sophos
Level 7

McAFEE CAN't DETECT SALITY!!

Good morning, everyone!
My real name is Bayan. This is my 1st post!
I've 2 computers infected with 'Sality'!!
The problem is No Antivirus could detect it except 2: [Ikarus- Immunet protect free]
I installed MCAFEE, full scan, nothing found!!!
I'd earlier managed to upload a file detected by Ikarus to virus total & threat expert:
http://www.virustotal.com/file-scan/report.html?id=7c9fc40df401c7fb9523babb31550a7256eaed46c5b74f730...
http://virusscan.jotti.org/en/scanresult/b51afefb2dfe0540e9212ae34b17b88a167a72e2
http://www.threatexpert.com/report.aspx?md5=b64b498138739d9c18b69a77b360391b
-----------------------------------------------------
I'm definitely sure it's Not FALSE POSITIVE!

How do I know? Good question!

1- In the Threat Expert report, the same window (titled 'nsis' error) appears to me every time I want to uninstall ANY software.
2- What makes me believe that it's not a false positive is actually 2 things:
A) A long time ago I'd scanned using kasper; it found 'sality.aa' & removed it, but after that I couldn't browse any web page. I was able, however, to connect to the internet, but couldn't browse any webpage!!
B) Both Ikarus & Immunet found over 100 files infected with Sality, a lot of files common between the 2, so I don't think it's a false positive.
C) I once scanned with Spyware Doctor, & it found worm.sality files in the registry, & all of these files contained the word 'legacy'! What does that mean?
It's not only 1 file, Ikarus & Immunet both detected more than 100 files!
The problem is: whenever I upload a detected file to VirusTotal, it comes out clean, even clean by Ikarus on VirusTotal!!!
------------------------------------------------------

I hope someone can explain how to remove it without formatting WINDOWS!!
------------------------------------------------------

0 Kudos
6 Replies
exbrit
Level 21

Re: McAFEE CAN't DETECT SALITY!!

W32.sality is detectable by McAfee so this must be a new variant. Try the Safe Mode methods as described here: Required reading re: Malware Removal.

Also if possible, submit a sample to McAfee Labs: Submit a Sample.

If all that fails try the FREE version of THIS tool.  It can be installed and run in 'Safe Mode with Networking' if necessary (reached by tapping F8 repeatedly while booting up).  Make sure you update it before running.

I moved this provisionally to Malware Discussion > Home User Assistance by the way.

Message was edited by: Ex_Brit on 24/12/10 9:21:44 EST AM
0 Kudos
sophos
Level 7

Re: McAFEE CAN't DETECT SALITY!!

DEAR SIR,

I'VE TRIED EVERYTHING RELATED TO SALITY, BUT NONE SEEMS TO WORK!!

ONLY 'IKARUS & IMMUNET' CAN DETECT IT!!

THE FOLLOWING ANTIVIRUS SOFTWARE FAILED TO:

[MCAFEE- TRENDMICRO- ESCAN- BITDEFENDER- AVAST- AVIRA- NORTON- AVG SALITY REMOVER- SALITY KILLER BY KASPER- MALWAREBYTES- PANDA- VBA32- NOD32-]

ONLY IMMUNET & IKARUS CAN DETECT IT

THE PROBLEM IS: I CAN'T ACCESS 'SAFE MODE'!!

EVERY TIME I UPLOAD A FILE DETECTED BY IMMUNET TO VIRUSTOTAL & THREATEXPERT, IT COMES OUT CLEAN!!

HOWEVER, WHEN I SCANNED BY 'SPYWARE DOCTOR', IT FOUND NO SALITY IN EXECUTABLES, BUT FOUND MANY WORM.SALITY FILES IN THE REGISTRY & THEY ALL END WITH THE WORD 'LEGACY'...ANY IDEAS?

0 Kudos
exbrit
Level 21

Re: McAFEE CAN't DETECT SALITY!!

Try not using all capitals as it makes it difficult to read. I suggest you download Hijackthis and post its log on one of the following specialist forums for expert advice.

DOWNLOAD HIJACKTHIS

Do not post Hijackthis logs here, we can't help with those!

Post the logs at a specialist Forum:

AUMHA

BLEEPINGCOMPUTER

MAJOR GEEKS

MALWAREBYTES

MALWARE REMOVAL

SPYWAREHAMMER

SPYWARE INFO

WHATTHETECH

Be sure to read all the sticky announcements/instructions at the top of each malware forum!

0 Kudos
sophos
Level 7

Re: McAFEE CAN't DETECT SALITY!!

Thank you, sir!!

I really appreciate it!

I'd like to tell you something:

I've already posted @ malwarebytes & avast forums..

malwarebytes said: NO ANTIVIRUS CAN REMOVE SALITY!!

avast: stuck !!

I give up!

I've tried everything.... anything you can think of!

Hijack doesn't help cuz this malware uses very sophisticated techniques to hide itself from antiviruses...

Thank you, anyway!

0 Kudos
paullotion
Level 11

Re: McAFEE CAN't DETECT SALITY!!

Hello,

I see you also posted at the Avast forum:

https://forum.avast.com/index.php?PHPSESSID=7ab142cdd4775a52d76c7e6cc8b6220b&topic=68190.0

Are you running two antivirus by any chance? If so...then running two antivirus on the same machine can give f/p's.

As for the Legacy keys...those are drivers or services that are no longer installed on the machine, subsequently they are placed in the Legacy key.

I suggest you follow SafeSurf's advice and post your OTL logs as requested.

on 01/01/11 23:25:37 GMT
0 Kudos
sophos
Level 7

Re: McAFEE CAN't DETECT SALITY!!

Thank you, sir

Just wanna tell you sth: I'm formatting!

I give up!

Indeed no antivirus can beat 'Sality'!

0 Kudos