Manual Removal of W32.Sality.aa Trojan

W32/Sality-AA is a virus that also acts as a keylogger.

The virus logs keystrokes to certain windows, as well as information about the infected computer. This logged data is periodically submitted to a remote website.
W32/Sality-AA has been seen spreading itself via email by piggy-backing on W32/Netsky-T. W32/Sality-AA is a virus that also acts as a keylogger.
The virus logs keystrokes to certain windows, as well as information about the infected computer. This logged data is periodically submitted to a remote website.
W32/Sality-AA has been seen spreading itself via email by piggy-backing on W32/Netsky-T.

Aliases: Virus.Win32.Sality.aa (Kaspersky), Virus:Win32/Sality.AM (Microsoft), W32/Sality.ah (McAfee)
Type of infiltration: Virus
Size: Variable
Affected platforms: Windows
Signature database version: 3267 (20080714)
Short description: Win32/Sality.NAR is a polymorphic file infector.
Damage Level : Highly Dangerous
Distribution Level:
High/Medium
There is NO Auto Removal Tool for W32.Sality.aa Trojan
Trojan Manual Removal Instructions
Recommend Removal from Safe Mode:

How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.
The Infected Files Can be Seen in these folders and names also Running in Tasks
End the Following Active Process Before Removal

  • %System%\amvo.exe
  • %System%\blastclnnn.exe
  • %System%\scvhsot.exe
  • %Temp%\00055a0e_rar\scvhsot.exe
  • %Temp%\000592b2_rar\scvhsot.exe
  • %Temp%\0005934e_rar\hinhem.scr
  • %Temp%\0005938d_rar\blastclnnn.exe
  • %Windir%\hinhem.scr
  • %Windir%\scvhsot.exe
  • c:\rdsfk.com
  • %System%\drivers\.sys
  • %temp%\win%name%.exe
  • %temp%\%name%.exe
Kill the following processes and delete the appropriate files:
antzom.exe, ax.exe, bomryuc.dll
, drlbqse.dll, egjjen.sys, fmgonn.sys, hehmu.sys, hsgfrn.sys, idlrrh.sys, impnn.sys, jnjpvn.sys, loader174.exe, mAO3q2B7r6.exe, mm2emt.exe, ogmkmn.sys, omdftn.sys, vwservice.exe, vwsrv.exe, vwsrv[1].exe, win13652.dll, win21309.dll, win25709.dll, win27388.dll, win28610.dll, win29788.dll, win3096.dll, win31324.dll, win33848.dll, win35482.dll, win36587.dll, win37763.dll, win40320.dll, win40346.dll, win44025.dll, win46721.dll, win48684.dll, win63279.dll, win7320.dll, windjnvr.exe, winibqs.exe, winjepm.exe, winkrqpx.exe, winkxggjh.exe, winnmswkj.exe, winrlwmt.exe, winxotbiy.exe, wmdrtc32.dll, wmdrtc32.dl_, x1001[1].exe, x2000[1].exe, x2007.exe, x2011.exe, x2011[1].exe, x3000[1].exe, ywsnkhb.dll

Spreading on removable media
The virus copies itself into the root folders of removable drives using a random filename. The filename has one of the following extensions:
.exe
.pif
.cmd
The following file is dropped in the same folder:
autorun.inf
Thus, the virus ensures it is started each time infected media is inserted into the computer.

If you have any of these files in running process from task manger, end the process before removal.

Note: if task manager is disabled, Download the following file, Click to Download - Enable Registry.reg

Manually Remove From Registry
Click Start, Run,Type regedit,Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Download and run this UnHookExec.inf, and then continue with the removal.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
“GlobalUserOffline” = 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system
“EnableLUA” = 0
The following Registry entries are deleted:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot



HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aouei
Key: CLSID\{1CE21416-0B8D-8CF6-1FCB-099B30C628BB}\InprocServer32
Value: ThreadingModel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_VWSERVICE
Value: NextInstance

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000
Value: Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000\Control
Value: ActiveService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwservice
Value: DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwservice\Enum
Value: Count
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwservice\Security
Value: Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32
Value: Type
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32
Value: Start
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32
Value: ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32
Value: ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32
Value: DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32\Security
Value: Security
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32
Value: NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000\Control
Value: *NewlyCreated*
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000
Value: Service
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000
Value: Legacy
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000
Value: ConfigFlags
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000
Value: Class
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000
Value: ClassGUID
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000
Value: DeviceDesc
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NdisFileServices32\Enum
Value: 0
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NdisFileServices32\Enum
Value: Count
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NdisFileServices32\Enum
Value: NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\Root\LEGACY_NDISFILESERVICES32\0000\Control
Value: ActiveService

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Value: d
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value: {06DB7430-7430-6DB1-306D-430DB4306DB1}
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\NdisFileServices32
Value: ImagePath
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\NdisFileServices32
Value: DeleteFlag
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\NdisFileServices32
Value: ImagePath
HKEY_CURRENT_USER\Software\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000
Value: ClassGUID
HKEY_CURRENT_USER\Software\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000
Value: DeviceDesc
HKEY_CURRENT_USER\Software\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000
Value: Service
HKEY_CURRENT_USER\Software\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000
Value: ConfigFlag
HKEY_CURRENT_USER\Software\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000
Value: Legacy
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice
Value: ImagePath
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice
Value: ObjectName
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice
Value: ErrorControl
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice
Value: Start
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice
Value: Type
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice
Value: FailureActions
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice\Enum
Value: NextInstance
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice\Enum
Value: 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Value: s
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Value: f
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Value: d
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Value: f
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Value: d
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Value: s
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Value: Start Page

_+ Any of the Above Listed Files +_
Search Registry For Virus File Names listed above to remove completely,
Edit Menu - Find
, enter Keyword and remove all value that find in search
.

Exit the Registry Editor,
Restart your Computer.
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)

0 comments:

Post a Comment

How About Them?

My Allied

KillroyLive Chat Box


ShoutMix chat widget

Killroy Think..

My photo
PJ, Selangor, Malaysia
A true friend respects you for who you are.they won't expect you to change or do things differently just to please them..

People Here?

Where their come from?