Sality should be
applied only if NO Kaspersky Lab product is installed on an infected computer, and/or if the computer
is already infected and a Kaspersky Lab product cannot be installed by regular means. Kaspersky Lab
experts also recommend using Rescue Disk to disinfect an infected computer.
The SalityKiller.exe utility given in this article detects and disinfects only the following
Sality modifications: Virus.Win32.Sality.aa, Virus.Win32.Sality.ae, Virus.Win32.Sality.ag,
Virus.Win32.Sality.bh.
While disinfecting this group of computers, do not log on as a domain administrator on any other
computers, to prevent further spread of the infection in the network.
Do not stop or terminate the utility until all computers in the network have been disinfected.
Computers on which you log on with domain administrator rights should be disinfected first. Once
these computers are disinfected, start disinfecting the other computers in the network.
• Run the utility SalityKiller.exe on the infected computers once again (no additional commands to
run the utility are needed).
• A reboot might be required after disinfection.
• Make sure that the anti-virus icon in the system tray has turned red, indicating that the anti-virus
software is fully functional. Otherwise, reinstall the anti-virus via Kaspersky Administration
Kit.
• Update the anti-virus databases (threat signatures) for the Kaspersky Lab product installed on
your PC. If you cannot download the updates from the Internet, update from the zip archives:
o how to update Kaspersky Lab’s products version 5.0 from the zip archives
o how to update Kaspersky Lab’s products version 6.0 from the zip archives
o how to update Kaspersky Lab’s products version 7.0 from the zip archives
• Set the full scan options to their maximum scan level
• Run a full computer scan
You can also disable autorun from all devices by running the SalityKiller utility with parameter -a.
• Click Yes to confirm adding the information to the registry
• Once the scan is over, run the appropriate registry file from the archive Sality_RegKeys.zip:
o under Windows 2000 run the registry file SafeBootWin200.reg
o under Windows XP run the registry file SafeBootWinXP.reg
o under Windows 2003 run the registry file SafeBootWinServer2003.reg
o under Windows Vista / 2008 run the registry file SafebootVista.reg
o under Windows 7 / 2008 R2 run the registry file SafebootWin7.reg
• Disable the iSwift and iChecker technologies if one of the following products is installed and
running on your PC:
o Kaspersky Anti-Virus 7.0
o Kaspersky Internet Security 7.0
o Kaspersky Anti-Virus 6.0
o Kaspersky Internet Security 6.0
o Kaspersky Anti-Virus 2009
o Kaspersky Internet Security 2009
o Kaspersky Anti-Virus 2010
o Kaspersky Internet Security 2010
o Kaspersky Anti-Virus 2011
o Kaspersky Internet Security 2011
o Kaspersky PURE
o Kaspersky Anti-Virus 6.0 for Windows Workstations
o Kaspersky Anti-Virus 6.0 SOS
o Kaspersky Anti-Virus 6.0 for Windows Servers
• Download and unpack the file SalityKiller.zip
• Run the file SalityKiller.exe
• A reboot might be required after disinfection.
With a Kaspersky Lab product installed, you might be prompted to allow any activity for the process
Sality_killer.exe
o Go to Start > All programs > right-click Startup > select Open
You can also disable autorun from all devices by running the SalityKiller utility with parameter -a.
• Click Yes to confirm adding the information to the registry
• Update the anti-virus databases (threat signatures) for the installed Kaspersky Lab product. If
you cannot download the necessary databases (threat signatures) from the Internet, update the
databases from the zip archives:
o how to update Kaspersky Lab’s products version 5.0 from the zip archives
o how to update Kaspersky Lab’s products version 6.0 from the zip archives
o how to update Kaspersky Lab’s products version 7.0 from the zip archives
• Set the full scan options to their maximum scan level
• Run a full computer scan
• Once the scan is over, run the appropriate registry file from the archive Sality_RegKeys.zip:
o under Windows 2000 run the registry file SafeBootWin200.reg
o under Windows XP run the registry file SafeBootWinXP.reg
o under Windows 2003 run the registry file SafeBootWinServer2003.reg
o under Windows Vista / 2008 run the registry file SafebootVista.reg
o under Windows 7 / 2008 R2 run the registry file SafebootWin7.reg
You can restore the SafeBoot registry branch, which a PC needs in order to boot in safe mode, by
running SalityKiller.exe with the parameter -j.
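
To confirm whether the SafeBoot branch actually needs restoring, and which registry file from the list above applies, the following read-only PowerShell check can be run on the disinfected computer. It is an added example, not part of the Kaspersky Lab article or utility. It assumes the standard Windows layout of the branch (the Minimal and Network subkeys under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot) and treats a subkey with no entries as damaged; the version numbers are the standard Windows NT versions for the systems named above.

```powershell
# Added example: read-only check of the SafeBoot registry branch. Changes nothing.
# File names are copied from the list above; version numbers are the standard
# NT versions for those systems (5.2 is also reported by XP x64).
$regFileByVersion = @{
    '5.0' = 'SafeBootWin200.reg'          # Windows 2000
    '5.1' = 'SafeBootWinXP.reg'           # Windows XP
    '5.2' = 'SafeBootWinServer2003.reg'   # Windows 2003
    '6.0' = 'SafebootVista.reg'           # Windows Vista / 2008
    '6.1' = 'SafebootWin7.reg'            # Windows 7 / 2008 R2
}

function Test-SafeBootBranch {
    param([string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot')
    $result = @()
    # Minimal = safe mode, Network = safe mode with networking.
    foreach ($mode in 'Minimal', 'Network') {
        $path   = Join-Path $Root $mode
        $exists = Test-Path -LiteralPath $path
        $count  = 0
        if ($exists) {
            $count = @(Get-ChildItem -LiteralPath $path -ErrorAction SilentlyContinue).Count
        }
        # Assumption: a present but empty subkey is treated as damaged.
        $result += New-Object PSObject -Property @{
            Mode = $mode; Present = $exists; Entries = $count
            Healthy = ($exists -and $count -gt 0)
        }
    }
    return $result
}

$v      = [Environment]::OSVersion.Version
$key    = '{0}.{1}' -f $v.Major, $v.Minor
$status = Test-SafeBootBranch
$status | Format-Table Mode, Present, Entries, Healthy -AutoSize

if ($status | Where-Object { -not $_.Healthy }) {
    if ($regFileByVersion.ContainsKey($key)) {
        Write-Output "SafeBoot branch incomplete. Import $($regFileByVersion[$key]) from Sality_RegKeys.zip, or run SalityKiller.exe -j."
    } else {
        Write-Output "SafeBoot branch incomplete; OS version $key is not in the list above."
    }
} else {
    Write-Output 'SafeBoot\Minimal and SafeBoot\Network are present and populated.'
}
```

Running the check again after importing the registry file or running the utility with -j shows whether the restore took effect.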