
I have a Windows XP SP3 system which is affected by the Sality worm. The usual symptoms of Task Manager and regedit being disabled were there, and I saw that I was unable to boot my system in Safe Mode. Then I found that the Sality worm removes the SAFEBOOT keys from the registry hive.

So I downloaded a .reg file from http://support.kaspersky.com/faq/?qid=208279889 and was successfully able to apply the .reg file to my system. But when I hit F8 during boot and select the Safe Mode option, it still restarts after loading the mup.sys file.

I don't know what more to do to get to Safe Mode. The virus is still there in its dormant stage. I can verify that because Task Manager and regedit are not disabled after I restarted in normal mode, and I could browse any site and it did not kill the browser process. I also ran SalityKiller from the same link above and it healed all infected .exe files.

This is related to another question which I have asked here, but I don't see how a common solution can solve both of those problems.

Any help, folks?

  • Uhm... Please update your former topic.
    – Apache
    Commented Jun 26, 2010 at 11:54
  • possible duplicate of System restarting after pressing scan on rootkit revealer
    – Apache
    Commented Jun 26, 2010 at 11:55
  • The rootkit issue and this may be related, but I don't see how a common solution can solve both of those problems. So it is not a dupe.
    Commented Jun 26, 2010 at 12:23
  • Please add this distinction to your question @Anirudh
    – Ivo Flipse
    Commented Jun 26, 2010 at 18:18

2 Answers


I have no particular experience with this virus, but these instructions from Lifehacker can help you clean a virus even if you can't boot your computer at all. Fortunately I haven't needed to use them, but Lifehacker's instructions are usually very good.

Basically, you make a Linux USB thumb drive, put an AV application on the disk (they have a good list, but I don't use any in that list, so I can't recommend one), and boot the computer from the drive/CD. Then, you run the virus scanner from the safety of the Linux OS, which doesn't have the virus. This should clean the virus from the Windows drive, so that you can boot again. I don't know if any of their apps will repair Safe Mode, but that should be a lot easier to do when you don't have to worry about a virus. If this doesn't repair Safe Mode, gbarry's answer is probably the best place to start, as I can't help with that.

  • It's best not to boot to an infected disk. Booting off a live CD or removing the hard drive and attaching it to another computer is the best way to be sure the virus doesn't get loaded and continue infection.
    – Keltari
    Commented Sep 2, 2012 at 19:00

Then I found that the Sality worm removes the SAFEBOOT keys from the registry hive.

There's an article I found that says it also adds keys to SafeBoot. I'll quote it here so that it can be found with a search even if the URL changes.

The virus also writes extra records to the system registry which would terminate TaskManager and UAC, and adds the driver to the registry branch “System\CurrentControlSet\Control\SafeBoot”. This allows the driver to boot in safe mode.
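Since the two answers between them describe both directions of damage to the SafeBoot branch (entries deleted, so Safe Mode will not start, and a malicious driver entry added, so that it loads even in Safe Mode), a useful check after importing a known-good .reg file is to diff the live branch against that file. The script below is an added example, not code from the question, the answers or Kaspersky; it assumes PowerShell 2.0 or later is installed (it is an optional download on XP SP3), that the baseline is a standard "Windows Registry Editor Version 5.00" export such as the one linked in the question, and that the path in `$BaselineReg` is adjusted to where that file was saved.

```powershell
# Added example: report SafeBoot registry entries that differ from a known-good .reg export.
# Assumes PowerShell 2.0+, an administrator session, and a baseline .reg file (path below is a placeholder).
param(
    [string]$BaselineReg = "C:\safeboot-baseline.reg"   # assumed location of the downloaded .reg file
)

$safeBootRoot = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot"

# 1. Expected entries: every [HKEY_LOCAL_MACHINE\SYSTEM\...\Control\SafeBoot\<sub>] header in the .reg file.
#    Both CurrentControlSet and ControlSet00N exports are accepted and normalised to the path below SafeBoot.
$expected = @{}
foreach ($line in Get-Content -Path $BaselineReg) {
    if ($line -match '^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Control\\SafeBoot\\(.+)\]$') {
        $expected[$matches[1].ToLower()] = $true
    }
}
if ($expected.Count -eq 0) {
    Write-Host "No SafeBoot keys found in $BaselineReg - is this the right file?"
    exit 1
}

# 2. Actual entries: walk the live branch; the (default) value of each key says "Driver" or "Service".
$actual = @{}
Get-ChildItem -Path $safeBootRoot -Recurse | ForEach-Object {
    $rel = $_.Name -replace '^.*\\SafeBoot\\', ''          # e.g. Minimal\AppMgmt
    $actual[$rel.ToLower()] = $_.GetValue('')              # '' is the (default) value name
}

# 3. Compare. Missing keys are what Sality deletes; extra keys are where an added driver would show up.
$missing = @($expected.Keys | Where-Object { -not $actual.ContainsKey($_) } | Sort-Object)
$extra   = @($actual.Keys   | Where-Object { -not $expected.ContainsKey($_) } | Sort-Object)

Write-Host "In baseline but absent from this system (Safe Mode cannot start without these):"
if ($missing.Count -eq 0) { Write-Host "  (none)" }
$missing | ForEach-Object { Write-Host "  MISSING  $_" }

Write-Host "On this system but not in baseline (review each; unknown drivers here load even in Safe Mode):"
if ($extra.Count -eq 0) { Write-Host "  (none)" }
$extra | ForEach-Object { Write-Host ("  EXTRA    {0}  (default = '{1}')" -f $_, $actual[$_]) }
```

The script only reports; it deletes nothing, because an extra entry is not proof of infection on its own: antivirus products and some hardware drivers legitimately register themselves under SafeBoot\Minimal and SafeBoot\Network. Treat an EXTRA line as a driver or service name to look up (the matching key under HKLM\SYSTEM\CurrentControlSet\Services gives its image path) before removing it, and re-run the script after importing the baseline to confirm that the MISSING list is empty.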
