Endpoint Protection

  • 1.  How to remove malware from severely infected system?

    Posted Sep 30, 2016 05:17 AM

    How to remove malware from a system that is severely infected and will not allow any new software (including SEP) to be installed? I can log in to the system (Desktop) but that's pretty much it. Previously, it didn't have SEP installed and thus was unprotected when it got infected. Malware is not allowing any other thing to be done. New security software installation is almost impossible. Running an online virus scanner is also not possible as it has disabled the laptop's keyboard. I formatted the C: drive and did a fresh installation but that didn't help at all. I have E: and F: drives as well but can't format them as they contain important data. The files on the E: and F: drives are most probably infected as well, because that's why, after the fresh installation, the malware reinfected the system. How can I clean and recover my laptop? Any suggestions?



  • 2.  RE: How to remove malware from severely infected system?

    Posted Sep 30, 2016 06:12 AM

    You can use Power Eraser in this situation.

    How to run Symantec Power Eraser with the SymDiag utility

    If Power Eraser is also not working, then your last-resort option is

    Symantec Endpoint Recovery Tool (SERT)



  • 3.  RE: How to remove malware from severely infected system?

    Posted Sep 30, 2016 07:55 AM

    Norton Power Eraser:

    https://security.symantec.com/nbrt/npe.aspx

    SERT has been discontinued and is no longer supported. NPE is the tool to use.



  • 4.  RE: How to remove malware from severely infected system?

    Broadcom Employee
    Posted Sep 30, 2016 01:06 PM

    Hi,

    Symantec Endpoint Recovery Tool 2014 is no longer supported and has been removed from Symantec FileConnect. Please use one of the following alternatives:

    1. To scan workstations use the Norton Bootable Recovery Tool - https://security.symantec.com/nbrt/nbrt.aspx
    2. To scan servers use the Symantec Diagnostic Tool's Threat Analysis Scan with "Scan for root kits" option enabled - 
      About the Threat Analysis Scan in SymDiag - http://www.symantec.com/docs/TECH215550
      Identify suspicious files with the Threat Analysis Scan in SymDiag - http://www.symantec.com/docs/TECH215519
      Using Today's SymDiag to Combat Today's Threats - http://www.symantec.com/connect/articles/using-todays-symhelp-combat-todays-threats

    There are two additional methods of removing malicious code from the drive, if the above are unsuccessful:

    • Physically moving the hard drive to another system
    • Mapping the drive and scanning across an isolated network connection

    You can refer to this guide: http://www.symantec.com/docs/TECH105518



  • 5.  RE: How to remove malware from severely infected system?

    Trusted Advisor
    Posted Oct 02, 2016 11:36 AM

    Hello,

    In your case, if your machine is severely infected and the above steps do not work for you, my advice for you would be the below:

    1) Physically moving the hard drive to another system with AV installed and then running a full scan.

    2) Mapping the drive and scanning across an isolated network connection.

    3) In case the machine is a virtual machine, you may try to revert the snapshot to the older version.

    4) In the case of a physical machine, you may like to perform either a restore from your backup OR a reimage of the machine.

    It is advisable to have a backup of your assets / information of data.

    Regards,



  • 6.  RE: How to remove malware from severely infected system?

    Posted Oct 03, 2016 07:02 AM

    Hi sym_wizard,

    It sounds like the machine is completely out of your control - drastic measures are the only way to confidently regain ownership. Isolating the computer completely from the network and then reformatting and reinstalling from scratch is the best course of action. Ensure it is secure before rejoining the network: fully patched, security software installed, all new strong passwords, etc.

    The Day After: Necessary Steps after a Virus Outbreak
    https://www-secure.symantec.com/connect/articles/day-after-necessary-steps-after-virus-outbreak

    Please do keep this thread up-to-date with your progress!

    With thanks and best regards,

    Mick