Solved

Symantec is detecting W32.Slugin.A!inf virus in SBS 2011

Posted on 2013-06-29
Last Modified: 2013-12-09
I am getting the virus alert every few days.... The server (SBS 2011) is new, and all updates and service packs are current.

I have Symantec Endpoint Protection 11.x.

Please find the log files and screenshots attached.

Please guide me on how to get rid of the infection.
Attachments: virus.csv, symantec.JPG, symantec2.JPG

Question by: Akash Bansal
38 Comments

Expert Comment by Haresh Nikumbh (ID: 39286481):

Author Comment by Akash Bansal (ID: 39288186):
Thanks for your support.
I did what you guided.
Please find the screenshot attached. I haven't applied the fix yet, as I guess it's a false alarm by the NPE.

Need your suggestion.
Attachments: npe status screenshot; Info20130630190309.xml

Author Comment by Akash Bansal (ID: 39303652):
I have deleted the user profile and created a fresh one, but again got more than 250 notifications of this virus.

I also tried the Dr. Web antivirus tool to remove the infection.

Author Comment by Akash Bansal (ID: 39306252):
I have created another user with the Network Administrator role and am still getting virus detections. I have already done a full scan using Symantec Endpoint Protection 10.x and the Dr. Web tool.

Still getting alerts... all the files are detected in the temp directory, with file names of the form DWH****.tmp.

Expert Comment by btan (ID: 39306556):
It is probably good to verify the existence of the symptoms/files created by this malware, to see whether removal really helps...

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Virus%3aWin32%2fSlugin.A!dll

Expert Comment by strivoli (ID: 39306641):
I would use Kaspersky Rescue Disk.

Author Comment by Akash Bansal (ID: 39306800):
The Kaspersky Rescue Disk requirements list does not have server OSes as supported OSes.
Can I install it on SBS 2011 safely?

Expert Comment by strivoli (ID: 39306810):
You don't need to install it. Download the ISO, create your bootable ISO with it and boot the server from the CD.

Expert Comment by Haresh Nikumbh (ID: 39306814):
AVG has a removal tool; check if it works.

http://free.avg.com/in-en/remove-win32-slugin

Expert Comment by strivoli (ID: 39306815):
Sorry, there's a typo.
Create your bootable CD (not ISO).

Author Comment by Akash Bansal (ID: 39306829):
@takecoffee I tried the AVG tool too.
@strivoli First, I would take a full block-level backup before I would consider running the tool from a bootable CD. Secondly, that task requires shutting down my server. :(

Expert Comment by Haresh Nikumbh (ID: 39306838):

Accepted Solution by Davis McCarn (earned 1000 total points; ID: 39306952):
Slugin.A is a very old name (2008) and, if this started recently, what you probably have is a newly released variant that is not being handled properly by the removal tools. Further, according to McAfee, it has infected the MBR and spreads via network shares, so you may need to check every client machine to eradicate it. http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1065366#none
RogueKiller has been a very effective tool which I use regularly: http://tigzy.geekstogo.com/roguekiller.php  It doesn't do anything until you hit the clean button after a scan.
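The accepted solution above raises the possibility that the MBR has been infected, and the author asks exactly that question later in the thread. The following PowerShell is an added example, not code from the thread or from any tool named in it. It reads sector 0 of the system disk on the running server, checks the 0x55 0xAA boot signature, lists the partition table and hashes the 440-byte bootstrap area, so the result can be compared with the same sector taken from a known-clean install from the same media (SBS 2011 is built on Windows Server 2008 R2). The device path \\.\PhysicalDrive0 and the output file name are assumptions. It needs an elevated prompt and runs on the PowerShell 2.0 that ships with SBS 2011, which is why it uses .NET directly rather than Get-FileHash or Format-Hex. One caveat: a bootkit that hooks the disk stack can return a clean copy of the sector to a user-mode reader, so a matching hash taken from inside the running OS is reassuring but not conclusive; the boot-CD scans suggested in the thread read the disk without the suspect kernel in the way.

```powershell
# Added example, not code from the thread or from any tool named in it.
# Reads sector 0 (the MBR) of the system disk on the running server so it can be
# compared with the same sector from a known-clean install.
# Run from an elevated PowerShell prompt; PowerShell 2.0 as shipped with SBS 2011 is enough.
# Assumption: the OS boots from \\.\PhysicalDrive0 (check with diskpart or Disk Management).

function Read-BootSector {
    param([string]$DevicePath = '\\.\PhysicalDrive0')
    $sector = New-Object byte[] 512
    # FileShare.ReadWrite: the disk is in use, so an exclusive open would fail.
    $stream = New-Object System.IO.FileStream($DevicePath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $n = $stream.Read($sector, 0, $sector.Length)
    } finally {
        $stream.Close()
    }
    if ($n -ne 512) { throw "Short read from ${DevicePath}: $n bytes" }
    return $sector
}

function Get-MbrSummary {
    param([byte[]]$Sector)
    if ($Sector.Length -ne 512) { throw 'Expected a 512-byte sector' }

    # Classic MBR layout:
    #   0-439   bootstrap code (the part a bootkit replaces)
    #   440-443 NT disk signature, 444-445 normally zero
    #   446-509 four 16-byte partition entries
    #   510-511 boot signature 0x55 0xAA
    $sha256   = [System.Security.Cryptography.SHA256]::Create()
    $codeHash = [BitConverter]::ToString($sha256.ComputeHash($Sector, 0, 440)).Replace('-', '')

    $partitions = @()
    for ($i = 0; $i -lt 4; $i++) {
        $off  = 446 + ($i * 16)
        $type = $Sector[$off + 4]
        if ($type -eq 0) { continue }   # unused slot
        $partitions += New-Object PSObject -Property @{
            Slot     = $i
            Active   = ($Sector[$off] -eq 0x80)
            Type     = ('0x{0:X2}' -f $type)
            StartLba = [BitConverter]::ToUInt32($Sector, $off + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $off + 12)
        }
    }

    New-Object PSObject -Property @{
        BootSignatureOk = (($Sector[510] -eq 0x55) -and ($Sector[511] -eq 0xAA))
        DiskSignature   = ('0x{0:X8}' -f [BitConverter]::ToUInt32($Sector, 440))
        BootCodeSha256  = $codeHash
        Partitions      = $partitions
    }
}

# Usage: print the summary and keep a raw copy for a byte-for-byte diff (fc /b) against
# the same sector taken from a clean machine. The output path is an assumption.
$mbr     = Read-BootSector
$summary = Get-MbrSummary -Sector $mbr
$summary | Select-Object BootSignatureOk, DiskSignature, BootCodeSha256 | Format-List
$summary.Partitions | Format-Table Slot, Active, Type, StartLba, Sectors -AutoSize
[System.IO.File]::WriteAllBytes('C:\mbr-IBMDC.bin', $mbr)
```

What to look for: a failed boot signature, an extra or shifted partition entry, or a BootCodeSha256 that differs from a clean machine of the same build are all reasons to take the offline-scan route rather than keep trying removal tools from inside Windows. A matching hash does not by itself rule out a bootkit, for the reason given above.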

Expert Comment by strivoli (ID: 39307062):
A complete fresh backup of the server? Sure!
Shutting down the server? Yes. But it might be (sometimes) the only way to get a virus-free server.

Expert Comment by btan (ID: 39307220):
I must agree with a clean slate, since it is a critical backend server. Eventually you may not be able to clean it, with its remnants having already spread across the server repository, and I do suggest widespread scanning of all servers and file shares this infected server is connected to, to try to contain the spread.

There is mention of manual removal, but it is not effective: what if you come back and this is a totally different variant, since the last one is an old name, as shared by the experts? Go for a clean slate.

Assisted Solution by BlueCompute (earned 1000 total points; ID: 39320790):
You're running SEP on an SBS 2011 server? Wow.

Sounds like just another false positive; it's not like Symantec's ever been much good anyway. What do you get if you haul out one of these quarantined files and upload it to www.virustotal.com? Bit suspicious that it's only picking up temp files too.

A lot of us don't actually run real-time AV on SBS servers because of the issues it can cause...
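Taking the suggestion above to check the detections against VirusTotal, here is an added PowerShell example; it is not code from the thread, from Symantec or from VirusTotal. It hashes whatever DWH*.tmp files are currently in the flagged Temp directory, records size, creation time and owner, builds the VirusTotal lookup URL for each SHA-256, and (optionally) queries the VirusTotal v3 API by hash so you learn whether the sample is already known before uploading anything. The directory, the DWH*.tmp pattern and the $ApiKey parameter are assumptions. Two practical points: what Auto-Protect lists are the raw temp files, whereas what SEP keeps in its quarantine folder is its own .vbn container, so upload the file, not the .vbn; and the API call needs a .NET runtime that can speak TLS 1.2, which the PowerShell 2.0 on a stock SBS 2011 may not have (the hashing part works regardless). Separately, Sysinternals Process Monitor with a Path filter containing "DWH" will show which process writes these files, which is the quickest way to settle whether they come from malware or from a scanner's own temp handling.

```powershell
# Added example, not code from the thread, Symantec or VirusTotal.
# Hashes the DWH*.tmp files that Auto-Protect keeps flagging and checks the hashes
# against VirusTotal before anything is uploaded. Runs on PowerShell 2.0 (SBS 2011),
# which has no Get-FileHash, so SHA-256 comes straight from .NET.

function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    # FileShare.ReadWrite so a handle held by another process does not block the read;
    # Auto-Protect may still deny access, which reaches the caller as an exception.
    $fs = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        return [BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '').ToLower()
    } finally {
        $fs.Close()
    }
}

function Get-FlaggedTempFiles {
    # Assumptions: the flagged directory is the logged-on user's %TEMP% and the names
    # match DWH*.tmp, as in the Auto-Protect alert (C:\Users\itmanager\AppData\Local\Temp\DWH1D89.tmp).
    param([string]$Directory = $env:TEMP, [string]$Pattern = 'DWH*.tmp')
    Get-ChildItem -Path $Directory -Filter $Pattern -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_
        $hash = $null; $problem = $null; $url = $null; $owner = $null
        try { $hash = Get-Sha256 -Path $item.FullName } catch { $problem = $_.Exception.Message }
        if ($hash) { $url = "https://www.virustotal.com/gui/file/$hash" }
        $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
        if ($acl) { $owner = $acl.Owner }
        New-Object PSObject -Property @{
            Path = $item.FullName; Bytes = $item.Length; Created = $item.CreationTime
            Owner = $owner; Sha256 = $hash; LookupUrl = $url; Problem = $problem
        }
    }
}

function Get-JsonCounter {
    # Minimal extraction of one integer field; PowerShell 2.0 has no ConvertFrom-Json.
    param([string]$Text, [string]$Name)
    $m = [regex]::Match($Text, ('"{0}"\s*:\s*(\d+)' -f $Name))
    if ($m.Success) { return [int]$m.Groups[1].Value }
    return $null
}

function Get-VirusTotalVerdict {
    # Hash lookup against the VirusTotal v3 API. $ApiKey (your own key) is an assumption.
    # Known = $false means VirusTotal has never seen the hash (HTTP 404): that is when
    # uploading the raw temp file, not SEP's .vbn quarantine container, is worthwhile.
    param([string]$Sha256, [string]$ApiKey)
    # VirusTotal requires TLS 1.2; older .NET runtimes reject this assignment, hence the try.
    try { [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]3072 } catch { }
    $client = New-Object System.Net.WebClient
    $client.Headers.Add('x-apikey', $ApiKey)
    $known = $true; $malicious = $null; $undetected = $null
    try {
        $json  = $client.DownloadString("https://www.virustotal.com/api/v3/files/$Sha256")
        # Read the counters from last_analysis_stats only: "malicious" also occurs as a
        # key elsewhere in the document (for example under total_votes).
        $stats = [regex]::Match($json, '"last_analysis_stats"\s*:\s*\{([^}]*)\}').Groups[1].Value
        $malicious  = Get-JsonCounter -Text $stats -Name 'malicious'
        $undetected = Get-JsonCounter -Text $stats -Name 'undetected'
    } catch [System.Net.WebException] {
        $known = $false
    }
    New-Object PSObject -Property @{ Sha256 = $Sha256; Known = $known; Malicious = $malicious; Undetected = $undetected }
}

# Usage: inventory first, then look up only the hashes that could be computed.
$files = Get-FlaggedTempFiles
$files | Format-Table Path, Bytes, Created, Owner, Sha256, Problem -AutoSize
$files | Where-Object { $_.Sha256 } | ForEach-Object { Get-VirusTotalVerdict -Sha256 $_.Sha256 -ApiKey 'YOUR-VT-API-KEY' }
```

Run it while the alerts are firing, since the files are short-lived; a Problem column full of "access denied" messages is itself informative, because it matches the "Pending Side Effects Analysis : Access denied" action in the alert text and means Auto-Protect holds the file before anyone else can read it.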

Expert Comment by btan (ID: 39321088):
Some even have AV running as a VM appliance while the server instance runs under the blade hypervisor... wondering if there is any reporting of this infection. Scan all portable storage used on this server as well to find more cahoots.

Author Comment by Akash Bansal (ID: 39350093):
I have noticed one strange thing.... I never get any virus notification if I keep myself logged out of the server, but I get notifications/detections whenever I keep myself logged in to the server locally (in the locked state).

I am managing the server remotely through LogMeIn... that is the reason I couldn't try fixing it using boot media.

Expert Comment by btan (ID: 39350160):
There is malware that evades Remote Desktop; one example is Shylock.
http://www.darkreading.com/endpoint/financial-malware-detects-remote-desktop/240142738?nomobile=1

Author Comment by Akash Bansal (ID: 39350265):
How do I get rid of them and protect against them?

Expert Comment by btan (ID: 39350307):
I suggest a clean install if viable, as if it has infected the MBR you need to pre-boot from an external CD to do the cleanup, and I am not in full trust of the system though...

Author Comment by Akash Bansal (ID: 39350337):
Installing and configuring all the services and all the connected clients is a nightmare.
I don't want to go with it.

Expert Comment by Davis McCarn (ID: 39351115):
Did you try RogueKiller?

Author Comment by Akash Bansal (ID: 39354729):
The server is facing another issue... backup is not running.... I have to fix that first before I can do any virus fixes.

Expert Comment by younghv (ID: 39419273):
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.

Author Comment by Akash Bansal (ID: 39419274):
I am managing the server remotely. As the step requires my physical visit to the server location, I will do it at my next visit. I will update the thread thereafter. Please do not delete this thread.

Assisted Solution by Akash Bansal (earned 0 total points; ID: 39568066):

Expert Comment by Davis McCarn (ID: 39568092):

Author Comment by Akash Bansal (ID: 39568134):
I scanned the server using RogueKiller.
It found a few registry infections. The tmp files I deleted manually.
Hope it will be fine now.
Moreover, I will run Microsoft Safety Scanner just now.
Attachment: RogueKiller findings.

Author Closing Comment by Akash Bansal (ID: 39579200):
As it was an infection at server level, I was very apprehensive about running a new tool on the server.

I got the same infection on a desktop recently, and I did all the testing on that.
Found RogueKiller the best. Virustotal.com gave me confirmation and details about the infection.
I guess malwarebytes.org is losing its charm. I used to use it most of the time, but for some time it has been failing to detect repeatedly.

Author Comment by Akash Bansal (ID: 39593364):
Sorry to say, the virus is still there. :(
The issue seemed resolved, but it was not.

Author Comment by Akash Bansal (ID: 39593428):
I am getting these dialog boxes repeatedly.

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: W32.Slugin.A!inf
File: C:\Users\itmanager\AppData\Local\Temp\DWH1D89.tmp
Location: C:\Users\itmanager\AppData\Local\Temp
Computer: IBMDC
User: itmanager
Action taken: Pending Side Effects Analysis : Access denied
Date found: 23 October 2013  13:31:22

Expert Comment by Davis McCarn (ID: 39593809):
Try the newer versions of both RogueKiller and the safety scanner.

Author Comment by Akash Bansal (ID: 39594273):
http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1556281#none

As per the above link, do you think the MBR is infected?

Detection as per Kaspersky: Trojan.Win32.Rozena.hod

Expert Comment by Davis McCarn (ID: 39595367):
That detection is for a PE Trojan, which means there are EXE and/or DLL files which are infected.
Your best course would be to run MS Windows Defender Offline ( http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline ) or AVG's Rescue CD ( http://www.avg.com/us-en/avg-rescue-cd ); but both will want you to burn a CD which you must boot from in order to run the scans.
Pay CLOSE attention to what files are detected, as you may need to restore them from another source to finally fix the problem.