How to clean win32/sality.NAR virus

OS: Windows Vista Home Premium
Antivirus: ESET NOD32 Antivirus 4 (licensed copy)

The Win32/Sality.NAR virus attacks the .exe files and they are not getting cleaned using the above antivirus.
It gives a message saying "error while cleaning",
but it says it's quarantined. How do I clean the virus? And what harm does it cause if not cleaned?
Every time I do a scan it shows the same infiltrations.
Soulwinner (IT Manager, LVL 3) asked:

rpggamergirl commented:
If I were you I would just reformat, can't really trust these file infectors.

Run these tools:
Kaspersky Sality removal tool
http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889


Virut: (it's possible that Virut is present there as well)
http://www.freedrweb.com/

Also run combofix and show us the logfile.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run re-download but rename before saving to your desktop)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
If needed, here's the ComboFix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
awawada commented:
0
younghv commented:
@awawada - I agree that the Panda site can give a good scan of a system, but your comment has nothing to do with this question.
0

GIMLI commented:
The cleaning depends on whether the system files are infected or not (I assume they are). In that case, the best would be to slave the disk, boot from a clean one and run a scan of the infected disk.

or

The file that is associated with the Sality virus is wmimgr32.dll; it resides in the C:\WINDOWS\system32\
folder.
1. Download a good antivirus program (Kaspersky seems to be the one to use with regard to this virus) and install it.
2. Update Kaspersky.
3. Download CCleaner, install and run it.
4. Turn off System Restore (this will prevent you from potentially reinfecting your PC).
5. Run a Disk Cleanup.
6. Boot into safe mode by restarting the PC and pressing F8 repeatedly until you see a boot menu, then choose Safe Mode.
7. Once in safe mode, look for the wmimgr32.dll file and delete it; press Shift + Del to bypass the Recycle Bin.
8. Run CCleaner again.
9. If possible, scan the PC with Kaspersky.
Once you are satisfied your system is clean, turn System Restore back on and create a restore point.
0
Mohammed Hamada (Senior IT Consultant) commented:
I believe ComboFix will take care of this, but you will need to disable startup items that have any relation to this virus...
I recommend disabling all the startup items except the system ones, which you can recognize by name.

You should also unhide system files to delete any hidden viruses. List folders by type and check if there are any folder icons that have a ".exe" extension or are marked as an application.

Restart your computer in safe mode and create the following Rescue disk or flash disk.
http://www.megaleecher.net/Bootable_Kaspersky_Rescue_Disk

This will surely clean all this crapware for you.

GL
0
Mohamed Osama (Senior IT Consultant) commented:
As advised above by rpggamergirl, the Kaspersky removal tool sality_off will do the trick;
however, please make sure to go through the other steps on that page (registry fixes, cleaning temp folders, etc.), as the tool will only produce the required results if those steps are followed.
Also please make sure to disconnect the infected machines from the network, as this virus spreads very quickly through file shares.

You will also need to clean up the %TEMP% folder completely, since the dropper resides there.


0
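One way to check a machine for the indicators the comments from GIMLI, Mohammed Hamada and Mohamed Osama describe, as an added PowerShell triage script that is not part of this thread (the "folder twin" heuristic and the roots scanned are assumptions for illustration):

```powershell
# Added triage script, not from any participant in this thread. It only LISTS the
# indicators the comments above describe (wmimgr32.dll in System32, executables in
# %TEMP%, .exe files masquerading as folders) so they can be reviewed before deletion.
# The folder-twin heuristic and the roots scanned are assumptions for illustration.

function Get-SalityIndicators {
    $hits = New-Object System.Collections.Generic.List[object]

    # 1. The DLL GIMLI names as associated with Sality.
    $dll = Join-Path $env:SystemRoot 'System32\wmimgr32.dll'
    if (Test-Path -LiteralPath $dll) {
        $hits.Add([pscustomobject]@{ Indicator = 'wmimgr32.dll present'; Path = $dll })
    }

    # 2. Executables in %TEMP%, where Mohamed Osama says the dropper resides.
    $tempExes = Get-ChildItem -LiteralPath $env:TEMP -Filter *.exe -Recurse -Force `
        -ErrorAction SilentlyContinue
    foreach ($f in $tempExes) {
        $hits.Add([pscustomobject]@{ Indicator = 'EXE in %TEMP%'; Path = $f.FullName })
    }

    # 3. .exe files that mimic folders: an executable whose base name matches a
    #    directory beside it looks like a "folder" when extensions are hidden, which
    #    is what Mohammed Hamada's advice about folder icons with .exe refers to.
    #    Checked at the top level of the user profile and every file-system drive.
    $roots = @($env:USERPROFILE)
    $roots += Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }
    foreach ($root in $roots) {
        $exes = Get-ChildItem -LiteralPath $root -Filter *.exe -Force `
            -ErrorAction SilentlyContinue
        foreach ($f in $exes) {
            $twin = Join-Path $f.DirectoryName $f.BaseName
            if (Test-Path -LiteralPath $twin -PathType Container) {
                $hits.Add([pscustomobject]@{ Indicator = 'EXE mimicking folder'; Path = $f.FullName })
            }
        }
    }
    return $hits
}

# Review the list by hand; nothing in this script deletes anything.
Get-SalityIndicators | Format-Table -AutoSize
```

Run it from an elevated prompt on the suspect machine (or against a slaved disk by adjusting the roots) and compare the hits against what the antivirus reports before deleting anything.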
Soulwinner (IT Manager), author, commented:
I believe the link given by rpggamergirl: http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889

does not remove the Win32/Sality.NAR virus but only the (y, z, aa) modifications.
0
Mohamed Osama (Senior IT Consultant) commented:
Please check the aliases for Win32/Sality.NAR on the ESET website; different names, same version.
http://www.eset.sk/buxus/generate_page.php?page_id=20616
0
Soulwinner (IT Manager), author, commented:
The Kaspersky Sality removal tool didn't work for me, even after disabling real-time file protection and antivirus and antispyware protection.

I used the ESET NOD32 AV with strict cleaning enabled in the ThreatSense engine and ran CCleaner, and it worked.
0
Tony Giangreco commented:
Restart into safe mode and run your antivirus and spyware detection programs. I suggest running this series in three back-to-back cycles, rebooting once per cycle back into safe mode:

1. Malwarebytes
2. SuperAntiSpyware
3. Spybot
4. Symantec Endpoint or Symantec Corp AntiVirus

After three complete cycles, reboot into normal mode. If the situation continues, go to Trend Micro and run the online scan HouseCall.
0