Have an infected machine; NO security tool has been able to correct it.

Created: 30 Jan 2013 | 17 comments

I have used NP Eraser, I have used SEP 12, and Malwarebytes and NONE of these can find what the underlying issue is.

I have a user who, whenever they open up Internet Explorer 8, it opens, then opens, then opens, then opens; it does this endlessly. This also happens on ALL profiles and it has affected Firefox as well. The browser pages continually open one after another. My manager sees traffic from the machine, but NOTHING is catching the underlying cause.

Any suggestions?

Windows 7 64-bit system, using IE 8 as the browser (we cannot upgrade the browser at this time).

17 Comments

.Brian

Flush your DNS cache and check your HOSTS file for malicious entries

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
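One way to carry out the HOSTS-file check suggested above, as an added example that is not from this thread or from any Symantec tool: it parses the file, skips the localhost mappings, and reports entries that override security-vendor or update domains or point a name at a non-loopback address. The watched domain list and the sample HOSTS content are constructed for illustration; the addresses are documentation-range placeholders.

```python
"""Flag suspicious entries in a Windows HOSTS file (added example, not from the thread)."""
import ipaddress
import re

# Addresses that are harmless as a HOSTS target: loopback or the 0.0.0.0 blackhole.
BENIGN_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}
# Domains malware commonly redirects to block AV updates; list is an assumption for illustration.
WATCHED_SUFFIXES = ("symantec.com", "microsoft.com", "windowsupdate.com", "kaspersky.com")

def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs from HOSTS text, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a valid mapping
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs

def suspicious_entries(text: str) -> list[tuple[str, str, str]]:
    """Return (ip, hostname, reason) for entries worth a closer look."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain") and ip in BENIGN_TARGETS:
            continue  # the default mapping
        if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
            findings.append((ip, name, "security/update domain overridden"))
        elif ip not in BENIGN_TARGETS:
            findings.append((ip, name, "redirect to non-loopback address"))
    return findings

# Constructed sample HOSTS content; not taken from any real infected machine.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
0.0.0.0         ads.example.net            # ad block, harmless
203.0.113.5     www.symantec.com           # vendor site redirected
203.0.113.5     update.microsoft.com
198.51.100.7    www.example.com            # unexpected redirect
"""

if __name__ == "__main__":
    for ip, host, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<15} {host:<25} {why}")
```

On a live machine, read C:\Windows\System32\drivers\etc\hosts into `suspicious_entries` instead of the sample string.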

.Brian

Can you check the traffic to see where it is going? Specifically the IP addresses...you may want to block those IPs if they are malicious.

Mithun Sanghavi

Hello,

Is this happening only on 1 machine?

Disable the Browser Helper Objects from the client machine.

Could you run the Symantec Support Tool and check if there are any suspicious files?

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SebastianZ

You can try SERT as well - start it before booting the OS:

https://www-secure.symantec.com/connect/videos/sym...

...and use with the newest defs:


The Conquistador

It found it and cleaned it; now it wants me to run Windows Defender Offline, which I cannot do since I am not at that office. Any suggestions?

Thank you

.Brian

You may need to physically access the PC. Typically with this piece of malware, the "fixmbr" utility needs to be run from the Windows disk because it overwrites the MBR. It is a very nasty piece of malware.

https://en.wikipedia.org/wiki/Alureon

Kaspersky also has TDSSKiller which may help in this case

http://support.kaspersky.com/2663

The Conquistador

TDSSKiller is running and SEP is trying to kill it; it's rather amusing.

.Brian

Interesting. I've had no issue in the past with SEP and TDSSKiller interacting. I would just disable SEP and run it again. Then try a full scan with SEP.

Weird that SEP didn't catch it as this has been around for some time. Perhaps a new variant is out.

.Brian

Yep, looks like that MBR needs some replacing...

cus000

Sounds like a new variant...

You know... AV can only detect and clean as many as it can.... Certain cases require us to dirty our hands ;)

My only suggestion is to capture the source file of this threat (if possible), then submit it for analysis.

cus000

How did you solve it? Did you repair the MBR?

I just found a Symantec KB for MBR sample submission:

http://www.symantec.com/business/support/index?pag...