
Thread: removing Win32.sality.aa

  1. #1
    Join Date
    Jan 2006
    Posts
    278

    removing Win32.sality.aa

    I have a server with 4 clients, and a few days ago, when I wanted to open my net program on the server from the clients, Kaspersky alerted me to this virus (WIN32.SALITY.AA) and blocked my network transfer, so I checked the server and saw that the server's Kaspersky had been disabled. I cannot even format my hard drive because it has important files on it. Please help me.
    If PrAcTiCe MaKeS pErFeCt AnD nObOdY iS pErFeCt WhY pRaTiCe...ThAtS wHaT pEoPlE mAkE hAcKs FoR

  2. #2
    Join Date
    Sep 2005
    Posts
    1,476

    Re: removing Win32.sality.aa

    Have you tried searching the forums before posting: Removal of W32/Sality!mem trojan

  3. #3
    Join Date
    Jan 2006
    Posts
    605

    Re: removing Win32.sality.aa

    Method of Infection
    When executed, Win32/Sality.AA drops a malicious component file to:

    %System%\drivers\<random filename>.sys

    This component is a device driver that acts as a 'rootkit' at kernel level; it allows the virus to hide itself in the compromised system by changing data structures in the kernel and hiding its malicious activity. This 'rootkit' method only functions on Windows NT-based operating systems, such as NT/2000/XP/2003.

    Sality.AA also adds the following registry entry as a part of the device driver installation routine:

    HKLM\SYSTEM\CurrentControlSet\Services\abp470n5

    It adds the following text to the "system.ini" file located in the %Windows% directory:

    [MCIDRV_VER]
    DEVICEMB=<random number>

    It also adds the following registry key with numerous random subkeys and entries needed for its malicious routine:

    HKCU\Software\<computer name><3 random numbers>

    For example:

    HKCU\Software\JohnSmith498

    Note: %System% and %Windows% are variable locations. The malware determines the location of these folders by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP and Vista it is C:\Windows.

    Removal Instructions:
    Download and apply the latest eTrust Antivirus signature file update. Launch the eTrust Antivirus - Local Scanner and run a full scan on all affected computer systems, with the "Infection Treatment File Actions" set to "Cure File" and enable the System Cure feature.

    Consult the product help and/or visit SupportConnect for additional assistance with operating these features of eTrust Antivirus 6.x/v7.
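    A host-triage check for the three artifacts the post above lists (the abp470n5 service key, the [MCIDRV_VER] marker in system.ini, and the per-user HKCU\Software\<computer name><3 digits> key). This is an added example, not part of the thread or of the eTrust writeup; the script is hypothetical and assumes it is run in PowerShell on the Windows host being examined.

```powershell
# Added triage script (not from the thread): looks for the Sality.AA host
# artifacts quoted in post #3. Hypothetical script, written for PowerShell 5.1+.
# Caveat from the writeup itself: the dropped driver acts as a kernel-mode
# rootkit and can hide these objects from a live system, so "nothing found"
# is not proof of a clean host; a scan from write-protected media is the
# authoritative check, as the posts recommend.

$findings = @()

# 1. Service entry registered for the dropped <random filename>.sys driver
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\abp470n5'
if (Test-Path $svc) {
    $img = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service key present: $svc (ImagePath: $img)"
}

# 2. [MCIDRV_VER] section with a DEVICEMB value appended to %Windows%\system.ini
$ini = Join-Path $env:windir 'system.ini'
if (Test-Path $ini) {
    $section = $null
    foreach ($line in Get-Content -Path $ini) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'MCIDRV_VER' -and $line -match '^\s*DEVICEMB\s*=\s*(\S+)') {
            $findings += "system.ini marker: [MCIDRV_VER] DEVICEMB=$($Matches[1])"
        }
    }
}

# 3. HKCU\Software\<computer name><3 random digits>, e.g. JohnSmith498
$pattern = '^' + [regex]::Escape($env:COMPUTERNAME) + '\d{3}$'
foreach ($key in (Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue)) {
    if ($key.PSChildName -match $pattern) {
        $findings += "Per-user config key: $($key.Name)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Sality.AA indicators found (see caveat above).'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

    Because the check reads the registry and system.ini through the running kernel, run it from a known-clean boot (or against an offline copy of the hive and file) if the rootkit driver may be active.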

  4. #4
    Join Date
    Jan 2006
    Posts
    2,257

    Re: removing Win32.sality.aa

    Disinfecting PE executables
    On a lightly infected computer running Windows NT/2000/XP/2003, where no significant services have become infected, it may be possible to run SAV32CLI from a command prompt with the -DI switch.

    First, check the recovery instructions in the virus analysis for any extra measures you should take before (and after) disinfecting. Also, check to see if you need an IDE file. If you do, download it and save it to a floppy disk.

    Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected. Copy the SAV32CLI folder produced onto a medium that can be write-protected.

    For more information go to this link.
    With great power comes great responsibility - Spiderman's Uncle

    The Greatest Sig Ever
