Symantec repeatedly detects and removes an infected file that is not there. Please Advise.
Created: 25 Dec 2010 | 5 comments
Whenever I turn on the computer (and usually after I run Chrome) Symantec pops up claiming to have detected a Bloodhound.Exploit.324 and that it has cleaned/quarantined the file. The only thing is, that file and the directory were deleted a long time ago. Yet, it claims that it detects and removes it every time the computer boots. I considered the possibility that something was spawning it, but have been unable to locate the source. Is it possible that Symantec is simply glitching? I've heard of repeated detections in the past being due to temp files or something. Please advise.
Recurring detections
Hi,
One possibility is MS System Restore. Check if this is turned on and whether it tries to re-establish the file previously removed by the scanner.
The second (and more likely) possibility is that the malware recurs because, when the machine shuts down, it protects itself by writing a randomized file (e.g. a temp file). This happens if an attempt is made to repair the malware but for some reason this fails. As variants of malware are increasing massively, you might have a variant which deviates from the information known to SEP. Hence it repairs it, but a part is missed.
a.) Check if the file is in quarantine and send it to Symantec via https://submit.symantec.com/websubmit/gold.cgi
b.) Change the countermeasure for dealing with malware from "repair" to "clean".
Measure B has helped in the majority of cases I have dealt with in the past. Bear in mind that this also carries the risk that a vital OS file can be wiped, but I have never seen it happen.
Hope this helps.
Sven
Hi,
Remove all the logs from C:\docs and settings\all users\symantec\sep\logs
Run a full scan in safe mode.
Check if that recurs.
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
Hello! Thanks for your quick replies, much, much appreciated! So the countermeasures are already set to "Clean" and unfortunately the file is not in quarantine. I think it must be a false reading because the directory that it's claiming it is in is not even there (and I know cleaning a file seldom removes an entire directory). I tried deleting the logs as Rafeeq said, but when I entered safe mode the detection popped up again. Additionally, I can't actually run Symantec in safe mode; it says there is some error (although RTVScan etc. are running). Thanks again! I'll keep trying.
Are you sure the folder does not reappear and is not hidden? You can check it with Process Monitor, for example. Maybe it is a rootkit?
Moreover, you can use SERT to scan the system offline:
How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions
http://www.symantec.com/business/support/index?pag...
--
Cheers,
Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator
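As an added example (not posted by anyone in this thread), the following PowerShell script checks the three things discussed above on the machine itself: whether the reported directory is really absent once hidden and system attributes are included, whether any entry in the standard HKLM/HKCU Run keys references that path (something "spawning" the file), and whether System Restore points are present. `$ReportedPath` is a placeholder to be replaced with the path shown in the SEP alert.

```powershell
# Added example, not from the original thread.
# $ReportedPath is a placeholder; use the path shown in the SEP alert.
param(
    [string]$ReportedPath = 'C:\PLACEHOLDER\reported\dir'
)

# 1. Does the path exist once hidden and system items are included?
#    A plain Explorer view or "dir" without /a would miss them.
$item = Get-Item -LiteralPath $ReportedPath -Force -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Output "Path not found even with hidden/system items included: $ReportedPath"
} else {
    Write-Output ("Path exists. Attributes: {0}" -f $item.Attributes)
    if ($item.PSIsContainer) {
        # List every child, again including hidden/system files, with timestamps
        # so a freshly rewritten temp file stands out.
        Get-ChildItem -LiteralPath $ReportedPath -Force -Recurse -ErrorAction SilentlyContinue |
            Select-Object FullName, Attributes, LastWriteTime
    }
}

# 2. Does an autorun entry reference the path? This is the usual reason a
#    removed file is recreated at every boot.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -like "*$ReportedPath*" } |
        ForEach-Object {
            Write-Output ("Autorun reference in {0}: {1} = {2}" -f $key, $_.Name, $_.Value)
        }
}

# 3. Are System Restore points present? (Sven's first point: a restore could
#    reinstate the removed file.) Needs an elevated Windows PowerShell session.
try {
    Get-ComputerRestorePoint -ErrorAction Stop |
        Select-Object SequenceNumber, Description, CreationTime
} catch {
    Write-Output "Could not enumerate restore points: $($_.Exception.Message)"
}
```

Run it from an elevated Windows PowerShell prompt; an empty result for all three checks supports the false-positive theory, while a hit in step 1 or 2 points to the recreation source.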
Hi,
In safe mode, open the SEP interface. It would say "service is not running, do you want to run it"; click NO for that. This would open the interface, and then run a full scan.
You can map this C:\ drive on another machine and run a scan.
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq