Endpoint Protection

  • 1.  word2003_onegreen

    Posted May 05, 2009 10:54 AM
    Hi,

    Has anybody seen an infection where a folder called word2003_onegreen is created on the desktop of the user's profile?

    All of the user's \Application Data\ is copied there from his profile, and virus trigger files are also stored there. Even logging on as a domain admin won't allow me to delete the folders.

    Naturally I would normally try to delete it in safe mode, then re-image the machine if that failed.

    Unfortunately, I'm based in the UK and our user is based in China; giving them the local admin passwords to the machine is out of the question, and re-imaging the machine is a last resort because of the shipping times etc.

    I was wondering if anyone had seen similar? The only references I've seen are all written in Chinese, and I'm not fluent :S

    SEP doesn't detect the virus; in fact I think the virus may have disabled SEP, because it had been malfunctioning (multiple rtvscan processes loaded and unable to access the GUI). I had to uninstall it from the machine completely before I could try anything, due to SEP errors flooding the screen.

    The infection installed some hidden non-plug-and-play drivers on the machine, about 6 in total, that Malwarebytes detected and quarantined, but I'm still unable to remove the word2003_onegreen folder due to in-use files.

    Any help would be greatly appreciated.

    Thanks





  • 2.  RE: word2003_onegreen

    Posted May 05, 2009 11:17 AM
    Boot in safe mode, launch IE and remove ALL browser helpers. I wonder if it's not installed as a BHO - so you'll need to get into safe mode, run Trojan Remover as well as the malwarebytes app you have run.
    It's most likely indeed disabled SEP. You'll need to get into safe mode and remove any browser helpers IF that's what has happened. Don't even trust those that appear to be from Adobe - I've seen them claim to be Adobe, but in reality, not.
    It's also possible you have a rootkit situation; if that's the case, you'll have little choice but to get into safe mode as administrator, run TR and manually delete the HIDDEN registry entries and hidden files and folders it's placed. TR will at least alert you to their existence.
    I think Trojan Remover is from Simply Super Software. Sorry, Symantec, there are cases where we need to pull out the six-shooter, as a shotgun may have a nice spread pattern, but limited distance. The other guns are more precisely aimed at specific targets.
    A good mechanic always has another set of tools in the garage just in case.

    IF you can successfully find and quarantine any files, do submit them to Symantec!
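As an added read-only triage script (not from either poster, and not a Symantec or Trojan Remover tool), the following lists the three things discussed in this thread before anything is removed in safe mode: installed Browser Helper Objects and whether their DLLs are signed, kernel (non-PnP) drivers whose image file is missing or not validly signed, and any word2003_onegreen folder under a user profile's desktop. It assumes Windows PowerShell 2.0 or later on the affected machine, run as a local administrator; the folder name and the registry paths are standard, everything else is constructed for this example.

```powershell
# Read-only triage: enumerate BHOs, suspicious kernel drivers and the folder from the thread.
# Assumes Windows PowerShell 2.0+ run as local admin. Nothing here deletes or modifies anything.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-ImagePath([string]$raw) {
    # Normalise the kernel-style paths Win32_SystemDriver reports (\??\C:\..., \SystemRoot\..., relative)
    $p = $raw -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -and -not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Describe-File([string]$path) {
    # MISSING means the registered image is not on disk (typical after a quarantine, or for a hiding rootkit)
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $path
    return "$($sig.Status) $(Split-Path -Leaf $path)"
}

Write-Host '== Browser Helper Objects (CLSID, signature status, DLL) =='
if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
        $dll = [Environment]::ExpandEnvironmentVariables("$dll")
        '{0}  {1}  {2}' -f $clsid, (Describe-File $dll), $dll
    }
}

Write-Host '== Kernel drivers whose image is missing or not validly signed =='
Get-WmiObject Win32_SystemDriver | ForEach-Object {
    $img  = Get-ImagePath $_.PathName
    $desc = Describe-File $img
    if ($desc -notlike 'Valid*') {
        '{0,-20} {1,-8} {2,-10} {3}' -f $_.Name, $_.State, $_.StartMode, $desc
    }
}

Write-Host '== word2003_onegreen folders under user profiles =='
$profileRoot = Split-Path $env:USERPROFILE -Parent
Get-ChildItem -Path $profileRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $hit = Join-Path $_.FullName 'Desktop\word2003_onegreen'
    if (Test-Path -LiteralPath $hit) {
        $n = (Get-ChildItem -LiteralPath $hit -Recurse -Force -ErrorAction SilentlyContinue | Measure-Object).Count
        "$hit  ($n items)"
    }
}
```

Run it from a normal boot first to record what is registered, then again from safe mode; entries that show up only in one of the two runs, or drivers whose image is MISSING while the service still exists, are the ones to review and to submit to Symantec.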