SAL.xls.exe virus and resulting damage

[bw587]

I have been infected with sal.xls.exe virus and have removed it with AVG - latest version.

My hard disk and removable disks have a $recycle.bin and System Volume Information folder on them that is hidden and unaccessable.

I have stopped system restore and tried to delete folders. I can remove the $recycle.bin folder but not the system volume information folder. The $recycle.bin reappears.

How do I remove them?

I am running a HP Pavilion DV7 Notebook PC with a Intel Core i7 CPU Q820 1.73 GHz and 4 GB Ram


Need help as my system is slowing down. Any ideas please.

 

[Dinesh]

Quickly download Hitman Pro and run a scan.
Products - SurfRight
Make sure you are connected to internet before you scan.

 

[Jaxryley]

The System Volume Information stores system restore points and is undeletable.

If any or all restore points have an infection it may be best to turn of system restore and delete all restore points through Disk Cleanup - More options then when you are clean turn system restore back on and create a new restore point.

 

[bw587]

I have run:
1. AVG Anti virus Free V9
2. AdAware Free V9 anti Spy and AntiRootkit
3 cCleaner V2.28.1091 (Latest)
4. AML Free Registery cleaner
5. HiJack this

I need to delete the $Recycle.bin and System Volume Information folders to clean up the disk and stop the virus reappearing.

In regedit I have set the values for Hidden files to 1 so I can see the folders but I can not delete them.

Any ideas?

 

[madtownidiot]

It's undeletable from windows. One of the major benefits of dual booting linux and windows is the ability to get into protected system folders including system volume information and delete files that would otherwise be impossible to remove. It comes in very handy for cleaning out infected HDDs, with almost no chance of spreading the virus/trojan/malware to my own computer. Something to consider trying.

 

[bw587]

If it's undeletable from windows how can I stop it reinstalling $Recycle.Bin and how can I remove infected part of System Volume Information? I have turned off system restore.

 

[Jonathan_King]

The Recycle Bin folder is put there because OS files are shown in Folder Options. If you don't like it, you can Hide Protected OS files in Folder Options or disable Recycle Bin for that drive.

Right-click on the Recycle Bin and select Properties.

 

[Jaxryley]

bw587 see if you can get a quick scan down with Malwarebytes. Update first before scanning.

The follow what Dinest suggested and do a scan with Hitman Pro.

|MG| Malwarebytes Anti-Malware 1.44 Download

 

[Tews]

If you dont have a system image that you can restore from, you will need to do a clean install...

 

[bw587]

If I can get into the system volume Information folder I can delete the malicious files. However I can see the folder in Explorer but I can't access the folder. Is there a way to get into the folder. There must be a setting somewhere to grant access.

 

[Tews]

Try taking ownership of the folder and see if that helps...

http://www.sevenforums.com/tutorials/1911-take-ownership-shortcut.html?ltr=T

 

[bw587]

No Did not work. Can delete $Recycle but System Volume Information brings it back. Cant delete System Volume Information

 

[Dinesh]

Did you follow my advice?

 

[bw587]

Hi Dinesh

Hitman Pro could not be run as it could not gain a internet connection. Dont know why as I am internet at same time and internet connection is good. Have noticed other malware and anti-virus programs can not access internet for updates. Could this be related??????? to problem with system volume information and $Recycle.bin.

 

[jav]

Login in Safe mode.
Take ownership of the folder.
Grant full control to your current account.
And try to delete.

It may take a few tries. You may have to take ownership of several folders and grant Full control access.

Or, even better if you will try the same method with Built-in Admin (http://www.sevenforums.com/tutorials/507-built-administrator-account-enable-disable.html)

Any chance, that reinstall is the choice? (Believe me it will be a lot less trouble)

And have you done this?

The System Volume Information stores system restore points and is undeletable.

If any or all restore points have an infection it may be best to turn of system restore and delete all restore points through Disk Cleanup - More options then when you are clean turn system restore back on and create a new restore point.

Hi Dinesh

Hitman Pro could not be run as it could not gain a internet connection. Dont know why as I am internet at same time and internet connection is good. Have noticed other malware and anti-virus programs can not access internet for updates. Could this be related??????? to problem with system volume information and $Recycle.bin.

In my opinion you have more then just this infection.
maybe you will post Hijack log?

 

[bw587]

I have now tried renaming the folders and deleting them. I can rename them and when I do they disappear.

So it appears successful, however when you reopen the drive the folders reappear again with their original names.

There is obviously a hidden file or something that is controlling them and reinstalling the folders and files.


When I delete the $recycle.bin folder it mentiones desktop.ini files contained in the folder will be deleted as well. These are reinstated when the folder is reinstalled.

When I search programs and files I find one desktop.ini file with the following text

[LocalisedFileNames]
pinned .lnk=@c:\windows\system32\shell32.dll, -4161

Other copies of desktop.ini are hidden in folder and do not appear when I search.
View attachment hijackthis.log

View attachment AdAware Log 02-02-2010.txt

 

[Jaxryley]

Hitman Pro could not be run as it could not gain a internet connection. Dont know why as I am internet at same time and internet connection is good. Have noticed other malware and anti-virus programs can not access internet for updates. Could this be related??????? to problem with system volume information and $Recycle.bin.

Those update sites for the security apps could be blocked by "Hosts" file entries.

Scroll down to "How do I reset the hosts file back to the default?"
Updating the HOSTS file in Windows 7 - Windows Forums

Also check Internet Options - Connections - Lan settings - untick use a proxy server and tick "Automatically detect settings"

Ya gonna have to get a scan down with an updated Malwarebytes and Hitman Pro as it will be too tedious trying to clean it up manually especially if it's an autorun worm.

 

[Jacee]

You have a hidden "auto run.ini" at start up.

See what you have:
sal.xls.exe | ThreatExpert statistics
Troj/VB-CYJ Trojan (Win32/VB.EL worm, Worm.Win32.VB.el, W32/Backdoor.VXI) - Sophos security analysis
Quick Heal-Important virus Information-Worm.VB.el

Are you using a USB drive that could be infected?

 

[bw587]

Thanks Jacee

I have the sal.xls.exe. I read the information about it and it is also called recycler virus.

I can see the System Volume Information folder and a $recycle.bin folder but not the Recycler folder.

I would like to know how to see all hidden files in Windows 7 so these appear with the file inside them.

I found the ctfmon.exe file but cant delete it as "I need permission from TrustedInstaller". This is a new user that has been created and I cant delete the files.

Any idea on how to delete them?

 

[Jacee]

Because "Virut" was shown by Sophos, this is a nasty Trojan ------

You're not only dealing with Virut but you are also dealing with a lot of other malware as well.
What I suggest in your case is to format and reinstall Windows. This because, Virut is a file infector which infects every .exe present on your system. The problem with Virut is, this is a buggy file infector and that's why scanners cannot disinfect them properly either > result > files are corrupted, won't work anymore.
And as I already explained, Virut infects every .exe.

This means that you may not delete these files, but they should be disinfected. And since it's a buggy virus, the files cannot be properly disinfected.

This unfortunately means that this is a game over situation and there's nothing much you can do besides formatting and reinstalling Windows.
Don't backup your files either, because when you backup exe files, they are also infected. You can however backup pictures and documents.


Look at the instructions on this page HM2K.com Win32 Virtob/Virut removal

It's up to you how you decide to work with this infection.