
w32.sality!dr infection

Created: 12 Nov 2012 | 11 comments

Hello,

I need some help getting rid of a virus on a Server 2008 R2 x64 domain controller/file server.

I'm using Symantec Endpoint Protection Small Business 2013.

Symantec finds and removes/quarantines the file, but it keeps coming back. As a test, I disconnected the internet, deleted the infected file and it did not reappear. As soon as I plugged the internet back in, the file reappeared.

The file names show as xskd.exe, cjxnd.exe, vmeil.exe

I've tried numerous other programs, such as Malwarebytes, TDSSKiller, SEP Support Tool, etc.

I used Process Explorer to try and get more info on the infected files, but it will not see or find the infected files listed above.

The other workstations in the environment have Endpoint 2013 installed as well and do not show this infection. On the server, the C:\ appears clean, just the D:\ is showing the infections.

The Windows firewall is enabled and the router's built-in firewall is active as well.

Any thoughts or suggestions on how to get this removed will be greatly appreciated!

thanks,

Andrew

11 Comments

.Brian

A great removal tool is sality killer, get it here:

http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889

Also check for the presence of a hidden autorun.inf file on the root of C: and a corresponding randomly named executable.

You likely won't find malicious files per se, but this virus injects itself into legit processes, so you need to use Sality Killer, which will kill the infected threads.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

andrew00

Thanks for the responses! I will be trying them out and let you all know how it goes.

andrew00

Ran the Sality Killer apps, I couldn't run the registry one because it said there were keys in use.

So I rebooted in safe mode, ran salitykiller.exe, disable autorun and then safeboot.reg, but when I run safeboot, I get an error saying "cannot import, not all data was successfully written to the registry. some keys are open by the system or other processes".

Is there a way I can get the registry safeboot to work?

andrew00

In addition, if I pull up which users are using files on the share drives, there are multiple that show they are running autorun.inf.

I loaded one of these in Notepad and it's the virus... I just can't get rid of it!!!!

This autorun.inf shows in multiple places on D:\ but so far I have not found it anywhere on C:\.

.Brian

I have a small program created to run Sality Killer remotely and silently as well.

I dealt with this roughly a year ago (exact same scenario as you with the autorun files and not being able to remove them) and then we created this program to run it remotely on all infected machines. Eventually we got it fixed.

If you need further assistance we can take this off line. Send me a PM.


andrew00

So far no luck. Tried the Sality Killer and Brian81 script... keeps coming back.

This site is connected to 5 other sites via VPN.

We are taking down all VPNs, and deleting the virus file manually (which has changed to a qcwqu.pif instead of a .exe).

Bringing 1 VPN up at a time to see if the infection is coming from another site or the internet.

.Brian

Do you have users with mapped drives as well? From what I've seen, one user brings in an infected USB drive and that's where it all starts.

You definitely need to disable autorun on USBs.

Following this article:

http://www.symantec.com/business/support/index?page=content&id=TECH98330

I put this file on the root of our mapped shares, which helped stop the issue.

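A defender-side check for the two things .Brian's posts point at (a hidden autorun.inf on a drive or share root that launches a randomly named executable, and AutoRun being left enabled for USB drives), written as an added example that is not part of this thread and not the script .Brian mentions. It assumes you pass in the share roots to inspect; the sample autorun.inf, the placeholder executable and the "random-looking name" heuristic are constructed for this example, and the file names are only the ones the thread already lists. The hidden-attribute check only has meaning on Windows; the NoDriveTypeAutoRun decoder interprets the policy bitmask from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (0xFF disables AutoRun on every drive type).

```python
import os
import re
import stat
import tempfile

# Keys in the [autorun] section that make Windows launch a program.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample in the style the thread describes: a launcher that points at a
# randomly named executable on the same root (name taken from the thread, not a capture).
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    ";constructed sample, not a real capture\r\n"
    "open=xskd.exe\r\n"
    "shell\\open\\command=xskd.exe\r\n"
    "icon=xskd.exe,0\r\n"
)


def parse_autorun(text):
    """Return every program an autorun.inf would launch (open=, shellexecute=, shell\\*\\command=)."""
    targets = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value)
    return targets


def launched_file(value):
    """Strip surrounding quotes and trailing arguments, leaving the program name or path."""
    m = re.match(r'"([^"]+)"|(\S+)', value)
    return (m.group(1) or m.group(2)) if m else value


def is_hidden(path):
    """Hidden-attribute check; st_file_attributes only exists on Windows, so this is False elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_roots(roots):
    """For each root, report any autorun.inf, what it launches, and whether that target is present."""
    findings = []
    for root in roots:
        inf = os.path.join(root, "autorun.inf")
        if not os.path.isfile(inf):
            continue
        with open(inf, "rb") as fh:
            body = fh.read().decode("latin-1")  # lenient decode: odd bytes must not stop the parse
        for value in parse_autorun(body):
            program = launched_file(value)
            findings.append({
                "root": root,
                "autorun_hidden": is_hidden(inf),
                "launches": program,
                "target_exists": os.path.isfile(os.path.join(root, program)),
                # Heuristic (assumption): short all-letter names with an executable extension,
                # like the ones in the thread, deserve a second look.
                "random_looking_name": bool(
                    re.fullmatch(r"[a-z]{4,6}\.(exe|pif|com|scr|bat|cmd)", program, re.I)),
            })
    return findings


# NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is DISABLED.
DRIVE_TYPE_BITS = {
    0x04: "removable (USB, floppy)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown",
}


def autorun_still_allowed(no_drive_type_autorun):
    """Drive types on which a given NoDriveTypeAutoRun value still leaves AutoRun enabled."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not no_drive_type_autorun & bit]


def demo():
    """Build a constructed share root in a temp directory, scan it, and return the findings."""
    root = tempfile.mkdtemp(prefix="share_root_")
    with open(os.path.join(root, "autorun.inf"), "w", newline="") as fh:
        fh.write(SAMPLE_AUTORUN)
    with open(os.path.join(root, "xskd.exe"), "wb") as fh:
        fh.write(b"placeholder bytes, constructed")  # stand-in for the dropped file, not malware
    return scan_roots([root])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    print("AutoRun still allowed on:", autorun_still_allowed(0x91))
```

In practice you would call scan_roots with the real share roots (for example the mapped D:\ shares from the thread) and treat a hidden autorun.inf whose launch target exists on the same root as a signal to pull that share offline before cleaning; the registry value is read with reg query or PowerShell and fed to autorun_still_allowed, where anything other than an empty list means a drive type is still open to the USB-borne start .Brian describes.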

andrew00

Yea, I used Symantec to disable all USB storage devices from the workstations.

The only thing is though, we host the company's Exchange and some of their software in our data center, and it looks like that is where it's coming from.

We killed the colo VPN, and that .pif file has not reappeared yet, but we are bringing up the other VPNs to the other sites, and so far no weird files are appearing.

.Brian

Once you find the autorun.inf file(s) and remove those, then the cleaning can begin.


pandher

Hi, we are seeing the same issue and after repeated scans it is not going away:

W32.Sality!dr