Your best source of information and news about winvista, windows vista and hardware on the internet

December 12th, 2008

Manual Removal of W32.Sality.aa Trojan

W32/Sality-AA is a polymorphic file-infecting virus that also acts as a keylogger. It logs keystrokes typed into certain windows, together with information about the infected computer, and periodically submits the logged data to a remote website. W32/Sality-AA has been seen spreading by email by piggy-backing on W32/Netsky-T.

Aliases: Virus.Win32.Sality.aa (Kaspersky), Virus:Win32/Sality.AM (Microsoft), W32/Sality.ah (McAfee)
Type of infiltration: Virus (polymorphic file infector)
Size: Variable
Affected platforms: Windows
Signature database version: 3267 (20080714)
Short description: a polymorphic file infector (listed as Win32/Sality.NAR in the signature database cited above)
Damage level: Highly dangerous
Distribution level: High/Medium
No automatic removal tool for W32.Sality.aa is referenced here, so the steps below are manual. Two caveats before you start. First, despite the "Trojan" in the title, Sality is a polymorphic file infector: in addition to the dropped files listed below, it appends itself to existing .exe and .scr programs on the machine, so removing the dropped files and registry entries stops the loader but does not disinfect those programs. Finish with a full scan by a product whose signature database includes a Sality disinfection routine (see Recommended Removal Tools at the end), and if many system executables are infected, reinstall from clean media. Second, the virus deletes the SafeBoot registry keys (see the registry section), so Safe Mode may fail to start; if it does, boot from a clean rescue CD and do the file cleanup from there.
Manual removal instructions
Removal from Safe Mode is recommended:

How to start in Safe Mode:
Restart the computer, press F8 repeatedly as soon as the screen comes on, select Safe Mode and press Enter.

The infected files can be found under the following names and folders and may also appear as running tasks.
End the following active processes before removal:

  • %System%\amvo.exe
  • %System%\blastclnnn.exe
  • %System%\scvhsot.exe 
  • %Temp%\00055a0e_rar\scvhsot.exe
  • %Temp%\000592b2_rar\scvhsot.exe
  • %Temp%\0005934e_rar\hinhem.scr
  • %Temp%\0005938d_rar\blastclnnn.exe
  • %Windir%\hinhem.scr
  • %Windir%\scvhsot.exe
  • c:\rdsfk.com
  • %System%\drivers\.sys
  • %temp%\win%name%.exe
  • %temp%\%name%.exe

Kill the following processes and delete the corresponding files:
antzom.exe, ax.exe, bomryuc.dll, drlbqse.dll, egjjen.sys, fmgonn.sys, hehmu.sys, hsgfrn.sys, idlrrh.sys, impnn.sys, jnjpvn.sys, loader174.exe, mAO3q2B7r6.exe, mm2emt.exe, ogmkmn.sys, omdftn.sys, vwservice.exe, vwsrv.exe, vwsrv[1].exe, win13652.dll, win21309.dll, win25709.dll, win27388.dll, win28610.dll, win29788.dll, win3096.dll, win31324.dll, win33848.dll, win35482.dll, win36587.dll, win37763.dll, win40320.dll, win40346.dll, win44025.dll, win46721.dll, win48684.dll, win63279.dll, win7320.dll, windjnvr.exe, winibqs.exe, winjepm.exe, winkrqpx.exe, winkxggjh.exe, winnmswkj.exe, winrlwmt.exe, winxotbiy.exe, wmdrtc32.dll, wmdrtc32.dl_, x1001[1].exe, x2000[1].exe, x2007.exe, x2011.exe, x2011[1].exe, x3000[1].exe, ywsnkhb.dll

Spreading on removable media
The virus copies itself to the root folder of each removable drive under a random filename with one of the following extensions:
.exe
.pif
.cmd
It drops the following file in the same folder:
autorun.inf
The autorun.inf points at the copied file, so the virus is started each time the infected media is inserted into a computer on which AutoRun is enabled.
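The following script is an added example for this section, written for this edit rather than taken from the article. It checks every removable drive for an autorun.inf, reports which file the [autorun] section would launch (with its SHA-256, so it can be submitted to a scanner) and flags the three extensions named above, then disables AutoRun for all drive types. The function names and the report format are the example's own; it uses only PowerShell 2.0 cmdlets.

```powershell
# Added example (not from the original article): audit autorun.inf on removable
# drives and turn AutoRun off. Function names and output format are this example's.

function Get-FileSha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $hash = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($hash)).Replace('-', '').ToLower()
}

# Return the program(s) an autorun.inf would launch: open=, shellexecute= and
# shell\<verb>\command= entries. Only the [autorun] section is honoured by Windows.
function Get-AutorunTargets([string]$InfPath) {
    $targets = @()
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $InfPath) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($matches[1] -ieq 'autorun'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+)$') {
            # Keep only the program path: first quoted string, or first token.
            $cmd = $matches[2].Trim()
            if ($cmd.StartsWith('"')) { $prog = $cmd.Split('"')[1] } else { $prog = $cmd.Split(' ')[0] }
            $targets += $prog
        }
    }
    return $targets
}

$suspectExt = @('.exe', '.pif', '.cmd')   # extensions the article lists for the dropped copy
# DriveType 2 = removable disk (USB sticks, card readers).
foreach ($disk in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2') {
    $inf = Join-Path $disk.DeviceID 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    Write-Host "[$($disk.DeviceID)] autorun.inf present"
    foreach ($prog in Get-AutorunTargets $inf) {
        $full = Join-Path $disk.DeviceID $prog
        $ext = [System.IO.Path]::GetExtension($prog).ToLower()
        $flag = if ($suspectExt -contains $ext) { 'SUSPECT' } else { 'check' }
        if (Test-Path -LiteralPath $full) {
            Write-Host ("  {0,-8} {1}  sha256={2}" -f $flag, $full, (Get-FileSha256 $full))
        } else {
            Write-Host ("  {0,-8} {1}  (target missing)" -f $flag, $full)
        }
    }
}

# Mitigation: disable AutoRun for every drive type (0xFF) machine-wide. On Windows XP
# and Vista install update KB967715 first; without it Explorer does not fully honour
# this value for autorun.inf on removable disks.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
Set-ItemProperty -Path $pol -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
```

Run it from an elevated PowerShell prompt; the last three lines write to HKLM and need administrator rights. Disabling AutoRun only stops the autorun.inf from launching the copy automatically: the file is still on the stick and infects a machine the moment a user double-clicks it, so clean the media as well.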

If any of these files appear as running processes in Task Manager, end the process before removal.
Note: if Task Manager has been disabled, download and run the following file to re-enable it: Click to Download - Enable Registry.reg

Manually remove from the registry
Click Start, Run, type regedit, click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to block it. Download and run UnHookExec.inf, then continue with the removal.
The virus sets the following values; reset them after removal. EnableLUA = 0 switches User Account Control off on Windows Vista, so set it back to 1. GlobalUserOffline = 0 takes Internet Explorer (and every program that uses its WinInet stack) out of Work Offline mode.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
"GlobalUserOffline" = 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system
"EnableLUA" = 0
The virus deletes the following registry keys. Do not delete them yourself. The two SafeBoot keys are what Safe Mode needs in order to start, so if they are missing, restore them from an export taken on a clean machine running the same Windows version and service pack:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot

Delete the following keys and values, which the virus adds or changes (export the registry first, File, Export, so the change can be undone):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aouei
Key: CLSID\{1CE21416-0B8D-8CF6-1FCB-099B30C628BB}\InprocServer32
Value: ThreadingModel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_VWSERVICE
Value: NextInstance

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000
Value: Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000\Control
Value: ActiveService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwservice
Value: DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwservice\Enum
Value: Count
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwservice\Security
Value: Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32
Value: Type
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32
Value: Start
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32
Value: ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32
Value: ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32
Value: DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32\Security
Value: Security
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32
Value: NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000\Control
Value: *NewlyCreated*
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000
Value: Service
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000
Value: Legacy
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000
Value: ConfigFlags
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000
Value: Class
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000
Value: ClassGUID
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000
Value: DeviceDesc
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NdisFileServices32\Enum
Value: 0
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NdisFileServices32\Enum
Value: Count
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NdisFileServices32\Enum
Value: NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\Root\LEGACY_NDISFILESERVICES32\0000\Control
Value: ActiveService

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Value: d
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value: {06DB7430-7430-6DB1-306D-430DB4306DB1}
Note: the HKEY_CURRENT_USER\Software\CurrentControlSet paths listed below do not exist on a standard Windows installation; services and device enumeration live under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet, which is covered above. If nothing is found under HKEY_CURRENT_USER, the entries to remove are the HKEY_LOCAL_MACHINE ones.
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\NdisFileServices32
Value: ImagePath
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\NdisFileServices32
Value: DeleteFlag
HKEY_CURRENT_USER\Software\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000
Value: ClassGUID
HKEY_CURRENT_USER\Software\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000
Value: DeviceDesc
HKEY_CURRENT_USER\Software\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000
Value: Service
HKEY_CURRENT_USER\Software\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000
Value: ConfigFlag
HKEY_CURRENT_USER\Software\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000
Value: Legacy
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice
Value: ImagePath
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice
Value: ObjectName
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice
Value: ErrorControl
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice
Value: Start
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice
Value: Type
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice
Value: FailureActions
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice\Enum
Value: NextInstance
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice\Enum
Value: 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Value: s
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Value: f
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Value: Start Page

Any of the above listed files: search the registry for each virus file name listed above (Edit menu, Find), enter the name as the keyword, and remove every value the search finds so that the removal is complete.

Exit the Registry Editor,
Restart your Computer.
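Because the steps above (process list, dropped files, registry values and services) form one procedure, here is one script that audits all of them. It is added as an example for this edit and is not part of the original article. By default it only reports; with -Fix it restores EnableLUA and removes the Run and ShellExecuteHooks entries, and it deliberately leaves the SafeBoot repair, the service removal and the file deletion to the manual steps, since those need the binaries confirmed or the system offline first. The -Fix switch, the Note and Get-RegValue helpers, and the subset of process names checked are the example's own choices.

```powershell
# Added example (not from the original article): audit the Sality artefacts the
# removal steps list. Report only unless -Fix is given. Helper names are this example's.
param([switch]$Fix)

$findings = @()
function Note([string]$msg) { $script:findings += $msg; Write-Host $msg }

# Registry helper that returns $null instead of throwing when key or value is absent.
function Get-RegValue([string]$Key, [string]$Name) {
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

# 1. Values the virus sets: UAC off (Vista) and IE forced out of Work Offline mode.
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Get-RegValue $sysPol 'EnableLUA') -eq 0) {
    Note 'EnableLUA = 0 (User Account Control disabled)'
    if ($Fix) { Set-ItemProperty -Path $sysPol -Name 'EnableLUA' -Value 1 -Type DWord }
}
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ((Get-RegValue $inet 'GlobalUserOffline') -eq 0) { Note 'GlobalUserOffline = 0 (Work Offline forced off)' }

# 2. SafeBoot keys the virus deletes: without Minimal/Network, Safe Mode cannot boot.
foreach ($sub in 'Minimal', 'Network') {
    if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sub")) {
        Note "SafeBoot\$sub key is missing (restore from a clean machine of the same Windows version)"
    }
}

# 3. Autostart entries named in the article.
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if ((Get-RegValue $run 'aouei') -ne $null) {
    Note "Run value 'aouei' -> $(Get-RegValue $run 'aouei')"
    if ($Fix) { Remove-ItemProperty -Path $run -Name 'aouei' }
}
$hooks = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$clsid = '{06DB7430-7430-6DB1-306D-430DB4306DB1}'
if ((Get-RegValue $hooks $clsid) -ne $null) {
    Note "ShellExecuteHooks entry $clsid present"
    if ($Fix) { Remove-ItemProperty -Path $hooks -Name $clsid }
}

# 4. Services the virus installs, with the binary each one points at.
foreach ($svc in 'vwservice', 'NdisFileServices32') {
    $img = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" 'ImagePath'
    if ($img -ne $null) { Note "service $svc present, ImagePath = $img" }
}

# 5. Dropped files with fixed names from the article's list (%System% = System32,
# %Windir% = SystemRoot). Random-name entries cannot be checked this way.
$paths = @(
    "$env:SystemRoot\System32\amvo.exe", "$env:SystemRoot\System32\blastclnnn.exe",
    "$env:SystemRoot\System32\scvhsot.exe", "$env:SystemRoot\hinhem.scr",
    "$env:SystemRoot\scvhsot.exe", 'C:\rdsfk.com'
)
foreach ($p in $paths) { if (Test-Path -LiteralPath $p) { Note "dropped file present: $p" } }

# 6. Running processes with those names, useful when Task Manager has been disabled.
$names = @('amvo', 'blastclnnn', 'scvhsot', 'vwservice', 'vwsrv', 'antzom', 'ax', 'loader174', 'mm2emt')
foreach ($proc in Get-Process | Where-Object { $names -contains $_.ProcessName.ToLower() }) {
    $exe = try { $proc.Path } catch { '(path not readable)' }
    Note "running: $($proc.ProcessName) (PID $($proc.Id)) $exe"
}

if ($findings.Count -eq 0) { Write-Host 'None of the listed Sality artefacts found.' }
```

Run it elevated so the HKLM keys and other users' processes are readable. A clean report from this script does not mean the machine is clean: Sality's own body lives inside infected .exe and .scr files, which only a scanner with a disinfection routine will find, so use the output as a checklist for the manual steps and follow it with a full scan.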
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)

Written by FireFly on December 12th, 2008 with 7 comments.

How to restore NTBackup (.bkf) file on Windows Server 2008

Some IT pros may not be aware that NTBackup has been removed from Windows Server 2008 and Windows Vista. If you try to open a backup file (.bkf) made with NTBackup on Windows Server 2008 or Windows Vista, Windows Explorer reports an unknown file format and asks you to choose a program to open it, and the Windows Server Backup tool in Server 2008 cannot browse the file or restore it to another location either.

This raises the question: does an IT pro need to keep a Windows Server 2003 (or older) machine around just to restore NTBackup files in the future? The answer is no. You can still restore them on Windows Server 2008 with a Microsoft tool called Windows NTBackup - Restore Utility. Once it is installed on the Windows Server 2008 box, a .bkf file can be restored there. The tool is available from the link below:

Windows NTBackup - Restore Utility


Note: the Removable Storage Management feature must be enabled before Windows NTBackup - Restore Utility will run. As its name says, the tool only restores; it cannot create new .bkf backups, so use Windows Server Backup for new backups.


Written by magakos on December 12th, 2008 with 2 comments.

The best Windows XP Registry Cleaner

Windows XP running a little slow, or crashing regularly?

It is likely a problem with the Windows XP registry.

With all the software we install today, over time the registry can get messed up or, at a minimum, become very inefficient.

This can lead to:

  • Slow system performance
  • The blue screen of death
  • Random crashes
  • Odd error messages
  • Windows that won’t open
  • Etc, etc…

If any of the above is happening to you, you should try cleaning your registry for improved performance. It can really go a long way to speeding up your PC and preventing all kinds of hard to diagnose Windows errors.

So, what is the best registry cleaner for Windows XP?

Honestly, you would be the best at it if you knew how to do it by hand, but even I can't do that!

So, I did the next best thing: I tested the top 5 registry cleaners on 3 different PCs running XP, and while they all seemed to help some, one was clearly the best at repairing the registry, and it offers a free scan:

Click here for your FREE registry scan

I’ve been using it for about 3 weeks now and my system(s) are definitely running smoother. It also just feels good knowing my system is clean.

It is free to try so go for it and let me know how it works for you in the comments.

Written by admin on December 12th, 2008 with 2 comments.

Windows 7 32Bit Build 6801 DVD

Windows.7.32Bit.Build.6801.DVDWinBeta - There are lots of Windows 7 ISOs available all over the internet; this is one of them.

Release Date.....: October 29, 2008
Directory Name...: Microsoft.Windows.7.32Bit.Build.6801.DVDWinBeta
Supplier.........: Microsoft
Type.............: OS
Format.......... : DVD ISO (as supplied by MS)
Number of Discs..: 1
Archives.........: 60 x 50 MB (2% rar recovery record)
Files............: wbwin7pdc32bit6801dvd.rxx
Protection.......: Key + Activation
Requirements.....: CPU: 1.5GHz+ / RAM: 512MB+ / HDD: 12gb+

You just need to :
Unpack.
Burn to dvd or mount with an emulator
Install, Leave the cdkey field blank and install without a key

Other Things that you may need with this :
Rearm and Extend Windows 7 Activation Grace Period to 120 Days
Windows 7 Activation Keys

Written by ShaDow on December 12th, 2008 with no comments.

Windows 7: Enable Aero Peek on Windows 7


On Windows 7 Build 6801 and envying everyone else on Build 6956 enjoying the new Aero Peek feature? There's no need to switch builds just to take advantage of Windows 7's new GUI improvements. Aero Peek was another protected feature that Rafael overlooked when he first created the Blue Badge tool. Revision 3 of the Blue Badge tool for 32-bit and 64-bit Windows 7 can now be downloaded here. [Via Windows7Center]

Download for x86 and x64

Written by ShaDow on December 12th, 2008 with no comments.

Set a Cut-Off Date for Stored Files

Do not let having plenty of storage space stop you from clearing files such as documents and spreadsheets off your computer. If these files have been around for years, back them up and take them off the machine. Apart from the space they use, you have to consider worst-case scenarios such as a hard disk crash or a forced format caused by the system software failures that are common today.

Formatting the hard drive is the last resort, but it is the simplest solution to program conflicts and crashes. There are programs that try to repair a system, but after a bad installation the PC is never quite the same again. Installing over the existing copy may be an option, but you will notice that the computer runs a little slower afterwards.

So, for speed and a consistent operating system, the best course is to wipe the disk and start with a fresh copy of your preferred Windows version. It is a hard decision to make, but at times you are left with few other choices.

If you have files that have been around for over two years and that you never access, copy them to a CD or a tape and remove them from the PC's hard drive rather than keeping them there for easy access. You never know when you will need to recover them, and a backup kept off the PC is the best way to safeguard them if something happens to the machine.
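As an added example (not part of the original post), the following script applies the cut-off in practice: it lists files under a folder that have not been written to in the last two years, copies them to an archive drive with the folder layout preserved, and deletes an original only after fc.exe has confirmed the copy is identical. $Source, $Archive and the two-year default are assumptions chosen for the example; adjust them to your own layout.

```powershell
# Added example (not from the original post): archive stale files and verify each
# copy before deleting the original. $Source, $Archive and the cut-off are assumed.
param(
    [string]$Source = "$env:USERPROFILE\Documents",
    [string]$Archive = 'E:\Archive',   # assumed: an external disk you then burn or tape
    [int]$CutoffYears = 2,
    [switch]$ListOnly                  # report what would move; change nothing
)

if (-not (Test-Path -LiteralPath $Archive)) {
    throw "Archive location $Archive is not available; attach the disk or create the folder first."
}

$cutoff = (Get-Date).AddYears(-$CutoffYears)
# LastWriteTime, not LastAccessTime: Vista turns off last-access updates by default.
$stale = @(Get-ChildItem -LiteralPath $Source -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $cutoff })

$bytes = 0
foreach ($f in $stale) { $bytes += $f.Length }
Write-Host ("{0} file(s), {1:N1} MB not written to since {2}" -f $stale.Count, ($bytes / 1MB), $cutoff.ToShortDateString())

if ($ListOnly) {
    $stale | Sort-Object LastWriteTime | Select-Object LastWriteTime, Length, FullName | Format-Table -AutoSize
    return
}

foreach ($f in $stale) {
    # Rebuild the path relative to $Source under the archive root.
    $rel = $f.FullName.Substring($Source.TrimEnd('\').Length).TrimStart('\')
    $dest = Join-Path $Archive $rel
    $destDir = Split-Path -Path $dest -Parent
    if (-not (Test-Path -LiteralPath $destDir)) {
        New-Item -ItemType Directory -Path $destDir -Force | Out-Null
    }
    Copy-Item -LiteralPath $f.FullName -Destination $dest -Force

    # fc.exe /B compares the two files byte for byte and exits 0 only when identical.
    & fc.exe /B $f.FullName $dest | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Remove-Item -LiteralPath $f.FullName -Force
    } else {
        Write-Warning "copy does not match, original kept: $($f.FullName)"
    }
}
```

Run it with -ListOnly first to see what would be moved. Keeping the verification step is the point: a copy that silently fails on a flaky external disk is worse than no archive, because the original is gone too.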

Written by PC Freak on December 12th, 2008 with no comments.
