Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.



  • Please log in to reply
2 replies to this topic

#1 hongfireonly


  • Members
  • 1 posts
  • Local time:11:47 PM

Posted 12 August 2010 - 09:17 AM

Pardon my language and anger, but I really hate this "King of Virus" called Sality.

I got infected with a strange variant, possibly Win32\Sality.ag and it is spreading through my network like a monster on steroid.

I think it has downloaded a few "helper virus" to assist it over the weeks using its own peer to peer downloader.

I cant remove it, I've tried using nod32, kaspersky rescue disk, avg rescue disk, dr web rescue disk and bitdefender rescue disk. I've also tried many many removal tools.

Kaspersky Rescue disk couldnt finish mounting my drive, got error.
Avg rescue disk cant remove it.
Dr web cant even detect it.
Bitdefender rescue disk wont load for some reason. (my last resort)

Task mgr, regedit and various antiviruses are all disabled and the virus is dropping .tmp, .Lnk files all over my systems.

It searches for network share in my network and drop its payload in them, creating lots of porn shortcuts as well.

I've scoured the internet for a way to kill this monster to no avail, it is almost impossible to remove it short of reformatting ALL MY PC in the network (oh god plz no).

I wanna use Bart PE to boot into windows and find the rootkit files it created and delete them but I have no idea which file it is, because they have random names and .sys extension in C:\windows\system32\drivers folder.

I edited my registry and disabled autorun and tried to remove as many virus files as possible but it kept coming back (rewriting my registry in seconds). My Server is now infected with 50,000 shortcut links created by Sality.

the links are harmless but its taking up space and slowing down my computers.

PLZ HELP!!!! I'm losing hope man.

BC AdBot (Login to Remove)


#2 Stor-A11


  • Members
  • 29 posts
  • Local time:12:47 AM

Posted 12 August 2010 - 12:22 PM

Disconnect as many of your pc's from the network as soon as possible. Run SalityKiller and MSRT on each pc while still disconnected from the network. Then extract and run Sality Reg Keys on each infected pc.

Make sure KB2286198 is installed on each pc/server. Install it manually if you have to do so.

You'll also need to delete all of Sality .LNK files.

#3 Elise


    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,317 posts
  • Gender:Female
  • Location:Romania
  • Local time:07:47 AM

Posted 15 August 2010 - 04:15 AM

Please see ThreatExpert's awareness of Win32.Sality.

Sality Family is a family of a polymorphic file infectors which infects .exe, .scr files, downloads more malicious files to your computer, steals sensitive system information/passwords and sends it back to the attacker.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

As with many other malware, Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped file(s) when the drive is accessed.

About Sality Virus

If the computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach.

Sality/Win32.Sector is not effectively disinfectable. Your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


Malware analyst @ Emsisoft

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users