Troubleshooting Kaspersky SalityKiller: Common Issues and Fixes
SalityKiller is a specialized removal tool from Kaspersky designed to detect and remove the Sality family of malware—file infectors and bootkit variants that can be difficult to eradicate. Although SalityKiller is powerful, users sometimes encounter problems running it or completing a full cleanup. This article walks through common issues, practical fixes, and best practices to increase your chances of a successful removal.
How SalityKiller works (brief)
SalityKiller scans file system objects and boot records for Sality signatures and behavior, disinfects or removes infected files, and attempts to restore system integrity. Because Sality often hides in running processes, system services, and protected boot sectors, thorough cleanup may require multiple steps and tools.
1) SalityKiller won’t start or crashes immediately
Common causes
- Conflicts with other security software (real-time protection blocking components).
- Corrupted download or partially extracted files.
- System instability from heavy infection or damaged system files.
Fixes
- Redownload and verify: Download the latest SalityKiller directly from Kaspersky’s official site. Ensure the archive extracts without errors.
- Run as administrator: Right-click the executable and choose “Run as administrator.” Elevated privileges are often necessary to access infected files and system areas.
- Temporarily disable other AV: Temporarily pause other real-time antivirus/firewall tools (including Windows Defender) while running SalityKiller to avoid conflicts. Re-enable them after cleanup.
- Use Safe Mode: Boot into Safe Mode (or Safe Mode with Networking if you need to download updates) and run SalityKiller; this prevents many malicious components from loading.
- Check system integrity: If the tool crashes due to corrupted system files, run System File Checker:
sfc /scannow
Then reboot and try SalityKiller again.
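The steps above (elevation, a verified download, temporarily pausing real-time protection, an integrity check) can be run as one pre-flight script. This is an added example, not Kaspersky's own tooling: the archive path, the expected SHA-256 (take it from the official download page), and the executable name inside the archive are assumptions to fill in.

```powershell
# Pre-flight for SalityKiller (added example, not Kaspersky's code).
# Placeholders: archive path, expected hash, and the executable name inside the archive.
$Archive      = 'C:\Tools\SalityKiller.zip'                # placeholder path
$ExpectedHash = '<SHA256 FROM KASPERSKY DOWNLOAD PAGE>'    # placeholder hash
$ToolExe      = 'SalityKiller.exe'                         # assumed executable name

# 1. Confirm the session is elevated; infected system areas are not readable otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt (Run as administrator).'
}

# 2. Verify the archive is intact and is the one Kaspersky published (SHA-256 comparison;
#    PowerShell string comparison is case-insensitive, so hash case does not matter).
$actualHash = (Get-FileHash -Path $Archive -Algorithm SHA256).Hash
if ($actualHash -ne $ExpectedHash) {
    throw "Archive hash mismatch (got $actualHash). Re-download from Kaspersky's site."
}

# 3. Report the boot mode so you know whether you are in Safe Mode
#    ('Normal boot', 'Fail-safe boot' or 'Fail-safe with network boot').
Write-Host "Boot state: $((Get-CimInstance Win32_ComputerSystem).BootupState)"

# 4. Record Defender's real-time protection state, pause it only for the cleanup run,
#    and guarantee it is restored afterwards. Third-party AV is paused from its own console.
$rtpWasOn = (Get-MpComputerStatus).RealTimeProtectionEnabled
if ($rtpWasOn) { Set-MpPreference -DisableRealtimeMonitoring $true }
try {
    # 5. Repair protected system files first if an earlier attempt crashed.
    sfc.exe /scannow

    # 6. Extract and run the tool, waiting for it to finish.
    $extractDir = Join-Path $env:TEMP 'SalityKiller'
    Expand-Archive -Path $Archive -DestinationPath $extractDir -Force
    Start-Process -FilePath (Join-Path $extractDir $ToolExe) -Wait
}
finally {
    if ($rtpWasOn) { Set-MpPreference -DisableRealtimeMonitoring $false }
}
```

If Tamper Protection is enabled, the Set-MpPreference call is ignored and real-time protection stays on; pause it from the Windows Security app instead, and re-enable it there as soon as the run finishes.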
2) SalityKiller detects but cannot remove certain files
Common causes
- Files are locked by running processes.
- Files are protected by rootkit techniques or alternate data streams.
- The infected file is a critical system file and removing it would destabilize the OS.
Fixes
- Kill locking processes: Use Task Manager or Process Explorer (from Sysinternals) to locate and terminate processes that lock infected files. Then re-run SalityKiller.
- Use Safe Mode or WinRE: Removing infections from outside the primary OS session avoids file locks. Boot into Safe Mode or Windows Recovery Environment (WinRE) and run the tool.
- Quarantine instead of delete: If the infected file is critical, allow the tool to quarantine it rather than delete. Quarantine isolates the file so you can restore it if needed and replace with clean system files via repair or reinstall.
- Manual removal with care: For advanced users, identify the infected file and replace it with a clean copy from a known-good source (e.g., system installation media) before running SalityKiller. Make a backup first.
3) Persistent reinfection after cleanup
Common causes
- Multiple infected hosts on the network (shared drives, removable media).
- Incomplete removal of autorun or scheduled tasks that reintroduce the malware.
- Infected backups or shadow copies being restored.
Fixes
- Disconnect and isolate: Immediately disconnect the infected machine from networks and unmount shared drives to prevent spread.
- Scan all removable media and network shares: Use updated antivirus tools to scan USB drives, external disks, and mapped shares. Remove infections there.
- Check autoruns and scheduled tasks: Use Autoruns (Sysinternals) to inspect and disable suspicious startup entries and scheduled tasks that may reinstate the malware.
- Clean shadow copies and backups: Either delete infected shadow copies or restore from a known-clean backup. For shadow copies, open Command Prompt as admin and run:
vssadmin delete shadows /all
(Be aware this deletes all volume shadow copies—ensure you have clean backups first.)
- Rebuild or repair system files: If core files were replaced by the malware, consider an in-place upgrade/repair install of Windows or a clean OS reinstall if stability cannot be restored.
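The "check autoruns and scheduled tasks" step can be triaged quickly from PowerShell before opening Autoruns. The script below is an added example, not Autoruns or SalityKiller output: it enumerates the Run/RunOnce keys and enabled scheduled tasks and flags entries whose executable is unsigned, missing, or located under a user-writable directory. The list of suspicious roots is an assumption to adjust for your environment; the script reports only and disables nothing.

```powershell
# Autostart triage (added example; not Autoruns or SalityKiller output).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumed list: places where a dropped binary is more suspicious than under Program Files or System32.
$SuspiciousRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, 'C:\Users\Public', 'C:\ProgramData') |
    Where-Object { $_ }

function Get-ExecutablePath([string]$Command) {
    # Pull the executable out of a command line: honour "quoted paths", drop arguments,
    # expand %VARIABLES%, and resolve bare names such as cmd.exe through the PATH.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ([string]::IsNullOrWhiteSpace($cmd)) { return '' }
    $exe = if ($cmd.StartsWith('"') -and $cmd.IndexOf('"', 1) -gt 1) {
        $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    } else { ($cmd -split '\s+')[0] }
    if ($exe -and -not (Test-Path -LiteralPath $exe)) {
        $resolved = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue
        if ($resolved) { $exe = $resolved.Source }
    }
    return $exe
}

function Test-AutostartEntry([string]$Source, [string]$Name, [string]$Command) {
    $exe    = Get-ExecutablePath $Command
    $exists = $exe -and (Test-Path -LiteralPath $exe)
    # Authenticode status: Valid, NotSigned, HashMismatch, ... ; 'Missing' if the file is gone.
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'Missing' }
    $userWritable = [bool]($SuspiciousRoots |
        Where-Object { $exe -and $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
    [PSCustomObject]@{
        Source    = $Source
        Name      = $Name
        Path      = $exe
        Signature = $sig
        Flag      = ($sig -ne 'Valid') -or $userWritable
    }
}

$results = @(
    # Registry Run/RunOnce values (skip the PS* metadata properties Get-ItemProperty adds).
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            Test-AutostartEntry -Source $key -Name $p.Name -Command ([string]$p.Value)
        }
    }
    # Enabled scheduled tasks with an executable action.
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        foreach ($action in $task.Actions | Where-Object { $_.Execute }) {
            $cmd = if ($action.Arguments) { "$($action.Execute) $($action.Arguments)" } else { $action.Execute }
            Test-AutostartEntry -Source "Task:$($task.TaskPath)" -Name $task.TaskName -Command $cmd
        }
    }
)
$results | Where-Object { $_.Flag } | Sort-Object Source |
    Format-Table Source, Name, Path, Signature -AutoSize
```

A flagged entry is a lead, not a verdict: plenty of legitimate software ships unsigned or installs under AppData. The script covers only two of the many autostart locations Autoruns inspects (services, drivers, Winlogon and shell hooks are not included), so use it as a first pass and Autoruns for the full review.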
4) SalityKiller reports boot sector infection but can’t fix MBR/boot
Common causes
- Boot sector protected by advanced bootkits.
- Disk errors or corrupted partition tables.
- Tool lacks permissions to write to the disk while OS is running.
Fixes
- Use Windows Recovery Environment (WinRE): Boot from Windows installation media or recovery drive, open Command Prompt, and run:
bootrec /fixmbr
bootrec /fixboot
bootrec /rebuildbcd
- Use Kaspersky Rescue Disk: Bootable rescue environments operate outside the infected OS and can repair boot sectors more reliably. Download Kaspersky Rescue Disk, create a USB/DVD, boot from it, update signatures, and run a full scan and repair.
- Check disk health: Run CHKDSK to identify and repair file system errors:
chkdsk C: /f /r
Replace C: with the appropriate drive letter if different in WinRE.
- Backup and rebuild partition table: For severe corruption, use disk imaging to backup data, then recreate partitions and restore files from clean backups.
5) False positives or important files flagged as infected
Common causes
- Heuristic detection misidentifying legitimate software.
- Older or custom utilities packaged in unusual ways.
Fixes
- Quarantine and verify: Quarantine the suspicious file rather than deleting immediately. Upload to Kaspersky’s online scanner or use VirusTotal to cross-check detections.
- Restore trusted files: If verified clean, restore from quarantine and add an exclusion in your security software for that specific file/path. Keep records of why the exclusion is needed.
- Update signatures: Ensure SalityKiller and any Kaspersky products are updated to the latest signatures—false positives are often corrected in updates.
6) SalityKiller reports “outdated” or refuses to run due to missing updates
Fixes
- Download the latest version: Always use the newest SalityKiller binary or Kaspersky removal tool.
- Update virus definitions: If using a Kaspersky Rescue Disk or full AV product, update signatures before scanning. In offline environments, download updates on a clean machine and transfer via USB.
7) Logs are unclear or you need more data for troubleshooting
How to gather useful logs
- Enable detailed logging in SalityKiller: If the tool offers verbose logging, enable it before running.
- Collect system logs: Export Event Viewer logs (Application, System) around the time of detection/removal attempts.
- Process and file evidence: Use Process Explorer to capture handles/strings of suspicious processes, and ProcDump to capture memory if you need expert analysis.
- Prepare an infection timeline: Note when symptoms began, what files/devices were connected, and any network activity that correlates with reinfection.
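The log-gathering steps above can be packaged into one evidence-collection script so the data is consistent from machine to machine. This is an added example, not SalityKiller's own logging: the detection time and suspect PID are placeholders taken from the SalityKiller log and the process snapshot, and procdump.exe is assumed to be Sysinternals ProcDump already on the PATH.

```powershell
# Evidence collection around a detection window (added example; not SalityKiller's logging).
$DetectionTime = Get-Date '2024-01-01 10:30'   # placeholder: time reported in the SalityKiller log
$Window        = New-TimeSpan -Minutes 30
$CaseDir       = Join-Path $env:USERPROFILE "Desktop\case-$(Get-Date -Format yyyyMMdd-HHmm)"
New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null

# 1. Export the complete Application and System logs as .evtx so the original records survive.
foreach ($log in 'Application', 'System') {
    wevtutil.exe epl $log (Join-Path $CaseDir "$log.evtx")
}

# 2. Also save a readable slice of events around the detection time for quick review.
$filter = @{ StartTime = $DetectionTime - $Window; EndTime = $DetectionTime + $Window }
foreach ($log in 'Application', 'System') {
    Get-WinEvent -FilterHashtable ($filter + @{ LogName = $log }) -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
        Export-Csv -Path (Join-Path $CaseDir "$log-window.csv") -NoTypeInformation
}

# 3. Snapshot running processes with image path and Authenticode status; this is the
#    list to pick a suspect PID from before going to Process Explorer for handles/strings.
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    [PSCustomObject]@{
        Pid       = $_.Id
        Name      = $_.ProcessName
        Path      = $_.Path
        Signature = (Get-AuthenticodeSignature -FilePath $_.Path).Status
    }
} | Export-Csv -Path (Join-Path $CaseDir 'processes.csv') -NoTypeInformation

# 4. Optional full memory dump of one suspect process for expert analysis (Sysinternals ProcDump).
$SuspectPid = 0   # placeholder: set from processes.csv
if ($SuspectPid -gt 0) {
    procdump.exe -accepteula -ma $SuspectPid (Join-Path $CaseDir "pid$SuspectPid.dmp")
}

# 5. Hash every collected file so the evidence can later be shown to be unaltered.
Get-ChildItem -Path $CaseDir -File -Exclude 'manifest.csv' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $CaseDir 'manifest.csv') -NoTypeInformation
```

Add the infection timeline (symptom onset, devices connected, correlated network activity) as a text file in the same case directory before handing it over; the .evtx exports keep the raw records, and the CSV slices are only a convenience for first review.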
Preventive steps after cleanup
- Keep OS and software updated with security patches.
- Use a reputable, real-time antivirus and enable ransomware/behavioral protection.
- Disable autorun for removable drives and avoid unknown USB devices.
- Maintain regular offline backups and periodically test restores.
- Segment networks so single-machine infections don’t spread to critical systems.
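Two of the removable-media points above, scanning USB drives and mapped shares during cleanup and disabling autorun afterwards, can be applied with built-in Windows tooling. The script below is an added example (not SalityKiller or Kaspersky code) that sets the documented Explorer policy values NoDriveTypeAutoRun and NoAutorun and runs a Defender on-demand scan of each removable volume and mapped share; it assumes Microsoft Defender is the installed antivirus.

```powershell
# Removable-media controls (added example; applies the "disable autorun" and
# "scan removable media and shares" advice with Windows' own tooling, assuming Defender).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# 1. Disable AutoRun for every drive type (0xFF sets all drive-type bits) and stop Windows
#    from processing autorun.inf on inserted media at all (NoAutorun = 1).
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
Set-ItemProperty -Path $PolicyKey -Name 'NoAutorun'          -Value 1    -Type DWord
Get-ItemProperty -Path $PolicyKey | Select-Object NoDriveTypeAutoRun, NoAutorun

# 2. Collect scan targets: lettered removable volumes plus currently mapped network shares.
$targets = @(
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object { "$($_.DriveLetter):\" }
    Get-SmbMapping -ErrorAction SilentlyContinue | ForEach-Object { $_.RemotePath }
)

# 3. Scan each target on demand and note any autorun.inf found on removable media,
#    since that file is how autorun-based spreading is triggered.
foreach ($root in $targets) {
    Write-Host "Scanning $root"
    Start-MpScan -ScanType CustomScan -ScanPath $root
    if (Test-Path (Join-Path $root 'autorun.inf')) {
        Write-Warning "autorun.inf present on $root; inspect it before reusing this media"
    }
}

# 4. Summarise what Defender detected, newest first.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize
```

The policy values take effect for new logon sessions and newly inserted media; scan every USB device that touched the infected machine, not only the ones currently plugged in, and scan shares from a clean host where possible so the scanner itself is not running on a compromised system.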
When to seek professional help
- You cannot stop reinfection despite isolating the machine.
- Critical systems or data are at risk and backups are infected.
- Boot sector repairs or partition recovery might cause data loss if mishandled.
- Legal/compliance obligations require forensics-quality handling.
If you want, provide specific SalityKiller log snippets, error messages, or describe the symptoms and I’ll suggest targeted next steps.