The ESET online scanner is uninstalled.
Disable Norton for, say, 30 minutes.
Start OTL, under
Copy and paste the custom script attached, which you open in, for instance, Notepad (include the : at the start of :OTL and all the way to the end / bottom), and run the script. (Red Run Fix Button)
The output log should be placed in the C:\_OTL folder after.
Quads
Here is the output log from the last OTL scan using the file "MirageMobile_script.txt".
How is your system running now??
Quads
No OS reboots or alert windows from Symantec (have not re-enabled it yet).
Everything appears normal.
I am not familiar with a few of the "moved files", but the ones I recognize are not important.
Shall I enable Symantec now?
Disable Norton
Start OTL again but this time click the Black CleanUp button, then make sure the C:\_OTL folder is deleted.
After that you are free to go on your merry way. You are now fixed / Solved.
If you want Malwarebytes, download the Free version to install and don't click the Trial button.
If you want to, you can turn off System Restore, wait for it to clear the Restore Points, and then turn it back on once you find all is happy. Today, tomorrow, whenever.
Quads
OK, the OTL folder has been deleted.
Thank you QUADS for the personal time investment in assisting me with this issue.
What can I do to compensate you for your work?
Also, would you care to enlighten me about this type of attack on my system and how I can prevent it in the future?
Just be wise, like if an ad appears saying you have won $1,000 or someone wants to chat to you, just think OH NO, I'm not that dumb to click it.
Malware is always changing, it's just a matter of keeping up with it.
Quads
I updated the database for Malwarebytes and did a full scan (1hr50min) and found zero threats.
I re-enabled Symantec.
1 hr later, the auto-protect found file "APQE03B.TMP" and labeled it a trojan.zeroaccess.
Only one instance of this file has appeared so far with the "auto-protect" system.
I am currently doing a full scan with Symantec.
You might be going to a site that has a drive by.
If it's just a .tmp file that has tried to come in, Symantec may have just done its job, WHAM grab, or it's just a temp file you can just delete.
Quads
Moved to own thread for better exposure.
Today my Symantec Endpoint Protection started giving me messages about both of these files. Prior to coming here I did run a full scan with Malwarebytes' Anti-Malware (turned up nothing) and a full scan on Symantec Endpoint Protection, which turned up some kind of "unavailable trackware" that it deleted, and I hope that doesn't compromise anyone's ability to help me. I'm running Windows 7 64 bit and version 11.0.5002.333 of Symantec Endpoint Protection.
Thanks in advance to whoever may be able to help. Let me know if any other information is needed to proceed.
Yes I do.
Read Slowly and all of it.
Please download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ You need to download the 64bit version.
Transfer it on to the Flash Drive.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Choose your language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
- Select Command Prompt
- In the command window type in notepad and press Enter.
- The notepad opens. Under File menu select Open.
- Select "Computer" and find your flash drive letter and close the notepad.
- In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
- The tool will start to run.
- When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) on the flash drive. Restart the system and load Windows. Please copy and paste it to your reply.
Quads
Here it is!
Now that is a stuff up
Uninstall McAfee, that is one way to screw with the AV's and the system. Also use the McAfee removal tool after the standard uninstall: http://service.mcafee.com/FAQDocument.aspx?id=TS101331
You do have an older CLSID variant to get later.
Quads
Alright, McAfee has been uninstalled and thank you for the heads up on the CLSID variant.
Download the script attached, it needs to be the same file name as well. Copy it across to the flash drive.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Now please enter System Recovery Options again, like previously.
- Select Command Prompt
- In the command window type in notepad and press Enter.
- The notepad opens. Under File menu select Open.
- Select "Computer" and find your flash drive letter and close the notepad.
- In the command window type e:\frst.exe or frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
- The tool will start to run.
- When the tool opens click Yes to disclaimer.
- Press the Fix button just once and wait.
- The tool will make a log on the flash drive (Fixlog.txt). Please post it to your reply.
Quads
Here it is.
Does your system / Windows load OK??
Quads