How to remove W32.Sality.AE

Posted on: Tuesday, 14 Dec, 2010

W32.Sality.AE [W32.Sality variant]: the W32.Sality.AE virus mainly spreads through removable media such as USB flash drives and external hard drives.
According to Threats and Risks, here is a short summary:

Risk Level 1: Very Low
Also Known As: TROJ_AGENT.XOO [Trend], W32/Sality.ae [McAfee], Sality.AG [Panda Software], Win32/Sality.Z [Computer Associates], Win32/Sality.AA [Computer Associates], W32/Sality.AA [F-Secure]
Type: Virus
Infection Length: 57,344 bytes
Systems Affected: Windows XP, Windows NT, Windows 2000

W32.Sality.AE is a virus that spreads by infecting executable files and attempts to download potentially malicious files from the Internet.

For more information, please see the following resources here and here.

So, here are 4 methods for troubleshooting it.

Method 1

I usually do this every time. The problem is if the warranty has not expired yet.

  1. Turn off your PC
  2. Take your infected hard drive out of your PC
  3. Go to another clean PC / notebook, or to someone who has an antivirus with the latest updates
  4. Put your hard drive into his/her PC
  5. Run his/her Windows in Safe Mode
  6. Scan your hard drive using his/her antivirus. You’ll find out that most of your .exe files have been infected
  7. Disinfect all of them
  8. You will find that some files in your system32 can’t be disinfected. This is the core of the virus; get rid of them
  9. You will find that a file can’t be deleted. This is the main problem. You need to delete it manually; you can use UnLocker or Pocket Killbox
  10. Copy the installer of the antivirus from his/her computer
  11. Run your Windows, install the antivirus and update it to the latest version
  12. Your PC is safe now

Method 2

  1. Download new virus definitions from your antivirus site, and get your antivirus updated.
  2. Disable System Restore (Windows Me/XP).
  3. Run a full system scan.
  4. Delete any values added to the registry.
     » If you look at the following resources, you will know which registry values are safe to delete. Or you can use tools like CCleaner to clean it up, but my recommendation is Registry First Aid; this one works well for me. Or you can download and run this tool, and then continue with the removal. Right-click that file and choose Install.


  • If you can, please run the full system scan in Windows Safe Mode.
  • Do not select Delete all infected files, as it can delete some system files and result in a system crash. Delete any .EXE or .COM apps that you think may be infected. But if your antivirus is like mine [SymantecAV CE v10], it can clean them.

Method 3

I came across this method through an Inforids article. I am just posting it here for easy reference.

Download the following three files (rmsality.exe, rmsality.nt, rmsality.dos) from here and run the rmsality.exe file.

You can also specify the disks (or partitions) to heal as command parameters, e.g.: “rmsality C: D:”. Run the rmsality.exe file as an administrator (in Windows Vista and Windows 7) to start the tool for scanning.

Method 4

This method thoroughly scans your computer with an online virus scanner and cleans/deletes all infected files.

  1. Connect to the Internet and scan with any of the following online virus scanners.
    • Symantec Security Check
    • TrendMicro SysClean
    • TrendMicro Housecall
    • Panda ActiveScan
    • BitDefender
    • F-Secure

      Note: Online Virus Scanner works with default Internet Explorer settings (Internet zone – Medium security level). If you have changed them, you may enable ActiveX and JavaScript from Tools->Internet Options->Security->Custom Level.

  2. Reboot computer and start it normally.
  3. Do another scan to make sure that there are no threats left on your computer.

The last things you need to do are:

Enable Task Manager

Go to Start » Run and type gpedit.msc. Navigate to User Configuration » Administrative Templates » System » Ctrl+Alt+Del Options. On the right, ensure that the Remove Task Manager option is set to “Disable”.

Repeat for regedit: ensure that Prevent Access to Registry Editing Tools is set to “Disable” under System. Close the window after making the changes and restart your PC, and you are free again. Just watch out for the virus though.
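The same two settings can be checked from a script. The following is an added example, not part of the original post: it relies on the fact that these two Group Policy options are stored as the registry values DisableTaskMgr and DisableRegistryTools under the Policies\System key, and the function names are made up for this illustration.

```powershell
# Added example: audit the two restrictions that the gpedit steps above reset.
# Get-PolicyRestriction / Clear-PolicyRestriction are illustrative names.
$policyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$values = @{
    DisableTaskMgr       = 'Remove Task Manager'
    DisableRegistryTools = 'Prevent access to registry editing tools'
}

function Get-PolicyRestriction {
    param([string[]]$Hives = @('HKCU:', 'HKLM:'))
    foreach ($hive in $Hives) {
        $path = Join-Path $hive $policyKey
        if (-not (Test-Path $path)) { continue }   # key absent: nothing is set
        $props = Get-ItemProperty -Path $path
        foreach ($name in $values.Keys) {
            $data = $props.$name
            if ($null -ne $data) {
                New-Object PSObject -Property @{
                    Path = $path; Name = $name; Data = $data
                    Policy = $values[$name]
                    Restricts = ($data -ne 0)      # any non-zero value blocks the tool
                }
            }
        }
    }
}

function Clear-PolicyRestriction {
    param([switch]$Apply)
    foreach ($r in (Get-PolicyRestriction | Where-Object { $_.Restricts })) {
        if ($Apply) {
            Remove-ItemProperty -Path $r.Path -Name $r.Name
            "removed  $($r.Path)\$($r.Name)"
        } else {
            "would remove  $($r.Path)\$($r.Name) (= $($r.Data))"
        }
    }
}

# Report what is set, then show what a cleanup would do.
Get-PolicyRestriction | Format-Table Path, Name, Data, Restricts -AutoSize
Clear-PolicyRestriction          # dry run; add -Apply to delete the values
```

If the values come back after a reboot, something is still writing them, so scan again before trusting the machine.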

Disable Autorun Feature of Windows

I will write this up another day… or you can browse to the links below:

Support Microsoft

Antivirus Tools Cannot Clean Infected Files in the _Restore Folder
How to disable the Autorun functionality in Windows
Enabling and Disabling AutoRun
Enabling and Disabling AutoRun in Windows Explorer

Download the fix update from Microsoft
Fix it for me
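For reference, an added example (not from the original post, which only links to the Microsoft articles) that reads the current AutoRun policy and shows which drive types it still leaves open. It assumes the NoDriveTypeAutoRun policy value documented by Microsoft, where 0xFF disables AutoRun for all drive types; the function names are made up for this illustration.

```powershell
# Added example. NoDriveTypeAutoRun is a bitmask: a set bit turns AutoRun OFF
# for that drive type; 0xFF turns it off for every type.
$explorerKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$driveTypes  = @{ 0x01 = 'Unknown'; 0x04 = 'Removable'; 0x08 = 'Fixed'
                  0x10 = 'Network'; 0x20 = 'CD-ROM';    0x40 = 'RAM disk' }

function Get-AutoRunEnabledTypes {
    param([int]$Mask)
    # Drive types whose bit is clear still honour AutoRun.
    $driveTypes.Keys | Sort-Object |
        Where-Object { ($Mask -band $_) -eq 0 } |
        ForEach-Object { $driveTypes[$_] }
}

function Get-AutoRunState {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path  = Join-Path $hive $explorerKey
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path).NoDriveTypeAutoRun
        }
        if ($null -eq $value) {
            "$path : NoDriveTypeAutoRun not set (OS default applies)"
        } else {
            $open = @(Get-AutoRunEnabledTypes -Mask $value)
            "{0} : 0x{1:X2}, AutoRun still on for: {2}" -f $path, $value,
                $(if ($open.Count) { $open -join ', ' } else { 'none' })
        }
    }
}

function Disable-AutoRun {
    param([switch]$Apply)
    $path = Join-Path 'HKLM:' $explorerKey      # machine-wide; needs admin
    if (-not $Apply) { return "would set $path\NoDriveTypeAutoRun = 0xFF" }
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    "set $path\NoDriveTypeAutoRun = 0xFF"
}

Get-AutoRunState
Disable-AutoRun      # dry run; add -Apply from an elevated prompt
```

A result that still lists Removable means a USB drive can launch its AutoRun entry on insertion, which is the spreading route described at the top of this post.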

Did you like the post? Feel free to post your queries, opinions & views through your comments.


1 Response to "How to remove W32.Sality.AE"

You post very interesting articles here. Your blog deserves much more traffic.
It can go viral if you give it an initial boost. I know a very useful tool that can help you, simply search in Google:
svetsern traffic tips
