Symantec Protection Suites

  • 1.  SEP is giving me a pop up but not any option to do anything about it. Trojan SpyEye Activity detected. [SID: 24235]

    Posted Jun 14, 2011 11:24 AM

    Every 2 minutes a popup occurs on 3 computers in our office stating:

    [SID: 24235] System Infected. Trojan SpyEye Activity detected.

    When I go to the client management logs - Security Log, it shows that this is happening every 1-2 minutes for the last 3 or so hours.


    Event Type: Intrusion Prevention

    Direction: Outgoing

    Protocol: TCP

    Remote Host: this is several different IP addresses

    41.222.11.122

    218.24.113.3

    195.214.238.241

    71.32.80.211

    Different IP addresses for each time an intrusion occurs.


    When I click any one of these logs below it shows

    [SID: 24235] System Infected. Trojan SpyEye Activity detected.
    Traffic has been blocked from this application: C:\Windows\explorer.exe


    What do I do about this? It keeps happening over and over. I have run an active and a full scan and nothing is found??
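    The pattern in this post (one IPS signature, outbound, from explorer.exe, every 1-2 minutes, to a rotating set of remote hosts) is what a beaconing implant looks like from the endpoint's point of view. The script below is an added example, not code from the thread or from Symantec: it summarises exported SEP security-log rows per computer so you can see the check-in cadence, the full set of remote hosts (useful for blocking at the perimeter and for finding other infected machines), and the source process. The sample rows are constructed to match the values in the post, and the CSV column names (Time, Computer, EventType, Direction, Protocol, RemoteHost, Application, SID, Description) are an assumption; rename them to match whatever your SEPM log export actually produces.

```powershell
# Added example (not from the thread). Constructed sample of SEP security-log rows
# in CSV form; the column names are an assumption, adjust them to your export.
$sampleCsv = @'
Time,Computer,EventType,Direction,Protocol,RemoteHost,Application,SID,Description
2011-06-14 08:02:11,WS01,Intrusion Prevention,Outgoing,TCP,41.222.11.122,C:\Windows\explorer.exe,24235,System Infected. Trojan SpyEye Activity detected.
2011-06-14 08:04:09,WS01,Intrusion Prevention,Outgoing,TCP,218.24.113.3,C:\Windows\explorer.exe,24235,System Infected. Trojan SpyEye Activity detected.
2011-06-14 08:06:12,WS01,Intrusion Prevention,Outgoing,TCP,195.214.238.241,C:\Windows\explorer.exe,24235,System Infected. Trojan SpyEye Activity detected.
2011-06-14 08:08:10,WS01,Intrusion Prevention,Outgoing,TCP,71.32.80.211,C:\Windows\explorer.exe,24235,System Infected. Trojan SpyEye Activity detected.
2011-06-14 08:03:40,WS02,Intrusion Prevention,Outgoing,TCP,41.222.11.122,C:\Windows\explorer.exe,24235,System Infected. Trojan SpyEye Activity detected.
2011-06-14 08:05:41,WS02,Intrusion Prevention,Outgoing,TCP,218.24.113.3,C:\Windows\explorer.exe,24235,System Infected. Trojan SpyEye Activity detected.
2011-06-14 09:15:02,WS03,Intrusion Prevention,Incoming,TCP,10.0.0.5,C:\Program Files\Scanner\scan.exe,20000,Unrelated signature (constructed noise row)
'@

function Get-IpsBeaconSummary {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Sid = 24235   # the signature ID from the post
    )
    $Events |
        # Only the outbound hits for the signature of interest; inbound hits and
        # other SIDs are a different investigation.
        Where-Object { [int]$_.SID -eq $Sid -and $_.Direction -eq 'Outgoing' } |
        Group-Object Computer |
        ForEach-Object {
            $rows  = @($_.Group | Sort-Object { [datetime]$_.Time })
            $times = @($rows | ForEach-Object { [datetime]$_.Time })
            # Seconds between consecutive hits. A tight, regular interval is the
            # implant's check-in timer, not user-driven traffic.
            $gaps = @(for ($i = 1; $i -lt $times.Count; $i++) {
                ($times[$i] - $times[$i - 1]).TotalSeconds
            })
            [pscustomobject]@{
                Computer      = $_.Name
                Hits          = $rows.Count
                First         = $times[0]
                Last          = $times[-1]
                MedianGapSec  = if ($gaps.Count -gt 0) {
                                    (@($gaps | Sort-Object))[[int][math]::Floor($gaps.Count / 2)]
                                } else { $null }
                RemoteHosts   = (@($rows.RemoteHost | Sort-Object -Unique)) -join ', '
                SourceProcess = (@($rows.Application | Sort-Object -Unique)) -join ', '
            }
        }
}

$events = $sampleCsv | ConvertFrom-Csv
Get-IpsBeaconSummary -Events $events | Format-Table -AutoSize
```

    Replace `$sampleCsv` with `Import-Csv` over a real export to run this across the whole site. The RemoteHosts column is the list to hand to the firewall team; the SourceProcess column matters because explorer.exe making its own outbound TCP connections is not normal, and points at code injected into that process rather than a standalone binary, which is why a file scan can come back clean while the IPS keeps firing.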



  • 2.  RE: SEP is giving me a pop up but not any option to do anything about it. Trojan SpyEye Activity detected. [SID: 24235]

    Posted Jun 14, 2011 12:30 PM
    I'm having the same problem in my office! I really need help ASAP!!!!!


  • 3.  RE: SEP is giving me a pop up but not any option to do anything about it. Trojan SpyEye Activity detected. [SID: 24235]

    Posted Jun 14, 2011 01:26 PM

    Apparently, your Intrusion Prevention System is blocking malware.

    Here is a thread treating the same problem:

    https://www-secure.symantec.com/connect/forums/trojan-spyeye-detection

    Try a full scan in safe mode. If that doesn't work, I would use Symantec Power Eraser (integrated in the free Symantec Support Tool).




  • 4.  RE: SEP is giving me a pop up but not any option to do anything about it. Trojan SpyEye Activity detected. [SID: 24235]

    Posted Jun 14, 2011 01:48 PM

    I used the free MalwareBytes and it ended up removing it.



  • 5.  RE: SEP is giving me a pop up but not any option to do anything about it. Trojan SpyEye Activity detected. [SID: 24235]

    Posted Jun 14, 2011 02:13 PM

    I am assuming you were running the latest AV signatures. The Power Eraser tool and the SERT utility can usually get these types of threats off your system.


    PE - http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010070913065448

    SERT - http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010041515464348

    Spyeye removal - http://www.symantec.com/security_response/writeup.jsp?docid=2010-020216-0135-99&tabid=3




  • 6.  RE: SEP is giving me a pop up but not any option to do anything about it. Trojan SpyEye Activity detected. [SID: 24235]

    Posted Jun 14, 2011 05:29 PM

    I will try this on the computers that Malwarebytes didn't remove it from.



  • 7.  RE: SEP is giving me a pop up but not any option to do anything about it. Trojan SpyEye Activity detected. [SID: 24235]

    Posted Jun 15, 2011 09:43 AM

    Run the Endpoint Support Tool and run a Load Point Analysis.

    You should be able to find a file in System32,

    either a .dll or a .sys file. Submit that to Symantec, or just move it to a different location, reboot the machine and check.

    About the Load Point Analysis feature in the Symantec Endpoint Protection Support Tool

    http://www.symantec.com/docs/TECH96291



  • 8.  RE: SEP is giving me a pop up but not any option to do anything about it. Trojan SpyEye Activity detected. [SID: 24235]

    Posted Jun 15, 2011 09:50 AM

    C:\windows\system32\drivers\uphcleanhlp.sys

    This is a hidden file. This is the suspicious file in one instance.



  • 9.  RE: SEP is giving me a pop up but not any option to do anything about it. Trojan SpyEye Activity detected. [SID: 24235]

    Posted Jun 15, 2011 10:09 AM

    SERT is not free? It wants me to enter some serial number to download it...?



  • 10.  RE: SEP is giving me a pop up but not any option to do anything about it. Trojan SpyEye Activity detected. [SID: 24235]

    Posted Jun 15, 2011 11:14 AM

    True, you need a valid product serial number to download from Fileconnect.