What is Win32/Sality.AA?
Win32/Sality.AA is a polymorphic virus that infects Win32 PE executable files and also acts as a keylogger. It logs keystrokes typed into certain windows, gathers certain information about the infected machine, and periodically submits all the collected data to a remote site. Win32/Sality.AA can be spread through unsolicited spam email, corrupt P2P and freeware downloads, or porn sites.

Once installed on a PC, Win32/Sality.AA may download adware, spyware and other malware threats and deliver corrupt files, such as scvhsot.exe, blastclnnn.exe and hinhem.scr, within the Windows directory.

Win32/Sality.AA is also known as W32/Sality [McAfee], Virus.Win32.Sality.aa [Kaspersky], W32.Sality.AE [Symantec], Virus:Win32/Sality.AM [MS OneCare], PE_SALITY.EM [Trend].

Do you have Win32/Sality.AA?
If you have enough time and expertise, you can search your computer for Win32/Sality.AA manually. However, it might take hours to find all the files belonging to Win32/Sality.AA, and it may reappear after a reboot if any of its hidden files are still there.

Download automatic scanner for Win32/Sality.AA
Spyware Cease is a technology-oriented security product that provides a risk-free computing environment for your home and office, with detection, removal and guard in one intuitive and straightforward interface. Only Spyware Cease gives you an individual fix against the most dangerous spyware problems.

Manual Win32/Sality.AA removal instructions
WARNING: The manual removal method is for advanced users. Removing Win32/Sality.AA manually can be difficult and time-consuming. There is no guarantee that Win32/Sality.AA can be completely removed, because hundreds of files are generated when Win32/Sality.AA is installed on your system. Make sure to back up your computer in case you make a mistake and your system stops working.

Follow the instructions below to remove Win32/Sality.AA manually:

Locate and stop the Win32/Sality.AA processes:
N/A

Locate and delete the Win32/Sality.AA files:
%System%\amvo.exe
%System%\blastclnnn.exe
%System%\scvhsot.exe
%Temp%\00055a0e_rar\scvhsot.exe
%Temp%\000592b2_rar\scvhsot.exe
%Temp%\0005934e_rar\hinhem.scr
%Temp%\0005938d_rar\blastclnnn.exe
%Windir%\hinhem.scr
%Windir%\scvhsot.exe
c:\rdsfk.com

Locate and remove the Win32/Sality.AA registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[INFECTED FILE]" = "[INFECTED FILE]:*:Enabled:ipsec"
HKEY_CURRENT_USER\Software\[USER NAME]914
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify = dword:00000001
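
Before deleting anything, it helps to confirm which of the files and registry values listed above are actually present. The following read-only PowerShell check is an added example, not part of the original instructions; it assumes %System% means %SystemRoot%\System32, %Windir% means %SystemRoot%, and that the hexadecimal prefix of the %Temp%\..._rar folders varies from machine to machine.

```powershell
# Read-only audit for the indicators listed above; nothing is deleted or changed.
# Assumption: %System% = %SystemRoot%\System32, %Windir% = %SystemRoot%, %Temp% = $env:TEMP.
$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding($type, $item, $detail) {
    $findings.Add([pscustomobject]@{ Type = $type; Item = $item; Detail = $detail })
}

# 1. Dropped files at the fixed locations named on the page.
$sys = Join-Path $env:SystemRoot 'System32'
$files = @(
    "$sys\amvo.exe", "$sys\blastclnnn.exe", "$sys\scvhsot.exe",
    "$env:SystemRoot\hinhem.scr", "$env:SystemRoot\scvhsot.exe", 'C:\rdsfk.com'
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { Add-Finding 'File' $f 'present' }
}

# 2. The same file names inside %Temp%\<hex>_rar folders.
# Assumption: the hex folder prefix differs per machine, so match on *_rar.
$names = 'scvhsot.exe', 'hinhem.scr', 'blastclnnn.exe'
Get-ChildItem -Path (Join-Path $env:TEMP '*_rar') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ChildItem -LiteralPath $_.FullName -File -Force -ErrorAction SilentlyContinue } |
    Where-Object { $names -contains $_.Name } |
    ForEach-Object { Add-Finding 'File' $_.FullName 'present' }

# 3. Security Center values set to 1 (dword:00000001 in the list above).
$valueNames = 'AntiVirusOverride', 'AntiVirusDisableNotify', 'FirewallDisableNotify',
              'FirewallOverride', 'UpdatesDisableNotify', 'UacDisableNotify'
$scKeys = 'HKLM:\SOFTWARE\Microsoft\Security Center', 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'
foreach ($key in $scKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($n in $valueNames) {
        if ($props -and $props.PSObject.Properties[$n] -and $props.$n -eq 1) {
            Add-Finding 'Registry' "$key\$n" '= 1'
        }
    }
}

# 4. Firewall exceptions in the "<file>:*:Enabled:ipsec" form shown above.
$fw = 'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters' +
      '\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$list = Get-ItemProperty -Path $fw -ErrorAction SilentlyContinue
if ($list) {
    $list.PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value.EndsWith(':*:Enabled:ipsec') } |
        ForEach-Object { Add-Finding 'Firewall' $_.Name $_.Value }
}

$findings | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; an empty result means none of the listed indicators were found at these locations.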

What are the symptoms of Win32/Sality.AA?

  • Win32/Sality.AA may infect a computer via spam e-mail and corrupt web sites, and download third-party files through security holes
  • Win32/Sality.AA may change system tracks, create pop-up ads that match browsing habits, and collect system activity
  • Win32/Sality.AA may forward passwords, login names and other secret private information to outside hackers while avoiding antivirus and firewall programs

How do I keep away from Win32/Sality.AA?
Once you have cleaned up Win32/Sality.AA, the most important step in preventing Win32/Sality.AA and future malicious programs from returning is to stay suspicious of spam e-mail attachments and unknown websites. Here are several ways in which you can help protect your computer against Win32/Sality.AA and other malware:

  • Use a computer firewall
  • Confirm that you have downloaded all the latest critical security updates
  • Adjust the Internet Explorer web browser's security settings
  • Download and install anti-spyware protection, such as Spyware Cease
  • Surf sites and download programs only from web sites you trust

What is a virus?
Win32/Sality.AA is a type of virus.

A virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are manmade. A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt.