Endpoint Protection


Manual uninstallation of Symantec Antivirus 10.2 possible trojan infection


  • 1.  Manual uninstallation of Symantec Antivirus 10.2 possible trojan infection

    Posted Jul 19, 2010 09:36 AM
    So I was in the process of uninstalling Symantec Antivirus 10.2 on Windows Vista, and I got pretty far. I'm in the last step of deleting the ProgramData\symantec\SRTSP folder and ProgramData\symantec\symantec antivirus corporate edition folder, but it keeps saying I need permission. I have administrator control so I don't know what's going on. I have a feeling that it could be infected with a trojan which might be denying me access to it. When I restarted the computer a couple of times before uninstalling, when Symantec was fully installed, auto-protect was disabled, and when I re-enabled it, auto-protect results would pop up saying I was infected with TrojanFake.AV and that it cleaned it. The infection was in the quarantine folder of Symantec (SRTSP-quarantine), but when I looked there the .tmp file that was supposedly infected wasn't even there. So I was wondering, could this be the reason why I can't finish uninstalling, and is there a solution to this? Please help.


  • 2.  RE: Manual uninstallation of Symantec Antivirus 10.2 possible trojan infection

    Posted Jul 19, 2010 09:40 AM

    Please run a scan with NSS
    ftp://ftp.symantec.com/misc/tools/nss/NortonSecurityScan.exe



  • 3.  RE: Manual uninstallation of Symantec Antivirus 10.2 possible trojan infection

    Posted Jul 19, 2010 09:46 AM
    It says the product is expired and can no longer be used


  • 4.  RE: Manual uninstallation of Symantec Antivirus 10.2 possible trojan infection

    Posted Jul 19, 2010 10:59 AM
    If you must repair the system instead of formatting and reinstalling from scratch, the best way to do it is to plug its hard drive in to another computer as a USB drive using a USB enclosure or adapter. Be sure the other computer is well-protected and then clean it with tools in which you are confident. If you want to be really complete, also load its registry hives in regedit and look in the run sections for auto-run files. It can be difficult or impossible to clean a running system sometimes.


  • 5.  RE: Manual uninstallation of Symantec Antivirus 10.2 possible trojan infection

    Posted Jul 19, 2010 11:56 AM
    It's possible that the detection in the Quarantine directory is a red herring, i.e. related to the rescan of items in Quarantine:

    Title: 'When new virus definitions are in place and the quarantine is being scanned, a DWHxxx.tmp file is created and detected by Auto-Protect'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111911135548

    Were you trying to remove SAV because you suspected an infection?  Have you tried starting in Safe Mode?

    If you are an Enterprise customer with a current support contract, you should be able to download the Symantec Endpoint Recovery Tool ISO via Fileconnect.  This will allow you to burn a bootable disc from which you can scan the drive.

    sandra




  • 6.  RE: Manual uninstallation of Symantec Antivirus 10.2 possible trojan infection

    Posted Jul 19, 2010 12:25 PM
    OK, so an update: I rescanned my computer with two other antivirus malware technologies and they both pointed to the SRTSP folder of Symantec. Here's the output of what Microsoft Security Essentials gave me:


    Trojan: Win32/FakeSpypro

    file:C:\ProgramData\Symantec\SRTSP\Quarantine\APQ4F0A.tmp

    file:C:\ProgramData\Symantec\SRTSP\Quarantine\APQ77F.tmp

    regkey:HKCU@S-1-5-21-1783274142-4070146523-2555629788-1000\Software\Classes\VirtualStore\Machine\Software\avsoft

    regkey:HKCU@S-1-5-21-1783274142-4070146523-2555629788-1000\Software\Classes\VirtualStore\Machine\Software\AVSuite.

    I recognize the AV suite as the thing that attacked my computer before. I cleaned the risk at the time, but apparently there were some remnants left in my Symantec. I remember when it was infected, Symantec didn't detect it. Apparently it removed the risk, but I still can't delete the same two folders because they contain the Quarantine folder.
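
The offline check suggested in post 4, extended to the two registry keys in the scanner output above, as an added example that is not part of any post in this thread. It assumes the suspect disk is attached to a clean machine as `E:`, an elevated PowerShell prompt, and a temporary mount name `HKLM\Offline` (all three are assumptions).

```powershell
# Assumptions (not from the thread): suspect disk = E:, elevated prompt,
# temporary mount point HKLM\Offline.
$Disk    = 'E:'
$Mount   = 'HKLM\Offline'
$RunKeys = 'Microsoft\Windows\CurrentVersion\Run',
           'Microsoft\Windows\CurrentVersion\RunOnce',
           'Wow6432Node\Microsoft\Windows\CurrentVersion\Run'

function Read-OfflineKeys {
    param([string]$HiveFile, [string[]]$SubKeys)
    if (-not (Test-Path $HiveFile)) { return }
    & reg.exe load $Mount $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Cannot load $HiveFile"; return }
    try {
        foreach ($sub in $SubKeys) {
            # reg.exe exits non-zero when the key does not exist in this hive
            $out = & reg.exe query "$Mount\$sub" 2>$null
            if ($LASTEXITCODE -eq 0) {
                New-Object PSObject -Property @{
                    Hive   = $HiveFile
                    Key    = $sub
                    Values = ($out -join "`n").Trim()
                }
            }
        }
    }
    finally {
        # Always release the hive so the suspect disk can be detached cleanly
        & reg.exe unload $Mount | Out-Null
    }
}

# Machine-wide auto-run entries (HKLM\Software on the suspect system)
Read-OfflineKeys "$Disk\Windows\System32\config\SOFTWARE" $RunKeys

foreach ($userDir in Get-ChildItem "$Disk\Users" -Force | Where-Object { $_.PSIsContainer }) {
    # Per-user auto-run entries: HKCU\Software\... is stored in NTUSER.DAT
    Read-OfflineKeys (Join-Path $userDir.FullName 'NTUSER.DAT') `
        ($RunKeys | ForEach-Object { "Software\$_" })
    # HKCU\Software\Classes is stored in UsrClass.dat; these are the two
    # VirtualStore keys named in the Microsoft Security Essentials output
    Read-OfflineKeys (Join-Path $userDir.FullName 'AppData\Local\Microsoft\Windows\UsrClass.dat') `
        'VirtualStore\Machine\Software\avsoft', 'VirtualStore\Machine\Software\AVSuite'
}
```

Any row returned for the `UsrClass.dat` hive means the flagged key is still present on disk; rows for the Run keys list every command that starts automatically and should each map to a file you recognise.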



  • 7.  RE: Manual uninstallation of Symantec Antivirus 10.2 possible trojan infection

    Posted Jul 19, 2010 12:27 PM
    Yes, I was removing it due to the trojan infections. I don't have a current support contract because I received the software through my university. I'll try safe mode, but I tried it in the beginning and I still couldn't get access.


  • 8.  RE: Manual uninstallation of Symantec Antivirus 10.2 possible trojan infection

    Posted Jul 19, 2010 12:46 PM
    Tried removing the folders in safe mode but it still gives me the message "Destination folder access denied" you need special permission. I guess as long as it's not infected anymore I won't worry about it. But if I wanted to install an updated version of Symantec antivirus later on, this would probably affect the process, correct?


  • 9.  RE: Manual uninstallation of Symantec Antivirus 10.2 possible trojan infection

    Posted Jul 19, 2010 12:53 PM

    I would not worry too much about the detections being made in those files.  Ideally you probably should have emptied the Quarantine prior to removal (is there some reason you did not remove SAV via Programs and Features?).  And registry keys are pretty much meaningless if there are no files for them to call.

    For future reference, if you suspect a trojan, one thing you probably don't want to do is remove your AV solution.  Was it that SAV could no longer be updated?

    Are you able to tell who does own the files?

    ...if I wanted to install an updated version of symantec antivirus later on, this would probably affect the process correct?

    Not sure, to be honest.  If the System account owns them it might not make a difference.

    sandra
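
One way to answer the ownership question above, as an added example that is not part of any post in this thread. The two folder paths are the ones named in the thread; the English group name `BUILTIN\Administrators` is an assumption.

```powershell
# Folder names come from the thread; C: as the drive is taken from the scanner
# output quoted in post 6.
$Targets = 'C:\ProgramData\Symantec\SRTSP',
           'C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition'

function Get-OwnershipReport {
    param([string[]]$Path)
    foreach ($root in $Path) {
        if (-not (Test-Path $root)) { Write-Warning "Not found: $root"; continue }
        # The folder itself plus everything beneath it, hidden items included
        $items = @(Get-Item $root -Force) +
                 @(Get-ChildItem $root -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $row = @{
                Path           = $item.FullName
                Owner          = '<unreadable>'
                InheritanceOff = $null
                Administrators = ''
                Error          = ''
            }
            try {
                $acl = Get-Acl -Path $item.FullName -ErrorAction Stop
                $row.Owner          = $acl.Owner
                # True means the ACL is set explicitly and ignores the parent folder
                $row.InheritanceOff = $acl.AreAccessRulesProtected
                # Assumption: English Windows, where the group is BUILTIN\Administrators
                $row.Administrators = ($acl.Access |
                    Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Administrators' } |
                    ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }) -join '; '
            }
            catch {
                # Failing to read the ACL at all is itself a finding
                $row.Error = $_.Exception.Message
            }
            New-Object PSObject -Property $row
        }
    }
}

Get-OwnershipReport -Path $Targets | Format-List Path, Owner, InheritanceOff, Administrators, Error
```

An owner such as `NT AUTHORITY\SYSTEM` with `InheritanceOff` set to True and an empty `Administrators` column is consistent with the "access denied" message reported in post 8 for an administrator account.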


  • 10.  RE: Manual uninstallation of Symantec Antivirus 10.2 possible trojan infection

    Posted Jul 19, 2010 01:21 PM
    Run Norton Power Eraser first then remove/Install SAV/SEP
    http://security.symantec.com/nbrt/npe.asp


  • 11.  RE: Manual uninstallation of Symantec Antivirus 10.2 possible trojan infection

    Posted Jul 19, 2010 11:41 PM
    When I tried to uninstall SAV it wouldn't do it through the uninstall shield that came with my SAV or through the Programs and Features. The actual quarantine folder, when I run the SAV program, said that it was empty, but when I looked in the quarantine folder under the SRTSP folder there were tmp files in there that were infected with the trojan. Also I noticed that when I tried to scan my computer with other software they usually froze when they got to the C:\ProgramData\Symantec\SRTSP\xxx.tmp files...this led me to uninstall SAV. I don't know who owns the files, but as I said before, after I removed the bulk of SAV (registry values etc...) and scanned again with the program I said before and had that program delete those .tmp files that were infected, my computer has been running fine. I just think that when my computer got infected the first time with the AV suite trojan it attacked SAV as well (even though it was kept up to date via live update).


  • 12.  RE: Manual uninstallation of Symantec Antivirus 10.2 possible trojan infection

    Posted Jul 20, 2010 12:10 AM
    I tried that at the beginning, but for some reason the power eraser didn't pick up the trojans when I did a directory scan, and as I stated above the normal methods of uninstalling SAV weren't working (either it would freeze, or roll back any changes it made when it tried to delete SAV (SAV uninstall shield)). The folders are just the remnants of SAV that I tried to delete from the hard drive...as long as they're still scannable through my other malicious software protection I won't worry about it.


  • 13.  RE: Manual uninstallation of Symantec Antivirus 10.2 possible trojan infection

    Posted Jul 20, 2010 12:17 AM
    Thanks everyone for your help!