How to remove: virus.win32.sality.aa

[eshui2007]

These is the indications :
1. Task manager is disabled.
2. Registry Editor is disabled.
3. Show all hidden files and folders are not working .
Hiden Files Folder setting always checks “Do not show hidden files and folder” option. i can't change the option, even if i check “Show hidden files and folder” option
4. Firewall and anti virus are not working.
i can't run it and i can't scan with it; even i can run it and scan with it, the virus won't be found or the virus will be found but anti virus can't clean/delete it.
5. The virus infects .exe files on every partition of harddisk.
Almost all .exe files on my computer is infected (included explorer.exe,
uninstall.exe, etc). Some of my .exe applications still may run, but some of them won't run (it will kill the runing process of infected .exe aplication or/and show an error message)!
6. The virus may infects some .com and .scr files.
7. The virus may infects some .dll files on Windows folder.
8. If i plug in my USB Device on my computer, it will create an autorun.inf file + a random virus file.
9. I can't boot Windows in safe mode. i will failed if i try to boot Windows in
safe mode, and my system will restart automatically.

kaspersky virus removal tools detect that is virus.win32.sality.aa but it wants to delete all my .exe files.

[Rene-gad]

virus.win32.sality.aa is a file infector, you have to check your disk with CureIt during the installed system is not active - either from LiveCD or by re-building the harddisk into any other PC.

After cure:

Switch off/Disable:
- Antivirus and and, if you have - Firewall.
- System Restore


- Execute following script in Manual Cure

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 StopService('abp470n5');
 QuarantineFile('C:\WINDOWS\system32\drivers\ekmshk.sys','');
 QuarantineFile('C:\Program Files\IDM\IDMan.exe','');
 QuarantineFile('C:\Program Files\IDA\ida.exe','');
 QuarantineFile('C:\Program Files\Download Direct\DLD.exe','');
 DeleteFile('C:\WINDOWS\system32\drivers\ekmshk.sys');
 DeleteService('abp470n5');
BC_ImportAll;
ExecuteSysClean;
BC_DeleteSvc('abp470n5');
BC_Activate;
RebootWindows(true);
end.

After reboot execute following script in Manual Cure

Код:

begin
CreateQurantineArchive('C:\quarantine.zip');
end.

- Clean Temp-Maps, Cache of Browsers, Recycler. Use Windows service tool cleanmgr or CCleaner or ClearProg
- Close all the programs and start only Internet Explorer!!!
- Repeat a log file.
- Switch Antivirus and, if you have - Firewall, on.
- Go On-Line
- Upload the C:\quarantine.zip over the link Upload quarantined files on the top of this page.
- Attach a log to your new post..

[eshui2007]

task manager is on after doing above scripts. but regedit is off and it saids that regedit is disabled by administor

[Rene-gad]

- Execute following script in Manual Cure

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
 StopService('MBAMSwissArmy');
 QuarantineFile('C:\WINDOWS\system32\drivers\mbamswissarmy.sys','');
 DeleteFile('C:\WINDOWS\system32\drivers\mbamswissarmy.sys');
 DeleteService('MBAMSwissArmy');
BC_ImportAll;
ExecuteSysClean;
BC_DeleteSvc('MBAMSwissArmy');
BC_Activate;
SetAVZPMStatus(True);
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
ExecuteRepair(11);
ExecuteRepair(16);
ExecuteRepair(17);
RebootWindows(true);
end.

After reboot execute following script in Manual Cure

Код:

begin
CreateQurantineArchive('C:\quarantine.zip');
end.

- Repeat a logfile AVPTool.
- Make a log file with GMER: http://www.gmer.net/
- Upload the C:\quarantine.zip over the link Upload quarantined files on the top of this page.

[eshui2007]

it takes a lot of time (3 hour) to get log with gmer.
task manager and regedit are enabled but these parts (in the picture) disabled and enabled automatically each time.

[Rene-gad]

Do/did you use any TuneUp-Tools?

[eshui2007]

I use "System Mechanic Professional 7" and "TweakUI"

[Rene-gad]

I use "System Mechanic Professional 7" and "TweakUI"

Possibly these tools are blocking the windows management @ taskbar.

[eshui2007]

I can't boot Windows in safe mode. i will failed if i try to boot Windows in
safe mode, and my system will restart automatically.

[Rene-gad]

- Execute following script in Manual Cure

Код:

begin
ExecuteRepair(10);
RebootWindows(true);
end.

After reboot try to boot in safe mode

[eshui2007]

Safe mode is on now ( thanks ). but after the repairs this part (in the picture) add in my start menu.



And after all, how can i understand that the virus removed from my computer.

[Rene-gad]

but after the repairs this part (in the picture) add in my start menu.

How to remove my network places

And after all, how can i understand that the virus removed from my computer.

That's impossible: http://technet.microsoft.com/de-de/l...87(en-us).aspx

[eshui2007]

Thanks a lot for your help (Rene-gad).