Removing "W32.Sality.U" Virus From System

   According to my experience, antivirus can only detect & remove files infected by the W32.Sality.U virus, but the latest Quick Heal antivirus can repair these infected files, so I suggest you scan the whole system using Quick Heal.

  • Summary:
W32.Sality.U spreads by infecting executable files. It may be dropped by other malware.
  •   Malware Type    :- Virus
  •   Alias           :- W32/Sality [Avira], W32/Sality [McAfee]
  •   System Affected :- Windows 2000, 95, 98, Me/NT, Windows Server 2003, Windows XP
  •   Risk Rating     :- Low
  • Description:
When W32.Sality.U is executed, it performs the following activities:
It may infect executables in the root folder, files on network shares, and files it may find based on the following registry locations:

It modifies %Windows%\SYSTEM.INI, adding the string below:

 DEVICEMB={Random Numbers}
 It also creates registry keys/entries under:

It replaces the original entry point of the files it infects with its viral code and appends itself to the last section of the PE image. Infected files grow in size by 61,440 bytes.
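The two indicators described above (the DEVICEMB= line in system.ini and an entry point that lands in the last PE section) can be checked with a short triage script. This is an added example, not part of the original post or of any antivirus product; the function names are hypothetical and the sample PE headers are constructed for illustration.

```python
import re
import struct

# Line the page says the virus adds to %Windows%\SYSTEM.INI.
DEVICEMB_RE = re.compile(r"^\s*DEVICEMB\s*=\s*(\d+)\s*$", re.I | re.M)

def devicemb_entries(ini_text):
    """Return the values of any DEVICEMB= lines found in system.ini text."""
    return DEVICEMB_RE.findall(ini_text)

def pe_sections(data):
    """Return (entry_point_rva, [(name, rva, vsize, rawsize), ...]) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    entry, = struct.unpack_from("<I", data, pe_off + 24 + 16)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, rva, rawsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), rva, vsize, rawsize))
    return entry, sections

def entry_in_last_section(data):
    """True when the entry point lies inside the last section (worth a scan)."""
    entry, sections = pe_sections(data)
    if len(sections) < 2:
        return False  # single-section images always match; not informative
    _, rva, vsize, rawsize = sections[-1]
    return rva <= entry < rva + max(vsize, rawsize)

def build_sample(entry):
    """Constructed header-only PE32 image with .text and .rsrc sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(224, b"\0")
    text = struct.pack("<8sIIII", b".text", 0x1000, 0x1000, 0x1000, 0x400) + b"\0" * 16
    rsrc = struct.pack("<8sIIII", b".rsrc", 0xF000, 0x2000, 0xF000, 0x1400) + b"\0" * 16
    return dos + b"PE\0\0" + coff + opt + text + rsrc
```

Legitimately packed or protected executables can also have their entry point in the last section, so a hit is a reason to scan the file, not a verdict.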

  • Solution:            
  1. Disable System Restore.
  2. Disable System Restore under Windows Me: Point to Start, Settings, and Control Panel. Double-click 'System', then click on the 'Performance' tab. Click 'File System' then click the 'Troubleshooting' tab. Select 'Disable System Restore' and click 'Apply'. Restart your system.
  3. Disable System Restore under Windows XP: Point to Start, Control Panel, Performance and Maintenance. Double-click 'System', then select the System Restore tab. Select the 'Turn off System Restore' on all drives box. Click Apply. Click Yes. Restart your system.
  4. Edit system.ini: click Start -> Run, type system.ini, delete the string
 DEVICEMB={Random Numbers}
     and save the file.

     Update Anti-Virus with the latest signature pattern definitions and perform a system scan using Quick Heal Scanner.

Post a Comment


  1. You have saved so many hours of mine...excellent shortcut to remove that nasty virus

