Endpoint Protection

  • 1.  URGENT: Can't remove Symantec from PC

    Posted Jan 31, 2016 03:11 AM

    Hello, 


    Yesterday I installed software from a website which, unfortunately, was malicious. Later some unusual things happened on my PC (like Chrome closed or so). I checked Maintenance and Security and found that SEP is snoozing. I tried to activate it, but it said "You cannot activate Symantech. This action is blocked by SEP administrator." 
     

    Later I decided to uninstall Symantec Endpoint Protection and go with basic Windows Defender, but whenever I try to uninstall it, I get an error like " Fatal Error occured could not uninstall file". Later I installed CleanWipe and tried with it. But it said

    "15:28:48    FATAL    Fatal error: Could not copy file C:\Users\MyPC\AppData\Local\Temp\7zOC1F338FC\CleanWipe.db to C:\WINDOWS\Temp\CleanWipe_201601311528318\CleanWipeState.db.
    15:47:52    FATAL    . Error code: 2 (0x2): The system cannot find the file specified." 

    When I try to repair it, I get some fatal error message as well.


    I ran "smc -stop" with Win+R to activate Windows Defender, but it did not make any change. 
    Later I typed start smc stop in the command prompt; it did not work as well. 


    Could you say what would solve all these issues here? 

    Regards, 
    Said 

    I am using Win 10; my SEP is version 12.1.63

     



  • 2.  RE: URGENT: Can't remove Symantec from PC
    Best Answer

    Posted Jan 31, 2016 03:45 AM

    Try removing the SEP client manually by following this article.

    Manually uninstall Endpoint Protection



  • 3.  RE: URGENT: Can't remove Symantec from PC

    Posted Jan 31, 2016 08:00 AM
    Do you have an admin that locked SEP down? CleanWipe is the quickest way. When you extract it, make sure both files are in the same location before running. Are you running it with admin privileges?


  • 4.  RE: URGENT: Can't remove Symantec from PC

    Broadcom Employee
    Posted Feb 01, 2016 10:17 AM

    Hi,

    I would suggest clearing the infection first if it's still there. Run the Threat Analysis Scan with the help of the SymHelp tool. The following article will help you.

    Article: How to run the Threat Analysis Scan in Symantec Help (SymHelp)

    URL: http://www.symantec.com/docs/TECH215519

    The CleanWipe tool should be used as a final solution for the removal of the Symantec Endpoint Protection product. Either support can provide it or you can download it from FileConnect, but you need the product serial number for that.



  • 5.  RE: URGENT: Can't remove Symantec from PC

    Posted Feb 01, 2016 10:44 AM

    Dear All, 

    Thank you for your responses. 

    I tried Seyad's advice, but since it was extremely time-consuming, I gave up somewhere in the "Go to HKEY_CLASSES_ROOT, and delete the following keys if they are present" part in the uninstalling section. Let me note that I could not delete some of the keys even though I found them. After this I tried to uninstall SEP again, but this time Windows got into trouble and shut off. I ran the saved registry and, thankfully, was able to uninstall it (while getting some odd errors). 

    I found out that the "virus" was not malware, but a PUP - that stupid Smartweb adware. Windows Defender could not find it. I followed a recommendation from the Windows community and installed AdwCleaner and Malwarebytes. Adw could not solve it, but Malwarebytes found them and I deleted them.  

    @Brian, there is no admin, both were in the same folder and I was running it as an admin. But I used it again after uninstalling SEP and deleting viruses and it worked. 

    @Chetan, there was no Symantec logo or so. I could never open SEP or anything related on my computer. It was showing as snoozing in the Security and Maintenance menu, but I was never able to turn it on. 

    Thank you for your responses once again. 


     



  • 6.  RE: URGENT: Can't remove Symantec from PC

    Posted Feb 01, 2016 10:47 AM

    So all is now working as expected?



  • 7.  RE: URGENT: Can't remove Symantec from PC

    Posted Feb 01, 2016 11:46 AM

    Yes, that PUP does not open new tabs in my browser and so on. Seems Malwarebytes Pro did its job. And, as might be clear, I do not have SEP now. 
     



  • 8.  RE: URGENT: Can't remove Symantec from PC

    Posted Feb 02, 2016 01:17 AM

    Below I post the report from Malwarebytes that would shed some more light on the issue. @Chetan, perhaps it would be useful if you let your supervisors know about the issue. 

    Registry Keys: 3
    PUP.Optional.Elex, HKLM\SOFTWARE\CLASSES\TYPELIB\{8DD92279-9B04-4C6F-A862-EF3C24603804}, Quarantined, [57d9f44c5940b086fd41abbbbc46f30d], 
    PUP.Optional.Elex, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{8DD92279-9B04-4C6F-A862-EF3C24603804}, Quarantined, [57d9f44c5940b086fd41abbbbc46f30d], 
    PUP.Optional.Elex, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{8DD92279-9B04-4C6F-A862-EF3C24603804}, Quarantined, [57d9f44c5940b086fd41abbbbc46f30d], 

    Registry Values: 4
    PUP.Optional.SimpleFiles, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{751B806C-6A0B-4AFD-8213-1FC605D90DC3}, v2.24|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\SimpleFiles\SimpleFiles.exe|Name=SimpleFiles|, Quarantined, [062afb4587121422a0b1979e09fba15f]
    PUP.Optional.SimpleFiles, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{DD336ECF-DA89-4440-A040-662DADB76201}, v2.24|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\SimpleFiles\SimpleFiles.exe|Name=SimpleFiles|, Quarantined, [5ed2152b11886acccd84fa3bf410cb35]
    PUP.Optional.SimpleFiles, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{280F8143-EFB5-40BF-99BD-D43D98B8D0CD}, v2.24|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\SimpleFiles\downloader.exe|Name=SimpleFiles|, Quarantined, [81af51ef2e6bd75f0a47f5401ce8619f]
    PUP.Optional.SimpleFiles, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{A166A01D-1B91-4A32-8478-4E897AD2FE02}, v2.24|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\SimpleFiles\downloader.exe|Name=SimpleFiles|, Quarantined, [59d79aa6e7b20135cf8270c527dd44bc]

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 3
    PUP.Optional.BundleInstaller, C:\Users\MyPC\AppData\Local\Temp\VfzEJq0gEX.tmp, Quarantined, [52dedc64c1d886b017bd2e9fbf4206fa], 
    PUP.Optional.YourSearching.ShrtCln, C:\Users\MyPC\AppData\Local\Temp\hoxJFVuQqM.exe, Quarantined, [c16fc47c62379f975e4bed03749003fd], 
    PUP.Optional.DeskCut, C:\Users\MyPC\AppData\Roaming\Mozilla\Firefox\Profiles\swbi9k74.default\prefs.js, Good: (), Bad: (deskCutv2@gmail.com), Replaced,[fd33ac942871c5711dd535c7c53f55ab]
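
The "Registry Values" entries in the report above are Windows Firewall rule strings, and reading them field by field shows which programs the bundle had opened to inbound traffic. The following is an added example, not part of the original posts and not Symantec or Malwarebytes tooling; the function names are hypothetical and the sample lines are copied from the report.

```python
import re

# Sample input: one "Registry Keys" line and three "Registry Values" lines,
# copied from the Malwarebytes report in post 8.
REPORT = r"""
PUP.Optional.Elex, HKLM\SOFTWARE\CLASSES\TYPELIB\{8DD92279-9B04-4C6F-A862-EF3C24603804}, Quarantined, [57d9f44c5940b086fd41abbbbc46f30d],
PUP.Optional.SimpleFiles, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{751B806C-6A0B-4AFD-8213-1FC605D90DC3}, v2.24|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\SimpleFiles\SimpleFiles.exe|Name=SimpleFiles|, Quarantined, [062afb4587121422a0b1979e09fba15f]
PUP.Optional.SimpleFiles, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{DD336ECF-DA89-4440-A040-662DADB76201}, v2.24|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\SimpleFiles\SimpleFiles.exe|Name=SimpleFiles|, Quarantined, [5ed2152b11886acccd84fa3bf410cb35]
PUP.Optional.SimpleFiles, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{280F8143-EFB5-40BF-99BD-D43D98B8D0CD}, v2.24|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\SimpleFiles\downloader.exe|Name=SimpleFiles|, Quarantined, [81af51ef2e6bd75f0a47f5401ce8619f]
"""

PROTOCOLS = {"6": "TCP", "17": "UDP"}  # IANA protocol numbers

# Layout in the report: "...FIREWALLRULES|{rule GUID}, <version>|Field=Value|...|, <action taken>"
RULE_RE = re.compile(r"FIREWALLRULES\|(\{[0-9A-Fa-f-]+\}), (v[\d.]+)\|(.*?)\|, ")


def parse_rules(report):
    """Return one dict per firewall-rule line; other report lines are skipped."""
    rules = []
    for line in report.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(3).split("|") if "=" in kv)
        fields.update(Id=m.group(1), Version=m.group(2),
                      Detection=line.split(",", 1)[0].strip())
        rules.append(fields)
    return rules


def exposed_inbound(rules):
    """Active inbound Allow rules on the Public profile: review these first."""
    return [r for r in rules
            if r.get("Action") == "Allow" and r.get("Active") == "TRUE"
            and r.get("Dir") == "In" and "Public" in r.get("Profile", "")]


def summarize(rules):
    """Map each executable to the sorted protocols it was allowed to receive."""
    apps = {}
    for r in rules:
        proto = PROTOCOLS.get(r.get("Protocol"), r.get("Protocol"))
        apps.setdefault(r.get("App", "?"), set()).add(proto)
    return {app: sorted(protos) for app, protos in apps.items()}


if __name__ == "__main__":
    for app, protos in summarize(exposed_inbound(parse_rules(REPORT))).items():
        print(f"{app}: inbound {'/'.join(protos)} allowed on Public profile")
```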



  • 9.  RE: URGENT: Can't remove Symantec from PC

    Posted Feb 02, 2016 08:03 AM

    These files would need to be uploaded to Symantec for review. Can't do much with just a log file.