My network is infected with a variant of TROJ_AGENT.ZLN and PE_SALITY.DAM and Trend has been unable to help me stem the flow.  No utilities we have tried seem to help.  Please advise!!

Posted on 2009-02-11
Last Modified: 2013-11-22
The virus attacks executables and actually disables the most current OfficeScan 8 client installations.  It also disables Task Manager and the Registry Editor.  At this point I have been up so long that I feel as though if I do not fix this quickly I may have to look for a job.  Any assistance would really be appreciated.  Thanks.

Question by:dcompton1966
    LVL 7

    Expert Comment

    On a non-infected system I would download and follow the instructions for making the UBCD for Windows. This will allow you to go to each computer and run antivirus scans against the hard drive from a live CD. If you don't want to do that, I'd download SUPERAntiSpyware, Malwarebytes, ComboFix, HijackThis as well as another antivirus program to clean and remove the infection. You will need to remove all the PCs affected by this software from the network physically so you do not spread the trojan software.
    LVL 20

    Accepted Solution

    Hi Dave,

    Don't be too hard on yourself with this infection. Sality is very nasty. Both it and Virut (another nasty one and file infector "cousin") are running rampant right now and destroying machines all over the place. They are both very difficult to fix without a rebuild, but from my recent experience you at least have a chance with Sality, not with Virut.

    Questions, how many machines are we talking about? Have you shut down your network and/or isolated the infected machines? I would give DrWeb CureIt and Sality_off from Kaspersky a run on 1 or 2 of them and see what you get.

    Also, attach a HijackThis log from 1 or 2 of the machines. Maybe there is more?

    LVL 47

    Assisted Solution

    The symptoms, i.e. disabled Task Manager and regedit, are easily fixed, but to disinfect Virut and bring the system back to its working order is harder than any other infection.
    Virut is a buggy file infector, so all infected files will need to be replaced; that's why it's much easier to reformat and reinstall.
    If you manage to remove Virut with DrWeb CureIt etc. and replace all infected files, then that's good.

    If you rebuild a Virut-infected system, you can't back up any .exe, .scr, archive files (.rar and .zip), .htm and .html files because Virut infects these files.

    As for the disabled utilities, the or the FixPolicies should do it, or you can restore specific utilities using the reg files at Kelly's Korner, which has a reg fix for just about anything. Extract it, then right-click on the "VArestorepolicies.inf" and select Install. That should restore your C:\ drive in 'My Computer'.
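    The policy values behind the disabled Task Manager and Registry Editor are the documented Windows policy keys, so they can be audited and cleared from PowerShell. This is an added example, not code from the thread or from any of the tools named above; it assumes the `NoDrives` Explorer policy is what hid the C:\ drive, which the thread does not state. Run it elevated, and only after the machine has been isolated and disinfected, otherwise the infector simply sets the values again.

```powershell
# Audit and optionally clear the policy values that Sality-class infections set to
# disable Task Manager and Registry Editor (HKCU and HKLM variants), plus the
# Explorer NoDrives value (assumed here to be what hides the C:\ drive).
function Get-LockdownPolicyState {
    $sysKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $checks = @(
        @{ Path = "HKCU:\$sysKey"; Name = 'DisableTaskMgr' },
        @{ Path = "HKCU:\$sysKey"; Name = 'DisableRegistryTools' },
        @{ Path = "HKLM:\$sysKey"; Name = 'DisableTaskMgr' },
        @{ Path = "HKLM:\$sysKey"; Name = 'DisableRegistryTools' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDrives' }
    )
    foreach ($c in $checks) {
        $value = $null
        if (Test-Path $c.Path) {
            # Missing value names produce an error; suppress it and treat as "not set".
            $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        [pscustomobject]@{
            Path       = $c.Path
            Name       = $c.Name
            Value      = $value
            Restricted = ($null -ne $value -and $value -ne 0)   # any non-zero value enforces the lockdown
        }
    }
}

function Restore-LockdownPolicy {
    # SupportsShouldProcess gives -WhatIf / -Confirm so the fix can be dry-run first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($entry in Get-LockdownPolicyState | Where-Object { $_.Restricted }) {
        $target = "$($entry.Path)\$($entry.Name)"
        if ($PSCmdlet.ShouldProcess($target, 'Remove restricting policy value')) {
            Remove-ItemProperty -Path $entry.Path -Name $entry.Name -ErrorAction Stop
        }
    }
}

# Audit first, then dry-run the fix; drop -WhatIf to apply it.
Get-LockdownPolicyState | Format-Table -AutoSize
Restore-LockdownPolicy -WhatIf
```

    If the values reappear after a reboot, the host is still infected and should go back to the disinfection step rather than being trusted.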

    LVL 23

    Expert Comment

    Your best bet is to first isolate the infected machines: totally bring them offline / disconnect them from the network.
    Once this is done, you can try those solutions.
    For Sality-infected machines, the solution advised by IndiGenus should help; the Kaspersky tool (Sality_off) does work to disinfect the infected executables if you run your scan in safe mode. I have packed it into a script that may help quickly kill it; take a look at this solution.
    I am not sure why Virut is mentioned here, as there is no evidence there is a Virut infection. The Trojan in question is probably how you got Sality. Try MBAM as advised above, or the manual cleanup instructions.

    The most important part is to isolate the Sality-infected machines pronto; the virus has a vicious spreading-through-file-shares behaviour.
