Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!
  • Students Click Here

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

W32.Sality.AE virus

W32.Sality.AE virus

W32.Sality.AE virus

Using Symantec EP but this virus is causing lots of problems and keeps on returning.
Anyone have similar problems and have a permanent fix?

RE: W32.Sality.AE virus

This virus is also dropping files on our Windows 2003 servers and is causing mayor problems. It causes SEP AV to crash etc. Anyone have idea how to get ris of this virus on Windows 2003 Servers. Symantec only seems to detect this virus on a on-demand scan and not on-access scanner.
Users cant map drives to servers as map network drives opens with notepad or minesweeper.

RE: W32.Sality.AE virus

The problem with Sality is that it changes EXE (and other extensions) files and Registry entries...

see http://www.avira.de/en/threats/section/fulldetails/id_vir/4479/w32_sality.y.html

Basically, what this points toward is, that you need to isolate each infected machine from the network and do the cleaning then... in the case of the Server, this should happen over the weekend or at night when the machine is not in use, or restore to an image that was not infected...

8 Step to Remove W32/Sality.AE

PS: Norman Malware Cleaner can be found under the following link:


suggestion: use MBAM as well as NWC (above) and rename both EXE files (as Sality infects those) as suggested in the article...

Good Luck!

"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"

RE: W32.Sality.AE virus

I have Symantec Endpoint Protection 11 MR4 but it's not killing the virus. In most cases SEP reports access denied - clean failed. As soon as i add a new computer to the network it gets infected. MS malicious software removal tool and MBAM dont detect this virus. Also found that lots of the computers cant boot into safe mode which probably means it's already infected by this virus. This virus is much worse than what Symantec is reporting. This virus causes SEP to malfunction.

RE: W32.Sality.AE virus

Quote (forumit):

This virus is also dropping files on our Windows 2003 servers and is causing mayor problems. It causes SEP AV to crash etc.

So, it's a political problem then? wink

In that case, is the SEP like the DNC or GOP?

Okay, enough corniness, I suppose, for a Monday morning.

I'd have to agree with BadBigBen on this one.  You may very well be to the point to where you have to seriously look at restoring your systems with an images made prior to the infection.


"If to err is human, then I must be some kind of human!" -Me

RE: W32.Sality.AE virus

Isolation is defintely the first thing.  Then run a bootable malware cleaner program on each machine.


Or put the drive as a slave and run MalwareByte's Anti-Malware against it.

If you don't want to slave it, use the bootable CD or run Combofix from Safe Mode.  Read all warnings on the Bleeping Computer page related to running combofix.

RE: W32.Sality.AE virus

Feedback: After scanning Windows 2003 Server in Safe Mode i rebooted server and login to domain----W32.Sality.AE back again. This time as tmp files.
I'm no realy running out of ideas with this virus.

RE: W32.Sality.AE virus

MalwareByte's Anti-Malware - scan on each machine with all machines disconnected from the network - including the server.

Don't (Do NOT) scan in safe mode unless you have no choice.  If you can only run it in safe mode, do that scan and then another in regular mode.

The other thoughts that come to mind is:
Clean out temp files before MBAM scan (CCLEANER)
Turn system restore off before MBAM scan and then back on after the reboot at the end of the scan to flush it out of system restore.

RE: W32.Sality.AE virus

You could also create a bootable Bart PE CD with the Mcafee plugin to scan.  That would be a great "first thing to do" even before you run the MBAM scan.

RE: W32.Sality.AE virus

I have never seen MBAM detecting this virus. Kaspersky salitykiller definitely detects and clean this virus.What worries why isn't SEP not detecting this virusses during full scan in safe mode or normal mode?
Symantec should realy bring out a standalone removal tool for this virus.There will be no virus activity for days until someone executes an exe file on the server. Both client and server gets infected again. Once the virus "activates" itself i starts infecting almost all exe files. I have already lost half all my sofware installation exe's located on the server.I have been scanning offline computers & servers for days now without cleaning out this virus.

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close