Solved

Symantec is detecting W32.Slugin.A!inf virus in SBS 2011

Posted on 2013-06-29
38
933 Views
Last Modified: 2013-12-09
I am getting the virus alert every few days. The server (SBS 2011) is new, and all the updates and service packs are current and applied.

I have Symantec Endpoint Protection 11.x.

Please find the log files & screenshots.

Please guide me on how to get rid of the infection.
virus.csv
symantec.JPG
symantec2.JPG
0
Question by:Akash Bansal
38 Comments
 
LVL 21

Expert Comment

by:Haresh Nikumbh
ID: 39286481
0
 
LVL 1

Author Comment

by:Akash Bansal
ID: 39288186
Thanks for your support.
I did what you have guided.
Please find the screenshot. I haven't applied the fix yet, as I guess it's a false alarm by the NPE.

Need your suggestion.
npe status screenshotInfo20130630190309.xml
0
 
LVL 1

Author Comment

by:Akash Bansal
ID: 39303652
I have deleted the user profile and created a fresh one, but again got more than 250 notifications of this virus.

Also tried Dr. Web antivirus tool to remove infection.
0
 
LVL 1

Author Comment

by:Akash Bansal
ID: 39306252
I have created another user with the Network Administrator role, and am still getting virus detections. I have already done full scans using Symantec Endpoint Protection 10.x and the Dr. Web tool.


Still getting alerts... all the files are detected in the temp directory, with file names of the form DWH****.tmp.
0
 
LVL 61

Expert Comment

by:btan
ID: 39306556
Probably good to verify the existence of the symptoms (the files created by this malware) to see whether removal really helps...

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Virus%3aWin32%2fSlugin.A!dll
0
 
LVL 19

Expert Comment

by:strivoli
ID: 39306641
I would use Kaspersky Rescue Disk.
0
 
LVL 1

Author Comment

by:Akash Bansal
ID: 39306800
The Kaspersky Rescue Disk requirements list does not include a server OS among the supported OSes.
Can I install it on SBS 2011 safely?
0
 
LVL 19

Expert Comment

by:strivoli
ID: 39306810
You don't need to install it. Download the ISO, create your bootable ISO with it and boot the server from the CD.
0
 
LVL 21

Expert Comment

by:Haresh Nikumbh
ID: 39306814
AVG has a removal tool; check if it works.

http://free.avg.com/in-en/remove-win32-slugin
0
 
LVL 19

Expert Comment

by:strivoli
ID: 39306815
Sorry, there's a typo.
Create your bootable CD (not ISO).
0
 
LVL 1

Author Comment

by:Akash Bansal
ID: 39306829
@takecoffee I tried the AVG tool too.
@strivoli First I would take a full block-level backup before I would consider running the tool from a bootable CD. Secondly, that task requires shutting down my server. :(
0
 
LVL 21

Expert Comment

by:Haresh Nikumbh
ID: 39306838
0
 
LVL 42

Accepted Solution

by:
Davis McCarn earned 250 total points
ID: 39306952
Slugin.A is a very old name (2008) and, if this started recently, what you probably have is a newly released variant that is not being handled properly by the removal tools.  Further, according to McAfee, it has infected the MBR and spreads via network shares, so you may need to check every client machine to eradicate it. http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1065366#none
RogueKiller has been a very effective tool which I use regularly: http://tigzy.geekstogo.com/roguekiller.php  It doesn't do anything until you hit the clean button after a scan.
0
 
LVL 19

Expert Comment

by:strivoli
ID: 39307062
A complete fresh backup of the server? Sure!
Shutting down the server? Yes. But it might be (sometimes) the only way to get a virus-free server.
0
 
LVL 61

Expert Comment

by:btan
ID: 39307220
I must agree with a clean slate of health, since it is a critical server backend. Eventually you may not be able to clean it, with its remnants already spread across the server repository, and I do suggest wide-spread scanning of all the servers and file shares this infected server is connected to, to try to contain the spread.

There is mention of manual removal, but it is not effective: what if you come back and this is a totally different variant, since the last one is old-named, as shared by the experts. Go for a clean slate.
0
 
LVL 14

Assisted Solution

by:BlueCompute
BlueCompute earned 250 total points
ID: 39320790
You're running SEP on an SBS 2011 server?  Wow.

Sounds like just another false positive; it's not like Symantec's ever been much good anyway.  What do you get if you haul out one of these quarantined files and upload it to www.virustotal.com ?  Bit suspicious that it's only picking up temp files too.

A lot of us don't actually run real-time AV on SBS servers because of the issues it can cause...
0
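Before pulling a quarantined file off the server and uploading it, a defender would usually just hash it and search VirusTotal by hash, which avoids shipping the server's own files anywhere. The script below, an added example and not BlueCompute's code or a Symantec tool, walks a Temp folder for names matching the DWH****.tmp pattern described in the thread, streams each file through SHA-256, and prints one VirusTotal hash-search URL per distinct hash. The folder to scan is taken from a hypothetical TEMP_DIR_TO_SCAN environment variable; when it is unset the script builds a throwaway directory of constructed sample files so it can be run offline.

```python
"""Inventory DWH*.tmp files in a user's Temp folder and print their SHA-256
hashes for lookup on VirusTotal by hash (no upload of the files themselves).
Added example for this thread; not code from the thread or from Symantec."""
import fnmatch
import hashlib
import os
import tempfile
from datetime import datetime


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory_temp_files(temp_dir, pattern="DWH*.tmp"):
    """Return one record per regular file in temp_dir whose name matches
    pattern (compared case-insensitively, as NTFS names are), oldest first."""
    rows = []
    for name in os.listdir(temp_dir):
        if not fnmatch.fnmatchcase(name.upper(), pattern.upper()):
            continue
        path = os.path.join(temp_dir, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        rows.append({
            "name": name,
            "path": path,
            "size": st.st_size,
            "sha256": sha256_file(path),
            "modified": datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds"),
        })
    rows.sort(key=lambda r: (r["modified"], r["name"]))
    return rows


def unique_hashes(rows):
    """Distinct hashes across all hits: one hash behind many file names means
    the same content keeps reappearing under new names."""
    return sorted({r["sha256"] for r in rows})


def make_constructed_temp_dir():
    """Create a throwaway directory of constructed sample files (one empty
    DWH file, one with harmless text, one unrelated file) so the example
    runs offline. Nothing here is real malware."""
    d = tempfile.mkdtemp(prefix="dwh_demo_")
    open(os.path.join(d, "DWH1D89.tmp"), "wb").close()
    with open(os.path.join(d, "DWH2A10.tmp"), "wb") as fh:
        fh.write(b"constructed sample content, not malware\n")
    with open(os.path.join(d, "notes.txt"), "w") as fh:
        fh.write("unrelated file that must be ignored\n")
    return d


if __name__ == "__main__":
    # Set TEMP_DIR_TO_SCAN (hypothetical variable) to a real profile's Temp
    # folder, e.g. C:\Users\itmanager\AppData\Local\Temp, to inventory it.
    target = os.environ.get("TEMP_DIR_TO_SCAN") or make_constructed_temp_dir()
    records = inventory_temp_files(target)
    for r in records:
        print(f'{r["modified"]}  {r["size"]:>8}  {r["sha256"]}  {r["name"]}')
    for h in unique_hashes(records):
        print("lookup: https://www.virustotal.com/gui/file/" + h)
```

Run it on the server as the affected user so the profile's Temp folder is readable; comparing the number of distinct hashes with the number of alerts tells you whether Symantec is tripping over one recurring file or many different ones, which is the question BlueCompute raises above.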
 
LVL 61

Expert Comment

by:btan
ID: 39321088
Some even have AV running as a VM appliance while the server instance runs under the blade hypervisor... wondering if there is any reporting of this infection; scan all portable storage used with this server as well, to find more cahoots.
0
 
LVL 1

Author Comment

by:Akash Bansal
ID: 39350093
I have noticed one strange thing.... I never get any virus notification if I keep myself logged out of the server, but I get notifications/detections whenever I keep myself logged in to the server locally (in the locked state).

I am managing the server remotely through LogMeIn... that is the reason I couldn't try fixing it using boot media.
0
 
LVL 61

Expert Comment

by:btan
ID: 39350160
There is malware that evades Remote Desktop, and one example is Shylock:
http://www.darkreading.com/endpoint/financial-malware-detects-remote-desktop/240142738?nomobile=1
0
 
LVL 1

Author Comment

by:Akash Bansal
ID: 39350265
How do I get rid of them and protect against them?
0
 
LVL 61

Expert Comment

by:btan
ID: 39350307
I suggest a clean install if viable, as if it infected the MBR you need to preboot into an external CD to do the clean-up, and I do not fully trust the system though..
0
 
LVL 1

Author Comment

by:Akash Bansal
ID: 39350337
Installing and configuring all the services and all the connected clients is a nightmare.
I don't want to go with it.
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 39351115
Did you try RogueKiller?
0
 
LVL 1

Author Comment

by:Akash Bansal
ID: 39354729
The server is facing another issue... the backup is not running... I have to fix it first before I can do any virus fixes.
0
 
LVL 38

Expert Comment

by:younghv
ID: 39419273
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 1

Author Comment

by:Akash Bansal
ID: 39419274
I am managing the server remotely.  As the step requires my physical visit to the server location, I will do it at my next visit. I will update the thread thereafter. Please do not delete this thread.
0
 
LVL 1

Assisted Solution

by:Akash Bansal
Akash Bansal earned 0 total points
ID: 39568066
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 39568092
0
 
LVL 1

Author Comment

by:Akash Bansal
ID: 39568134
I scanned the server using RogueKiller.
It found a few registry infections. The tmp files I deleted manually.
Hope it will be fine now.
Moreover, I will run Microsoft Safety Scanner just now.
RogueKiller findings..
0
 
LVL 1

Author Closing Comment

by:Akash Bansal
ID: 39579200
As it was an infection at server level, I was very apprehensive about running a new tool on the server.

I got the same infection on a desktop recently, and I did all the testing on that.
Found RogueKiller the best. Virustotal.com gave me confirmation and details about the infection.
I guess malwarebytes.org is losing its charm. I used to use it most of the time, but for some time it has been failing to detect repeatedly.
0
 
LVL 1

Author Comment

by:Akash Bansal
ID: 39593364
Sorry to say, the virus is still there. :(
The issue seemed resolved, but it was not.
0
 
LVL 1

Author Comment

by:Akash Bansal
ID: 39593428
These dialog boxes I am getting repeatedly:

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: W32.Slugin.A!inf
File: C:\Users\itmanager\AppData\Local\Temp\DWH1D89.tmp
Location: C:\Users\itmanager\AppData\Local\Temp
Computer: IBMDC
User: itmanager
Action taken: Pending Side Effects Analysis : Access denied
Date found: 23 October 2013  13:31:22
0
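The alert text quoted above has a fixed "Key: value" layout, so repeated alerts can be parsed and tallied instead of read one dialog at a time. The parser below is an added example, not code from the thread or from Symantec: it splits a paste of such alerts into records, normalises the variable four-character suffix in the DWH****.tmp names so all of them group together, counts detections by risk name and folder, and reports whether every hit lies under a user's local Temp folder (the pattern BlueCompute called suspicious earlier in the thread). The sample input is the alert quoted above plus a second constructed alert of the same shape.

```python
"""Parse Symantec Endpoint Protection 'Risk Found' alert text and summarise
what keeps firing.  Added example; not code from the thread or from Symantec."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the alert quoted in the thread plus a second one of the
# same shape with a different DWH suffix and a later timestamp.
SAMPLE_ALERTS = """\
Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: W32.Slugin.A!inf
File: C:\\Users\\itmanager\\AppData\\Local\\Temp\\DWH1D89.tmp
Location: C:\\Users\\itmanager\\AppData\\Local\\Temp
Computer: IBMDC
User: itmanager
Action taken: Pending Side Effects Analysis : Access denied
Date found: 23 October 2013  13:31:22

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: W32.Slugin.A!inf
File: C:\\Users\\itmanager\\AppData\\Local\\Temp\\DWH2A10.tmp
Location: C:\\Users\\itmanager\\AppData\\Local\\Temp
Computer: IBMDC
User: itmanager
Action taken: Pending Side Effects Analysis : Access denied
Date found: 23 October 2013  13:45:07
"""

# Split on the first colon only, so "C:\..." paths and the
# "Pending Side Effects Analysis : Access denied" value survive intact.
FIELD_RE = re.compile(r"^(?P<key>[^:]+?):\s*(?P<value>.*)$")


def parse_alerts(text):
    """Turn a paste of one or more alert dialogs into a list of dicts.
    A blank line or a new 'Scan type:' line starts the next record."""
    alerts, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                alerts.append(current)
                current = {}
            continue
        if line.startswith("Scan type:") and current:
            alerts.append(current)
            current = {}
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key").strip()] = m.group("value").strip()
    if current:
        alerts.append(current)
    for a in alerts:
        # The dialog pads the date with two spaces; collapse before parsing.
        when = re.sub(r"\s+", " ", a.get("Date found", ""))
        try:
            a["when"] = datetime.strptime(when, "%d %B %Y %H:%M:%S")
        except ValueError:
            a["when"] = None
    return alerts


def normalize_name(name):
    """Collapse the variable hex suffix of DWH****.tmp names so every such hit
    groups together; for other names, collapse runs of digits to '*'."""
    if re.fullmatch(r"DWH[0-9A-Fa-f]{1,4}\.tmp", name, flags=re.I):
        return "DWH****.tmp"
    return re.sub(r"\d+", "*", name)


def summarize(alerts):
    """Count detections by (risk name, folder, normalised file name)."""
    counts = Counter()
    for a in alerts:
        folder, _, name = a.get("File", "").rpartition("\\")
        counts[(a.get("Security risk detected", "?"), folder, normalize_name(name))] += 1
    return counts


def only_temp_hits(alerts):
    """True when every detection sits under a user's AppData\\Local\\Temp."""
    return bool(alerts) and all(
        "\\appdata\\local\\temp\\" in a.get("File", "").lower() for a in alerts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for (risk, folder, name), n in summarize(parsed).items():
        print(f"{n:>4}  {risk}  {folder}\\{name}")
    print("all hits in a Temp folder:", only_temp_hits(parsed))
```

Feed it the text of the SEP risk log or a paste of the dialogs; if the summary collapses to a single (risk, folder, DWH****.tmp) line and the Temp-only flag is true, the hashing step from the earlier example is the natural next check, since an infection that also touched system or program files would show up here as additional folders.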
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 39593809
Try the newer versions of both RogueKiller and the safety scanner.
0
 
LVL 1

Author Comment

by:Akash Bansal
ID: 39594273
http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1556281#none

As per above link; do you think MBR is infected?

Detection as per Kaspersky: Trojan.Win32.Rozena.hod
Detection as per Kaspersky
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 39595367
That detection is for a PE Trojan, which means there are EXE and/or DLL files which are infected.
Your best course would be to run MS Windows Defender Offline ( http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline ) or AVG's Rescue CD ( http://www.avg.com/us-en/avg-rescue-cd ); but both will want you to burn a CD which you must boot from in order to run the scans.
Pay CLOSE attention to what files are detected, as you may need to restore them from another source to finally fix the problem.
0
