W32.HLLP.Sality

[SoulAssassin]

Ok...I did post this in the NAV section but it seems pretty dead over there. Here's teh copy and paste from it:


Anyone run into this yet? I just worked on a friend's computer and ended up reloading it (formatted) and I kept the dsl modem unplugged. Once NIS 2006 was up and the firewall was running I plugged in the DSL modem (to run updates) and sure enough, it came back. Unfortunately I haven't found a thing via google but maybe someone has run into it...here's the link

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllp.sality.html

Symantec wasn't much help by saying just run the virus scanner. Two different scans (normal or safe mode) did nothing. DLL explorer showed the ddependcies of the offending dll (oledsp32.dll) but they were critical dll's to windows. I even deleted the dll at the recovery console but something was triggering it once I rebooted (nothing obvious starting up). I even double checked all the temp folders and cleaned the registry...still came back. No spyware is present on the system anymore, especially considering I formatted the partition. I follwed Symantec's instructions to a T...nothing worked so far.

 

[bygeek]

Did you edit the system.ini file as oultined in the remval instructions?

 

[SoulAssassin]

Yes and then made it read-only as a last gasp effort when simply editing it didn't help.

 

[wormdancer]

I've got it also, I have run everything to try and get rid of it. Symantec has not offered much other than the old "update and run full sys scan". Norton does catch it, everytime I run a program I get a notice saying norton has detected and deleted the file. it must root itself in the program files some where, Im still looking

 

[electronicsfreak]

Heres a few things to try.

http://housecall.trendmicro.com/

http://www.bleepingcomputer.com/files/killbox.php

http://ccollomb.free.fr/unlocker/

http://www.sysinternals.com/Utilities/RootkitRevealer.html

 

[SoulAssassin]

I figured this went off into obscurity...Check your system for cloaker.exe ...the system I worked on was an HP so the recovery software was on the secondary partition which got infected. In this case cloaker.exe was found in the C:\HP\Bin directory which was replicated from the second partition, hence why formatting never helped.