Manual removal of Win32 Sality.aa

This is a polymorphic virus that loads at startup as a driver.

It creates the following files and registry entries:

%System%\drivers\.sys (it was "infuo.sys" in my case, and the file is hidden) in system32\drivers. It loads as a driver, so it is able to block antivirus sites.

HKCU\Software\"username"914

For example:
HKCU\Software\Administrator498
HKCU\Software\Administrator914

It adds the following text to the "system.ini" file located in the %Windows% directory:
[MCIDRV_VER]
DEVICEMB=random number

It disables the Windows Firewall by executing the following command:

"netsh firewall set opmode disable"

It adds the following firewall exception through the registry:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"" = ":*:Enabled:ipsec"

It deletes and modifies the following registry entries:

HKCU\System\CurrentControlSet\Control\SafeBoot
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

It also modifies the hidden-files setting in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL

It changes the DWORD "CheckedValue" from 1 to 0.

It also disables Registry Editor and Task Manager by adding these registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr = dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = dword:00000001

It terminates the services of major antivirus products.

It prevents access to security-related sites and antivirus sites.

It also disables settings related to system security by adding the following registry entries:
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify = dword:00000001
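
The following read-only triage script is an added example, not part of the original post: it checks a machine for the registry, firewall and system.ini indicators listed above and reports what it finds. It assumes Windows PowerShell is available on the machine and is run from an elevated session; the key paths and value names come from the list above, and the username-plus-digits key name is matched against the current user's name.

```powershell
# Added example (not from the original post): read-only triage of the Sality.aa
# indicators listed above. Run elevated; it reports findings and changes nothing.
$findings = @()
# 1. Security Center override / notification-suppression values set to 1
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$scNames = 'AntiVirusOverride','AntiVirusDisableNotify','FirewallDisableNotify',
           'FirewallOverride','UpdatesDisableNotify','UacDisableNotify'
foreach ($base in @($sc, "$sc\Svc")) {
    foreach ($name in $scNames) {
        $v = (Get-ItemProperty -Path $base -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -eq 1) { $findings += "$base\$name = 1" }
    }
}
# 2. Task Manager / Registry Editor locked by policy
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr','DisableRegistryTools') {
    $v = (Get-ItemProperty -Path $pol -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) { $findings += "$pol\$name = 1" }
}
# 3. "Show hidden files" option forced off (CheckedValue changed from 1 to 0)
$showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showall -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($cv -eq 0) { $findings += "$showall\CheckedValue = 0" }
# 4. Key named <username><digits> directly under HKCU\Software (e.g. Administrator914)
$userKey = '^' + [regex]::Escape($env:USERNAME) + '\d+$'
foreach ($k in Get-ChildItem 'HKCU:\Software' -ErrorAction SilentlyContinue) {
    if ($k.PSChildName -match $userKey) { $findings += "HKCU\Software\$($k.PSChildName)" }
}
# 5. Firewall exception whose data ends in :*:Enabled:ipsec (the post shows an empty value name)
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fwItem = Get-ItemProperty -Path $fw -ErrorAction SilentlyContinue
if ($fwItem) {
    foreach ($p in $fwItem.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match '\*:Enabled:ipsec$') {
            $findings += "Firewall exception '$($p.Name)' = $($p.Value)"
        }
    }
}
# 6. [MCIDRV_VER] section injected into %WINDIR%\system.ini
$ini = Join-Path $env:WINDIR 'system.ini'
if ((Test-Path $ini) -and (Select-String -Path $ini -Pattern '^\[MCIDRV_VER\]' -Quiet)) {
    $findings += "$ini contains [MCIDRV_VER]"
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { "SUSPECT: $_" } }
else { 'No Sality.aa indicators from the list above were found' }
```

A hit on any single check is not proof of infection on its own (the Security Center values, for instance, can be set legitimately), but several of them together match the behaviour described above.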

For more information on this virus, please visit this link.

Manual Virus removal instructions for an infected system:

1. Download this RAR file from this link.

2. Extract the contents to the desktop, open cmd and type "netsh winsock reset" without quotes.

3. Execute the file regtools.vbs by double-clicking it.

4. Now execute the XP_reg.reg file by double-clicking it and click Yes in the dialog box that appears.

5. Execute the file regtools.vbs by double-clicking it again.

6. Now execute the assoc.reg file by double-clicking it and click Yes in the registry prompt.

7. Execute the file regtools.vbs by double-clicking it again.

8. Now open Registry Editor: go to Start -> Run, type "regedit" without quotes and press Enter.
Sometimes you need to execute the script again and again before regedit opens; once Registry Editor is open, do not close it.

9. Now, in Registry Editor, navigate to HKCU\Software and delete the entry that contains your "username".

10. Now navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and delete all values in the right window pane.

11. Now navigate to HKLM\Software\Microsoft\Windows\CurrentVersion\Run and delete all values in the right window pane.

12. Now navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies and delete the DisableTaskMgr value. If Task Manager is not working, use Process Explorer.

13. Now quickly press Ctrl+Shift+Esc; it opens Task Manager.

14. Now quickly figure out which processes are running without your interaction, like notepad.exe
or Winmine.exe (these are files which I did not open but were running in Task Manager on my system).

15. Now, after figuring out any exe files running without your interaction (even if they are legitimate Microsoft files, they are affected by the virus), delete those files from system32 using Unlocker. Get Unlocker here.

16. Now go to Run, type CMD and press Enter; then type sfc /scannow and insert the XP CD to restore the system files that were modified.

17. Now download autoruns.zip, extract the contents, open autoruns.exe, click on the Drivers tab in Autoruns and delete the abp470n5 value from the drivers section.

18. Now open Run, type sysedit, go to system.ini and delete
[MCIDRV_VER]
DEVICEMB=random number

19. Now navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies and delete all values in the right pane. Also delete all startup items present in "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" and "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", because all executables are infected; even antivirus entries should be deleted. Also clean all temporary files and clean the Windows Prefetch folder.

20. Now also double-click the SafeBoot registry entries to restore SafeBoot.

21. Download Malwarebytes and run it.

22. Now restart the system and install the Kaspersky trial version, or use the tool given below, and scan all files.
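
The script below is an added example, not part of the original post or of the regtools.vbs / .reg files it links to: it reverts the registry and system.ini changes documented above (the Security Center overrides, the Task Manager and Registry Editor locks, the hidden-files toggle, the [MCIDRV_VER] section and the disabled firewall). It assumes Windows PowerShell is available and is run elevated; it deliberately does not touch the Run keys, running processes or files (steps 10, 11, 14 and 15), which need the manual review described in those steps.

```powershell
# Added example (not from the original post): revert the registry and
# system.ini changes listed above. Run elevated after the manual steps.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$scNames = 'AntiVirusOverride','AntiVirusDisableNotify','FirewallDisableNotify',
           'FirewallOverride','UpdatesDisableNotify','UacDisableNotify'
foreach ($base in @($sc, "$sc\Svc")) {
    foreach ($name in $scNames) {
        Remove-ItemProperty -Path $base -Name $name -ErrorAction SilentlyContinue
    }
}

# Unlock Task Manager and Registry Editor (steps 12 and 19)
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr','DisableRegistryTools') {
    Remove-ItemProperty -Path $pol -Name $name -ErrorAction SilentlyContinue
}

# Restore the "Show hidden files" option (CheckedValue back to 1)
$showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
if (Test-Path $showall) { Set-ItemProperty -Path $showall -Name CheckedValue -Value 1 -Type DWord }

# Remove the [MCIDRV_VER] section from system.ini (step 18), keeping a backup.
# Lines are dropped from that header up to, not including, the next [section] header.
$ini = Join-Path $env:WINDIR 'system.ini'
if (Test-Path $ini) {
    Copy-Item -Path $ini -Destination "$ini.sality.bak" -Force
    $keep = @(); $skip = $false
    foreach ($line in Get-Content -Path $ini) {
        if ($line -match '^\s*\[') { $skip = ($line -match '^\s*\[MCIDRV_VER\]\s*$') }
        if (-not $skip) { $keep += $line }
    }
    Set-Content -Path $ini -Value $keep -Encoding Ascii
}

# Turn the Windows Firewall back on (the virus ran "netsh firewall set opmode disable")
netsh firewall set opmode enable | Out-Null
```

Run it after the infected executables and the driver have been dealt with (steps 15 to 17); otherwise the still-running virus can simply reapply these settings.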

Win32/Sality.aa removal tools:

Run this tool on an infected system to remove the infection.

Download the tool from Kaspersky:

Link1

Link2
