
SEP finding virus threat at IP address

Created: 27 Jul 2013 | 5 comments

So I have been receiving daily virus alerts on a client machine for a while now, and the more I look into the matter, the less sense it makes. The machine in question is running Windows XP Pro and SEP 11. The majority of our workstations now run Avast, but this old dinosaur is not really worth purchasing a license for. Anyway, every day SEP generates a virus alert which it labels as SafeStrip. After doing some research on SafeStrip and examining the infected computer and its registry, I have concluded that the threat is definitely not what SEP claims it to be. SafeStrip is extremely intrusive, and this computer exhibits no symptoms whatsoever; also, none of the registry entries which would usually be associated with SafeStrip are present. I started digging deeper, using Process Explorer to try and find a rogue process or something—any sign of some kind of infection—to no success. Still, every single time SEP scans, it generates that same alert and then claims the virus has been successfully deleted, but continues this over and over again. Unfortunately, looking at the properties of the alert tells me nothing; it does not have any information whatsoever except that name “SafeStrip”. I unplugged the computer from the network and ran a full scan, finding, as expected, the same thing. Then I ran an active scan, and this, also, found and deleted “SafeStrip”. Next, I ran another active scan, keeping my eyes glued on the screen, hoping to get some hint of a path where the threat was being detected. To my immense surprise, I spotted the supposed path: 74.125.45.100. Now my general frustration over the matter grew into genuine bewilderment; recall that the computer was, at this point, unplugged altogether from the network. In addition to that, I attempted to ping that IP (from another computer, obviously, which was plugged into the network), and it timed out; I could find absolutely nothing out via the command line about that IP address.
A Google search reveals that that IP is associated with a piece of malware, but none of the entries it is supposed to create on the system are present, and, if they were, I would expect that to be the path in which SEP found the threat. What was SEP actually scanning when it displayed that IP address?


Any suggestions for removal would be much appreciated.


Comments (5)

.Brian:

74.125.45.100 is a Google IP Address.

Have you tried running a secondary scanner such as Symantec Power Eraser or Malwarebytes or Hitman Pro?

The registry/file locations may not be exactly the same as what's in the technical details written up by Symantec. Malware changes its signature quite frequently to avoid detection.

I would proceed with a second opinion scanner first. You can also try the SymHelp tool. See here:

How to collect and submit to Symantec Security Response suspicious files found by the SymHelp utility

Article: TECH203027 | Created: 2013-02-21 | Updated: 2013-05-23 | Article URL: http://www.symantec.com/docs/TECH203027


Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Beppe:

Hello,

Could you attach a piece of the SEP Risk log and a screenshot of the detection? They will allow you and us to learn more about this detection.

Regards,

Giuseppe

Shaneo:

Brian: I do have Malwarebytes Pro running on this computer; the initial MWB scan I ran generated a few alerts, but they do not seem connected, and MWB has, since removing these, produced no further alerts, while SEP continues to generate that same "SafeStrip" alert. The MWB alerts were connected to a piece of malware, vGrabber, which I removed successfully; I guess it's not impossible that these are connected, but, since even running MWB full scan in safe mode no longer produces any results, I tend to believe that it was not connected.


Beppe: Here are the screenshot and the scan log you asked about. The log is from a scheduled full scan done last night, and the screenshot is from an active scan I ran just to grab the shot.

Attachments: sepscreenshot.JPG; scanlog.txt (357 bytes)

.Brian:

Is the location empty? I don't see it showing a file or location of the infection in question. Did MWB show a file location and/or registry location of the infection?


Shaneo:

That's exactly why this has been baffling me so thoroughly. SEP does not produce a location whatsoever. I had to keep my eyes glued to the active scan in order to even come up with that IP address. MWB did show a few file and registry locations, which I looked at manually, only to find that MWB did successfully delete them all (neither the registry entries, nor the files it flagged are there anymore); this is part of why I think the MWB alerts are not connected; the other part is the fact that MWB is no longer finding anything with further scans. It's only SEP which is generating alerts now.

Thanks for your responses.