So I have been receiving daily virus alerts on a client machine for a while now, and the more I look into the matter, the less sense it makes. The machine in question is running Windows XP pro and SEP 11. The majority of our workstations now run Avast, but this old dinosaur is not really worth purchasing a license for. Anyway, every day SEP generates a virus alert which it labels as SafeStrip. After doing some research on SafeStrip and examining the infected computer and its registry, I have concluded that the threat is definitely not what SEP claims it to be. SafeStrip is extremely intrusive, and this computer exhibits no symptoms whatsoever; also, none of the registry entries which would usually be associated with SafeStrip are present. I started digging deeper, using process explorer to try and find a rogue process or something—any sign of some kind of infection—to no success. Still, every single time SEP scans, it generates that same alert and then claims the virus has been successfully deleted but continues this over and over again. Unfortunately, looking at the properties of the alert tells me nothing; it does not have any information whatsoever except that name “SafeStrip”. I unplugged the computer from the network and ran a full scan, finding, as expected, the same thing. Then I ran an active scan, and this, also, found and deleted “SafeStrip”. Next, I ran another active scan, keeping my eyes glued on the screen, hoping to get some hint of a path where the threat was being detected. To my immense surprise, I spotted the supposed path: 74.125.45.100. Now my general frustration over the matter grew into genuine bewilderment; recall that the computer was, at this point, unplugged altogether from the network. In addition to that, I attempted to ping that IP (from another computer, obviously, which was plugged into the network), and it timed out; I could find absolutely nothing out via command line about that IP address. A Google search reveals that that IP is associated with a piece of malware, but none of the entries it is supposed to create on the system are present, and, if they were, I would expect that to be the path in which SEP found the threat. What was SEP actually scanning when it displayed that IP address?
Any suggestions for removal would be much appreciated.