Endpoint Protection

Thw W64.Viknok.B!.inf virus was detected by the Endpoint but cannot be cleaned. I used the SymDiag and Norton Power Eraser tools with no success. Is there a manual method to follow to delete the virus or some other tool I can use.

Thanks....Bob

Have you tried manually deleting? In safe mode?

Thanks, let me now how it goes.

I have not but will try on endusers computer this afternoon.

Thanks...Bob

I had a similar issue once where the infected file kept reappearing. symantec suggested to restart the PC so the infection gets flushed out of the memory. so I would suggest you the same. if you are facing a similar issue.

Hi Bob,

W64.Viknok.B!inf is a detection for 64-bit files infected by Trojan.Viknok. Here's a little more on that one:

Sophisticated Viknok Malware Proves That Click-fraud Is Still a Moneymaker for Scammers
https://www.symantec.com/connect/blogs/sophisticated-viknok-malware-proves-click-fraud-still-moneymaker-scammers

What action is SEP taking-? And where are these files located-?  With AutoProtect or manual scans?  It might help if you posted an excerpt from the Risk Report.

SEP states "no repair currently available" - so its just logged - AutoProtect found it - file name - eoxcy.dll - I also ran a full manual scan and infected file is - hrngeej.dll - same SEP msg "no repair currently available"  I can't get the Risk Report at the moment but I will post later when I visit the end user

Thanks....Bob

Thanks Mick2009 , was trying to find any article that explained exactly what Viknok Malware does. 

I tried Malwarbytes - found nothing doing a full scan last night. I will check the link provided. Attached, please find the XLS risk report from SEP.

Thanks, 

Bob 

Attachment(s)

RiskRpt.zip   490 B 1 version

Here' the risk Report. 

Attachment(s)

RiskRpt_0.zip   490 B 1 version

According to the report:

The non-repairable infections are related to copies of legitimate infected dlls, which can be safely deleted without affecting the computer. 

Have you tried deleting the DLL named 'hrngeej.dll' ? 

I ran the PC in safe mode but SEP was unable to delete the virus.

Thanks, 

Bob 

According to the report:

The non-repairable infections are related to copies of legitimate infected dlls, which can be safely deleted without affecting the computer. 

Have you tried manually deleting the DLL named 'hrngeej.dll' ? 

If what the report says is true, I don't expect SEP to delete it. It will need to be removed manually.

Many thanks Bob!

Have you tied manually deleting this "c:\users\mazura\appdata\roaming\hrngeej.dll" -?  Even if SEP's engines cannot automatically access and act upon that file, it's good that the product is raising a red flag.

Explanation of Action field values in Symantec Endpoint Protection 12.1 and 14
http://www.symantec.com/docs/TECH102052
 

I deleted the file including the entire user path and then ran a scan - the virus was not detected but an odd behavior is occurring. I logged out of the PC and logged back in and the user path I deleted was recreated. I ran a quick scan only on the user directory and it was clean but this evening I will run a full SEP scan. 

.....Bob 

I deleted the file including the entire user path and then ran a scan - the virus was not detected but an odd behavior is occurring. I logged out of the PC and logged back in and the user path I deleted was recreated. I ran a quick scan only on the user directory and it was clean but this evening I will run a full SEP scan. 

.....Bob 

Thanks for the update.  It sounds like there is something in the load points which re-created that file you deleted. 

You may wish to open a case with Tech Support for their help in hunting that down, if the full system scan does not find anything.

I deleted the entire user directory again and ran Symdiag full scan - virus is gone and user dir was not recreated on logon following a reboot. 

Thanks....Bob 

Thanks for the update.

-Brian