Soulwinner asked:
How to clean win32/sality.NAR virus

OS: Windows Vista Home Premium
Antivirus: ESET NOD32 Antivirus 4 (licensed copy)

The Win32/Sality.NAR virus attacks the .exe files, and they are not getting cleaned using the above antivirus.
It gives a message saying "error while cleaning",
but it says it's quarantined. How do I clean the virus? And what harm does it cause if not cleaned?
But every time I do a scan it shows the same infiltrations.
rpggamergirl:

If I were you I would just reformat; you can't really trust these file infectors.

Run these tools:
Kaspersky Sality removal tool
http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889


Virut (it's possible that Virut is present there as well):
http://www.freedrweb.com/

Also run ComboFix and show us the logfile.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run re-download but rename before saving to your desktop)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the ComboFix tutorial, which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

awawada:

@awawada - I agree that the Panda site can give a good scan of a system, but your comment has nothing to do with this question.
The cleaning depends on whether the system files are infected or not (I assume they are). In that case, the best approach would be to slave the disk, boot from a clean one, and run a scan of the infected disk,

or

The file that is associated with the Sality virus is wmimgr32.dll; it resides in the C:\WINDOWS\system32\ folder.
1. Download a good antivirus program (Kaspersky seems to be the one to use with regard to this virus) and install it.
2. Update Kaspersky.
3. Download CCleaner, install it, and run it.
4. Turn off System Restore (this will prevent you from potentially reinfecting your PC).
5. Run a Disk Cleanup.
6. Boot into Safe Mode by restarting the PC and pressing F8 repeatedly until you see a boot menu; choose Safe Mode.
7. Once in Safe Mode, look for the wmimgr32.dll file and delete it; press Shift + Del to bypass the Recycle Bin.
8. Run CCleaner again.
9. If possible, scan the PC with Kaspersky.
Once you are satisfied your system is clean, turn System Restore back on and create a restore point.
I believe ComboFix will take care of this, but you will need to disable startup items that have any relation to this virus.
I recommend disabling all the startup items except the system ones, which you can recognize by name.

You should also unhide system files to delete any hidden viruses. List folders by type and check if there are any folder icons that have an ".exe" extension or are marked as an application.

Restart your computer in Safe Mode and create the following rescue disk or flash disk:
http://www.megaleecher.net/Bootable_Kaspersky_Rescue_Disk

This will surely clean all this crapware for you.

GL
As advised above by rpggamergirl, the Kaspersky removal tool sality_off will do the trick.
However, please make sure to go through the other steps on that page (registry fixes, cleaning temp folders, etc.), as the tool will only give the required results if those steps are followed.
Also, please make sure to disconnect the infected machines from the network, as this virus spreads very quickly through file shares.

You will also need to clean up the %TEMP% directory completely, since the dropper resides there.

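The replies above keep coming back to the same point: Sality is a file infector, so the .exe files themselves are what need checking, and a scanner that reports "error while cleaning" leaves you without a list of which files are still modified. What follows is an added example, not code from anyone in this thread or from any of the tools mentioned: a small Python script that parses PE headers with the standard library only and flags executables whose entry point falls in the last section, or in a section marked both writable and executable, which is the shape an appended infector body usually leaves behind. It is a heuristic only (packed binaries and some installers trip it too), and it produces a list of files to compare against known-good copies, not a cleaner. The build_pe helper and the CLEAN/INFECTED byte strings are constructed sample input so the script runs offline; scan_tree is what you would point at a real directory.

```python
"""Added example (not from this thread): heuristic triage for appending PE
file infectors such as Sality. Parses PE headers with struct only and flags
executables whose entry point lies in the last section or in a section that is
both writable and executable. Heuristic only: packers and some installers
trigger it as well, so treat hits as "compare against a known-good copy".
"""
import os
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section flag combinations used by the constructed samples below (standard PE values).
TEXT_FLAGS = 0x60000020   # CODE | EXECUTE | READ
DATA_FLAGS = 0xC0000040   # INITIALIZED_DATA | READ | WRITE
RWX_FLAGS = 0xE0000020    # CODE | EXECUTE | READ | WRITE (what appended code usually needs)


def parse_pe(data):
    """Return (entry_rva, [(name, vaddr, vsize, characteristics), ...]) or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)   # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)      # COFF SizeOfOptionalHeader
    opt_off = e_lfanew + 24
    if opt_off + 20 > len(data):
        return None
    entry_rva, = struct.unpack_from("<I", data, opt_off + 16)      # AddressOfEntryPoint (PE32 and PE32+)
    sections = []
    for i in range(num_sections):
        off = opt_off + opt_size + 40 * i                          # section headers are 40 bytes each
        if off + 40 > len(data):
            return None
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)    # VirtualSize, VirtualAddress
        chars, = struct.unpack_from("<I", data, off + 36)          # Characteristics
        sections.append((name, vaddr, vsize, chars))
    return entry_rva, sections


def triage(data):
    """Return a list of findings for one PE image; an empty list means nothing suspicious."""
    parsed = parse_pe(data)
    if parsed is None:
        return ["not a PE file"]
    entry_rva, sections = parsed
    hit = None
    for i, (name, vaddr, vsize, chars) in enumerate(sections):
        if vaddr <= entry_rva < vaddr + max(vsize, 1):
            hit = i
            break
    if hit is None:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    name, _, _, chars = sections[hit]
    findings = []
    if hit == len(sections) - 1 and len(sections) > 1:
        findings.append("entry point in last section %r (appended code?)" % name)
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %r is writable and executable" % name)
    elif not chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %r is not marked executable" % name)
    return findings


def scan_tree(root):
    """Walk root and return {path: findings} for every .exe/.dll/.scr that produced findings."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in (".exe", ".dll", ".scr"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue            # locked or unreadable file: skip, do not abort the sweep
            findings = triage(data)
            if findings:
                hits[path] = findings
    return hits


def build_pe(entry_rva, sections):
    """Constructed test input: a minimal PE32 header (headers only, no code), not a real binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # standard PE32 optional header size
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr, 0, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections)
    return dos + coff + bytes(opt) + table


# Constructed samples: a normal layout, and an appended RWX last section that now holds the entry point.
CLEAN = build_pe(0x1010, [(".text", 0x1000, 0x200, TEXT_FLAGS), (".data", 0x2000, 0x100, DATA_FLAGS)])
INFECTED = build_pe(0x3010, [(".text", 0x1000, 0x200, TEXT_FLAGS), (".data", 0x2000, 0x100, DATA_FLAGS),
                             (".extra", 0x3000, 0x4000, RWX_FLAGS)])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, findings in sorted(scan_tree(sys.argv[1]).items()):
            print(path, "->", "; ".join(findings))
    else:
        print("clean sample:   ", triage(CLEAN))
        print("infected sample:", triage(INFECTED))
```

Run it with a directory argument (for example the Program Files tree of the slaved disk) to get a list of candidates; run it with no argument to see the two constructed samples. The entry-point check is deliberately conservative: a single-section executable is not flagged for "last section", because that is the normal layout for tiny binaries, and a hit means "diff this against install media", not "infected".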

Soulwinner (asker):

I believe the link given by rpggamergirl, http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889,

does not remove the Win32/Sality.NAR virus but only the (y, z, aa) modifications.
Please check the aliases for Win32/Sality.NAR on the ESET website; different names, same version:
http://www.eset.sk/buxus/generate_page.php?page_id=20616
ASKER CERTIFIED SOLUTION
Soulwinner:
Restart into Safe Mode and run your antivirus and spyware detection programs. I suggest running this series in three back-to-back cycles, rebooting once per cycle back into Safe Mode:

1. Malwarebytes
2. SUPERAntiSpyware
3. Spybot
4. Symantec Endpoint or Symantec Corporate AntiVirus

After three complete cycles, reboot into normal mode. If the situation continues, go to Trend Micro and run the online scan HouseCall.