
Monday, December 17, 2012

Removing Sality virus-win32


WIN32 - SALITY VIRUS
HOW TO REMOVE SALITY VIRUS:
A family of file-infecting viruses with backdoor and keylogger capabilities.
Some variants install a helper component in the Windows System folder.

The name of this component varies by SALITY VARIANT:
· SYSLIB32.DLL (All early versions)
· OLEMDB32.DLL (Sality.M, version 3.03)
· WMIMGR32.DLL (Sality.N, version 3.04)
· VCMGRD32.DLL (Sality.P/Q, version 3.07)
· VCMGCD32.DLL (Sality.R, version 3.09)
· WDMFMC32.DLL (Sality.S, version 3.07)
This DLL is then injected into running processes.

OTHER ALIASES:
· Sality
· Win32/Sality
· Sality.AA
· Sality.AE
· Sality.AH
· Sality.AM
· Sality.AR

HOW TO KNOW YOUR COMPUTER IS INFECTED BY THE SALITY VIRUS:

· Task manager is disabled.

· Registry Editor is disabled.

· Show all hidden files and folders is not working. The Hidden Files and Folders setting always reverts to the “Do not show hidden files and folders” option; you can't change it, even if you select “Show hidden files and folders”.

· Firewall and antivirus are not working. You can't run them or scan with them; even if you can run a scan, the virus won't be found, or it will be found but the antivirus can't clean or delete it.

· The virus infects .exe files on every partition of your hard disk. Almost all the .exe files on your computer will be infected (including explorer.exe, uninstall.exe, etc.). Some of your .exe applications may still run, but some won't (the virus kills the running process of the infected .exe application and/or shows an error message)!

· The virus may infect some .com and .scr files.

· The virus may infect some .dll files in your Windows folder.

· If you plug a USB device into your computer, it will create an autorun.inf file + a random

· The virus created an autorun.inf file + a random virus file (pwkmla.cmd) on my sample UFD.

· You can't boot Windows in safe mode. If you try to boot Windows in safe mode, it will fail and your system will restart automatically.
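The symptoms above can be checked from an elevated PowerShell prompt instead of by hand. The following read-only triage script is an added example, not part of the original post or of any vendor tool; it assumes the standard Windows policy and Explorer registry locations, the SafeBoot key names, and the helper DLL names listed earlier, and it only reports, never changes, anything.

```powershell
# Read-only Sality triage (added example, not from the original post).
# Run as the affected user (HKCU values) from an elevated prompt (HKLM/System32).
$findings = @()

# 1. Task Manager / Registry Editor disabled through Explorer policy values
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    $v = (Get-ItemProperty -Path $pol -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) { $findings += "$name = 1 under $pol" }
}

# 2. "Show hidden files" forced off: SHOWALL\CheckedValue is normally 1;
#    when it is 0, Explorer keeps reverting to "Do not show hidden files and folders"
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($null -ne $cv -and $cv -ne 1) { $findings += "SHOWALL\CheckedValue is $cv (expected 1)" }

# 3. Safe Mode unbootable: the SafeBoot\Minimal and \Network keys have been deleted
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
foreach ($sub in 'Minimal', 'Network') {
    if (-not (Test-Path "$safeBoot\$sub")) { $findings += "SafeBoot\$sub key is missing" }
}

# 4. Helper DLL names from the variant list, in the Windows System folder
$dlls = 'SYSLIB32.DLL', 'OLEMDB32.DLL', 'WMIMGR32.DLL',
        'VCMGRD32.DLL', 'VCMGCD32.DLL', 'WDMFMC32.DLL'
foreach ($d in $dlls) {
    $p = Join-Path $env:SystemRoot "System32\$d"
    if (Test-Path $p) { $findings += "helper DLL present: $p" }
}

# 5. autorun.inf dropped on removable drives (DriveType 2 = removable disk)
foreach ($disk in (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2')) {
    $a = "$($disk.DeviceID)\autorun.inf"
    if (Test-Path $a) { $findings += "autorun.inf found on removable drive $($disk.DeviceID)" }
}

if ($findings.Count -eq 0) { 'None of the indicators from this post were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on any of these is a reason to proceed with the removal steps below; an empty result does not prove the machine is clean, since infected .exe files are only found by a full antivirus scan.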


HOW TO DELETE THE SALITY VIRUS FROM YOUR SYSTEM:
Before deleting the virus, you should download these tools:

· Norman Safiano Malware Cleaner; choose one of these two links:

Download 1 : http://download.norman.no/public/Norman_Malware_Cleaner.exe

Download 2 : http://normanasa.vo.llnwd.net/o29/public/Norman_Malware_Cleaner.exe

· Symantec Win32.Sality.AE Removal Tool; choose one of these two links:

Mirror Download 1: http://www.ziddu.com/download/3653712/FxSltyAE.rar.html

Mirror Download 2: http://rapidshare.com/files/233586434/FxSltyAE.rar.html

HOW TO REMOVE SALITY VIRUS:
· Turn off “System Restore”.

· Run Norman Safiano Malware Cleaner to scan for the virus.

· If a “Do you want to restart...” dialog appears after scanning with Norman Safiano Malware Cleaner, you may restart or not.

· If you want to restart, make sure “System Restore” is still turned off before restarting. After restarting, you should do steps 1 to 2 again.

· Run Symantec Win32.Sality.AE Removal Tool.

· If a “Do you want to restart...” dialog appears after scanning with Symantec Win32.Sality.AE Removal Tool, you should restart. Make sure “System Restore” is still turned off beforehand.

· After restarting, the virus most probably has been removed. Task manager and Registry Editor

· To make sure the virus has been removed, run Symantec Win32.Sality.AE Removal Tool once

HOW TO HANDLE THE AFTERMATH OF DELETING SALITY:
· The Sality virus most probably has been removed, but some files (exe, dll, etc.) may still be infected by it. To clean them, scan them with your antivirus (NOD32, Kaspersky, Norman, Symantec, etc.).

· If the antivirus can't clean them, you should delete the infected files (exe, dll, etc.), BUT do it carefully, and be even more careful if the infected files are in the Windows folder (example: explorer.exe, etc.). Before deleting, make sure the system will still work without that file. If you're not sure, don't do it, or consult an expert.

· To repair safe mode, you can download a registry file to fix it:
http://www.eset.hk/support/tools/repairboot.zip

http://support.kaspersky.com/downloads/utils/sality_regkeys.zip

Extract it and run the file that matches your system (safeboot WinXP for Windows XP, etc.).

· Re-installing Windows is not the best option, especially if your Windows license is not FPP/OLP. (Remember, if you re-install Windows, you must re-install drivers and some software, etc., and don't forget you will have to re-activate Windows again.) Re-formatting all of your hard disk partitions and then re-installing Windows is the last option, IF you want to do it.

· I haven't re-formatted all of my hard disk partitions and re-installed Windows, because Sality virus has been removed and the infected files have been deleted carefully.

2 comments:

  1. Very useful post. My PC was attacked lately by the Sality virus. Gonna try this now. Thanks :)