Severity scale: 100/100

Sality virus. How to remove? (Uninstall guide)

Removal guide by Linas Kiguolis | Type: Malware

Sality – an old but dangerous family of malware that is still prevalent today

Image: Sality virus is a dangerous malware family that is capable of self-replication

Sality is a malware family first seen in 2003. Security researchers believe it originated in Russia, and it has evolved considerably since. From 2010 onward, variants shipped rootkit[1] components and coordinated infected machines over a peer-to-peer botnet rather than through fixed servers. Individual versions differ in symptoms and payload, but the core of the family is a polymorphic file infector that behaves like a worm: it writes itself into executables on the host and spreads to removable and network drives, relying on autorun to execute when such a drive is attached elsewhere. Although old, Sality remains in circulation and can steal sensitive data, send spam, act as a downloader for further malware, and interfere with antivirus software. It is widely regarded as one of the more complex and resilient malware families in the wild.

SUMMARY
Name                       Sality virus
Type                       Malware / worm (polymorphic file infector)
Alternative names          SaILoad, SaliCode, Spamta, Kukacka, Kookoo, Vilsel
First spotted              2003
Related file               amsint32.sys
Spread                     Infects executables and copies itself to remote and removable drives
Symptoms                   Security software stops working, Registry Editor becomes unavailable, amsint32.sys is present
Detection and elimination  Use a reputable security tool; this article suggests Reimage, Malwarebytes or Combo Cleaner

Sality infects the EXE and SCR files it can reach on a Windows machine, then spreads to removable media and to shares on other physical or virtual machines in the same network. Rather than replacing the host program, it patches the host's code at its entry point so that execution is redirected into the polymorphic[2] viral body appended to the file; the original program still runs afterwards, which is why infected files keep working and the infection goes unnoticed. Sality also adds Registry entries so that it is launched on every Windows boot.

Sality also works as a malware downloader: it carries a preset list of URLs pointing to servers from which additional files are fetched, decrypted and executed. The RC4 stream cipher is used to encrypt and decrypt the data involved in the host-infection process.
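The entry-point rerouting just described is what a content-based check should look for, since the malware does not depend on any fixed filename. The script below is an added example written for this article, not code from the original page or from any anti-virus vendor: it parses a PE header, locates the section that contains AddressOfEntryPoint, and flags the layout an appending file infector leaves behind (entry point outside the first code section, in the last section, or in a section that is both writable and executable). The two PE images it analyses are constructed in memory for the demonstration and contain headers only; the flag constants are the standard PE/COFF section characteristics.

```python
"""Added example: content-based heuristic for a redirected PE entry point.

An infector that appends its body to a host executable and patches the header
so AddressOfEntryPoint points at the appended code leaves a recognisable shape:
the entry point is no longer in the first code section, usually sits in the
last section, and that section has been made writable and executable.
"""
import struct

# Section characteristics flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, rva, vsize, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry, = struct.unpack_from("<I", data, opt + 16)    # same offset in PE32 and PE32+
    table = opt + opt_size                               # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                             # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva = struct.unpack_from("<II", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append((name, rva, vsize, chars))
    return entry, sections


def entry_point_findings(data):
    """List the reasons the entry point looks redirected; an empty list means no finding."""
    entry, sections = parse_pe(data)
    host = next((i for i, (_, rva, vsize, _) in enumerate(sections)
                 if rva <= entry < rva + vsize), None)
    if host is None:
        return ["entry point 0x%x lies outside every section" % entry]
    name, _, _, chars = sections[host]
    findings = []
    code = [i for i, s in enumerate(sections)
            if s[3] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)]
    if code and host != code[0]:
        findings.append("entry point in '%s', not in the first code section '%s'"
                        % (name, sections[code[0]][0]))
    if len(sections) > 1 and host == len(sections) - 1:
        findings.append("entry point in the last section '%s' (where appended infector code lands)" % name)
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("section '%s' is both writable and executable" % name)
    return findings


def build_pe(sections, entry_point):
    """Constructed sample: a minimal PE32 header with the given section table and no code."""
    opt_size = 0xE0
    img = bytearray(0x40)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)              # e_lfanew -> PE signature at 0x40
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)         # AddressOfEntryPoint
    img += opt
    for name, rva, vsize, chars in sections:
        img += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, rva, vsize,
                           0, 0, 0, 0, 0, chars)
    return bytes(img)


# Constructed samples. CLEAN_SAMPLE: normal layout, entry point inside .text.
# INFECTED_SAMPLE: the last section has grown by 0x2000 bytes, been marked
# writable+executable, and the entry point now points into that appended region.
TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN_SAMPLE = build_pe([(".text", 0x1000, 0x800, TEXT), (".data", 0x2000, 0x400, DATA)], 0x1010)
INFECTED_SAMPLE = build_pe([(".text", 0x1000, 0x800, TEXT),
                            (".data", 0x2000, 0x400 + 0x2000, DATA | IMAGE_SCN_MEM_EXECUTE)], 0x2400)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, entry_point_findings(sample) or ["no findings"])
```

To triage a real machine, feed entry_point_findings the bytes of each executable (open(path, "rb").read()) across the directories Sality targets. Treat hits as signals, not verdicts: runtime packers such as UPX also place the entry point in a writable, executable section, so confirm a suspect file with a full AV scan or by comparing its hash against a known-good copy.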

To remove Sality it is important not to ignore the signs of infection, which include:

  • Installed security software malfunctions or is terminated;
  • Security-related services and processes are stopped;
  • Booting into Safe Mode becomes impossible;
  • The machine starts sending malicious (spam) emails;
  • A malicious file named amsint32.sys appears in %SystemRoot%\system32\drivers.

Sality removal can be a complicated task because the malware does not depend on a fixed filename: it lives inside infected host executables and gives any files it drops arbitrary names. Detection that relies on a list of known malicious filenames can therefore miss it; engines have to inspect file contents instead. The last part of this article gives full eradication instructions, after which remaining traces can be cleaned with Reimage.

Image: Sality virus is malware that can steal sensitive information, disable Windows processes and stop AV engines from detecting it

Protect yourself from malware infections

Users typically infect their computers with malicious software because basic security measures are missing: some are unaware of what needs to be done to protect themselves, others simply neglect it.

One of the most important rules is to run reputable security software. Sality is old, and security vendors have long since added detection and preventive measures for it, but those only help if the product's signature database is kept up to date. Patching every program installed on the computer, the operating system included, is just as important: software vulnerabilities are routinely exploited to install malware without any user action.

Finally, do not execute unknown files. If you really have to open one, scan it first with a trusted tool.

Sality virus removal steps

Sality removal is a complicated task, which is why preventing the infection is critical. Nevertheless, if you suspect your computer is infected, perform the following to make sure the threat is gone.

Several Sality variants are in circulation, so in some cases a scan with robust security software will be enough. Unfortunately, as noted above, the malware typically disables products from multiple AV vendors, and booting into Safe Mode may be impossible as well.

Some anti-virus vendors have released tools built specifically to remove Sality: AVG provides a Sality fix, and Kaspersky offers SalityKiller. Once the malware is gone, use Reimage or Malwarebytes to repair the damage and restore Registry settings. Bear in mind that a file infector touches every executable it can reach; where many files are infected or the machine matters, rebuilding it from known-good media and restoring data from a backup taken before the infection is the more reliable course.

Finally, security experts[3] do not recommend removing Sality manually, as the infection changes many system parameters. Finding and reverting every change is extremely difficult and should be attempted only by trained IT specialists.


To remove Sality virus, follow these steps:

Remove Sality using Safe Mode with Networking

If Sality still allows you to enter Safe Mode, proceed with the following:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift and click Restart.
    2. Select Troubleshoot → Advanced options → Startup Settings and press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Sality

    Log in to the infected account and start the browser. Download Reimage or another legitimate anti-malware program. Update it before running a full system scan, then remove the malicious files that belong to Sality to complete the removal.

If Sality is blocking Safe Mode with Networking, try the next method.

Remove Sality using System Restore

You can also try System Restore to get rid of the malware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift and click Restart.
    2. Select Troubleshoot → Advanced options → Startup Settings and press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point dated before the Sality infection. Then click Next.
    4. Click Yes to start the restore.
    System Restore reverts the Registry and protected system files to the chosen point; it does not guarantee that every infected executable is replaced. Once the system has been restored to a previous date, download and run a full scan with Reimage to make sure that Sality removal is complete.

Finally, think about protection against future infections. To protect your computer from Sality and other malware, use a reputable anti-malware program, such as Reimage, Malwarebytes or Combo Cleaner.

About the author

Linas Kiguolis - Expert in social media
