
Need Help in getting rid of this virus! Cannot scan in safe mode on vista, cannot install the patch or any program

Created: 20 May 2010 • Updated: 28 Jun 2010 | 18 comments
This issue has been solved. See solution.

Hi Guys, I am not a computer person and need your help with this issue. My computer got this "Infostealer.Snifula.C" (filename: chknon32.dll, Action: left alone, cannot quarantine, cannot delete), "Trojan.Bredolab" (file name: ~TMDOF3.tmp, cleared partially) and a few unnamed risks which were left alone (filenames: 947f9b6-41a17719, jar_cache7042177543918671295.tmp, jar_cache7334530863574069302.tmp. Action: left alone). Other viruses that were quarantined successfully: Bloodhound.Exploit.293 and Trojan Horse, and the one cleaned by deletion: Downloader.

My Symantec 10.2.0.276 could not clear the bugs listed earlier. I tried to run it in safe mode, but the virus scan won't run in safe mode. I tried to avoid using the internet on the infected laptop--did use it for some time though. From this forum, I found that there is a patch which needs to be installed. I downloaded two of them on a pen-drive and tried to install them on my computer, but the virus does not allow the installation application manager (or similar) program to install these two files. It does not let any program like Word or Notepad work. It wants to tempt me to connect to the internet and find an online solution---and thereby transmit the data (that much computer virus stuff, I have started to understand :-).

I don't know what to do. How do I manually get rid of these viruses, without the Symantec scan working in safe mode? I looked on the Symantec website and this dude Infostealer.Snifula.C is not mentioned to exist on the Vista platform. It is written up as a simple bug, but looks like a very smart bug to me. It does not let me do anything, except connecting to the internet. The names of the viruses and locations I had to copy on a different computer, for my reference, as it won't let me open Notepad.

Guys, I will need micro instructions as I am not a software person.
Thanks in advance.


Vikram Kumar-SAV to SEP

1. Download the latest Rapid Release virus definitions, update your SAV client with them, then run the scan.
ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/rapidrelease/sequence/

Open the 3rd folder, then download and run
symrapidreleasedefsi32.exe

Then run a full scan.

2. If there is still no resolution, try running Malwarebytes; it's freeware.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search button. Do use it.

Thomas K

If trying the latest Rapid Release definitions fails, you can try the Norton Power Eraser tool.

http://security.symantec.com/nbrt/npe.asp?lcid=103...

Because the Norton Power Eraser uses aggressive methods to detect these threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully, and only after you have exhausted other options.

SOLUTION
Mick2009

Hi Sunny,

If, because of this infection, you are having trouble running scans inside of Windows, then I advise you to scan without Windows. This can be done by booting to a Linux-based LiveCD which has AV-scanning capabilities.

Here is a video that demonstrates how it works: https://www-secure.symantec.com/connect/videos/symantec-endpoint-recovery-tool-sert

Step-by-step instructions for creating this CD can be found at: How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions (http://service1.symantec.com/support/ent-security....)

If you have a license for SAV rather than SEP, you will need to contact Technical Support for a copy of the .iso file necessary to create this CD. With SEP, you can download it yourself from FileConnect.

Please do let the forum know of your progress!

Thanks and best regards,

Mick

Sunny_Paji

Thanks Vikram, Cycletech and Mick for your guidance. Vikram, I have read some of the other posts and have found them very useful. I have printed some of them to learn more about this world. I am from the medical world :-)

Regarding my problem: I tried downloading the Rapid Release versions. The first time, on both computers (infected and uninfected), it showed the error "some installation files are corrupt. Please download a fresh copy and retry the installation". I downloaded the version from the 4th folder and was able to run it on the uninfected computer. On the infected computer, again the same message as before. During both attempts, it also showed some extraction process and said CRC failed in VIRSCAN.ZIP. The file "???" header is corrupt. The installation process would pause in between. BTW my virus definitions were updated yesterday using LiveUpdate. I don't know the difference between this Rapid Release update and the regular LiveUpdate.

I then downloaded Malwarebytes on the uninfected computer and then, using a flash drive, tried to install it on the infected computer, but the virus would not let it run.

Finally I tried the broad-spectrum anti-viral suggested by Cycletech---the Norton Power Eraser tool. It wanted the internet connection. I was scared, but there was no choice. It found 4 risks: inojaduxoxuxuvi.dll, poronpi.dll, chknon32.dll and command. It has also sent this information to Symantec. It asked to restart the system to fix them. After restart, it was able to get rid of the first two, but not chknon32.dll and command. The good news is that after this, I was able to run Malwarebytes. Currently Malwarebytes is running; it has detected 1 infected object so far. I disconnected the internet just now and am letting it run. Once that part is done, I will install that patch for Vista, which would allow me to go into safe mode. I hope I can get into safe mode and run the scan and get rid of these two bugs. The only fear being, if the broad-spectrum anti-viral was not able to get it out, would Malwarebytes or a safe mode scan be able to get rid of them?

Mick, if none of this works, I might have to try your option. I will have to do it this Saturday--will need some time to understand it. BTW my Symantec anti-virus is the one which I got from my grad school, as our laptops were using the school's wireless system. I don't know what SEP is. Also, I have moved out of the school. They have given us the program on one CD.

Any suggestions friends?
Regards,
Sohag

Vikram Kumar-SAV to SEP

Hi Sohag,

Let us know how it went. These types of malware, when they infect a computer, typically block all security software from loading. So you were unable to delete them; however, since a few of them have been removed now, you can try the normal steps.

Sunny_Paji

Thanks Vikram, Cycletech and Mick!
Malwarebytes found two other pieces of malware named "Malware.Trace" (category: file) and "Rogue.WinAntiVirus" (category: Registry key) and has quarantined both of them. I then could install the patch for Vista that would allow Symantec to run in safe mode. I could extract only one patch (not the other one---I don't know why. I could extract both on the uninfected computer). After that patch, I could run the Symantec scan in safe mode and it did not find any issues. I am currently running the Symantec anti-virus in normal mode and am waiting for the output.

Vikram and friends, my question is that initially the Symantec antivirus could not get rid of 4 different viruses (different file names). Then Norton Power Eraser found 4 other different viruses. Only 1 name was common. It could not get rid of the commonly named file and one other file. Then when I ran Malwarebytes, it found two other pieces of malware and got rid of them. Now Symantec is not showing any of the previous ones. Those previous ones were never shown as "removed"/"deleted"/"quarantined"/taken care of in any other way. Should I assume that the ones which Symantec or Norton Power Eraser was not able to remove (suggesting it was kind of a resistant strain) have been removed? Not only did those viruses have different names, the paths/locations were also different.

For future protection, is a combination of Symantec and Malwarebytes sufficient? My Microsoft Defender does indicate that Firewall protection is on. Do I need a different program for a firewall or for protecting against any other computer micro-organisms :-)? Do you guys recommend any particular open-source name? I don't want my passwords to get stolen. I had one such instance last year, where someone got access to my Yahoo password and changed the password, and also that of another online account.

Thanks for all the guidance,
Regards,
Sohag

Grant_Hall

"For future protection, is a combination of Symantec and Malwarebytes sufficient? My Microsoft Defender does indicate that Firewall protection is on. Do I need a different program for a firewall or for protecting against any other computer micro-organisms :-)? Do you guys recommend any particular open-source name? I don't want my passwords to get stolen. I had one such instance last year, where someone got access to my Yahoo password and changed the password, and also that of another online account."

First off let me start by saying I am not trying to make a pitch for Symantec Endpoint Protection. There are many competing products that offer similar features, but since I am most familiar with SEP I will be talking a little bit about it and the difference between it and SAV.

Ok, so SAV is a classic anti-virus solution. It contains a real-time scanner which can scan the memory and hard drive of the computer (including external drives) for viruses, trojans, etc. SEP includes many new features over its predecessor. Such features include application and device control, which make it so admins can block USB drives, programs, etc. Also it includes a feature called Proactive Threat Protection which protects against zero-day threats. These threats are called that because they are threats that have recently been released into the wild and ones we do not have a definition for. These threats can be stopped by using what is called heuristic detection. This just means that the threats are stopped when they try to access your computer in an unauthorized way. I see this as one of the main features you should look for in choosing a modern anti-virus. Anyway, hopefully this is a very small overview of the difference between what you are running now and what you could/should be running. A more complete overview (many, many pages) can be found in the solution to the thread below.

https://www-secure.symantec.com/connect/forums/com...

I hope this helps,
Grant

Please don't forget to mark your thread solved with whatever answer helped you : )

Sunny_Paji

Thanks Grant for your guidance. I will certainly keep that in mind, if I go for a new anti-virus and anti-spyware program.

I have 2 questions. After all my previous exercises, Symantec Auto-Protect again detected a virus in 3 files in the temp folder. It did not quarantine it and could not clear it; it left it alone. I tried to do a Symantec scan in safe mode and then back again in regular mode---neither of the scans was able to detect the same virus. I tried to scan the temp folder separately as well. Where did the virus go?

Same thing from the previous scans with multiple pieces of software. There were certain virus names which I never saw getting quarantined/deleted/removed; still, I don't see them now with the same software, nor do I see any activity suggesting their presence.

I was wondering if you could guide on this.

Sunny_Paji

Hi Bijay,

You can download it on a flash drive and install it on the infected computer (saving the time spent on the internet). However, when you activate it, it gives two options: scan for risks, and review past repair sessions and undo them. If you don't have internet, you CANNOT scan for risks. What it does is that it first collects information and sends it to Symantec servers, and only then does its job. I connected to the internet only when I was ready to scan for risks, i.e. after installing it on my system--just at the time of running the show.

Gurus might want to add to this.

Vikram Kumar-SAV to SEP

Some files come from the internet / a USB stick or from other computers on your network.
Once the AV has taken any type of action, it blocks them from writing to your machine.

Some files are installed as rootkits and you won't see them under folders in normal view.
However, scanning in safe mode with the latest up-to-date definitions is the best practice, which should eliminate any such infections.

Sunny_Paji

Thanks Vikram,
In my case, recently, the Symantec AV identified the virus in regular mode, could not delete it and left it unchanged. However, in safe mode it was not able to identify it, so no question of deleting it. When I re-ran the scan in safe mode, it was not able to identify any viruses. This all happened recently (after my previous issue was resolved). Could the virus be hiding somewhere?

Vikram Kumar-SAV to SEP

Does it get detected again in normal mode?

Sunny_Paji

Hi Vikram,

That's the strange part: it never got detected after the Auto-Protect detection. Neither in safe mode nor in normal mode. In neither mode, whether running a full scan or a custom scan of the temp folder. During Auto-Protect it was "left alone".

Two days after that instance, again today Auto-Protect detected the same virus in the temp folder with the message "left alone". I have initiated the scan in safe mode. Once, it terminated by itself in a few minutes, showing completed. I initiated the scan again in safe mode and have left the computer on. Currently I am at work. During both instances, the internet was on and I downloaded the Rapid Release before running the scan.

Vikram Kumar-SAV to SEP

Delete all files from %temp% and delete Temporary Internet Files from your browser.

Sunny_Paji

Thanks Vikram, I have deleted all files in the Temp folder of Windows (except 2, for which Windows asked me for special permission and I said "no"), and the temporary files in the browser (IE). However, in Mozilla I could delete only browsing history. I assume the temp files were also deleted along with the browsing history. Do let me know if I need to do something else for Mozilla Firefox. Hope the same virus will not show up again.

Vikram Kumar-SAV to SEP

This much should be enough. Let us know if it comes back again.