"Variant of win32/Sality" couldn't be cleaned!

Discussion in 'ESET NOD32 Antivirus' started by moataz, Nov 9, 2008.

Thread Status:
Not open for further replies.
  1. moataz

    moataz Registered Member

    Joined:
    Nov 5, 2008
    Posts:
    9
    Hi.
    ~Link removed. - Ron~ file is infected with a variant of win32/Sality. NOD32 can detect it and delete it.

    But it can't clean it, while Symantec and Kaspersky have been able to for a long time.

    I have emailed samples@eset.com, submitted it many times, and sent a form about this problem, but nothing positive!

    Any help here?
     
    Last edited by a moderator: Nov 9, 2008
  2. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hello, file is detected.

    Code:
    9. 11. 2008 13:11:18	HTTP filter	file	http:// ~Link removed.~	Win32/Sality.NAU virus	connection terminated - quarantined
     
    Last edited by a moderator: Nov 9, 2008
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The file is not only detected, but it can be cleaned as well:
    C:\test_sality\Alfa Fixit.exe - Win32/Sality.NAU virus - cleaned - quarantined
     
  4. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    The website provides different variants, you're right. Once I got Win32/Sality.NAU, once a variant of Win32/Sality. When the file is detected before its activation, a cleaning algorithm isn't necessary, don't worry.
     
  5. moataz

    moataz Registered Member

    Joined:
    Nov 5, 2008
    Posts:
    9
    The problem is that I need those .exe files - valuable files to me.
    I have already lost many .exe files with this virus before by NOD32.

    And I still see this virus from time to time.

    And I don't want to move away from NOD32.
     
  6. moataz

    moataz Registered Member

    Joined:
    Nov 5, 2008
    Posts:
    9
    ....?
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The file you uploaded and sent to samples[at]eset.com can be cleaned perfectly, as I have stated above:

    C:\test_sality\Alfa Fixit.exe - Win32/Sality.NAU virus - cleaned - quarantined

    After my NOD32 has cleaned it, it was no longer reported as infected.
     
  8. moataz

    moataz Registered Member

    Joined:
    Nov 5, 2008
    Posts:
    9
    The file I uploaded can't be cleaned, of course.

    This file is the parent (variant of win32/Sality); it produces a child (Win32/Sality.NAU).

    The child itself can be cleaned, but the parent couldn't be cleaned.

    The parent infects other .exe files (I mean it produces other parents, not only children).

    The problem is that NOD32 kills the parent. I only want NOD32 to cure the parent as it cures the child.

    This is a pic.

    I have Smart Security Definition: 12 Nov 2008
     
  9. moataz

    moataz Registered Member

    Joined:
    Nov 5, 2008
    Posts:
    9
    I suppose to get help here :rolleyes:
     
  10. Hefaistos22

    Hefaistos22 Registered Member

    Joined:
    Mar 14, 2008
    Posts:
    73
    Location:
    Slovakia
    Maybe you should turn to Eset technical support. Probably, they will ask you for a log from Eset SpyInspector. Until they answer you, you could try scanning your PC with Malwarebytes Anti-malware ;)
     
  11. cupez80

    cupez80 Registered Member

    Joined:
    Jun 28, 2005
    Posts:
    605
    Location:
    Surabaya Indonesia
    Maybe because it is detected as "variant of...." (which is a result from AH), so ESET doesn't provide a cleaning algorithm.
    ESET needs to create exact detection for that specific file to create a cleaning algorithm.
     
  12. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    When something is detected as "a variant of", "probably a variant of" or "NewHeur_PE" etc., but "Win32/%something%" too, everything depends on the cleaning algorithm. When the virus database doesn't include it, the file can't be cleaned, only deleted or quarantined.
     
  13. moataz

    moataz Registered Member

    Joined:
    Nov 5, 2008
    Posts:
    9
    I put my flash disk on the infected PC, then got ~Link removed. Ron~ two files on it.

    Is that what you mean?
     
    Last edited by a moderator: Nov 18, 2008
  14. ASpace

    ASpace Guest

    No. When EAV detects Win32/Sality.NAU virus, this means 100% detection (100% sure that the file is precisely that virus). When detected either as "probably a variant of" or "a variant of", this is a heuristic detection:
    http://en.wikipedia.org/wiki/Heuristic_algorithm

    Detected proactively without signatures, most of the time EAV will not be able to clean the virus. "Clean" because a virus infects other files and needs cleaning, not just deletion, most of the time.

    Contact ESET and start a support case

    Download and start ESET SysInspector
    http://www.eset.com/download/sysinspector.php

    When the utility has collected the information, click File > Save Log.
    Confirm your wish. A log file, placed in a zip archive, will be created.

    Send that archived file to ESET Technical Support, email support@eset.com.
    Then they'll guide you to a way to eliminate the threat and possibly recover the problems :thumb:
     
  15. moataz

    moataz Registered Member

    Joined:
    Nov 5, 2008
    Posts:
    9
    Thank you, I'll do.
     
  16. ASpace

    ASpace Guest

    You are welcome!
     
  17. moataz

    moataz Registered Member

    Joined:
    Nov 5, 2008
    Posts:
    9
    Well, I have done as you told me, but nothing yet.

    I think I was wrong opening this thread from the beginning while I have other solutions that have perfectly cleaned this type of virus for a long time (I mean Norton Antivirus and Kaspersky Antivirus).
     
  18. ASpace

    ASpace Guest

    I am sorry to hear that! Wish you luck! :thumb:
     
  19. moataz

    moataz Registered Member

    Joined:
    Nov 5, 2008
    Posts:
    9
    Finally I found a perfect fix -that cleans- this variant of Sality. It's by Kaspersky.
    Here is the "ht tp://rapidshare.com/files/191628505/Sality_off.exe.html"
     
    Last edited by a moderator: Jan 30, 2009
  20. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852