W32.Sality.AE
Updated: 21 May 2010 | 10 comments
I have an SBS 2003 server on which the Norton scanner identified 800+ W32.Sality.AE infected files, pretty much all .exe files; some are O/S related. I've tried a couple of other AV solutions, but decided to try SEP. Downloaded the trial, but it won't install on the infected PC. I've reinstalled, but sys-state is corrupt ~ no safe mode, hangs on 'preparing network'. If there is a manual fix, it would be greatly appreciated.
-chrisv
Comments
Try Norton Security
Try Norton Security Scan.
ftp://ftp.symantec.com/misc/tools/nss/NortonSecuri...
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
I thought NSS was a
I thought NSS was a scan/report tool only? Can it remove threats as well?
NSS is a Small AV that will
NSS is a small AV that will scan your PC with the latest definitions without installing itself on the PC, and will remove threats as well.
When a machine is infected ,
When a machine is infected, SEP will not get installed.
So first remove the threat with the help of NSS and then try to install SEP.
If it works, good; else go to Start > Run, type %temp%
and paste the SEP_Inst.log.
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
Map drive Scan
W32.Sality.AE is a virus that spreads by infecting executable files, using the autorun feature.
Symantec strongly recommends that customers take specific steps to control the execution of applications referenced in autorun.inf files that may be located on removable and network drives. Threats such as this one frequently attempt to spread to other computers using these avenues. Configuration changes made to a computer can limit the possibility of new threats compromising it. For more information, see the following document
How to prevent a virus from spreading using the "AutoRun" feature
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032111570648
It tries to stop and delete all the AV services and processes. It could also attempt to delete the AV definition files and block the domains for AV vendors. That's why you can't install AV after infection; if you are able to, then it would be corrupted.
The best bet here is:
- First disable the autorun feature on the infected system.
- Install SEP on a different system on the same network.
- Update SEP with the latest virus defs.
- Map a drive [of the computer which is infected].
- Run a full scan.
Find the technical description here
http://www.symantec.com/security_response/writeup.jsp?docid=2008-042106-1847-99&tabid=2
Find the manual removal instructions here
http://www.symantec.com/security_response/writeup.jsp?docid=2008-042106-1847-99&tabid=3
I'm pretty sure SEP with up to date virus-defs takes care of W32.Sality.AE.
Inviting good karma to CPU...0xal0ne
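The thread's advice is to disable AutoRun and scan the infected machine over a mapped drive. Before such a scan it is useful to know whether a drive root carries an autorun.inf that would launch a program. The script below is an added example, not code from the thread or from Symantec: it parses autorun.inf files with a tolerant line parser (real ones are often not clean INI), reports the keys that would run something (open, shellexecute and shell\<verb>\command), and ignores other sections and junk lines. The sample autorun.inf, the temp directory and the drive letters in the usage comment are constructed for the demo.

```python
"""Inspect autorun.inf files on mapped or removable drives for launch entries.

Added example, not from the thread or from Symantec. It scans the root of each
path you give it (e.g. a drive mapped from the infected machine), parses any
autorun.inf with a tolerant line parser (such files are often not clean INI),
and reports every key that would make Windows run a program when AutoRun is
honoured. The sample autorun.inf below is constructed for the demo.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Keys in the [autorun] section that cause program execution.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... also runs a program when that verb is chosen or defaulted.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample: a typical "run an .exe from the drive root" autorun.inf,
# with a junk line and a second section to show the parser ignoring them.
SAMPLE_AUTORUN = "\n".join([
    "[autorun]",
    "; constructed sample for the demo",
    "open=setup.exe",
    "icon=setup.exe,0",
    "shell\\open\\command=setup.exe",
    "shell\\explore\\command=setup.exe",
    "shell=open",
    "label=My Disk",
    "gx7q>>not a key",
    "[other]",
    "open=harmless.exe",
])


@dataclass
class Finding:
    path: str    # where the autorun.inf was found
    key: str     # the key that launches a program
    target: str  # what it would launch


def parse_autorun(text: str) -> Dict[str, str]:
    """Return {key_lower: value} from the [autorun] section only, skipping junk."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_entries(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Select the entries that would execute something (open, shellexecute, shell\\*\\command)."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def inspect_roots(roots: Iterable[str]) -> List[Finding]:
    """Check the root of each path for an autorun.inf and report launch entries."""
    findings: List[Finding] = []
    for root in roots:
        inf = os.path.join(root, "autorun.inf")
        if not os.path.isfile(inf):
            continue
        with open(inf, "r", errors="replace") as fh:
            entries = parse_autorun(fh.read())
        findings.extend(Finding(inf, k, v) for k, v in launch_entries(entries))
    return findings


def demo() -> List[Finding]:
    """Write the constructed sample into a temp dir and inspect it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    return inspect_roots([root])


if __name__ == "__main__":
    # Real use: inspect_roots(["Z:\\", "E:\\"]) with your own (assumed) drive letters.
    for f in demo():
        print(f"{f.path}: {f.key} -> {f.target}")
```

Note that `shell=open` on its own is not reported: it only selects which verb is the default, so the `shell\open\command` line is the one that names the program. Run it against the root of the mapped drive before the full scan, and treat any reported entry pointing at an executable on that drive as something to check alongside the scan results.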
wow! sounds good. i'll let
Wow! Sounds good. I'll let you know how it goes!
-chrisv
Thanks but
There was too much damage to the operating system. Thanks for the suggestions though.
I've got a new O/S on another hard drive, sharing the data from the infected (and cleaned)
RAID drive ~ which also includes the old O/S, which will remain since the original install
didn't partition it off.
New problem. I've got a new O/S and am trying to load SEP, but it fails to install services. I can't
make heads or tails of the install log, and it's too big to attach here.
Any ideas?
-chrisv
Please search for return
Please search for "Return value 3" in the SEP_Inst.log and paste 5-6 lines above and below that.
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
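The search suggested above (find "Return value 3" and read the lines around it) is the standard way to triage a Windows Installer verbose log. The script below is an added example, not code from the thread or from Symantec: it does that search over a log file, keeps a window of context around the first hit, and also pulls out the custom action's exit code and the engine's final return code (1603 is the generic Windows Installer "fatal error during installation"). The regular expressions match the line shapes visible in the thread's own excerpt; the sample log is constructed from that excerpt, and the file path in the usage comment is a placeholder.

```python
"""Triage a Windows Installer verbose log (e.g. SEP_Inst.log) for the failing step.

Added example, not from the thread or from Symantec. It searches for
"Return value 3", keeps a window of context around the first hit, and pulls
out the custom-action exit code and the engine's final return code.
The sample log is constructed from the excerpt posted in the thread.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "Action ended 0:21:14: InstallFinalize. Return value 3." (trailing period optional)
RETURN3_RE = re.compile(r"^Action ended [\d:]+: (\S+)\. Return value 3\.?$")
# "LUCA: ... CreateProcessAndWait( LUCHECK.EXE ) returned 206"
CA_RESULT_RE = re.compile(r"CreateProcessAndWait\(\s*(\S+)\s*\)\s+returned\s+(\d+)")
# "MainEngineThread is returning 1603"
ENGINE_RC_RE = re.compile(r"MainEngineThread is returning (\d+)")

# Constructed sample, assembled from lines of the log excerpt in the thread.
SAMPLE_LOG = "\n".join([
    "Action 0:20:27: InstallLiveUpdate.FF07F38E_78C2_412E_B858_64488E808644.",
    "LUCA: InstallLiveUpdate enter.",
    "LUCA: C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\HPRVKZTW\\LiveUpdate\\lucheck.exe",
    "LUCA: InstallLiveUpdate : CreateProcessAndWait( LUCHECK.EXE ) returned 206",
    "Action ended 0:21:14: InstallFinalize. Return value 3.",
    "MSI (s) (C4:98) [00:21:14:300]: User policy value 'DisableRollback' is 0",
    "Action 0:21:14: Rollback. Rolling back action:",
    "Rollback: InstallLiveUpdate.FF07F38E_78C2_412E_B858_64488E808644",
    "MSI (s) (C4:98) [00:21:32:660]: MainEngineThread is returning 1603",
    "Action ended 0:21:32: ExecuteAction. Return value 3.",
    "Action ended 0:22:33: SetupCompleteError. Return value 2.",
    "Action ended 0:22:33: INSTALL. Return value 3.",
])


@dataclass
class Triage:
    failed_actions: List[str] = field(default_factory=list)   # actions ending with return value 3
    first_failure_context: List[str] = field(default_factory=list)
    custom_action_error: Optional[Tuple[str, int]] = None      # (program, exit code)
    engine_return_code: Optional[int] = None


def triage_msi_log(log_text: str, context: int = 5) -> Triage:
    """Scan the log once; collect failures, the first failure's context, and exit codes."""
    lines = log_text.splitlines()
    result = Triage()
    first_idx: Optional[int] = None
    for i, line in enumerate(lines):
        m = RETURN3_RE.match(line.strip())
        if m:
            result.failed_actions.append(m.group(1))
            if first_idx is None:
                first_idx = i
        m = CA_RESULT_RE.search(line)
        if m and result.custom_action_error is None:
            result.custom_action_error = (m.group(1), int(m.group(2)))
        m = ENGINE_RC_RE.search(line)
        if m:
            result.engine_return_code = int(m.group(1))
    if first_idx is not None:
        lo, hi = max(0, first_idx - context), min(len(lines), first_idx + context + 1)
        result.first_failure_context = lines[lo:hi]
    return result


def summary(t: Triage) -> str:
    """One-line verdict suitable for pasting into a support thread."""
    if not t.failed_actions:
        return "no 'Return value 3' found"
    parts = [f"first failing action: {t.failed_actions[0]}"]
    if t.custom_action_error:
        prog, code = t.custom_action_error
        parts.append(f"custom action {prog} exited with {code}")
    if t.engine_return_code is not None:
        parts.append(f"installer returned {t.engine_return_code}")
    return "; ".join(parts)


if __name__ == "__main__":
    # Usage: python triage_msi.py C:\path\to\SEP_Inst.log   (placeholder path; falls back to the sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    t = triage_msi_log(text)
    print(summary(t))
    print("\n".join(t.first_failure_context))
```

The later "Return value 3" lines (ExecuteAction, INSTALL) are the installer unwinding after the first failure, so the first hit is the one to read; the context window around it is what a support engineer will ask for, and the custom-action exit code is what identifies the knowledge-base article.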
Return Value 3
There is more than one "Value 3":
Action 0:20:27: InstallLiveUpdate.FF07F38E_78C2_412E_B858_64488E808644.
MSI (s) (C4:98) [00:20:27:753]: Executing op: CustomActionSchedule(Action=InstallLiveUpdate.FF07F38E_78C2_412E_B858_64488E808644,ActionType=3073,Source=BinaryData,Target=InstallLiveUpdate,CustomActionData=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HPRVKZTW\LiveUpdate\lucheck.exe)
MSI (s) (C4:70) [00:20:27:769]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI6D.tmp, Entrypoint: InstallLiveUpdate
LUCA: InstallLiveUpdate enter.
LUCA: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HPRVKZTW\LiveUpdate\lucheck.exe
LUCA: InstallLiveUpdate : CreateProcessAndWait( LUCHECK.EXE ) returned 206
Action ended 0:21:14: InstallFinalize. Return value 3.
MSI (s) (C4:98) [00:21:14:300]: User policy value 'DisableRollback' is 0
MSI (s) (C4:98) [00:21:14:300]: Machine policy value 'DisableRollback' is 0
MSI (s) (C4:98) [00:21:14:347]: Executing op: Header(Signature=1397708873,Version=301,Timestamp=992477803,LangId=1033,Platform=0,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
MSI (s) (C4:98) [00:21:14:347]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (s) (C4:98) [00:21:14:347]: Executing op: DialogInfo(Type=1,Argument=Symantec Endpoint Protection)
MSI (s) (C4:98) [00:21:14:347]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
Action 0:21:14: Rollback. Rolling back action:
Rollback: InstallLiveUpdate.FF07F38E_78C2_412E_B858_64488E808644
------------------------
InstSymProtect::cleanupFolder() -> DeleteFolderIfNoFileExists FAILED
cleanupFolder: exiting
MSI (s) (C4:98) [00:21:31:925]: Executing op: End(Checksum=0,ProgressTotalHDWord=0,ProgressTotalLDWord=0)
MSI (s) (C4:98) [00:21:31:925]: Error in rollback skipped. Return: 5
MSI (s) (C4:98) [00:21:31:941]: No System Restore sequence number for this installation.
MSI (s) (C4:98) [00:21:31:941]: Unlocking Server
MSI (s) (C4:98) [00:21:31:941]: PROPERTY CHANGE: Deleting UpdateStarted property. Its current value is '1'.
Action ended 0:21:31: INSTALL. Return value 3.
Property(S): DiskPrompt = [1]
Property(S): UpgradeCode = {24BF7A02-B60A-494B-843A-793BBC77DED4}
Property(S): CostingComplete = 1
Property(S): VersionNT = 502
Property(S): TARGETDIR = Z:\
Property(S): ALLUSERSPROFILE = C:\Documents and Settings\All Users\
---------------------------
Property(S): ProductToBeRegistered = 1
Property(S): MsiFilterRebootMode_RebootAtEndModeBefore = 1
MSI (s) (C4:98) [00:21:32:660]: MainEngineThread is returning 1603
MSI (s) (C4:CC) [00:21:32:675]: Destroying RemoteAPI object.
MSI (s) (C4:30) [00:21:32:675]: Custom Action Manager thread ending.
MSI (c) (F4:28) [00:21:32:691]: Back from server. Return value: 1603
MSI (c) (F4:28) [00:21:32:691]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (F4:28) [00:21:32:691]: PROPERTY CHANGE: Deleting SECONDSEQUENCE property. Its current value is '1'.
Action ended 0:21:32: ExecuteAction. Return value 3.
MSI (c) (F4:28) [00:21:32:691]: Doing action: SetupCompleteError
Action 0:21:32: SetupCompleteError.
Action start 0:21:32: SetupCompleteError.
Action 0:21:32: SetupCompleteError. Dialog created
Action ended 0:22:33: SetupCompleteError. Return value 2.
Action ended 0:22:33: INSTALL. Return value 3.
MSI (c) (F4:28) [00:22:33:816]: Destroying RemoteAPI object.
MSI (c) (F4:1C) [00:22:33:816]: Custom Action Manager thread ending.
Thanks! chrisv
The logs: LUCA:
The logs:
LUCA: InstallLiveUpdate enter.
LUCA: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HPRVKZTW\LiveUpdate\lucheck.exe
LUCA: InstallLiveUpdate : CreateProcessAndWait( LUCHECK.EXE ) returned 206
Action ended 0:21:14: InstallFinalize. Return value 3
Title: 'Installation of Symantec Endpoint Protection Client rolls back with error LUCHECK.EXE returned 206'
Document ID: 2009072709544048
Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009072709544048?Open&seg=ent
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)