Endpoint Protection


HTTP Infostealer Snifula.B Activity detected


  • 1.  HTTP Infostealer Snifula.B Activity detected

    Posted Jul 27, 2010 01:44 PM

    Hi All,

    Can someone please help me resolve this issue? I have searched extensively on the web and have not been able to find a trojan remover program to get rid of this. The advice posted on the following links did not help:

    http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22172
    http://community.norton.com/t5/Norton-Internet-Security-Norton/HTTP-Infostealer-Snifula-B-Activity-detected-every-30-seconds/td-p/198114

    Thanks



  • 2.  RE: HTTP Infostealer Snifula.B Activity detected

    Posted Jul 27, 2010 01:49 PM
    This activity is not a trojan but an attack, so make sure all Windows security updates are installed. Make sure your virus definitions are up to date and scan your machine once in safe mode:
    http://www.symantec.com/security_response/writeup.jsp?docid=2006-110710-2700-99&tabid=3


  • 3.  RE: HTTP Infostealer Snifula.B Activity detected

    Posted Jul 27, 2010 01:55 PM
    If the product is unable to remove the threat with a Safe Mode scan then we don't have a definition for the variant that you have.

    In this case you will need to use some sort of tool to find the hidden executable that is running, more information about rootkits and tools to remove/see them can be found here:

    http://en.wikipedia.org/wiki/Rootkit

    Once you have found the files responsible you can submit them to security response via the usual method and we will update our signatures to detect/remove it.


    EDIT: the above information assumes that the IPS detection that you are seeing refers to the local machine and not a remote IP address.


  • 4.  RE: HTTP Infostealer Snifula.B Activity detected

    Posted Jul 27, 2010 02:04 PM

    It sounds more like the IPS signature blocked it, you may not be infected with anything. Check your security log to determine if this is the case.


  • 5.  RE: HTTP Infostealer Snifula.B Activity detected

    Posted Jul 27, 2010 02:26 PM

    Hi,

    Thanks for the feedback. Under Client Management logs - Security log:

    Event type: intrusion prevention
    Severity: critical
    Direction: Outgoing
    Protocol: TCP

    This sounds like I am infected with something. Any further advice?


  • 6.  RE: HTTP Infostealer Snifula.B Activity detected

    Posted Jul 27, 2010 03:05 PM
    Run a Malwarebytes scan in safe mode.


  • 7.  RE: HTTP Infostealer Snifula.B Activity detected

    Posted Jul 27, 2010 04:44 PM

    Hi Brian,

    I just ran Malwarebytes. Unfortunately nothing was found :(

    @Jeremy: I also tried Sophos Anti-Rootkit and F-Secure Blacklight and also nothing was found.

    Are there any Symantec tools that I can try?

    Thanks


  • 8.  RE: HTTP Infostealer Snifula.B Activity detected

    Posted Jul 27, 2010 04:52 PM
    Is this a continuous detection, or was it detected once?
    Because if it was detected once or twice, then it might have come from some website and would have been blocked. IPS detection does not mean you are actually infected; it means somebody was trying to infect you, but Symantec IPS caught it and blocked it.


  • 9.  RE: HTTP Infostealer Snifula.B Activity detected

    Posted Jul 27, 2010 04:57 PM

    Hi Vikram,

    The message is displayed whenever the browser is opened and also occasionally when browsing. Does this help? Where can I check?

    Thanks


  • 10.  RE: HTTP Infostealer Snifula.B Activity detected

    Posted Jul 27, 2010 05:00 PM
    It means the very first thing you should do is clear your browsing history, temporary internet files, %temp% and Windows\Temp.
    Also remove IE add-ons that are not required or unknown
    from Internet Options - Programs - Manage Add-ons.


  • 11.  RE: HTTP Infostealer Snifula.B Activity detected

    Posted Jul 27, 2010 05:29 PM

    Hi Vikram, thanks for the ideas. I tried this before and have just done it again. Still no luck. Any other ideas?


  • 12.  RE: HTTP Infostealer Snifula.B Activity detected

    Posted Jul 27, 2010 05:33 PM
    Open your browser and, in a command prompt, run netstat; check which IP addresses it is connecting to.
    If you find any unknown or suspicious IP address, block it.


  • 13.  RE: HTTP Infostealer Snifula.B Activity detected

    Posted Jul 27, 2010 06:12 PM

    Hi Vikram, the Network Threat Protection logs seem to provide useful information. When the message pops up there is a log created (direction is outgoing) and it says the application is C:\WINDOWS\system32\ntokrnl.exe. The IP address changes, so blocking it might be tricky.

    Thoughts?
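
    A defender-side version of the netstat check suggested in posts 12 and 13, added here as an example and not taken from anyone's post in the thread: it attributes each outbound TCP connection to the image behind the PID, so the responsible process can be identified even though the remote IP keeps changing. It assumes Windows with netstat.exe on the PATH and PowerShell 2.0 or later; the list of kernel/system image names that should never own a user-mode socket is my own assumption.

```powershell
# Added example: attribute live outbound TCP connections to their owning process with
# netstat -ano, then flag any "process" whose name is a kernel/system image. ntoskrnl.exe
# is the NT kernel image loaded at boot; it never runs as a user-mode process that opens
# sockets, so a socket owner by that name is worth a closer look regardless of the remote IP.
# Assumes Windows, netstat.exe on PATH, PowerShell 2.0+. The name list is an assumption.
$systemOnlyNames = @('ntoskrnl.exe', 'smss.exe', 'csrss.exe')

$results = foreach ($line in (netstat -ano | Where-Object { $_ -match '^\s*TCP\s' })) {
    # netstat -ano columns: Proto  Local Address  Foreign Address  State  PID
    $f = $line.Trim() -split '\s+'
    if ($f.Length -lt 5) { continue }
    $remote = $f[2]; $state = $f[3]; $procId = [int]$f[4]

    # Only live outbound sessions matter here; skip listeners, loopback and unspecified.
    if (@('ESTABLISHED', 'SYN_SENT') -notcontains $state) { continue }
    if ($remote -match '^(127\.|\[::1\]|0\.0\.0\.0)') { continue }

    $proc  = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $image = if ($proc) { "$($proc.Name).exe" } else { '<exited>' }
    $path  = if ($proc -and $proc.Path) { $proc.Path } else { '<access denied or exited>' }

    $note = ''
    if ($systemOnlyNames -contains $image.ToLower()) {
        $note = 'SUSPICIOUS: kernel/system image name owning a network socket'
    }

    New-Object PSObject -Property @{
        Remote = $remote; State = $state; PID = $procId; Image = $image; Path = $path; Note = $note
    }
}

# Sorting by image collapses a changing remote IP onto the one process responsible for it.
$results | Sort-Object Image, Remote | Format-Table Image, PID, Remote, State, Note, Path -AutoSize

# Flagged rows (and their paths) are the evidence to keep alongside any sample submitted
# to Security Response, as post 3 asks.
$results | Where-Object { $_.Note } |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\outbound-flagged.csv"
```

    Run it in an elevated PowerShell while the browser is open and the IPS alert is firing, so the connection is caught in ESTABLISHED or SYN_SENT state.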


  • 14.  RE: HTTP Infostealer Snifula.B Activity detected

    Posted Jul 27, 2010 06:20 PM
    It looks like there might be a rootkit on your system which is using Ntoskrnl.exe to attack other machines on your network. Try disconnecting your computer from the network, then try loading the browser.
    Have you deleted/removed all unknown browser add-ons from IE?


  • 15.  RE: HTTP Infostealer Snifula.B Activity detected

    Posted Jul 28, 2010 03:13 AM

    Hi,

    I am actually using Firefox. I have uninstalled and reinstalled, but still get the same message. Any ideas of tools I can use to identify the rootkit?


  • 16.  RE: HTTP Infostealer Snifula.B Activity detected

    Posted Jul 28, 2010 03:37 PM

    Any more ideas?


  • 17.  RE: HTTP Infostealer Snifula.B Activity detected

    Posted Jul 28, 2010 04:01 PM

    First try running the Norton Power Eraser tool - http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default

    If that fails to find anything try the SERT tool - http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010041515464348

    Thomas


  • 18.  RE: HTTP Infostealer Snifula.B Activity detected
    Best Answer

    Posted Jul 28, 2010 04:09 PM
    You can use a few rootkit revealers/removers like GMER, IceSword 1.2, RootkitRevealer:
    https://www-secure.symantec.com/connect/articles/rootkit-intruder-living-your-kernel


  • 19.  RE: HTTP Infostealer Snifula.B Activity detected

    Posted Aug 13, 2010 11:09 PM

    None of the solutions listed work. I have the same issue as her and the hours of chat logs with clueless Symantec agents to back it up. They will claim over and over again that the problem originates outside of the PC, but here's the deal.
    - Boot up and log in.
    - Wait for your start things to load.
    - Go ahead and connect to the internet.
    - You can do anything as far as uploads and downloads and there are NO attacks. I chatted with a rep for 10 min with 0 attacks. That means that there isn't some evil force out there pinging away at your PC 24/7 just waiting for its moment to strike.
    - Open up either IE or Firefox and immediately there is an attack, followed by another every 30 seconds. That means it's ORIGINATING from my PC. My GUESS is that something that is Windows-connected got infected with something and it's pinging a server in Russia (traced it back), telling it that it's safe to send in the bigger virus or take info or whatever from my IP address. Like a scout telling the main body of troops that it's safe. Then every 60 seconds, no matter what is open or closed, there is an attack.

    Things I tried...
    - Erasure 6 times: twice in normal, safe and safe w/networking.
    - Complete scan 21 times, again seven in each mode.
    - 3 different Symantec reps that couldn't even figure out that it was the browser triggering it and in fact called me a liar until I forced them to sit there and remotely view it happening. Then all I got was "I don't know. Pay 99 dollars for an initial look over and we might charge you more after that", all in broken English of course.
    - Downloaded Chrome on a separate PC, put it on a brand new clean thumb drive.
    - Uninstalled both IE8 and Firefox, then restarted.
    - Loaded Chrome.

    Strangely I didn't get the initial attacks, but I think that's because something in Chrome blocked it. The reason I believe this is because Chrome would freeze up and crash if I typed in a website vs. googling it, or even randomly (I'm guessing that it only seemed random but was probably every 60 sec). On the other hand there were NO attacks.

    Using Chrome I downloaded Firefox, thinking that maybe the complete uninstall and re-install would help. It didn't. The moment Firefox loaded I was getting attacked again. I'm going to attach a copy of the security report...

    If anyone can really help it would be appreciated.

    One more thing to prove it didn't originate outside: I just changed ISPs today from Comcast to AT&T... same problem.


  • 20.  RE: HTTP Infostealer Snifula.B Activity detected