
Redirect infection and Trojan.Gen alert

Created: 17 Nov 2012 • Updated: 23 Nov 2012 | 7 comments

Hi,

Here are the details of my issue with some logs info. I posted questions after that. Any help is greatly appreciated!

Nov 8 or 9: Google redirected me to a suspicious page. The next day, Chrome went crazy, opening a bunch of 'new tabs'.

- Redirected to d37u147w1ofw0w.cloudfront.net and click.livesearchnow.com

- UPDATE (Nov 20): There's a file with cloudfront.net associated to Shockwave Flash. So I disabled the Chrome (Pepper) plugin. No more redirects! Still, Auto-Protect keeps detecting and scanning DWHs and APQs!

Nov 9: SEP pop-up detection: yybqca.dll (Trojan.Gen)

- After running a full scan I was asked to restart the computer

- Once restarted the following box appeared: Top: Run DLL; Message: There is a problem starting c:\user\me\AppData\Local\MicrosoftHelp\yybqca.dll

- On the Event Viewer's Application logs:

Security Risk Found!Trojan.Gen in File: C:\Users\me\AppData\Local\Microsoft Help\Microsoft\yybqca.dll by: Auto-Protect scan. Action: Reboot Required. Action Description: The file was quarantined successfully.

Security Risk Found!Trojan.Gen in File: C:\ProgramData\Symantec\Symantec Endpoint Protection\I2_LDVP.TMP\msl-4408-2 by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Nov 10: New SEP detection pop-up: DWH6730.tmp

- Similar messages continue to appear once or twice a day.

- On the Event Viewer's Application logs:

Security Risk Found!Trojan.Gen in File: C:\Users\me\AppData\Local\Microsoft Help\Microsoft\yybqca.dll by: Auto-Protect scan. Action: Access denied.

Security Risk Found!Trojan.Gen in File: C:\Users\me\AppData\Local\Temp\0.011350514919953758 by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Nov 13: yybqca.dll issue happened again together with new DWH alerts.

- On the Event Viewer's Application logs (Nov 11-13: similar episodes of this, but different DWH…):

Security Risk Found!Trojan.Gen in File: C:\Users\me\AppData\Local\Temp\DWHEDF5.tmp by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Security Risk Found!Trojan.Gen in File: C:\Users\me\AppData\Local\Temp\DWH3139.tmp by: Auto-Protect scan. Action: Delete failed : Leave Alone failed. Action Description:

Security Risk Found!Trojan.Gen in File: C:\Users\me\AppData\Local\Temp\DWH1BC5.tmp by: Auto-Protect scan. Action: Delete failed : Leave Alone failed. Action Description:

Nov 14: Similar episodes, this time APQ… files were detected.

- Now these are in the folder C:\ProgramData\Symantec\SRTSP\Quarantine

- I also ran an MSS scan and it found Trojan:Win32/Tracur.AV, which I deleted.

- I also deleted from SEP all DWH files in the "view quarantine" window.

Nov 15

- After 2 days reading many posts here, it seems that one of my problems is that SEP is rescanning the quarantined files when it installs new definitions. So I set the new definition update for 12pm on Nov 16 (today) and, voila, I didn't have any pop-ups that night! ...Yet I need those new definitions. So my questions:

1. If I delete the rest of the files on the SEP quarantine window, would that eliminate the re-scan issue? (Not sure if that deletes them from the SRTSP folder also, to which I have no access.)

2. The main file I'd like to understand is yybqca; it was the first detected. If I search for that name, at least one site suggests it's related to redirect infections.

3. There is a suggestion on https://www-secure.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder by Ryan_Dasso that: “3rd party software … may be causing SEP to stop trusting DWH files.”

- How could I check if that's the case?

- He writes: "Setup exclusions for SEP's working directories." Me: How do I set up those exclusions?

4. Also, should I uninstall and reinstall Chrome and set new passwords?

5. How do I upgrade to SEP 12?

** I downloaded SEP from my University website (I graduated, so no upgrade). I have: 11.0.6100.463

HUGE THANKS to anyone helping! [Hope the length of the message is useful and not annoying.]
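The Application-log entries quoted above all follow one fixed shape, and the point the thread circles around is that the DWH/APQ files under Temp and the SEP working directories are the quarantine's own files being rescanned, while the original yybqca.dll is the file worth chasing. The script below is an added example, not part of the original post or of Symantec's tooling: it parses lines in that shape (the sample lines are constructed from the ones quoted above; the APQ path is made up), groups them by file path, and separates paths that still need attention (file not actually handled, or hit repeatedly) from quarantine-rescan noise. The category names and the "resolved" heuristic (an Action Description saying the file was quarantined successfully) are this example's own assumptions, not SEP semantics.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: Application-log lines in the same shape as those quoted in the post.
# The APQ entry is invented for illustration; the others mirror the quoted events.
SAMPLE_EVENTS = [
    r"Security Risk Found!Trojan.Gen in File: C:\Users\me\AppData\Local\Microsoft Help\Microsoft\yybqca.dll by: Auto-Protect scan. Action: Reboot Required. Action Description: The file was quarantined successfully.",
    r"Security Risk Found!Trojan.Gen in File: C:\ProgramData\Symantec\Symantec Endpoint Protection\I2_LDVP.TMP\msl-4408-2 by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.",
    r"Security Risk Found!Trojan.Gen in File: C:\Users\me\AppData\Local\Microsoft Help\Microsoft\yybqca.dll by: Auto-Protect scan. Action: Access denied.",
    r"Security Risk Found!Trojan.Gen in File: C:\Users\me\AppData\Local\Temp\0.011350514919953758 by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.",
    r"Security Risk Found!Trojan.Gen in File: C:\Users\me\AppData\Local\Temp\DWHEDF5.tmp by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.",
    r"Security Risk Found!Trojan.Gen in File: C:\Users\me\AppData\Local\Temp\DWH3139.tmp by: Auto-Protect scan. Action: Delete failed : Leave Alone failed. Action Description:",
    r"Security Risk Found!Trojan.Gen in File: C:\ProgramData\Symantec\SRTSP\Quarantine\APQ1A2B.tmp by: Auto-Protect scan. Action: Delete failed : Leave Alone failed. Action Description:",
]

# One regex for the whole event; 'Action Description' is optional because some
# events (e.g. a bare 'Access denied') omit it entirely.
EVENT_RE = re.compile(
    r"^Security Risk Found!(?P<threat>\S+) in File: (?P<path>.+?) by: (?P<scanner>.+?)\. "
    r"Action: (?P<action>.+?)\.(?: Action Description: ?(?P<desc>.*))?$"
)

# DWHxxxx.tmp / APQxxxx.tmp names are SEP's quarantine working files (assumption based on the thread).
WORKING_FILE_RE = re.compile(r"^(DWH|APQ)[0-9A-F]+\.tmp$", re.IGNORECASE)


def classify(path):
    """Label a detected path: SEP's own working file, an unknown Temp file, or a real payload location."""
    p = PureWindowsPath(path)
    parts = [part.lower() for part in p.parts]
    if WORKING_FILE_RE.match(p.name):
        return "sep_working_file"
    if "srtsp" in parts or "symantec endpoint protection" in parts:
        return "sep_working_file"
    if "temp" in parts:
        return "unknown_temp_file"
    return "payload"


def parse_event(line):
    """Parse one 'Security Risk Found!' log line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["desc"] = ev["desc"] or ""
    ev["category"] = classify(ev["path"])
    # Heuristic: only a description saying the file was handled counts as resolved;
    # 'Access denied' or 'Delete failed' with no description means the file is still there.
    ev["resolved"] = "successfully" in ev["desc"].lower()
    return ev


def summarize(lines):
    """Group events by path so repeated hits on the same file stand out."""
    summary = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        entry = summary.setdefault(ev["path"], {
            "threat": ev["threat"], "category": ev["category"],
            "hits": 0, "actions": [], "unresolved": False})
        entry["hits"] += 1
        entry["actions"].append(ev["action"])
        entry["unresolved"] = entry["unresolved"] or not ev["resolved"]
    return summary


def triage(summary):
    """Split paths into those needing manual follow-up and those that are quarantine-rescan artefacts."""
    followup, rescan_noise = [], []
    for path, entry in summary.items():
        if entry["category"] == "sep_working_file":
            rescan_noise.append(path)
        elif entry["unresolved"] or entry["hits"] > 1:
            followup.append(path)
    return sorted(followup), sorted(rescan_noise)


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    fu, noise = triage(s)
    print("Needs follow-up (file still on disk or detected repeatedly):")
    for p in fu:
        print(f"  {p}  hits={s[p]['hits']}  actions={s[p]['actions']}")
    print("Quarantine-rescan artefacts (DWH/APQ files and SEP working directories):")
    for p in noise:
        print(f"  {p}")
```

On the sample input only yybqca.dll lands in the follow-up list: it was hit twice and the second event ended in a bare "Access denied". The DWH/APQ and I2_LDVP.TMP entries are reported as rescan noise regardless of their failed actions, which is the distinction the later replies (exclude SEP's working directories, or stop rescanning quarantine on definition updates) rely on. To use it on a real box, feed it the message text of the Symantec events exported from the Application log instead of SAMPLE_EVENTS.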


pete_4u2002:

1. If I delete the rest of the files on the SEP quarantine window, would that eliminate the re-scan issue? (Not sure if that deletes them from the SRTSP folder also, to which I have no access.)

Upgrade the client to a newer version, or configure it not to scan when new definitions arrive.

2. The main file I’d like to understand is yybqca; it was the first detected. If I browse that name, at least on site suggests it's related to redirect infections.

It could; did you reboot the machine after this detection? The action is not completed against the threat detection.

3. There is a suggestion on https://www-secure.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder by Ryan_Dasso that: “3rd party software … may be causing SEP to stop trusting DWH files.”

- How could I check if that's the case?

- He writes: "Setup exclusions for SEP's working directories." Me: How do I set up those exclusions?

Configure it not to scan when new definitions arrive.

4. Also, Should I uninstall and re-install Chrome and set new passwords?

Install a newer version if the existing one is old. Set a strong password.

5. How do I upgrade to SEP 12?

Upgrading or migrating to Symantec Endpoint Protection 12.1.2 (RU2)

http://www.symantec.com/docs/TECH197426

Michel12:

Thanks for your help. I'll try to follow your recommendation once I'm back home.

One quick question regarding the pop-up Run DLL that appears after I restart the computer.

The message is: c:\user\me\AppData\Local\MicrosoftHelp\yybqca.dll could not be found.

(BTW, I deleted all quarantine files, including yybqca)

If the system detects or classifies the file as missing, it must be because it needs it. So, if I'm getting that message, is it a sign of something corrupt still present on my computer (something that was using the yybqca.dll file)? How should I interpret the fact that the computer is generating that pop-up?

Many thanks!

Simpson Homer:

Kindly contact Support and have a case created to get further help.

Phone numbers to contact Tech Support:


Regional Support Telephone Numbers:
United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000

India: Toll-Free 000 800 4401 456 directly

IDD call: +61 2 8220 7111


Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

Customer Care Contact Numbers for Licensing Issues:

http://www.symantec.com/support/assistance_care.jsp


How to create a new case in MySupport

http://www.symantec.com/business/support/index?page=content&id=TECH58873


Where to upload a suspected File?

https://submit.symantec.com/websubmit/gold.cgi

BAECtechnician:

Hi,

My network has one computer infected with this browser search hijack, which shows up as livesearchnow.

I've tried all Symantec tools and none detect any infection or help clearing the problem.

Clearing browser and returning to default settings works for 5 minutes. I've got a log file from Endpoint Protection Support tool but it shows nothing.

Shall I still open a contact case and upload the file?

I've run out of options!

Thanks in advance for your help.

Kind regards,

BAECtechnician

cus000:

Hi BAE,

If the SEP Support Tool didn't manage to find anything, you'll need to find the sample manually, or create a case and request assistance from Symantec Support.

Most of the time the SEP Support Tool will be able to detect suspicious files (because it connects to the Symantec File Rating db and gives out scores)...

but in certain cases, e.g. where the registry has been altered, a manual fix is required...

P.S.: try disabling browser add-ons one by one... or uninstall suspicious ones

BAECtechnician:

Thanks cus000,

Symantec Support got in contact with me but could not find any issues on the computer in question. The support engineer asked me to run all the Symantec cleaning tools again with him connected to the machine, but to no avail.

Since then the problem has got worse, and the infection that was only on the restricted user side has now taken over the administrator side as well, with some applications now running by themselves as if they were remote controlled!

We've taken the machine off the network, unplugged it from the internet and run hardware diagnostic tests just in case; the hardware is fine.

We are now trying different antivirus products to see if they are any better than Symantec.