Endpoint Protection

  • 1.  Removing w32.mydoom@mm

    Posted Jan 04, 2011 06:17 AM

    Hello,

    Recently my system was affected by this virus & I'm getting lots of failure messages in my Outlook.

    Every time my SEP cleans this, but it comes back again - see attachment.

    So, I just tried to run the removal tool, but I'm getting this error - see attachment.

    Any suggestion, please...

    ~r



  • 2.  RE: Removing w32.mydoom@mm

    Posted Jan 04, 2011 09:52 AM

    Have you tried running the tool in Safe Mode?

    I would start with downloading the latest Rapid Release definitions, boot into safe mode and run a Disk Cleanup (right-click the C drive, Properties, Disk Cleanup) - that will delete all the files that are in these temporary locations, as well as IE's temporary files, etc. Perform a full system scan in safe mode.

    If that fails to detect and remove the threats,

    there are some useful tools provided by Symantec to help with finding those hard-to-detect threats.

    1. The Power Eraser Tool eliminates deeply embedded and difficult-to-remove threats that traditional virus scanning doesn't always detect.

    2. The SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively.

    3. The Load Point Analysis Tool generates a detailed report of the programs loaded on your system. It is helpful in listing common loadpoints where threats can live.

    Rapid Release Virus Definitions –
    http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

    Power Eraser tool –
    http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default

    How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions –
    http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US

    Support Tool with Power Eraser Tool included –
    http://www.symantec.com/business/support/index?page=content&id=TECH105414&locale=en_US

    How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files –
    http://www.symantec.com/business/support/index?page=content&id=TECH141402

    If you are unable to remove the threat(s) from your systems, please submit the suspected files to Symantec for analysis. New signatures will then be created and included in future definition sets for detection.

    http://www.symantec.com/business/security_response/submitsamples.jsp

    Moving this thread to the Security/Endpoint forum for better visibility.

    Thomas



  • 3.  RE: Removing w32.mydoom@mm

    Posted Jan 04, 2011 07:03 PM

    From your screenshot we can't really see whether an inbound message or an outbound message triggers that detection.

    If it's inbound, there's pretty much nothing you can do except warn the sender
    [if you know them].

    If it's outbound, that means something is lurking in your machine.
    Best to ring up support after following the steps advised by cycletech above.



  • 4.  RE: Removing w32.mydoom@mm

    Posted Jan 10, 2011 12:37 AM

    Hi BNH,

    "From your screenshot we can't really see whether an inbound message or outbound message trigger that detection": So, how can I take the screenshot so that you can understand?

    ~r



  • 5.  RE: Removing w32.mydoom@mm

    Posted Jan 10, 2011 12:53 AM

    W32.jpg screenshot in full would be nice.



  • 6.  RE: Removing w32.mydoom@mm

    Posted Jan 10, 2011 01:13 AM

    We first would have to see if this message comes up even after the computer is disconnected from the network or not. If it does not, then we can run a network analyser like Wireshark to find out why the messages are coming.

    If it also comes when disconnected from the network, then we would have to scan the computer using SERT.



  • 7.  RE: Removing w32.mydoom@mm

    Posted Jan 18, 2011 02:54 AM

    Hi,

    BNH - Here the full texts are uploaded in the PDF file... please look.

    And others: the result of NPE (Power Eraser Tool) scanning is in the 2nd attachment.
    But still the message is coming a few times in Outlook.

    How to use SERT? Can you explain the steps to me? Otherwise I have to format the C drive - how bothering!!!

    So, SEP failed to delete this virus permanently???

    Attachment(s): w32_Error.pdf (7 KB)


  • 8.  RE: Removing w32.mydoom@mm

    Posted Jan 18, 2011 05:07 AM

    Hi akaki,

    I strongly recommend removing that client from the network and performing a full system scan with the latest definitions.

    Reboot (preferably in safe mode) and scan it again. Examine the risk history: what actions are being taken? Is it Deleted in all cases? Or is SEP also finding something that is being left alone?

    As was recommended above: if these detections only occur when the computer is connected to the network, then the root of the problem is outside of this computer (an infected computer sending mail, which this client is detecting and blocking).

    The removal tools are not as good as a full system scan in safe mode: those tools are not always up-to-date with definitions against all of the latest known variants.

    Hope this helps!

    Mick
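Added example (not part of Mick's reply or any Symantec tool): a small script that answers the risk-history questions above mechanically, so the same check can be repeated after each scan. It reads a constructed CSV export of a client's risk history; the column names (time, risk, action, path, network) are an assumption made for this example, not SEP's own export layout. The "network" column records whether the machine was on or off the network when the detection fired, which is the test recommended in this thread: a hit while disconnected cannot be an inbound message.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export of a client's risk history. The column names are an
# assumption for this example; SEP's own log export uses its own layout.
SAMPLE_RISK_LOG = """\
time,risk,action,path,network
2011-01-18 09:02,W32.Mydoom.M@mm,Deleted,C:\\Users\\r\\AppData\\Local\\Temp\\msg1.zip,connected
2011-01-18 09:15,W32.Mydoom.M@mm,Deleted,C:\\Users\\r\\AppData\\Local\\Temp\\msg1.zip,connected
2011-01-18 09:40,W32.Mydoom.M@mm,Left alone,C:\\Users\\r\\AppData\\Roaming\\updater.exe,connected
2011-01-18 10:05,W32.Mydoom.M@mm,Deleted,C:\\Users\\r\\AppData\\Local\\Temp\\msg2.zip,disconnected
"""

# Actions that mean the detected file is no longer present on disk.
REMEDIATED = {"Deleted", "Quarantined"}


def parse_risk_log(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def actions_by_risk(rows):
    """Count the actions taken per risk name ("is it Deleted in all cases?")."""
    counts = defaultdict(Counter)
    for row in rows:
        counts[row["risk"]][row["action"]] += 1
    return {risk: dict(c) for risk, c in counts.items()}


def unremediated(rows):
    """Paths whose action was neither Deleted nor Quarantined: files left in place."""
    return [row["path"] for row in rows if row["action"] not in REMEDIATED]


def recurring_paths(rows):
    """Paths detected more than once: the "it keeps coming back" symptom."""
    counts = Counter(row["path"] for row in rows)
    return {path: n for path, n in counts.items() if n > 1}


def offline_detections(rows):
    """Detections logged while the client was off the network. A hit here
    cannot be an inbound message, so the source is on the machine itself."""
    return [row for row in rows if row["network"] == "disconnected"]


def triage(text):
    """Summarise one export into the answers asked for in the thread."""
    rows = parse_risk_log(text)
    offline = offline_detections(rows)
    return {
        "actions": actions_by_risk(rows),
        "unremediated": unremediated(rows),
        "recurring": recurring_paths(rows),
        "offline_hits": len(offline),
        # Constructed verdict rule: any offline hit means a local infection;
        # otherwise the detections are arriving from outside (inbound mail).
        "verdict": "local infection" if offline else "inbound from network",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RISK_LOG), indent=2))
```

On the constructed sample the script reports one file that was left alone and one detection that fired while the client was disconnected, which is exactly the combination that points at the machine rather than at someone else's infected mailer.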



  • 9.  RE: Removing w32.mydoom@mm

    Posted Jan 18, 2011 07:18 PM

    The log looks like it's an NDR being detected.
    MyDoom.M@mm is a known mass mailer, hence you should not be getting a detection when an NDR is received.

    As Mick said,

    update the machine's definitions with the latest Rapid Release, remove it from the network, run a full scan and observe for 15-30 mins post-scan whether detections occur again without connecting it back to your network.

    If the threat is still inside your computer, you will get the same issue again.

    If not, the detection comes from an inbound email, for which I believe you will need to employ a mail security system, i.e. our Symantec Mail Security on your mail server, to shoot down bad email like this.

     
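Added example (not part of the reply above, and not a Symantec product feature): a header-based check that tells an NDR (bounce) apart from an ordinary outbound message, which is the inbound-vs-outbound question raised earlier in this thread. A mass mailer that forges your address as the sender produces a stream of bounces into your mailbox; the infected host is then whoever sent the original, not you. Both sample messages below are constructed for this example, with made-up addresses and hosts.

```python
import email
from collections import Counter

# Constructed sample 1: a non-delivery report (bounce) for a message that
# was never sent from this mailbox; a worm elsewhere forged the From address.
BOUNCE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mail.example.net>
To: r@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This is the mail system at host mail.example.net.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net

Final-Recipient: rfc822; someone@example.org
Action: failed
Status: 5.1.1
--b1--
"""

# Constructed sample 2: an ordinary outbound message with a zip attachment.
OUTBOUND = """\
Return-Path: <r@example.com>
From: r@example.com
To: a@example.org, b@example.org
Subject: hello
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Please see the attached document.
--b2
Content-Type: application/zip; name="document.zip"
Content-Disposition: attachment; filename="document.zip"
Content-Transfer-Encoding: base64

ZGVtbw==
--b2--
"""

BOUNCE_SUBJECTS = ("undeliver", "returned to sender", "delivery status", "failure notice")


def failed_recipients(msg):
    """Pull the addresses that bounced out of any message/delivery-status part."""
    out = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The stdlib parser splits a delivery-status body into one Message
        # per field block (per-message block first, then per-recipient blocks).
        for block in part.get_payload():
            rcpt = block.get("Final-Recipient") or block.get("Original-Recipient")
            if rcpt and block.get("Action", "").strip().lower() == "failed":
                out.append(rcpt.split(";", 1)[-1].strip())
    return out


def classify_message(raw):
    """Return whether the message is an NDR and which indicators said so."""
    msg = email.message_from_string(raw)
    reasons = []
    if msg.get("Return-Path", "").strip() == "<>":
        reasons.append("null return-path")
    sender = msg.get("From", "").lower()
    if "mailer-daemon" in sender or "postmaster@" in sender:
        reasons.append("sender is mailer-daemon/postmaster")
    report_type = (msg.get_param("report-type") or "").lower()
    if msg.get_content_type() == "multipart/report" and report_type == "delivery-status":
        reasons.append("multipart/report delivery-status")
    subject = msg.get("Subject", "").lower()
    if any(key in subject for key in BOUNCE_SUBJECTS):
        reasons.append("bounce-style subject")
    # Requiring two independent indicators keeps one spoofable header from deciding.
    return {
        "is_ndr": len(reasons) >= 2,
        "reasons": reasons,
        "failed_recipients": failed_recipients(msg),
    }


def summarize(raws):
    """Count NDRs versus everything else across a batch of detected messages."""
    counts = Counter("ndr" if classify_message(r)["is_ndr"] else "other" for r in raws)
    return {"ndr": counts["ndr"], "other": counts["other"]}
```

If the detected messages in the Outlook folder all classify as NDRs, the recipients listed in their delivery-status parts are addresses a forged copy of your address was sent to, and the problem is upstream; if they classify as ordinary outbound mail with attachments, the mailer is local and the offline scan in the replies above is the next step.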



  • 10.  RE: Removing w32.mydoom@mm

    Posted Jan 18, 2011 07:38 PM

    Refer to this:

    http://www.symantec.com/security_response/writeup.jsp?docid=2004-072615-3527-99&tabid=3

    It contains the manual removal instructions, which you will use as a reference. Check if the registry entries listed are found on your PC. Then check the running tasks. I suggest you use SysInternals Autoruns for this.

    SEP does show that it cleaned the M variant, but there might already have been some damage done.

    On another note, what do you use to protect your email server(s)? What prevents the malware from reaching your clients' PCs?
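Added example (not part of the reply above, not from the Symantec writeup, and not a feature of Autoruns): a triage pass over an Autoruns CSV export, so the loadpoint check suggested here can be done against a saved report rather than by eye. The column names follow the CSV that autorunsc.exe writes with its -c switch as I recall it and are an assumption for this example; the rows are constructed, and the registry value names you would actually look for come from the writeup, so the lookup helper takes them as a parameter (the "Updater" name used below is a placeholder, not a known Mydoom artefact).

```python
import csv
import io

# Constructed sample in the shape of an autorunsc.exe -c CSV export. The column
# names are an assumption for this example; the rows themselves are made up.
SAMPLE_AUTORUNS = r"""
Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ccApp,enabled,Logon,System-wide,Symantec User Session,(Verified) Symantec Corporation,Symantec Corporation,c:\program files\common files\symantec shared\ccapp.exe,106.0.0.0,C:\Program Files\Common Files\Symantec Shared\ccApp.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,r,,Not signed,,c:\users\r\appdata\roaming\updater.exe,n/a,C:\Users\r\AppData\Roaming\updater.exe
HKLM\System\CurrentControlSet\Services,Spooler,enabled,Services,System-wide,Print Spooler,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\spoolsv.exe,6.1.7600.16385,C:\Windows\System32\spoolsv.exe
""".strip()

# Directory fragments that an ordinary user account can write to. A loadpoint
# whose image lives here deserves a closer look than one under Program Files.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\documents and settings\\")


def reasons_for(row):
    """Return the list of weak indicators that apply to one Autoruns row."""
    if row["Enabled"].lower() != "enabled":
        return []  # disabled entries do not run; handle them in clean-up, not triage
    reasons = []
    if not row["Signer"].lower().startswith("(verified)"):
        reasons.append("not verified-signed")
    if any(marker in row["Image Path"].lower() for marker in USER_WRITABLE):
        reasons.append("image lives in a user-writable location")
    if not row["Description"] and not row["Company"]:
        reasons.append("no description or company metadata")
    return reasons


def triage_autoruns(text):
    """Flag enabled loadpoints that are unsigned AND show another indicator."""
    flagged = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = reasons_for(row)
        # The signature problem alone is not enough: plenty of legitimate
        # vendor tools ship unsigned. Pair it with a second indicator.
        if "not verified-signed" in reasons and len(reasons) >= 2:
            flagged.append({
                "entry": row["Entry"],
                "location": row["Entry Location"],
                "image": row["Image Path"],
                "reasons": reasons,
            })
    return flagged


def find_listed_entries(text, value_names):
    """Locate the registry value names a writeup lists, case-insensitively,
    and report the loadpoint each one was found under."""
    wanted = {name.lower() for name in value_names}
    hits = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["Entry"].lower() in wanted:
            hits[row["Entry"]] = row["Entry Location"]
    return hits


if __name__ == "__main__":
    for item in triage_autoruns(SAMPLE_AUTORUNS):
        print(item["location"], item["entry"], item["image"], "; ".join(item["reasons"]))
    # Placeholder list: substitute the value names from the writeup.
    print(find_listed_entries(SAMPLE_AUTORUNS, ["PLACEHOLDER_VALUE_FROM_WRITEUP"]))
```

Flagged entries are candidates for a closer look (submit the image to Symantec as Thomas suggested), not a verdict; a verified signature from the vendor you expect, on the other hand, is a quick way to move the bulk of a Run-key listing out of the way.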