Symantec Encryption Product Community


Personal Internet Security 2011 Malware

  • 1.  Personal Internet Security 2011 Malware

    Posted Jan 24, 2011 03:29 PM

    I am stationed in Germany and my wife is in the US. She and the kids managed to get Personal Internet Security 2011 Malware on the computer, and it is malware/virus. She has an up-to-date Symantec product as of yesterday, and it does not see this problem or fix it. What should I do to get rid of it via the phone to my wife?

    V/r CDR John Keating



  • 2.  RE: Personal Internet Security 2011 Malware

    Posted Jan 24, 2011 03:34 PM

    First, make sure you have the latest definitions.

    Once you have the new definitions, boot into safe mode and run a Disk Cleanup (right-click the C drive, Properties, Disk Cleanup) - that will delete all the files that are in these temporary locations, as well as IE's temporary files, etc. Perform a full system scan in safe mode.

    If that fails to detect and remove the threats, try the Power Eraser Tool; it eliminates deeply embedded and difficult-to-remove threats that traditional virus scanning doesn't always detect.



  • 3.  RE: Personal Internet Security 2011 Malware

    Posted Jan 24, 2011 03:35 PM

    A quick fix would be to try Hitman Pro or Malwarebytes. Both are second opinion malware scanners.




  • 4.  RE: Personal Internet Security 2011 Malware

    Posted Jan 25, 2011 01:14 AM

    Hi,

    If you are sure that SEP has latest virus definitions, boot the computer in safe mode with networking and run a full system scan using Symantec Endpoint Protection.

    When you click on "Scan for threats" in the Symantec Endpoint Protection console you would get a warning like:

    "It appears that the Symantec Management Client service is not running. You will not be able to manage network protection settings through the main user interface until it is running. Do you want to start the service now?"

    Click No to that message, continue the scan and wait until it finishes; it will catch the viruses and fix them.

    Please let me know if it helped you.

    Thanks and Regards,

    KK



  • 5.  RE: Personal Internet Security 2011 Malware

    Posted Jan 25, 2011 04:11 PM

    It is always better to try the above suggestions first. This sounds like a low-level malware I've been seeing, though. If the antivirus software does not detect it, which I've found to happen, I use a 'dedicated adware remover'.

    This malware (fake security software) is usually only installed in the original user's profile. The makers are trying to achieve payload (annoyance) under a non-administrative environment. Therefore the malware is never really deep-rooted.

    If the fake security software will not let you install any anti-malware products (some are annoying like that), you may have to try from another user account.

    I use AdAware SE (Free Version). This has always worked for me. It's made by a company called LavaSoft. Brain81 has a couple of good product suggestions also.



  • 6.  RE: Personal Internet Security 2011 Malware

    Posted Feb 01, 2011 09:26 AM

    Personal Internet Security 2011 loads shortly after the OS, and has a kill switch embedded into it that terminates any of your cut-and-dried AV programs, like MalwareBytes and Endpoint, because it loads its executable before they can.

    The key is to have her hit ctrl+alt+del as soon as the desktop appears and then kill the process, which you will easily recognize if you are familiar with Windows processes. Then run Endpoint and MalwareBytes to clean the drive. And Symantec, because this virus is Adware, often doesn't pick it up.



  • 7.  RE: Personal Internet Security 2011 Malware

    Posted Feb 11, 2011 09:37 AM

    It got through an updated Endpoint on a client machine yesterday. We'll see how the safe mode scan and remove works - but considering that this thread was started Jan. 24th, I'm wondering how it can be verified if this particular malware is now being picked up or not?



  • 8.  RE: Personal Internet Security 2011 Malware

    Posted Feb 11, 2011 09:42 AM

    It depends.

    FakeAV is re-coded multiple times per day, hundreds of times per week. New variants are always coming out.

    Your best bet is to submit it to Symantec and run it through a site like virustotal.com or threatexpert.com to see what they show.



  • 9.  RE: Personal Internet Security 2011 Malware

    Posted Feb 11, 2011 09:44 AM

    @randgust, are you running the latest definitions? Are you running the recommended SEP security settings in your environment? If you have a sample, please submit it to Security Response ASAP. The engineers can then analyze the risk and see if this is a new variant. If it is, then new detections will be added.

    Security Response recommendations for Symantec Endpoint Protection settings

    http://www.symantec.com/business/support/index?page=content&id=TECH122943&locale=en_US

    Submit Virus Samples

    http://www.symantec.com/business/security_response/submitsamples.jsp


    Best,

    Thomas



  • 10.  RE: Personal Internet Security 2011 Malware

    Posted Feb 11, 2011 03:38 PM

    This is a most impressive variant.  BTW this is Win7 Pro, 64-bit, and automatically updated and current.

    Endpoint is disabled from startup but can be manually restarted, although scans have no response. Nothing unusual shows in the logs - I can view them, and it was last updated with signatures yesterday (2/10/11 at 11 AM). Safe mode runs with no popups, not sure why. Task manager is disabled in regular and safe mode. REGEDIT works, I think, and I can still access the CD-ROM. Windows Update is disabled. While I can still get to the Internet, when I tried to download Malwarebytes, it diverted me to another website... which is impressive because there is no entry in the proxy server connection in IE8. Don't know if the installer has been compromised.

    System restore has been compromised and it appears that the previous restore points have been erased.

    Endpoint says, on its status page, that all antispyware and antivirus are disabled. "Fix" is disabled. "File System AutoProtect" is not functioning correctly.

    At this point I'd even appreciate a recommendation on a trusted hunter-killer program that can be downloaded to CD-ROM and run... remembering that task manager is DOA, so any fix that relies on that is equally unusable.

    Not sure how you'd submit anything when it apparently didn't detect anything and the quarantine is empty as well.



  • 11.  RE: Personal Internet Security 2011 Malware

    Posted Feb 11, 2011 03:41 PM

    You need to run a second opinion scanner such as Hitman Pro or Malwarebytes in safe mode. I recommend Hitman Pro. Once the scan completes, it will show the infector file(s) and you can zip them up and submit before deleting.



  • 12.  RE: Personal Internet Security 2011 Malware

    Posted Feb 11, 2011 03:43 PM

    I would run the SERT tool to get rid of this pesky bug.

    How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

    http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US


    Video - https://www-secure.symantec.com/connect/videos/symantec-endpoint-recovery-tool-sert



  • 13.  RE: Personal Internet Security 2011 Malware

    Posted Feb 11, 2011 04:46 PM

    Downloaded the 64-bit Hitman Pro scan to CD (downloading it directly diverted me again to the Hitman game, nice touch); it gets to the scan and just freezes. Since I can't run task manager there's no telling what's going on. I'll try the recovery tool, but it's looking like put-in-a-new-hard-drive-and-reload-the-computer time here. Just glad I tried the free download scan first... but I've been to this rodeo before and sometimes the horse wins.

    I suspect the client is going to have me cut their losses and just install a fresh HDD and a full system reinstall here, so if anybody from Symantec wants the entire HDD to do a forensic on this thing, contact me.



  • 14.  RE: Personal Internet Security 2011 Malware

    Posted Feb 11, 2011 05:23 PM

    It is odd that it is not letting Task Manager run in Safe Mode.

    You could try running Rkill to see if it will stop the Malware from running and let you get into Task Manager, etc.

    http://www.bleepingcomputer.com/forums/topic308364.html

    I use this a lot to stop Malware from running so that I can run scans, etc. If you run this and the Malware pops up a message that it prevented it from running, just leave that message up and run Rkill again. Generally it will let it run the second time.

    After Rkill runs, then you can run Malwarebytes or HitMan Pro.

    Edit: Also, just because HitMan Pro did not work, I would not hesitate to try Malwarebytes also. If HitMan will not run it probably will not either, but there is no harm in trying.



  • 15.  RE: Personal Internet Security 2011 Malware

    Posted Feb 14, 2011 11:05 AM

    I've found some rogue (fake) AV programs (in particular) that disable your regular antivirus/antimalware programs, and do the same even in safe mode. Then, I have to boot to a live CD of some sort so that the infected Windows system is not running. I tend to use the Ultimate Boot CD (UBCD) that also has Malwarebytes and Spybot-Search & Destroy installed. I've also found some rogue AV software that hijacks the PC's hosts file and also changes the attributes of that hosts file so you can't edit or replace it.

    Booting from the CD allows you to navigate the file system to remove any rogue AV files you can identify. This is of course easier the more experience you get with these sorts of files. A lot of the time they do try to hide in a user's temp folder space instead of in the system, but sometimes they do get into Windows system files too. Then you can update and run the AV/AM programs on the CD to find any other rogue files on the hard drive and delete them. Oh, yeah, Malwarebytes also has a feature that allows you to reset the hosts file even if it has been hacked as stated above.

    I have had a number of times, though, when I was sure there was a rootkit on a hard drive and so ended up reformatting and reinstalling everything on that drive.

    Garry K
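The hosts-file hijack Garry describes (vendor and update sites redirected, and the file's attributes changed so it cannot be edited) is easy to audit from a live CD or a second account without trusting the infected machine's own tools. The script below is an added example, not code from this thread, from Symantec or from any of the products named; it parses a hosts file, flags any mapping for a security vendor, scanner or Windows Update hostname (a clean hosts file should not mention them at all, whether the address blocks or redirects), and on Windows reports READONLY/HIDDEN/SYSTEM attributes on the file. The sample hosts text and the 192.0.2.x redirect address are constructed, and the watched-domain list is an assumption to extend for your own environment.

```python
import ipaddress
import os
import stat
import sys

# Constructed sample hosts file (not a real capture). 192.0.2.0/24 is a
# documentation range, used here as a placeholder for a redirect address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# the kind of lines a rogue AV adds (constructed example)
192.0.2.10      www.malwarebytes.org
192.0.2.10      liveupdate.symantecliveupdate.com
192.0.2.10      www.virustotal.com
0.0.0.0         windowsupdate.microsoft.com
"""

# Assumption: hostname substrings a clean hosts file should never mention;
# extend for your own AV vendor, update and support sites.
WATCHED_DOMAINS = ("malwarebytes", "symantec", "hitmanpro", "virustotal",
                   "threatexpert", "windowsupdate", "microsoft.com")

# Standard location on Windows; SystemRoot is a standard environment variable.
DEFAULT_HOSTS_PATH = os.path.join(
    os.environ.get("SystemRoot", r"C:\Windows"),
    "System32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Return one dict per hostname mapping: line, address, name, loopback."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue                               # blank or malformed line
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # first field is not an address
        for name in parts[1:]:                     # one line may list several names
            entries.append({"line": lineno, "address": str(addr),
                            "name": name.lower(), "loopback": addr.is_loopback})
    return entries


def find_hijacks(entries):
    """Flag every watched hostname regardless of address: 127.0.0.1 or
    0.0.0.0 silently blocks the site, anything else redirects it."""
    return [e for e in entries
            if any(w in e["name"] for w in WATCHED_DOMAINS)]


def file_attributes(path):
    """On Windows, return the names of READONLY/HIDDEN/SYSTEM attributes set
    on path (rogue AV sets these to stop you editing hosts); [] elsewhere."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", None)   # Windows only
    if attrs is None:
        return []
    flags = {"READONLY": stat.FILE_ATTRIBUTE_READONLY,
             "HIDDEN": stat.FILE_ATTRIBUTE_HIDDEN,
             "SYSTEM": stat.FILE_ATTRIBUTE_SYSTEM}
    return [n for n, bit in flags.items() if attrs & bit]


def check_hosts(text):
    """Return (all mappings, suspicious mappings) for hosts-file text."""
    entries = parse_hosts(text)
    return entries, find_hijacks(entries)


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts]; when no readable hosts
    # file is found, the constructed sample above is analysed instead.
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOSTS_PATH
    if os.path.isfile(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        print("attributes on %s: %s" % (path, file_attributes(path) or "none"))
    else:
        text = SAMPLE_HOSTS
        print("no hosts file at %s; analysing constructed sample" % path)
    entries, bad = check_hosts(text)
    print("%d mappings, %d suspicious" % (len(entries), len(bad)))
    for e in bad:
        print("  line %d: %s -> %s" % (e["line"], e["name"], e["address"]))
```

Run it against the hosts file of the mounted, non-running Windows volume (for example `python hosts_check.py /mnt/windows/Windows/System32/drivers/etc/hosts` from a live CD) so the rogue software cannot interfere; every flagged line is one the rogue AV added, and the attribute list tells you which `attrib` flags to clear before restoring the file.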