
w32.sality!dr infection

Created: 12 Nov 2012 | 11 comments
andrew00:

Hello,

I need some help getting rid of a virus on a Server 2008 R2 x64 domain controller/file server.

I'm using Symantec Endpoint Protection Small Business 2013.

Symantec finds and removes/quarantines the file, but it keeps coming back. As a test, I disconnected the internet, deleted the infected file and it did not reappear. As soon as I plugged the internet back in, the file reappeared.

The file names show as xskd.exe, cjxnd.exe, vmeil.exe.

I've tried numerous other programs, such as Malwarebytes, TDSSKiller, SEP Support Tool, etc.

I used Process Explorer to try and get more info on the infected files, but it will not see or find the infected files listed above.

The other workstations in the environment have Endpoint 2013 installed as well and do not show this infection. On the server, the C:\ appears clean; just the D:\ is showing the infections.

The Windows firewall is enabled and the router's built-in firewall is active as well.

Any thoughts or suggestions on how to get this removed will be greatly appreciated!

Thanks,

Andrew

Comments (11)

Black_N:

There are recommendations about removal of W32.Sality!dr:

http://www.symantec.com/security_response/writeup.jsp?docid=2010-090107-1254-99&tabid=3

Submit a suspicious file to Symantec:

http://www.symantec.com/business/support/index?page=content&id=TECH102419

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

Brian81:

A great removal tool is Sality Killer; get it here:

http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889

Also check for the presence of a hidden autorun.inf file on the root of C: and a corresponding randomly named executable.

You likely won't find malicious files per se, but this virus injects itself into legit processes, so you need to use Sality Killer, which will kill the infected threads.

andrew00:

Thanks for the responses! I will be trying them out and let you all know how it goes.

andrew00:

Ran the Sality Killer apps; I couldn't run the registry one because it said there were keys in use.

So I rebooted in safe mode, ran SalityKiller.exe, disable autorun and then safeboot.reg, but when I run safeboot, I get an error saying: cannot import, not all data was successfully written to the registry. Some keys are open by the system or other processes.

Is there a way I can get the registry safeboot to work?

andrew00:

In addition, if I pull up which users are using files on the share drives, there are multiple that show they are running autorun.inf.

I loaded one of these in Notepad and it's the virus... I just can't get rid of it!

This autorun.inf shows in multiple places on D:\ but so far I have not found it anywhere on C:\.

Brian81:

I have a small program I created to run Sality Killer remotely, silently as well.

I dealt with this roughly a year ago (exact same scenario as you, with the autorun files and not being able to remove them) and we created this program to run it remotely on all infected machines. Eventually we got it fixed.

If you need further assistance we can take this offline. Send me a PM.

andrew00:

So far no luck. Tried the Sality Killer and Brian81's script... keeps coming back.

This site is connected to 5 other sites via VPN.

We are taking down all VPNs and deleting the virus file manually (which has changed to a qcwqu.pif instead of a .exe),

bringing 1 VPN up at a time to see if the infection is coming from another site or the internet.

Brian81:

Do you have users with mapped drives as well? From what I've seen, one user brings in an infected USB drive and that's where it all starts.

You definitely need to disable autorun on USBs.

Following this article:

http://www.symantec.com/business/support/index?page=content&id=TECH98330

I put this file on the root of our mapped shares, which helped stop the issue.
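The two checks Brian81 describes above (a hidden autorun.inf plus a randomly named executable on a drive or share root, and AutoRun being disabled) and the "users running autorun.inf" view andrew00 mentioned can be gathered with one read-only audit script. The script below is an added example for this thread, not code from any of the posters, Symantec or Kaspersky; it assumes it runs elevated on the file server, discovers fixed-disk and SMB share roots itself rather than hard-coding D:\, and only reports, never deletes.

```powershell
# Added audit script (not from the thread). Assumptions: run elevated on the
# file server; PowerShell 2.0 or later; openfiles.exe present (it ships with
# Server 2008 R2). Read-only: it reports findings, it does not remove anything.

# 1. AutoRun policy. NoDriveTypeAutoRun = 0xFF disables AutoRun for every
#    drive type (removable, fixed, network, CD-ROM, RAM disk).
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policy = Get-ItemProperty -Path $policyPath -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
if ($policy -and $policy.NoDriveTypeAutoRun -eq 0xFF) {
    "AutoRun policy: disabled for all drive types (NoDriveTypeAutoRun = 0xFF)"
} else {
    "AutoRun policy: NOT fully disabled (NoDriveTypeAutoRun = $($policy.NoDriveTypeAutoRun))"
}

# 2. Roots to inspect: every fixed-disk root plus the local path of every share.
$roots = @()
$roots += Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" | ForEach-Object { $_.DeviceID + '\' }
$roots += Get-WmiObject Win32_Share | Where-Object { $_.Path } | ForEach-Object { $_.Path }
$roots = $roots | Sort-Object -Unique

foreach ($root in $roots) {
    $inf = Join-Path $root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    $item = Get-Item -LiteralPath $inf -Force          # -Force shows hidden/system items
    if ($item.PSIsContainer) {
        # A *directory* named autorun.inf is the share-protection technique from
        # the Symantec article linked above, not an infection marker.
        "$inf : directory (share-protection folder, expected)"
        continue
    }
    "$inf : FILE, attributes=$($item.Attributes), modified=$($item.LastWriteTime)"
    # The [autorun] section names the executable to launch; reporting it locates
    # the randomly named dropper sitting next to the .inf on that root.
    Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' } |
        ForEach-Object {
            $target = ($_ -split '=', 2)[1].Trim()
            "    launches: $target"
            $exe = Join-Path $root $target
            if (Test-Path -LiteralPath $exe) {
                $exeItem = Get-Item -LiteralPath $exe -Force
                "    referenced file present: $($exeItem.Length) bytes, modified=$($exeItem.LastWriteTime)"
            }
        }
}

# 3. Remote SMB sessions that currently hold an autorun.inf open. This is the
#    "users running autorun.inf" view from the thread, in scriptable form;
#    the 'Accessed By' column tells you which client to isolate and clean first.
openfiles /query /fo csv /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.'Open File (Path\executable)' -match 'autorun\.inf$' } |
    Select-Object 'Accessed By', 'Hostname', 'Open File (Path\executable)'
```

Run it from an elevated PowerShell prompt on the server and keep the output as a record; the third section is the quickest way to tell whether the re-infection source is a VPN-connected site or a local client, which is what the later posts in this thread are trying to work out by taking VPNs down one at a time.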

andrew00:

Yeah, I used Symantec to disable all USB storage devices from the workstations.

The only thing is, though, we host the company's Exchange and some of their software in our data center, and it looks like that is where it's coming from.

We killed the colo VPN, and that .pif file has not reappeared yet, but we are bringing up the other VPNs to the other sites, and so far no weird files are appearing.

Brian81:

Once you find the autorun.inf file(s) and remove those, then the cleaning can begin.

pandher:

Hi, we are seeing the same issue and after repeated scans it is not going away:

W32.Sality!dr
