Remove Sality virus (Virus Removal Instructions) - updated Oct 2019

Removal by Linas Kiguolis | Type: Malware

Sality is a self-propagating worm that was first seen back in 2003 but is still prevalent today

Sality virus is a dangerous malware family that is capable of self-replication.

Sality virus is a complex, multi-functional malware family that was first spotted in the wild back in 2003. It spreads via infected removable drives and network shares, and on the host it infects all the .exe and .scr files it can reach – classic file-infector (virus) behaviour.

Security researchers believe that the Sality virus originated in Russia and has evolved significantly over the years. Since 2010, the malware has employed rootkit[1] capabilities and has used a peer-to-peer network (botnet) to communicate with infected computers. Different versions exhibit different symptoms and perform particular functions on the infected computer, but most Sality variants are worms[2] that replicate themselves by using the autorun[3] functionality of removable media.

The Sality family is relatively old, but that does not mean it is no longer a threat. It uses evasion techniques such as loading its DLLs directly into memory and giving its main executables randomly generated names, which hampers AV detection. Besides being able to send spam, record keystrokes, and steal sensitive information, Sality continually communicates with its remote servers to receive updates and extend its functionality with new modules (such as a Trojan downloader).

SUMMARY
Name: Sality virus
Type: In its early stages the virus was a relatively primitive file infector, but it evolved into a self-propagating worm
Alternative names: SaILoad, SaliCode, Spamta, Kukacka, Kookoo, Vilsel
First spotted: The first sightings of this virus family date back to 2003
Most affected countries: USA, India, Mexico, Russia, France, Ukraine, Romania, etc.
Related files: amsint32.sys (placed into the Device folder) and wmdrtc32.dll (placed into the %SYSTEM% folder)
Spread: Copies itself to remote and removable drives
Capabilities:
  • Code injection
  • Keylogging and information stealing
  • Generating and sending spam
  • Removal of anti-malware software installed on the host machine
  • P2P botnet establishment
  • Rootkit function that prevents users from visiting security websites
  • Downloader that uses a pay-per-install scheme, etc.
Symptoms: Security software stops working, the Registry Editor becomes unavailable, unknown programs or files are installed, amsint32.sys is present
Detection and elimination: Because of Sality's capabilities, removing it can be extremely difficult. Infected users should boot into Safe Mode with Networking to temporarily stop the malware and then perform a full system scan with security software such as Reimage, SpyHunter 5, Combo Cleaner or Malwarebytes

During the infection process, Sality virus drops two files (wmdrtc32.dll and wmdrtc32.dl_) into the %SYSTEM% folder, which are later executed. More advanced variants of the worm do not drop any DLLs at all but operate purely in memory, meaning no files are written to disk. Sality may also create a driver file with a random name and place it into the %SYSTEM%\drivers folder.

Sality virus executes several sets of commands that infect all the EXE and SCR files located on the Windows computer. The worm then quickly spreads to all the virtual and physical devices connected to the same network. It also modifies the original host code at the entry point to reroute execution to the polymorphic[4] viral code – the code mutates so that it performs the same tasks in a different form each time the computer is booted. Additionally, Sality makes several changes in the Windows Registry so that it starts with every Windows boot. The affected keys include the following (the virus also creates, modifies, and deletes several other keys):

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Sality virus also works as a malware downloader: it uses a preset list of URLs pointing to sources from which additional files can be downloaded, decrypted, and then executed. The threat uses the RC4 encryption algorithm to encrypt and decrypt the data used in the host infection process.

After infecting the host machine, Sality virus uses its list of predetermined URLs to establish multiple HTTP connections, through which it receives the newest updates and can also fetch new modules for the affected computer.

To be able to remove Sality virus, it is important not to ignore signs of the infection, which include:

  • The installed security software starts malfunctioning or is terminated;
  • Security-related services and processes are stopped;
  • Booting into Safe Mode becomes impossible;
  • The malware starts sending malicious emails;
  • The presence of a malicious file amsint32.sys located in %SystemRoot%\system32\drivers.
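A read-only triage script for the artifacts named in this guide (the dropped files, the listed registry keys and the amsint32.sys symptom), added here as an example and not taken from the original article or from any vendor's removal tool. The amsint32 service key name and the "trusted path" heuristic for Run entries are assumptions of this example, not facts from the page.

```powershell
# Added example (not from the original guide): read-only triage for the Sality
# artifacts named above. Needs PowerShell 4+ (Get-FileHash) and an elevated prompt.
$system32 = Join-Path $env:SystemRoot 'System32'
# Dropped files the guide names
$fileIndicators = @(
    (Join-Path $system32 'drivers\amsint32.sys'),
    (Join-Path $system32 'wmdrtc32.dll'),
    (Join-Path $system32 'wmdrtc32.dl_')
)
# Autorun keys the guide lists
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$shellKey = 'HKCU:\Software\Microsoft\Windows\ShellNoRoam'
# Assumption: the driver is registered as a service under its own file name
$driverServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\amsint32'
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($kind, $where, $detail, $flag) {
    $findings.Add([pscustomobject]@{ Kind = $kind; Location = $where; Detail = $detail; Suspicious = $flag })
}
foreach ($path in $fileIndicators) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Add-Finding 'DroppedFile' $path "sha256=$hash" $true
    }
}
if (Test-Path -LiteralPath $driverServiceKey) {
    $img = (Get-ItemProperty -LiteralPath $driverServiceKey).ImagePath
    Add-Finding 'DriverService' $driverServiceKey "ImagePath=$img" $true
}
# ShellNoRoam normally holds shell state; list its subkeys for manual review
if (Test-Path -LiteralPath $shellKey) {
    $names = (Get-ChildItem -LiteralPath $shellKey | ForEach-Object { $_.PSChildName }) -join ', '
    Add-Finding 'Review' $shellKey "subkeys: $names" $false
}
# Run values: Sality picks random executable names, so judge the target path, not the name.
# Flag targets outside Program Files / Windows or that no longer exist (triage hint, not proof).
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
        $value = [string]$p.Value
        if ([string]::IsNullOrWhiteSpace($value)) { continue }
        $exe = if ($value -match '^"([^"]+)"') { $Matches[1] } else { ($value -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $trusted = $exe -match '^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\'
        Add-Finding 'Autorun' "$key\$($p.Name)" $value ((-not $trusted) -or (-not (Test-Path -LiteralPath $exe)))
    }
}
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Legitimate software also installs autorun entries outside Program Files, so a Suspicious=True autorun row is a prompt to inspect the target, not a verdict; a present amsint32.sys or wmdrtc32.dll is the stronger signal.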

Sality virus removal can be a complicated task because the worm gives its executable an arbitrary name. AV engines that rely on a preset list of malware file names might therefore fail to detect it. Nevertheless, please check the last part of the article for full eradication instructions; afterwards you can clean up the remaining traces using Reimage.

Sality virus is malware that can steal sensitive information, disable Windows processes and stop AV engines from operating.

Computer infections via contaminated external drives and networks are still a huge risk

Users typically infect their computers with malicious software due to a lack of security measures. Some users are not aware of certain things that need to be done in order to protect themselves, while others simply neglect adequate security means and end up infecting their computers with dangerous malware.

One of the most important rules is to obtain reputable security software. While the Sality virus is old, security software developers have implemented appropriate preventive measures to keep the malware away. However, you need to make sure that the AV's database is continuously updated. Patching all the programs installed on the computer, including the operating system itself, is vital as well: software vulnerabilities are often used to install malware automatically.

Finally, you should be aware that some files that look normal might actually be malicious. Therefore, you should never plug in USB flash drives, SSDs, or other external drives unless you are sure they are safe to use. Unfortunately, you can never be 100% sure about that, so you should let reputable anti-malware software block such content before it manages to spread. As a general rule, you should also never open unknown files downloaded from the internet before checking them with tools like VirusTotal (this includes pirated software, which is not recommended to download in the first place).

Sality virus removal steps

Sality virus removal is a complicated task, which is why preventing the infection is critical. Nevertheless, if you suspect that your computer is infected with this malware, you should perform several tasks to make sure that the threat is gone.

There are different types of Sality viruses around. Therefore, in some cases, scanning your machine with robust security software will do the trick. Unfortunately, as we mentioned above, the malware typically stops the operation of multiple AV providers, and booting the system in Safe Mode might be impossible as well.

Sality virus removal and prevention
There are several applications available that can successfully eliminate the Sality malware and prevent its entry in the first place. To repair the damaged system, you should use PC repair tools.

Some anti-virus vendors have created tools that are specifically designed to remove the Sality virus. AVG provides a Sality fix, and you can also make use of Kaspersky's SalityKiller. Once the malware is gone, you should use Reimage, SpyHunter 5 or Combo Cleaner to fix the damage done to the machine – remember, the worm infects system files, and anti-malware software typically cannot repair the corrupted files. Therefore, use applications that can remediate your PC and restore Registry entries.

Finally, security experts[5] do not recommend removing Sality manually, as the infection changes various parameters on the system. Thus, finding it and reverting the changes is an extremely complicated task that should only be practiced by trained IT specialists.


To remove Sality virus, follow these steps:

Remove Sality using Safe Mode with Networking

If Sality virus allows you to enter Safe Mode, proceed with the following:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Sality

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the malware to complete Sality removal.

If the malware is blocking Safe Mode with Networking, try the next method.

Remove Sality using System Restore

You can also try System Restore to get rid of malware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that predates the Sality infiltration. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it, and make sure that Sality removal was performed successfully.

Finally, you should always think about protection in advance. In order to protect your computer from Sality and similar threats, use a reputable anti-spyware such as Reimage, SpyHunter 5, Combo Cleaner or Malwarebytes.

About the author

Linas Kiguolis - Expert in social media

