Endpoint Protection


Adware.Hotbar

  • 1.  Adware.Hotbar

    Posted May 01, 2009 04:25 AM
    Hi Friends,
    I am facing a new problem. After running a full scan on the systems, SEP is saying that a new virus was found (Adware.Hotbar) and that a reboot is needed to delete it, but it is not being deleted. I tried a full scan in safe mode also, but the result is the same. The Symantec security_response site says that a full scan and deleting some registry entries is needed. In our network, hundreds of systems are affected by this virus.

    Can anyone help me with how to remove this virus from the server?


  • 2.  RE: Adware.Hotbar

    Posted May 01, 2009 04:34 AM

    That probably is because it looks to have been discovered today and the definitions are pending right now. Hopefully you should have them in some time, though you should also submit the sample to ensure it.

    http://www.symantec.com/security_response/writeup.jsp?docid=2003-080410-3847-99&tabid=1



     



  • 3.  RE: Adware.Hotbar

    Posted May 01, 2009 07:59 AM
    I submitted the samples and am waiting for the updates from Symantec.


  • 4.  RE: Adware.Hotbar

    Posted May 01, 2009 08:18 AM
    H


  • 5.  RE: Adware.Hotbar

    Posted May 01, 2009 08:19 AM
    What is the tracking number for the files submitted?


  • 6.  RE: Adware.Hotbar

    Posted May 01, 2009 08:58 AM
    Not yet received; our mail server is having a problem. I will update once I have received it.


  • 7.  RE: Adware.Hotbar

    Posted May 01, 2009 09:15 AM
    New? "Adware hotbar" is from the late 90's and early part of this century. I was dealing with a bug of that exact same name nearly a decade ago - it (hotbar) came via a tag at the bottom of emails encouraging users to "click here" to add fun and functionality to their email, and it installed adware.
    Unless this is a variant, it's not new...
    I bet you can google it and find the responsible company.


  • 8.  RE: Adware.Hotbar

    Posted May 01, 2009 09:33 AM

    Hi Shadow,

    What you said is correct. I even found the removal tool on other antivirus sites, but I am waiting for the Symantec response because it has affected over hundreds of systems in our network. I cannot go to each system and run the tool.



  • 9.  RE: Adware.Hotbar

    Posted May 01, 2009 09:39 AM
    Possible false positive or a new variant. Hard to believe you have that many infections, since it was not really a virus but adware, not able to self-replicate, unless that, too, has changed!
    Keep us posted!  Thanks.


  • 10.  RE: Adware.Hotbar

    Posted May 01, 2009 09:40 AM
    Yeah, I noticed that as well. I wonder why Symantec shows it as pending.

    Barkha,  Any clue?


  • 11.  RE: Adware.Hotbar
    Best Answer

    Posted May 01, 2009 10:20 AM


    I checked the latest files submitted by Satish Venturi. The result is as follows:

    "country.exe has been detected with Current rr sequence 88203"

    "hbinst.exe has been detected with current rr sequence 94884"

    Hence we would strongly recommend that you download and install the latest rr.

    You can download the .jdb (rapid release) on the SEPM, and make sure that all the clients get the updated definitions.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007100820002048

    Also, make sure that all the clients in the network have the latest virus definitions. If any client is not protected, quarantine it for the time being.

    ...Barkha






  • 12.  RE: Adware.Hotbar

    Posted May 01, 2009 10:22 AM
    When SEP/SAV detects an infection but does not remove it, that almost always means either a new variant or something completely new that has some of the characteristics of something that is known.
    Best thing to do is to submit whatever you can find to Security Response.
    Also contact your Tech Sup. person and send all characteristics you find to him/her, like log files, scan logs, you name it, send it. Sometimes, it is better to send a bit too much information than not enough. It might also help to use third party removal tools, especially when they create log files and/or separate quarantined files.
    Symantec has ways to read some of those 3rd party quarantined files as well.
    When Security Response gets samples, they can write the detection. That in turn means that you will not have to sneakernet dozens if not hundreds of infected machines. 8-)


  • 13.  RE: Adware.Hotbar

    Posted May 01, 2009 10:30 AM

    Whoa - a new variant.
    hbinst, if I recall, was the name of the older brother years ago.

    Definitely not a false positive.

    Any idea how it got in? Email? Web?



  • 14.  RE: Adware.Hotbar

    Posted Feb 17, 2010 12:41 PM
    Is there a fix for this hbinst.exe virus?