W32.Sality.AE
W32.Sality.AE is a Trojan that modifies Windows registry to add an entry so that it can bypass installed firewall programs. Another payload of the virus is to download and execute additional threats from remote server. W32.Sality.AE can spread on computers by infecting executable files on local and remote drives. It is so harmful that it can delete files it sense belonging to legitimate security programs.
Alias: TROJ_AGENT.XOO, W32/Sality.ae, Sality.AG, Win32/Sality.Z, W32/Sality.AA
Threat Assessment By: Symantec
Damage Level: Medium
Systems Affected: Windows 2000, Windows NT, Windows XP
How to Remove W32.Sality.AE:
FIRST AID TO STOP W32.Sality.AE:
If this virus have infected the system, registry and legitimate Windows files are also compromised. System Restore can reinstate clean system files by restoring the configuration to an earlier date. If a restore point was created before you got infected with W32.Sality.AE, please restore Windows to previous configuration.
MANUAL REMOVAL OF W32.Sality.AE:
1. Update installed anti-virus application to have the latest definition file.
2. Reboot Windows in Safe Mode
- After turning on the power, press F8 on the keyboard.
- Select Safe Mode from the menu.
3. Thoroughly scan the system and clean/delete all infected file(s). Please see below.
4. Delete/Modify any values added to the registry if present. Refer to associated Windows Registry Entries.
- Click on Start. Search or Run regedit.exe to begin registry editor.
Note: You may refer to links on sidebar for a complete tutorial on Safe Mode and Registry Editor.
5. Exit registry editor and restart Windows.
ADDITIONAL TOOLS AND PROGRAMS:
Scan with Norton Power Eraser:
A free removal tool from Norton Antivirus was developed to remove virus and unfamiliar threats without using the traditional AV signatures. Download the tool and start scanning with Norton Power Eraser.
Technical Details and Additional Information:
Other functionalities of this Virus:
- W32.Sality.AE registers itself as WMI_MFC_TPSHOKER_80 service under Windows.
- The virus will stop any running process that belongs to legitimate antivirus programs.
- It connects to an specified URL to get commands and downloads addition malicious files.
Malicious Files Added by W32.Sality.AE:
%System%\drivers\[RANDOM NAME].sys
%DriveLetter%:\[RANDOM NAME].exe
%DriveLetter%:\[RANDOM NAME].cmd
%DriveLetter%:\[RANDOM NAME].pif
%DriveLetter%:\autorun.inf
File Location for Windows Versions:
- %System% for all versions of Windows it is located under C:\Windows\System32
Associated Windows Registry Entries:
HKEY_CURRENT_USER\Software\[USER NAME]914
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\Firewall Policy\StandardProfile\AuthorizedApplications\List\”[INFECTED FILE]” = “[INFECTED FILE]:*:Enabled:ipsec”
Amir
Aug 05, 2008 @ 14:29:15
I have having lot of problems because of this virus does anyone have a solutions for this? Please let me know.
Gempar
Sep 24, 2008 @ 13:37:43
You can use Norman Malware Cleaner to remove this virus.
huy
Oct 03, 2008 @ 04:11:18
Please send me removal tools about:
W32.Sality.AE
W32.Virut.R
W32.Almanahe.B!inf
Adware.ZangoSearch
Trojan.Packed.NsAnti
amit
Dec 09, 2008 @ 10:54:45
Tools to remove W32.Sality.AE virus
Gangadhar
Jan 15, 2009 @ 12:34:39
Hi, please send me w32.sality.ae and w32.sality.DFC virus removal tools.
Warm regards,
Gangadhar
Rajni Godhasara
Feb 01, 2009 @ 05:57:57
plesea send me removal tools about
W32.Sality.AE
W32.Virut.R
W32.Almanahe.B!inf
Adware.ZangoSearch
Trojan.Packed.NsAnti
w32 SAlity.t
abd other sality tools
w32.douwndup
thanX
Junagadh
precisesecurity
Feb 04, 2009 @ 00:40:25
1. Download Malwarebytes’ Anti-Malware (mbam-setup.exe) and save it on your Desktop.
2. After downloading, double-click on mbam-setup.exe to install the application.
3. Follow the prompts and install as “default” only
4. Before the installation completes, check on the following prompts:
– Update Malwarebytes’ Anti-Malware
– Launch Malwarebytes’ Anti-Malware
5. Click “Finish.” Program will run automatically and you will be prompt to update the program before doing a scan. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished, click on the “Show Results”
8. Make sure that all detected threats are marked, click on Remove Selected.
9. Restart Windows.
Note: Some malware may prevent mbam-setup.exe from downloading and running. You can download and rename this program from a different computer before running it on infected system.
SareH
Jun 21, 2009 @ 18:30:04
I have changed my windows about 5 times because of this virus. I think it has saved a copy in my system files so every time I changed the windows the virus remains and after 2, 3 months the speed of operating gets very low and can’t even listen music with it. Is anyone knows how to remove it from system files?
I do disable the restore system before changing the windows, but it won’t get of my laptop.
raman
Aug 01, 2009 @ 08:43:17
Required removal tool.
kunal
Oct 29, 2009 @ 10:50:40
Required removal tool
w32.sality.ae
KAVERI KAPUR
Dec 15, 2009 @ 08:31:06
i want clean scan and remove
viji.asv
Dec 30, 2009 @ 06:17:41
Need to removal tool for W32.silly.FDC
poojitha
May 30, 2010 @ 17:32:37
sorry for im saying like this. really i dont kw about this virus. no one file is correctly opened in my laptop. atleast yahoo messenger also not opened. please help me. tel me any solution. please giv me reply just now here only. i wil chech it . pleaseeeeeeeeeeee help me friends
Sanjeev
Jul 27, 2010 @ 06:43:31
Hi
1. I just want to know if there is a stinger exists for this virus.
2. Which is the most effective AV for this.
3. How to Re-enable ‘regedit’ command (which this virus has disabled). I’ve already tried symatec’s ‘Unhook.inf’).
PLS HELP.
Sakthi
Sep 10, 2010 @ 13:30:47
I have removed the virus ,but i cant resolve the settings done by that. my anti virus is not working .please help me to resolve the settings.