Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

  • 1.  Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 24, 2010 01:06 PM
    Hi all,

    I'm new to the forum and need some HELP with my Symantec Antivirus program. 

    A few days ago, I visited a site where I suspect I picked up a Trojan Horse virus that Symantec AntiVirus acted on and quarantined. However, for the past 2 or 3 days, every time I do a LiveUpdate, Symantec Antivirus tells me (immediately after the update) that it has found a new Trojan Horse Virus via auto-scan, and that it has been quarantined. I usually do a Full scan immediately thereafter to check for more threats but it usually reports that it finds nothing more. This incident immediately after LiveUpdate has happened about 4 times consecutively and I now have 4 or 5 items in quarantine.

    Is my Antivirus program really picking up newly detected Trojan horses that could only be detected with every new update?? I'm afraid to go to any more personal websites or really do anything because I'm afraid of there being more Trojan horses lurking around in my computer that Symantec AntiVirus has yet to be capable of detecting.

    I've also been getting this notification from my Windows Security Center:
    "Symantec Antivirus is on but is reporting its status to Windows Security Center in a format that is no longer supported. Use the program's automatic updating feature, or contact the program manufacturer for an updated version"
    (From what I understand other people in other discussions have mentioned this)

    What should I do specifically??

    I'm using Vista Home Premium (32 bit) and I think I have program version:  10.2.0.276

     




  • 2.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 24, 2010 04:41 PM
    No one can help??


  • 3.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 24, 2010 05:09 PM
    PLEASE?


  • 4.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 24, 2010 06:08 PM
    Try submitting the file to one of these links:

    https://submit.symantec.com/websubmit/retail.cgi  or https://submit.symantec.com/websubmit/gold.cgi


    What is the name of the trojan found? Did you try deleting the file instead of leaving it in quarantine? What is the file name and where is it located on your PC? (C:/...??)



  • 5.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 24, 2010 07:01 PM
    I have 4 Trojan Horses quarantined.

    Filenames are:
      update[1].exe
      DWH9F9D.tmp
      DWH7AAF.tmp
      DWH2927.tmp

    Location:
      C:/Users/Allan/AppData/Local/Mi...
      C:/Users/Allan/AppData/Local/Te...
      C:/Users/Allan/AppData/Local/Te...
      C:/Users/Allan/AppData/Local/Te...

    I haven't tried deleting any of them yet.  Should I "clean"? or "delete permanently"?

    I've been trying to visit only safe sites, updating and scanning frequently; how else can I protect myself from new infections? For the past 3 or 4 days it seems like a new virus pops up every time I update.


  • 6.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 24, 2010 07:11 PM
    Your two issues don't have anything to do with each other. So let's start with the easier of the two:

    "Symantec Antivirus is on but is reporting its status to Windows Security Center in a format that is no longer supported. Use the program's automatic updating feature, or contact the program manufacturer for an updated version"
    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/4b349a3fa4af870c802575f30057b77b?OpenDocument

    Essentially this just is saying that Microsoft made changes to their program that no longer lets your antivirus talk to it. So you need the updated version to get rid of that error message. However you are still FULLY protected no matter what this message says. That is why I think your two problems have nothing to do with each other.

    Now on to the second problem

    You should do as Frank suggests above and submit the files to Symantec first. Next you should do a full system scan IN SAFE MODE with system restore off. This is much better than a simple full scan and will be a better indicator of whether you are infected. Also try to visit www.symantec.com (usually a virus will stop the person from visiting our site). A scan using a free program called Malwarebytes might also be a good idea. If this doesn't help please report back with the filename and location of the file being detected.

    Cheers
    Grant


  • 7.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 24, 2010 07:13 PM
     Sorry I was still writing my last reply when you posted back. Please see my post below, but from the sounds of it you are infected. Did you submit those files to Symantec yet?

    Grant-


  • 8.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 24, 2010 08:26 PM
    If it is in the "Temporary Internet Files" folder, just clear your internet browser's temporary files or delete the files.


  • 9.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 24, 2010 09:14 PM
    @Grant Hall - Thank you for your input. I tried to go to safe mode and perform a full scan, but when I tried to scan, I got a message that read: "Scan engine returned error 0x20000003". So I was unable to scan. I am, however, able to visit www.symantec.com. I've scanned with Spybot Search and Destroy as well, and it finds nothing as well. Just to reiterate:

    Filenames are:
      update[1].exe
      DWH9F9D.tmp
      DWH7AAF.tmp
      DWH2927.tmp

    Location:
      C:/Users/Allan/AppData/Local/Mi...
      C:/Users/Allan/AppData/Local/Te...
      C:/Users/Allan/AppData/Local/Te...
      C:/Users/Allan/AppData/Local/Te..

    Is there anything I can do to prevent more infections? Each time I do a live update, it seems like it finds something new...

    @Frank019 - Thanks to you too. I'm going to delete all the files then from Symantec AntiVirus Quarantine. (Does it make a difference if I 'delete permanently' or 'clean'?) I can delete them, but I can't seem to clean them.


  • 10.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 24, 2010 09:28 PM
    Delete permanently will remove the file from your computer.

    Clean will try to remove the infected part of the file.


  • 11.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 24, 2010 09:59 PM
    @Frank019 - Ok thanks. So deleting them is sufficient?
    I also have one other question (it's kind of basic...) - but when I delete these files, am I free of infection (i.e., is the virus and the infected file the same thing)? Or could the virus still be lurking around waiting to infect other files? How can I get rid of the virus itself?


  • 12.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 24, 2010 10:20 PM
     Hi Blorgan,

    Well, it doesn't necessarily mean that you will be completely virus free if you delete the files in question. Modern viruses can replicate, hide, and alter other system files. However you should select delete and see if the virus remains after your next call to LiveUpdate.

    The error you saw, "scan engine returned error 0x20000003", used to happen on older versions of SAV (which you have). After we get this virus cleaned up I suggest you do an upgrade to the latest version. Obviously you should not do the upgrade while you still might be infected, but it is something you should consider. Really the next step that you should do is submit the files to Symantec so we can process them. Also have you tried the scan with Malwarebytes (I think it is much better than Spybot)?

    Cheers
    Grant


  • 13.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 25, 2010 12:48 AM
    Even after scanning in safe mode with the latest virus defs (it should have the latest patches also), if you are facing the problem, this infection may be recurring from another PC in the network. Risk Tracer will be helpful in this case; for more info refer to the article below.
    Worms and threats that spread across networks by network shares have become more common in recent years, like Downadup/Conficker.


  • 14.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 25, 2010 10:41 AM
    The virus and the infected files are not always the same files. Like AravindKM said, you should scan in safe mode if deleting is not working. You could also try "clean" in safe mode; it might work.


  • 15.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 25, 2010 11:12 AM
    @Grant Hall - Oh I see. Thanks for the info.  I tried submitting the files before, but when I browsed for file name to try to upload the files, I couldn't find it in a search. Now, I've deleted all but 1 file. Is there an easy/safe way to submit the files directly through Symantec Antivirus?

    I've downloaded Malware, and am now doing a full scan with it.  


    @Frank/AravindKM - Thanks for the suggestions/info, I've pretty much deleted all but 1 file. When I'm in safe mode though, I can't really do anything (including a scan, as I mentioned earlier), and the files aren't even in quarantine to delete or modify.



  • 16.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 25, 2010 11:29 AM

    When new virus definitions are in place and the quarantine is being scanned, a DWHxxx.tmp file is created and detected by Auto-Protect.

     http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111911135548


  • 17.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 25, 2010 11:43 AM
    See my thread here, to which there's been no response. The risk SPECIFICALLY TARGETED all Symantec LU files!! It was VERY specific like it knew what to hit, what to go after.

    https://www-secure.symantec.com/connect/forums/attack-symantec-processes-lu-etc

    It was the self-preservation (TAMPER PROTECTION) from SEP that alerted me to it, and I modified my custom application control piece to prevent any EXE from being created in the %userprofile%\local settings\application data\*\*.exe area.
    It was targeting files here:
    C:/Program Files/Symantec/LiveUpdate/LUALL.EXE
    which would have crippled SEP's LU abilities had tamper protection not stopped it.

    This is a trick used by BHOs, and other phony AV risks to get in when the user is a peon and not an admin. Install and run from the user profile area.
    I was blocking only DLLs in that area, and now block the creating of EXE files as well (I've got an article written up on this from last year)
    Yes, it can be a pain and you have to put in exclusions for some office products and valid applications, but IMO, anything INSTALLING to or running from the user profile is a risk until proven otherwise.
    And on a similar topic - anyone like Google, etc. who installs there should be horse-whipped!
    That does NOT comply with MS's original plan and leaves things open to great risks.
    So I lock it down, and exclude only as needed. Never again will an EXE come in and start hammering away at SEP from that area, anyway.
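Posts 16 and 17 give two different readings of a detection path: a DWHxxx.tmp file produced when the quarantine is rescanned, and an executable created under the user profile. The sketch below is an added example, not Symantec's code or either poster's policy; it sorts detection paths into those two groups. The hex-digit name pattern, the profile layouts checked, and the sample paths (constructed, except the LUALL.EXE path from post 17 and the pdfupd.exe path reported in post 18) are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Name pattern for the temp copies described in post 16 (DWHxxx.tmp).
# Assumption: "xxx" is a run of hex digits, as in DWH9F9D.tmp above.
DWH_RE = re.compile(r"^DWH[0-9A-F]+\.tmp$", re.IGNORECASE)

# File types post 17 blocks from being created under the user profile.
BLOCKED_EXT = {".exe", ".dll"}


def in_user_profile_data(path: PureWindowsPath) -> bool:
    """True for per-user data trees (assumed XP and Vista layouts)."""
    raw = path.parts[1:] if path.anchor else path.parts
    parts = [p.lower() for p in raw]
    if len(parts) < 4:
        return False
    if parts[0] == "users" and parts[2] == "appdata":
        return True
    return (parts[0] == "documents and settings"
            and parts[2] == "local settings")


def classify(detection_path: str) -> str:
    """Label one detection path; a name match is a hint, not proof."""
    path = PureWindowsPath(detection_path)
    if DWH_RE.match(path.name):
        return "quarantine-rescan"
    if path.suffix.lower() in BLOCKED_EXT and in_user_profile_data(path):
        return "user-profile-executable"
    return "other"


def triage(paths):
    """Group detection paths by label so follow-up work is obvious."""
    buckets = {"quarantine-rescan": [],
               "user-profile-executable": [],
               "other": []}
    for p in paths:
        buckets[classify(p)].append(p)
    return buckets


# Sample input: constructed unless noted.
SAMPLE = [
    r"C:\Users\example\AppData\Local\Temp\DWH1A2B.tmp",
    r"C:\Users\Allan\AppData\Local\Temp\pdfupd.exe",       # post 18
    r"C:\Documents and Settings\example\Local Settings"
    r"\Application Data\vendor\setup.exe",
    "C:/Program Files/Symantec/LiveUpdate/LUALL.EXE",      # post 17
]

if __name__ == "__main__":
    for label, items in triage(SAMPLE).items():
        print(label, len(items))
        for item in items:
            print("   ", item)
```

Entries labelled `quarantine-rescan` point back at items already in quarantine; entries labelled `user-profile-executable` are the ones that still need a scan or a submission.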


  • 18.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 25, 2010 12:28 PM
    @Grant Hall - So I did the malware full scan and found a "Trojan.Downloader" in C:\Users\Allan\AppData\Local\Temp\pdfupd.exe

    I'm going to remove it and see what happens.


  • 19.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 25, 2010 04:26 PM
    Hope after you delete the file everything is clean for you.


  • 20.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 26, 2010 10:40 AM
    Thanks for the help. I deleted everything and did a LiveUpdate and haven't found anything more... yet. So I'm cautiously optimistic. I've also been told this:

    "you may have a trojan hidden elsewhere on your computer, such as within your System Restore points (which happens to be a very common location for them to hide within.) As such, you should disable your system restore to clear out your restore points, restart your computer to see whether the problem continues and then re-enable your system restore regardless."

    Does anyone suggest doing this?  If I do do this should I disable system restore, restart and perform a full scan to check for any hidden problems? And then restore system restore?

    Is there any more of a definitive way that I can ensure I am free of infection?

    Thanks!


  • 21.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 26, 2010 10:51 AM
     The first suggestion after an infection is to disable / delete old restore points.



  • 22.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 26, 2010 12:22 PM
    Oh ok I see. After I disable system restore, and restart the computer, should I run a full scan, and then re-enable system restore?


  • 23.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 26, 2010 12:29 PM
    Well... full scan, yes, but with the latest virus definitions. It might be possible that the new ones might catch a few extra ones if they are hidden.
    Well, after that you can re-enable system restore.


  • 24.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 26, 2010 01:05 PM
    Ok thanks! I'll do it, we'll see what happens.

    If after that full scan (with latest definitions) goes without finding anything and I re-enable system restore... Would it be safe to upgrade my Symantec AntiVirus 10.2.0.276 to the latest version (11.0.5)?
     



  • 25.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 26, 2010 01:14 PM
     You always want to be on a current if not the latest and greatest build.

    The product has changed drastically to keep up with the virus authors that write their malware to elude AV vendors.  SEP 11.x includes even more protection than 10.x did.


  • 26.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 26, 2010 03:28 PM
    Just want to make sure you are well informed before your upgrade. SEP 11 (11.0.5) is a completely different product from SAV 10. SEP has tons of new features compared to SAV 10. However I was simply referring to upgrading your version of SAV before. I said "The error you saw, "scan engine returned error 0x20000003", used to happen on older versions of SAV (which you have). After we get this virus cleaned up I suggest you do an upgrade to the latest version. Obviously you should not do the upgrade while you still might be infected, but it is something you should consider. Really the next step that you should do is submit the files to Symantec so we can process them. Also have you tried the scan with Malwarebytes (I think it is much better than Spybot)?" This error you saw only happened on older SAV versions like yours. You can upgrade SAV without having to go to SEP. However I think SEP is a great product and I think you would like it, but the choice is up to you. If you don't go to SEP then simply download your latest version of SAV from fileconnect here: https://fileconnect.symantec.com/

    Please don't forget to mark the answer that most helped you as the solution. This helps future users find a quick solution to a similar problem.

    Cheers
    Grant


  • 27.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 26, 2010 10:09 PM
    Ok - so I am currently downloading a more recent build (11.0.5) of Symantec Antivirus. Once I begin installing the new build, will it automatically uninstall and replace the old build?

    And @GrantHall - Thanks again for your help and information. Yes I did the scan with Malwarebytes and found the Trojan.downloader and deleted it as mentioned above. I do agree that Malwarebytes is an excellent malware scanner. I also mentioned that I tried to upload the files earlier but failed to, but now I've deleted all of the infected items. I also disabled system restore, restarted and scanned with both SAV and Malwarebytes, and then re-enabled system restore. So now I'm going ahead and downloading SEP 11.0.5. Is it okay to begin installing with SAV still on my computer? Will SEP automatically uninstall SAV and replace it seamlessly?



  • 28.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 26, 2010 10:21 PM
    > Will SEP automatically uninstall SAV and replace it seamlessly?

    Yes. SEP will replace SAV automatically.


  • 29.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 26, 2010 11:24 PM
    @pkh - Thanks for the quick response.

    Quick question, does SEP normally disable Windows Defender? 'Cause I installed it just now, and Windows Defender was turned off in the process.



  • 30.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 27, 2010 04:10 AM
    SEP does disable Windows Firewall. However for Windows Defender you will have to set a policy to disable it.


  • 31.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 27, 2010 08:48 AM
    Actually, in our case, it does seem to disable it. Someone tried to enable it and SEP didn't allow it. And on my home notebook, I installed SEP and it disabled Defender...
    I know we don't have a policy here...
    Maybe XP and Vista and 7 all do it differently; in our case, it was XP. Defender no longer works.


  • 32.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 27, 2010 12:34 PM
    Hmmm... I'm using Vista on a home notebook and it was disabled as soon as I installed SEP as well... Windows Defender offers minimal protection anyway. I was just wondering if this was abnormal, but I guess not.


  • 33.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 28, 2010 09:15 PM
    Problem persists: 

    So I thought I cleaned the infection from my computer, but found another trojan horse via SEP autoscan. The file was quarantined and I went ahead, disabled restore points, went into safe mode and tried to perform a full scan with SEP to check for more infections. But SEP doesn't appear to be working in safe mode at all. Is there a way to change settings so that SEP works in safe mode?


  • 34.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 28, 2010 11:16 PM
    Is it still the same trojan?


  • 35.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 29, 2010 12:11 AM
    @Frank019 - This time the infected file was found in - install_flash_player(4).exe
    Not sure if it's the same trojan, but I can't think of where I picked up a new one. I'm pretty cautious with the things I download and sites I visit.
    Any ideas? Or any idea why SEP isn't working in safe mode?
    Thanks


  • 36.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Jan 31, 2010 05:59 PM
    Or anyone have ideas on why SEP isn't working in safe mode and how I can change that?


  • 37.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Feb 02, 2010 05:53 PM
    Have you tried sending the new files to the link I gave you before? Have you tried updating your Flash Player recently?

    https://submit.symantec.com/websubmit/retail.cgi  or https://submit.symantec.com/websubmit/gold.cgi


  • 38.  RE: Live Update problems/Trojan Horse and Symantec AntiVirus no longer reporting to windows

    Posted Feb 11, 2010 10:17 AM
    Is everything working now?