Endpoint Protection


W32.Sality.AE

  • 1.  W32.Sality.AE

    Posted Aug 31, 2009 08:36 AM
    I have an SBS 2003 server on which the Norton scanner identified 800+ W32.Sality.AE-infected files, pretty much all .exe files. Some are O/S related. I've tried a couple of other AV solutions, but decided to try SEP. Downloaded the trial, but it won't install on the infected PC. I've reinstalled, but sys-state is corrupt ~ no safe mode, hangs on 'preparing network'. If there is a manual fix, it would be greatly appreciated.

    -chrisv



  • 2.  RE: W32.Sality.AE

    Posted Aug 31, 2009 09:00 AM

    Try Norton Security Scan.

    ftp://ftp.symantec.com/misc/tools/nss/NortonSecurityScan.exe



  • 3.  RE: W32.Sality.AE

    Posted Aug 31, 2009 09:03 AM
    When a machine is infected, SEP will not get installed.
    So first remove the threat with the help of NSS and then try to install SEP.
    If it works, good; else go to Start > Run, type %temp%
    and paste the SEP_Inst.log.


  • 4.  RE: W32.Sality.AE

    Posted Aug 31, 2009 09:34 AM

    W32.Sality.AE is a virus that spreads by infecting executable files, using the autorun feature.

    Symantec strongly recommends that customers take specific steps to control the execution of applications referenced in autorun.inf files that may be located on removable and network drives. Threats such as this one frequently attempt to spread to other computers using these avenues. Configuration changes made to a computer can limit the possibility of new threats compromising it. For more information, see the following document:

    How to prevent a virus from spreading using the "AutoRun" feature

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032111570648 

    It tries to stop and delete all the AV services and processes. It could also attempt to delete the AV definition files and block the domains for AV vendors. That's why you can't install AV after infection; if you are able to, then it would be corrupted.

    The best bet here is ..
    -First disable autorun feature in the infected system.
    -Install SEP in a different system in the same network.
    -Update SEP with the latest virus-defs.
    -Map a drive [of the computer which is infected] 
    -Run a full scan.

    Find the technical description here

    http://www.symantec.com/security_response/writeup.jsp?docid=2008-042106-1847-99&tabid=2 

    Find the manual removal instruction here 

    http://www.symantec.com/security_response/writeup.jsp?docid=2008-042106-1847-99&tabid=3

    I'm pretty sure SEP with up to date virus-defs takes care of W32.Sality.AE.  

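As an added example (not from the thread or from Symantec), the following Python check targets the spread vector this reply describes: it parses an autorun.inf found on a removable or network drive and reports which programs it would cause Windows to run, so a defender can review such files before deciding to trust a drive. Both autorun.inf samples are constructed for the example.

```python
import configparser

# Constructed autorun.inf samples (not taken from the thread): the first is the
# shape a vendor CD legitimately carries, the second the shape malware that
# spreads over removable and network drives leaves next to a hidden copy of itself.
CLEAN_INF = "[autorun]\nicon=setup.exe,0\nlabel=Product CD\n"
SUSPECT_INF = (
    "[AutoRun]\n"
    "open=RECYCLER\\hidden.exe\n"
    "shell\\open\\command=RECYCLER\\hidden.exe\n"
    "shellexecute=RECYCLER\\hidden.exe\n"
    "UseAutoPlay=0\n"
)

AUTO_KEYS = ("open", "shellexecute")  # started by AutoRun/AutoPlay, no program chosen by the user

def launch_targets(inf_text):
    """Return (key, target) for every program an autorun.inf asks Windows to run:
    'open'/'shellexecute' fire on AutoRun, while 'shell\\<verb>\\command' entries
    fire when the drive is opened through that Explorer context-menu verb."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(inf_text)  # configparser lower-cases the keys for us
    found = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp[section].items():
            if value and (key in AUTO_KEYS or
                          (key.startswith("shell\\") and key.endswith("\\command"))):
                found.append((key, value.strip()))
    return found

def auto_executes(inf_text):
    """True if merely inserting or mapping the drive would start a program, which is
    the path the reply above recommends closing by disabling the AutoRun feature."""
    return any(key in AUTO_KEYS for key, _ in launch_targets(inf_text))

if __name__ == "__main__":
    for name, inf in (("clean", CLEAN_INF), ("suspect", SUSPECT_INF)):
        print(name, "auto-executes:", auto_executes(inf), "targets:", launch_targets(inf))
```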

  • 5.  RE: W32.Sality.AE

    Posted Aug 31, 2009 10:15 AM
    I thought NSS was a scan/report tool only? Can it remove threats as well?



  • 6.  RE: W32.Sality.AE

    Posted Aug 31, 2009 10:21 AM
    NSS is a small AV that will scan your PC with the latest definitions without installing itself on the PC, and will remove threats as well.


  • 7.  RE: W32.Sality.AE

    Posted Aug 31, 2009 01:22 PM
    Wow! Sounds good. I'll let you know how it goes!

    -chrisv


  • 8.  RE: W32.Sality.AE

    Posted Sep 06, 2009 10:54 AM
    There was too much damage to the operating system. Thanks for the suggestions though.
    I've got a new O/S on another hard drive, sharing the data from the infected (and cleaned)
    RAID drive ~ which also includes the old O/S, which will remain since the original install
    didn't partition it off.

    New problem. I've got a new O/S and am trying to load SEP, but it fails to install services. I can't
    make heads or tails of the install log, and it's too big to attach here.

    any ideas?

    -chrisv



  • 9.  RE: W32.Sality.AE

    Posted Sep 06, 2009 11:53 AM
    Please search for "Return value 3" in the SEP_Inst.log and paste 5-6 lines above and below that.


  • 10.  RE: W32.Sality.AE

    Posted Sep 10, 2009 08:31 AM
    There is more than one "Value 3":

    Action 0:20:27: InstallLiveUpdate.FF07F38E_78C2_412E_B858_64488E808644.
    MSI (s) (C4:98) [00:20:27:753]: Executing op: CustomActionSchedule(Action=InstallLiveUpdate.FF07F38E_78C2_412E_B858_64488E808644,ActionType=3073,Source=BinaryData,Target=InstallLiveUpdate,CustomActionData=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HPRVKZTW\LiveUpdate\lucheck.exe)
    MSI (s) (C4:70) [00:20:27:769]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI6D.tmp, Entrypoint: InstallLiveUpdate
    LUCA: InstallLiveUpdate enter.
    LUCA: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HPRVKZTW\LiveUpdate\lucheck.exe
    LUCA: InstallLiveUpdate : CreateProcessAndWait( LUCHECK.EXE ) returned 206
    Action ended 0:21:14: InstallFinalize. Return value 3.
    MSI (s) (C4:98) [00:21:14:300]: User policy value 'DisableRollback' is 0
    MSI (s) (C4:98) [00:21:14:300]: Machine policy value 'DisableRollback' is 0
    MSI (s) (C4:98) [00:21:14:347]: Executing op: Header(Signature=1397708873,Version=301,Timestamp=992477803,LangId=1033,Platform=0,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
    MSI (s) (C4:98) [00:21:14:347]: Executing op: DialogInfo(Type=0,Argument=1033)
    MSI (s) (C4:98) [00:21:14:347]: Executing op: DialogInfo(Type=1,Argument=Symantec Endpoint Protection)
    MSI (s) (C4:98) [00:21:14:347]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
    Action 0:21:14: Rollback. Rolling back action:
    Rollback: InstallLiveUpdate.FF07F38E_78C2_412E_B858_64488E808644

    ------------------------

    InstSymProtect::cleanupFolder() -> DeleteFolderIfNoFileExists FAILED
    cleanupFolder:  exiting
    MSI (s) (C4:98) [00:21:31:925]: Executing op: End(Checksum=0,ProgressTotalHDWord=0,ProgressTotalLDWord=0)
    MSI (s) (C4:98) [00:21:31:925]: Error in rollback skipped.    Return: 5
    MSI (s) (C4:98) [00:21:31:941]: No System Restore sequence number for this installation.
    MSI (s) (C4:98) [00:21:31:941]: Unlocking Server
    MSI (s) (C4:98) [00:21:31:941]: PROPERTY CHANGE: Deleting UpdateStarted property. Its current value is '1'.
    Action ended 0:21:31: INSTALL. Return value 3.
    Property(S): DiskPrompt = [1]
    Property(S): UpgradeCode = {24BF7A02-B60A-494B-843A-793BBC77DED4}
    Property(S): CostingComplete = 1
    Property(S): VersionNT = 502
    Property(S): TARGETDIR = Z:\
    Property(S): ALLUSERSPROFILE = C:\Documents and Settings\All Users\

    ---------------------------

    Property(S): ProductToBeRegistered = 1
    Property(S): MsiFilterRebootMode_RebootAtEndModeBefore = 1
    MSI (s) (C4:98) [00:21:32:660]: MainEngineThread is returning 1603
    MSI (s) (C4:CC) [00:21:32:675]: Destroying RemoteAPI object.
    MSI (s) (C4:30) [00:21:32:675]: Custom Action Manager thread ending.
    MSI (c) (F4:28) [00:21:32:691]: Back from server. Return value: 1603
    MSI (c) (F4:28) [00:21:32:691]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (c) (F4:28) [00:21:32:691]: PROPERTY CHANGE: Deleting SECONDSEQUENCE property. Its current value is '1'.
    Action ended 0:21:32: ExecuteAction. Return value 3.
    MSI (c) (F4:28) [00:21:32:691]: Doing action: SetupCompleteError
    Action 0:21:32: SetupCompleteError.
    Action start 0:21:32: SetupCompleteError.
    Action 0:21:32: SetupCompleteError. Dialog created
    Action ended 0:22:33: SetupCompleteError. Return value 2.
    Action ended 0:22:33: INSTALL. Return value 3.
    MSI (c) (F4:28) [00:22:33:816]: Destroying RemoteAPI object.
    MSI (c) (F4:1C) [00:22:33:816]: Custom Action Manager thread ending.


    Thanks! chrisv

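To apply the "search for Return value 3" advice from reply 9 to a log like the one above, here is an added Python helper (not from the thread or from Symantec) that finds each failed MSI action, records the custom action and child-process exit code that preceded it, and keeps the surrounding context lines so the first failure can be told apart from the ones that merely propagate it. The embedded excerpt is constructed from the lines quoted in the post and is not the full log.

```python
import re

# Constructed excerpt modelled on the SEP_Inst.log lines quoted in the thread
# (abridged to the relevant lines; not the poster's full log).
SAMPLE_LOG = r"""
Action 0:20:27: InstallLiveUpdate.FF07F38E_78C2_412E_B858_64488E808644.
MSI (s) (C4:98) [00:20:27:753]: Executing op: CustomActionSchedule(Action=InstallLiveUpdate.FF07F38E_78C2_412E_B858_64488E808644,ActionType=3073,Source=BinaryData,Target=InstallLiveUpdate,CustomActionData=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HPRVKZTW\LiveUpdate\lucheck.exe)
LUCA: InstallLiveUpdate enter.
LUCA: InstallLiveUpdate : CreateProcessAndWait( LUCHECK.EXE ) returned 206
Action ended 0:21:14: InstallFinalize. Return value 3.
Action 0:21:14: Rollback. Rolling back action:
Rollback: InstallLiveUpdate.FF07F38E_78C2_412E_B858_64488E808644
MSI (s) (C4:98) [00:21:32:660]: MainEngineThread is returning 1603
Action ended 0:21:32: ExecuteAction. Return value 3.
Action ended 0:22:33: INSTALL. Return value 3.
""".strip("\n")

FAILED = re.compile(r"^Action ended [\d:]+: (\w+)\. Return value 3\.?$")  # a failed MSI action
STARTED = re.compile(r"^Action [\d:]+: ([\w.]+)\.$")  # action start; custom actions carry a GUID suffix
CHILD_EXIT = re.compile(r"CreateProcessAndWait\(\s*(\S+)\s*\) returned (\d+)")  # LUCA child exit code

def find_failures(log_text, context=5):
    """One record per 'Return value 3' line: the failed MSI action, the last action
    started before it, the last child-process exit code seen, and the surrounding
    lines (the 5-6 lines above and below that the reply asks for)."""
    lines = log_text.splitlines()
    failures, last_started, last_exit = [], None, None
    for i, line in enumerate(lines):
        if m := STARTED.match(line):
            last_started = m.group(1)
        if m := CHILD_EXIT.search(line):
            last_exit = (m.group(1), int(m.group(2)))
        if m := FAILED.match(line):
            failures.append({"line": i + 1, "msi_action": m.group(1),
                             "last_started": last_started, "child_exit": last_exit,
                             "context": lines[max(0, i - context):i + context + 1]})
    return failures

def root_cause(log_text):
    """The first failure is the one to chase; the later ExecuteAction/INSTALL
    'Return value 3' lines only propagate it up to the 1603 exit code."""
    failures = find_failures(log_text)
    return failures[0] if failures else None

if __name__ == "__main__":
    rc = root_cause(SAMPLE_LOG)
    print(f"line {rc['line']}: {rc['msi_action']} failed after {rc['last_started']}, "
          f"child exit {rc['child_exit']}")
    print("\n".join(rc["context"]))
```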

  • 11.  RE: W32.Sality.AE

    Posted Sep 10, 2009 09:49 AM
    The logs:

    LUCA: InstallLiveUpdate enter.
    LUCA: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HPRVKZTW\LiveUpdate\lucheck.exe
    LUCA: InstallLiveUpdate : CreateProcessAndWait( LUCHECK.EXE ) returned 206
    Action ended 0:21:14: InstallFinalize. Return value 3

    Title: 'Installation of Symantec Endpoint Protection Client rolls back with error LUCHECK.EXE returned 206'
    Document ID: 2009072709544048
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009072709544048?Open&seg=ent