Since you're using Sophos this might help: Sophos: Disinfecting PE executables
We are having major problems on our SIMS server with the w32/sality-am virus. We have Sophos installed and it is cleaning up detected items, but then some of the exe files will not run and become infected again. Does anybody know a way of permanently removing this virus?
Thanks James, I have done that and followed the instructions, but it still keeps re-appearing.
I recently attended a site with this exact virus on their SIMS server.
My advice to you would be to isolate the server (first action always upon infection) and in parallel ensure the virus is not elsewhere on the site whilst taking a very light backup of only the most crucial files. The SIMS ldf/mdf and docstorage should be sufficient, I'd think, but check with your support provider if you have one.
Format + reinstall the server, SIMS, etc., and restore your light backup.
It's the only safe and sure way to know you've eradicated the virus as, like you said, it's annoying when it breaks EXEs, especially when it does it to everything in the setups dir!
I was afraid someone would say that. We have 4 other essential software programs on this server, so to do a re-install would be a nightmare.
Have you tried a different AV product? There are some online scanners, along with some other solutions that can run off Windows PE/UBCD4Win, that may be able to disinfect your machine while it is offline.
I haven't tried that. Is there any you would suggest to use?
The server is compromised. You can no longer trust it to work as expected. A format, reinstall and recovery from a known good backup is your only choice.
Dr.Web LiveCD is a software product that features a standard, Dr.Web scanner
Try this one as well:
UBCD for Windows with ClamWin and Trend Micro SysClean from the additional downloads.
That and following the removal instructions from here:
W32.Sality.AE Removal - Removing Help | Symantec
Edit: As Geoff says above, it is a server and the only way to be completely sure it is trusted is a reinstall, unless it is an old, easily identifiable and removable virus that has been fully explored and understood.
Last edited by SYNACK; 20th January 2009 at 01:19 PM.
If you have a known good backup then as people have said that's the best course.
You should be able to take off the SIMS database, and any others you may have on there, and reattach them once the backup is restored to prevent data loss.
Since the virus (supposedly) infects .scr and .exe files the data itself should be safe, but I'd recommend doing a scan on each of the data files before reattaching them.