Hi All,

Found a machine that had this "virus" - Every time a browser is opened (IE, Firefox, Chrome) by default the istartsurf.com is initiated.

Does anyone know whether this "virus" - istartsurf.com is detected / blocked or removed using SEP?

Any ideas welcome.

Thanks

See this norton report

https://safeweb.norton.com/report/show_mobile?name=istartsurf.com

also you can submit malicious url

https://www-secure.symantec.com/connect/forums/how-submit-malicious-url-symantec-verify

@James007, thanks - I have already checked this out and the site has been online for 2 months now.

How can I prevent the browsing hijacking using SEP? Note: I use all features except firewall.

How many system having problem ?

Have you scan Symhelp tool ?

You can scan your system symhelp tool

How to run the Threat Analysis Scan in Symantec Help (SymHelp)

See this Url

http://www.techsupportall.com/how-to-remove-istartsurf-com-search-page-removal-help/

http://malwaretips.com/blogs/remove-istartsurf-virus/

Running the Symhelp tool now. Only one system found - but I really don't want to have this spread.

Will let you know .

If symhelp or a full SEP scan finds nothing, run AdwCleaner or JRT from bleepingcomputer.com

I managed to find registry entries searching for "istartsurf.com" and deleting them. I also removed some "freeware" and "adware" from the system. I then found that the actual shortcut to all browsers (IE, firefox and chrome) was modified to open the "istartsurf.com" webpage. I removed the amended entry and all is well again with the browsers.

ThaveshinP:

A couple of general bits of advice if I may, based on my own experiences. 

First, turn your users to Standard user, not Administrator on their own system.  This prevents most of this adware and related stuff from ever getting installed since their account has no rights to install software. 

Second, once a system is breached in this way, it might be safer to consider it a standard policy to always wip ethe machine and put in a fresh image (or manually rebuild).  Why? Because the old school mentality of the system admin thinking he knows better than the craftiest virus authors doesn't apply.  Like you, I have spent many hours of my career manually combating the effects of viruses.  However since almost all trojans and viruses these days tend to open a backdoor that then downloads additional malware, the base effect is that your system is completely open to every virus on earth (when you think about it, that really puts things into perspective doesn't it?). So there's no way we can outsmart them. 

Much like the concept of "defence in depth" is talked about at times, the less discussed concept of "offense in depth" is not.  Think of it this way:  a virus writer makes his stuff do two things:  one, insetall ab unch of commercial adware and other lame money-making gimicks on your system, make them relatively easy to find, because the vast majority of non-enterprise system admins won't wipe a system, they'll just chase after symptoms and once the system "appears" to be ok, they move on.  But second, then embed more deep-level stuff, rootkits and what not, that continue running on that system long after you've moved on. 

I've seen it many times, I spend lots of time trying to manually fix up a system, only to find out that more annoying 54645545.tmp files and so on are being flagged. 

Best to develop a strattegy to just wipe systems when this stuff occurs, but to greatly prevent it from occuring, set the user as Standard and not admin. 

Also I think if you turn off the SEP firewall you also turn off IPS, or maybe just browser-based IPS, I don't know for sure.  Consider re-enabling it as SEP relies heavily on cross-component integration for it's success. 

One last note:  I went about 1.5 yrs fighting that stupid Conduit SearchProtect.  FINALLY, Symantec has flagged as it malware or a PUP or whatever, and SEP stops it.  Your situation sounds exactly like SearchProtect.  So keep at Symantec and they'll make signatures for this too.