Full Clean Sality.Gen Virus from Infected Harddrive

Posted by Kenna

W32/Sality-AM

Aliases
* Win32/Sality.gen
* W32/Sality.dll
* New Win32.s

Category
* Viruses and Spyware

Type
* Virus

Virus Information
W32/Sality-AM is a virus for the Windows platform.

The virus includes the functionality to download additional files from a remote location.

When first run, the virus may infect executables in the root folder, files on network shares, and files it may find based on the following registry locations:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

W32/Sality-AM may install the following file:

<System>\<random>.sys

This file is detected as Troj/RkSal-A

W32/Sality-AM may set registry entries under:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80

W32/Sality-AM may delete registry entries under:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\

W32/Sality-AM disables some system monitoring tools by modifying executables named "filemon.exe" (the name used by the Sysinternals file monitor) so that they exit immediately.

Due to errors in the viral infection code, some files are corrupted by W32/Sality-AM so that they will not run. Some, but not all, of these files can still be disinfected; however, W32/Sality-AM always overwrites any data appended to the end of a file when it infects it, so that data can never be recovered.

It is advisable to enable scanning for suspicious files and submit any files detected as Sus/Sality-A to Sophos.
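The registry keys and file locations above are all a responder needs to check whether a machine matches this description before formatting it, and to record the executables at risk so they can be rechecked after cleaning. The following script is an added example written for this page; it is not part of the original post and not a Sophos or McAfee tool. It only reads the registry and file system, and the output folder `D:\sality-triage` is an assumed path.

```powershell
# Added example, not from the original post or any vendor tool: read-only triage
# for the W32/Sality-AM indicators listed above. Run from an elevated PowerShell
# prompt on the suspect machine. Writes a short report plus the list of candidate
# infection targets with their SHA-256 hashes to $OutDir (assumed path).
$OutDir = 'D:\sality-triage'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$report = [ordered]@{}

# The kernel component (<System>\<random>.sys, detected as Troj/RkSal-A) leaves
# this enumeration key behind.
$report['LEGACY_WMI_MFC_TPSHOKER_80 present'] =
    Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80'

# The virus deletes entries under SafeBoot. A healthy system has dozens of subkeys
# under both Minimal and Network; zero or near zero is a strong indicator.
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    $report["SafeBoot\$mode subkeys"] =
        if (Test-Path $key) { @(Get-ChildItem -Path $key).Count } else { 0 }
}

# Candidate infection targets: executables referenced from the Run keys and the
# MUICache (Run values hold command lines, MUICache value *names* are paths),
# plus *.exe / *.scr in the root of every file-system drive.
$targets = @()
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache'
)
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        foreach ($text in @($name, [string]$item.GetValue($name))) {
            # Pull the first drive-rooted path ending in .exe or .scr out of the string.
            if ($text -match '^"?([A-Za-z]:\\[^"]+?\.(exe|scr))\b') {
                $targets += $Matches[1]
            }
        }
    }
}
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    Get-ChildItem -Path $drive.Root -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.scr' } |
        ForEach-Object { $targets += $_.FullName }
}
$targets = $targets | Sort-Object -Unique

# Hash what exists now so the same list can be rechecked after disinfection:
# a file whose hash changed but which no longer starts was corrupted, not cleaned.
$hashes = foreach ($path in $targets) {
    if (Test-Path -LiteralPath $path) {
        Get-FileHash -LiteralPath $path -Algorithm SHA256 | Select-Object Path, Hash
    }
}
$report['candidate targets hashed'] = @($hashes).Count
$report['filemon.exe among targets'] =
    [bool]($targets | Where-Object { $_ -like '*\filemon.exe' })

$report.GetEnumerator() |
    ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value } |
    Tee-Object -FilePath (Join-Path $OutDir 'report.txt')
$hashes | Export-Csv -Path (Join-Path $OutDir 'targets.csv') -NoTypeInformation
```

Run it once before cleaning and once afterwards; `targets.csv` from the two runs tells you which executables changed, and any that changed but no longer run should be reinstalled from a clean source rather than kept.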

What to do if your computer is infected
1. Back up your data to another drive (D:, E:, etc.). Copy documents and media only: Sality infects executables, so any .exe or .scr file you carry across will bring the infection back onto the fresh install.
2. Format your C: drive and install a fresh copy of Windows.
3. Install McAfee VirusScan Enterprise.
4. Update McAfee VirusScan Enterprise after installation.
5. Download PCMAV (just google it).
6. The backup folder on the other drive will usually still be owned by an account from the old installation, so follow these steps to take ownership of it:

How to take ownership of a folder
You must have ownership of a protected folder in order to access it. If another user has restricted access and you are the computer administrator, you can access the folder by taking ownership.

To take ownership of a folder, follow these steps:

1. Right-click the folder that you want to take ownership of, and then click Properties.
2. Click the Security tab, and then click OK on the Security message (if one appears).
3. Click Advanced, and then click the Owner tab.
4. In the Name list, click your user name, or click Administrator if you are logged in as Administrator, or click the Administrators group. If you want to take ownership of the contents of the folder, select the Replace owner on subcontainers and objects check box.
5. Click OK, and then click Yes when you receive the following message:
You do not have permission to read the contents of directory folder name. Do you want to replace the directory permissions with permissions granting you Full Control?
All permissions will be replaced if you click Yes.

Note folder name is the name of the folder that you want to take ownership of.
6. Click OK, and then reapply the permissions and security settings that you want for the folder and its contents.

Source: http://support.microsoft.com/kb/308421/en-us
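The same ownership change can be scripted, which is faster when there are several backup folders to recover. The following is an added example written for this page, not code from the Microsoft article or the original post; `D:\Backup` is an assumed path.

```powershell
# Added example, not from the Microsoft KB article or the original post: the
# GUI procedure above done from an elevated PowerShell prompt with the built-in
# takeown.exe and icacls.exe. $Folder is an assumed path; point it at the backup
# folder the new installation cannot open.
$Folder = 'D:\Backup'

# Steps 4 and 5 of the GUI procedure: make the Administrators group the owner of
# the folder and everything below it. /R recurses, /A assigns ownership to the
# Administrators group rather than the current user, and /D Y answers "Y" to the
# prompt shown when a directory cannot be listed (the same message as in step 5).
takeown.exe /F $Folder /A /R /D Y

# Step 6: replace the old permissions. S-1-5-32-544 is the well-known SID of the
# local Administrators group, used instead of the name so this also works on
# non-English Windows. (OI)(CI)F is full control inherited by files and
# subfolders; /T applies it to the whole tree, /C continues past per-file errors.
icacls.exe $Folder /grant '*S-1-5-32-544:(OI)(CI)F' /T /C

# Show the resulting ACL so you can confirm it before re-applying the permissions
# you actually want (for example, adding your own account or removing Everyone).
icacls.exe $Folder
```

If `takeown` reports access denied on individual files, rerun it from a prompt started with "Run as administrator"; both tools need an elevated token to change an owner you do not already hold.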

7. After all of the steps above, run PCMAV-CLN.EXE.
8. Scan all drives and wait until it is done.

McAfee will automatically clean infected files. If you have infected files on a flash drive or other removable drive, the .exe files there may be broken after cleaning; only the .exe files on the hard drive will be usable afterwards. As the description above notes, some infected files are corrupted beyond repair, so replace any .exe that no longer runs from its original installer rather than keeping the disinfected copy.

I hope this will help you all.