
Help removing virus that redirects web page

Created: 30 Aug 2009 • Updated: 21 May 2010 | 10 comments

I have Endpoint installed, and have run the full virus scan in an attempt to find this obvious virus.
Can anyone tell me if this is a common virus and if there is a particular filename I can scan for?
Or is there a different way to use Endpoint in order to find the virus? Virus description: Every so
often, any selected link will be redirected to a different commercial website. Clicking back will not
work. Very annoying.

I have used live update and rerun the full scan with no success.  Any help would be appreciated.


Grant_Hall

Check out this article, it is our 5 steps of virus troubleshooting. Essentially you want to do a full scan in safe mode. This is different from just the full scan, and hopefully this will get rid of the virus. You should try that first and then post back to let us know how it went. Also try to post what version of SEP you are running and what OS you have. Thanks,

Grant-

Here is the link: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007011014341948

Please don't forget to mark your thread solved with whatever answer helped you : )

jlduncan

Hi Grant,
Thanks for your response. I'm using Vista Enterprise SP2 version .286
The version of Endpoint is 11.0.4014.26

Is there a more detailed explanation of how to run the virus scan in safe mode?
Thanks!

Grant_Hall

Well, what part are you having trouble with? Is it starting the computer in safe mode? Turning System Restore off? Or starting the scan?

Starting The Computer In Safe Mode:

For most computers you simply restart the computer, and when the computer starts to turn on start tapping the F8 key. This will bring you to a prompt that lets you select what mode you want to start in. Select safe mode. Try this guide if you still have troubles: http://www.pchell.com/support/safemode.shtml

Turning Off System Restore:

Once in safe mode, click Start -> All Programs -> Accessories -> System Tools -> System Restore. You should see a box pop up; select the link that says System Restore Settings. Then check the box that says "Turn off System Restore on all drives".

Running The Scan:

It should be the same process as running the full scan in normal mode. You should be able to just click on the shield in the system tray and select Full Scan.

If you have a little more advanced computer knowledge, try this link: http://service1.symantec.com/support/ent-security....

It goes over how to start in safe mode with command prompt only and run the scan. I wouldn't suggest this if you don't regularly use the command line.

Hope this helps
Grant

PS Also the most recent version of SEP is 11.0.4202.75 so if I were you I would upgrade as soon as possible. ; )

Please don't forget to mark your thread solved with whatever answer helped you : )

jlduncan

Thanks again for your response. Once in safe mode, I tried to go into System Restore, but it said there were no restore points created.
So, I went ahead and tried to run the full scan with Endpoint. It gave a message saying the management client was not yet running, would I like to start it. "Yes" gave the error: failed to start Symantec Management Client service, error code 0x8007043c

fjorq

jlduncan - Try the option "Safe Mode with Networking". This should allow you to run a full system scan in safe mode.

Thanks,

Grant_Hall

Yes, this is the correct option. The article that states this can be found here: http://service1.symantec.com/SUPPORT/ent-security....

Thanks fjorq for pointing that out.

Grant-

Please don't forget to mark your thread solved with whatever answer helped you : )

Vikram Kumar-SAV to SEP

Web browser redirectors are normally a DLL file that gets loaded into your web browser as an add-on.
They install silently in your browser when you click on a malicious link where they are hooked.

Once downloaded, they can live anywhere in your system, preferably c:\windows\system32 or
C:\Documents and Settings\All Users\Application Data\Microsoft\Network
C:\Documents and Settings\Default User (or your user account)\Application Data\Microsoft\Internet Explorer

How to disable/remove them when using Internet Explorer:

Open Internet Explorer -> Tools -> Manage Add-ons

or Tools -> Internet Options -> Programs -> Manage Add-ons

Select "Add-ons currently loaded in Internet Explorer".
Then sort by publisher, and disable/remove the add-ons that look suspicious and have no publisher.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect site is the Search button. Do use it.
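The manual Manage Add-ons check above can be scripted for the Internet Explorer case. The following PowerShell is an added example, not code from the thread or from Symantec: it walks the registry keys where IE registers Browser Helper Objects (the add-on DLLs the post describes), resolves each CLSID to its DLL, and flags any DLL that is missing or lacks a valid Authenticode publisher signature. It assumes an elevated PowerShell 3.0 or later session on the affected machine and only reads; it disables nothing.

```powershell
# Added example: report IE Browser Helper Objects (BHOs) and their publisher signatures.
# Assumption: run elevated on the affected machine; read-only, nothing is changed.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoReport {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($clsidKey in Get-ChildItem -Path $key) {
            $clsid  = $clsidKey.PSChildName
            # The CLSID's InprocServer32 default value names the DLL IE loads in-process.
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll    = $null
            if (Test-Path $server) {
                $dll = (Get-Item -Path $server).GetValue('')
                if ($dll) {
                    # Expand %SystemRoot%-style references and strip surrounding quotes.
                    $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
                }
            }
            $status    = 'MissingFile'
            $publisher = ''
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig    = Get-AuthenticodeSignature -FilePath $dll
                $status = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $publisher = $sig.SignerCertificate.Subject }
            }
            [PSCustomObject]@{
                CLSID      = $clsid
                Dll        = $dll
                Publisher  = $publisher
                Signature  = $status
                # Unsigned, invalidly signed, or missing DLLs match the "no publisher" heuristic above.
                Suspicious = ($status -ne 'Valid')
            }
        }
    }
}

# Suspicious entries sort to the top; review them before disabling anything in Manage Add-ons.
Get-BhoReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A valid signature alone does not prove an add-on is benign, and some legitimate vendors ship unsigned DLLs, so treat the output as a shortlist for the Manage Add-ons review rather than a verdict.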

Grant_Hall

What's the latest on this? Did you ever get the full scan to work in safe mode?

Grant-

Please don't forget to mark your thread solved with whatever answer helped you : )

jlduncan

Hi Grant,
I started in safe mode and selected "no" for the management client message. Then, when I brought up Endpoint, there was an alert saying something like "Auto-Protect malfunctioning", etc. I ran the full scan anyway, but it only found a couple of cookies. I did find an add-on that looks suspicious by following Vikram's suggestion (applied to Firefox). The maker is "Windows Presentation Foundation". Other authentic-looking Windows add-ons have the Microsoft trademark included. I would like to make sure I'm using Endpoint in a way that will find and remove this. Please let me know if I can re-run the full scan in a different way so it will do this.

Thanks!

Grant_Hall

Hi again,

Sorry for the slow reply, I've been gone all weekend. Well, if you haven't already done so, please run the scan with System Restore off. I don't think this will make a difference since it said that the full scan is "malfunctioning", but this is the procedure that we usually try to follow. If that doesn't work there are other options that I can think of. Some are easier than others depending on what resources you have at your disposal.

1. If this is a networked computer, try using another computer with SEP installed to run the scan of the infected computer's hard drive.

2. If you have another hard drive to boot from, then slave the infected drive and boot off the other drive. Then run the scan on the infected drive. This is similar to the networked option above.

3. You can make (or if you call in I think we can provide a link for download) a bootable CD that runs a scan of the system without ever touching the drive. That way you know 100% that any infection isn't altering the scan. This sort of CD isn't officially supported, but I have had very good luck with it thus far. Basic instructions for making it are below, and if you have any questions feel free to PM me.

1. Get WinPE (instructions here: http://apcmag.com/windows_pe_20_a_tiny_version_of_...)
2. Download and update Norton Security Scanner (NSS)
3. Copy the NSS folder onto the WinPE CD/USB
4. Boot the infected machine using the WinPE live CD or USB stick
5. Browse to the NSS folder and run nss.exe to scan and clean the infected machine.

Hope this helps,
Grant

Please don't forget to mark your thread solved with whatever answer helped you : )