
Auto Protect Scan reports adware but I think there is none

Created: 26 Apr 2013 • Updated: 08 May 2013 | 23 comments
This issue has been solved. See solution.

Hi,

For the past 2 days I've received a notification from SEP stating that I have adware on my machine. Today it's DealPly but yesterday it was Popuppers.
I've searched for the files / registry settings mentioned in both security responses. To no avail.

The malicious files only show up in my Chrome cache files... I tried deleting the cache files but the message reappears almost immediately.

I've run a full scan but that gave no results.
I'm currently running a SUPERAntiSpyware scan but I doubt it will give any results.
I ran the Power Eraser tool, but that didn't find any problems.

 

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Adware.DealPly
File: C:\Users\DDC\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000016
Location: C:\Users\DDC\AppData\Local\Google\Chrome\User Data\Default\Cache
Computer: TIEPC00010
User: DDC
Action taken: Pending Side Effects Analysis : Access denied
Date found: vrijdag 26 april 2013  9:11:22
 
I have one other user who reported the same problem.
Risk name: Adware.Popuppers
File path: C:\Users\NVDW\AppData\Local\MICROSOFT\Windows\TEMPORARY INTERNET FILES\Content.IE5\TJVQKOVG\ie_content[1].js
Event time: 25-apr-2013 17:29:46
Database insert time: 25-apr-2013 17:43:56
Source: Real Time Scan
Description: ""
User: NVDW
Any suggestions on how to fix this?
 
I'm on Windows 7 Enterprise x64, fully up to date; my client is running a 32-bit version.
Both have updated SEPs.
 
Thank you,
Domien

W007's picture

Hello,

Symantec is aware of this virus and has already released virus definitions.

Look at these articles:

http://www.symantec.com/security_response/writeup....

http://www.symantec.com/security_response/writeup....

 

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Grandeco's picture

Hi,

I read those security reports before posting this thread.

For both the Popuppers and the DealPly viruses there should be some files located in the Program Files folder, and there should be some settings in the registry... but I can't find any of them...

I've updated to the latest security definitions and am running a full scan now.

The Symantec Power Eraser found no files to remove.

After the scans have completed I will open a security ticket I think.

 

Kind regards,
Domien

SameerU's picture

Hi

Please scan the system in safemode

Regards

 

Grandeco's picture

Full scan reported no problems.

I will run the scan in safe mode this weekend... needed my laptop too much today!!

I'll keep you updated.

 

Have a nice weekend !
Domien

oalsafadi's picture

SEP client ver. 12.1.2015.2015 DOES NOT work in Safe Mode.

Scan for Risks in Power Eraser (Support Tool) DID NOT clean the risk.

Can you please help me.

 

Thanks

W007's picture

hello,

How to scan in safe mode when Symantec Endpoint Protection 12.1 is installed.

 

Article:TECH176971 | Created: 2011-12-15 | Updated: 2012-07-28 | Article URL http://www.symantec.com/docs/TECH176971


SameerU's picture

Hi

Please schedule a full scan on the infected system

Regards

 

Grandeco's picture

Hi,

Just booted into safe mode and ran an active scan, quick scan and full scan.
No results were found (not that I saw).

When booting back into normal mode I immediately get the same error messages again.

Where can I open a support ticket?

 

Thank you,
Domien

.Brian's picture

Tech Support Numbers

Regional Support Telephone Numbers:
United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000
India: Toll-Free 000 800 4401 456 directly
IDD call: +61 2 8220 7111
 

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Grandeco's picture

I live in Belgium so none of those are a viable option.

I found the following page and will create a ticket tomorrow.

http://www.symantec.com/support/contact_techsupp_static.jsp

 

I'll keep you updated.

Domien

Grandeco's picture

I have created a support request and I'm awaiting response from Symantec.
It should be within one or 2 days.

Domien

Tomba40's picture

Hello, did you receive any help from Symantec?

I have this same Dealply and popuppers malware in couple of workstations too.

 

Berino's picture

If you are still getting notifications but you are not able to spot any suspicious files or registry entries in the load points, then run the Symantec Endpoint Protection Support Tool / SymHelp after checking the load points.

This will give you a list of files that you might want to submit to Symantec for a lookup.

Grandeco's picture

Hi,

I ran the SEP support tool and performed the load point scan, and the other scans.
It only came back with 1 file that might be suspicious, but that was a script I'm working on.
The Power Eraser found 2 files but those are internal software, so no harm there.

I just got off the phone with Symantec Support and they told me to uninstall Google Chrome, downgrade Internet Explorer, reboot and reinstall both.

I will do so now and report back when it's done (today or early tomorrow morning)

 

Domien

Grandeco's picture

Goodmorning,

I did as the technician instructed and uninstalled both Chrome and Internet Explorer. Ran a full scan and reinstalled both. The problem reappeared almost instantly.

I then proceeded to uninstall all extensions from Chrome and tested.... no problems.
One by one I reinstalled my extensions... no problems.

So my conclusion is that somehow the extensions get corrupted. Uninstalling Chrome does not fix this completely. So uninstall the extensions and try.

I will try this solution on my user's device and report back.

Domien

SOLUTION
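A practical follow-up to Domien's finding that the Chrome extensions were the source: the script below is an added example (not code from this thread or from Symantec) that walks a Chrome User Data directory, lists every unpacked extension with the name from its manifest (resolving Chrome's __MSG_key__ localized names), and flags names on a watchlist. The watchlist, the function names and the constructed sample profile built by build_sample_profile are assumptions for the example; on a real machine point inventory_extensions at the User Data path shown in the log above (C:\Users\DDC\AppData\Local\Google\Chrome\User Data).

```python
import json
import os
import tempfile

# Names this thread linked to the detections; the watchlist is an assumption for this example.
WATCHLIST = ("dealply", "popuppers")

def _resolve_name(ext_dir, manifest):
    """Chrome stores localized names as __MSG_key__; look the key up in the locale file."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        path = os.path.join(ext_dir, "_locales",
                            manifest.get("default_locale", "en"), "messages.json")
        try:
            with open(path, encoding="utf-8") as fh:
                name = json.load(fh).get(name[6:-2], {}).get("message", name)
        except (OSError, ValueError):
            pass  # keep the raw placeholder if the locale file is missing or broken
    return name

def inventory_extensions(user_data_dir, profile="Default"):
    """Return [(ext_id, version, name, flagged)] for <User Data>/<profile>/Extensions."""
    base = os.path.join(user_data_dir, profile, "Extensions")
    result = []
    for ext_id in (sorted(os.listdir(base)) if os.path.isdir(base) else []):
        id_dir = os.path.join(base, ext_id)
        for version in (sorted(os.listdir(id_dir)) if os.path.isdir(id_dir) else []):
            ext_dir = os.path.join(id_dir, version)
            if not os.path.isfile(os.path.join(ext_dir, "manifest.json")):
                continue  # stray directory without a manifest: nothing to inventory
            with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
                name = _resolve_name(ext_dir, json.load(fh))
            result.append((ext_id, version, name,
                           any(w in name.lower() for w in WATCHLIST)))
    return result

def build_sample_profile(root=None):
    """Constructed sample layout (not a real profile) so the example runs offline."""
    root = root or tempfile.mkdtemp()
    def write(rel, data):
        path = os.path.join(root, "Default", "Extensions", *rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(data, fh)
    write(("aaaa", "1.0_0", "manifest.json"), {"name": "Notes", "version": "1.0"})
    write(("bbbb", "2.3_0", "manifest.json"),
          {"name": "__MSG_appName__", "default_locale": "en", "version": "2.3"})
    write(("bbbb", "2.3_0", "_locales", "en", "messages.json"),
          {"appName": {"message": "DealPly Shopping"}})
    return root
```

Extension IDs are the 32-letter directory names under Extensions; a flagged entry identifies which one to remove from chrome://extensions and which cached files SEP was repeatedly quarantining.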
Berino's picture

That's a good point there Domien :) do keep us posted on any updates :)

Max59's picture

Hi,

We have the same problem here, so I am really interested in the result of your solution.

Maxime

Grandeco's picture

Hi,

On my device, with Google Chrome, the problem has not reappeared after removing all extensions (plugins).

On my user's device I was hoping to do it today, but she is out of the office until next week Tuesday / Wednesday. Sorry.

Regards,
Domien

 

Berino's picture

Symantec has released definitions for this attack but the SEP client is unable to access this cache file to clean it... why don't you try a more efficient scan like the SERT?

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

 

Article:TECH131732 | Created: 2010-01-15 | Updated: 2012-06-25 | Article URL http://www.symantec.com/docs/TECH131732

 

It is necessary against specific threats which have the ability to completely hide from Windows, or that have techniques that manipulate Windows into protecting the malicious process against Symantec Endpoint Protection's scanning and remediation components.

I would suggest you try this scan and see what the result is. All the best!!

Berino's picture

If you would want to boot the SERT from the USB then follow this article,

How to make the Symantec Endpoint Recovery Tool boot from a USB memory stick

 

Article:TECH131578  |  Created: 2010-01-08  |  Updated: 2012-06-25  |  Article URL http://www.symantec.com/docs/TECH131578

 

Berino's picture

Do keep us posted on what happens on your user's device when you get to work on it!! :)

Grandeco's picture

Hi,

Update: I was able to have a look at my user's machine.

From the logs I learned that the DealPly software was installed late December 2012.
But Symantec moved the .crx file to the quarantine on the 26th of April this year, around the same time the problems started happening.

The system then quarantined a file from within the "Temporary Internet Files" almost every few minutes.

This all stopped on the 6th of May after the system was able to successfully remove a file after a reboot. Most likely new definitions allowed Symantec to remove it completely.

I browsed the interwebs for (safe) sites I know to have ads and would cause the dealply message to appear. But had no issues.

 

Nonetheless I did some extra cleanups.

On her device the software "DealPly" was still installed. So I removed it from Programs and Features. I also removed remaining files from the "Program Files" folder. Afterwards the plugin was removed from the Internet Explorer plugins, so I saw no reason to reinstall IE.

I ran CCleaner to clean out the registry, and allowed SuperAntiSpyware to run, but it found only tracking cookies. The SEP ran a full scan and returned no issues.

 

So my conclusion is: Symantec most likely has better definitions now, allowing the SEP to clean the system.
If that does not work, try looking for any installation files from DealPly.
As a last resort, uninstall the internet browser or uninstall the extensions (plugins).

 

Hope this helps,
Domien

 

Attachments: dealply1.png, dealply2.png, dealply3.png, dealply4.png, dealply5.png, dealply6.png