Lot of W32.Rontokbro@mm infection

Created: 14 Feb 2013 | 19 comments

Hi,

In one of the nodes, we are getting a lot of W32.Rontokbro@mm virus detections. It has been found to take a lot of traffic. Ran many of the tools suggested by Symantec but the issue still persists. Can I create an exception for this known detection from the server level? The user is annoyed because the computer hangs because of the continuous detection of this threat. Please help.

Regards,

Anish


Ashish-Sharma's picture

Hi,

Check this tool

http://www.symantec.com/security_response/writeup.jsp?docid=2005-092311-2608-99

Is your system infected? Symantec tools to help clear an infection

https://www-secure.symantec.com/connect/forums/you...

If Symantec does not detect the virus, you can submit the suspicious file

Submit Suspicious Files

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 

https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

Thanks In Advance

Ashish Sharma

Sanishku's picture

Hi Ashish,

The infected computer seems to be running some application which is also shared by other users. The application is used internally and accessed by only 5-10 people from their computers. It has been found that as and when these users share their folders, they also get those virus detections. Please let me know how to add exceptions for the application and what type of exception would be better in my case?

Regards,

Anish.


Ashish-Sharma's picture

Hi,

Check this article on how to add them

Configuring Exceptions for Symantec Endpoint Protection (SEP) 12.1

Article:TECH176906  |  Created: 2011-12-14  |  Updated: 2012-08-23  |  Article URL http://www.symantec.com/docs/TECH176906

Thanks In Advance

Ashish Sharma

Ambesh_444's picture

Hello Anish,

1) Make sure your system is updated with the latest antivirus definitions.

2) Your system should have all patches installed including KB958644

3) Do a full scan on the system and then restart the system.

Please check with this..

http://www.symantec.com/security_response/attacksi...

Thanks & Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

Sanishku's picture

Hi Ambesh,

The computer is updated with the latest antivirus definitions. Also, the above patch has been installed. Full scan has been done.

Regards,

Anish


Ambesh_444's picture

Hi Anish,

Thank you for revert,

Please check with this,

http://www.symantec.com/security_response/writeup....

http://www.symantec.com/security_response/attacksi...

http://www.symantec.com/security_response/writeup....

And please let me know...

Thanks & Regards,

Ambesh


Ambesh_444's picture

Hi Anish,

Please let me know if your issue is resolved?

Thanks & Regards,

Ambesh


Sanishku's picture

Hi,

We are still facing the issue.

Regards,

Anish


Ambesh_444's picture

Hello Anish, 

Have you done the above on the system?

Please go through with below link and let me know.

http://www.symantec.com/security_response/writeup....

Thanks & Regards,

Ambesh


Ashish-Sharma's picture

If Symantec does not detect the virus, you can submit the suspicious file

Submit Suspicious Files

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 

https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

Thanks In Advance

Ashish Sharma

Mithun Sanghavi's picture

Hello,

I would suggest you to check this Thread: https://www-secure.symantec.com/connect/forums/how-delete-0

What version of SEP are you carrying?

Checking it carefully, found this:

Your symptoms look very similar to those below:

You run a scan multiple times and it continually finds threats previously quarantined in C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine. A full system scan will find the files and claim that it successfully quarantined the file, but it will be found by another full system scan in the same location.

Cause: Unknown. It is suspected that the SRTSP is a middle point for the main quarantine typically located in C:\Documents and Settings\All Users\Application data\Symantec Endpoint Protection\Quarantine 
 
Solution:

Disable the System Restore from the Machine.

When trying to access C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine you will probably get an access denied.

  1. Right click on the folder, go to Properties then Security.
  2. Add the user who is currently logged on with Full Control.
  3. Open command window (Start > Run > cmd).
  4. At command prompt, navigate to the directory (cd "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine")
  5. Delete all files by typing the command del *.* and hit enter.
  6. Restore the default privileges by removing the user added with Full Control.
  7. Initiate a full system scan.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
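
The cleanup steps from the post above as one script, added here as an example; it is not part of the original thread or of Symantec's tooling. It assumes an administrator command prompt on a client that uses the XP-era path quoted in the post, the built-in `cacls` tool, and a user name without spaces; the listing file name is made up for the example.

```batch
@echo off
setlocal
rem Added example: steps 1-7 of the post as one script (not Symantec's code).
rem Path is the one quoted in the post; adjust it for other Windows versions.
set "QDIR=C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine"
rem Hypothetical file name used to keep a record of what was deleted.
set "LISTING=%TEMP%\srtsp_quarantine_before.txt"

if not exist "%QDIR%\" (
    echo Quarantine folder not found: "%QDIR%"
    exit /b 1
)

rem Steps 1-2: grant the logged-on user Full Control.
rem /E edits the existing ACL instead of replacing it, /T also covers the
rem files inside the folder. Assumes %USERNAME% contains no spaces.
cacls "%QDIR%" /T /E /G %USERNAME%:F

rem Steps 3-5: keep a listing for the incident record, then delete the files.
rem /a includes hidden and system files, /f read-only ones, /q skips the prompt.
dir /a /b "%QDIR%" > "%LISTING%"
del /f /q /a "%QDIR%\*.*"

rem Step 6: remove the temporary access again, whether or not the delete worked.
cacls "%QDIR%" /T /E /R %USERNAME%

rem Check for leftovers so a failed delete is not mistaken for success.
dir /a /b "%QDIR%" 2>nul | findstr "^" >nul
if errorlevel 1 (
    echo Quarantine folder is empty. Step 7: start a full system scan.
) else (
    echo Some entries remain in "%QDIR%":
    dir /a /b "%QDIR%"
    exit /b 1
)
endlocal
```

The `/R` switch removes every entry for that user on the folder, which matches step 6 only if the account had no explicit rights there before the script ran.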

Ambesh_444's picture

Hi Anish,

Kindly update us about your virus related problem?

Thanks & Regards,

Ambesh


cus000's picture

Are you able to identify the source?

I'm afraid the attack won't stop until you track the source and clean it all together...

Sanishku's picture

Hi,

Whenever a user in our network tries to share some folders, the virus is found. Users have been told not to share folders. At the same time, the application currently running on the machine is planned to be put on a dedicated machine. Will have to perform a few other steps once the user is free. Thanks for your suggestions.

Regards,

Anish


Mithun Sanghavi's picture

Hello,

Are all the client machines installed with the latest and updated SEP client?

Could you please make sure you have the machines run a full scan on them.

And when the users share a drive or a folder, strong password protection should be used.

I would also recommend you to disable the AutoRun Feature via GPO.

To find the Source of the Threat, it is advised to Enable the "Risk Tracer" feature from the SEPM.

Risk Tracer -

http://www.symantec.com/docs/TECH102539

How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

http://www.symantec.com/docs/TECH94526

A few extra notes....

  • Risk Tracer relies upon the Windows File and Printer Sharing. If this is disabled (as per MS Article 199346, http://support.microsoft.com/kb/199346) Risk Tracer will not work.
  • Risk Tracer may be disabled in order to reduce SAV's performance impact on an overburdened computer.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


Sanishku's picture

Hi,

Is there any inbuilt option in Windows 7 or XP for this password protection for shared folders?

Regards,

Anish


Mithun Sanghavi's picture

Hello,

You cannot password protect individual folders in XP. You restrict access by assigning permissions to drives, folders and files.

Check this Article: http://support.microsoft.com/kb/307874

Whereas in Windows 7 you could turn on the password protected sharing, check this Article: 

http://windows.microsoft.com/en-US/windows7/Share-files-with-someone

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


SameerU's picture

Hi

Please scan the system in safe mode

Regards