Solved

How to clean win32/sality.NAR virus

Posted on 2009-06-30
10
7,223 Views
Last Modified: 2013-11-22
O.S.: Windows Vista Home Premium
Antivirus: ESET NOD32 Antivirus 4 (license copy)

win32/sality.NAR virus attacks the .exe files, and they are not getting cleaned using the above antivirus.
It gives a message saying "error while cleaning",
but it says it's quarantined. How do I clean the virus? And what harm does it create if not cleaned?
But every time I do a scan it shows the same infiltrations.
0
Question by:saul2paul
10 Comments
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24743649
If I were you I would just reformat, can't really trust these file infectors.

Run these tools:
Kaspersky Sality removal tool
http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889


Virut: (it's possible that Virut is present there as well)
http://www.freedrweb.com/ 
 

Also run ComboFix and show us the logfile.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run re-download but rename before saving to your desktop)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix 

 
0
 
LVL 18

Expert Comment

by:awawada
ID: 24743903
0
 
LVL 38

Expert Comment

by:younghv
ID: 24744512
@awawada - I agree that the Panda site can give a good scan of a system, but your comment has nothing to do with this question.
0

 
LVL 1

Expert Comment

by:GIMLI
ID: 24745272
The cleaning depends on whether the system files are infected or not (I assume they are). In such a case, the best would be to slave the disk, boot from a clean one and run a scan of the infected disk.

or

The file that is associated with the Sality virus is wmimgr32.dll; it resides in the C:\WINDOWS\system32\ folder.
1. Download a good antivirus program (Kaspersky seems to be the one to use with regards to this virus) and install it.
2. Update Kaspersky.
3. Download CCleaner, install and run it.
4. Turn off System Restore (this will prevent you from potentially reinfecting your PC).
5. Run a Disk Cleanup.
6. Boot into safe mode by restarting the PC and pressing F8 repeatedly until you see a boot menu, then choose safe mode.
7. Once in safe mode, look for the wmimgr32.dll file and delete it; press Shift + Del to bypass the recycle bin.
8. Run CCleaner again.
9. If possible, scan the PC with Kaspersky.
Once you are satisfied your system is clean, turn System Restore back on and create a restore point.
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 24745671
I believe ComboFix will take care of this, but you will need to disable startup items that have any relation to this virus.
I recommend disabling all the startup items except the system ones, which you can recognize by name.

You should also unhide system files to delete any hidden viruses. List folders by type and check if there are any folder icons that have an ".exe" extension or are marked as an application.

Restart your computer in safe mode and create the following Rescue disk or flash disk.
http://www.megaleecher.net/Bootable_Kaspersky_Rescue_Disk

This will surely clean all this crapware for you.

GL
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 24750175
As advised above by rpggamergirl, the Kaspersky removal tool sality_off will do the trick.
However, please make sure to go through the other steps on that page (registry fixes, cleaning temp folders, etc.), as the tool will only do the required results if those steps are followed.
Also, please make sure to disconnect the infected machines from the network, as this virus spreads very quickly through file shares.

You will also need to clean up the %TEMP% folder directory completely, since the dropper resides there.


0
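
The read-only checks below gather what GIMLI, Mohammed Hamada and Admin3k point at in the comments above (the named DLL, executables under %TEMP%, startup Run entries), so the state can be compared before and after cleaning. This is an added example, not part of any poster's comment; the function name, the extension list and the choice of Run keys are assumptions, and it needs Windows PowerShell 4.0 or later.

```powershell
# Added example: read-only triage of the locations named in this thread.
# Assumes Windows PowerShell 4.0+ (for Get-FileHash). Nothing is modified or deleted.
function Get-ThreadTriage {
    # Helper: build one result row; the hash stays empty when there is no readable file.
    function New-Row($check, $path, $detail) {
        $hash = $null
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }
        [pscustomobject]@{ Check = $check; Path = $path; Detail = $detail; SHA256 = $hash }
    }

    # 1. The DLL named in GIMLI's comment.
    $dll = Join-Path $env:SystemRoot 'System32\wmimgr32.dll'
    if (Test-Path -LiteralPath $dll) {
        New-Row 'NamedDll' $dll ("Modified " + (Get-Item -LiteralPath $dll -Force).LastWriteTime)
    }

    # 2. Executable files under %TEMP% (the extension list is this example's choice).
    Get-ChildItem -LiteralPath $env:TEMP -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.scr' } |
        ForEach-Object { New-Row 'TempExecutable' $_.FullName ("Created " + $_.CreationTime) }

    # 3. Per-machine and per-user Run entries (startup items).
    $skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($values) {
            $values.PSObject.Properties |
                Where-Object { $_.Name -notin $skip } |
                ForEach-Object { New-Row "Run:$($_.Name)" $null "$key -> $($_.Value)" }
        }
    }
}

Get-ThreadTriage | Format-Table -AutoSize -Wrap
```

On 64-bit Windows, run it from 64-bit PowerShell so that the System32 path is not redirected to SysWOW64.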
 
LVL 3

Author Comment

by:saul2paul
ID: 24751540
I believe the link given by rpggamergirl: http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889 

does not remove win32sality.NAR virus but only (y, z, aa) modifications.
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 24751707
Please check the aliases for Win32sality.NAR on the ESET website; different names, same version.
http://www.eset.sk/buxus/generate_page.php?page_id=20616
0
 
LVL 3

Accepted Solution

by:
saul2paul earned 0 total points
ID: 24752601
Kaspersky Sality removal tool didn't work for me even after disabling real-time file protection and antivirus and antispyware protection.

I used the ESET NOD32 AV with strict cleaning enabled in the ThreatSense engine and did a CCleaner and it worked.
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 24772050
Restart into safe mode and run your anti virus and spyware detection programs. I suggest running this series in three back to back cycles, rebooting once per cycle back into safe mode:

1. Malwarebytes
2. SuperAntiSpyware
3. Spybot
4. Symantec Endpoint or Symantec Corp AntiVirus

After three complete cycles, reboot into normal mode. If the situation continues, go to TrendMicro and run the online scan HouseCall.
0
