To make itself harder to remove, the first thing the virus does is kill running antivirus processes. It also tries to block the user from reaching the websites of a number of security vendors, including:
· Cureit · Drweb · Onlinescan · Spywareinfo · Ewido · VirusScan · Windowsecurity
· Spywareguide · Bitdefender · Panda Software · Agnitum · Virustotal · Sophos
· Trend Micro · Etrust.com · Symantec · McAfee · F-Secure · Eset.com · Kaspersky
Not only that, W32/Sality.AE also deletes the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG". ALG, the Application Layer Gateway Service, provides support for third-party protocol plug-ins used by Internet Connection Sharing and the Windows Firewall. If this service is disabled, programs such as MSN Messenger and Windows Messenger stop working. The service is only needed when a firewall is in use, whether the built-in Windows Firewall or another firewall, but once the virus has removed it, that firewall can no longer work, so an infected computer is left with a serious security hole.
2. Blocking access to "safe mode"
To "defend" itself, W32/Sality.AE also tries to stop the user from booting into "safe mode" by deleting the keys at the following locations:
· HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
· HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot
· HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
3. Infection of .exe / .com / .scr files
The main goal of this virus is to infect executable files with the extensions .exe, .com and .scr on drives C: through Y:, above all installed programs (the files under C:\Program Files) and portable programs (files that run without needing to be installed). It also infects the .exe files referenced from the following registry locations, so that the virus is activated automatically every time the computer boots:
· HKLM\Software\Microsoft\Windows\CurrentVersion\Run
· HKCU\Software\Microsoft\Windows\CurrentVersion\Run
· HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
Infected files usually grow by about 68-80 KB over their original size. An infected program continues to run normally, so the user has no reason to suspect that the file has already been infected by W32/Sality.AE. One of Sality's refinements is that it attaches itself to the host file instead of replacing it, so infected files do not all end up the same size; this makes them clearly harder to identify than viruses that overwrite the original file, where every infected file has the same size.
Be careful: not every antivirus program can clean files infected by W32/Sality.AE, and a file may be left broken after the antivirus has scanned and "cleaned" it.
Not to be outdone by foreign viruses, it also tries to connect to a number of predetermined web addresses to download a trojan or virus that is a newer variant of itself, which allows the virus to update itself.
4. Exploiting default shares and full sharing
W32/Sality.AE spreads quickly across the network by using the Windows default shares, or any shared folder with full access, to infect files with the extensions .exe, .com and .scr. Vaksincom therefore advises users to disable the default shares (C$, D$, etc.) and to avoid sharing folders with Full access on the network.
Besides spreading over the network, it also uses flash disks: it copies itself there under a random file name with the extension .exe, .cmd or .pif and creates an autorun.inf file so that it is activated automatically without the user having to run an infected file. It also infects any .exe, .com and .scr files stored on the flash disk.
How to clean W32/Sality.AE
1. Disconnect the computer to be cleaned from the network and the Internet.
2. Turn off System Restore while the cleaning process takes place.
3. Turn off Autorun and the default shares. Download the following file and run it as follows:
o Right-click repair.inf
o Click Install
sality kill
4. Close the programs running in memory, especially those in the startup list, so that the cleaning process goes faster.
5. Scan with a removal tool, but first rename the tool to a different extension [for example: CMD] so that it is not itself infected by W32/Sality.AE. In the example below, the file "Norman_Malware_Cleaner.exe" is renamed to "Norman_Malware_Cleaner.cmd" so that Sality does not infect it.
Note:
· So that the removal tool is not infected by W32/Sality.AE, change its extension to something else [for example: CMD] (see figure 4 above)
· Sality.AE tries to infect files with the EXE, SCR and COM extensions. A file that has been infected repeatedly by this virus is sometimes damaged when it is cleaned by an antivirus program, so if a program shows errors after the antivirus scan, reinstall it.
IMPORTANT!
Please back up your important data before cleaning the virus. PT. Vaksincom is not responsible for any loss caused directly or indirectly by this virus cleaning process!
6. So that a computer infected with W32/Sality.AE can boot into "safe mode" again, restore the registry keys changed by the virus.
Download the following file and run it on the OS infected with W32/Sality.AE.
sality kill file 2
7. To fix the other registry changes made by the virus, download the following tool and run the file as follows:
o Right-click repair.inf
o Click Install
sality kill 3
8. Restart the computer and scan again with the removal tool to make sure your computer is clean of the virus.
9. For optimal cleaning and to prevent re-infection, install and scan with an antivirus that detects Sality well.
You can also use the latest Norman Malware Cleaner to detect and remove Sality. Download here: NMC
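The checks behind sections 2 to 4 and cleaning step 3 can be scripted. The batch file below is an added example written for this article; it is not Vaksincom's repair.inf or removal tool, and the downloads referenced above are not reproduced here. It assumes an administrator command prompt on the infected Windows machine and is saved with a .cmd extension for the same reason the article renames the removal tool: Sality infects only .exe, .com and .scr files, so a batch script is not a target. It reports whether the SafeBoot and ALG keys the virus deletes are still present, lists the autostart entries whose .exe files Sality infects, and disables Autorun and the default administrative shares. The file name sality_check.cmd is an assumption.

```bat
@echo off
rem sality_check.cmd - added example for this article (not Vaksincom's repair.inf or removal tool).
rem Save it with a .cmd extension: W32/Sality.AE infects .exe/.com/.scr files, not batch files.
rem Run from an administrator command prompt after unplugging the machine from the network.
setlocal

echo === Registry keys that W32/Sality.AE deletes ===
rem ControlSet001/002 are saved control sets and their numbering varies between machines,
rem so a missing ControlSet002 is not by itself a sign of infection; a missing
rem CurrentControlSet\Control\SafeBoot or Services\ALG is.
for %%K in (
    "HKLM\SYSTEM\ControlSet001\Control\SafeBoot"
    "HKLM\SYSTEM\ControlSet002\Control\SafeBoot"
    "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
    "HKLM\SYSTEM\CurrentControlSet\Services\ALG"
) do (
    reg query %%K >nul 2>&1
    if errorlevel 1 (echo   MISSING  %%~K) else (echo   present  %%~K)
)

echo.
echo === Autostart entries (Sality infects the .exe files they point to) ===
rem Every .exe listed here must be scanned or reinstalled; removing the entry alone
rem leaves the infected file on disk.
for %%K in (
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache"
) do (
    echo --- %%~K
    reg query %%K 2>nul | find /i ".exe"
)

echo.
echo === Disable Autorun and the default administrative shares ===
rem 0xFF (255) = no Autorun for any drive type: removable, fixed, network, CD-ROM, RAM disk.
rem On Windows XP and Vista this policy is only honoured fully once Microsoft's Autorun
rem update (KB967715) is installed, so install that update as well.
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
rem AutoShareWks applies to workstation editions, AutoShareServer to server editions;
rem both stop C$, D$, ... and ADMIN$ from being recreated at boot. The net share line
rem removes the shares that exist right now without waiting for a reboot. Note that
rem remote administration tools relying on ADMIN$ will stop working.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
for %%S in (C$ D$ ADMIN$) do net share %%S /delete >nul 2>&1

echo.
echo Done. Restore the SafeBoot keys (step 6) before trying to boot into safe mode.
endlocal
```

Run it once before cleaning, to see which keys the virus has already removed and which autostart executables need scanning, and once more after the reboot in step 8 to confirm the SafeBoot and ALG keys are back and the shares have not been recreated.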
Source