PE_SALITY.MCU
Virus:Win32/Sality.AU (Microsoft), W32.Sality.AE (Symantec), W32/Sality.gen.z (McAfee), Virus.Win32.Sality.gen (Kaspersky), Win32/Sality.NBA virus (ESET), Mal/Sality-D (Sophos)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: File infector
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Dropped by other malware, Infects files, Propagates via removable drives
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It drops copies of itself into all the removable drives connected to an affected system. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
As of this writing, the said sites are inaccessible.
TECHNICAL DETAILS
114,688 bytes
EXE
Yes
27 Oct 2015
Deletes files, Terminates processes, Connects to URLs/IPs, Downloads files
Arrival Details
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This file infector drops the following files:
- %Windows%\drivers\{random file name}.sys - detected as RTKT_SALITY.RL
(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)
It injects codes into the following process(es):
- explorer.exe
Autostart Technique
This file infector registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32
Type = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32
Start = "3"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32
ErrorControl = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32
DisplayName = "amsint32"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32
ImagePath = "\??\%Windows%\drivers\{random file name}.sys"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32\Enum
0 = "Root\LEGACY_AMSINT32\0000"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32\Enum
Count = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32\Enum
NextInstance = "1"
It registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\amsint32
Other System Modifications
This file infector adds the following registry keys:
HKEY_CURRENT_USER\Software\Avkxsagxk{4 random letters}\
2033412880
HKEY_CURRENT_USER\Software\Avkxsagxk{4 random letters}
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
system
DisableTaskMgr = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
system
DisableRegistryTools = "1"
HKEY_CURRENT_USER\Software\Avkxsagxk{4 random letters}
d1_0 = "0xea805a4e"
HKEY_CURRENT_USER\Software\Avkxsagxk{4 random letters}
d2_0 = "0x000018ed"
HKEY_CURRENT_USER\Software\Avkxsagxk{4 random letters}
d3_0 = "0x01036a29"
HKEY_CURRENT_USER\Software\Avkxsagxk{4 random letters}
d4_0 = "0"
HKEY_CURRENT_USER\Software\Avkxsagxk{4 random letters}\
2033412880
1953069412 = "0x00000098"
HKEY_CURRENT_USER\Software\Avkxsagxk{4 random letters}\
2033412880
-388828472 = "0"
HKEY_CURRENT_USER\Software\Avkxsagxk{4 random letters}\
2033412880
1564240940 = "0"
HKEY_CURRENT_USER\Software\Avkxsagxk{4 random letters}\
2033412880
-777656944 = "0x00000023"
HKEY_CURRENT_USER\Software\Avkxsagxk{4 random letters}\
2033412880
-777656944 = "0x00000023"
HKEY_CURRENT_USER\Software\Avkxsagxk{4 random letters}\
2033412880
1175412468 = "0x0000017f"
HKEY_CURRENT_USER\Software\Avkxsagxk{4 random letters}\
2033412880
-1166485416 = "0A00687474703A2F2F6163656D6F676C75737563756B6C6172692E636F6D2E74722F696D616765732F6C6F676F2E67696600687474703A2F2F612D6272696E672E636F6D2F73616E79626F6F6B2F6C6F676F2E67696600687474703A2F2F746E36396162692E636F6D2F696D616765732F6C6F676F662E67696600687474703A2F2F67696D382E706C2F6C6F676F2E67696600687474703A2F2F61636C617373616C657274732E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F7777772E3370696E6469612E696E2F696D616765732F6C6F676F2E67696600687474703A2F2F6163692E6772617469782E636F6D2E62722F6C6F676F2E67696600687474703A2F2F3173327176683931782E736974652E61706C75732E6E65742F696D616765732F6C6F676F2E67696600687474703A2F2F6162622E696E642E696E2F6C6F676F2E67696600687474703A2F2F7777772E616B70617274697361726976656C696C65722E636F6D2F696D616765732F696D672E676966"
HKEY_CURRENT_USER\Software\Avkxsagxk{4 random letters}\
2033412880
786583996 = "26CEFB056C4C612B18DF8A4E39AD3E086BC14A679A0C16609597EAFA4EF436B86480FE516A315D6A51F28DA8CC0B11C7B9B304C866869787A103BDFE12342ED26176866CF93A99E8E0CDB62E08DCA2F8E5A923A228BAEAE68DD518B021F8E826E6A8FDBA0704B9328FCAEA4242FC6AF4104D60B896922EC0CEDBAF6F67E08E9F"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusDisableNotify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallDisableNotify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallOverride = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UpdatesDisableNotify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UacDisableNotify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UacDisableNotify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusOverride = "1"
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DoNotAllowExceptions = "0"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DisableNotifications = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = "1"
(Note: The default value data of the said registry entry is 0.)
It modifies the following registry entries to hide files with Hidden attributes:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"
(Note: The default value data of the said registry entry is 1.)
It creates the following registry entry(ies) to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path}\{malware file name} = "{malware path}\{malware file name}:*:Enabled:ipsec"
File Infection
This file infector infects the following file types:
- .EXE
- .SCR
Propagation
This file infector drops copies of itself into all the removable drives connected to an affected system.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
Note: The order of autorun.inf strings may vary and may contain a combination of uppercase and lowercase letters.
;{garbage characters}
[AutoRun]
;{garbage characters}
shell\explore\command = {random}.{exe/pif}
;{garbage characters}
open = {random file name}.exe
;{garbage characters}
shell\open\command = {random}.{exe/pif}
shell\open\default = 1
;{garbage characters}
shell\autoplay\command = {random}.{exe/pif}
;{garbage characters}
Process Termination
This file infector terminates processes or services that contain any of the following strings if found running in the affected system's memory:
- NPROTECT.
- NSCHED32.
- NSMDTR.
- NSSSERV.
- NSSTRAY.
- NTRTSCAN.
- NTOS.
- NTXCONFIG.
- NUPGRADE.
- NVCOD.
- NVCTE.
- NVCUT.
- NWSERVICE.
- OFCPFWSVC.
- OUTPOST.
- ONLINENT.
- OPSSVC.
- OP_MON.
- PAVFIRES.
- PAVFNSVR.
- PAVKRE.
- PAVPROT.
- PAVPROXY.
- PAVPRSRV.
- PAVSRV51.
- PAVSS.
- PCCGUIDE.
- PCCIOMON.
- PCCNTMON.
- PCCPFW.
- PCCTLCOM.
- PCTAV.
- PERSFW.
- PERTSK.
- PERVAC.
- PESTPATROL.
- PNMSRV.
- PREVSRV.
- PREVX.
- PSIMSVC.
- QUHLPSVC.
- QHONLINE.
- QHONSVC.
- QHWSCSVC.
- QHSET.
- RFWMAIN.
- RTVSCAN.
- RTVSCN95.
- SALITY.
- SAPISSVC.
- SCANWSCS.
- SAVADMINSERVICE.
- SAVMAIN.
- SAVPROGRESS.
- SAVSCAN.
- SCANNINGPROCESS.
- SDRA64.
- SDHELP.
- SHSTAT.
- ADVCHK.
- AGB.
- AKRNL.
- AHPROCMONSERVER.
- AIRDEFENSE.
- ALERTSVC.
- AVIRA.
- AMON.
- TROJAN.
- AVZ.
- ANTIVIR.
- APVXDWIN.
- ARMOR2NET.
- ASHAVAST.
- ASHDISP.
- ASHENHCD.
- ASHMAISV.
- ASHPOPWZ.
- ASHSERV.
- ASHSIMPL.
- ASHSKPCK.
- ASHWEBSV.
- ASWUPDSV.
- ASWSCAN.
- AVCIMAN.
- AVCONSOL.
- AVENGINE.
- AVESVC.
- AVEVAL.
- AVEVL32.
- AVGAM.
- AVGCC.
- AVGCHSVX.
- AVGCSRVX.
- AVGNSX.
- AVGCC32.
- AVGCTRL.
- AVCENTER.
- AVGNTMGR.
- AVGSERV.
- AVGTRAY.
- AVGUARD.
- AVGUPSVC.
- AVGWDSVC.
- AVINITNT.
- AVKSERV.
- AVKSERVICE.
- AVKWCTL.
- AVP.
- AVP32.
- AVPCC.
- AVAST.
- AVSERVER.
- AVSCHED32.
- AVSYNMGR.
- AVWUPD32.
- AVWUPSRV.
- AVXMONITOR.
- AVXQUAR.
- BDSWITCH.
- BLACKD.
- BLACKICE.
- CAFIX.
- BITDEFENDER.
- CCEVTMGR.
- CFP.
- CFPCONFIG.
- CCSETMGR.
- CFIAUDIT.
- CLAMTRAY.
- CLAMWIN.
- CUREIT.
- DEFWATCH.
- DRVIRUS.
- DRWADINS.
- DRWEB.
- DEFENDERDAEMON.
- DWEBLLIO.
- DWEBIO.
- ESCANH95.
- ESCANHNT.
- EWIDOCTRL.
- EZANTIVIRUSREGISTRATIONCHECK.
- F-AGNT95.
- FAMEH32.
- FILEMON.
- FIREWALL.
- FORTICLIENT.
- FORTITRAY.
- FORTISCAN.
- FPAVSERVER.
- FPROTTRAY.
- FPWIN.
- FRESHCLAM.
- EKRN.
- FSAV32.
- FSAVGUI.
- FSBWSYS.
- F-SCHED.
- FSDFWD.
- FSGK32.
- FSGK32ST.
- FSGUIEXE.
- FSMA32.
- FSMB32.
- FSPEX.
- FSSM32.
- F-STOPW.
- GCASDTSERV.
- GCASSERV.
- GIANTANTISPYWARE.
- GUARDGUI.
- GUARDNT.
- GUARDXSERVICE.
- GUARDXKICKOFF.
- HREGMON.
- HRRES.
- AVPM.
- A2GUARD.
- A2CMD.
- A2SERVICE.
- A2FREE.
- AVAST.
- AVGEMC.
- AVGFWSRV.
- AVGNT.
- SITECLI.
- SPBBCSVC.
- SPHINX.
- SPIDERCPL.
- SPIDERML.
- SPIDERNT.
- SPIDERUI.
- SPYBOTSD.
- SPYXX.
- SS3EDIT.
- STOPSIGNAV.
- SWAGENT.
- SWDOCTOR.
- SWNETSUP.
- SYMLCSVC.
- SYMPROXYSVC.
- SYMSPORT.
- SYMWSC.
- SYNMGR.
- TAUMON.
- TBMON.
- TMLISTEN.
- TMNTSRV.
- TMPROXY.
- TNBUTIL.
- TRJSCAN.
- VBA32ECM.
- VBA32IFS.
- VBA32LDR.
- VBA32PP3.
- VBSNTW.
- VCRMON.
- VPTRAY.
- VRFWSVC.
- VRMONNT.
- VRMONSVC.
- VRRW32.
- VSECOMR.
- VSHWIN32.
- VSMON.
- VSSERV.
- VSSTAT.
- WATCHDOG.
- WEBSCANX.
- WINSSNOTIFY.
- WRCTRL.
- XCOMMSVR.
- ZLCLIENT.
- ZONEALARM.
- HSOCKPE.
- HUPDATE.
- IAMAPP.
- IAMSERV.
- ICLOAD95.
- ICLOADNT.
- ICMON.
- ICSSUPPNT.
- ICSUPP95.
- ICSUPPNT.
- IPTRAY.
- INETUPD.
- INOCIT.
- INORPC.
- INORT.
- INOTASK.
- INOUPTNG.
- IOMON98.
- ISAFE.
- ISATRAY.
- KAV.
- KAVMM.
- KAVPF.
- KAVPFW.
- KAVSTART.
- KAVSVC.
- KAVSVCUI.
- KMAILMON.
- MAMUTU.
- MCAGENT.
- MCMNHDLR.
- MCREGWIZ.
- MCUPDATE.
- MCVSSHLD.
- MINILOG.
- MYAGTSVC.
- MYAGTTRY.
- NAVAPSVC.
- NAVAPW32.
- NAVLU32.
- NAVW32.
- NEOWATCHLOG.
- NEOWATCHTRAY.
- NISSERV.
- NISUM.
- NMAIN.
- NOD32.
- NORMIST.
- NOTSTART.
- NPAVTRAY.
- NPFMNTOR.
- NPFMSG.
Download Routine
This file infector connects to the following URL(s) to download its component file(s):
- http://{BLOCKED}usucuklari.com.tr/images/logo.gif
- http://{BLOCKED}g.com/sanybook/logo.gif
- http://{BLOCKED}bi.com/images/logof.gif
- http://{BLOCKED}8.pl/logo.gif
- http://{BLOCKED}alerts.com/images/logo.gif
- http://www.{BLOCKED}a.in/images/logo.gif
- http://aci.{BLOCKED}x.com.br/logo.gif
- http://1s2qvh91x.site.{BLOCKED}s.net/images/logo.gif
- http://abb.{BLOCKED}d.in/logo.gif
- http://www.{BLOCKED}sariveliler.com/images/img.gif
As of this writing, the said sites are inaccessible.
NOTES:
This file infector deletes the following services:
- AVP
- Agnitum Client Security Service
- aswUpdSv
- aswMon2
- aswSP
- aswTdi
- aswFsBlk
- acssrv
- AV Engine
- avast! iAVS4 Control Service
- avast! Antivirus
- avast! Mail Scanner
- avast! Web Scanner
- avast! Asynchronous Virus Monitor
- avast! Self Protection
- AVG E-mail Scanner
- Avira AntiVir Premium Guard
- Avira AntiVir Premium WebGuard
- Avira AntiVir Premium MailGuard
- BGLiveSvc
- BlackICE
- CAISafe
- ccEvtMgr
- ccProxy
- ccSetMgr
- COMODO Firewall Pro Sandbox Driver
- cmdGuard
- cmdAgent
- Eset Service
- Eset HTTP Server
- Eset Personal Firewall
- F-Prot Antivirus Update Monitor
- fsbwsys
- FSDFWD
- F-Secure Gatekeeper Handler Starter
- FSMA
- Google Online Services
- InoRPC
- InoRT
- InoTask
- ISSVC
- KPF4
- KLIF
- LavasoftFirewall
- LIVESRV
- McAfeeFramework
- McShield
- McTaskManager
- MpsSvc
- navapsvc
- NOD32krn
- NPFMntor
- NSCService
- Outpost Firewall main module
- OutpostFirewall
- PAVFIRES
- PAVFNSVR
- PavProt
- PavPrSrv
- PAVSRV
- PcCtlCom
- PersonalFirewal
- PREVSRV
- ProtoPort Firewall service
- PSIMSVC
- RapApp
- SharedAccess
- SmcService
- SNDSrvc
- SPBBCSvc
- SpIDer FS Monitor for Windows NT
- SpIDer Guard File System Monitor
- SPIDERNT
- Symantec Core LC
- Symantec Password Validation
- Symantec AntiVirus Definition Watcher
- SavRoam
- Symantec AntiVirus
- Tmntsrv
- TmPfw
- UmxAgent
- UmxCfg
- UmxLU
- UmxPol
- vsmon
- VSSERV
- WebrootDesktopFirewallDataService
- WebrootFirewall
- wscsvc
- XCOMM
It deletes the contents of the SafeBoot registry.
SOLUTION
9.300
12.114.03
27 Oct 2015
12.115.00
28 Oct 2015
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Remove the malware/grayware file dropped/downloaded by PE_SALITY.MCU. (Note: Please skip this step if the threat(s) listed below have already been removed.)
- PE_SALITY.MCU-O
Step 3
Identify and delete files detected as PE_SALITY.MCU using the Recovery Console
Step 4
Restore this deleted registry key/value from backup
*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
- SafeBoot
- SafeBoot
Step 5
Restart in Safe Mode
Step 6
Enable Registry Editor, Task Manager, and Folder options
Step 7
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- GlobalUserOffline = "0"
- GlobalUserOffline = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
- DisableTaskMgr = "1"
- DisableTaskMgr = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
- DisableRegistryTools = "1"
- DisableRegistryTools = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- AntiVirusDisableNotify = "1"
- AntiVirusDisableNotify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- FirewallDisableNotify = "1"
- FirewallDisableNotify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- FirewallOverride = "1"
- FirewallOverride = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- UpdatesDisableNotify = "1"
- UpdatesDisableNotify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- UacDisableNotify = "1"
- UacDisableNotify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- UacDisableNotify = "1"
- UacDisableNotify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- EnableLUA = "0"
- EnableLUA = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- AntiVirusOverride = "1"
- AntiVirusOverride = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- {malware path}\{malware file name} = "{malware path}\{malware file name}:*:Enabled:ipsec"
- {malware path}\{malware file name} = "{malware path}\{malware file name}:*:Enabled:ipsec"
Step 8
Restore this modified registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- From: DoNotAllowExceptions = "0"
To: DoNotAllowExceptions = 1
- From: DoNotAllowExceptions = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- From: EnableFirewall = "0"
To: EnableFirewall = 1
- From: EnableFirewall = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- From: DisableNotifications = "1"
To: DisableNotifications = 0
- From: DisableNotifications = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: AntiVirusDisableNotify = "1"
To: AntiVirusDisableNotify = 0
- From: AntiVirusDisableNotify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: FirewallDisableNotify = "1"
To: FirewallDisableNotify = 0
- From: FirewallDisableNotify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: UpdatesDisableNotify = "1"
To: UpdatesDisableNotify = 0
- From: UpdatesDisableNotify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: AntiVirusOverride = "1"
To: AntiVirusOverride = 0
- From: AntiVirusOverride = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: FirewallOverride = "1"
To: FirewallOverride = 0
- From: FirewallOverride = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- From: Hidden = "2"
To: Hidden = 1
- From: Hidden = "2"
Step 9
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- amsint32
- amsint32
- In HKEY_CURRENT_USER\Software
- Avkxsagxk{4 random letters}
- Avkxsagxk{4 random letters}
Step 10
Search and delete AUTORUN.INF files created by PE_SALITY.MCU that contain these strings
[AutoRun]
;{garbage characters}
shell\explore\command = {random}.{exe/pif}
;{garbage characters}
open = {random file name}.exe
;{garbage characters}
shell\open\command = {random}.{exe/pif}
shell\open\default = 1
;{garbage characters}
shell\autoplay\command = {random}.{exe/pif}
;{garbage characters}
Step 11
Restart in normal mode and scan your computer with your Trend Micro product for files detected as PE_SALITY.MCU. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.