How to Remove Win32 Sality Virus

Viruses can be a real pain at times. Today I’ll share with you my experience with the Win32 Sality Virus. Win32/Sality is a polymorphic virus that infects Win32 PE executable files. It also contains trojan components. Win32/Sality has been known to be downloaded by variants of the Win32/Bagle family.
This is one of the worst viruses I have come across. It all happened when I plugged in my friend's pen drive to copy some stuff onto my PC. At that moment I had disabled Kaspersky Internet Security, which I use, due to some app restrictions. Everything was fine until evening. But then my Explorer started crashing, Task Manager got disabled, and many installers stopped functioning and started giving me weird errors. The worst part was that I wasn't able to start Kaspersky Internet Security again. I decided to format my C drive. After I formatted it and reinstalled XP, I realized that the virus was still there! Now that was really annoying. But somehow I managed to install Kaspersky without installing anything else. I scanned the whole hard disk and discovered that all my installation files, program files, and even Vista on the other partition were infected. These things really got on my nerves. I somehow disinfected some of the viruses but wasn't able to fully remove them.

If your PC is infected by this virus, you need to do the following:

First, get a good antivirus program. I would suggest Kaspersky, as I personally use it. You can also try out NOD32, Norton or Avast.
Also get the Win32 Sality virus remover from here.

Run a scan on all the partitions on your hard disk. You can ignore the drives with songs and movies as this virus doesn’t infect them.
Now disinfect the viruses discovered using the above programs. Some viruses won't be disinfected. To get rid of them you need to delete such files. I had maintained a partition full of installers (exe); 90% of them were infected, due to which I had to delete all of them. Kaspersky disinfected most of them, but the problem was that some installers weren't able to run.

Once you have gotten rid of the infected stuff, copy or back up the good files to another partition and format the infected partition.

Once done, run the virus check again on the particular drive you formatted to check if the virus is still there. Mostly it will be gone.

Lastly, if the virus still exists on the C drive, then you need to format it and reinstall your operating system.

Ahh! That's the end of the Win32 Sality Virus. Now you know why I was away from my blog for so many days. Henceforth I'll never repeat the mistake of disabling Kaspersky.


Discussion

32 comments for “How to Remove Win32 Sality Virus”

  • My PC has been infected with this virus 5 months ago and still can’t get rid of it …. i will try your method and hope that it can remove this malware.

    Thanks

  • Oh that’s bad
    If it's the Win32 virus then it should disappear if you follow what I did. Three of my other friends also have the same virus; looks like we all shared the same stuff.

  • Karthik

    My computer was affected by this virus recently and I scanned my computer with ESET NOD32 and it detected and cleaned the virus. Now it is working fine. Don't go for any other antivirus software.

  • Sri Krushnan

    You can also go for Windows Live OneCare. Wow! What an antivirus software it is. Thank you. All the best! Post your feedback after using Windows Live OneCare. Bye!!!

  • Sri Krushnan

    If you are using Windows Vista, you are lucky. If you have the Vista disc, put the disc in the computer and start the process called in-place upgrade (don't boot the computer with the disc). There will not be any data loss in the in-place upgrade process. It would take about 40 to 60 minutes at the max. It replaces the system files in the computer and thereby removes any bad system files and makes your computer work fine. You can also try this if you have any issues with Windows Update. If this is not working, the best thing that we can do is try and format all the drives and install a fresh copy. Waiting for your feedback.

  • Hi Sri Krushnan,

    Thanks for the suggestion. I didn't try Windows Live OneCare. Will give it a try soon.

  • Sri Krushnan

    Hi Joel,

    Today my computer was affected by sality virus and I scanned my computer with Norton anti virus 2009 and it worked fine. Sality virus mainly affects .exe files and creates some entries in the Registry and norton works fine for me. You can also try that…

  • kurt

    I used spybot for the registry entries and avast for full removal, seemed to work. Like you, sality showed up right after rebuilding the system, hard to believe. I think it may be lodged in irfanview, which I use regularly. Luckily I did a full acronis backup just prior to loading any programs.

  • Ismail

    hye the only way to remove it is to sell the computer and buy a new one.

  • suresh

    Can some one give me a manual procedure to remove the virus

  • i want sality remove

  • marvin paguia

    Avast antivirus can't kill the Sality virus.. that's what happened to my PC. Even my Malwarebytes got infected by Sality too… I cannot access my antivirus anymore, and I can't remove it either to install a new one.. I think I need to reformat my PC.. huhuhuh
    Y_Y

  • marvin paguia

    Even the AVG Sality remover.. there are times it can no longer recover my infected files.. I need to restore my PC just so my files will work..

  • Naimul

    My computer has also been attacked by the Win32:Sality virus. Now I want to know, can this be done by Avast? While scanning, this antivirus asks me to delete all. I'm afraid of losing all my data if I permit Avast to delete all. Can anyone kindly give me the solution?

  • Try this method. It uses a live (mini) XP CD and a clean USB flash drive.
    You'll have to burn an ISO image onto a CD on another clean computer….

    link:

    http://setrst.blogspot.com/2009/09/win32sality-cleaningremovingdisinfectin.html

  • Since 2003 similar kind of sality viruses are in play, but they have been affecting the users systems in many names. Recently there has been a tremendous increase in the spread of these viruses through the usage of pen drives.

    They infect all the .exe files in OS and in most cases the system can’t be saved. Only a complete drive format will erase them. The attacker also opens up a port by which he can hack unauthorized information from the PCs thereby easily spamming and spreading malwares to affected machines.

    Once you are affected then you can use the number of removal tools available in internet for free. But remember, finding the root infected file and removing them is impossible once it critically activates itself. We have to act beforehand. In the beginning you might find your antivirus software prompting that it cannot delete the virus. But after critical damage your system may not boot leaving your OS in a complete disarray.

    To prevent the virus from attacking I will always recommend you not to download cracks from websites, because most of them are viruses. Next, disable the autorun feature in your OS. Always right click My Computer and select Explore. Now in the explorer pane you click the removable disk and access the flash or USB drive. Before opening or clicking any file check twice that it is not an exe file. Unless and until you click the .exe file by yourself your system has no chance of getting affected. No matter how many viruses the pen drive contains, first see the extension of the file and then ignore the .exe files which generally are less than 1Mb. If you follow these steps carefully your system will have no loopholes because prevention is always better than cure.
    Answers

  • Nirmal, take a look at

    http://little0nemo.googlepages.com/neverRun.zip

    It is best thing for people that use windows explorer (even with autorun disabled and NoDriveTypeAutoRun set)
    This just renames autorun.inf and
    problem is gone.

    Cheers 😉

  • SauroS

    See guys, Kaspersky or AVAST or any other anti-virus will not work for this one. Sure they will detect it if ur virus database is up-to-date. But the only option they give u is either delete the file or quarantine it. Both options are worthless as deleting or moving the infected .exe file will render the application useless.
    I have a sort of solution, which i tried on my system and worked pretty neat.

    1. First get the latest version of Avira Antivirus Personal Edition. This won't be a problem since it's a free program. But before u take it to the infected system, zip (or rar) it.

    2. Hopefully u have Winrar on the system. From my experience, u can still unrar a file from context menu. (Right click options).

    3. Unrar the Avira antivirus and without waiting a sec, install it.

    4. After installing, it will give the option of repairing or deleting the infected file. Choose repair.
    Cleaning the whole system may take some time.

    5. Also u can try this program.
    http://uploading.com/files/c2c51m4c/RMSality.exe

  • But SauroS, I'm sure there's no foolproof alternative to formatting that particular drive.
    And repairing the file just doesn’t help. I feel sality is a stubborn virus!

  • That is one of my problem regarding with my pc. I am using currently AVAST antivirus but seems it is not effective.

  • Jay Krishnan

    We have this virus and a lot of other viruses in our common office pc and whenever i swap a usb between that old computer (in our office we call it the prostitute) and our laptops, the laptops risk getting these.

    My free Avast usually catches them and recommends moving them to chest. Since these are unimportant files i do that. Though the free Avira was very good too, I had an infection even with that running.

  • hi every1..actually i had experience on this such virus Win.32.Sality…..i infected all my software that .exe programs….

    it can infect all .exe programs that you keep in your hardisk and your pendrive…

    so alternate ways you have to burn on cd basic software especially your anti virus from a very clean pc…
    its not infect .rar or .zip files…

    after you format the OS partition with a new fresh copy of windows all you need to do is dont ever2 open your other partition like D,E,F or your external hardisk,your pendrive,flashdrive,wherever it is you keep your software…

    try to connect to the internet and download a fresh copy of antivirus i suggest here ‘Avira Antivir’…you can download them at filehippo.com or anywhere else…

    then after installed the antivirus all you need to do is right click the partition and scan with avira…
    if found any just click ‘repair’ and
    ‘ok’…

    or you guys can try ComboFix.exe if you dont want to replace a new system OS…just double click and wait until it reboot and finish…

  • s@nd

    After ur pc infected by sality u can’t use your antivirus(setup)..
    i suggest u using NOD 32.. it not only quarantine but it can prevent .exe for been delete(silent)…

    no need to formatting..

  • louie liew

    well my computer was infected by this virus..
    im so pissed since everytime im using google chrome or any other browser it keeps gettin an error..
    some o my other programs cant even execute anymore cause i deleted them due to what my anti v recomended which was a noobie move for me x.x
    even my task manager has been disabled..
    wat i did was runned my antivirus which was avast on the boot and deleted almost at least 6 thousand files.
    now i wana know whats gonna be the effects of this on my computer since im such a newbie on this things..

  • Carn

    I have had this bloody virus on & off now for 6 months, I took out all my flash and HDD drives and used an external USB to PATA/SATA kit to plug them into a comp at work that had mcafee installed (and running) in order to clean them (still had to reinstall OS) and after being free of this virus for a month, last night I plugged my Nokia N85 into my comp in "mass storage mode" (aka flashDrive mod) and BAMM reinfected (this comp is not online and has no anti-virus).
    so if any1 knows who or where this virus came from pls tell me so I can get a flight to their city hunt them down, torture (for as many hours as I have been f##ked by this virus) and then dump them by the road somewhere, thanx

  • awiepzz

    do you know where the viruses come from? in indonesia, it has infected so many pcs, also my pc. it is so annoying…

  • k3if3r

    I’m scanning my pc right now with avast so far only a few files were infected and hopefully it stays that way

  • whew, that was a smart one!
    funny how u insert a jumpdrive with antivirus installation files there and they disappear right in front of your eyes.
    so i knew i had to use a CD so virus can not alter its content.
    that’s what i did.
    i have tried dr.web cure it bootable cd first, it found like 5 items, deleted them, but nothing got fixed. my system was still acting same way: i had my registry access disabled, no internet connection and no antivirus software would get installed. ZoneAlarm (which i generally like a lot) was installed but patched by virus and it wasn't working.
    sheer fun..
    so the thing that helped me was SalityKiller.exe utility from Kaspersky. It found the stupid sality in about every program i had on my pc and cured it. Now im back online and didnt need to format my drive which im very happy about.

  • srujan

    will it work wid panda cloud anti virus??

  • ayeen

    now, my lappy was infected by this suck virus. i cant open HD in D normally and need to right click, explore to open it. im using kaspersky . is it effective?

  • FFX

    …Hi, Guys! That’s stuff far and away from Israelite, as many other GODDAMn s. BE AT FIRE FOREVER!

  • Japhethkioko

    cant believe i have tha sucker virus on.all ma games are kaboom.
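
Several comments above point to pen drives, the autorun feature, autorun.inf and the NoDriveTypeAutoRun setting. The following is an added example, not part of the original post or its comments: a small Python check that lists which commands an autorun.inf would launch and decodes a NoDriveTypeAutoRun value into the drive types where AutoRun is still allowed. The function names, the sample file and its file name are constructed for illustration.

```python
import re

# NoDriveTypeAutoRun bit flags (Windows policy value): a set bit disables
# AutoRun for that drive type; 0xFF disables it for every type.
DRIVE_BITS = {0x04: "removable", 0x08: "fixed", 0x10: "network",
              0x20: "cdrom", 0x40: "ramdisk"}
# autorun.inf keys that start a program (hypothetical helper names below).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
EXEC_EXT = re.compile(r"\.(exe|com|scr|pif|bat|cmd)\b", re.I)


def autorun_enabled_types(mask):
    """Drive types on which AutoRun is still allowed under this mask."""
    return sorted(name for bit, name in DRIVE_BITS.items() if not mask & bit)


def launch_entries(inf_text):
    """Return (key, command) pairs from [autorun] that start an executable."""
    entries, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if LAUNCH_KEY.match(key) and EXEC_EXT.search(value):
                entries.append((key.lower(), value))
    return entries


# Constructed sample used only to exercise the check; not from a real drive.
SAMPLE_INF = """\
[AutoRun]
; constructed example
open=sample.pif
shell\\open\\command = sample.pif
icon=%SystemRoot%\\system32\\shell32.dll,4
label=USB DISK
"""

if __name__ == "__main__":
    for key, cmd in launch_entries(SAMPLE_INF):
        print(f"autorun.inf would launch {cmd!r} via {key}")
    for mask in (0x91, 0xFF):  # 0x91 leaves removable drives enabled
        print(hex(mask), "AutoRun still enabled on:", autorun_enabled_types(mask))
```

To check a real drive, read its autorun.inf as text on a clean machine and pass the contents to `launch_entries`; any entry it returns names a file worth scanning before the drive is opened.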
