W32.Sality.AE virus

forumit (MIS) (OP) 9 Feb 10 08:51

Using Symantec EP but this virus is causing lots of problems and keeps on returning. Anyone have similar problems and have a permanent fix?

RE: W32.Sality.AE virus
kjv1611 (IS/IT - Management) 9 Feb 10 09:20

Here's one detailed solution:
http://www.darfuns.com/virus-removal/steps-to-remove-sality-ae/

--
"If to err is human, then I must be some kind of human!" -Me

RE: W32.Sality.AE virus
forumit (MIS) (OP) 12 Feb 10 07:01

This virus is also dropping files on our Windows 2003 servers and is causing mayor problems. It causes SEP AV to crash etc. Anyone have an idea how to get rid of this virus on Windows 2003 servers? Symantec only seems to detect this virus on an on-demand scan and not with the on-access scanner. Users can't map drives to servers, as map network drives opens with notepad or minesweeper.

RE: W32.Sality.AE virus
BadBigBen (MIS) 13 Feb 10 07:30

The problem with Sality is that it changes EXE (and other extensions) files and Registry entries...

see http://www.avira.de/en/threats/section/fulldetails/id_vir/4479/w32_sality.y.html

Basically, what this points toward is that you need to isolate each infected machine from the network and do the cleaning then... in the case of the Server, this should happen over the weekend or at night when the machine is not in use, or restore to an image that was not infected...

8 Step to Remove W32/Sality.AE
http://www.istanto.net/8-step-to-remove-w32salityae.html

PS: Norman Malware Cleaner can be found under the following link:
http://www.norman.com/support/support_tools/58732/en-us

suggestion: use MBAM as well as NWC (above) and rename both EXE files (as Sality infects those) as suggested in the article...

Good Luck!

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"

RE: W32.Sality.AE virus
forumit (MIS) (OP) 14 Feb 10 12:10

I have Symantec Endpoint Protection 11 MR4 but it's not killing the virus. In most cases SEP reports access denied - clean failed. As soon as I add a new computer to the network it gets infected. MS malicious software removal tool and MBAM don't detect this virus. Also found that lots of the computers can't boot into safe mode, which probably means it's already infected by this virus. This virus is much worse than what Symantec is reporting. This virus causes SEP to malfunction.

RE: W32.Sality.AE virus
kjv1611 (IS/IT - Management) 15 Feb 10 06:53

Quote (forumit):
This virus is also dropping files on our Windows 2003 servers and is causing mayor problems. It causes SEP AV to crash etc.

So, it's a political problem then? In that case, is the SEP like the DNC or GOP?

Okay, enough corniness, I suppose, for a Monday morning.

I'd have to agree with BadBigBen on this one. You may very well be to the point to where you have to seriously look at restoring your systems with images made prior to the infection.

--
"If to err is human, then I must be some kind of human!" -Me

RE: W32.Sality.AE virus
goombawaho (MIS) 15 Feb 10 08:12

Isolation is definitely the first thing. Then run a bootable malware cleaner program on each machine.
http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html

Or put the drive as a slave and run Malwarebytes' Anti-Malware against it.

If you don't want to slave it, use the bootable CD or run Combofix from Safe Mode. Read all warnings on the Bleeping Computer page related to running Combofix.

RE: W32.Sality.AE virus
forumit (MIS) (OP) 15 Feb 10 16:25

I'm trying the following at the moment:
http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889

Scanned all PCs again in safe mode and found no viruses, but found a few on a Windows 2003 file server with the Kaspersky Sality removal tool.

I will report back with final outcome...

RE: W32.Sality.AE virus
forumit (MIS) (OP) 15 Feb 10 18:02

Feedback: After scanning the Windows 2003 Server in Safe Mode I rebooted the server and logged in to the domain ---- W32.Sality.AE back again. This time as tmp files.

I'm now really running out of ideas with this virus.

RE: W32.Sality.AE virus
goombawaho (MIS) 16 Feb 10 12:18

Malwarebytes' Anti-Malware - scan on each machine with all machines disconnected from the network - including the server.

Don't (Do NOT) scan in safe mode unless you have no choice. If you can only run it in safe mode, do that scan and then another in regular mode.

The other thoughts that come to mind are:
Clean out temp files before the MBAM scan (CCLEANER)
Turn system restore off before the MBAM scan and then back on after the reboot at the end of the scan to flush it out of system restore.

RE: W32.Sality.AE virus
goombawaho (MIS) 16 Feb 10 12:20

You could also create a bootable Bart PE CD with the McAfee plugin to scan. That would be a great "first thing to do" even before you run the MBAM scan.

RE: W32.Sality.AE virus
forumit (MIS) (OP) 17 Feb 10 02:58

I have never seen MBAM detecting this virus. Kaspersky salitykiller definitely detects and cleans this virus.

What worries me is why SEP isn't detecting these viruses during a full scan in safe mode or normal mode.

Symantec should really bring out a standalone removal tool for this virus.

There will be no virus activity for days until someone executes an exe file on the server. Both client and server get infected again. Once the virus "activates" itself it starts infecting almost all exe files. I have already lost half of all my software installation exe's located on the server.

I have been scanning offline computers & servers for days now without cleaning out this virus.