• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 748

My network is infected with a variant of TROJ_AGENT.ZLN and PE_SALITY.DAM and Trend has been unable to help me stem the flow. No utilities we have tried seem to help. Please advise!!

The virus attacks executables and actually disables the most current OfficeScan 8 client installations. It also disables Task Manager and the Registry Editor. At this point I have been up so long that I feel as though if I do not fix this quick I may have to look for a job. Any assistance would really be appreciated. Thanks.

2 Solutions
On a non-infected system I would download and follow the instructions for making the UBCD for Windows (http://www.ubcd4win.com/). This will allow you to go to each computer and run antivirus scans against the hard drive from a live CD. If you don't want to do that, I'd download SUPERAntiSpyware, Malwarebytes, ComboFix, HijackThis as well as another antivirus program to clean and remove the infection. You will need to physically remove all the PCs affected by this software from the network so you do not spread the trojan software.

Hi Dave,

Don't be too hard on yourself with this infection. Sality is very nasty. Both it and Virut (another nasty one and file infector "cousin") are running rampant right now and destroying machines all over the place. They are both very difficult to fix without a rebuild, but from my recent experience you at least have a chance with Sality, not with Virut.

Questions, how many machines are we talking about? Have you shut down your network and/or isolated the infected machines? I would give DrWeb CureIt and Sality_off from Kaspersky a run on 1 or 2 of them and see what you get.


Also, attach a HijackThis log from 1 or 2 of the machines. Maybe there is more?

The symptoms, i.e. disabled Task Manager and regedit, are easily fixed, but to disinfect Virut and bring the system back to its working order is harder than any other infection.
Virut is a buggy file infector, so all infected files will need to be replaced; that's why it's much easier to reformat and reinstall.
If you manage to remove Virut with DrWeb CureIt etc. and replace all infected files, then that's good.

If you rebuild a Virut-infected system, you can't back up any .exe, .scr, archive files (.rar and .zip), .htm and .html files, because Virut infects these files.

As for the disabled utilities, VArestorepolicies.zip or FixPolicies should do it, or you can restore specific utilities using the .reg files at Kelly's Korner, which has a reg fix for just about anything.

VARestorepolicies.zip: extract it, then right-click on "VArestorepolicies.inf" and select Install. That should restore your C:\ drive in 'My Computer'.
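The thread says the disabled Task Manager and Registry Editor are policy settings that are easy to restore. The script below is an added example, not from any poster or tool in the thread, that audits the standard Explorer/System policy values behind those symptoms and, with `-Fix`, removes them. It assumes the malware used the documented policy values (`DisableTaskMgr`, `DisableRegistryTools`, `NoDrives`) rather than some other mechanism, and it is meant to be run as Administrator on a machine that has already been taken off the network.

```powershell
# Added example (not from the thread): audit and optionally clear the policy
# values that commonly hide Task Manager, regedit and the C:\ drive on an
# infected machine. This only restores the tools; it does not disinfect files.
param([switch]$Fix)

# Assumed policy locations -> value names to check (standard Windows policies).
$policyMap = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableTaskMgr', 'DisableRegistryTools')
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableTaskMgr', 'DisableRegistryTools')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoDrives')
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoDrives')
}

$findings = 0
foreach ($path in $policyMap.Keys) {
    if (-not (Test-Path $path)) { continue }
    $key = Get-ItemProperty -Path $path
    foreach ($name in $policyMap[$path]) {
        $prop = $key.PSObject.Properties[$name]
        if ($null -eq $prop) { continue }          # value not set: nothing to do
        $findings++
        Write-Output ("{0}\{1} = {2}" -f $path, $name, $prop.Value)
        if ($Fix -and $prop.Value -ne 0) {
            # Deleting the value returns the setting to its default (enabled) state.
            Remove-ItemProperty -Path $path -Name $name
            Write-Output ("  removed {0} from {1}" -f $name, $path)
        }
    }
}

if ($findings -eq 0) {
    Write-Output 'No restrictive policy values found in the checked locations.'
} elseif (-not $Fix) {
    Write-Output 'Re-run with -Fix to remove the values listed above.'
}
```

Run it once without `-Fix` to see what is set, then with `-Fix`; a file infector will typically re-apply these values on its next run, so do this only after the disinfection or rebuild the thread describes.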

Mohamed Osama, Senior IT Consultant, commented:
Your best bet is to first isolate the infected machines: totally bring them offline / disconnect them from the network.
Once this is done, you can try these solutions.
For Sality-infected machines, the solution advised by IndiGenus should help. The Kaspersky tool (Sality_off) does work to disinfect the infected executables if you run your scan in safe mode; I have packed it into a script that may help quickly kill it. Take a look at this solution.
I am not sure why Virut is mentioned here, as there is no evidence there is a Virut infection. The trojan in question is probably how you got Sality. Try MBAM as advised above, or the manual cleanup instructions: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FAGENT%2EZLN&VSect=Sn

The most important part is to isolate the Sality-infected machines pronto; the virus has a vicious spreading-through-file-shares behaviour.
