About Sality Virus: Win32/Sality Family
Sality is a family of file infecting viruses that spread by infecting exe and scr files. The virus also includes an autorun worm component that allows it to spread to any removable or discoverable drive. In addition, Sality includes a downloader trojan component that installs additional malware via the Web.
If the computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before co
There is no guarantee the infection can be completely removed. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
Should you decide not to follow that advice, you can try the AVG Win32/Sality Remover. It was last updated in June 2007 and is not always effective for the reasons I indicated above. Follow the instructions exactly as specified and pay close attention to the instructions including the note on administrator rights.
Since this infection is often spread via USB Flash drives, I recommend you also do the following:
Please download Flash_Disinfector by sUBs and save it to your desktop.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
- Double-click Flash_Disinfector.exe to run the tool and follow any prompts that may appear.
- If asked to insert your USB flash drive and other removable drives, please do so and allow the utility to clean them up as well.
- Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
- Wait until it has finished scanning and then exit the program.
- Reboot your computer when done.
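
To confirm the state of each drive afterwards, here is an added example (not part of the original post and not code from Flash_Disinfector): a Python check that reports, for each drive root passed to it, whether autorun.inf is absent, is a folder like the protective one described in the note above, or is a file containing launch commands. The function names and status labels are assumptions made for this example.

```python
import os
import sys

# Status labels below are this example's own, not the output of any tool.

def find_entry(root):
    """Return the path of autorun.inf in root (any letter case), or None."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            return os.path.join(root, name)
    return None

def is_launch_key(key):
    """True for autorun.inf keys that name a program to run from the drive."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))

def audit_root(root):
    """Classify autorun.inf at one drive root; returns (status, commands)."""
    path = find_entry(root)
    if path is None:
        return ("absent", [])
    if os.path.isdir(path):
        # A folder with this name occupies the slot an autorun file would need.
        return ("protected", [])
    commands = []
    # latin-1 never fails to decode; dropping NULs copes with UTF-16 files.
    with open(path, "r", encoding="latin-1") as fh:
        for line in fh.read().replace("\x00", "").splitlines():
            key, sep, value = line.partition("=")
            if sep and is_launch_key(key.strip().lower()):
                commands.append(value.strip())
    return ("suspicious" if commands else "present", commands)

if __name__ == "__main__":
    # Usage (hypothetical script name): python audit_autorun.py E:\ F:\
    for root in sys.argv[1:]:
        status, commands = audit_root(root)
        print(f"{root}: {status}")
        for cmd in commands:
            print(f"    launches: {cmd}")
```

A "suspicious" result only means the file names a program to start from the drive; the listed program still has to be checked with a scanner.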