Missing thread about what to do in case of a malware outbreak.

Updated: 21 May 2010 | 4 comments
Posted by jrudbecka

Hi all

I'm in the process of writing a procedure on what to do in case of a malware outbreak in our company.

To ease the documentation process a little, I'm trying to find a post that was made some months ago :-))

The post was about what to do in case of an outbreak. Does anyone have a link to it, or remember it?

I have searched for a long time now and can't seem to find anything related to this issue (maybe it was on the old board?).

Does anyone know if Symantec has a best practice document related to this subject?

Or better, does any of you have a draft you want to share? :-))

Regards

Comments

Prachand, 27 Jul 2009

The 5 Steps of Virus Troubleshooting

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007011014341948

Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)

Vikram Kumar-SAV to SEP, 27 Jul 2009

I guess you missed the Articles and Blog

If you are posting this, then I guess you have missed the Articles and Blog section of Connect.
You will find many articles and blogs with know-how about infections and how to control them.

Prachand, 27 Jul 2009

Worms and threats that spread across networks

Worms and threats that spread across networks by network shares have become more common in recent years, like Downadup/Conficker.

https://www-secure.symantec.com/connect/articles/worms-and-threats-spread-across-networks-network-shares-have-become-more-common-recent-yea-0

Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)

veerasatven, 16 Sep 2009

Best and Better step

Best and better step: work on one PC, get the virus definitions, and update the SEP Manager, that's all.

1. To disable System Restore (Windows Me/XP):

If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including Antivirus programs, from modifying System Restore. Therefore, Antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
 
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
How to disable or enable Windows Me System Restore
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?OpenDocument&src=sec_doc_nam 
How to turn off or turn on Windows XP System Restore
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam 
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455). 
http://support.microsoft.com/kb/q263455/ 
 
2. To remove all the entries that the risk added to the hosts file
1. Navigate to the following location:
Windows 95/98/Me:
%Windir%
Windows NT/2000/XP:
%Windir%\System32\drivers\etc
 
Notes:
The location of the hosts file may vary and some computers may not have this file. There may also be multiple copies of this file in different locations.   If the file is not located in these folders, search your disk drives for the hosts file, and then complete the following steps for each instance found.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
 
3. Double-click the hosts file.
4. If necessary, deselect the "Always use this program to open this program" check box.
5. Scroll through the list of programs and double-click Notepad.
6. When the file opens, delete all the entries added by the risk.
7. Close Notepad and save your changes when prompted.
 
3. Locations where the infection is frequently found
C:\Documents and Settings\All Users\Application Data\ (delete the suspicious folders)
C:\Windows
C:\Windows\System32
C:\Windows\System32\Drivers
Note: One way of searching for infected or suspicious files is to change the view to Details, sort by Date Modified, find the most recently modified files and delete them.
Before deleting them, make sure no suspicious programs are running in the background (in Task Manager and msconfig; after stopping the startup item, delete the registry key as shown below in the location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg).
 
4. To delete the values from the registry
 
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document:
How to make a backup of the Windows registry.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617?OpenDocument&src=sec_doc_nam 
1. Click Start > Run.
2. Type regedit
3. Click OK.
 
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool http://www.symantec.com/security_response/writeup.... and then continue with the removal.
Navigate to and delete the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\ 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
Delete all the keys below this key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ 
Delete all the keys below this key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
If you see any unknown or suspicious entries, delete them.
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5604
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5647
Any numbered folder under ACMru should be thoroughly searched for infected keys, which should then be deleted.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
If you see any unknown or suspicious entries, delete them.
Exit the Registry Editor.

All the best
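The manual steps in the comment above (audit the hosts file, inspect the autorun registry keys, look for recently modified files in the system folders) can be collected read-only before anything is deleted, which matters because "delete all the keys below this key" for Browser Helper Objects or SharedTaskScheduler also removes legitimate, signed add-ins. The following PowerShell is an added example for this thread, not Symantec's or the poster's own tool. It assumes PowerShell 3.0 or later running from an elevated prompt, the registry paths listed in the comment, and a constructed sample hosts file embedded in the script in place of %Windir%\System32\drivers\etc\hosts; the seven-day window for "recently modified" is an assumption to adjust to the outbreak timeline.

```powershell
# Added example for this thread, not Symantec's or the original poster's tool.
# Read-only triage of the locations named in the manual procedure above: it
# reports, it does not delete. Assumes PowerShell 3.0+ and an elevated prompt.

# --- 1. Hosts file: anything beyond the stock localhost mappings is suspect -----
function Get-SuspiciousHostsEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $entry = ($line -split '#')[0].Trim()                 # drop comments
        if (-not $entry) { continue }
        $parts = $entry -split '\s+'
        if ($parts.Length -lt 2) { continue }                 # malformed line
        $ip       = $parts[0]
        $names    = $parts[1..($parts.Length - 1)]
        $loopback = $ip -in @('127.0.0.1', '::1')
        $extra    = @($names | Where-Object { $_ -ne 'localhost' })
        if ($loopback -and $extra.Count -eq 0) { continue }   # stock entry
        # Malware either forces vendor/update names to loopback (site unreachable)
        # or points them at an address it controls.
        if ($loopback) { $flagged = $extra;  $reason = 'name forced to loopback' }
        else           { $flagged = $names;  $reason = 'redirected to non-loopback address' }
        foreach ($n in $flagged) {
            [pscustomobject]@{ IP = $ip; Host = $n; Reason = $reason }
        }
    }
}

# Constructed sample standing in for %Windir%\System32\drivers\etc\hosts; on a real
# host use: Get-Content "$env:SystemRoot\System32\drivers\etc\hosts"
$sampleHosts = @'
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       www.symantec.com
192.0.2.10      windowsupdate.microsoft.com
'@
Get-SuspiciousHostsEntries -Lines ($sampleHosts -split "`r?`n") | Format-Table -AutoSize

# --- 2. Autorun locations from the procedure: list entries with signature status ---
$autorunKeys = @(
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
)
$clsidPattern = '^\{[0-9A-Fa-f-]+\}$'
function Resolve-Clsid {                                     # COM class -> its DLL
    param([string]$Clsid)
    $k = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $k) { (Get-ItemProperty -LiteralPath $k).'(default)' }
}
function Get-AutorunEntries {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # Values directly on the key (Run keys; SharedTaskScheduler uses CLSID names)
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }             # skip PSPath etc.
            $cmd = if ($p.Name -match $clsidPattern) { Resolve-Clsid $p.Name } else { [string]$p.Value }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$cmd }
        }
        # Subkeys (Winlogon\Notify uses DLLName; BHO subkeys are CLSIDs)
        foreach ($sub in Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue) {
            $v = Get-ItemProperty -LiteralPath $sub.PSPath
            $cmd = if ($sub.PSChildName -match $clsidPattern) { Resolve-Clsid $sub.PSChildName }
                   elseif ($v.DLLName) { $v.DLLName } else { $v.'(default)' }
            [pscustomobject]@{ Key = $key; Name = $sub.PSChildName; Command = [string]$cmd }
        }
    }
}
function Resolve-ImagePath {
    param([string]$Command)
    $Command = $Command.Trim()
    if (-not $Command) { return $null }
    # Quoted path, else first token; expand %SystemRoot%-style variables
    $p = if ($Command -match '^"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if (Test-Path -LiteralPath $p -PathType Leaf -ErrorAction SilentlyContinue) { return $p }
    $sys = Join-Path $env:SystemRoot "System32\$p"           # bare names load from System32
    if (Test-Path -LiteralPath $sys -PathType Leaf -ErrorAction SilentlyContinue) { return $sys }
    return $null
}
Get-AutorunEntries | ForEach-Object {
    $img = Resolve-ImagePath $_.Command
    $sig = if ($img) { (Get-AuthenticodeSignature -FilePath $img).Status } else { 'FILE NOT FOUND' }
    [pscustomobject]@{ Signature = $sig; Key = $_.Key; Name = $_.Name; Image = $img; Command = $_.Command }
} | Sort-Object Signature | Format-Table -AutoSize -Wrap

# --- 3. Recently modified executables in the folders the procedure names ----------
$since   = (Get-Date).AddDays(-7)                            # assumption: outbreak window
$folders = @($env:ProgramData, $env:SystemRoot, "$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers")
Get-ChildItem -LiteralPath $folders -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since -and $_.Extension -in '.exe','.dll','.sys','.scr','.com' } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, FullName |
    Format-Table -AutoSize
```

With the constructed sample, the hosts check reports the two Symantec names forced to loopback and the Windows Update name redirected to 192.0.2.10, while the stock localhost lines pass. In the autorun listing, entries whose Signature is NotSigned or HashMismatch, or whose Image is FILE NOT FOUND (an orphaned reference left by a removed or renamed dropper), are the ones to examine; Valid signatures from a known vendor are the legitimate BHOs and notify packages that a blanket "delete all keys below" would also have removed. The procedure's remark that the hosts file location may vary has a concrete cause worth checking alongside this script: the path Windows actually reads is the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, and some threats repoint it rather than editing the default file. On Vista and later, the "All Users\Application Data" folder from the procedure is a junction to %ProgramData%, which is why the script uses that variable.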