Aliases:
- W32/Sality.B.gen!Eldorado (Command)
- W32/Sality.AT (Avira)
- Win32/Sality.AA (CA)
- Win32.Sector.21 (Dr.Web)
- Win32/Sality.NBA (ESET)
- Trojan.Win32.Vilsel.vyy (Kaspersky)
- W32/Sality.gen.e (McAfee)
- W32/Sality.BD (Norman)
- W32/Spamta.QO.worm (Panda)
- Win32.KUKU.kj (Rising AV)
- Troj/SalLoad-A (Sophos)
- PE_SALITY.BA (Trend Micro)
Windows Defender detects and removes this threat.
This virus stops some security software and prevents some Windows utilities from running. It also tries to download other files, including other malware, from a remote server.
It spreads by infecting Windows files and copying itself to removable and remote drives.
Use the following free Microsoft software to detect and remove this threat:
- Windows Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
- Microsoft Windows Malicious Software Removal Tool
You should also run a full scan. A full scan might find other, hidden malware.
To recover your affected files you might need to re-install the affected software.
This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading:
Scan removable drives
Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:
Enable the registry editor
This threat might prevent Registry Editor from running. To let Registry Editor run again, follow these steps:
- Click Start then Run and type cmd to run a command prompt.
- In the command prompt, type the following and press Enter:
reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
- Type exit.
Recovering from recurring infections on a network
You might need to take the following steps to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
- Ensure that an antivirus product is installed on all PCs connected to the network that can access or host shares.
- Ensure that all available network shares are scanned with an up-to-date antivirus product.
- Restrict permissions as appropriate for network shares on your network. Use access control to restrict who can use files.
- Remove any unnecessary network shares or mapped drives.
It might also be necessary to temporarily change the permission on network shares to read-only until the disinfection process is complete.
Remove program exceptions in the firewall
This threat might add itself to your Windows Firewall exception list. This means it can go online without being blocked. To remove it from the exception list, do the following:
- Open Windows Firewall by swiping in from the right edge of the screen, tapping Search (or if you're using a mouse, pointing to the upper-right corner of the screen, moving the mouse pointer down, and then clicking Search), entering firewall in the search box, tapping or clicking Settings, and then tapping or clicking Windows Firewall.
- In the left pane, tap or click Allow an app or feature through Windows Firewall.
- Tap or click Change settings. You might be asked for an admin password or to confirm your choice.
- Select the check box next to the app you want to allow, select the network types you want to allow communication on, and then click OK.
For Windows 7:
- Click Start, select Control Panel, then System and Security.
- Select Windows Firewall.
- On the menu on the left, select Allow a program through Windows Firewall. If you're prompted, type the password or provide confirmation.
- Click Change Settings. If you're prompted, type the password or provide confirmation.
- Select <program name> from the list of allowed programs and features. Click Remove.
- Click OK.
For Windows Vista:
- Click Start, select Control Panel, then Security Center.
- On the menu on the left, select Windows Firewall.
- On the menu on the left, select Allow a program through Windows Firewall. If you are prompted, type the password or provide confirmation.
- Select <program name> from the list of allowed programs and features. Click Delete.
- Click OK.
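The registry and firewall checks above, combined into one script as an added example (this is not Microsoft's own tooling). Assumptions: an elevated PowerShell session on Windows 8.1 or Windows 10 (the Get-NetFirewallRule cmdlets are not available on Windows 7 or Vista, where netsh is used instead), the standard NoDriveTypeAutoRun policy value for disabling Autorun (the page only says Autorun can be disabled), and a simple "trusted directory" heuristic for flagging firewall exceptions that is purely illustrative.

```powershell
# Added example, not from the Microsoft page. Run elevated on Windows 8.1/10.

# 1. Registry Editor: this is the same DisableRegistryTools value the page's
#    reg.exe command resets; a non-zero value blocks regedit for the current user.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$current = (Get-ItemProperty -Path $policyKey -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
if ($current -and $current -ne 0) {
    Write-Output "DisableRegistryTools is $current; resetting to 0"
    Set-ItemProperty -Path $policyKey -Name DisableRegistryTools -Value 0 -Type DWord
} else {
    Write-Output 'Registry Editor is not disabled by policy'
}

# 2. Autorun: NoDriveTypeAutoRun = 0xFF disables Autorun for every drive type
#    (standard Microsoft policy value; assumed here, the page does not state it).
$explorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $explorerKey)) { New-Item -Path $explorerKey -Force | Out-Null }
Set-ItemProperty -Path $explorerKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

# 3. Firewall exceptions: list enabled inbound allow rules bound to a program
#    outside the Windows and Program Files directories so an analyst can review
#    them. Heuristic only (assumption); remove a confirmed bad rule with
#    Remove-NetFirewallRule -DisplayName '<rule name>'.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule = $_
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        if ($program -and $program -ne 'Any') {
            $expanded = [Environment]::ExpandEnvironmentVariables($program)
            $underTrusted = $trusted | Where-Object { $expanded -like "$_\*" }
            if (-not $underTrusted) {
                [pscustomobject]@{ Rule = $rule.DisplayName; Program = $expanded }
            }
        }
    } | Format-Table -AutoSize
```

Review the listed rules before deleting anything: legitimate software installed outside Program Files will also appear, so the list is a starting point for inspection, not an automatic removal.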
Additional remediation instructions for this threat
This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following steps can help change these settings back to what you want:
- Restore security settings to a known working state
- Reset Internet Explorer settings
- View hidden and/or system files
- Start Windows services
- Enable System Restore
- Enable Windows Firewall
- Enable Windows Security Center/Action Center alerts
- Disable third-party tool bands and Browser Helper Objects
- Use the system recovery options
- For other support and help related articles, go to:
- Microsoft Security TechNet Center