clean sality from your OS
W32/Sality.ae is a parasitic virus that infects Win32 PE executable files.
Upon execution, it drops the following files into the Windows system directory:
* %Windir%\System32\Hdaudprop.dll
* %Windir%\System32\Hdaudpropres.dll
* %Windir%\System32\Hdaudpropshortcut.exe
* %Windir%\System32\drivers\Hdaudbus.sys
* %Windir%\System32\drivers\Hdaudio.sys
* %Windir%\System32\drivers\portcls.sys
It creates the following registry keys:
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WMI_MFC_TPSHOCKER_80
* HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\IPFILTERDRIVER
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
It downloads further malware from the following domains:
It modifies the following registry entries:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Setting\"GlobalUserOffline" = "0"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
The virus also deletes entries in the following registry subkeys:
* HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
So, my dear friend, the easiest way to tackle this virus is to remove the registry entries listed above (the virus's entry doors) and delete those .DLL files from the system.
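Before deleting anything, it helps to confirm which of the artifacts listed above are actually present on the machine. The following PowerShell audit script is an added example, not part of the original post; it only reports findings and assumes it is run in an elevated session on the affected host.

```powershell
# Added audit script (not from the original post). Reports the Sality
# artifacts listed above without deleting anything.
# Assumption: run from an elevated PowerShell session on the affected host.
$sys = $env:SystemRoot

$droppedFiles = @(
    "$sys\System32\Hdaudprop.dll",
    "$sys\System32\Hdaudpropres.dll",
    "$sys\System32\Hdaudpropshortcut.exe",
    "$sys\System32\drivers\Hdaudbus.sys",
    "$sys\System32\drivers\Hdaudio.sys",
    "$sys\System32\drivers\portcls.sys"
)

$createdKeys = @(
    "HKLM:\SYSTEM\CurrentControlSet\Services\WMI_MFC_TPSHOCKER_80",
    "HKLM:\SYSTEM\ControlSet001\Enum\Root\IPFILTERDRIVER"
)

# Values the virus forces to 0; EnableLUA=0 switches off UAC.
$modifiedValues = @(
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System";   Name = "EnableLUA";         Bad = 0 },
    @{ Path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"; Name = "GlobalUserOffline"; Bad = 0 }
)

foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) {
        # Hdaudbus.sys and portcls.sys are also the names of legitimate Microsoft
        # audio drivers, so check the Authenticode signature before calling a hit malicious.
        $sig    = Get-AuthenticodeSignature -FilePath $f
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "<unsigned>" }
        Write-Output ("FILE    {0}  signature={1}  signer={2}" -f $f, $sig.Status, $signer)
    }
}

foreach ($k in $createdKeys) {
    if (Test-Path -LiteralPath $k) { Write-Output "REGKEY  $k present" }
}

foreach ($v in $modifiedValues) {
    $item = Get-ItemProperty -LiteralPath $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($v.Name) -eq $v.Bad) {
        Write-Output ("REGVAL  {0}\{1} = {2}" -f $v.Path, $v.Name, $item.($v.Name))
    }
}

# The virus deletes the SafeBoot subkeys, which breaks booting into Safe Mode.
$safeBoot = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot"
if (-not (Test-Path -LiteralPath "$safeBoot\Minimal")) { Write-Output "REGKEY  $safeBoot\Minimal missing" }
```

Because Sality is a file infector, removing the dropped files and registry entries clears only the components it added; Win32 PE executables it has already infected still have to be cleaned or restored with an up-to-date scanner.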