Endpoint SWAT: Protect the Endpoint Community

  • 1.  istartsurf.com - browser hijacking - startup page on all browsers

    Posted Sep 25, 2014 03:28 AM

    Hi All,

    Found a machine that had this "virus": every time a browser is opened (IE, Firefox, Chrome), istartsurf.com is loaded by default.

    Does anyone know whether this "virus" - istartsurf.com is detected / blocked or removed using SEP?


    Any ideas welcome.

    Thanks




  • 2.  RE: istartsurf.com - browser hijacking - startup page on all browsers

    Broadcom Employee


  • 3.  RE: istartsurf.com - browser hijacking - startup page on all browsers

    Posted Sep 25, 2014 03:46 AM

    @James007, thanks. I have already checked this out, and the site has been online for 2 months now.

    How can I prevent the browsing hijacking using SEP? Note: I use all features except firewall.



  • 4.  RE: istartsurf.com - browser hijacking - startup page on all browsers

    Broadcom Employee
    Posted Sep 25, 2014 04:05 AM

    How many systems are having the problem?

    Have you scanned with the SymHelp tool?

    You can scan your system with the SymHelp tool:

    How to run the Threat Analysis Scan in Symantec Help (SymHelp)

    Article:TECH215519 | Created: 2014-03-03 | Updated: 2014-07-10 | Article URL http://www.symantec.com/docs/TECH215519

    See these URLs:

    http://www.techsupportall.com/how-to-remove-istartsurf-com-search-page-removal-help/

    http://malwaretips.com/blogs/remove-istartsurf-virus/



  • 5.  RE: istartsurf.com - browser hijacking - startup page on all browsers

    Posted Sep 25, 2014 05:03 AM

    Running the SymHelp tool now. Only one system found, but I really don't want to have this spread.

    Will let you know.



  • 6.  RE: istartsurf.com - browser hijacking - startup page on all browsers

    Posted Sep 25, 2014 06:25 AM

    If symhelp or a full SEP scan finds nothing, run AdwCleaner or JRT from bleepingcomputer.com



  • 7.  RE: istartsurf.com - browser hijacking - startup page on all browsers
    Best Answer

    Posted Sep 25, 2014 08:48 AM

    I managed to find registry entries by searching for "istartsurf.com" and deleted them. I also removed some "freeware" and "adware" from the system. I then found that the actual shortcuts to all browsers (IE, Firefox and Chrome) had been modified to open the "istartsurf.com" webpage. I removed the amended entry and all is well again with the browsers.
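    The two artifacts described in the answer above (browser shortcuts with an injected URL, and registry values naming the hijacker) can be hunted with a script rather than by hand. The following PowerShell is an added example and is not code from the thread, from Symantec, or from SEP; the shortcut folders, the registry keys it walks, the `-Indicator` default and the `-Fix` behaviour are this example's own assumptions.

```powershell
# Added example, not from the original thread: hunt for browser shortcuts whose
# arguments were changed to open the hijacker's page, and for registry values
# that mention it. Locations and the -Fix behaviour are assumptions of this
# example, not anything SEP or the thread's author specified.
param(
    [string]$Indicator = 'istartsurf.com',  # string the hijacker leaves behind
    [switch]$Fix                            # strip injected shortcut arguments
)

$shell    = New-Object -ComObject WScript.Shell
$browsers = 'iexplore.exe', 'firefox.exe', 'chrome.exe'
$findings = @()

# Shortcut locations hijackers commonly rewrite (assumed defaults; add your own).
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"  # holds taskbar pins too
) | Where-Object { $_ -and (Test-Path $_) }

foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $exe = [IO.Path]::GetFileName($lnk.TargetPath).ToLower()
        if ($browsers -notcontains $exe) { return }     # only browser shortcuts
        # A clean browser shortcut carries no URL in its arguments; one that does
        # is the hijack, whether or not it names the indicator we are hunting.
        if ($lnk.Arguments -match [regex]::Escape($Indicator) -or
            $lnk.Arguments -match '(?i)https?://|www\.') {
            $findings += [pscustomobject]@{
                Type     = 'Shortcut'
                Location = $_.FullName
                Name     = $lnk.TargetPath
                Value    = $lnk.Arguments
            }
            if ($Fix) { $lnk.Arguments = ''; $lnk.Save() }
        }
    }
}

# Registry areas a start-page hijacker and its bundled installer usually touch
# (assumed list). Values are reported, not deleted: review them before removal.
$regPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main',
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
)
foreach ($path in $regPaths) {
    if (-not (Test-Path $path)) { continue }
    $keys = @(Get-Item $path) + @(Get-ChildItem $path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $val = [string]$key.GetValue($name)
            if ($val -match [regex]::Escape($Indicator)) {
                $findings += [pscustomobject]@{
                    Type = 'Registry'; Location = $key.Name; Name = $name; Value = $val
                }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { "No '$Indicator' artifacts found." }
```

    Run it once without `-Fix` to see what it finds; `-Fix` only blanks the shortcut arguments, because an empty argument list is always correct for a browser shortcut, whereas a registry value or an Uninstall entry needs a human to decide what it belongs to. Two caveats: on 64-bit Windows also check the `Wow6432Node` Uninstall branch, and Chrome and Firefox keep their home page and search settings in profile files (Chrome's `Preferences`, Firefox's `prefs.js`), not in the registry, so those must be inspected separately.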



  • 8.  RE: istartsurf.com - browser hijacking - startup page on all browsers

    Posted Sep 25, 2014 10:14 AM

    ThaveshinP:

    A couple of general bits of advice if I may, based on my own experiences.

    First, set your users to Standard user, not Administrator, on their own system. This prevents most of this adware and related stuff from ever getting installed, since their account has no rights to install software.

    Second, once a system is breached in this way, it might be safer to consider it standard policy to always wipe the machine and put in a fresh image (or manually rebuild). Why? Because the old-school mentality of the system admin thinking he knows better than the craftiest virus authors doesn't apply. Like you, I have spent many hours of my career manually combating the effects of viruses. However, since almost all trojans and viruses these days tend to open a backdoor that then downloads additional malware, the base effect is that your system is completely open to every virus on earth (when you think about it, that really puts things into perspective, doesn't it?). So there's no way we can outsmart them.

    While the concept of "defence in depth" is talked about at times, the less-discussed concept of "offense in depth" is not. Think of it this way: a virus writer makes his stuff do two things. One, install a bunch of commercial adware and other lame money-making gimmicks on your system, and make them relatively easy to find, because the vast majority of non-enterprise system admins won't wipe a system; they'll just chase after symptoms and, once the system "appears" to be OK, they move on. But second, embed more deep-level stuff, rootkits and whatnot, that continues running on that system long after you've moved on.

    I've seen it many times: I spend lots of time trying to manually fix up a system, only to find out that more annoying 54645545.tmp files and so on are being flagged.

    Best to develop a strategy to just wipe systems when this stuff occurs, but to greatly reduce the chance of it occurring, set the user as Standard and not admin.

    Also, I think if you turn off the SEP firewall you also turn off IPS, or maybe just browser-based IPS; I don't know for sure. Consider re-enabling it, as SEP relies heavily on cross-component integration for its success.

    One last note: I went about 1.5 years fighting that stupid Conduit SearchProtect. FINALLY, Symantec has flagged it as malware or a PUP or whatever, and SEP stops it. Your situation sounds exactly like SearchProtect. So keep at Symantec and they'll make signatures for this too.
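    The first piece of advice above (run users as Standard users, not Administrators) is only as good as your knowledge of who is actually in the local Administrators group on each machine. The following PowerShell audits that group and can demote the accounts it flags. It is an added example, not code from the post's author or from Symantec; it uses the ADSI `WinNT` provider so it also runs on older PowerShell versions, and its notion of an "expected" member (the built-in Administrator and any group such as Domain Admins, but no individual user account) is this example's own assumption.

```powershell
# Added example, not from the original post: audit the local Administrators
# group so everyday accounts can be demoted to Standard users, as advised above.
# Uses the ADSI WinNT provider rather than Get-LocalGroupMember so it also runs
# on older PowerShell versions; run it from an elevated prompt. Which accounts
# count as "expected" is this example's assumption: the built-in Administrator
# and any group (e.g. Domain Admins), but not individual user accounts.
param([switch]$Demote)   # actually remove the flagged users from the group

$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members'))

foreach ($m in $members) {
    # Members come back as raw COM objects; read their IADs properties via reflection.
    $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
    $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
    $path  = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)

    $expected = ($class -eq 'Group') -or ($name -eq 'Administrator')
    [pscustomobject]@{ Name = $name; Class = $class; Source = $path; Expected = $expected }

    if ($Demote -and -not $expected) {
        $group.Remove($path)   # the account keeps working, but as a Standard user
    }
}
```

    Run it first without `-Demote` and check the `Source` column: a `WinNT://DOMAIN/user` entry for an everyday user is exactly the case the post warns about. At fleet scale the same outcome is better enforced centrally (for example with Group Policy Restricted Groups) than with a per-machine script, but the audit is still useful for confirming that the policy actually applied.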