cchibonga asked:

Computers infected with Virus

My servers are infected with a virus called W32.Sality.AE according to Symantec Endpoint Protection, and Win32/Heur or Win32/Tanatos.M according to AVG. We have used AVG Enterprise Edition for the longest time and it has worked. Recently our server and computers got attacked, and every time we clean out the servers using AVG, Trend Micro or Symantec this virus keeps coming back. It is attacking our .exe files and making the software unusable. Whenever AVG scans the C:\ or F:\ drive it quarantines the same files, which are under a specific shared folder. It has been happening with Symantec too.
I scanned the files and replaced them with new ones; the following night the same files were corrupted and then quarantined by AVG as well as Symantec. Not sure what to do. Scanned the server with Trend Micro, AVG, Symantec, Ad-Aware, Spybot, to no avail. Even after it shows that the server is clean, the same files seem to get infected.

Any solution will help at this point.
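The pattern described in the question, the same executables in one shared folder being quarantined again after they were replaced, is easiest to confirm with a hash baseline of the share taken from a known-clean state and re-checked later: the report then names exactly which binaries changed size or content and which new executables appeared. The following Python is an added example, not code from this thread or from any of the antivirus products named in it; the share layout, the file names and the simulated re-infection (a body appended to one binary, a new executable dropped) are all constructed for the demonstration.

```python
# Added example (not from the thread): hash-baseline the executables in a
# share so re-infection shows up as a precise list of changed files.
import hashlib
import json
import tempfile
from pathlib import Path

# File infectors of this kind target PE files; widen this set if needed.
EXEC_SUFFIXES = {".exe", ".scr", ".dll"}


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map share-relative path -> [sha256, size] for every executable under root."""
    root = Path(root)
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            entries[p.relative_to(root).as_posix()] = [sha256_of(p), p.stat().st_size]
    return entries


def save_baseline(entries, path):
    """Persist a baseline; store it off the share so it cannot be tampered with in place."""
    Path(path).write_text(json.dumps(entries, indent=1))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(before, after):
    """Classify executables as modified, new or missing between two baselines."""
    return {
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
        "new": sorted(k for k in after if k not in before),
        "missing": sorted(k for k in before if k not in after),
    }


def demo():
    """Constructed scenario: a share with two clean binaries is baselined,
    then one binary grows (an infector appending its body) and a new
    executable appears. Returns the compare() report."""
    with tempfile.TemporaryDirectory() as d:
        share = Path(d)
        (share / "apps").mkdir()
        (share / "apps" / "payroll.exe").write_bytes(b"MZ" + b"\x00" * 200)
        (share / "apps" / "report.exe").write_bytes(b"MZ" + b"\x00" * 100)
        (share / "readme.txt").write_text("not an executable, ignored")
        save_baseline(baseline(share), share / "baseline.json")

        # Simulate the re-infection the question describes (constructed).
        with open(share / "apps" / "payroll.exe", "ab") as f:
            f.write(b"\x90" * 4096)
        (share / "apps" / "xqtzk.exe").write_bytes(b"MZ" + b"\xcc" * 16)

        return compare(load_baseline(share / "baseline.json"), baseline(share))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice the baseline is taken right after the clean binaries are copied in, saved somewhere the infected hosts cannot write to, and compared against a fresh `baseline()` of the share the next morning; a non-empty `modified` list for files nobody touched is the re-infection, and the `new` list points at dropped payloads worth submitting to the vendor.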
rpggamergirl

Try MalwareBytes and show us the logfile.
Download Malwarebytes' Anti-Malware to your desktop, check for Updates before running a scan.
http://www.malwarebytes.org/mbam.php
If it's one of those file infectors that can't be cleaned by your antivirus, like Virut etc. (it sounds like it), then there is not much choice we have in cleaning them.

97WideGlide

Judging from what you are explaining, at this point your only real option is to isolate the infected computers and restore them using trusted media. I would do a complete reinstall followed by a tightening of security to reduce the possibility of it happening again. Your servers have been compromised, and others might be threatened, to the point where it doesn't make sense to try to clean them forensically.

I just wouldn't try to patch your system - especially if you are in a business environment.

Good Luck.
ASKER CERTIFIED SOLUTION
ChiefIT

>>>even after it shows that the server is clean the same files seem to get infected.<<<
Sality is a polymorphic file infector; it copies itself into the root folder of each removable drive with a random name. It also creates an autorun.inf so it runs when the drive is inserted into another PC. It spreads via USB drives, so be careful and make sure USB sticks are clean.
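As an added example (not from this thread), the following Python checks a drive root for the autorun.inf behaviour just described: an [autorun] section whose open=, shellexecute= or shell\...\command= directives point at an executable sitting in the same root. The parser is hand-rolled rather than built on configparser so that lines without an "=" (junk that obfuscated autorun.inf files commonly carry to confuse scanners) are skipped instead of aborting the parse. The autorun.inf text and the file name xqtzk.exe are constructed for the demonstration; against a real stick you would call inspect_root on the mounted root.

```python
# Added example (not from the thread): inspect a drive root for the
# autorun.inf pattern described above and report what it would launch.
import re
import tempfile
from pathlib import Path

# Directives under [autorun] that run something when the drive is inserted/opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
EXEC_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}


def parse_autorun(text):
    """Return {directive: value} for the launch directives in an autorun.inf body.
    Lines without '=' (junk padding) and non-[autorun] sections are ignored."""
    section = None
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS:
            directives[key] = value.strip()
    return directives


def command_target(value):
    """File name of the program a directive value would run (first token, quotes stripped)."""
    m = re.match(r'"([^"]+)"|(\S+)', value.strip())
    if not m:
        return None
    token = m.group(1) or m.group(2)
    return token.replace("\\", "/").rsplit("/", 1)[-1]


def inspect_root(root):
    """Look at a drive root (e.g. a mounted USB stick) and report autorun findings."""
    root = Path(root)
    files = {p.name.lower(): p for p in root.iterdir() if p.is_file()}
    report = {
        "has_autorun": False,
        "directives": {},
        "targets": [],
        "targets_present": [],
        "root_executables": sorted(p.name for p in files.values()
                                   if p.suffix.lower() in EXEC_SUFFIXES),
        "suspicious": False,
    }
    inf = files.get("autorun.inf")  # Windows file names are case-insensitive
    if inf is None:
        return report
    report["has_autorun"] = True
    # latin-1 never fails to decode, which matters for deliberately garbled files.
    report["directives"] = parse_autorun(inf.read_bytes().decode("latin-1"))
    for value in report["directives"].values():
        target = command_target(value)
        if target and target not in report["targets"]:
            report["targets"].append(target)
    report["targets_present"] = [t for t in report["targets"] if t.lower() in files]
    report["suspicious"] = any(Path(t).suffix.lower() in EXEC_SUFFIXES for t in report["targets"])
    return report


def demo():
    """Constructed drive root: an obfuscated autorun.inf pointing at a random-named exe."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "xqtzk.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "Autorun.inf").write_text(
            "[AutoRun]\n"
            ";cqwpfdl\n"
            "open=xqtzk.exe\n"
            "kqweoiu\n"                       # junk line, no '='
            "shell\\open\\Command=xqtzk.exe\n"
            "icon=xqtzk.exe,0\n"
            "shellexecute=\"xqtzk.exe\" -s\n"
            "action=Open folder to view files\n"
        )
        return inspect_root(root)
```

A clean removable drive normally has no autorun.inf at all, or one whose directives only set icon= and label=; a report with `suspicious` true and the target present in the root is the spreading mechanism described above, and the stick should be wiped rather than merely having the two files deleted.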
SOLUTION
Also thought it is worth mentioning that there were always a couple of other infections, including a trojan downloader and a JS exploit, so a full scan using an updated antivirus is a must after the cleanup is complete. In our case we had some SAN storage that we had to scan from a clean machine once we recovered, to get rid of sleeping copies of this nasty. Also, quickly cleaning all the impacted machines at once can reduce the risk of machines being reinfected, which takes seconds in this case.
Finally, there was a very small number of executables that got corrupted after the cleanup; all were related to some in-house developed applications, so be prepared to restore from backup if needed.
Hope this helps.

cchibonga (ASKER)
Thanks Amin3k,
I will try that out.
Now, does this process actually heal the executable files that are infected, or does it just delete them, just like our antivirus software does?

Thanks.
The Sality_off remover disinfects the files all right, but like I mentioned, be prepared to restore or reinstall some executables that will get corrupted. In our case those were local application executables, all below 45 KB; none of the Windows system files got impacted. I have later on compiled the above tools and scripts into a WinRAR SFX for ease of use and automation; run in safe mode and you are good to go, sir.
P.S.: the fix is optimized for Windows Server 2003; for XP or earlier NT-based machines please use the manual steps above and the associated reg files.
P.S.2: rename FIX.txt to FIX.exe before running.


FIX.txt
I was able to run the scan, but the viruses keep coming back, so I am wondering if sality_off actually works. On the command prompt it keeps saying "this file is being used by another process". I have AVG on the servers.
Please reconsider what I typed in the second post. You have now had a virus problem for over a month and have probably spent many hours trying to surgically clean your system. The steps you take to that end may or may not work, and you likely might not even know for some time. Unless there is some overriding reason for not reinstalling, your situation calls for it. Bite the bullet and you can be certain that you will be virus free.

Either way, good luck.
Never mind the "being used by another process" message; there are some files locked by the operating system that cannot be infected anyway, like pagefile.sys, etc.
Did you receive a message about cleaned files in the first run? There should be a log.txt containing the results.
Also, have you really done your scans in safe mode?
Such a virus can be removed without issue if the scans are run in safe mode, as the main infector, which runs as a service, will not be running.
If you had initial problems running this from safe mode, then you should be able to boot into safe mode now after the registry fix is applied.
One of the servers has at least 40 different users connecting to it via Terminal Services. What is the best way to delete the contents of these users' temporary folders other than going into each individual's profile?

Also, what is the default key for getting Dell and HP computers into safe mode?
Do a computer search for *.tmp files, and search all hidden files and folders. When they appear, select all and delete them.
admin3k,
How do I use the Kaspersky file sality_off.exe to scan the SAN? For example, if I map the SAN to the Z:\ drive, how do I scan the Z:\ drive on the computer I have mapped it to?

Map the drive from any clean machine and run a full scan using your antivirus program after updating definitions; if the virus is not active in memory, this infection is cleanable.

I ended up downloading Symantec Endpoint Protection, which worked better than any other antivirus. The Kaspersky tool also helped some because it prepared the servers. Thank you all.