
Virus problem

Created: 25 Oct 2013 • Updated: 26 Oct 2013 | 7 comments
This issue has been solved.

Team,

Please help me on an urgent basis. I am not able to do anything on my desktop (XP) because of a W32.Sality.U virus attack.

7 Comments

raju123:

Update your system with the latest definitions.

Scan the system in safe mode.

Also try the NPE tool to clean the virus:

http://security.symantec.com/nbrt/npe.asp?lcid=1033

 

.Brian:

Run Sality Killer; this will take care of it.

http://support.kaspersky.com/us/1874

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi:

Hello,

Sality is a persistent and dangerous threat to have in your network. 

Symantec strongly recommends that customers take specific steps to control the execution of applications referenced in autorun.inf files that may be located on removable and network drives. Threats such as this one frequently attempt to spread to other computers using these avenues. Configuration changes made to a computer can limit the possibility of new threats compromising it. For more information, see the following document:

Here is a very good set of steps for how to proceed: 

Best practices for troubleshooting viruses on a network  

http://www.symantec.com/business/support/index?page=content&id=TECH122466&locale=en_US

It will take time to identify the computer which is infected and attempting to infect others. Stick with the process, though; it will work.

You could also use Symantec Power Eraser from SymHelp

OR

Symantec Endpoint Recovery Tool (SERT)

https://www-secure.symantec.com/connect/articles/symantec-endpoint-recovery-tool-sert

Since there is no tool for removal of Sality, you need to do the following to get the threat out of the network:

1. Disable Autoplay.
2. Disable System Restore.
3. Disable the open shares, and C$ and Admin$.
4. Repair or reinstall SEP, if SEP is corrupted.
5. Apply the Application and Device Control policy.
6. Make sure that IPS policies for Sality are in place.
7. Apply the latest Rapid Release signatures and start the scan on the network.
 

One other thing to note, for SEP 12.1.x users, an Application and Device policy is available to combat the W32.Sality.U threat in the event of an outbreak.

For full details read the W32.Sality.U page from Security Response - 

http://www.symantec.com/security_response/writeup.jsp?docid=2006-080910-0104-99

Check this Article as well:
Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
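Steps 1 to 3 of the post above (disable Autoplay, disable System Restore, remove the open administrative shares) can be applied from an administrator command prompt on the infected XP machine with the built-in reg.exe and net.exe tools. The batch file below is an added example and is not code from the thread or from Symantec; the registry paths and values are the standard Windows locations for these settings, and the script assumes it is run as a local administrator.

```batch
@echo off
rem Added example (not from the original thread): apply steps 1-3 of the
rem cleanup list above with reg.exe / net.exe. Run from an administrator
rem cmd prompt on the infected Windows XP host.

rem 1. Disable Autorun for every drive type (0xFF = all bits set) in both the
rem    machine and the current-user policy key, so autorun.inf on removable
rem    and network drives is never executed. HonorAutorunSetting makes
rem    Windows respect NoDriveTypeAutoRun after the MS09-008/KB967715 update.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HonorAutorunSetting /t REG_DWORD /d 1 /f

rem 2. Disable System Restore through the policy key so restore points that
rem    contain the infector are no longer kept and cannot bring it back
rem    after cleaning. (Re-enable it by deleting the value once the host is clean.)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

rem 3. Stop the Server service from recreating the administrative shares on
rem    its next start (AutoShareWks = workstation editions, AutoShareServer =
rem    server editions), then delete the shares that exist right now.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
net share C$ /delete
net share ADMIN$ /delete

rem Verify: the share list should no longer contain C$ or ADMIN$, and the
rem three registry queries should show 0xff, 0x1 and 0x0 respectively.
net share
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR
reg query "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks
```

The `net share ... /delete` lines only remove the shares until the Server service restarts; the AutoShare values are what keep them from coming back, so both are needed. Remember to remove the `DisableSR` value again once the machine has been scanned clean, otherwise the host is left with no restore points.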

ecguy:

This tool from Microsoft may also be helpful:

http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline

I usually load it to a cd and add an empty usb drive to the computer when scanning.  I like to copy anything that is newly discovered to the usb drive and than check the file at https://www.virustotal.com/en/ and if it shows that Symantec is not detecting the infection, submitting the file directly to Symantec.http://www.symantec.com/security_response/submitsamples.jsp