Removing "W32.Sality.U" Virus From System - Immux


Thursday, August 18, 2011

Removing "W32.Sality.U" Virus From System

   In my experience, most antivirus products can only detect and delete files infected by the W32.Sality.U virus, but the latest Quick Heal antivirus can repair these infected files, so I suggest scanning the whole system with Quick Heal.

  • Summary: W32.Sality.U spreads by infecting executable files. It may be dropped by other malware.
  • Malware Type: Virus
  • Alias: W32/Sality [Avira], W32/Sality [McAfee]
  • Systems Affected: Windows 2000, 95, 98, Me, NT, Windows Server 2003, Windows XP
  • Risk Rating: Low
  • Description:
    When W32.Sality.U is executed, it performs the following activities:
    It may infect executables in the root folder, files on network shares, and files it finds by looking up the following registry locations:

        HKCU\Software\Microsoft\Windows\CurrentVersion\Run
        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

    It modifies %Windows%\SYSTEM.INI by adding the following string:

        [MCIDRV_VER]
        DEVICEMB={Random Numbers}

    It also creates registry keys/entries under:

        HKCU\Software\{UserName}914

    It replaces the original entry point of the files it infects with its viral code and appends itself to the last section of the PE image. Infected files grow in size by 61,440 bytes.

  • Solution:
  1. Disable System Restore.
  2. Disable System Restore under Windows Me: Point to Start, Settings, and Control Panel. Double-click 'System', then click the 'Performance' tab. Click 'File System', then click the 'Troubleshooting' tab. Select 'Disable System Restore' and click 'Apply'. Restart your system.
  3. Disable System Restore under Windows XP: Point to Start, Control Panel, Performance and Maintenance. Double-click 'System', then select the 'System Restore' tab. Select the 'Turn off System Restore on all drives' box. Click Apply. Click Yes. Restart your system.
  4. Edit system.ini: click Start -> Run, type system.ini, and delete the lines

        [MCIDRV_VER]
        DEVICEMB={Random Numbers}

     then save the file.

     Update Anti-Virus with the latest signature pattern definitions and perform a system scan using Quick Heal Scanner.
     [Source]
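The system.ini marker described above and the manual edit in step 4 can be checked and applied programmatically. The script below is an added example written for this post, not code from the original page or from any antivirus vendor; the SAMPLE_SYSTEM_INI text and the DEVICEMB value in it are constructed, since the virus writes random numbers there.

```python
"""Detect the [MCIDRV_VER] / DEVICEMB= marker that W32.Sality.U adds to
%Windows%\\SYSTEM.INI and produce a cleaned copy with that section removed."""
import re

SALITY_SECTION = "MCIDRV_VER"   # section name the virus adds (from the write-up)
SALITY_KEY = "DEVICEMB"         # key it writes under that section

# Constructed sample of an infected system.ini; the DEVICEMB value is made up.
SAMPLE_SYSTEM_INI = """; constructed sample of %Windows%\\SYSTEM.INI
[386Enh]
woafont=dosapp.fon

[drivers]
wave=mmdrv.dll
timer=timer.drv

[MCIDRV_VER]
DEVICEMB=37151964
"""

_SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_ini(text):
    """Split INI text into an ordered list of (section_name, lines).
    Lines before the first section header get section_name None."""
    sections = [(None, [])]
    for line in text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), []))
        else:
            sections[-1][1].append(line)
    return sections


def find_sality_marker(text):
    """Return the DEVICEMB value if the Sality marker section is present, else None."""
    for name, lines in parse_ini(text):
        if name is not None and name.upper() == SALITY_SECTION:
            for line in lines:
                key, sep, value = line.partition("=")
                if sep and key.strip().upper() == SALITY_KEY:
                    return value.strip()
    return None


def remove_sality_section(text):
    """Return the INI text with the whole [MCIDRV_VER] section dropped (step 4)."""
    out = []
    for name, lines in parse_ini(text):
        if name is not None and name.upper() == SALITY_SECTION:
            continue            # drop the marker section and everything in it
        if name is not None:
            out.append("[%s]" % name)
        out.extend(lines)
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    print("marker value:", find_sality_marker(SAMPLE_SYSTEM_INI))
    print(remove_sality_section(SAMPLE_SYSTEM_INI))
```

On a real host, read the file contents with the path from %WINDIR%\system.ini, write the cleaned text back only after taking a backup, and treat a non-empty marker value as a reason to run the full antivirus scan the post recommends, since the INI entry is only a side effect of the infection.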

2 comments:

  1. You have saved so many hours of mine...excellent shortcut to remove that nasty virus

  2. I'm trying to install Quick Heal but get the same error, "W32.Sality.U". How do I remove this before Quick Heal is installed?
