. When the application is started, the infection is executed and does whatever it has been commanded to do. It is typically installed into system memory. There it waits for something to trigger it and corrupt other items. This infection is most commonly distributed via compromised networks, over the web or from a corrupted floppy disk. One of the most malicious forms of the file infector goes by the alias Win32. Its purpose is to transfer hits to the HttpSendRequest into a corrupted .DLL format. This type of file infector is often installed by other malware. This infection will corrupt other items and usually result in the crash of a web browser. This file infector employs a technique to make sure its corrupted .DLL format will replace the target extension found within the system. When the computer is restarted (DISABLE SYSTEM BACKUP/RESTORE BEFORE YOU START THE REMOVAL PROCESS!!!!), it unknowingly boots the infected content. Windows ME and XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file; THEREFORE, VirusScan will be unable to delete these files.

File infector viruses often misinfect, either leaving the file completely non-functional or simply failing to run the viral code at all. More sophisticated forms of file infector virus, which try to hide their presence by changing aspects of their code with each infection, are known as polymorphic or metamorphic viruses.

Polymorphic virus - Virus that re-encrypts itself with each infection. A polymorphic virus is one that encrypts its code differently with each infection, or generation of infections. The aim of this behaviour is to make it difficult for anti-malware software to detect all files infected with the virus, requiring much more sophisticated detection techniques than simple file-infecting viruses, which insert their code unchanged into each infected file. The same term is often also used to cover metamorphic viruses.

Metamorphic virus - Virus that changes its own code with each infection. A metamorphic virus is one that is capable of rewriting its own code with each infection, or generation of infections, while maintaining the same functionality. The rewriting process allows each infection to appear different from others, but the changes are not supposed to affect the functionality of the code. This is intended to avoid detection by anti-malware software, but can usually be overcome via emulation or other techniques, and in many cases is deployed in a flawed manner, leading to large numbers of misinfections. The complex technology required to do the rewriting is known as a metamorphic engine, and the same such engine may be implemented in several different virus variants. The term is often used interchangeably with polymorphic virus.

 

I would call the Immunet Specialist to assist you in the removal process.

 

Vik

 

Hello, Vik,

1st of all,

accept my compliments for your sense of humour,

you really are cute and funny :)

2nd, thank you very very much for your kind explanation!

I really don't know how to pay you back! :rolleyes:

Let me tell you something about this Sality virus.

When I used Emsisoft, it detected Sality in acrordr32.exe (and many other EXEs), and I deleted it after removing it to quarantine.

Now, when I scanned using Immunet, it detected the same file (which I'd deleted completely earlier), so how did that happen?? :mellow:

Did Emsisoft delete it or not? :huh:

Could there be any rootkits?

I scanned with Immunet and found nothing!

Cheers,

Bayan

See if this is relevant; it probably is: http://techblog.avira.com/2009/02/02/removal-of-the-sality-virus/en/ I tried that particular infection and, even with live CDs (Avira and Dr. Web), some programs still had to be reinstalled. I guess those with some sort of self-check; I think Malwarebytes was one of them. Destructive crap it is.

 

Emsisoft probably never did remove all of it. One thing I remember from my little test was how incredibly fast it spreads. A few minutes of activity and there can be 100s of exe files, now with "attachment". Removal might be impossible at some point.

 

Bitdefender, the engine Immunet uses, probably has the most compatible and full-featured live CD, so you can try that as well: http://download.bitdefender.com/rescue_cd/ It is based on a Linux distro that is more proven to work than most others; some seem experimental and home-made.
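As an added example (not code from this thread, Immunet or Bitdefender), here is a small Python check for the pattern the post above describes, EXE files that suddenly carry an "attachment", and for the file-infector behaviour Vik's post explains: it parses the PE section table and reports how many bytes sit past the last section's raw data. The sample buffers are constructed inline; installers and Authenticode-signed binaries also legitimately carry such overlays, so a hit is a candidate to compare against a known-good copy or a live-CD scan, not an infection verdict.

```python
import struct

def pe_overlay_size(data: bytes) -> int:
    """Bytes past the end of the last section's raw data, or -1 if not a PE.

    Heuristic only: installers and Authenticode-signed binaries legitimately
    carry overlays, so a positive value marks a candidate, not an infection.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return -1
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return -1
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sect_table = pe_off + 24 + opt_size
    end_of_image = sect_table + 40 * num_sections  # at least the headers
    for i in range(num_sections):
        hdr = sect_table + 40 * i
        if hdr + 40 > len(data):
            return -1  # truncated section table
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end_of_image = max(end_of_image, raw_ptr + raw_size)
    return max(0, len(data) - end_of_image)

def flag_candidates(samples: dict) -> list:
    """Names of samples whose image is followed by appended data."""
    return [name for name, buf in samples.items() if pe_overlay_size(buf) > 0]

def build_sample_pe(code: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE-shaped buffer for testing; it is not runnable.
    SizeOfOptionalHeader is 0 to keep the sample short; real images carry a
    224/240-byte optional header, which the parser skips via opt_size."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = 0x40 + 24 + 40  # headers end right where .text starts
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(code), 0x1000, len(code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + coff + section + code + overlay

if __name__ == "__main__":
    constructed = {
        "clean.exe": build_sample_pe(b"\x90" * 16),
        "suspect.exe": build_sample_pe(b"\x90" * 16, b"CONSTRUCTED-APPENDED-DATA"),
    }
    for name, buf in constructed.items():
        print(name, "overlay bytes:", pe_overlay_size(buf))
    print("candidates:", flag_candidates(constructed))
```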
