Win32.Sality.AA

Posted by elise in Blog Worm on July 11th, 2011 | 2 Comments

Win32.Sality.AA is a kind of worm which violates your privacy and also aims at your money. It mainly targets less-aware PC users, who are pushed into buying a licensed version of a program. Only afterward is it discovered that the program is fake and is actually spyware. At this point everyone wants to know how to remove Win32.Sality.AA.

What does Win32.Sality.AA do?

The main objective of Win32.Sality.AA is to spread and infect as many computers as possible. It does this by creating copies of itself on infected computers, which then spread to other computers through several channels including email, P2P programs and instant messaging, among others.

Win32.Sality.AA often uses social engineering techniques. To do so, malware creators use attractive names to camouflage the malicious files. Most of these names relate to sex, famous people, pirated software, current affairs, or generally try to appeal to people's morbid curiosity.

How to deal with Win32.Sality.AA infection

There are two ways by which the infection can be eliminated from the user's PC. You may remove Win32.worm.lovgate manually or with anti-virus software.

You can remove Win32.Sality.AA by following the given manual steps.

1. Remove all executable W32-Harakit processes with the help of Windows Task Manager

2. Delete all of its registry entries using the registry editor

3. Search for all the available W32-Harakit processes and delete them

Manual removal is a risky procedure and should be carried out by advanced users only, as there is a chance of system damage.

Using anti-virus software is the sensible way to remove the infection from your computer. Since there is a lot of such anti-virus software on the market, we sincerely recommend you try PC Safe Doctor. This program scans your system and detects the corrupted and malicious program files stored in it. It thoroughly scans the entire PC and eliminates every trace of Win32.Sality.AA from the PC.

Can’t believe it? You can now easily remove Win32.Sality.AA within three steps:

1. Download PC Safe Doctor for free

2. Install and run online scan of PC Safe Doctor

3. After the scan finishes, select all the detected viruses and click the Remove button

Download the right tool for your operating system. The original W32/Autorun-BCM was found on Windows XP and ME, but has since spread to newer operating systems such as Vista. Be sure to grab the right removal tool from Symantec's website to ensure removal of W32/Autorun-BCM.

Win32/Sality.AA

What is Win32/Sality.AA?
Win32/Sality.AA is a polymorphic virus that infects Win32 PE executable files while also acting as a keylogger. The virus logs keystrokes in certain windows, collects certain information on the infected machine, and periodically submits all the collected data to a remote site. Win32/Sality.AA can be spread through unsolicited spam email, corrupt P2P and freeware downloads, or porn sites.

After being installed on the PC, Win32/Sality.AA may download adware, spyware and other malware threats and deliver corrupt files, such as scvhsot.exe, blastclnnn.exe and hinhem.scr, within the Windows directory.

Win32/Sality.AA is also known as W32/Sality [McAfee], Virus.Win32.Sality.aa [Kaspersky], W32.Sality.AE [Symantec], Virus: Win32/Sality.AM [MS OneCare], PE_SALITY.EM [Trend].

Do you have Win32/Sality.AA?
If you have enough time and expertise, you can search your computer for Win32/Sality.AA manually. However, it might take hours to find all the files of Win32/Sality.AA, and it is possible that Win32/Sality.AA will reappear after rebooting, as its hidden files may still be there.

Download automatic scanner for Win32/Sality.AA
Spyware Cease is technology-oriented security protection that provides a risk-free computing environment for your home and office, with detection, removal and guarding in one intuitive and straightforward interface. Only Spyware Cease gives you an individual fix for the most dangerous spyware problems.

Manual Win32/Sality.AA removal instructions
WARNING: The manual removal method is for advanced users. Manual Win32/Sality.AA removal can be difficult and time-consuming. There is no guarantee that Win32/Sality.AA can be completely removed, as hundreds of files are generated when Win32/Sality.AA is installed on your system. Make sure to back up your computer in case you make a mistake and your system stops working.

Follow the instructions below for Win32/Sality.AA removal manually:

Navigate and stop the Win32/Sality.AA processes:
N/A

Navigate and delete Win32/Sality.AA files:
%System%\amvo.exe
%System%\blastclnnn.exe
%System%\scvhsot.exe
%Temp%\00055a0e_rar\scvhsot.exe
%Temp%\000592b2_rar\scvhsot.exe
%Temp%\0005934e_rar\hinhem.scr
%Temp%\0005938d_rar\blastclnnn.exe
%Windir%\hinhem.scr
%Windir%\scvhsot.exe
c:\rdsfk.com

Navigate and remove Win32/Sality.AA registry keys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[INFECTED FILE]" = "[INFECTED FILE]:*:Enabled:ipsec"
HKEY_CURRENT_USER\Software\[USER NAME]914
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify = dword:00000001
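The file and registry lists above can be checked without editing anything by hand. The following PowerShell script is an added example (not part of the original page or of any product it mentions) that audits, read-only, the Security Center override values, the two LEGACY_* enumeration keys, the firewall exception list and the dropped-file paths given above. It assumes %System% maps to $env:SystemRoot\System32, %Windir% to $env:SystemRoot and %Temp% to $env:TEMP, and that the hexadecimal %Temp%\..._rar folder names vary, so they are matched with a wildcard.

```powershell
# Added example: read-only audit of the indicators listed on this page.
# Run in an elevated PowerShell session; it only reports, it changes nothing.

$scPath  = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$scNames = 'AntiVirusOverride','AntiVirusDisableNotify','FirewallDisableNotify',
           'FirewallOverride','UpdatesDisableNotify','UacDisableNotify'

# A value of 1 silences Security Center warnings; check both key locations listed.
foreach ($key in @($scPath, "$scPath\Svc")) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $scNames) {
        if ($props.$name -eq 1) { Write-Output "SUSPICIOUS: $key\$name = 1" }
    }
}

# Legacy service enumeration keys the page associates with the infection.
$legacyKeys = 'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80',
              'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER'
foreach ($key in $legacyKeys) {
    if (Test-Path $key) { Write-Output "FOUND: $key" }
}

# Firewall exceptions: flag any application entry that ends in ':Enabled:ipsec'.
$fwList = 'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwList) {
    $props = Get-ItemProperty -Path $fwList
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -like '*:Enabled:ipsec') {
            Write-Output "FIREWALL EXCEPTION: $($p.Name) = $($p.Value)"
        }
    }
}

# Dropped files, with the placeholders expanded (assumed mapping, see lead-in).
$files = "$env:SystemRoot\System32\amvo.exe", "$env:SystemRoot\System32\blastclnnn.exe",
         "$env:SystemRoot\System32\scvhsot.exe", "$env:SystemRoot\hinhem.scr",
         "$env:SystemRoot\scvhsot.exe", 'C:\rdsfk.com'
# The %Temp%\<hex>_rar folders have variable names, so enumerate them with a wildcard.
$files += @(Get-ChildItem -Path "$env:TEMP\*_rar" -Directory -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ChildItem -Path $_.FullName -Recurse -ErrorAction SilentlyContinue `
                             -Include scvhsot.exe,hinhem.scr,blastclnnn.exe } |
            ForEach-Object { $_.FullName })
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { Write-Output "FILE PRESENT: $f" }
}
```

A clean machine produces no output; any line printed is a lead to investigate with a full anti-virus scan, not proof of infection on its own.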

What are the symptoms of Win32/Sality.AA?

  • Win32/Sality.AA may infect a computer via spam e-mail, corrupt web sites and third-party downloads that exploit security holes
  • Win32/Sality.AA may change system settings, create pop-up ads matching your browsing habits and collect system activity
  • Win32/Sality.AA may forward passwords, login names and other private information to outside hackers while evading antivirus and firewall programs

How do I keep away from Win32/Sality.AA
Once you have cleaned up Win32/Sality.AA, the most important way to prevent Win32/Sality.AA and future malicious programs from returning is to stay suspicious of spam e-mail attachments and unknown websites. Here are several ways in which you can help protect your computer against Win32/Sality.AA and other malware:

  • Use a computer firewall
  • Confirm that you have downloaded all the latest critical security updates
  • Adjust Internet Explorer web browser’s security settings
  • Download and install anti-spyware protection, such as Spyware Cease
  • Surf sites and download programs from the web sites you trust

What is a virus?
Win32/Sality.AA is a type of virus.

A virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man-made. A simple virus that makes a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt.