Remove Trojan W32.Sality.AA

W32/Sality-AA is a virus that also acts as a keylogger.
The virus records keystrokes as well as information about the infected computer. The captured data is periodically sent to the virus author's site.
W32/Sality-AA has started spreading itself via email.

Alias: Virus.Win32.Sality.aa (Kaspersky), Virus:Win32/Sality.AM (Microsoft), W32/Sality.ah (McAfee)
Infiltration type: Virus
Size: Variable
Platforms: Windows

Damage level: Highly Dangerous
Distribution level: High/Medium

There is no Auto Removal Tool for W32.Sality.aa


Instructions for removing this Trojan:

1. Start the computer in Safe Mode:
To enter Safe Mode: restart the computer, press F8 when the screen comes on, select Safe Mode and press Enter.

Infected files can be found in the folders below and run within the system.
2. Stop the active processes listed below before proceeding with removal.
  • %System%\amvo.exe
  • %System%\blastclnnn.exe
  • %System%\scvhsot.exe
  • %Temp%0055a0e_rar\scvhsot.exe
  • %Temp%00592b2_rar\scvhsot.exe
  • %Temp%005934e_rar\hinhem.scr
  • %Temp%005938d_rar\blastclnnn.exe
  • %Windir%\hinhem.scr
  • %Windir%\scvhsot.exe
  • c:\rdsfk.com
  • %System%\drivers\.sys
  • %temp%\win%name%.exe
  • %temp%\%name%.exe
Terminate the following related processes and files:
antzom.exe, ax.exe, bomryuc.dll, drlbqse.dll, egjjen.sys, fmgonn.sys, hehmu.sys, hsgfrn.sys, idlrrh.sys, impnn.sys, jnjpvn.sys, loader174.exe, mAO3q2B7r6.exe, mm2emt.exe, ogmkmn.sys, omdftn.sys, vwservice.exe, vwsrv.exe, vwsrv[1].exe, win13652.dll, win21309.dll, win25709.dll, win27388.dll, win28610.dll, win29788.dll, win3096.dll, win31324.dll, win33848.dll, win35482.dll, win36587.dll, win37763.dll, win40320.dll, win40346.dll, win44025.dll, win46721.dll, win48684.dll, win63279.dll, win7320.dll, windjnvr.exe, winibqs.exe, winjepm.exe, winkrqpx.exe, winkxggjh.exe, winnmswkj.exe, winrlwmt.exe, winxotbiy.exe, wmdrtc32.dll, wmdrtc32.dl_, x1001[1].exe, x2000[1].exe, x2007.exe, x2011.exe, x2011[1].exe, x3000[1].exe, ywsnkhb.dll

Spreading via removable media
The virus copies itself to the root folder of removable drives (e.g. flash disks) using a random file name. The file name has one of the following extensions:
.exe
.pif
.cmd
The file above sits in the same folder as:
autorun.inf
As a result, the virus spreads every time the infected medium is inserted into a computer.
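The autorun.inf plus random-named executable pattern described above can be checked for without touching anything. The following PowerShell script is an added example (it is not from the original post and not a vendor tool): it enumerates mounted removable volumes, reads the `open=` / `shellexecute=` launch target from any root-level autorun.inf, and lists root-level files with the three extensions named above. The drive enumeration via Win32_LogicalDisk DriveType 2 and the INI key names are assumptions about how such a check is typically done; the script reports findings and removes nothing.

```powershell
# Added example, not part of the original post. Read-only audit of removable
# drives for the autorun.inf + random-named executable pattern.
# Assumption: run in Windows PowerShell 5.1 or later; DriveType 2 = removable disk.

function Get-AutorunFindings {
    param(
        # Default: the root of every currently mounted removable volume.
        [string[]] $Roots = @(Get-CimInstance Win32_LogicalDisk -Filter "DriveType = 2" |
                              ForEach-Object { "$($_.DeviceID)\" })
    )

    # Extensions named in the post for the dropped copy of the virus.
    $suspectExt = @('.exe', '.pif', '.cmd')

    foreach ($root in $Roots) {
        $inf = Join-Path $root 'autorun.inf'
        $hasInf = Test-Path -LiteralPath $inf

        # autorun.inf is an INI file; the launch target lives in open= or shellexecute=.
        $targets = @()
        if ($hasInf) {
            foreach ($line in (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue)) {
                if ($line -match '^\s*(open|shellexecute)\s*=\s*(.+?)\s*$') {
                    $targets += $Matches[2]
                }
            }
        }

        # Random-named executables sitting in the drive root (hidden files included).
        $rootExes = @(Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
                      Where-Object { $suspectExt -contains $_.Extension.ToLower() })

        if ($hasInf -or $rootExes.Count -gt 0) {
            [pscustomobject]@{
                Drive           = $root
                AutorunInf      = $hasInf
                LaunchTarget    = ($targets -join '; ')
                RootExecutables = (($rootExes | ForEach-Object { $_.Name }) -join '; ')
            }
        }
    }
}

# Usage: plug in the medium with autorun disabled (or from a machine that does not
# honour autorun.inf) and run the audit; an empty result means nothing matched.
Get-AutorunFindings | Format-Table -AutoSize
```

A drive that shows an autorun.inf whose launch target matches one of the root executables is the propagation set-up the post describes; the cleanup itself is a separate, deliberate step.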
Note: If Task Manager is disabled, download this file to re-enable it.
Remove From the Registry Manually
Click Start, Run, type: regedit, click OK.
Note: If the Registry Editor fails to open because the virus has modified the system to block access to it, download and run this tool, then continue with the removal.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
"GlobalUserOffline" = 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system
"EnableLUA" = 0
The following Registry entries are deleted:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aouei
Key: CLSID\{1CE21416-0B8D-8CF6-1FCB-099B30C628BB}\InprocServer32
Value: ThreadingModel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_VWSERVICE
Value: NextInstance

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_VWSERVICE000
Value: Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_VWSERVICE000\Control
Value: ActiveService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwservice
Value: DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwservice\Enum
Value: Count
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwservice\Security
Value: Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32
Value: Type
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32
Value: Start
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32
Value: ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32
Value: ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32
Value: DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32\Security
Value: Security
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32
Value: NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32000\Control
Value: *NewlyCreated*
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32000
Value: Service
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32000
Value: Legacy
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32000
Value: ConfigFlags
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32000
Value: Class
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32000
Value: ClassGUID
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32000
Value: DeviceDesc
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NdisFileServices32\Enum
Value: 0
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NdisFileServices32\Enum
Value: Count
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NdisFileServices32\Enum
Value: NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\Root\LEGACY_NDISFILESERVICES32000\Control
Value: ActiveService

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Value: d
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value: {06DB7430-7430-6DB1-306D-430DB4306DB1}
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\NdisFileServices32
Value: ImagePath
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\NdisFileServices32
Value: DeleteFlag
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\NdisFileServices32
Value: ImagePath
HKEY_CURRENT_USER\Software\CurrentControlSet\Enum\Root\Legacy_VWSERVICE000
Value: ClassGUID
HKEY_CURRENT_USER\Software\CurrentControlSet\Enum\Root\Legacy_VWSERVICE000
Value: DeviceDesc
HKEY_CURRENT_USER\Software\CurrentControlSet\Enum\Root\Legacy_VWSERVICE000
Value: Service
HKEY_CURRENT_USER\Software\CurrentControlSet\Enum\Root\Legacy_VWSERVICE000
Value: ConfigFlag
HKEY_CURRENT_USER\Software\CurrentControlSet\Enum\Root\Legacy_VWSERVICE000
Value: Legacy
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice
Value: ImagePath
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice
Value: ObjectName
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice
Value: ErrorControl
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice
Value: Start
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice
Value: Type
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice
Value: FailureActions
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice\Enum
Value: NextInstance
HKEY_CURRENT_USER\Software\CurrentControlSet\Services\vwservice\Enum
Value: 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Value: s
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Value: f
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Value: d
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Value: f
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Value: d
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Value: s
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Value: Start Page


3. Search the registry for the virus file names listed above and remove them. From the Edit menu choose Find, enter the name as the keyword, and delete every value the search finds.

4. Exit the Registry Editor.

5. Restart the computer.
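Before and after working through steps 1 to 5, it helps to know which of the indicators listed above are actually present on the host. The following PowerShell script is an added example (not from the original post and not a vendor removal tool): it checks the process names, the two services, the registry keys and values from the list above, and the EnableLUA setting, and reports each as present or absent together with whether that state is expected on a clean host. Which state counts as clean is my assumption based on standard Windows, not something the post states: SafeBoot is part of every Windows install (Safe Mode boot depends on it, which matters for step 1 if the key has been deleted), while vwservice, NdisFileServices32, the Run\aouei value and the ShellExecuteHooks CLSID are not part of Windows. The script kills and deletes nothing.

```powershell
# Added example, not part of the original post. Read-only triage of the
# indicators the guide lists; reports presence/absence and does nothing else.
# Assumption: run from an elevated Windows PowerShell 5.1+ session on the suspect host.

function Test-RegValue {
    param([string] $Path, [string] $Name)
    # Get-ItemProperty throws (with -ErrorAction Stop) if the key or value is missing.
    try { $null -ne (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop) }
    catch { $false }
}

function New-Finding {
    param([string] $Kind, [string] $Item, [bool] $Found, [bool] $ExpectedOnCleanHost)
    [pscustomobject]@{
        Kind       = $Kind
        Item       = $Item
        Found      = $Found
        Suspicious = ($Found -ne $ExpectedOnCleanHost)   # present-but-shouldn't-be, or missing-but-should-be
    }
}

function Get-SalityIndicators {
    # Process names from step 2 of the guide (%System%, %Windir% and c:\ entries, extension dropped).
    foreach ($n in 'amvo', 'blastclnnn', 'scvhsot', 'vwservice', 'vwsrv', 'rdsfk') {
        $p = @(Get-Process -Name $n -ErrorAction SilentlyContinue)
        New-Finding 'Process' $n ($p.Count -gt 0) $false
    }

    # Services named under ...\Services\ in the guide's registry list.
    foreach ($svc in 'vwservice', 'NdisFileServices32') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        New-Finding 'Service' $svc ($null -ne $s) $false
    }

    # Registry keys. SafeBoot is expected on a healthy install (assumption: standard Windows);
    # the others are artefacts from the guide and are not part of Windows.
    $keys = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot';                    Clean = $true  }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\vwservice';                  Clean = $false }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NdisFileServices32';         Clean = $false }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VWSERVICE';          Clean = $false }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISFILESERVICES32'; Clean = $false }
    )
    foreach ($k in $keys) {
        New-Finding 'RegKey' $k.Path (Test-Path -LiteralPath $k.Path) $k.Clean
    }

    # Registry values from the guide (the Run entry and the ShellExecuteHooks CLSID).
    $values = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
           Name = 'aouei'; Clean = $false }
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
           Name = '{06DB7430-7430-6DB1-306D-430DB4306DB1}'; Clean = $false }
    )
    foreach ($v in $values) {
        New-Finding 'RegValue' "$($v.Path)\$($v.Name)" (Test-RegValue $v.Path $v.Name) $v.Clean
    }

    # EnableLUA = 0 means UAC is switched off; the guide lists the virus setting it to 0.
    $luaPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -LiteralPath $luaPath -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    New-Finding 'UAC' "EnableLUA=$lua" ($lua -eq 0) $false
}

# Usage: suspicious rows first. Re-run after the manual cleanup and the reboot in step 5
# to confirm that no artefact has come back.
Get-SalityIndicators | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Because the file-infector component re-creates its artefacts from any infected executable that is run, a clean second run after the reboot is the meaningful result; a single artefact reappearing means an infected file is still being launched.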

One Response

  1. Ve-very very helpful…
    but is there a way to repair files that have already been infected??
    maybe there's some telltale sign or something??
    or do you need a hex editor or something like that??
    please enlighten me further
