
Internet Explorer Virus

Created: 07 May 2012 • Updated: 10 May 2012 | 21 comments

Hi,

In one of our machines we are having some sort of virus which is resetting the home page to this url hxxp://www.nuevaq.fm/

I do know what site this is. Many IE applications are not opening.

I am using SEP 12.1 RU1. Definitions are up to date.

Now 2 users are having this problem. When we tried a full scan, no risks were found.

Please help


SUPPORT-2-SUPPORT

Hi Shrikant,

Please specify the address (e.g. http://www.symantec.com/enterprise/security_respon...) in AV/AS Policy --> Miscellaneous --> Internet Browser Protection to prevent browser attacks.

Regards,

S2S


Please don't forget to mark your thread solved with whatever answer helped you.

Ajit Jha

By default this Symantec Security Site is added. I found this for you:

http://www.threatexpert.com/report.aspx?md5=83c749732492b43f6efc1687be2c8336

Regards,

Ajit Jha

Technical Consultant

ASC & STS

Srikanth_Subra

This I already read. Now how do I block this?

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

pete_4u2002

Collect the load point log and open a support case and ask for review. The tech team will ask you to submit the suspicious file if present, and that will fix the issue, assuming the threat is active on the machine and is responsible for the home page.

Srikanth_Subra

How to collect the logs?

Thanks & Regards,

 Srikanth.S


Mick2009

Power Eraser may also help to remove suspicious files:

About Symantec Power Eraser
Article: TECH134803 | Created: 2010-01-09 | Updated: 2012-04-13
Article URL: http://www.symantec.com/docs/TECH134803

With thanks and best regards,

Mick

Srikanth_Subra

I already tried the Power Eraser, but while doing the scan the option itself is disabled and it shows the error "Symantec reputation database not found".

Thanks & Regards,

 Srikanth.S


Mithun Sanghavi

Hello,

In your case, Symantec is detecting such threats as W32.Rontokbro!gen1, as Ajit pinpointed.

I agree with Mick as well for using the Symantec Power Eraser Tool.

However, in certain cases a strong plan of action is necessary.

Here are a few points which would assist you to prevent this.

1) Check the hosts file. If it has been changed, make the necessary changes.

Usually Symantec does protect you from such changes, if proper policies are in place.

You can create an Application Control Policy like the one below:

By creating this policy, from then onwards all modifications to the hosts file would be blocked.

2) Most of the time, such threats are user based. I would suggest that you create a new user on the same machine and check if the issue exists in the newly created user profile.

If it does not exist, then you can delete the infected user profile.

You could protect the User Profile from getting infected by creating proper policies in SEP.

How to Block Known Virus Executables that run from %UserProfile% using Application and Device Control

http://www.symantec.com/docs/TECH131741

3) Check the box for "Enable Browser Intrusion Prevention" within the Intrusion Prevention Policy of Symantec Endpoint Protection Manager, which controls the user's ability to enable/disable this feature.

4) Create a rule for Block / Log Browser Helper Objects.

How to create a rule that will block or log Browser Helper Objects in Symantec Endpoint Protection

http://www.symantec.com/docs/TECH94965

5) In case you find any suspicious files on the machines, you can follow this article:

Using Symantec Support Tool, how do we collect the suspicious files and submit them to the Symantec Security Response Team.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
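Points 1) and 2) above (the hosts file and the per-user profile) can be checked quickly from an elevated PowerShell prompt before any policy work. This is an added example for the reader, not a script from the thread or from Symantec; the `$SuspectHost` value is constructed from the URL in the original question and the registry and hosts paths are the standard Windows locations.

```powershell
# Added example (not from the thread): list the IE start page for every loaded
# user hive and flag any hosts-file lines beyond the stock localhost entries.
# Run elevated on the affected machine so all loaded hives under HKEY_USERS are readable.

$SuspectHost = 'www.nuevaq.fm'   # constructed from the thread; placeholder for any hijack domain

function Get-IEStartPages {
    # HKEY_USERS holds one hive per loaded profile; IE keeps its start page in
    # Software\Microsoft\Internet Explorer\Main under each of them.
    Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object {
            $key  = "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Internet Explorer\Main"
            $main = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($main -and $main.'Start Page') {
                [pscustomobject]@{
                    Sid       = $_.PSChildName
                    StartPage = $main.'Start Page'
                    Suspect   = [bool]($main.'Start Page' -match [regex]::Escape($SuspectHost))
                }
            }
        }
}

function Get-UnexpectedHostsEntries {
    # Anything that is not a comment, a blank line or the default localhost
    # mapping deserves a look; a hijacker often adds redirects here.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hostsPath |
        Where-Object { $_.Trim() -and $_.Trim() -notmatch '^#' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
}

"IE start page per loaded profile (Suspect = True means it matches $SuspectHost):"
Get-IEStartPages | Format-Table -AutoSize

$extra = Get-UnexpectedHostsEntries
if ($extra) {
    "Non-standard hosts entries found:"
    $extra
} else {
    "hosts file contains only the default entries."
}
```

Profiles that are not currently logged on are not loaded under HKEY_USERS, so log on as each affected user (or load their NTUSER.DAT) to cover them.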

Srikanth_Subra

Those policies are already available in my SEPM and all are enabled.

Thanks & Regards,

 Srikanth.S


Srikanth_Subra

We tried another tool to capture the virus, which caught it, and now the problem is solved.

But why did Symantec fail to capture this?

Thanks & Regards,

 Srikanth.S


Srikanth_Subra

Replies for this issue?

Thanks & Regards,

 Srikanth.S


pete_4u2002

It may not be present in the Symantec database, or it could be a false positive from the other AV tool you used. If you still have the file, you can upload it to the Symantec Security Response team.

Srikanth_Subra

I will get the file and upload it to Symantec Security Response.

Thanks & Regards,

 Srikanth.S


pete_4u2002

That's great! Pass on the tracking number once you upload the file.

Srikanth_Subra

Likewise, I have submitted many files to Security Response but had no reply from them....

Thanks & Regards,

 Srikanth.S


pete_4u2002

Do you mean there is no tracking number?

Can you open a support ticket to identify why you are not receiving the tracking number?

Thomas K

Srikanth,


PM me the email address used for the submission, and I will see if I can find your tracking number.


Thomas

Srikanth_Subra

Hi,

Please find the number of my submission: 2674764

I have submitted the same file several times, but no response.

Thanks & Regards,

 Srikanth.S


pete_4u2002

Are you sure that's the tracking number? Can you please reconfirm?

Mick2009

Hi Srikanth.S,

Can you contact Thomas or myself via Private Message? The tracking number supplied is not valid.

Please let us know the name of the file you submitted, the email address you used, which contract portal you submitted it under (Gold? BCS? Retail?) and the MD5 of the file if possible.

Many thanks in advance,

Mick


cus000

Hello,

Try to capture load points using the SEP Support Tool, then create a case with support.

You may also copy the suspicious files and check them on virustotal.com or via Symantec sample submission.