Endpoint Protection

  • 1.  Generic Host (Svchost.exe)

    Posted Apr 23, 2010 01:43 AM
    Hi All

    I have tried all the recommended steps to get rid of this particular virus, but it seems like the virus is still coming back. Refer below to the steps I took:


    1. All USB ports disabled
    2. Disable auto-run from gpedit
    3. Disable system restore
    4. Run a full system Scan

    I even tried using AVAST boot scans and still couldn't remove the virus. If anyone has any fixes, that would be great. You can email me direct on my email addy if you have any suggestions: hapawa@steamships.com.pg

    ta, Hale


  • 2.  RE: Generic Host (Svchost.exe)

    Posted Apr 23, 2010 09:12 AM
    Hi Hale,

    Can you provide more details? What Symantec product are you using, and what is this threat being identified as? Is it not being detected at all? Or is it one that keeps coming back? What action do the logs show is being taken against the threat?

    Here is an article that may help: Best practices for responding to active threats on a network (http://service1.symantec.com/support/ent-security.nsf/docid/2010011510455048)

    Thanks and best regards,

    Mick



  • 3.  RE: Generic Host (Svchost.exe)
    Best Answer

    Posted Apr 23, 2010 10:05 AM
    Boot from the SERT CD and run that:

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/750ab70cd21259ae88257706004bafc9?OpenDocument

    You can also try running Malwarebytes in Safe Mode if the above doesn't work.


  • 4.  RE: Generic Host (Svchost.exe)

    Posted May 12, 2010 05:29 AM
    Hi Mick

    I'm using NAV 10.1. Refer to this AVAST log file I took earlier with a boot scan by AVAST. Every time the SVCHost (Generic Host) error message appears, this virus is present, and yes, it is removed by AVAST but it keeps coming back. Also, I've been advised that this threat denies access to shared drives; correct me if I'm wrong.

    File C:\WINDOWS\system32\run.vbs is infected by BV:Agent-AO [Trj], Deleted


    ta, Hale


  • 5.  RE: Generic Host (Svchost.exe)

    Posted May 12, 2010 05:46 AM
    svchost.exe is a genuine Windows file. Unfortunately, many viruses will use the same file name for creating their own process. Can you tell us from which path this file is running? What is the exact error you are getting?
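
The path check asked about above, as an added example that is not part of the original thread: it reviews a process listing and flags any svchost.exe whose image does not load from the Windows System32 (or SysWOW64) directory. The CSV columns, the sample rows and the function names are assumptions constructed for illustration.

```python
import csv
import io
import ntpath

# Directories a genuine svchost.exe image loads from, relative to the Windows
# directory. SysWOW64 only exists on 64-bit Windows.
TRUSTED_SUBDIRS = ("system32", "syswow64")

# Constructed sample data (not from the thread): process name and image path.
SAMPLE_CSV = r"""Name,ExecutablePath
svchost.exe,C:\WINDOWS\system32\svchost.exe
SVCHOST.EXE,C:\WINDOWS\System32\svchost.exe
svchost.exe,C:\WINDOWS\svchost.exe
svchost.exe,C:\WINDOWS\system32\..\Temp\svchost.exe
svchost.exe,
explorer.exe,C:\WINDOWS\explorer.exe
"""


def classify(name, path, windows_dir=r"C:\WINDOWS"):
    """Return 'ok', 'suspicious', 'unverified', or None for other processes."""
    if name.strip().lower() != "svchost.exe":
        return None
    if not path or not path.strip():
        # No image path was readable; that is not evidence the process is genuine.
        return "unverified"
    # normcase lowercases and unifies slashes; normpath collapses '..' segments.
    full = ntpath.normcase(ntpath.normpath(path.strip()))
    root = ntpath.normcase(ntpath.normpath(windows_dir))
    trusted = {ntpath.join(root, sub, "svchost.exe") for sub in TRUSTED_SUBDIRS}
    return "ok" if full in trusted else "suspicious"


def review(listing_csv, windows_dir=r"C:\WINDOWS"):
    """Classify every svchost.exe row in a Name,ExecutablePath CSV listing."""
    findings = []
    for row in csv.DictReader(io.StringIO(listing_csv)):
        verdict = classify(row["Name"], row["ExecutablePath"], windows_dir)
        if verdict is not None:
            findings.append((verdict, row["ExecutablePath"]))
    return findings


if __name__ == "__main__":
    for verdict, path in review(SAMPLE_CSV):
        print(f"{verdict:11} {path or '<no path reported>'}")
```

A row marked "unverified" still needs a manual look, since the listing gave no path to compare.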


  • 6.  RE: Generic Host (Svchost.exe)

    Posted Jun 07, 2010 09:15 PM
    Hi Brian81

    Mate, here's the error message...


  • 7.  RE: Generic Host (Svchost.exe)

    Posted Jun 07, 2010 09:18 PM
    Hi Brian81

    Mate, I used to have the svchost error but now only the generic host seems to be appearing.


  • 8.  RE: Generic Host (Svchost.exe)

    Posted Jun 07, 2010 09:42 PM

    Steps to be performed:
    1. SVCHost.exe is used by genuine and malicious processes, where malicious processes use this name to hide themselves.
    2. You are using a very old Symantec product, so you need to upgrade it soon. It is important because there have been many AV engine updates which can handle the current threats more efficiently than the version you have.
    3. As recommended by Brian81, first try to scan the computer with the SERT tool and see if it cleans the threat.
    4. If the issue persists, contact Technical Support, as it would require some log analysis to find the source of the threat.


  • 9.  RE: Generic Host (Svchost.exe)

    Broadcom Employee
    Posted Jun 07, 2010 11:46 PM
    Open a case with Symantec support; they will help you to find the suspicious file. However, you can look at the files at common loading points; if suspicious, submit them to the Symantec analysis team.