This is a short tutorial on how to remove the Hybrid Sality Shortcut Win32.Sector.2x virus. It covers how to detect whether your system is infected, how the virus spreads over your network and removable devices, and what you can do to stop it and remove it from your system. This article is provided "AS-IS" with no express or implied warranty of accuracy or accessibility.

How to detect whether your system is infected by the Hybrid Sality Shortcut Win32.Sector.2x virus.

1. As with older Sality variants, the virus disables the Registry Editor (regedit).

2. While active, the virus automatically changes your Folder Options so that hidden files are not shown, to keep you from seeing where it is located.

3. The virus stops the Windows Firewall service.

4. The virus adds a firewall exception named "IPSEC" to your firewall settings. This is so that, even if you force the firewall service back on, the virus can still update itself from the internet.


5. The virus adds a section to your SYSTEM.ini named [fje32a1s] containing minr=1 (I don't know what this is used for; maybe a more advanced user does).

6. The virus uses your internet connection to update itself whenever you are online. If your internet connection feels slower than usual, check your system for infection.

7. The virus kills any running process whose name contains one of the strings below:

A2CMD, A2FREE, A2GUARD, A2SERVICE, ADVCHK, AGB, AHPROCMONSERVER, AIRDEFENSE, AKRNL, ALERTSVC, AMON, ANTIVIR, APVXDWIN, ARMOR2NET, ASHAVAST, ASHDISP, ASHENHCD, ASHMAISV, ASHPOPWZ, ASHSERV, ASHSIMPL, ASHSKPCK, ASHWEBSV, ASWSCAN, ASWUPDSV, AVAST, AVCENTER, AVCIMAN, AVCONSOL, AVENGINE, AVESVC, AVEVAL, AVEVL32, AVGAM, AVGCC, AVGCC32, AVGCHSVX, AVGCSRVX, AVGCTRL, AVGEMC, AVGFWSRV, AVGNSX, AVGNT, AVGNTMGR, AVGSERV, AVGTRAY, AVGUARD, AVGUPSVC, AVGWDSVC, AVINITNT, AVIRA, AVKSERV, AVKSERVICE, AVKWCTL, AVP, AVP32, AVPCC, AVPM, AVSCHED32, AVSERVER, AVSYNMGR, AVWUPD32, AVWUPSRV, AVXMONITOR, AVXQUAR, AVZ, BDSWITCH, BITDEFENDER, BLACKD, BLACKICE, CAFIX, CCEVTMGR, CCSETMGR, CFIAUDIT, CFP, CFPCONFIG, CLAMTRAY, CLAMWIN, CUREIT, DEFENDERDAEMON, DEFWATCH, DRVIRUS, DRWADINS, DRWEB, DWEBIO, DWEBLLIO, EKRN, ESCANH95, ESCANHNT, EWIDOCTRL, EZANTIVIRUSREGISTRATIONCHECK, F-AGNT95, F-SCHED, F-STOPW, FAMEH32, FILEMON, FIREWALL, FORTICLIENT, FORTISCAN, FORTITRAY, FPAVSERVER, FPROTTRAY, FPWIN, FRESHCLAM, FSAV32, FSAVGUI, FSBWSYS, FSDFWD, FSGK32, FSGK32ST, FSGUIEXE, FSMA32, FSMB32, FSPEX, FSSM32, GCASDTSERV, GCASSERV, GIANTANTISPYWARE, GUARDGUI, GUARDNT, GUARDXKICKOFF, GUARDXSERVICE, HREGMON, HRRES, HSOCKPE, HUPDATE, IAMAPP, IAMSERV, ICLOAD95, ICLOADNT, ICMON, ICSSUPPNT, ICSUPP95, ICSUPPNT, INETUPD, INOCIT, INORPC, INORT, INOTASK, INOUPTNG, IOMON98, IPTRAY, ISAFE, ISATRAY, KAV, KAVMM, KAVPF, KAVPFW, KAVSTART, KAVSVC, KAVSVCUI, KMAILMON, MAMUTU, MCAGENT, MCMNHDLR, MCREGWIZ, MCUPDATE, MCVSSHLD, MINILOG, MYAGTSVC, MYAGTTRY, NAVAPSVC, NAVAPW32, NAVLU32, NAVW32, NEOWATCHLOG, NEOWATCHTRAY, NISSERV, NISUM, NMAIN, NOD32, NORMIST, NOTSTART, NPAVTRAY, NPFMNTOR, NPFMSG, NPROTECT, NSCHED32, NSMDTR, NSSSERV, NSSTRAY, NTOS, NTRTSCAN, NTXCONFIG, NUPGRADE, NVCOD, NVCTE, NVCUT, NWSERVICE, OFCPFWSVC, ONLINENT, OP_MON, OPSSVC, OUTPOST, PAVFIRES, PAVFNSVR, PAVKRE, PAVPROT, PAVPROXY, PAVPRSRV, PAVSRV51, PAVSS, PCCGUIDE, PCCIOMON, PCCNTMON, PCCPFW, PCCTLCOM, PCTAV, PERSFW, PERTSK, PERVAC, PESTPATROL, PNMSRV, PREVSRV, PREVX, PSIMSVC, QHONLINE, QHONSVC, QHSET, QHWSCSVC, QUHLPSVC, RFWMAIN, RTVSCAN, RTVSCN95, SALITY, SAPISSVC, SAVADMINSERVICE, SAVMAIN, SAVPROGRESS, SAVSCAN, SCANNINGPROCESS, SCANWSCS, SDHELP, SDRA64, SHSTAT, SITECLI, SPBBCSVC, SPHINX, SPIDERCPL, SPIDERML, SPIDERNT, SPIDERUI, SPYBOTSD, SPYXX, SS3EDIT, STOPSIGNAV, SWAGENT, SWDOCTOR, SWNETSUP, SYMLCSVC, SYMPROXYSVC, SYMSPORT, SYMWSC, SYNMGR, TAUMON, TBMON, TMLISTEN, TMNTSRV, TMPROXY, TNBUTIL, TRJSCAN, TROJAN, VBA32ECM, VBA32IFS, VBA32LDR, VBA32PP3, VBSNTW, VCRMON, VPTRAY, VRFWSVC, VRMONNT, VRMONSVC, VRRW32, VSECOMR, VSHWIN32, VSMON, VSSERV, VSSTAT, WATCHDOG, WEBSCANX, WINSSNOTIFY, WRCTRL, XCOMMSVR, ZLCLIENT, ZONEALARM.

8. The virus stops the "System Restore" service.

9. The virus makes Windows crash with a BSOD (blue screen of death) when you try to start in Safe Mode or use the safe boot option.

10. The virus changes your registry so that it starts spreading over your network and to removable devices.
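The following script is a read-only triage of the indicators listed above. It is added here as an example and is not part of the original post. It only reports and changes nothing. The service names and registry paths are standard Windows locations I have chosen; the post does not say in which form the "IPSEC" exception is stored, so the script simply looks for that text in the firewall policy store, and the SafeBoot check is my assumption about what causes the Safe Mode crash:

```powershell
# Added example: report-only triage for the indicators listed above (nothing is modified).
# Run from an elevated PowerShell prompt (PowerShell 2.0 or later).
# Assumptions: standard Windows service names and registry paths; the "IPSEC" exception is
# searched for as plain text in the firewall policy store (how XP and Vista+ record rule names).

$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$what) { [void]$findings.Add($what); Write-Host "[!] $what" }

# 1. Registry Editor / Task Manager blocked through Explorer policies
$pol = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableRegistryTools -eq 1) { Add-Finding 'DisableRegistryTools=1 (Registry Editor blocked)' }
if ($pol -and $pol.DisableTaskMgr -eq 1)      { Add-Finding 'DisableTaskMgr=1 (Task Manager blocked)' }

# 2. Folder Options: Hidden=2 means "do not show hidden files", ShowSuperHidden=0 hides protected OS files
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv -and $adv.Hidden -eq 2)          { Add-Finding 'Explorer Hidden=2 (hidden files not shown)' }
if ($adv -and $adv.ShowSuperHidden -eq 0) { Add-Finding 'Explorer ShowSuperHidden=0 (system files not shown)' }

# 3. Firewall service state: SharedAccess on XP, MpsSvc on Vista and later
$fwSvc = if (Get-Service -Name MpsSvc -ErrorAction SilentlyContinue) { 'MpsSvc' } else { 'SharedAccess' }
$fw = Get-Service -Name $fwSvc -ErrorAction SilentlyContinue
if ($fw -and $fw.Status -ne 'Running') { Add-Finding "Firewall service $fwSvc is $($fw.Status)" }

# 4. Firewall exception whose stored text contains IPSEC (case-sensitive, so Windows' own IPsec rules do not match)
$fwKeys = @(
  'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List',
  'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules')
foreach ($k in $fwKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ("$($p.Value)" -cmatch 'IPSEC') { Add-Finding "Firewall entry mentions IPSEC: $($p.Name)" }
        }
    }
}

# 5. The SYSTEM.ini sections the virus adds
$sysIni = Join-Path $env:windir 'system.ini'
if ((Test-Path $sysIni) -and ((Get-Content $sysIni) -match '^\s*\[(fje32a1s|MCIDRV_VER)\]')) {
    Add-Finding 'system.ini contains [fje32a1s] and/or [MCIDRV_VER]'
}

# 8. System Restore service (XP only; absent on Vista and later, where this check is skipped)
$sr = Get-Service -Name srservice -ErrorAction SilentlyContinue
if ($sr -and $sr.Status -ne 'Running') { Add-Finding "System Restore service is $($sr.Status)" }

# 9. Safe Mode crash: my assumption (not stated in the post) is a wiped SafeBoot key; a healthy one has dozens of subkeys
foreach ($sb in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sb"
    if (-not (Test-Path $key) -or (Get-ChildItem $key -ErrorAction SilentlyContinue).Count -lt 10) {
        Add-Finding "SafeBoot\$sb key missing or nearly empty (Safe Mode will not boot cleanly)"
    }
}

# 10. Spreading hooks: the amsint32 service (the one the removal .inf below deletes) and autorun.inf in drive roots
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\amsint32') { Add-Finding 'service key amsint32 present' }
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    if (Test-Path (Join-Path $d.Root 'autorun.inf')) { Add-Finding "autorun.inf in $($d.Root)" }
}

if ($findings.Count -eq 0) { Write-Host 'None of the listed indicators were found.' }
else { Write-Host "$($findings.Count) indicator(s) found; follow the removal steps below." }
```

Save it as triage.ps1 and run it with `powershell -ExecutionPolicy Bypass -File triage.ps1` from an elevated prompt. Item 7 (killed security processes) is not checked, because the absence of a process means nothing unless you know that product was installed and running.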

How the Hybrid Sality Shortcut Win32.Sector.2x virus spreads.

The virus is written in C and packed with UPX. As with older variants, it spreads by social engineering to trick its victims: it creates .lnk (shortcut) files and hides the real files and folders they imitate. When a victim clicks one of these fake shortcuts the virus becomes active, starts spreading through the system, and looks for other ways and devices to spread to.

Once active, the virus infects all .exe and .scr files (their size may grow) and creates an autorun.inf in the root of every drive. When it detects a removable device, it automatically writes 3 files to it to help it spread to other computers.

When it finds shared folders or files, it creates fake files there to keep spreading across the network. This is a true nightmare for the newbies out there 😀
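To see what this leaves behind on a removable drive, and to undo it, here is an added example script (not from the original post). It treats a .lnk as a decoy when its base name equals a hidden file or folder in the same directory, which is the pattern described above; that pairing rule, and the E:\ placeholder for the drive letter, are my assumptions. By default it only reports; with -Fix it deletes the decoys and autorun.inf and unhides the originals:

```powershell
# Added example: find the shortcut decoys described above on one drive and, with -Fix, undo them.
# Default is report-only. Assumption: a decoy is a .lnk whose base name equals a hidden file or
# folder beside it (the post says the virus hides the real item and drops a shortcut in its place).
# E:\ is only a placeholder; pass your removable drive with -Drive.
param(
    [string]$Drive = 'E:\',
    [switch]$Fix
)

if (-not (Test-Path -LiteralPath $Drive)) { throw "drive $Drive not found" }

$shell  = New-Object -ComObject WScript.Shell     # resolves where each .lnk really points
$items  = Get-ChildItem -LiteralPath $Drive -Force -ErrorAction SilentlyContinue
$hidden = @{}
foreach ($i in $items) {
    if ($i.Attributes -match 'Hidden') { $hidden[$i.Name.ToLower()] = $i }
}

$decoys = @()
foreach ($lnk in ($items | Where-Object { $_.Extension -eq '.lnk' })) {
    $key = $lnk.BaseName.ToLower()
    if ($hidden.ContainsKey($key)) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        # the shortcut target is what the virus actually runs; note it so the same file can be found elsewhere
        Write-Host "[decoy] $($lnk.Name) -> $($sc.TargetPath) $($sc.Arguments)  (shadows '$($hidden[$key].Name)')"
        $decoys += $lnk
    }
}

$autorun = Join-Path $Drive 'autorun.inf'
if (Test-Path -LiteralPath $autorun) { Write-Host "[autorun] $autorun present" }

if (-not $Fix) {
    Write-Host "$($decoys.Count) decoy(s) found. Re-run with -Fix to delete them and unhide the originals."
    return
}

$mask = [int]([IO.FileAttributes]::Hidden) -bor [int]([IO.FileAttributes]::System)
foreach ($lnk in $decoys) {
    $orig = $hidden[$lnk.BaseName.ToLower()]
    # clear Hidden and System on the real item so Explorer shows it again, then drop the decoy
    $orig.Attributes = [IO.FileAttributes]([int]$orig.Attributes -band -bnot $mask)
    Remove-Item -LiteralPath $lnk.FullName -Force
    Write-Host "restored '$($orig.Name)', removed $($lnk.Name)"
}
if (Test-Path -LiteralPath $autorun) {
    (Get-Item -LiteralPath $autorun -Force).Attributes = [IO.FileAttributes]::Normal
    Remove-Item -LiteralPath $autorun -Force
    Write-Host "removed $autorun"
}
```

Run it as `.\decoys.ps1 -Drive F:\` first to review the report, then again with `-Fix`. It does not delete the file the shortcuts point at, and it does not disinfect .exe or .scr files on the drive; those are left to the antivirus scan in the removal steps below.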

How to remove Hybrid Sality Shortcut Win32.Sector.2x

1. Unplug your computer from the network, remove all removable devices, and disconnect from the internet.

2. Disable all your startup programs: Start -> Run -> type "MSCONFIG" -> go to the "Startup" tab -> click "Disable All" -> Apply -> reboot or log off.

3. Download CureIt!, compress the file into a .ZIP archive, right-click the archive and choose "Explore", then choose "Run", and wait until the whole scan is done.

4. Restore SYSTEM.ini: Start -> Run -> type "SYSTEM.ini".

This opens system.ini in Notepad. Delete the lines below, and don't forget to save when you are done:

[fje32a1s]
minr = 1

[MCIDRV_VER]
DEVICE=[random]

* Be careful: don't delete anything except the lines shown above.

5. Restore your Windows Firewall settings: Start -> Run -> type "Firewall.cpl" -> go to the "Advanced" tab -> click "Restore Defaults".

6. Repair your registry using this .inf script:

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=Hook
DelReg=Rem

; Put the file-type handlers back so that opening an .exe/.bat/.com/.pif/.scr/.reg runs the
; file itself again, and make Explorer show hidden files (Hidden=1).
[Hook]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden, 0x10001,0x00000001

; Remove the drive autorun hooks, the policies that block regedit and Task Manager,
; the UAC override, and the virus's service.
[Rem]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5b7fdd69-e6fd-11df-a9bd-806d6172696f}
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system, EnableLUA
HKLM, System\CurrentControlSet\Services\amsint32

Save the file as Anything.inf, then right-click it and choose "Install". The quotes must be plain ASCII double quotes; if WordPress converted them into curly quotes when you copied the listing, fix them before saving, or download my version of the file. Note that the {5b7fdd69-...} entry under MountPoints2 is a volume GUID specific to the machine this was written on; on your machine the virus's MountPoints2 entry will have a different GUID, so look under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 for the drive entries it added and delete those as well (deleting a key that does not exist is harmless).

7. Repair the Safe Mode / safe boot BSOD: download these registry files, extract them, and merge the one matching your operating system.

8. Clean up your temporary files: Start -> Run -> type "Cleanmgr" -> clear all temporary files.

9. Turn System Restore back on: on the Desktop, right-click "My Computer" -> Properties -> go to the "System Restore" tab -> turn System Restore back on.

10. Install the security patch MS10-046 (the Windows Shell shortcut vulnerability patch) from Microsoft.

11. Scan your whole system again with your most trusted, fully updated antivirus to make sure no trace of the virus is left.

Done, have a nice day 🙂
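For anyone who would rather script the SYSTEM.ini, firewall, registry (.inf) and System Restore steps than click through them, here is an added example (not from the original post). It assumes the repair .inf from the registry step has already been saved with straight quotes at the placeholder path in $InfPath (use a path without spaces), and that it is run elevated after the network is unplugged and the CureIt! scan has finished:

```powershell
# Added example: scripted form of the SYSTEM.ini, firewall, registry (.inf) and System Restore
# steps. Run elevated, after the network is unplugged and the CureIt! scan has finished.
# Assumption: $InfPath is where you saved the repair .inf (placeholder; use a path without spaces).
param(
    [string]$InfPath = 'C:\fix\repair.inf'
)

# Remove whole sections from an .ini file: everything from a matching [header] up to the next
# [header] is dropped; every other line is kept unchanged.
function Remove-IniSections([string[]]$Lines, [string[]]$Sections) {
    $out  = @()
    $skip = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[([^\]]+)\]') {
            $skip = ($Sections -contains $matches[1])
        }
        if (-not $skip) { $out += $line }
    }
    return $out
}

# SYSTEM.ini: back it up, then strip [fje32a1s] and [MCIDRV_VER]
$sysIni = Join-Path $env:windir 'system.ini'
Copy-Item -LiteralPath $sysIni -Destination "$sysIni.bak" -Force
$clean = Remove-IniSections -Lines (Get-Content $sysIni) -Sections @('fje32a1s', 'MCIDRV_VER')
Set-Content -LiteralPath $sysIni -Value $clean -Encoding Default
Write-Host "system.ini cleaned (backup: $sysIni.bak)"

# Firewall: reset to defaults (this drops the IPSEC exception) and make sure the service runs.
# 'netsh firewall' is the XP syntax, 'netsh advfirewall' is Vista and later.
$fwSvc = if (Get-Service -Name MpsSvc -ErrorAction SilentlyContinue) { 'MpsSvc' } else { 'SharedAccess' }
if ($fwSvc -eq 'MpsSvc') { netsh advfirewall reset | Out-Null } else { netsh firewall reset | Out-Null }
Set-Service -Name $fwSvc -StartupType Automatic
Start-Service -Name $fwSvc -ErrorAction SilentlyContinue
Write-Host "firewall reset; $fwSvc status: $((Get-Service -Name $fwSvc).Status)"

# Registry: apply the repair .inf the same way Explorer's right-click "Install" does.
if (-not (Test-Path -LiteralPath $InfPath)) { throw "repair .inf not found at $InfPath" }
if ((Get-Content $InfPath) -match '[\u201c\u201d]') {
    throw "$InfPath contains curly quotes; replace them with straight ASCII quotes first"
}
Start-Process -FilePath rundll32.exe -ArgumentList "setupapi.dll,InstallHinfSection DefaultInstall 132 $InfPath" -Wait
Write-Host "applied $InfPath"

# System Restore on XP is the srservice service; on Vista and later it does not exist and is skipped.
if (Get-Service -Name srservice -ErrorAction SilentlyContinue) {
    Set-Service -Name srservice -StartupType Automatic
    Start-Service -Name srservice -ErrorAction SilentlyContinue
    Write-Host 'System Restore service started'
}
```

Run it as `powershell -ExecutionPolicy Bypass -File repair.ps1`. The curly-quote check exists because a .inf with typographic quotes fails silently when installed; the system.ini backup is kept beside the original so the edit can be reverted if anything else was in those sections.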



If you're new here, you may want to subscribe to my RSS feed. You may copy or publish this article on your blog or other site as long as you give a credit link back to this article. Thanks for visiting my blog!