Manual Removal of W32.Sality.aa Trojan
W32/Sality-AA is a virus that also acts as a keylogger.
The virus logs keystrokes to certain windows, as well as information about the infected computer.
This logged data is periodically submitted to a remote website.
W32/Sality-AA has been seen spreading itself via email by piggy-backing on W32/Netsky-T.
Aliases: Virus.Win32.Sality.aa (Kaspersky), Virus:Win32/Sality.AM (Microsoft), W32/Sality.ah (McAfee)
Type of infiltration: Virus/Trojan
Size: Variable
Affected platforms: Windows
Short description: Win32/Sality.NAR is a polymorphic file infector.
Damage level: Highly Dangerous / Severe
Distribution level: High/Medium
Auto Removal Tool for W32.Sality.aa Trojan
W32 Sality Remover Download
W32.Sality.aa Trojan Manual Removal Instructions
Recommended: perform the removal from Safe Mode.
How to start in Safe Mode:
Restart your computer, press F8 repeatedly as soon as the screen turns on, select Safe Mode and press Enter.
The infected files can be found in the following folders under the following names; they also show up as running tasks.
End the following active processes before removal:
- %System%\amvo.exe
- %System%\blastclnnn.exe
- %System%\scvhsot.exe
- %Temp%\00055a0e_rar\scvhsot.exe
- %Temp%\000592b2_rar\scvhsot.exe
- %Temp%\0005934e_rar\hinhem.scr
- %Temp%\0005938d_rar\blastclnnn.exe
- %Windir%\hinhem.scr
- %Windir%\scvhsot.exe
- c:\rdsfk.com
- %System%\drivers\ .sys
- %temp%\win%name%.exe
- %temp%\%name%.exe
- %Program files\DriveGuard\ [ Delete Folder and Contents ]
- Usb Drive: %\system\Driveguard\
If any of these files appear as running processes in Task Manager, end the process before removal.
Note: if Task Manager is disabled, download the following file: Enable Registry.reg [ Right Click - Save Target As/Linked Content As ].
Open it with Regedit.exe [%system32%\regedit.exe]; when asked to confirm adding the information to the registry, choose Yes, then click OK.
Kill the following processes if running and delete the appropriate files:
antzom.exe, ax.exe, bomryuc.dll, drlbqse.dll, egjjen.sys, fmgonn.sys, hehmu.sys, hsgfrn.sys, idlrrh.sys, impnn.sys, jnjpvn.sys, loader174.exe, mAO3q2B7r6.exe, mm2emt.exe, ogmkmn.sys, omdftn.sys, vwservice.exe, vwsrv.exe, vwsrv[1].exe, win13652.dll, win21309.dll, win25709.dll, win27388.dll, win28610.dll, win29788.dll, win3096.dll, win31324.dll, win33848.dll, win35482.dll, win36587.dll, win37763.dll, win40320.dll, win40346.dll, win44025.dll, win46721.dll, win48684.dll, win63279.dll, win7320.dll, windjnvr.exe, winibqs.exe, winjepm.exe, winkrqpx.exe, winkxggjh.exe, winnmswkj.exe, winrlwmt.exe, winxotbiy.exe, wmdrtc32.dll, wmdrtc32.dl_, x1001[1].exe, x2000[1].exe, x2007.exe, x2011.exe, x2011[1].exe, x3000[1].exe, ywsnkhb.dll
W32.Sality.aa Trojan Spreading on removable media and System - Removal
The virus copies itself into the root folder of removable drives under a random filename with one of the following extensions:
.exe
.pif
.cmd
Example: fsto.pif, jclhuf.exe, h.cmd
The following file is dropped in the same folder:
autorun.inf
This ensures the virus is started each time the infected media is inserted into a computer.
A new program is also installed at %\Program Files\DriveGuard\Driveprotect.exe
To delete that folder:
Open Task Manager and end the process explorer.exe,
then go to File > New Task,
type cmd and press Enter; a command prompt opens,
type cd\ to go to C:\,
then type "cd program files" (without quotes) and press Enter,
then type "rd Driveguard" to delete the folder,
then type "shutdown -r -t 0" to restart your PC.
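As an added triage example (not part of the original post), the following PowerShell script checks a machine for the artifacts this guide lists, including the removable-media pattern above, without ending any process or deleting anything. It assumes %System% means %SystemRoot%\System32 and that the process names match the listed file names.

```powershell
# Added example, not from the original post: read-only triage for the
# artifacts this guide lists. Nothing is ended or deleted; it only reports.
# Assumption: %System% in the guide means %SystemRoot%\System32.

# Process names taken from the listed file names (without extension).
$suspectProcs = 'amvo', 'blastclnnn', 'scvhsot', 'vwservice', 'vwsrv', 'Driveprotect'
foreach ($name in $suspectProcs) {
    Get-Process -Name $name -ErrorAction SilentlyContinue |
        ForEach-Object { "RUNNING    PID $($_.Id)  $($_.Path)" }
}

# Fixed drop locations from the guide, with environment variables expanded.
$dropPaths = '%SystemRoot%\System32\amvo.exe', '%SystemRoot%\System32\blastclnnn.exe',
             '%SystemRoot%\System32\scvhsot.exe', '%SystemRoot%\hinhem.scr',
             '%SystemRoot%\scvhsot.exe', 'C:\rdsfk.com', '%ProgramFiles%\DriveGuard'
foreach ($p in $dropPaths) {
    $full = [Environment]::ExpandEnvironmentVariables($p)
    if (Test-Path -LiteralPath $full) { "PRESENT    $full" }
}

# %Temp%\<hex>_rar\ folders hold copies; the hex part varies, so glob it.
Get-ChildItem -Path (Join-Path $env:TEMP '*_rar') -Directory -ErrorAction SilentlyContinue |
    Get-ChildItem -Recurse -Include 'scvhsot.exe', 'blastclnnn.exe', 'hinhem.scr' -ErrorAction SilentlyContinue |
    ForEach-Object { "PRESENT    $($_.FullName)" }

# Removable drives (DriveType 2): autorun.inf plus a random-named .exe/.pif/.cmd
# in the root, or a system\DriveGuard folder, is the spreading pattern described above.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = "$($_.DeviceID)\"
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        "AUTORUN    $inf"
        Get-Content -LiteralPath $inf |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' } |
            ForEach-Object { "           $_" }
    }
    Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.pif', '.cmd' } |
        ForEach-Object { "ROOTFILE   $($_.FullName)  ($($_.Length) bytes)" }
    if (Test-Path -LiteralPath (Join-Path $root 'system\DriveGuard')) {
        "DRIVEGUARD $root"
    }
}
```

Run it from an elevated prompt so the process paths and the root of every removable drive are readable.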
W32.Sality.aa Trojan Unregister DLL Files Using Windows Command Prompt
- To open the Windows Command Prompt, go to Start > Run, type cmd and click OK.
- Type "cd", then a space, then the full path of the folder you believe the DLL file is in, and press Enter to change to that directory.
- If you don't know where the DLL file is, use the "dir" command to list a directory's contents.
- To unregister the DLL, run "regsvr32 /u" followed by the DLL name from within that directory, for example:
- C:\Windows\System> regsvr32 /u name.dll   (then press Enter)
- A message pops up saying the file was unregistered successfully.
Click Start > Run, type regedit and click OK.
Note: if the Registry Editor fails to open, the threat may have modified the registry to block access to it.
The following registry values are set:
"GlobalUserOffline" = 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system
"EnableLUA" = 0
The following Registry entries are deleted:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
If the Registry Editor will not open:
- Download this UnHookExec.inf [ Right Click - Save Target As/Linked Content As ] and then continue with the removal.
- Save it to your Windows desktop. Do not run it yet; download it only.
- Boot into Safe Mode or VGA Mode.
- Right-click the UnHookExec.inf file and click Install.
- [This is a small file. It does not display any notice or dialog boxes when you run it.]
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2dd611c-0b40-11dc-bf14-0019d1772ee2}
- AutoRun\command = System\DriveGuard\DriveProtect.exe -run
- Explore\Command = System\DriveGuard\DriveProtect.exe -run
- Open\Command = System\DriveGuard\DriveProtect.exe -run
Registry keys and values associated with the infection:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aouei
CLSID\{1CE21416-0B8D-8CF6-1FCB-099B30C628BB}\InprocServer32, value: ThreadingModel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_VWSERVICE, value: NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000, value: Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000\Control, value: ActiveService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwservice, value: DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwservice\Enum, value: Count
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwservice\Security, value: Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32, values: Type, Start, ErrorControl, ImagePath, DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32\Security, value: Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32\Enum, values: 0, Count, NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISFILESERVICES32, value: NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISFILESERVICES32\0000, values: Service, Legacy, ConfigFlags, Class, ClassGUID, DeviceDesc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISFILESERVICES32\0000\Control, values: *NewlyCreated*, ActiveService
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, values: d, f, s
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, value: {06DB7430-7430-6DB1-306D-430DB4306DB1}
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\NdisFileServices32, values: ImagePath, DeleteFlag
HKEY_CURRENT_USER\Software\CurrentControlSet\Enum\Root\Legacy_VWSERVICE\0000, values: ClassGUID, DeviceDesc, Service, ConfigFlag, Legacy
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice, values: ImagePath, ObjectName, ErrorControl, Start, Type, FailureActions
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice\Enum, values: NextInstance, 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, value: Start Page
Also search the registry for any of the file names listed above so that they are removed completely:
in the Registry Editor choose Edit > Find, enter the name as the keyword, and delete every value the search finds.
Exit the Registry Editor,
then restart your computer.
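As a second added example (again not the post's own code), this PowerShell script checks the registry locations named in this section and reports what it finds without changing anything. The Internet Settings key used for GlobalUserOffline is an assumption, since the post does not name its key.

```powershell
# Added example, not from the original post: read-only check of the registry
# locations named in this guide. It prints findings and changes nothing.
function Test-RegValue([string]$Path, [string]$Name) {
    $null -ne (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue)
}

# 1. Policy values the guide shows forced to 0.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Get-ItemProperty -Path $sys -ErrorAction SilentlyContinue).EnableLUA -eq 0) {
    'TAMPERED   EnableLUA = 0 (UAC disabled)'
}
# Assumed key for GlobalUserOffline; the guide does not name it.
$ie = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if (Test-RegValue $ie 'GlobalUserOffline') {
    "SET        GlobalUserOffline = $((Get-ItemProperty -Path $ie).GlobalUserOffline)"
}

# 2. Keys the guide lists as deleted by the virus. Without the SafeBoot
#    subkeys, Safe Mode cannot start.
foreach ($k in 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
               'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects') {
    if (-not (Test-Path -LiteralPath $k)) { "MISSING    $k" }
}

# 3. Persistence points named in the guide: Run value, ShellExecuteHooks CLSID, services.
if (Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'aouei') {
    'RUN        HKCU\...\CurrentVersion\Run\aouei'
}
$hooks = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-RegValue $hooks '{06DB7430-7430-6DB1-306D-430DB4306DB1}') {
    'HOOK       ShellExecuteHooks {06DB7430-7430-6DB1-306D-430DB4306DB1}'
}
foreach ($svc in 'vwservice', 'NdisFileServices32') {
    $p = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $p) {
        "SERVICE    $svc  ImagePath = $((Get-ItemProperty -Path $p).ImagePath)"
    }
}

# 4. MountPoints2 shell commands pointing at DriveProtect.exe (the USB autorun hijack).
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
Get-ChildItem -Path $mp -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq 'command' } |
    ForEach-Object {
        $cmd = (Get-ItemProperty -LiteralPath $_.PSPath).'(default)'
        if ($cmd -match 'DriveProtect\.exe') { "MOUNTPOINT $($_.Name)  $cmd" }
    }
```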
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)
how to use the Unhookexec.inf??

Just right click and choose install

hi fire fly, this is how to remove the sality virus, but what about the infected file? how can we disinfect it?
Thanks

hi,
is there any way that we can disinfect the infected .exe's without having to make a fresh installation of the attacked OS?
Rgs

i couldn't find any manual disinfection; you can try Kaspersky 2011 or Bitdefender 2011 for disinfection of files... If your PC got multiple virus attacks, disinfection may fail.
Note: Kaspersky slows down the PC but scans faster than Bitdefender; Bitdefender is faster on the PC but its scan is slow.