
Symantec showing a lot of viruses cleaned by deletion

Created: 23 Nov 2012 | 13 comments

Hi,

For the past 2-3 days, we have been seeing a lot of messages from Symantec saying that it has found a virus and cleaned it by deletion. They come continuously and the system becomes very slow. We tried using Norton Power Eraser but it didn't catch any virus. Please help.....

Regards,

Anish


pete_4u2002's picture

Try scanning in safe mode.

Is the threat on the system or from a network system?

pete_4u2002's picture

Identify the machine, scan the machine in safe mode using the latest definitions.

Apply all software updates to the machine.

What's the threat name?

Mithun Sanghavi's picture

Hello,

Could you please provide us a screenshot or upload the Risk Logs, which would assist us in understanding the threat and root cause?

Which version of SEP 12.1 are you running?

Secondly, could you please Disable the System Restore, and run the Full scan again.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Anishk's picture

Hi,

Attached the screenshot... The same issue is now seen in almost all the machines...!!!!

Regards,

Anish

Symantec.jpeg

Mick2009's picture

Hi Anish,

  • Are you isolating all the infected computers from the network?
  • Are you using IPS?
  • Are you using strong passwords throughout your network?
  • Are these computers fully patched?
  • Do you have a mail security product on your Exchange server/mail server?
  • Are you running a full system scan with the latest definitions?
  • Are you using Threat Tracer to find the origin of the attack?

With these best practices, it is possible to bring almost any outbreak under control.

If professional recommendations / analysis of your logs would be of assistance, please do contact Symantec's Technical Support.

Hope this helps!  &: )

With thanks and best regards,

Mick

Anishk's picture

Hi,

No, we have not isolated the infected machine but we are using IPS and also performing a Full scan.

Regards,

Anish

Mick2009's picture

Hi Anish,

Chances are there is a computer on your network which is infected and attempting to infect those it can reach (including this one).

Make sure you are following all of these recommendations:

http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

If you are not using IPS, please add this component- incredibly powerful when it comes to stopping threat-related traffic.

Hope this helps!!

With thanks and best regards,

Mick

Anishk's picture

Hi,

We have disabled all the shares and still the threats keep on coming: a pop-up saying W32.Rontokbro@mm threat detected and cleaned by deletion. It is making the system very slow. We are even facing difficulties uninstalling Symantec, as we thought this would at least stop the threat detection...!!! But we are even unable to uninstall it, as during uninstallation a message comes "to close the threat detection", which we are not able to close. Now, after a long try, we have been able to uninstall the product.

Please help....!!!!!

Regards,

Anish

Mithun Sanghavi's picture

Hello,

It is not suggested to uninstall Symantec Endpoint Protection OR any Security Product when the machine on the network is infected by a Threat.

Could you please upload the Risk Logs, which could assist us in understanding the threats?

Secondly, you may like to check this Thread which may assist you as well - 

https://www-secure.symantec.com/connect/forums/how-delete-0

I would also request you to create a Case with Symantec Technical Support Team for a Faster Assistance on your issue - 

To create a Case, check these - 

How to Create and Validate a MySymantec (previously MySupport) Account

How to create a new case in MySymantec (formerly MySupport)

OR

Regional Support Telephone Numbers:

United States: 800-342-0652 (407-357-7600 from outside the United States)

Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)

United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Ashish-Sharma's picture

Hi,

Security Best Practice Recommendations

http://www.symantec.com/docs/TECH91705

Best practices for responding to active threats on a network

http://www.symantec.com/docs/TECH122466

Security Response recommendations for Symantec Endpoint Protection settings

http://www.symantec.com/docs/TECH122943

Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe

http://www.symantec.com/docs/TECH98360

https://www-secure.symantec.com/connect/forums/your-system-infected-symantec-tools-help-clear-infection

Check this thread

http://www.symantec.com/connect/forums/virus-cleanup-exercise

Thanks In Advance

Ashish Sharma

Mick2009's picture

W32.Rontokbro@mm is a serious threat.  Here's the write-up on it:

http://www.symantec.com/security_response/writeup.jsp?docid=2005-092311-2608-99&tabid=3

Are you using IPS?  There's a specific signature against it that is quite effective.

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=22453

With thanks and best regards,

Mick

guwy's picture

Hello!

Try to run a Top sources attack report; with its help you can identify the source computer of the infection.

On that computer, perform the steps found in the earlier posts.

Br

Arpad
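
The idea behind the "top sources" report suggested in the thread, as an added example that is not part of the original posts and not Symantec's code: rank remote source computers by how many distinct machines reported detections from them, so the likely origin can be isolated first. The column names, host names and log rows are constructed assumptions and are not the SEPM export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows; hypothetical columns, not the SEPM risk-log layout.
SAMPLE_LOG = """time,detected_on,source_computer,risk_name,action
2012-11-20 09:02:11,PC-014,PC-007,W32.Rontokbro@mm,Cleaned by deletion
2012-11-20 09:02:40,PC-021,PC-007,W32.Rontokbro@mm,Cleaned by deletion
2012-11-20 09:05:03,PC-014,PC-007,W32.Rontokbro@mm,Cleaned by deletion
2012-11-20 10:17:55,PC-033,PC-021,W32.Rontokbro@mm,Cleaned by deletion
2012-11-20 10:18:20,PC-009,PC-007,W32.Rontokbro@mm,Cleaned by deletion
2012-11-20 11:44:02,PC-014,,W32.Rontokbro@mm,Cleaned by deletion
"""

def rank_sources(log_text, risk_name=None):
    """Rank sources by distinct targets, then detections, then earliest sighting."""
    stats = defaultdict(lambda: {"targets": set(), "hits": 0, "first_seen": None})
    for row in csv.DictReader(io.StringIO(log_text)):
        source = row["source_computer"].strip()
        if not source:
            continue  # local detection, no remote source recorded
        if risk_name and row["risk_name"] != risk_name:
            continue
        seen = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        entry = stats[source]
        entry["targets"].add(row["detected_on"])
        entry["hits"] += 1
        if entry["first_seen"] is None or seen < entry["first_seen"]:
            entry["first_seen"] = seen
    ranked = sorted(
        stats.items(),
        key=lambda kv: (-len(kv[1]["targets"]), -kv[1]["hits"], kv[1]["first_seen"]),
    )
    return [(src, len(s["targets"]), s["hits"], s["first_seen"]) for src, s in ranked]

if __name__ == "__main__":
    for src, targets, hits, first in rank_sources(SAMPLE_LOG, "W32.Rontokbro@mm"):
        print(f"{src}: {targets} targets, {hits} detections, first seen {first}")
```

A source that is itself listed as a target of an earlier source (PC-021 in the constructed data) is a secondary infection; the machine at the top of the ranking is the one to pull off the network first.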