Manual Removal of W32.Sality.aa Trojan
Manual Removal of W32.Sality.aa Trojan
The virus logs keystrokes to certain windows, as well as information about the infected computer. This logged data is periodically submitted to a remote website.
W32/Sality-AA has been seen spreading itself via email by piggy-backing on W32/Netsky-T. W32/Sality-AA is a virus that also acts as a keylogger.
The virus logs keystrokes to certain windows, as well as information about the infected computer. This logged data is periodically submitted to a remote website.
W32/Sality-AA has been seen spreading itself via email by piggy-backing on W32/Netsky-T.
Aliases: Virus.Win32.Sality.aa (Kaspersky), Virus:Win32/Sality.AM (Microsoft), W32/Sality.ah (McAfee)
Type of infiltration: Virus
Size: Variable
Affected platforms: Windows
Signature database version: 3267 (20080714)
Short description: Win32/Sality.NAR is a polymorphic file infector.
Distribution Level: High/Medium
There is NO Auto Removal Tool for W32.Sality.aa Trojan
Recommend Removal from Safe Mode:
How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.
The Infected Files Can be Seen in these folders and names also Running in Tasks
End the Following Active Process Before Removal
- %System%\amvo.exe
- %System%\blastclnnn.exe
- %System%\scvhsot.exe
- %Temp%\00055a0e_rar\scvhsot.exe
- %Temp%\000592b2_rar\scvhsot.exe
- %Temp%\0005934e_rar\hinhem.scr
- %Temp%\0005938d_rar\blastclnnn.exe
- %Windir%\hinhem.scr
- %Windir%\scvhsot.exe
- c:\rdsfk.com
- %System%\drivers\
.sys - %temp%\win%name%.exe
- %temp%\%name%.exe
Kill the following processes and delete the appropriate files:
antzom.exe, ax.exe, bomryuc.dll, drlbqse.dll, egjjen.sys, fmgonn.sys, hehmu.sys, hsgfrn.sys, idlrrh.sys, impnn.sys, jnjpvn.sys, loader174.exe, mAO3q2B7r6.exe, mm2emt.exe, ogmkmn.sys, omdftn.sys, vwservice.exe, vwsrv.exe, vwsrv[1].exe, win13652.dll, win21309.dll, win25709.dll, win27388.dll, win28610.dll, win29788.dll, win3096.dll, win31324.dll, win33848.dll, win35482.dll, win36587.dll, win37763.dll, win40320.dll, win40346.dll, win44025.dll, win46721.dll, win48684.dll, win63279.dll, win7320.dll, windjnvr.exe, winibqs.exe, winjepm.exe, winkrqpx.exe, winkxggjh.exe, winnmswkj.exe, winrlwmt.exe, winxotbiy.exe, wmdrtc32.dll, wmdrtc32.dl_, x1001[1].exe, x2000[1].exe, x2007.exe, x2011.exe, x2011[1].exe, x3000[1].exe, ywsnkhb.dll
Spreading on removable media
The virus copies itself into the root folders of removable drives using a random filename. The filename has one of the following extensions:
.exe
.pif
.cmd
The following file is dropped in the same folder:
autorun.inf
Thus, the virus ensures it is started each time infected media is inserted into the computer.
If you have any of these files in running process from task manger, end the process before removal.
Note: if task manager is disabled, Download the following file, Click to Download - Enable Registry.reg
Manually Remove From Registry
Click Start, Run,Type regedit,Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Download and run this UnHookExec.inf, and then continue with the removal.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
“GlobalUserOffline” = 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system
“EnableLUA” = 0
The following Registry entries are deleted:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aouei
Key: CLSID\{1CE21416-0B8D-8CF6-1FCB-099B30C628BB}\InprocServer32 Value: ThreadingModel HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_VWSERVICE Value: NextInstance HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000 Value: Class HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000\Control Value: ActiveService HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwservice Value: DisplayName HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwservice\Enum Value: Count HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwservice\Security Value: Security HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32 Value: Type HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32 Value: Start HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32 Value: ErrorControl HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32 Value: ImagePath HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32 Value: DisplayName HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32\Security Value: Security HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32 Value: NextInstance HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000\Control Value: *NewlyCreated* HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000 Value: Service HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000 Value: Legacy HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000 Value: ConfigFlags HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000 Value: Class HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000 Value: ClassGUID HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000 Value: DeviceDesc HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NdisFileServices32\Enum Value: 0 HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NdisFileServices32\Enum Value: Count HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NdisFileServices32\Enum Value: NextInstance HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\Root\LEGACY_NDISFILESERVICES32\0000\Control Value: ActiveService HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion |
_+ Any of the Above Listed Files +_
Search Registry For Virus File Names listed above to remove completely,
Edit Menu - Find, enter Keyword and remove all value that find in search.
Exit the Registry Editor,
Restart your Computer.
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)
Written by FireFly. Read more great feeds at is source WEBSITE
7 comments.
Read more articles on trojan removal and W32.Sality.aa and amvo.exe and manual removal and Removal and otherSoftware and removal of trojan and Windows.
- [+] Digg: Feature this article
- [+] Del.icio.us: Bookmark this article
- [+] Furl: Bookmark this article
achdias
Huck47
#1. December 20th, 2008, at 12:24 AM.
Sir,
We are facing the problem with Sality.aa. We tried to remove the entries, which have given you. But some entries are found and some entries or not found. After that we scan the system with Kaspersky but the safe mode, Registy & Task Manager also disabled. In this situation we downloaded some repairing tools also. With that only 2 minutes it works and after 2 minutes agiain condition is same.
Please help us in this regard
SHARMA