How to remove Sality virus
K. Sality Description
What is Sality?
This is a quote from the Norman website:
“A family of file-infecting viruses with backdoor and keylogger capabilities. Some variants install a helper component in the Windows System folder. Names on this component vary by Sality variant:
SYSLIB32.DLL (All early versions)
OLEMDB32.DLL (Sality.M, version 3.03)
WMIMGR32.DLL (Sality.N, version 3.04)
VCMGRD32.DLL (Sality.P/Q, version 3.07)
VCMGCD32.DLL (Sality.R, version 3.09)
WDMFMC32.DLL (Sality.S, version 3.07)
…and others. This DLL is then injected into running processes.”
Other aliases: Sality, Win32/Sality, Sality.AA, Sality.AE, Sality.AH, Sality.AM, Sality.AR
L. How to know whether your computer is infected by the Sality virus:
These are the indications:
1. Task Manager is disabled.
2. Registry Editor is disabled.
3. “Show all hidden files and folders” does not work.
The Hidden Files and Folders setting always reverts to the “Do not show hidden files and folders” option. You can’t change it, even if you select “Show hidden files and folders”.
4. Firewall and antivirus do not work.
You can’t run them and you can’t scan with them; even if you can run a scan, the virus either won’t be found, or it will be found but the antivirus can’t clean or delete it.
5. The virus infects .exe files on every partition of your hard disk.
Almost all .exe files on your computer will be infected (including explorer.exe, uninstall.exe, etc.). Some infected .exe applications may still run, but some won’t (the running process of an infected .exe application is killed and/or an error message is shown).
6. The virus may infect some .com and .scr files.
7. The virus may infect some .dll files in your Windows folder.
8. If you plug a USB device into your computer, it will create an autorun.inf file plus a random virus file on it.

Pic1: The virus created an autorun.inf file plus a random virus file (pwkmla.cmd) on my sample UFD.
9. You can’t boot Windows in safe mode. If you try, it will fail and your system will restart automatically.
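A read-only triage script for the indicators above, added here as an example; it is not from the original post and not from Norman or Symantec. It assumes the standard Windows registry locations for the Task Manager/Registry Editor policies, the Explorer hidden-files setting and the SafeBoot driver lists (the branch the linked registry fixes restore), and only reports findings without changing anything:

```powershell
# Added, read-only triage script: not part of the original post or of any tool it
# links. It reports the indicators listed above and changes nothing.
# Assumptions: the standard Windows policy/Explorer keys below and, for safe mode,
# that the failure is an emptied SafeBoot branch (what the linked registry fixes restore).
$pol     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$adv     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
function Get-RegValue($Path, $Name) {
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

$findings = @()

# Task Manager and Registry Editor disabled by policy value
if ((Get-RegValue $pol 'DisableTaskMgr') -eq 1) {
    $findings += 'Task Manager disabled (DisableTaskMgr=1)'
}
if ((Get-RegValue $pol 'DisableRegistryTools') -eq 1) {
    $findings += 'Registry Editor disabled (DisableRegistryTools=1)'
}

# Hidden files: Hidden=2 alone is the Windows default ("do not show"); the telling
# sign is SHOWALL\CheckedValue no longer being 1, which makes the option snap back.
if ((Get-RegValue $adv 'Hidden') -eq 2) {
    $findings += 'Explorer set to "Do not show hidden files and folders"'
}
if ((Get-RegValue $showall 'CheckedValue') -ne 1) {
    $findings += 'SHOWALL\CheckedValue tampered or missing: "Show hidden files" cannot be re-enabled'
}

# Safe mode: both SafeBoot driver lists should exist and be populated
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    if (-not (Test-Path $key) -or @(Get-ChildItem $key).Count -eq 0) {
        $findings += "SafeBoot\$mode missing or empty: safe mode will fail"
    }
}

# Removable drives (DriveType 2): autorun.inf at the root is the USB indicator
foreach ($drive in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2') {
    if (Test-Path "$($drive.DeviceID)\autorun.inf") {
        $findings += "autorun.inf present on removable drive $($drive.DeviceID)"
    }
}

if ($findings.Count -eq 0) { 'No Sality indicators found.' }
else { 'Indicators found:'; $findings | ForEach-Object { " - $_" } }
```

Run it from an elevated PowerShell prompt on the suspect machine; an infected system will usually report more than one finding at once, while a single Hidden=2 entry on its own is just the default Explorer setting.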
M. Virus Removers
Before removing the virus, you should download these tools:
1. Norman Malware Cleaner
Choose one of these two links:
Download 1: http://download.norman.no/public/Norman_Malware_Cleaner.exe
Download 2: http://normanasa.vo.llnwd.net/o29/public/Norman_Malware_Cleaner.exe
2. Symantec Win32.Sality.AE Removal Tool
Choose one of these two links:
Mirror Download 1: http://www.ziddu.com/download/3653712/FxSltyAE.rar.html
Mirror Download 2: http://rapidshare.com/files/233586434/FxSltyAE.rar.html
N. How to remove Sality virus
Steps:
1. Turn off “System Restore”.

Pic2: System Restore
2. Run Norman Malware Cleaner to scan for the virus.
Pic3: Norman Malware Cleaner
3. If a “Do you want to restart…” dialog appears after the Norman Malware Cleaner scan, you may restart or not.
4. If you want to restart, make sure “System Restore” is still turned off before restarting. After restarting, do steps 1 to 2 again.
5. Run Symantec Win32.Sality.AE Removal Tool.

Pic4: Symantec Win32.Sality.AE Removal Tool
6. If a “Do you want to restart…” dialog appears after the Symantec Win32.Sality.AE Removal Tool scan, you should restart. Make sure “System Restore” is still turned off before restarting.
7. After restarting, the virus has most probably been removed. Task Manager and Registry Editor are re-enabled now.
8. To make sure the virus has been removed, run Symantec Win32.Sality.AE Removal Tool once again.
O. Important Note
1. The Sality virus has most probably been removed, but some files (exe, dll, etc.) may still be infected. To clean them, scan with your antivirus (NOD32, Kaspersky, Norman, Symantec, etc.).
2. If the antivirus can’t clean them, you should delete the infected files (exe, dll, etc.) BUT do it carefully, and be even more careful if the infected files are in the Windows folder (for example explorer.exe). Before deleting, make sure the system will still work without the file. If you’re not sure, don’t do it, or consult an expert.
3. To repair safe mode, you can download a registry file to fix it:
http://www.eset.hk/support/tools/repairboot.zip
or
http://support.kaspersky.com/downloads/utils/sality_regkeys.zip
Extract it, and run the one file that matches your system (safebootWinXP for Windows XP, etc.).
4. Re-installing Windows is not the best option, especially if your Windows license is not FPP/OLP. (Remember, if you re-install Windows, you must re-install drivers and some software, etc., and don’t forget you will have to re-activate Windows again.) Re-formatting all of your hard disk partitions and then re-installing Windows is the last option, IF you want to do it.
5. I haven’t re-formatted all of my hard disk partitions and re-installed Windows, because the Sality virus has been removed and the infected files have been deleted carefully.
Yusuf KS (The S’ abbreviation is not Sality!!)
p.s. If a problem still occurs, you can ask in the comments; I’ll help as best I can.
Weblog : http://myks.wordpress.com
Permalink : http://myks.wordpress.com/2009/05/16/how-to-remove-sality-virus/
PDF Version : http://www.kakikaku.com/yks/articles/how_to_remove_sality.pdf
Ultra thanks, Master, your information helped me a lot. Thanks…
Ehem, I have just been attacked by the Sality virus…
Huh, it makes my head hurt.
You just saved my ass, I think. Thanks.
Just removed this virus from another laptop and I can’t browse the web anymore. Yahoo Messenger connects fine though. Any idea why?
@ Jose and mr.tree :
You’re welcome.
@Ankit :
I’m not sure why; maybe some files of your browser were deleted while you were removing the virus. Please try these two steps:
1. Reinstall your browser. Example: if your browser is Mozilla, you should reinstall Mozilla on your computer.
2. If your browser still can’t connect to the Internet, you should install another browser, for example Opera, Google Chrome, etc.
Please try steps 1-2 for now; if it still can’t connect to the Internet, maybe another problem is involved (Internet settings, firewall, etc.).
Thanks! This seems to have worked. Quick question, why is it important to disable system restore? I could think of a few reasons, but is there something this virus does with it? Thanks again for the help.
@Ru
You’re welcome.
Some viruses can back themselves up in the System Restore folder; that’s why we should turn off System Restore before scanning for/removing the virus.
Some variants of the Sality virus can turn System Restore back on if it is turned off; that’s why we should make sure System Restore is still turned off while we scan for/remove this virus.
“Yusuf KS (The S’ abbreviation is not Sality!!)”
If the abbreviation of S’ is not for Sality then perhaps it’s erm..
Clue: Remove some letters and change it into the other letters.
..
Sa-lity becomes Sa-mi.. =D
Yehey!
Eh.. Isn’t Sami the one who sings the song Supplication?
Yaah.. Wrong again..
Sorry, sorry, there was a technical error.. @#$%!$%^
@ Ulan :
Wrong! Not Sami, nor Sama. I don’t know Supplication but I know Sami Tamaki, eh Nami ^^.
Thanks for the info, but my Windows still has errors, mas..
For example: I can’t drag, can’t paste files (copy works, but when pasting it doesn’t), and right-click then Send To doesn’t work either (it loads for a very long time)..
Roughly how do I fix this??? Please help..
Thanks..
Thanks for your info! it really helps!
I’m able to go into my Task Manager again,
so should I enable my System Restore back?
And by the way, which free antivirus would you recommend for this task, as you mentioned? Will AVG do the job?
“# Sality virus most probably has been removed but maybe some files (exe, dll, etc) are still infected by Sality Virus. To clean it, you should scan it with your anti virus (NOD32, Kaspersky, Norman, Symantec, etc).”
@to cool :
Try scanning again with Norman Malware Cleaner, then see whether there are still files infected by Sality. (Also scan with another up-to-date antivirus.)
Most likely there are still files infected by Sality, so they have to be cleaned or deleted.
For now, so that you can copy and paste smoothly, try using a file manager other than Windows Explorer. You can also use an image browser such as ACDSee (shareware) or XnView (freeware).
Hope this helps.
@kb :
You’re welcome.
Yes, if you want to enable it back.
I recommend ESET NOD32. I think, if your antivirus –whichever antivirus you have– is up to date, it should do the job.
Oh my god… how come, even though I scanned through everything, this time it gets more serious…
Now I notice it is still not clean, and I cannot go into safe mode… furthermore, my antivirus (Avast) is often shut down by it; when I open it, it automatically closes even before it can run the program…
Any ideas?
Symantec Win32.Sality.AE Removal Tool says there is no Sality 32 on my computer…
Then what could the problem be?
Because all the indications on my computer are as mentioned above.
I can’t go into safe mode, all my exe files don’t work anymore, and even opening a rar file sometimes needs some special work, which is very troublesome.. everything seems to be out of my control…
Answer:
That’s why some exe files are still not working.
1. Please repeat part M (1-2) to part N (1-8).
2. a. Reinstall your newest antivirus from your disc, or
b. Download the newest antivirus (freeware or shareware), then install it.
3. Do part O 1-3, and do not run any .exe application except the antivirus before doing part O (1-3).
Remember, the antivirus may or may not be able to clean the infected files.
So, if the antivirus can’t clean them, you should delete the infected files (exe, dll, etc.) BUT do it carefully. Don’t worry, you can reinstall them after that.
Excellent explanation about Sality. You have done a great job for IT professionals. THANKS a LOT for your work.
I have been battling this virus for 8 days now, till I found these suggestions which I am going to try today… whether it works or not, I will let y’all know.
Thanks… my computer is back to normal…
Thanks, it worked
Before running norman.exe, a useful tip would be to rename it to norman.bat before executing it on the infected PC, as Sality will infect the exe as soon as it is copied to the hard disk.
Another useful utility is NSS from Symantec.
A friend of mine just emailed me about the Kaspersky license from your article from a while back. I read that one and a few more. Really enjoy your blog.
Thanks
Doesn’t work for me aaaaa
Error by slity.nar. Thanks 4 info… I hope it works.
Help, why when I start scanning with Norman Malware Cleaner does it stop at C:\Documents and Settings\HP_Owner\Local Settings\Temp\cgrmww.exe (infected with W32/Horst.gen33)?
Help, when I start scanning with Norman Malware Cleaner it stops at C:\Documents and Settings\HP_Owner\Local Settings\Temp\cgrmww.exe
@gigs :
Thanks for your additional information.
@Angel and cahgombong :
I wish I could help you more. Thanks for trying those steps.
@Aldrin :
It seems your computer is infected by Trojan.PWS.Gamania.v2 AKA W32/Horst.gen33, Mal/Heuri-E, Trojan-PWS.Win32.Agent.im, etc. I recommend you clean/remove this trojan first. Scan your computer with your antivirus, and make sure that your antivirus is up to date. You can also download another newest-version antivirus (freeware or trial) to scan and clean/remove this trojan, e.g. ESET NOD 32, Symantec, Norman, AntiVir (freeware), F-Secure, Ikarus, Panda, Sophos, Sunbelt, or others.
After the trojan has been cleaned/removed, you can try those “how to remove Sality virus” steps again to remove the Sality virus.
Thank You! Thank You! Thank You! I got hit with this virus while I was traveling in Italy away from any bootable CD, my restore CD, my Norton restore CD. I downloaded the programs you recommended, followed your instructions, and was able to recover / remove this awful virus from my laptop.
In short, you and your site was a life saver for my laptop and the rest of my trip. Again, Thank You!
Hi All,
My PC has been infected with the Sality virus. While I was searching for the solution, luckily I found this forum.
I tried removing it by implementing these steps, but I had to stop at the first step itself because my “System Restore” tab has been disabled. I even tried opening it through the registry, but I am unable to open regedit from the Run tab either.
Can you please help me on this.
Thanks,
Raghu
Small correction to my above posting: the “System Restore” tab is missing….
@ Howard :
You’re welcome.
@raghu :
1. Insert your Windows XP CD.
2. Start –> Run –> Type or copy paste “rundll32.exe advpack.dll,LaunchINFSection C:\Windows\Inf\sr.inf” –> OK.
Boss,
right after restarting it goes straight to a blue screen, boss; what’s the solution???
thx
@ed :
Blue screen problems can have many possible causes: there may be a software problem (including Windows), or there may be a hardware problem. My suggestion: try removing and reinstalling some of the components attached to the motherboard, such as the memory and cards (VGA card, TV tuner card if any). Clean them too if they are dirty.
Why is it that my Avast antivirus (up to date) hasn’t been destroyed by the virus????? Because my PC has been infected by it too. The virus came from a USB; after I clicked the USB it executed itself, then Avast detected it, then too many exe files were infected, so Avast suggested a boot scan and then POOF!! the virus is now gone; safe mode has been restored by that .reg file from Kaspersky..
Then only one question to ask:
Is my PC clean now, after Avast deleted the files and then I followed up with an MBAM scan and then Dr.Web CureIt, and no virus has been detected? So is my PC clean now??
@ Josh :
Yes, I think. If you don’t get sality indications on your computer, your computer is clean.