Win32.Sality Removal


Sality is the name of the group of viruses that are damaging most of the systems in July 2009. This virus was first seen in 2006. Yes, thats very long time back. But its still a very tough one to kill. This is because of its capability to update itself from different sites. This virus, when executed, injects itself into the System's processes and registers several DLLs in them so that the virus is launched when these applications are launched. As soon as it is launched, the virus starts its search for files having .exe extensions in the drives and deletes them one by one. The virus also injects its code into the installation files of some applications thus infecting them. So when these files are copied to another computer and executed, the virus starts running in that system. The virus also displays several pop-up messages, disables the Task Manager, Registry editing and Command Prompt. When executed, the virus was seen to hide itself in the %System% or the %System32% directory of the WINDOWS folder. Here, the virus saves some of its important DLLs and injects them into crucial Windows processes like Explorer.exe, Winlogon.exe, Svchost.exe, etc. This virus can even log your key strokes and save it in a separate file that is made for this purpose. This file also stores the information of the recent Url's visited by the user. This way, all the login IDs and passwords are acquired by the virus and the information is sent via mail to any one of the mail IDs from the server. This virus pings to several sites and tries to download several malicious content. Thus it can also be called as a back-door Trojan. It creates several registry entries thus helping itself to launch at every boot-up at any cost. A change in the speed of the Internet connection may also be observed by the user. It also gets through the Windows Firewall by adding itself to the "Trusted Programs" list. Once executed, this virus maybe extremely dangerous to keep in the system. Hence, it should be removed immediately. The removal of this Trojan is almost impossible according to the research made till now. But if you're good at handling your computer, you can actually get rif of it. Otherwise, the only way to delete this virus would be to install a good anti-virus(which is not recommended until this site is alive) or you can even follow these instructions.

Manual instructions to remove Win32.Sality:

  1. As mentioned earlier, the virus disables your registry. So restore it by following one of these instructions here (you'll need it). Now, I've said that the virus injects itself to several Windows processes. So lets start by deleting it from them. Look for the following key in the registry

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    \Shell = Explorer.exe

    Thats the actual value of the key. The virus adds another path to that key. Remove that path but remember its path.

  2. The name would look like %System%\oledsp32.dll or with an extension of a vbs or exe file. Copy the name of the file(from the above example, I'm copying oledsp32.dll.
  3. Using the find button in the registry(if you can't find it, just press Ctrl+f). Now search for that name in the registry. If you find it as a separate key, delete it completely. If thats a Process which you identify to be a required one, just open the key by double-clicking it and remove only the path of the file. You may also find many keys of such kind and you'll have to search and delete all of them. But remember their paths.
  4. Now that you're done with cleaning the registry, reboot in the safe mode (click here to know how to enable it). Open Command Prompt (Start --> Run and type cmd). Type in the following
    attrib -r -a -s -h  {paths which you found in the registry along with the names} 
    For example: 
    attrib -r -a -s -h C:\WINDOWS\System\oledsp32.dll

  5. Now type "del  {the same path and name which you typed earlier}. This way we're deleting the files from being started or spread.
  6. The virus doesn't run in your system anymore. But remember, you have just disinfected your system. You dint remove the files that may contain the virus code. Hence, your computer is safe until you don't run any of the infected files once again.

There maybe several viruses that contain the prefixed name "Win32.Sality". This is a tutorial which will work for most of them. Trying never hurts. So try it and lets hope that you're free from it after following the above instructions. Know how to enable your applications and services here.

Get the best security software for your compter here!

powered by Blogger | WordPress by Newwpthemes | Converted by BloggerTheme