Posted by: EricC | June 15, 2010

Sality Infection Removal

To remove the file-patching virus “Sality,” we run two different tools, reboot, and then rerun the second tool to verify that the PC is clean.  SecureIT does protect against this infection, but we have seen many people discussing it again on other blogs and asking how to remove it after their AV product has failed.

First we download and run “Kaspersky’s Sality Remover.”  The program can be found at “http://support.kaspersky.com/downloads/utils/salitykiller.zip”.  The file comes as a .zip archive, so the first thing to do after downloading is to extract it.  Within the extracted folder you will find an exe file; double click it to start the tool.  The scan can take quite a while depending on several factors: CPU speed, available RAM, how long the infection has been active on the machine, and the number of files on the PC (the tool has to open every executable to check it).  We have seen it run for 15 minutes and for 2+ hours.  Have patience and let the tool run to completion; stopping it part way leaves infected files behind.

Also, Sality can cause the computer to show “Windows – No Disk” errors.  If you are seeing this error window, watch the Sality tool closely during its first couple of minutes.  It will appear to loop endlessly on the same file (with the same Process ID, or PID).  When you see this pattern begin, click the “Cancel” button in the “Windows – No Disk” error window.  This lets the scanning tool continue.

After the scan has completed it is best to reboot the machine.  Once the machine is back at the Desktop we are ready to begin stage 2 of the Sality removal process.  Download and run Hitman Pro 3.5 from the Surfright site “http://www.surfright.nl/en/downloads”.  Be sure to download the version that matches your operating system (32-bit in most cases).  Run the downloaded exe file, accept the license agreement, and the scan will begin.  This scan is comparatively short, usually finishing within 5-10 minutes.  It will find the remaining Sality files (if any) that the Kaspersky tool missed or was unable to clean.  Take careful note of which files Hitman finds.  These will most likely be legitimate files that were infected by Sality, so in some cases the third-party software they belong to will ultimately need to be reinstalled.  It is necessary to remove these files because they carry the Sality code; left in place, they will reinfect the machine the next time they run.  Commonly infected legitimate files that we have seen are MSN Messenger, Yahoo Messenger, and iTunes.  These are programs that are usually running on the machine, and Sality seems to focus its initial payload on actively running software.

Lastly, a method that some choose for any file-patching virus removal is a reinstall of the OS.  If you are considering this and are concerned about backing up your data first, the good news is that you can!  The file-patching virus only targets what’s referred to as “Portable Executable” or “PE” files (exe’s, dll’s, .sys’s, .scr’s).  Any type of media file (music, movie, etc.) is fine to back up, as is any Office document (.doc’s, .xls’s, etc.).  The only files that you cannot back up are PE’s.  It is best to back up to a CD or DVD rather than a USB drive: once burned, optical media are read-only, so the infected machine cannot write its own files onto the backup the way it can onto a writable drive.  For a longer description of PE’s see the Wikipedia page “http://en.wikipedia.org/wiki/Portable_Executable”, where all the PE file extensions are listed in the box at the top right.
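A backup that relies on file extensions alone will miss a renamed executable, and it will also skip a harmless file that merely has a .scr name.  The script below is an added example, not part of the original post or of either removal tool: it decides what is a PE by reading the actual header (the “MZ” DOS signature and the “PE\0\0” signature that the e_lfanew field at offset 0x3C points to), copies only the non-PE files to the backup folder, and reports anything with PE content hiding behind a document extension so you can look at it before wiping the machine.  The sample files it builds in a temporary folder are constructed for the demo; the minimal “fake PE” is just enough header to be recognised, and the names, folder layout and category labels are the example’s own.

```python
import os
import shutil
import struct
import tempfile

# Extensions the post lists as PE formats (not exhaustive; the Wikipedia page has more).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr"}


def is_pe_file(path):
    """True if the file carries a genuine PE header, whatever its extension.

    A PE image begins with the DOS 'MZ' signature; the 32-bit little-endian
    e_lfanew field at offset 0x3C holds the offset of the 'PE\\0\\0' signature.
    """
    try:
        with open(path, "rb") as f:
            dos_header = f.read(0x40)
            if len(dos_header) < 0x40 or dos_header[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos_header, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def classify(path):
    """Sort a file into 'backup', 'pe' (do not copy) or 'suspicious'
    (PE content behind a non-PE extension, e.g. a renamed executable)."""
    ext = os.path.splitext(path)[1].lower()
    has_pe_header = is_pe_file(path)
    if has_pe_header and ext not in PE_EXTENSIONS:
        return "suspicious"
    if has_pe_header or ext in PE_EXTENSIONS:
        return "pe"          # conservative: a PE extension is skipped even without a header
    return "backup"


def backup_non_pe(src_dir, dst_dir):
    """Copy everything that is not a PE from src_dir to dst_dir.

    Returns a dict of relative paths (forward slashes) per category so the
    operator can review what was left behind before reinstalling.
    """
    result = {"backup": set(), "pe": set(), "suspicious": set()}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src_dir)
            category = classify(full)
            result[category].add(rel.replace(os.sep, "/"))
            if category == "backup":
                target = os.path.join(dst_dir, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(full, target)
    return result


def fake_pe():
    """Constructed minimal PE header: 'MZ', e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    return (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
            + b"PE\x00\x00" + b"\x00" * 16)


def demo():
    """Build a constructed sample tree, run the backup and return the summary."""
    samples = {
        "notes.doc": b"some office text",               # plain document: back up
        "music/song.mp3": b"\xff\xfb" + b"\x00" * 32,   # media file: back up
        "tool.exe": fake_pe(),                           # PE: skip
        "drivers/driver.sys": fake_pe(),                 # PE: skip
        "report.doc": fake_pe(),                         # PE content, .doc name: flag
        "setup.scr": b"not really a screensaver",        # PE extension, no header: skip
    }
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        dst = os.path.join(tmp, "backup")
        for rel, data in samples.items():
            full = os.path.join(src, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        summary = backup_non_pe(src, dst)
        # What actually landed in the backup folder, for cross-checking.
        summary["copied"] = {
            os.path.relpath(os.path.join(r, n), dst).replace(os.sep, "/")
            for r, _d, fs in os.walk(dst) for n in fs
        }
    return summary


if __name__ == "__main__":
    for category, names in sorted(demo().items()):
        print(f"{category}: {sorted(names)}")
```

Run it as-is to see the demo; to use it on a real machine, call `backup_non_pe` with the user’s profile folder and the backup target (a folder you will then burn to disc), and review the “suspicious” list by hand.  Checking the header rather than the name is the point: Sality patches the PE itself, so that is the property the backup filter should test.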

All in all, the Sality virus is not extremely difficult to remove.  It can, however, become a time-consuming and tedious adventure.
