Sality Virus
Malware - Viruses

W32.Sality is a complex virus that installs a keylogger and a backdoor. It installs itself in the system, checks the current time and runs its payload when the hours are equal to the minutes or when it is a particular date.


The Sality virus infects local executable files and deletes files belonging to security-related software such as antivirus products and firewalls. It then runs a keylogger that collects system and network information, records user login names and passwords, steals sensitive information stored in specific files and finally sends all of this data to the attacker's e-mail address.

Sality can also open a back door that gives the attacker unauthorized access to the computer; the attacker can then control it and steal further sensitive information. It is also described as a virus that modifies other files by infecting, prepending or overwriting them with its own body.

It has several variations; the detailed information about each of them is listed below.

Manually Editing the Registry:

You can edit the registry with the Windows built-in Registry Editor. Click Start > Run to open the Run box (on XP; on Vista the box is already open on the Start menu), type regedit and press Enter or OK to open the editor. Now click Edit > Find. This box searches for a particular registry key or value: for the keys listed below, copy only the last part of the key path, that is the name after the last backslash (\), including the GUID if that name is inside curly braces {}, paste it into the box (or type the name of the malware) and press "Find Next". The search either stops at a matching key or value, which is displayed in blue selection, or ends with the message "Finished searching through the registry".

Before deleting anything, confirm that the selected key belongs to the malware by comparing its full path with the ones listed here and by looking at the values it has created in the right-hand pane. It is worth exporting the key first (File > Export) so that it can be restored if you were wrong. Once you are sure, delete the entire key (the entry in the left-hand pane); if you are not sure, delete the values in the right-hand pane instead, which also cripples the functioning of the malware. To delete a key or value, select it with the mouse, right-click it and choose Delete from the menu, then confirm the alert; alternatively press the Delete key on the keyboard to delete the selected entry. The names of the files and folders created by the malware can also be used as search terms to find their associated keys.

Once you have deleted an entry, press F3 to search for the next occurrence and repeat until you reach the end of the registry. Then copy the next registry key or filename and repeat the above procedure. This is a tedious process that takes time and effort, but there is no better way to make sure the malware is out of your computer.

Variation 1) See the ThreatExpert report.

-Compromises SafeBoot registry key(s) in an attempt to disable Safe Mode.
-Modifies some system settings that may have a negative impact on the overall security state of the system.

   Modifies the following files. These are legitimate Windows system files; use the System File Checker utility (sfc /scannow) to repair them.

    C:\Windows\system.ini
    C:\Windows\System32\ctfmon.exe
    C:\Windows\System32\mmc.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\taskmgr.exe


Creates its own process in place of a Windows process:
C:\Windows\System32\dllhost.exe

Creates its own kernel-mode drivers in place of Windows drivers:
C:\Windows\System32\drivers\ipfltdrv.sys
C:\Windows\System32\drivers\iksnpn.sys

All of these are legitimate Windows files, processes and drivers that the virus replaces, so it is very difficult to remove them on a running Windows installation. The best way to eliminate the infection is a boot-time scan with a currently updated antivirus, or to attach the infected hard disk to another computer and scan it from there. One thing you can do on the infected computer is to remove the registry entries created by the virus by manually editing the registry. However, if any process belonging to the virus is still running, it will try to recreate the deleted files and folders and rewrite the registry entries. You therefore need software that alerts you as soon as any process tries to modify the registry, so that you can block further infection of the registry while you delete these keys. Spybot S&D with TeaTimer does this: TeaTimer is the component that alerts you when a process tries to modify the registry and lets you Allow or Deny the change.

Note that CurrentControlSet is a symbolic link to whichever numbered ControlSet00N the system booted from, so the ControlSet001 and CurrentControlSet entries below are normally the same keys seen twice; after deleting them, check any other ControlSet00N key (kept for Last Known Good) as well. Here is the list of registry keys created by this particular variation of Sality:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ABP470N5
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ABP470N5\0000
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ABP470N5\0000\Control
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER\0000
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER\0000\Control
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\abp470n5
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\abp470n5\Security
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\abp470n5\Enum
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ABP470N5
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ABP470N5\0000
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ABP470N5\0000\Control
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000\Control
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abp470n5
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abp470n5\Security
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abp470n5\Enum
     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
     HKEY_CURRENT_USER\Software\%UserName%914
     HKEY_CURRENT_USER\Software\%UserName%914\-72398023

Because it deletes the SafeBoot registry keys, you will not be able to boot into Safe Mode. A repair installation of Windows can make the computer workable again.
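The regedit procedure above, applied to the key list for this variation, as an added PowerShell example (it is not from the original article or from any ThreatExpert report): it checks that the SafeBoot keys still exist, searches the subtrees this variant writes to for the listed key names the way Edit > Find does, exports every hit to a .reg backup and deletes it only when run without -WhatIf. Assumptions: an elevated PowerShell prompt on the infected machine (or the offline hive loaded with reg.exe load and $roots pointed at it); %UserName%914 in the list means the logged-on user's name followed by 914; the service name abp470n5 is taken from the list above; the helper names Test-SafeBootKeys, Find-SalityKeys and Remove-SalityKeys are mine.

```powershell
# Added example, not part of the original article. Scripted version of the
# manual "Find / confirm / export / delete" procedure, driven by the
# Variation 1 key list. Nothing is deleted while -WhatIf is present.

function Test-SafeBootKeys {
    # Sality deletes these to disable Safe Mode. If either is missing, the
    # article's advice (repair installation) applies.
    $keys = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
            'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
    foreach ($k in $keys) {
        $state = if (Test-Path -LiteralPath $k) { 'present' } else { 'MISSING (Safe Mode disabled)' }
        New-Object PSObject -Property @{ Key = $k; State = $state }
    }
}

function Find-SalityKeys {
    param([string[]]$Roots, [string[]]$LeafNames)
    # Equivalent of pasting each leaf name into regedit's Find box: walk the
    # subtrees this variant writes to and return keys whose own name matches.
    # Subkeys (Security, Enum, -72398023) go with their parent on deletion.
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $LeafNames -contains $_.PSChildName }
    }
}

function Remove-SalityKeys {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipeline = $true)]$Key, [string]$BackupDir)
    process {
        if ($null -eq $Key) { return }
        # $Key.Name is the full path in reg.exe form (HKEY_LOCAL_MACHINE\...).
        # Export first (also on a dry run) so a wrong guess can be restored by
        # double-clicking the .reg file.
        $backup = Join-Path $BackupDir (($Key.Name -replace '[\\:]', '_') + '.reg')
        if (-not (Test-Path -LiteralPath $backup)) {
            & reg.exe export $Key.Name $backup | Out-Null
        }
        if ($PSCmdlet.ShouldProcess($Key.Name, 'Remove registry key')) {
            # Enum\Root\LEGACY_* keys are normally not deletable by Administrators;
            # on "access denied", grant yourself Full Control on the key
            # (regedit: right-click > Permissions) and rerun.
            Remove-Item -LiteralPath $Key.PSPath -Recurse -Force
        }
    }
}

# Leaf names from the Variation 1 list. The HKCU key is the user name plus 914.
$user914   = "$env:USERNAME" + '914'
$leafNames = 'abp470n5', 'LEGACY_ABP470N5', $user914
$roots     = 'HKLM:\SYSTEM\CurrentControlSet\Services',
             'HKLM:\SYSTEM\CurrentControlSet\Enum\Root',
             'HKCU:\Software'
$backupDir = Join-Path $env:SystemDrive 'sality-reg-backup'
if (-not (Test-Path -LiteralPath $backupDir)) {
    New-Item -ItemType Directory -Path $backupDir | Out-Null
}

Test-SafeBootKeys | Format-Table Key, State -AutoSize

# LEGACY_IPFILTERDRIVER belongs to the IP filter driver whose file the sample
# replaces: report it, but repair the driver file rather than deleting the key.
# Policies\System is a real policy key: review its values instead of deleting
# the key (the article notes that removing values also cripples the malware).
Get-Item -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER' -ErrorAction SilentlyContinue |
    Select-Object Name
Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue

$found = Find-SalityKeys -Roots $roots -LeafNames $leafNames
$found | Select-Object Name
# Dry run: prints "What if: ..." for each key. Remove -WhatIf to delete.
$found | Remove-SalityKeys -BackupDir $backupDir -WhatIf
```

Run it once as written to see what would be removed, then without -WhatIf. Because Sality restarts from any infected executable, do this with TeaTimer or an equivalent watching the registry, as the text says, and repeat the check after the antivirus boot scan to confirm the keys have not come back.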

Variation 2) See the ThreatExpert report.

-Compromises SafeBoot registry key(s) in an attempt to disable Safe Mode.
-Creates a startup registry entry.

Creates the following file on the computer. Delete it; running a temporary-files cleaner will also wipe it out automatically. (The real services.exe lives only in System32; a copy in a Temp folder is the malware.)
C:\Documents and Settings\[UserName]\Local Settings\Temp\services.exe
Modifies the following files. These are legitimate files, do not delete them. Run the System File Checker utility (sfc /scannow) to repair the infected files.
     C:\Windows\NOTEPAD.EXE
     C:\Windows\system.ini
     C:\Windows\System32\cmd.exe
     C:\Windows\System32\ctfmon.exe
     C:\Windows\System32\mmc.exe
     C:\Windows\System32\notepad.exe
     C:\Windows\System32\rundll32.exe
     C:\Windows\System32\taskmgr.exe

Creates new kernel-mode drivers; delete them if found.
C:\Windows\System32\drivers\ipfltdrv.sys
C:\Windows\System32\drivers\imjnhn.sys

There are a number of registry modifications, which you can find in the threatexpert report. 
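A file-side counterpart to the registry check, covering the files listed for Variations 1 and 2, as an added PowerShell example (not from the original article): it hashes each modified system file against a known-good copy, prints system.ini for review, and looks for the dropped driver and Temp\services.exe files. Assumptions: the infected disk is examined from a clean environment (boot medium, or attached to a second computer, as the text recommends) and mounted as D:; $Reference is a folder of clean copies of the same files taken from install media or an identical OS/service-pack machine, laid out with the same relative paths; the helper names are mine.

```powershell
# Added example, not part of the original article. Checks the files the
# Variation 1 and 2 reports name, from a clean environment.

$Windir    = 'D:\Windows'                 # infected disk mounted as D:
$Reference = 'C:\clean-xp-sp3'            # e.g. C:\clean-xp-sp3\System32\cmd.exe
$Profiles  = 'D:\Documents and Settings'  # user profiles on the infected disk

function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# Executables the reports say the virus modifies (infects in place), plus the
# replaced filter driver. A hash that differs from the reference copy of the
# same OS/service pack means the file must be replaced.
$modified = 'NOTEPAD.EXE',
            'System32\cmd.exe', 'System32\ctfmon.exe', 'System32\mmc.exe',
            'System32\notepad.exe', 'System32\rundll32.exe', 'System32\taskmgr.exe',
            'System32\dllhost.exe', 'System32\drivers\ipfltdrv.sys'

function Compare-SystemFiles {
    foreach ($rel in $modified) {
        $live = Join-Path $Windir $rel
        $ref  = Join-Path $Reference $rel
        $state = if (-not (Test-Path -LiteralPath $live)) { 'missing on disk' }
                 elseif (-not (Test-Path -LiteralPath $ref)) { 'no reference copy' }
                 elseif ((Get-FileSha256 $live) -eq (Get-FileSha256 $ref)) { 'matches reference' }
                 else { 'DIFFERS from reference: replace' }
        New-Object PSObject -Property @{ File = $live; State = $state }
    }
}

# Files the reports list as created by the virus: the two driver names and
# the services.exe dropped into each user's Temp folder (Variation 2).
function Find-DroppedFiles {
    $hits = @()
    foreach ($drv in 'iksnpn.sys', 'imjnhn.sys') {
        $p = Join-Path $Windir "System32\drivers\$drv"
        if (Test-Path -LiteralPath $p) { $hits += $p }
    }
    foreach ($prof in (Get-ChildItem -LiteralPath $Profiles -ErrorAction SilentlyContinue)) {
        $p = Join-Path $prof.FullName 'Local Settings\Temp\services.exe'
        if (Test-Path -LiteralPath $p) { $hits += $p }
    }
    $hits
}

Compare-SystemFiles | Format-Table File, State -AutoSize

# system.ini is a text file the reports list as modified: read it rather than
# hashing it, and compare with the reference copy for added lines.
"--- $Windir\system.ini ---"
Get-Content -LiteralPath (Join-Path $Windir 'system.ini')

"--- dropped files to delete ---"
Find-DroppedFiles
```

Replace anything reported as differing with its reference copy, delete the dropped files, and once the disk boots again run sfc /scannow on it (XP may prompt for the installation CD). Sality infects executables generally, so this list only covers the files the reports name; the boot-time antivirus scan is still needed for the rest of the disk.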

Variation 3) Similar to Variation 2 except for different registry modifications. See the ThreatExpert report.
     HKEY_CURRENT_USER\Software\Microsoft\Telnet
     HKEY_CURRENT_USER\Software\%UserName%914
     HKEY_CURRENT_USER\Software\%UserName%914\-72398023
