
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 822
  • Last Modified:

Virus Problem

Hi,
I am currently having a virus/spyware problem on my network. The server and a few PCs are reporting the PE_SALITY.EK virus. I have updated the AV and run scans; it finds the file and says it has cleaned it, but after a reboot and another scan it's back again. I am running Trend Micro Worry-Free. I have also tried running Malwarebytes, Search and Destroy and a W32/Sality removal tool, but no joy, the virus is still there. Any help you can give would be great.

Thanks.
0
MidComp
Asked:
MidComp
13 Solutions
 
Norm DickinsonGuruCommented:
You can try to turn off System Restore, restart in Safe Mode and run the tools you have, plus maybe some of the free McAfee tools, including those found at this site: http://www.mcafee.com/us/downloads/free-tools/index.aspx

Sometimes it is difficult to remove a virus from a machine that is running. On the workstations you may be able to power down the system, remove the hard drive and attach it as a secondary drive in a clean PC that is running up-to-date protection, then scan it and fix it.

Also as a last resort, McAfee offers very professional removal services for $90 or so. They may be able to help. http://home.mcafee.com/store/virus-removal-service
0
 
Norm DickinsonGuruCommented:
Specific information on that infection can also be found at http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1105608#none
0
 
Thomas Zucker-ScharffSystems AnalystCommented:
Make sure you run a rogue process killer like RogueKiller before any scan.

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922-Rogue-Killer-What-a-great-name.html
0
 
karan90Commented:
You can follow the steps below to remove it manually.

1. Open Windows Task Manager and terminate its running processes, or you can use the Sysinternals tools to find out more information about the processes running on your PC (http://technet.microsoft.com/en-au/sysinternals/bb795533)

2. Search for and delete its associated files from the command prompt. For example: %User Temp%\{random filename}.exe - detected as PE_SALITY.BA-O

3. With the help of Windows Registry Editor, remove the following registry entries:
   - HKEY_CURRENT_USER\Software\zrfke
   - HKEY_CURRENT_USER\Software\bntrp
0
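The three manual steps above, as an added PowerShell triage script (example code written for this page, not posted by anyone in the thread). It reports on the two registry keys the comment names, on executables in the per-user temp directory, and on running processes whose image is in a temp directory, and only acts on them when run with -Remove. The key names come from the comment; the assumption that the dropped file is an .exe in $env:TEMP follows the "%User Temp%\{random filename}.exe" pattern there, and any other paths are mine. One caveat the comment does not state: Sality is a polymorphic file infector that appends itself to executables on local and shared drives, so removing the dropped file and keys only clears the loader; infected .exe files still need a vendor disinfection tool, which is why scans keep finding it after a reboot.

```powershell
# Sality manual-step triage: report (default) or remove (-Remove).
# Run from an elevated PowerShell session on the suspect machine.
[CmdletBinding()]
param(
    [switch]$Remove   # without this switch nothing is changed
)

# Registry keys named in the thread (assumed to be the only two of interest here).
$suspectKeys = @(
    'HKCU:\Software\zrfke',
    'HKCU:\Software\bntrp'
)

# Step 3: check for and optionally delete the registry keys.
Write-Host "== Registry keys =="
foreach ($key in $suspectKeys) {
    if (Test-Path -Path $key) {
        Write-Host "FOUND  $key"
        # Show the values so they can be recorded for the vendor support case.
        Get-ItemProperty -Path $key | Format-List | Out-String | Write-Host
        if ($Remove) {
            Remove-Item -Path $key -Recurse -Force
            Write-Host "removed $key"
        }
    } else {
        Write-Host "absent $key"
    }
}

# Step 2: dropped copies in %User Temp% (assumed: .exe files directly in $env:TEMP).
Write-Host "== Executables in $env:TEMP =="
$tempExes = @(Get-ChildItem -Path $env:TEMP -Filter '*.exe' -File -ErrorAction SilentlyContinue)
foreach ($f in $tempExes) {
    # Hash and signature status help distinguish a legitimate installer stub
    # from an unsigned random-named dropper before anything is deleted.
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    Write-Host ("{0}  {1,10} bytes  sig={2}  sha256={3}" -f $f.Name, $f.Length, $sig.Status, $hash)
}

# Step 1: processes running from a temp directory; stop these before deleting files.
Write-Host "== Processes running from temp =="
$tempRoots = @($env:TEMP, $env:TMP, "$env:windir\Temp") |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') } |
    Select-Object -Unique
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    $path = $p.Path
    if (-not $path) { continue }   # no access to the image path (system process)
    foreach ($root in $tempRoots) {
        if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            Write-Host ("PID {0,6}  {1}" -f $p.Id, $path)
            if ($Remove) { Stop-Process -Id $p.Id -Force }
            break
        }
    }
}

# Only after the processes are stopped can the dropped executables be deleted.
if ($Remove) {
    foreach ($f in $tempExes) {
        Remove-Item -Path $f.FullName -Force -ErrorAction Continue
        Write-Host "deleted $($f.FullName)"
    }
}
```

Run it once without -Remove and keep the output (key values, file hashes) before acting; then run the vendor removal tool, because a clean temp directory and registry do not mean the infected executables on the disk and on network shares have been disinfected.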
 
willcompCommented:
I've had good results with the AVG removal tool.  http://free.avg.com/us-en/remove-sality
0
 
myhcCommented:
Run something called combofix by bleepcomputers

Amazing tool for virus removal
0
 
Lionel MMSmall Business IT ConsultantCommented:
Sometimes the only way to truly clean an infected drive is to boot from a CD or USB with rescue tools from places like AVG, Kaspersky, etc.
http://www.avg.com/us-en/avg-rescue-cd
http://support.kaspersky.com/viruses/rescuedisk
http://www.trendmicro.com/download/emg-disk.asp
I recently had a tough trojan horse I could not get rid of and used BitDefender's rescue CD and it did the trick. Sometimes more than one attempt is needed, but I highly recommend booting from a CD or USB to make sure that none of the potentially infected files are in use and can thus be properly cleaned and disinfected.
http://www.bitdefender.com/support/How-to-create-a-BitDefender-Rescue-CD-627.html
0
 
Thomas Zucker-ScharffSystems AnalystCommented:
Boot CDs are NOT recommended for many reasons.  See the article by younghv below.

http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_6650-Malware-Fighting-Best-Practices.html
0
 
Lionel MMSmall Business IT ConsultantCommented:
Actually, in the link you gave (trucker) he starts out saying this is his way, his opinion, and even once he gets down to discussing boot CDs he does not say not to use them but lists things to be aware of, precautions to consider, things we can easily deal with. I don't know when he wrote this article, but all the ones I use allow you to update the virus files and the program files. However, in this case, asked by MidComp, it is stated that he tried the "normal" way of doing it and it has not worked yet. So alternatives are being suggested, and one alternative is boot CDs. If he had said he has a virus and has done nothing yet, then suggesting he run a virus scan from within Windows in Safe Mode would be the first suggestion.  MidComp has indicated that he/she has tried several times to clean the systems, and so these are alternatives, not made up by me or solutions created by me, but ones provided by the anti-virus vendors themselves. I have been dealing with viruses since 1995, starting with floppy disks, and boot CDs have always been excellent ways to get rid of persistent viruses, especially after other options have failed. These boot CDs give you the option to clean, move or delete infected files. I always try clean and move before moving on to delete. And sometimes that deleting may require some reinstalling of an app or a repair of Windows, but it is better to get rid of the virus than to let it continue to infect the network and other systems. The delete option is a last resort option, not the first.
0
 
MidCompAuthor Commented:
Thank you very much for your responses. I am going through them and will try them out and let you know how it goes.
0
 
Thomas Zucker-ScharffSystems AnalystCommented:
lionelmm,

I hear and understand and I also have been doing this a long time (actually since 1985).  Previously I worked almost exclusively with alternate boot devices, and still do on a much smaller scale.  I wrote an article not too long ago about using a SARDU created boot CD/DVD/USB to recover compromised systems.  I still use this sometimes, but much less frequently for the reasons discussed in younghv's article.

That said, if you are going to use an alternate boot device, I highly suggest one created using SARDU (see my article).  As is stated in the article, you can update the various ISOs before creating the boot device.  Or you can just create a boot USB and update it when you boot.  But having 100s of different boot options on 1 device is a godsend.
0
 
Lionel MMSmall Business IT ConsultantCommented:
Well, I can't disagree with that. We seem to agree, except that you are saying to use SARDU to boot from, which has all these virus rescue options included, and I was saying to download them and create a bootable USB/CD directly from the anti-virus vendors. I agree that having them all on one boot device is much more convenient, but in these cases I usually assume the asker is not an IT pro and wants several quick and easy options to try. I myself have SARDU but also have individual bootable USB drives with virus rescue software so I can clone them and give them out to clients. Both options will work just as well.
0
 
willcompCommented:
When addressing rescue CDs, don't overlook Windows Defender Offline. It is very good.
http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline

However, I don't think it will remove Sality or Virut.
0
 
MidCompAuthor Commented:
Sorry guys, haven't been back sooner, was out sick for a few days.
Have tried various of the above options:
AVG removal tool, both boot CD options, RogueKiller etc., but no joy.
Had to format and re-install one of the PCs last week and I thought I may have to do the same with the rest of the PCs, but had the virus back on the PC within a week of formatting it and I don't know how this happened. Have logged a call with Trend Micro support today about it. Will keep you updated, and thanks for your help so far. I will be awarding points very soon regardless of the outcome, and thank you for your input.
0
 
Thomas Zucker-ScharffSystems AnalystCommented:
I have not run into this particular virus, but there are some out there that write portions of themselves into either NVRAM (non-volatile RAM), BIOS or something similar.  These virii CANNOT be gotten rid of with a reformat and reinstall.  When one of these hits, you can try flashing the BIOS (this sometimes works), but you may end up being better off trashing the machine completely.

Like I said, I've only heard of these virii, but they do exist.
0
 
MidCompAuthor Commented:
Hi Guys,

Sorry for the late response, but I think I have it removed. Trend Micro support weren't much help; they could only e-mail the section that would help and it could take a day or more to reply to the e-mail. Found a removal tool on the Trend Micro website and also used the online HouseCall and the AVG removal tool. So between all these and various scans and reboots, got the system clean.
0
 
MidCompAuthor Commented:
I believe I needed the removal tool to remove whatever was stuck in the registry or ini files.
Also it had damaged a lot of programs and I needed to wipe and re-install 2 PCs and also re-install programs on other PCs.

Thanks to all for your help.
0
