
W32.Sality.AE virus


forumit

MIS
Jul 9, 2009
Using Symantec EP but this virus is causing lots of problems and keeps on returning.
Anyone have similar problems and have a permanent fix?
 
This virus is also dropping files on our Windows 2003 servers and is causing major problems. It causes SEP AV to crash etc. Anyone have an idea how to get rid of this virus on Windows 2003 Servers? Symantec only seems to detect this virus on an on-demand scan and not with the on-access scanner.
Users can't map drives to servers, as mapping network drives opens Notepad or Minesweeper instead.
 
The problem with Sality is that it changes EXE (and other extensions) files and Registry entries...

see
Basically, what this points toward is, that you need to isolate each infected machine from the network and do the cleaning then... in the case of the Server, this should happen over the weekend or at night when the machine is not in use, or restore to an image that was not infected...

8 Steps to Remove W32/Sality.AE

PS: Norman Malware Cleaner can be found under the following link:


suggestion: use MBAM as well as NWC (above) and rename both EXE files (as Sality infects those) as suggested in the article...

Good Luck!


Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
I have Symantec Endpoint Protection 11 MR4 but it's not killing the virus. In most cases SEP reports "access denied - clean failed". As soon as I add a new computer to the network it gets infected. MS Malicious Software Removal Tool and MBAM don't detect this virus. Also found that lots of the computers can't boot into safe mode, which probably means they're already infected by this virus. This virus is much worse than what Symantec is reporting. This virus causes SEP to malfunction.
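Two of the symptoms reported in this thread (EXE/mapped drives opening in Notepad or Minesweeper, and machines that no longer boot into Safe Mode) can be confirmed with read-only registry checks before any cleaning is attempted. The script below is an added example, not from the thread or from any vendor tool; it reads the standard Windows exefile association and SafeBoot keys and reports anomalies, it does not repair anything, and the key paths are generic Windows locations rather than Sality-specific indicators. Run it from an elevated PowerShell prompt on a machine already isolated from the network.

```powershell
# Added example: read-only checks for the two symptoms described above.
# Reports findings only; cleaning is left to the tools discussed in the thread.
$findings = @()

# 1. EXE file association. The Windows default command for launching an
#    executable is  "%1" %*  ; any other value (e.g. notepad.exe) means the
#    association was altered, matching "drives open with Notepad".
$assocPath = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$assoc = (Get-ItemProperty -Path $assocPath -ErrorAction SilentlyContinue).'(default)'
if ($assoc -ne '"%1" %*') {
    $findings += "EXE association altered: [$assoc]"
}

# 2. Safe Mode driver lists. Safe Mode cannot start if the SafeBoot\Minimal
#    and SafeBoot\Network keys are missing or empty; the thread reports
#    machines that can no longer boot into Safe Mode.
foreach ($mode in 'Minimal', 'Network') {
    $sb = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    if (-not (Test-Path $sb)) {
        $findings += "SafeBoot\$mode key missing"
    } elseif (@(Get-ChildItem -Path $sb).Count -eq 0) {
        $findings += "SafeBoot\$mode key has no entries"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No EXE association or SafeBoot anomalies found on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { Write-Output "FINDING ($env:COMPUTERNAME): $_" }
}
```

A machine that reports either finding should be treated as infected and cleaned offline as the thread suggests; a clean report only rules out these two symptoms, not the infection itself.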
 
forumit said:
This virus is also dropping files on our Windows 2003 servers and is causing major problems. It causes SEP AV to crash etc.

So, it's a political problem then? [wink]

In that case, is the SEP like the DNC or GOP?

Okay, enough corniness, I suppose, for a Monday morning.

I'd have to agree with BadBigBen on this one. You may very well be to the point where you have to seriously look at restoring your systems from images made prior to the infection.

--

"If to err is human, then I must be some kind of human!" -Me
 
Isolation is definitely the first thing. Then run a bootable malware cleaner program on each machine.


Or put the drive as a slave and run MalwareByte's Anti-Malware against it.

If you don't want to slave it, use the bootable CD or run Combofix from Safe Mode. Read all warnings on the Bleeping Computer page related to running combofix.
 
Feedback: After scanning the Windows 2003 Server in Safe Mode I rebooted the server and logged in to the domain---W32.Sality.AE back again. This time as tmp files.
I'm now really running out of ideas with this virus.
 
MalwareByte's Anti-Malware - scan on each machine with all machines disconnected from the network - including the server.

Don't (Do NOT) scan in safe mode unless you have no choice. If you can only run it in safe mode, do that scan and then another in regular mode.

The other thoughts that come to mind are:
Clean out temp files before MBAM scan (CCLEANER)
Turn system restore off before MBAM scan and then back on after the reboot at the end of the scan to flush it out of system restore.
 
You could also create a bootable Bart PE CD with the McAfee plugin to scan. That would be a great "first thing to do" even before you run the MBAM scan.
 
I have never seen MBAM detecting this virus. Kaspersky SalityKiller definitely detects and cleans this virus. What worries me is why SEP isn't detecting these viruses during a full scan in safe mode or normal mode.
Symantec should really bring out a standalone removal tool for this virus. There will be no virus activity for days until someone executes an exe file on the server. Both client and server get infected again. Once the virus "activates" itself it starts infecting almost all exe files. I have already lost half of all my software installation exe's located on the server. I have been scanning offline computers & servers for days now without cleaning out this virus.
 