Endpoint Protection

Reinstall SEP on WIN XP after an uninstall. (Also a new worm discovery)

  • 1.  Reinstall SEP on WIN XP after an uninstall. (Also a new worm discovery)

    Posted Mar 03, 2010 01:35 PM
    Ok so I encountered a worm that seems to either be A) fairly new or B) fairly crafty. Either way, my SEP did not detect the worm as it invaded the computer from a flash drive. I was careless as I did not scan the drive. The worm prevented me from doing much on the computer, as it emulated Memory Write errors in applications. A lot of the currently running programs were crashed, and I was prevented from reopening them. I found some suspicious processes running on the machine, so I used a program to disable suspicious processes on the computer (called Advanced Program Terminator). It stopped the worm from running. (There were a few shortcut files created on the flash drive, such as my pictures, my music, my documents, and a shortcut to a text file called passwords. These all pointed to %flashdriveletter%\kaiez.scr. There were also files called kaiez.exe, kaiez.scr, and an autorun.inf, all disguised as protected system files, and these were stashed inside c:\docs and settings\myusername, as well as inside the root of the flash drive.) I found and deleted these files, as well as the ones created on the flash drive. This killed the worm. However, when I went to check Symantec to see if it detected the files, half of my UI options were grayed out. I rebooted, and the options were still gone. I believe the worm got to the applications data folder, because a lot of the programs that use this folder to store data were reset, as if they had just been installed (foobar2000 music player was one of the programs affected). I uninstalled SEP using Your Uninstaller 2008 Pro, which deletes all traces of a program, from orphaned files to dead reg keys associated with the program. Now I am unable to reinstall SEP client 11 from a silent installer file. I need help to reinstall this application, because this computer is on a very insecure network, where other users are careless, and protection is minimal.
There are no error logs in installation, as it uses a silent installer, which I obtained from my network admin.

    Also, I have saved a copy of the files that infect the docs and settings folder and flash drive inside a rar file, inside another rar file with a readme describing the operations of the worm. I attempted to obtain the autorun file from the GUI, but was denied access. I tried through CMD with admin level privileges, but was still denied access. I cannot add the file to a rar archive either. The file is 1kb however, so I would guess that the contents were something like this:

    [autorun]
    open=kaiez.exe

    Without the autorun.inf, I believe this worm is harmless, unless you run kaiez.exe or .scr.
    Any help in reinstalling SEP from a silent installer would be greatly appreciated, as would an update to your Virus Definition files so that this worm does not spread any more.



  • 2.  RE: Reinstall SEP on WIN XP after an uninstall. (Also a new worm discovery)

    Posted Mar 03, 2010 01:42 PM
    I deleted the virus.zip file. Please do not post virus files on this site. You need to submit these files to Security Response for analysis.

    http://www.symantec.com/business/security_response/submitsamples.jsp

    Thanks,
    Thomas


  • 3.  RE: Reinstall SEP on WIN XP after an uninstall. (Also a new worm discovery)

    Posted Mar 03, 2010 01:50 PM
    Ah alright then. Will do. Any help on the above mentioned issue however? The reinstalling part?




  • 4.  RE: Reinstall SEP on WIN XP after an uninstall. (Also a new worm discovery)

    Posted Mar 03, 2010 01:57 PM
    To create a new custom client installation configuration
    1. Open the Symantec Endpoint Protection Manager console.
    2. On the Admin Tab, under Tasks, click Install Packages.
      The current default client installation packages appear on the right.
    3. Under View Install Packages, click Client Install Settings.
    4. Under Tasks, click Add Client Install Settings.
    5. Specify the name you would like the Client Install Settings group to have.
    6. Give the Client Install Settings group a description.
    7. Select an installation type from the following:
      • Unattended (Displays notification, but requires no user input)
      • Interactive (User input required)
      • Silent (No user input or display)
    8. Select either Restart after installation or No restart after installation.
    9. Select the installation location.
    10. Enable or disable installation logging.
    11. Select whether or not to add the program to the start menu.
    12. Select whether or not to maintain all previous logs, policies, and client-server communication settings.
    13. Click OK.
    See the following KB for complete instructions -

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/c741ec26fa674b1e8825738a0076abf3?OpenDocument


  • 5.  RE: Reinstall SEP on WIN XP after an uninstall. (Also a new worm discovery)

    Posted Mar 03, 2010 02:03 PM
    I cannot access the SEP manager, as I had uninstalled the entire program. All files were deleted from the computer (including reg keys), save for 1 DLL file from the Symantec folder in program files. I believe it was Sysmanres.dll. I attempted to reinstall the SEP from a silent installer, but after an hour and a reboot, there was still no SEP installed on the computer. I know the installer works fine, as I have used it before. I need to know if there is a way to reinstall SEP from the same installer, without reinstalling the OS on the computer.

    Thanks again.


  • 6.  RE: Reinstall SEP on WIN XP after an uninstall. (Also a new worm discovery)

    Posted Mar 03, 2010 02:09 PM
    Well, yes. So when you tried re-installing, it failed without giving any errors.
    But it does create a log file under
    Start - Run - %temp%\SEP_INST.log

    Open the log and search for "return value 3" (the first one).

    Just above that you will find the reason for the failure. If you don't find it, paste 10-15 lines above return value 3 and we should give our inputs.


  • 7.  RE: Reinstall SEP on WIN XP after an uninstall. (Also a new worm discovery)

    Posted Mar 03, 2010 02:12 PM
    Alright, I'll check for the logs and post them in a couple of hours. The computer in question is off of the network at the moment for safety purposes, and out of my reach at this current point in time. Thanks for the help.


  • 8.  RE: Reinstall SEP on WIN XP after an uninstall. (Also a new worm discovery)

    Posted Mar 03, 2010 06:25 PM
    gentMainCA: The product is currently installed.
    AgentMainCA: ERROR: MsiEnumFeatures failed with error 1605
    AgentMainCA: GetInstalledFeatures() failed
    AgentMainCA: 敖楲祦慌杮慵敧敆瑡牵健敲潣普杩(1385) error=643 GetLastError=2
    Action ended 21:41:37: VerifyLanguageFeaturePre.1CBEC0D3_E547_4E51_828B_44B9C47C0EA5. Return value 3.

    I believe the problem is that the product is installed. When it is NOT. I uninstalled it FULLY, down to the last registry key (at least I thought I did, but there seems to be something floating around that is indicating otherwise.) If there are other files that are indicating to the installer that the program is indeed installed, a pointer to them would be nice. I have File assassin, so obtaining permissions to delete these files should be of little issue (I hope).
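
The log triage from post 6 (find the first "Return value 3" and read the lines above it), applied to the excerpt in post 8, as an added example that is not part of the thread. It also re-reads runs of CJK-looking characters as the 8-bit bytes they occupy in UTF-16LE, which turns the unreadable token in that excerpt into an ASCII identifier; the function names and the last two sample lines are constructed for illustration.

```python
import re

# First five lines: the excerpt from post 8, copied as posted.
# Last two lines: constructed, to show that only the FIRST failure is reported.
SAMPLE_LOG = [
    "gentMainCA: The product is currently installed.",
    "AgentMainCA: ERROR: MsiEnumFeatures failed with error 1605",
    "AgentMainCA: GetInstalledFeatures() failed",
    "AgentMainCA: 敖楲祦慌杮慵敧敆瑡牵健敲潣普杩(1385) error=643 GetLastError=2",
    "Action ended 21:41:37: VerifyLanguageFeaturePre."
    "1CBEC0D3_E547_4E51_828B_44B9C47C0EA5. Return value 3.",
    "ConstructedCA: rollback started",
    "Action ended 21:41:40: ConstructedAction. Return value 3.",
]

# Two printable ASCII bytes read as one UTF-16LE code unit land in this range.
WIDE_RUN = re.compile(r"[\u2020-\u7e7e]{2,}")
FAILURE = re.compile(r"return value 3\b", re.IGNORECASE)


def unwiden(run: str) -> str:
    """Re-read a run of wide characters as the narrow bytes behind them."""
    raw = run.encode("utf-16-le")
    # Accept the repair only if every byte is printable ASCII.
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return run


def repair_line(line: str) -> str:
    """Replace each CJK-looking run with its narrow-string reading."""
    return WIDE_RUN.sub(lambda m: unwiden(m.group()), line)


def first_failure(lines, context=15):
    """Return up to `context` lines above the first 'Return value 3', plus it."""
    for i, line in enumerate(lines):
        if FAILURE.search(line):
            return [repair_line(l) for l in lines[max(0, i - context):i + 1]]
    return []


if __name__ == "__main__":
    for entry in first_failure(SAMPLE_LOG):
        print(entry)
```

The byte check is a heuristic: genuine CJK text can also consist of byte pairs that pass it, so treat the result as a narrow string logged as wide only when it reads as a plausible identifier.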


  • 9.  RE: Reinstall SEP on WIN XP after an uninstall. (Also a new worm discovery)

    Posted Mar 04, 2010 12:57 AM
    Well, only delete
    :\Program Files\Symantec
    \Program Files\Common Files\Symantec Shared
    \Docs and settings\all users\application\symantec

    Restart your computer, then try installing again.
    Why is there a Chinese entry? Is this OS in Chinese? Make sure the threat is completely removed...

    If possible, can you attach the full log file?


  • 10.  RE: Reinstall SEP on WIN XP after an uninstall. (Also a new worm discovery)

    Posted Mar 04, 2010 12:00 PM
    On the computer, change the language setting to English under the regional settings,
    then install Symantec Endpoint.


  • 11.  RE: Reinstall SEP on WIN XP after an uninstall. (Also a new worm discovery)

    Posted Mar 05, 2010 06:18 PM
    That is what was in the error log. I set the computer to have the ability to be able to display and write out all the oriental languages, as users frequent sites out of country. That is Japanese, although why it is in an error log, I am unsure. I'll post the logs in a day or two, because I am out of town at the moment, visiting my family.

    Thanks for the help.



  • 12.  RE: Reinstall SEP on WIN XP after an uninstall. (Also a new worm discovery)

    Posted Mar 05, 2010 06:20 PM
    The error log is posted below. I tried the language settings, but still the install failed. The process just disappears.

    Attachment: SEP_INST_11.txt (264 KB)


  • 13.  RE: Reinstall SEP on WIN XP after an uninstall. (Also a new worm discovery)

    Posted Mar 05, 2010 07:06 PM
     VerifyLanguageFeaturePre.1CBEC0D3_E547_4E51_828B_44B9C47C0EA5. Return value 3

    In Windows XP

    1. Open Control Panel
    2. Open Regional and Language Options
    3. Under 'Standards and Formats' select 'US English'
    4. Click OK
    5. Attempt to install SEP11


  • 14.  RE: Reinstall SEP on WIN XP after an uninstall. (Also a new worm discovery)

    Posted Mar 05, 2010 07:10 PM
    If that doesn't fix it, then install the Windows Installer Cleanup Utility.
    Check if any Symantec product is showing up in it.
    Highlight and remove it.

    Download the Windows Installer Cleanup Utility from here:
    http://support.microsoft.com/kb/290301