How to remove W32.Sality.AE
Posted Tuesday, 14 Dec, 2010
According to the Threats and Risks page, here is a short summary:
Risk Level 1: Very Low
Also Known As: TROJ_AGENT.XOO [Trend], W32/Sality.ae [McAfee], Sality.AG [Panda Software], Win32/Sality.Z [Computer Associates], Win32/Sality.AA [Computer Associates], W32/Sality.AA [F-Secure]
Infection Length: 57,344 bytes
Systems Affected: Windows XP, Windows NT, Windows 2000
W32.Sality.AE is a virus that spreads by infecting executable files and attempts to download potentially malicious files from the Internet.
So here are the 4 methods I use to troubleshoot it.
Method 1: Scan the infected drive from a clean PC
This is what I usually do, every time. The only catch is that it means opening the case, which is a problem if the warranty has not expired yet.
- Turn off your PC.
- Take the infected hard drive out of your PC.
- Go to another clean PC or notebook, or to someone who has the latest updated antivirus.
- Connect your hard drive to his/her PC.
- Boot his/her Windows in Safe Mode.
- Scan your hard drive with his/her antivirus. You'll find that most of your .exe files have been infected.
- Disinfect all of them.
- You will find that some files in your system32 folder cannot be disinfected. These are the core of the virus; get rid of them.
- You will find that one file cannot be deleted. This is the main problem. You need to delete it manually; tools like Unlocker or Pocket Killbox can do this.
- Copy the antivirus installer from his/her computer.
- Boot your own Windows, install the antivirus and update it to the latest version.
- Your PC is safe now.
Method 2: Clean it with your own updated antivirus
- Download new virus definitions from your antivirus vendor's site and update your antivirus.
- Disable System Restore (Windows Me/XP).
- Run a full system scan.
- Delete any values added to the registry.
» If you look at the following resources you will know which registry entries are safe to delete. Or you can use a tool like CCleaner to clean it up, but my recommendation is Registry First Aid; this one has been good to me. Or you can download and run this tool, and then continue with the removal. Right-click that file and choose Install.
- If you can, run the full system scan from Windows Safe Mode.
- Do not select "Delete all infected files", as it can delete some system files and crash the system. Delete any .EXE or .COM applications that you think may be infected. If your antivirus is like mine [Symantec AV CE v10], it can clean them instead.
Method 3: The rmsality removal tool
I came across this method in an Inforids article; I am just posting it here for easy reference.
Download the following three files (rmsality.exe, rmsality.nt, rmsality.dos) from here and run rmsality.exe.
You can also specify the disks (or partitions) to clean as command-line parameters, e.g. "rmsality C: D:". On Windows Vista and Windows 7, run rmsality.exe as an administrator to start scanning.
Method 4: On-line virus scanners
This method scans your computer thoroughly with an on-line virus scanner and cleans or deletes all infected files.
- Connect to the Internet and scan with any of the following on-line virus scanners:
- Symantec Security Check
- TrendMicro SysClean
- TrendMicro Housecall
- Panda ActiveScan
- BitDefender
- F-Secure
- Reboot the computer and start it normally.
- Do another scan to make sure that there are no threats left on your computer.
The last things you need to do are:
Enable Task Manager
Start » Run, type gpedit.msc and navigate to User Configuration » Administrative Templates » System » Ctrl+Alt+Del Options. On the right, make sure the Remove Task Manager option is set to "Disabled".
Repeat for regedit: under System, make sure Prevent Access to Registry Editing Tools is set to "Disabled". Close the window after making the changes, restart your PC and you are free again. Just watch out for the virus though.
Disable the Autorun feature of Windows
I will write this up another day, or you can browse to the links below:
Antivirus Tools Cannot Clean Infected Files in the _Restore Folder
How to disable the Autorun functionality in Windows
Enabling and Disabling AutoRun
Enabling and Disabling AutoRun in Windows Explorer
Download the fix update from Microsoft
Fix it for me
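As an added example (not from the original post or from any of the tools it links), the following PowerShell script does the same two things as the gpedit steps and the Autorun links above, but through the registry policy values those settings map to: it checks for and removes the DisableTaskMgr and DisableRegistryTools values that block Task Manager and regedit, and it sets NoDriveTypeAutoRun to 0xFF, which turns AutoRun off for every drive type. The key paths and value names are the standard Windows policy locations; the function names are my own. Run it from an elevated PowerShell prompt after the cleanup, and export the affected keys first so you can roll back.

```powershell
# Added example, not part of the original post. Restores Task Manager and
# Registry Editor access and disables AutoRun through the registry policy
# values behind the gpedit settings described above. Run elevated.

# "Remove Task Manager" and "Prevent access to registry editing tools" are stored
# as DWORD values under the Policies\System key; 1 = blocked. Malware that blocks
# them usually writes the per-user (HKCU) key, but the machine-wide key is checked too.
$toolPolicies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' }
)

# Read one policy value, returning $null when the key or value is absent.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $props = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name
}

# Report every blocking value and remove it. Removing the value is gpedit's
# "Not Configured"; setting it to 0 would be gpedit's "Disabled". Both unblock the tool.
function Restore-AdminTools {
    $fixed = 0
    foreach ($p in $toolPolicies) {
        $current = Get-PolicyValue -Path $p.Path -Name $p.Name
        if ($current -eq 1) {
            Write-Host ("{0}\{1} = 1 (blocked) -> removing" -f $p.Path, $p.Name)
            Remove-ItemProperty -Path $p.Path -Name $p.Name
            $fixed++
        }
        else {
            Write-Host ("{0}\{1} not blocking (value: {2})" -f $p.Path, $p.Name, $current)
        }
    }
    return $fixed
}

# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is off;
# 0xFF covers all of them. Setting it under HKLM applies to every user.
function Disable-AutoRun {
    $explorerPolicy = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path -Path $explorerPolicy)) {
        New-Item -Path $explorerPolicy -Force | Out-Null
    }
    Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    return (Get-PolicyValue -Path $explorerPolicy -Name 'NoDriveTypeAutoRun')
}

$restored = Restore-AdminTools
Write-Host "Removed $restored blocking policy value(s)."
$autorun = Disable-AutoRun
Write-Host ("NoDriveTypeAutoRun is now 0x{0:X2} (AutoRun disabled for all drive types)." -f $autorun)
```

Two caveats that follow from the post itself: on older Windows XP systems the NoDriveTypeAutoRun value is only fully honoured once the Microsoft fix update linked above is installed, and if the infection is still active it can simply write the blocking values back, so re-run the script after a reboot and treat values that have reappeared as a sign the cleanup is not finished.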
Did you like the post? Feel free to post your queries, opinions and views in the comments.