
Porn.exe, sexy.exe, passwords.exe, etc Virus Cleanup

Created: 28 Dec 2011 | 6 comments

I have had a couple of instances whereby users have experienced that their folders in USB flash drives are turned into .exe files, and the following are added:

porn.exe, sexy.exe, passwords.exe, secret.exe, m.mpeg, and another random .exe file.

For some reason Symantec is not able to contain the virus/worm. I have to gamble with the manual removal of the worm, which is impractical most of the time.

Any heads up? Solution?
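An added example, not part of the original thread and not a Symantec tool: a read-only triage pass over a drive for the symptom described in the post above. It flags the file names listed there and, as an assumption, any .exe that shares its name with a folder beside it; the sample tree is constructed, and flagged files are candidates for quarantine and submission, not a verdict.

```python
import os
import tempfile

# File names reported in the opening post.
LURE_NAMES = {"porn.exe", "sexy.exe", "passwords.exe", "secret.exe", "m.mpeg"}


def triage_drive(root):
    """Return sorted (relative_path, reason) pairs for files worth a closer look."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        folders = {d.lower() for d in dirnames}
        for name in filenames:
            lower = name.lower()
            stem, ext = os.path.splitext(lower)
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if lower in LURE_NAMES:
                findings.append((rel, "name listed in the report"))
            elif ext == ".exe" and stem in folders:
                # Assumption: an .exe named after a sibling folder is suspicious.
                findings.append((rel, "exe named after a sibling folder"))
    return sorted(findings)


def build_sample_drive(root):
    """Constructed sample tree standing in for a flash drive (empty, harmless files)."""
    for folder in ("Invoices", "Photos"):
        os.makedirs(os.path.join(root, folder))
    for name in ("Invoices.exe", "sexy.exe", "m.mpeg", "setup.exe", "Photos/holiday.jpg"):
        open(os.path.join(root, *name.split("/")), "w").close()


def demo():
    """Run the triage over the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_drive(root)
        return triage_drive(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

The script only lists files; it does not delete or modify anything, so the flagged files remain available for submission.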


Edwin_Mu's picture

So the detection and the deletion are manual? That's what I learnt on the other page...

Mithun Sanghavi's picture

Hello,

In your case, there are a few suggestions.

1) Check if these machines are updated with the Latest Microsoft Updates and Security Patches.

2) Check if the Autorun is disabled.

3) Check that Symantec is carrying the latest virus definitions, and run a full scan in Safe Mode.

Also, you can Run the Symantec Support Tool which may assist you to submit the suspicious files to the Symantec Security Response Team.

https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

It is always advisable to work on the best practices for troubleshooting viruses on a network:

http://www.symantec.com/docs/TECH122466

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Chetan Savade's picture

Hi,

Ideally, USB flash drives are blocked for security reasons.

If you have enabled them, please review whether that is necessary.

Check the risk logs on the client machines, and check whether it is a new threat or is happening due to a system vulnerability.

To check whether it's a new threat or not:

Run the SEP Support Tool and submit the files to Symantec for analysis.

http://www.symantec.com/techsupp/home_homeoffice/products/sep/Sep_SupportTool.exe

System vulnerability can be avoided in the following ways.

Use all three features, i.e. Antivirus/Antispyware, Proactive Threat Protection, Network Threat Protection.

Make sure all three features have the latest definitions.

Upgrade the OS with the latest service pack and Windows updates.

Upgrade third-party software with the latest patches (e.g. Acrobat Reader).

Disable auto-run.

Use the latest Symantec Antivirus version, i.e. RU7 MP1 or 12.1 RU1.

As you said, you are able to remove it manually? Which threat is it? Is Symantec detecting it with a manual scan, or how?

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Edwin_Mu's picture

I am removing it manually from the following:

Registry edit... a couple of things...

c:/users/documents/().exe

Mithun Sanghavi's picture

Hello,

Removing the entries manually does not guarantee that these threats would not reappear.

Registries are not Threats.

I would still recommend you to Run the Symantec Support Tool which may assist you to submit the suspicious files to the Symantec Security Response Team.

https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

Again, could you check: if you log in as a different user, do you see the same issue occurring?

If not, you can simply Delete the Infected User Account (profile) and keep a newer one.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.