Running that command-line virus scanner... question


casey.o

I'm running salitykiller.exe (from Kaspersky) on everything. Every
computer, and all plug-in USB drives. I've not yet tried to run it
in Win98, but want to scan the dual-boot Win2000 on the same computer. Will
it scan the entire computer regardless of which OS I run? In other words,
will it scan the Win98 files if I run it from Win2000, or scan the
Win2000 files if I run it from Win98?

Does anyone know?

Actually, I want to try to run it from a DOS floppy boot first......

But I can't do that to check USB drives, since I can't access USB from
DOS.

One other thing, if you ever use this program and use the -v switch to
create a report, DON'T DO IT on a large drive. I scanned my USB portable
HDD, which has backups of several computers, and double copies. I ended
up with a 546,704 KB text file. .....

Details about this program here:
http://support.kaspersky.com/us/viruses/disinfection/1874#block2
 
I'm running salitykiller.exe (from Kaspersky) on everything. Every
computer, and all plug-in USB drives. I've not yet tried to run it
in Win98, but want to scan the dual-boot Win2000 on the same computer. Will
it scan the entire computer regardless of which OS I run? In other words,
will it scan the Win98 files if I run it from Win2000, or scan the
Win2000 files if I run it from Win98?

Does anyone know?

Actually, I want to try to run it from a DOS floppy boot first......

But I can't do that to check USB drives, since I can't access USB from
DOS.

One other thing, if you ever use this program and use the -v switch to
create a report, DON'T DO IT on a large drive. I scanned my USB portable
HDD, which has backups of several computers, and double copies. I ended
up with a 546,704 KB text file. .....

Details about this program here:
http://support.kaspersky.com/us/viruses/disinfection/1874#block2

It's interesting the helper here recommends "level and reload".
These guys don't usually give up.

http://www.bleepingcomputer.com/forums/t/451539/got-infected-by-my-biggest-enemy-online-sality/

Even Bleepingcomputer has been hit by Sality. The ComboFix developer
somehow got Sality on his developer machine.

http://www.bleepingcomputer.com/for...-being-infected-and-what-you-should-do/page-2

They don't recommend regular AV software to stop it, so one of
the two versions of SalityKiller is the way to go at the moment.

I wasn't able to find anything that promises that SalityKiller scans
everything. I suspect it does, but any network shares that are currently
not mounted you'll have to arrange to do separately. It would
pretty well have to scan every partition, because it has to expunge
all the autorun.inf files, as well as any .pif or .exe that were added
or modified. Cleaning just C: would be pretty pointless with something
this nasty.

*******

I'm guessing the main purpose of malware like this is to make
your machine(s) part of a botnet. But with your dialup networking,
at least some botnets don't bother with machines that have
poor network connectivity. Imagine how hard it would be for Sality
to download "helpers" at 3KB/sec :-) Or to participate in a DDoS
attack, at 3KB/sec. Vroom!

Do the best you can with SalityKiller.

Paul
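Added example (not from this thread, and not Kaspersky's tool) to illustrate Paul's point that a Sality clean-up has to cover every partition, not just C:, because the infection drops autorun.inf on each volume and modifies .exe/.pif files. The script only reports; drive-letter enumeration is Windows-specific and the extension set is an assumption limited to the file types the thread names.

```python
import os
import string
import time
from pathlib import Path
from typing import Dict, List

# File types the thread names as Sality's targets (assumption: limited to
# what the thread mentions; autorun.inf is matched by name, not extension).
EXECUTABLE_EXTS = {".exe", ".pif"}


def mounted_drive_roots() -> List[str]:
    """Windows only: every drive letter that currently resolves (C:\\, D:\\ ...).
    Network shares that are not mounted will not appear; do those separately."""
    return [f"{letter}:\\" for letter in string.ascii_uppercase
            if os.path.exists(f"{letter}:\\")]


def triage_volume(root: str, modified_since: float) -> Dict[str, List[str]]:
    """Walk one volume and report (a) every autorun.inf and (b) every .exe/.pif
    whose mtime is at or after `modified_since` (a Unix timestamp, e.g. when the
    infection was first noticed). Reporting only: nothing is deleted."""
    findings: Dict[str, List[str]] = {"autorun": [], "recent_executables": []}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = Path(dirpath, name)
            if name.lower() == "autorun.inf":
                findings["autorun"].append(str(path))
                continue
            if path.suffix.lower() in EXECUTABLE_EXTS:
                try:
                    if path.stat().st_mtime >= modified_since:
                        findings["recent_executables"].append(str(path))
                except OSError:
                    pass  # unreadable file: skip it rather than abort the walk
    return findings


def triage_all(modified_since: float, roots=None) -> Dict[str, Dict[str, List[str]]]:
    """Run triage_volume over every root (default: all mounted drive letters)."""
    roots = roots if roots is not None else mounted_drive_roots()
    return {root: triage_volume(root, modified_since) for root in roots}


if __name__ == "__main__":
    cutoff = time.time() - 7 * 24 * 3600  # anything touched in the last 7 days
    for root, result in triage_all(cutoff).items():
        print(root, len(result["autorun"]), "autorun.inf,",
              len(result["recent_executables"]), "recently modified .exe/.pif")
```

Files flagged here still need a proper scan before deletion; an unmodified, legitimately installed .exe will not appear because its mtime predates the cutoff.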
 
I'm running salitykiller.exe (from Kaspersky) on everything. Every
computer, and all plug-in USB drives. I've not yet tried to run it
in Win98, but want to scan the dual-boot Win2000 on the same computer. Will
it scan the entire computer regardless of which OS I run? In other words,
will it scan the Win98 files if I run it from Win2000, or scan the
Win2000 files if I run it from Win98?

Does anyone know?

It'll scan all hard disk drive letters unless you use the -n or -s switch
(see --help switch output). The program depends entirely on the OS for which
file systems are supported, so assuming that it can run on Win9x, it can't
scan NTFS drives unless you have an NTFS driver for Win9x. If I remember
correctly, SysInternals (now Microsoft) has a read-only NTFS driver for
Win9x.

Actually, I want to try to run it from a DOS floppy boot first......

That won't work. SalityKiller is a Windows program that runs in a console.
It's not a DOS program.

But I can't do that to check USB drives, since I can't access USB from
DOS.

If you booted from a USB drive to DOS, you can access that USB drive. But if
you didn't boot from a USB drive, you'll need a USB mass storage driver and
an ASPI driver. Google for "Motto Hairu" or "mhairu", and "USBASPI".

One other thing, if you ever use this program and use the -v switch to
create a report, DON'T DO IT on a large drive. I scanned my USB portable
HDD, which has backups of several computers, and double copies. I ended
up with a 546,704 KB text file. .....

Well, at least it does its job properly.
The -p switch should be used to avoid scanning all drives.
 
On Sat, 24 May 2014 21:05:42 -0400, (e-mail address removed) wrote:
It'll scan all hard disk drive letters unless you use the -n or -s switch

Sorry, I meant -n or -r switch.
 
It's interesting the helper here recommends "level and reload".
These guys don't usually give up.

http://www.bleepingcomputer.com/forums/t/451539/got-infected-by-my-biggest-enemy-online-sality/

Even Bleepingcomputer has been hit by Sality. The ComboFix developer
somehow got Sality on his developer machine.

This must be a severe threat right now.... ???

http://www.bleepingcomputer.com/for...-being-infected-and-what-you-should-do/page-2

They don't recommend regular AV software to stop it, so one of
the two versions of SalityKiller is the way to go at the moment.

All the AV software I tried was destroyed.

I wasn't able to find anything that promises that SalityKiller scans
everything. I suspect it does, but any network shares that are currently
not mounted you'll have to arrange to do separately. It would
pretty well have to scan every partition, because it has to expunge
all the autorun.inf files, as well as any .pif or .exe that were added
or modified. Cleaning just C: would be pretty pointless with something
this nasty.

I ran it on several systems now and watched it scan partitions as well
as individual folders on my HDD and external drives. So I guess it is
doing its job. I have created the text files that show what occurred,
but there is a lot of gibberish in them, and they take forever to load
because they are so huge. I did still have one copy of the Firefox22
installer which I forgot to delete. That file was tagged as dangerous
on the laptop, but it did not specify what it contained. Salitykiller
did NOT make any notice about that file, so I don't think it looks INSIDE
of files. However, considering the screwed up mess that my laptop was
in, who knows if the AV software really did find a REAL threat in that
file or not. But I removed the file anyhow.

I'm just glad I store all my personal stuff on the Win98 machine. That
seems to be the only system to survive. I not only scanned Win2000 with
salitykiller, but while booted to Win98, I deleted the Win2000 folder
and replaced it from a backup.

I am now pretty sure this damn virus is gone, except for one flash drive
which I KNOW has it. That flash drive contains some .exe driver files I
just downloaded from Lenovo, for another computer. I noted that some of
those files were being tagged as INFECTED during the scan of the laptop
HDD. I've decided to just format that flash drive, and will do so right
before I format the HDD on the laptop to restore my backup.

Once I get all of this done, I'll be running AV software on my laptop.
I'm not really sure which one though. The MS Security Essentials is
supposed to be good, and it's free, but I'm not sure if their
definitions will continue to work on XP. But it seems to me that those
same viruses would affect Win7 etc....

I'm not going to buy one, and who knows how good those free ones are?

Unfortunately there doesn't seem to be anything to run on Win98 anymore as
far as AV software. But maybe I can scan my system using Win2000? All
I can do is try.

Yes, this is a VERY SEVERE virus. I learned that quick.....

I've never dealt with anything like this before. I've had my share of
spyware and toolbars, and I have had a few trojans that I could remove
by hand. I even had a virus back in the DOS days that was a pain in the
ass, but never anything this destructive.

Thanks
 
I've never dealt with anything like this before. I've had my share of
spyware and toolbars, and I have had a few trojans that I could remove
by hand. I even had a virus back in the DOS days that was a pain in the
ass, but never anything this destructive.

Thanks

You've performed a valuable service to the community.

Namely, we can't afford to be as complacent as we were a
week ago.

I'm downloading a copy of the Baseline Security Analyzer,
to see if any updates are missing.

Paul
 
Unfortunately there doesn't seem to be anything to run on Win98 anymore as
far as AV software. But maybe I can scan my system using Win2000? All
I can do is try.

Take a look here; it even supports Win95, supposedly.

http://www.srnmicro.com/products/

--
Ken
Mac OS X 10.8.5
Firefox 25.0
Thunderbird 24.3.0
"My brain is like lightning, a quick flash
and it's gone!"
 
Home.com

That looks like an interesting site Casey. Are they reliable?

That's where all computer users live. But most of them don't put ".COM"
next to their address numbers on the house.
 
That's where all computer users live. But most of them don't put ".COM"
next to their address numbers on the house.

You could use (e-mail address removed) instead, if
the intention is to make a fake email identifier.

http://en.wikipedia.org/wiki/Top-level_domain

invalid: reserved for use in obviously invalid domain names

I don't think the Google Groups search works worth a damn
any more, so having a useful identifier for that purpose
is likely a waste of time.

If you use a real email identifier, it can be harvested
and used for receipt of spam emails. Email sent to .invalid
would be rejected by most any receiving email agent, so
attempts to spam with such an address don't burden more
than the sender's system.

HTH,
Paul
 
That's where all computer users live. But most of them don't put ".COM"
next to their address numbers on the house.

Well, from the evasiveness of your reply I conclude it's some kind of
spam/scam that you are running.
 