Monday, March 16, 2009

W32.Sality.AE Cleaning instruction

If your computer has been infected with the virus W32.Sality.AE, you can try to clean it by following the Symantec write-up reproduced below.

1. Disable System Restore (Windows Me/XP). Follow the link for instructions.
2. Update your virus definitions.
3. Run a full system scan.
4. Open Registry Editor and delete any values added to the registry, or restore them to their original values if required.

  • Navigate to and delete the following registry entry:
  1. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[INFECTED FILE]" = "[INFECTED FILE]:*:Enabled:ipsec"

  • Navigate to and delete the following registry subkeys:
  1. HKEY_CURRENT_USER\Software\[USER NAME]914
  2. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
  3. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER

  • Restore the following registry entries to their previous values, if required:
  1. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"GlobalUserOffline" = "0"
  2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"

  • Restore registry entries under the following registry subkeys to their previous values, if required:
  1. HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
  3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
  4. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
  5. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  6. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
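The registry steps above are easy to get wrong by hand, so here is an added PowerShell script (my own example, not part of the original post or of Symantec's write-up) that audits a machine for the artifacts listed. It is read-only unless run with -Remediate, and even then honours -WhatIf. It assumes the "[USER NAME]914" key is named after the currently logged-on user (so it substitutes $env:USERNAME), and it treats a firewall authorized-application entry ending in ":*:Enabled:ipsec" as the "[INFECTED FILE]" entry from the write-up; both are assumptions on my part. The SafeBoot, Ext\Stats and Browser Helper Objects keys are only enumerated, because their correct "previous values" differ from machine to machine and must be compared against a known-good system.

```powershell
# Added example: audit for the W32.Sality.AE registry artifacts listed in the
# post. Read-only by default; -Remediate removes only the items the write-up
# says to delete, and supports -WhatIf. Run from an elevated prompt.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Kind, [string]$Path, [string]$Name, [string]$Detail)
    $findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path; Name = $Name; Detail = $Detail })
}

# 1. Subkeys the write-up says to delete outright.
$subkeysToDelete = @(
    'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80',
    'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER',
    # Assumption: "[USER NAME]914" is the logged-on user's name followed by 914.
    "HKCU:\Software\$($env:USERNAME)914"
)
foreach ($key in $subkeysToDelete) {
    if (Test-Path -LiteralPath $key) {
        Add-Finding 'Subkey' $key '' 'present; write-up says delete'
        if ($Remediate -and $PSCmdlet.ShouldProcess($key, 'Remove registry subkey')) {
            Remove-Item -LiteralPath $key -Recurse -Force
        }
    }
}

# 2. Values the virus sets to 0: EnableLUA=0 disables UAC, GlobalUserOffline=0
#    forces Internet Explorer online. Report when they match the infected state;
#    the correct previous value is for the administrator to restore.
$valuesToCheck = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system';   Name = 'EnableLUA';         Bad = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'GlobalUserOffline'; Bad = 0 }
)
foreach ($v in $valuesToCheck) {
    $item = Get-ItemProperty -LiteralPath $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and [int]$item.($v.Name) -eq $v.Bad) {
        Add-Finding 'Value' $v.Path $v.Name "is $($v.Bad); restore the previous value manually"
    }
}

# 3. Firewall exceptions. The write-up's infected entry has the form
#    "<path>:*:Enabled:ipsec"; assumption: any entry ending in ":*:Enabled:ipsec"
#    is that entry. Everything else in the list is left alone.
$fwList = 'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path -LiteralPath $fwList) {
    $props = Get-ItemProperty -LiteralPath $fwList
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSChildName metadata
        if ($p.Value -is [string] -and $p.Value -match ':\*:Enabled:ipsec$') {
            Add-Finding 'FirewallException' $fwList $p.Name $p.Value
            if ($Remediate -and $PSCmdlet.ShouldProcess("$fwList\$($p.Name)", 'Remove firewall exception')) {
                Remove-ItemProperty -LiteralPath $fwList -Name $p.Name
            }
        }
    }
}

# 4. Keys whose contents the write-up says to restore: enumerate only, so the
#    administrator can diff them against a clean machine.
$reviewOnly = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($key in $reviewOnly) {
    if (Test-Path -LiteralPath $key) {
        $count = (Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue | Measure-Object).Count
        Add-Finding 'Review' $key '' "$count subkey(s); compare against a known-good machine"
    }
}

$findings | Format-Table -AutoSize
```

Run it once without switches to get the report, then `.\Sality-Audit.ps1 -Remediate -WhatIf` to see exactly which subkeys and firewall entries would be removed before committing. Because Sality infects executables rather than just the registry, this audit complements the full scan in step 3 and does not replace it: a clean registry with infected binaries still on disk will simply be re-polluted on the next run.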

Learning to be.. :)
