Endpoint Protection

  • 1.  SAV-Corporate Edition Event ID 5 - Trojan Found, Clean Failed, File Missing?

    Posted Apr 01, 2009 02:34 PM
    Log: Application
    Type: Error
    Event: 5
    Agent Time: 3:48:44 pm 31-Mar-09
    Event Time: 7:48:44 pm 31-Mar-09 UTC
    Source: Norton AntiVirus
    Category: None
    Username: N/A
    Computer: LCOC-W6
    Description:
    Virus Found!Virus name: Trojan.Adclicker in File: C:\WINDOWS\system32\udxfytw.sys by: Defwatch scan. Action: Clean failed : Leave Alone succeeded :


    My boss has been receiving alerts/emails like this. With quite a few he has gone in to try to delete the file himself; however, like this one, whenever he browses the directory, the file isn't there. Any ideas?

    Thanks in advance,



  • 2.  RE: SAV-Corporate Edition Event ID 5 - Trojan Found, Clean Failed, File Missing?

    Posted Apr 01, 2009 04:38 PM
    That happens at times with us too. There are also other alerts accompanying this alert that the file has been deleted/quarantined.

    This can also be a downloaded/extracted part of the threat that is loaded into memory and deleted as soon as it should be. So, SEP detected it but couldn't delete it, as it deleted itself before that.


  • 3.  RE: SAV-Corporate Edition Event ID 5 - Trojan Found, Clean Failed, File Missing?

    Posted Apr 02, 2009 09:59 AM
    Thanks for your response,

    Sorry that I didn't fully understand though. We are not receiving alerts that it has been deleted or quarantined yet we get the same alert over and over again, the one pasted above. Do you mean that SEP is able to delete it from the memory or not?

    Sorry, thanks again though.



  • 4.  RE: SAV-Corporate Edition Event ID 5 - Trojan Found, Clean Failed, File Missing?

    Posted Apr 07, 2009 12:33 AM
    What Sandeep is trying to say is that there could be another Trojan or Downloader involved and the alerts you're getting are only the payload. Do the logs indicate if the file you posted is cleaned/deleted/quarantined afterwards, and if there is another alert for a different file being treated? Most AVs would have problems accessing a file if the operating system is currently using it, either reading or writing to it, and would have to wait until the OS is done with it.

    I also suggest you check the Symantec/Norton website for the manual removal instructions. This usually includes making changes to the registry.
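    A defender-side helper, added here and not code from the original thread or from Symantec, that parses Event ID 5 descriptions in the format pasted above and reports files that never got a later successful clean/quarantine/delete, which is the check suggested in this reply. The first sample line is the one from the thread; the repeated alert and the "Downloader.Example" line are constructed.

```python
import re
from collections import defaultdict

# Matches the description field of a SAV/SEP Event ID 5 entry as pasted in the thread.
# Assumption: the "Action:" part lists attempts as "<action> <result>" separated by " : ".
EVENT_RE = re.compile(
    r"Virus name: (?P<name>.+?) in File: (?P<path>.+?) by: (?P<scanner>.+?)\. "
    r"Action: (?P<actions>.+)$"
)

def parse_event(description):
    """Return the fields of one Event ID 5 description, or None if it does not match."""
    m = EVENT_RE.search(description)
    if not m:
        return None
    actions = []
    for part in m.group("actions").split(":"):
        part = part.strip()
        if part:
            action, _, result = part.rpartition(" ")  # e.g. "Leave Alone succeeded"
            actions.append((action, result))
    return {"name": m.group("name"), "path": m.group("path"),
            "scanner": m.group("scanner"), "actions": actions}

def is_remediated(event):
    """True if any attempt on this event actually removed or isolated the file."""
    return any(result == "succeeded" and action.lower() in ("clean", "quarantine", "delete")
               for action, result in event["actions"])

def unresolved_files(descriptions):
    """Group events by path; return {path: alert_count} for files never remediated."""
    by_path = defaultdict(list)
    for d in descriptions:
        ev = parse_event(d)
        if ev:
            by_path[ev["path"]].append(ev)
    return {p: len(evs) for p, evs in by_path.items() if not any(map(is_remediated, evs))}

# Constructed sample: line 1 is the thread's alert, line 2 repeats it, line 3 is invented.
SAMPLE = [
    r"Virus Found!Virus name: Trojan.Adclicker in File: C:\WINDOWS\system32\udxfytw.sys by: Defwatch scan. Action: Clean failed : Leave Alone succeeded :",
    r"Virus Found!Virus name: Trojan.Adclicker in File: C:\WINDOWS\system32\udxfytw.sys by: Defwatch scan. Action: Clean failed : Leave Alone succeeded :",
    r"Virus Found!Virus name: Downloader.Example in File: C:\Temp\dropper.exe by: Realtime Protection scan. Action: Clean failed : Quarantine succeeded :",
]

if __name__ == "__main__":
    for path, n in unresolved_files(SAMPLE).items():
        print(f"{n} alert(s) with no successful remediation: {path}")
```

    The repeated, never-remediated path is the one worth escalating; a path that later shows "Quarantine succeeded" drops out of the report.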


  • 5.  RE: SAV-Corporate Edition Event ID 5 - Trojan Found, Clean Failed, File Missing?

    Posted Apr 07, 2009 03:24 AM
    Or that could be some nasty rootkit that hides itself.
    You can get that HDD out and check it on other computer, or boot and check from LiveCD.