SAL.xls.exe virus and resulting damage

Tews · 01 Feb 2010

Try taking ownership of the folder and see if that helps...

Take Ownership Shortcut

bw587 · 02 Feb 2010

No Did not work. Can delete $Recycle but System Volume Information brings it back. Cant delete System Volume Information

Dinesh · 02 Feb 2010

Did you follow my advice?

bw587 · 02 Feb 2010

Hi Dinesh

Hitman Pro could not be run as it could not gain a internet connection. Dont know why as I am internet at same time and internet connection is good. Have noticed other malware and anti-virus programs can not access internet for updates. Could this be related??????? to problem with system volume information and $Recycle.bin.

jav · 02 Feb 2010

Login in Safe mode.
Take ownership of the folder.
Grant full control to your current account.
And try to delete.

It may take a few tries. You may have to take ownership of several folders and grant Full control access.

Or, even better if you will try the same method with Built-in Admin (Built-in Administrator Account - Enable or Disable)

Any chance, that reinstall is the choice? (Believe me it will be a lot less trouble)

And have you done this?

Jaxryley said:

The System Volume Information stores system restore points and is undeletable.

If any or all restore points have an infection it may be best to turn of system restore and delete all restore points through Disk Cleanup - More options then when you are clean turn system restore back on and create a new restore point.

bw587 said:

Hi Dinesh

Hitman Pro could not be run as it could not gain a internet connection. Dont know why as I am internet at same time and internet connection is good. Have noticed other malware and anti-virus programs can not access internet for updates. Could this be related??????? to problem with system volume information and $Recycle.bin.

In my opinion you have more then just this infection.
maybe you will post Hijack log?

bw587 · 02 Feb 2010

I have now tried renaming the folders and deleting them. I can rename them and when I do they disappear.

So it appears successful, however when you reopen the drive the folders reappear again with their original names.

There is obviously a hidden file or something that is controlling them and reinstalling the folders and files.

When I delete the $recycle.bin folder it mentiones desktop.ini files contained in the folder will be deleted as well. These are reinstated when the folder is reinstalled.

When I search programs and files I find one desktop.ini file with the following text

[LocalisedFileNames]
pinned .lnk=@c:\windows\system32\shell32.dll, -4161

Other copies of desktop.ini are hidden in folder and do not appear when I search.
hijackthis.log

AdAware Log 02-02-2010.txt

Jaxryley · 02 Feb 2010

bw587 said:

Hitman Pro could not be run as it could not gain a internet connection. Dont know why as I am internet at same time and internet connection is good. Have noticed other malware and anti-virus programs can not access internet for updates. Could this be related??????? to problem with system volume information and $Recycle.bin.

Those update sites for the security apps could be blocked by "Hosts" file entries.

Scroll down to "How do I reset the hosts file back to the default?"
Updating the HOSTS file in Windows 7 - Windows Forums

Also check Internet Options - Connections - Lan settings - untick use a proxy server and tick "Automatically detect settings"

Ya gonna have to get a scan down with an updated Malwarebytes and Hitman Pro as it will be too tedious trying to clean it up manually especially if it's an autorun worm.

Jacee · 03 Feb 2010

You have a hidden "auto run.ini" at start up.

See what you have:
sal.xls.exe | ThreatExpert statistics
Troj/VB-CYJ Trojan (Win32/VB.EL worm, Worm.Win32.VB.el, W32/Backdoor.VXI) - Sophos security analysis
Quick Heal-Important virus Information-Worm.VB.el

Are you using a USB drive that could be infected?

bw587 · 04 Feb 2010

Thanks Jacee

I have the sal.xls.exe. I read the information about it and it is also called recycler virus.

I can see the System Volume Information folder and a $recycle.bin folder but not the Recycler folder.

I would like to know how to see all hidden files in Windows 7 so these appear with the file inside them.

I found the ctfmon.exe file but cant delete it as "I need permission from TrustedInstaller". This is a new user that has been created and I cant delete the files.

Any idea on how to delete them?

Jacee · 04 Feb 2010

Because "Virut" was shown by Sophos, this is a nasty Trojan ------

You're not only dealing with Virut but you are also dealing with a lot of other malware as well.
What I suggest in your case is to format and reinstall Windows. This because, Virut is a file infector which infects every .exe present on your system. The problem with Virut is, this is a buggy file infector and that's why scanners cannot disinfect them properly either > result > files are corrupted, won't work anymore.
And as I already explained, Virut infects every .exe.

This means that you may not delete these files, but they should be disinfected. And since it's a buggy virus, the files cannot be properly disinfected.

This unfortunately means that this is a game over situation and there's nothing much you can do besides formatting and reinstalling Windows.
Don't backup your files either, because when you backup exe files, they are also infected. You can however backup pictures and documents.

Look at the instructions on this page HM2K.com Win32 Virtob/Virut removal

It's up to you how you decide to work with this infection.