Endpoint Protection

  • 1.  STNETLIB.EXE HTTP.DLL VIRUS

    Posted Mar 26, 2009 02:22 PM
    Has anyone come across a problem whereby a server or PC has been made unusable due to the program STNETLIB.EXE loading +2000 times in the task manager and crashing the server?

    I have a Windows SBS 2003 server running Symantec AV and SSC 10.2.

    The process called STNETLIB.EXE is appearing in numerous places in the registry and the actual file is shown as hidden in the c:\windows folder.

    The virus (or whatever it is) is doing the following:-

    1. Autospawning and creating thousands of processes in the task manager, eventually crashing the server.
    2. Adding Intel Physical Routine 1.2A =C:\WINDOWS\stnetlib.exe all over the registry.
    3. Disabling the ability to 'view hidden files' within explorer.
    4. Changing the HOSTS file to point all AV provider web pages and liveupdates to 0.0.0.0


    A full AV scan does pick up a file called HTTP.DLL, which it immediately 'cleans by deletion', but it does not pick up STNETLIB.EXE.

    Has anyone come across this, as I am struggling for a cure!!

    Any help greatly appreciated.

    Chris
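
The HOSTS-file tampering described in the post above can be checked for directly. This is an added example, not part of the original thread or any Symantec tool: it parses hosts-file text and reports names mapped to an unspecified or loopback address, marking those under security-vendor domains. The `WATCHED_SUFFIXES` list and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: vendor domain suffixes to watch. Extend with the AV and update
# hosts your environment actually uses.
WATCHED_SUFFIXES = ("symantec.com", "symantecliveupdate.com")
# Names that legitimately resolve to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample, not taken from the affected server.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         liveupdate.symantecliveupdate.com   # unexpected entry
0.0.0.0 WWW.Symantec.com securityresponse.symantec.com
192.168.16.2    sbs2003.example.local
0.0.0.0         ads.example.net
"""

def is_sinkhole(addr):
    """True for 0.0.0.0, ::, 127.0.0.0/8 and ::1; False for anything else."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_unspecified or ip.is_loopback

def audit_hosts(text):
    """Return (line_no, address, hostname, is_watched_vendor) per null-routed name."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2 or not is_sinkhole(fields[0]):
            continue
        for name in fields[1:]:                 # one line may carry several names
            host = name.lower().rstrip(".")
            if host in LOCAL_NAMES:
                continue
            watched = any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)
            findings.append((lineno, fields[0], host, watched))
    return findings

if __name__ == "__main__":
    # On a live Windows host, read C:\Windows\System32\drivers\etc\hosts instead.
    for lineno, addr, host, watched in audit_hosts(SAMPLE_HOSTS):
        tag = "AV/UPDATE HOST BLOCKED" if watched else "null-routed"
        print(f"line {lineno}: {host} -> {addr} [{tag}]")
```

Entries not marked as vendor hosts may be deliberate ad or tracker blocking, so review them rather than deleting them automatically.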


  • 2.  RE: STNETLIB.EXE HTTP.DLL VIRUS

    Posted Mar 26, 2009 02:27 PM



  • 3.  RE: STNETLIB.EXE HTTP.DLL VIRUS

    Broadcom Employee
    Posted Mar 26, 2009 05:18 PM
    Update to the latest rapid release definitions and run a Full Scan in Safe Mode.
     
    Submit any files you have collected to our Security Response team for review:

    (Choose the link that matches your support.)
    https://submit.symantec.com/basic
    https://submit.symantec.com/gold
    https://submit.symantec.com/essential
    https://submit.symantec.com/platinum
    https://submit.symantec.com/bcs

    Title: 'Using Rapid Release virus definitions to update Symantec AntiVirus 10.x or Symantec Client Security 3.x clients and servers'
    Document ID: 2005041813344248
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2005041813344248?Open&seg=ent

    If you need assistance with any of this please feel free to open up a case with Technical Support so that we can assist you further.

    http://www.symantec.com/enterprise/support/contact_techsupp_static.jsp

    -or-

    https://mysupport.symantec.com

    Hope that helps!


  • 4.  RE: STNETLIB.EXE HTTP.DLL VIRUS

    Posted Mar 27, 2009 04:25 AM
    Thanks David.

    Overnight the Symantec Autoprotect picked up backdoor.greybird (stnetlib.exe) numerous times and requested a server reboot to totally remove the virus.

    Since the server reboot the virus appears to have been removed.

    Not entirely sure why autoprotect or full scan did not pick this up earlier in the day.
     
    Appreciate your response.

    Thanks.