Solved

How to clean win32/sality.NAR virus

Posted on 2009-06-30
Last Modified: 2013-11-22
OS: Windows Vista Home Premium
Antivirus: ESET NOD32 Antivirus 4 (licensed copy)

The win32/sality.NAR virus attacks the .exe files, and they are not getting cleaned using the above antivirus.
It gives a message saying "error while cleaning",
but it says it's quarantined. How do I clean the virus? And what harm does it create if not cleaned?
But every time I do a scan it shows the same infiltrations.
0
Question by:saul2paul
10 Comments
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24743649
If I were you I would just reformat, can't really trust these file infectors.

Run these tools:
Kaspersky Sality removal tool
http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889


Virut:(it's possible that virut is present there as well)
http://www.freedrweb.com/
 

Also run combofix and show us the logfile.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run re-download but rename before saving to your desktop)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 
0
 
LVL 18

Expert Comment

by:awawada
ID: 24743903
0
 
LVL 38

Expert Comment

by:younghv
ID: 24744512
@awawada - I agree that the Panda site can give a good scan of a system, but your comment has nothing to do with this question.
0
 
LVL 1

Expert Comment

by:GIMLI
ID: 24745272
The cleaning depends on whether the system files are infected or not (I assume they are). In such a case, the best would be to slave the disk, boot from a clean one and run a scan of the infected disk.

or

The file that is associated with the Sality virus is wmimgr32.dll; it resides in the C:\WINDOWS\system32\ folder.
1. Download a good antivirus program (Kaspersky seems to be the one to use with regard to this virus) and install it.
2. Update Kaspersky.
3. Download CCleaner, install and run it.
4. Turn off System Restore. (This will prevent you from potentially reinfecting your PC.)
5. Run a Disk Cleanup.
6. Boot into safe mode by restarting the PC and pressing F8 repeatedly until you see a boot menu; choose safe mode.
7. Once in safe mode, look for the wmimgr32.dll file and delete it; press Shift + Del to bypass the recycle bin.
8. Run CCleaner again.
9. If possible, scan the PC with Kaspersky.
Once you are satisfied your system is clean, turn System Restore back on and create a restore point.
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 24745671
I believe ComboFix will take care of this, but you will need to disable startup items that have any relation to this virus...
I recommend disabling all the startup items except the system ones, which you can recognize by name.

You should also unhide system files to delete any hidden viruses. List folders by type and check if there are any folder icons that have an ".exe" extension or are marked as an application.

Restart your computer in safe mode and create the following Rescue disk or flash disk.
http://www.megaleecher.net/Bootable_Kaspersky_Rescue_Disk

This will surely clean all this crapware for you.

GL
0
LVL 23

Expert Comment

by:Admin3k
ID: 24750175
As advised above by rpggamergirl, the Kaspersky removal tool sality_off will do the trick.
However, please make sure to go through the other steps on that page (registry fixes, cleaning temp folders, etc.), as the tool will only do the required results if those steps are followed.
Also, please make sure to disconnect the infected machines from the network, as this virus spreads very quickly through file shares.

You will also need to clean up the %TEMP% folder directory completely, since the dropper resides there.


0
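A read-only triage sketch of the checks suggested in the answers above: the wmimgr32.dll file name from GIMLI's answer, executables under %TEMP% from Admin3k's, and folder-lookalike .exe files from Mohammed Hamada's. This is an added example, not code from the thread; the extension list, the lookalike heuristic, the function names and the sample tree are assumptions.

```python
import os
import tempfile
from pathlib import Path

INDICATOR = "wmimgr32.dll"  # file name quoted in GIMLI's answer
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".pif"}  # assumed extension list

def triage(system32, temp_dir, browse_dirs=()):
    """Return sorted (kind, path) findings; read-only, deletes nothing."""
    findings = []
    s32 = Path(system32)
    if s32.is_dir():
        # Compare case-insensitively, as Windows file names are.
        findings += [("indicator-file", str(p)) for p in s32.iterdir()
                     if p.is_file() and p.name.lower() == INDICATOR]
    # Executables anywhere under %TEMP% deserve review before the cleanup.
    for root, _dirs, files in os.walk(temp_dir):
        findings += [("temp-executable", os.path.join(root, f)) for f in files
                     if Path(f).suffix.lower() in EXEC_EXT]
    # Heuristic (assumption): "<name>.exe" sitting beside a folder "<name>".
    for d in map(Path, browse_dirs):
        if not d.is_dir():
            continue
        entries = list(d.iterdir())
        folders = {p.name.lower() for p in entries if p.is_dir()}
        findings += [("folder-lookalike", str(p)) for p in entries
                     if p.is_file() and p.suffix.lower() == ".exe"
                     and p.stem.lower() in folders]
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree (empty files) standing in for a disk."""
    root = Path(root)
    for rel in ("system32/WMIMGR32.DLL", "system32/kernel32.dll",
                "temp/a/setup.EXE", "temp/notes.txt",
                "docs/Photos/pic.jpg", "docs/Photos.exe", "docs/tool.exe"):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()
    return root / "system32", root / "temp", [root / "docs"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        s32, temp, browse = build_sample(tmp)
        for kind, path in triage(s32, temp, browse):
            print(f"{kind:17} {path}")
```

On a real machine the arguments would be the C:\WINDOWS\system32 folder, the %TEMP% folder and whichever folders are being inspected; a hit is a prompt for a scan, not proof of infection.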
 
LVL 3

Author Comment

by:saul2paul
ID: 24751540
I believe the link given by rpggamergirl: http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889

does not remove win32sality.NAR virus but only (y, z, aa) modifications
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 24751707
Please check the aliases for Win32sality.NAR on the ESET website; different names, same version.
http://www.eset.sk/buxus/generate_page.php?page_id=20616
0
 
LVL 3

Accepted Solution

by:
saul2paul earned 0 total points
ID: 24752601
Kaspersky Sality removal tool didn't work for me even after disabling real-time file protection and antivirus and antispyware protection.

I used the ESET NOD32 AV with strict cleaning enabled in the ThreatSense engine and did a CCleaner and it worked.
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 24772050
Restart into safe mode and run your anti virus and spyware detection programs. I suggest running this series in three back to back cycles, rebooting once per cycle back into safe mode:

1. Malwarebytes
2. SuperAntiSpyware
3. Spybot
4. Symantec Endpoint or Symantec Corp AntiVirus

After three complete cycles, reboot into normal mode. If the situation continues, go to TrendMicro and run the online scan Housecall.
0
