How to stop antivirus from repeatedly detecting the same threat?

Created: 01 Jun 2012 • Updated: 04 Jun 2012 | 13 comments
This issue has been solved. See solution.

I'm using Symantec antivirus SEP version 12 on Windows 7 64-bit.  Every few minutes a window pops up notifying me SEP has detected a malware threat and tries to quarantine it. It's the same virus every time, "80000000.@"  How do I make this stop?  Any help will be appreciated. Thanks!

Here's the whole story.  I was recently infected by a Trojan that called itself Smart Fortress 2012.  I used MalwareBytes to detect and clean the Trojan by following some instructions from the internet.  After restarting, and thinking everything is ok, SEP pops up this message notifying that it has detected a virus "80000000.@" and tries to quarantine it.  So, I delete it after it gets quarantined.  Then a few minutes later, same message pops up again.  And I tried closing the window leaving this thing in the quarantine.  Didn't work.  The message pops up again a few minutes later.  If I leave the message there without taking any action, then the list of viruses found grows to like 6 or 7 rows long...all exactly the same, 80000000.@

The folder location where SEP found this virus no longer exists on my hard drive.  It was either deleted by MalwareBytes during its cleaning process or it was deleted by SEP when I tried to delete this virus.  Either way, I can't find the folder location so I can't manually delete anything.  I've gone through my Registry looking for suspicious things but didn't find any.  I've uninstalled SEP and reinstalled it.  (Maybe the virus corrupted one of its DLLs?)  That didn't work either.  I've used MSConfig to check startup programs and services but there's nothing suspicious there either.  Googling 80000000.@ didn't yield any results.  On Symantec's website, I don't even know what to search to find out if a solution has already been reported.  "Recurring Virus"?  "Recurring Detection"?  I am at a loss for what to do next.  Please help if you've encountered something like this before. Thank you for reading through all this and thank you in advance for your help.

My computer information:

Win7 64-bit  /  SEP Ver 12.1.1000.157  /  Stand alone desktop PC (not managed)

Image of virus detection pop up message:

pete_4u2002's picture

I suggest deleting the file if it is not required. The file is shown in the path on the detection screenshot you posted. Or select the file and click on the "Remove the risk now" button.

Update SEP with the latest signatures and scan the system in safe mode.

Ashish-Sharma's picture

Hi, check this forum thread; it may help.

https://www-secure.symantec.com/connect/forums/symantec-endpoint-protection-detected-risks-while-you-were-logged-out

http://www.symantec.com/business/support/index?page=content&id=TECH174565

New fixes and features in Symantec Endpoint Protection 12.1 Release Update 1

Unable to disable the "Threats were detected while you were logged out" message
Fix ID: 2608606
Symptom: When a virus is discovered as part of a scheduled scan while the user is logged out, they are notified that threats were discovered when they log in, even if notifications are disabled.  It is not possible for the administrator to disable this message.
Solution: The SEP client was modified to honor the notification settings that are configured by the administrator. If notifications are disabled, the message no longer appears.

Thanks In Advance

Ashish Sharma

deprotinator's picture

Wow, you guys are fast.  Thanks for the quick replies.  I am running a full scan in safe mode now. 

A few observations from your comments.  When my threat detection window comes up, my "Remove Risk" button is inactive.  The only buttons I can click on are "Details" and "Other Actions".  What is the problem here?

Regarding that other thread about the pop up window, I'm definitely experiencing something similar here, except for I'm on a stand alone PC.  Not managed on a company network or anything.  I also don't have a password on my PC so there is no "logging in".  Every time I turn it on, it just goes straight to my desktop.  I don't need to log in as a certain user. 

If I can fix the problem after finishing my full scan in safe mode, I'll be sure to update this topic.  Thanks for your input so far.  If you can think of anything else to try, please let me know.  Thanks!

pete_4u2002's picture

Let us know the result once the scan is completed in safe mode.

Hope the action is set to delete and quarantine for malware detection!

deprotinator's picture

I gave it all night to do a full scan in safe mode and when I woke up this morning, SEP found 3 things.  A tracking cookie which was deleted, the 80000000.@ thing, and another threat with a different name, but also deemed a trojan.  I thought "ah ha!"  That must be the associated virus that keeps running and messing things up on me.  So I deleted everything.  (Again, my "Removes Risks Now" button is grayed out)  I used the "Other Actions" button to do the deletion.

Restarted my computer, let it boot into normal windows, and a few minutes later, the SEP threat detected pop up came up again!  Exact same issue as my first post.  Very disappointed and more confused. If you guys have other ideas to try, please help.  Thanks a lot!

It's great that SEP can find and quarantine this virus, but it doesn't have to pop up a message every time and tell me about it...after I've already closed the window.  What worries me more is that this virus can't be deleted.  There's still a risk that my PC is still infected, but I just can't clean it completely.  Very frustrating.

pete_4u2002's picture

Can you post the risk logs?

I also suggest opening a support case, collecting the load point logs (using the Symantec support tool) and passing them to the Tech executive. They will help you with the request.

deprotinator's picture

Thanks!  I'm trying to open a case, but what is a "Technical Contact ID"?  Or Support Number?  Or Technical Case ID?  It seems I need one of these numbers to open a case.

In the meantime, here are the logs that might be of use.

Attachments:
Risk Log.xls (13 KB)
Network Threat Protection Log.txt (314.7 KB)

deprotinator's picture

Thanks for the link.  I read through that and checked my folders and registry keys.  I do not have those folders/keys they mentioned in the link...unfortunately.  I'm definitely at a loss on what to do now...can't even open a case with Symantec without some tech ID I don't have.  I'm going to uninstall SEP and scan my computer again with AVG.  See how it goes...

pete_4u2002's picture

There should be a kind of patch installed on the system; uninstall that as well.

%Windir%\$NtUninstallKB63471$

Beppe's picture

Hi,

A possible reason not to see those folders and registry keys is a rootkit.

From the Help and Support button of SEP, get the SEP Support Tool, launch it and then run its Power Eraser. It should help you.

Regards,

Giuseppe

BNH's picture

Can we have a sample of that file?

You can send the VBN file located under \Users\All Users\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Quarantine\<numbered_folders> to https://submit.symantec.com/websubmit/retail.cgi .

Thank you.

-- Got new virus ? Try update your defs here : ftp://ftp.symantec.com/AVDEFS/norton_antivirus/rap... --

deprotinator's picture

So as I mentioned in my last post, I uninstalled SEP and installed AVG...no offense Norton folks.  I am concerned that my SEP file may have been compromised by the virus.  I thought a new antivirus might come in and do something a little differently to get rid of the remnants of the old virus, and AVG just happens to be the easiest one to try.  Anyway, I included a screenshot of what AVG found.

As shown here, the good ol' "80000000.@" file was found.  But what surprised me was that it also found a bunch of other stuff.  So, after AVG fixed these issues my computer restarted fine and has been working well ever since. (I've had it on for about 3 hrs now)  I'm not really sure why SEP didn't fix these, but I suspect the virus may have done something to compromise the then current installation of SEP.  Either way, I think my computer is ok now.  Thanks to everyone for their help.  If anyone here would like more information regarding this issue, please let me know.  I'll be happy to forward any screenshots or log files you need. 

SOLUTION