September 17, 2011

How to Smartly Get Rid of Win32:Sality Virus?

I was stuck last month trying to find the safest way to remove the Sality virus that infected one of our office PCs. I remember that the same virus also hit the majority of units in the Internet Café that my boss appointed me to maintain.
Sality has been the most destructive threat known for a long time. It's a polymorphic type of threat with the combined power of a trojan, a worm and spyware. Sality has a lot of aliases, and one of the most stupid is Win32:Sality. It spreads like a charm through your system by infecting USB drives with autorun.inf, and it can update itself if you're connected to the internet.

Win32:Sality usually attacks Windows XP and Vista but can't fully penetrate Windows 7, since that OS is armed with tighter security features.

Win32:Sality sabotages the following functionality and tools in your system:
  1.  Task Manager is disabled (CTRL+ALT+DEL)
  2.  Safe Mode is disabled
  3.  System Restore is infected
  4.  Registry Editor (Regedit) is disabled
  5.  Antivirus installation is blocked, or its defenses are disabled
  6.  USB storage is infected with autorun.inf
  7.  Explorer folder options are disabled
  8.  Files with the .exe extension are infected. Archive files such as .rar are safe.
Sality Files and Processes:
%Windir%\system.ini
%AppData%\HEX-5823-6893-6818\jusched.exe
c:\WINDOWS\system32\dimsntfy32.dll
%System%\winrtsnr.txt
qviqhw.pif
autorun.inf
xiqlx.exe
A0012216.exe and related values
A0012216.pif & related values
winyfyoak.exe
vexod.exe
ehyinf
winwkgaga.exe
epole.exe
aedikr.exe
fhwm.exe
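Here is an added PowerShell triage check (example code, not part of the original post) that tests a machine for the lockouts in the list above and for the artifact paths just listed. It assumes the lockouts were applied through the standard Windows policy registry values and the SafeBoot keys; that mechanism is an assumption, not something the post states.

```powershell
# Added triage script (not from the original post). Checks for the lockouts the
# post lists (Task Manager, Regedit, folder options, Safe Mode) and for the
# artifact paths it names. Registry value names are the standard Windows policy
# values these lockouts use (assumption: the infection applied them this way).
$findings = @()

function Test-PolicyValue($Path, $Name) {
    # Returns $true only when the key exists and the DWORD is set to 1.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$Name -eq 1)
}

# 1 and 4: Task Manager and Registry Editor lockouts live under Policies\System.
$sysPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if (Test-PolicyValue $sysPol 'DisableTaskMgr')       { $findings += 'Task Manager disabled by policy' }
if (Test-PolicyValue $sysPol 'DisableRegistryTools') { $findings += 'Registry Editor disabled by policy' }

# 7: the Explorer folder-options lockout lives under Policies\Explorer.
$expPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (Test-PolicyValue $expPol 'NoFolderOptions')      { $findings += 'Explorer folder options hidden by policy' }

# 2: Safe Mode cannot start when the SafeBoot driver lists are missing.
foreach ($mode in 'Minimal', 'Network') {
    if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode")) {
        $findings += "SafeBoot\$mode key missing (Safe Mode broken)"
    }
}

# Artifact paths named in the post, with environment variables expanded.
# %Windir%\system.ini is a legitimate file, so its presence alone proves nothing
# and it is not checked here.
$artifacts = @(
    "$env:APPDATA\HEX-5823-6893-6818\jusched.exe",
    "$env:SystemRoot\system32\dimsntfy32.dll",
    "$env:SystemRoot\system32\winrtsnr.txt"
)
foreach ($p in $artifacts) {
    if (Test-Path $p) { $findings += "Artifact present: $p" }
}

# 6: autorun.inf in the root of any removable drive (DriveType 2 = removable).
foreach ($d in (Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2')) {
    $ar = Join-Path $d.DeviceID 'autorun.inf'
    if (Test-Path $ar) { $findings += "autorun.inf on removable drive $($d.DeviceID)" }
}

if ($findings.Count -eq 0) { 'No Sality indicators from the checklist found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated prompt on the suspect machine, or from the Mini XP environment mentioned below; a clean result only means none of the listed indicators were seen, not that the machine is clean.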


Win32:Sality is not a threat that you can simply remove manually without sweating lol… Why? Because it takes a good technique to heal your system without losing your files. Remember, all .exe files in your system are infected.

Preliminary Tools
Did you know that almost all antivirus, virus cleaner and antispyware tools can detect Sality? However, they can't remove it completely.
  • Malwarebytes and SuperAntiSpyware work best in Safe Mode, but Safe Mode is disabled by Sality. They can repair the system tools and the registry, but they can't remove the infected files in System Restore, from where Sality comes back after the scan. If Sality blocks you from installing those tools, try renaming the installer or get a portable version.

  • Avast: you're lucky if you have Avast installed, and it's good if it was running before Sality infected your PC, because then you can fire up a Boot Time Scan. However, be careful when it prompts you to delete infected system files, because they will be gone forever. Avast is very powerful and will surely detect and delete all .exe files infected with Sality, but it can't repair them.
  • Sality Remover: mostly doesn't work based on my experience... you can try it here.

My Recommended Tools
Other than formatting your PC, which sacrifices all your files but would surely kill Sality, here are the most effective tools against Sality and all types of threats…
  • Hiren's Boot Disc is a boot disc utility packed with freeware tools that can help you rescue your system. In Mini XP boot mode (which works like Safe Mode) the threats in the system are inactive and defenseless, so you can fire up Malwarebytes, SuperAntiSpyware and other virus cleaners to scan the whole system smoothly. You can back up your files as well before doing anything drastic.
Hiren's Boot Disc is almost 700 MB in size; download the .iso image, burn it, and boot from it.
You can get your copy from torrent or any site online (it's free).
  • Kaspersky Rescue Disc is only around 200 MB in size and can be burned to a CD or written to your USB drive. It is a bootable virus cleaner that comes with a Linux environment where you can back up files and scan your whole system. While scanning you can browse the internet flawlessly using Nomoroka (aka Firefox), take screenshots or update the AV definitions as well.
Remember: you must finish the scanning process; it takes time depending on the size of the local drives you set to be scanned. When scanning is complete it prompts for an action on how to deal with the detected threats: CHOOSE "DISINFECT", not complete removal of the file or quarantine.

Disinfect = repairs the infected files and removes the threat as well
Removal = the files will be erased from your hard disk
Quarantine = I don't trust it.

Learn where to download Kaspersky Rescue Disc and how to write it to a USB drive here.

If your infected computer is a laptop, prepare an external mouse while using Kaspersky Rescue Disc. Some laptop touchpads won't work in the Linux environment.

DON’T s….. without installing Antivirus first
DO NOT insert your unsafe flash drives
DO NOT browse / connect to a network infected by Sality
DO NOT download anything from the Internet without an updated AV
DO NOT copy your backup to your newly cleaned PC

That's all. Congrats!

Do you have some clarifications or additional tips? Please add your ideas and comments below. Thanks!