***False positive Trojan.Downloader.ED***

  • This topic is locked
361 replies to this topic

#341 brachphotos

    New Member

  • Members
  • 11 posts

Posted 29 April 2013 - 08:56 AM

Symantec Endpoint Protection appears to have been broken by this update. I have already tried to uninstall, do a clean wipe of SEP and reinstall to get the same result on two PCs at my client site. You will find an attached photo below.

How do we go about resolving this?

-Will

Attached Images

  • IMG_18421.JPG


#342 AdvancedSetup

    Staff

  • Root Admin
  • 40,890 posts
  • Gender:Male
  • Location:US

Posted 29 April 2013 - 12:23 PM

@brachphotos

Hello Will

Can you please run the following on one of those computers and post back the logs

Please run the following scanner and send back the logs.


Please create an mbam-check log:
  • Download mbam-check.exe from here and save it to your desktop
  • Double-click on mbam-check.exe to run it, it should then open a log file
  • Please do not copy and paste the entire contents of the log into your next post, instead please attach the log CheckResults.txt file which should now be located on your desktop to your next post

Next, Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop
dds.scr
dds.com


Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr or dds.com to run the tool
Click the Run button if prompted with an Open File - Security Warning dialog box.
A black DOS console should open and run for a moment.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt
    You can ignore the note about zipping the Attach.txt file in most cases.

Thanks

Ron Lewis
Forum Community Manager

Follow us: Twitter, Become a fan: Facebook


#343 brachphotos

    New Member

  • Members
  • 11 posts

Posted 30 April 2013 - 11:15 AM

I have 3 PCs at this client site that are showing the same thing with SEP. I have logs from two of the PCs. I am awaiting the third user to finish what she's working on before I can gain access to her system.

Each PC will post as a separate reply.

PC #1 is attached.

Attached Files



#344 brachphotos

    New Member

  • Members
  • 11 posts

Posted 30 April 2013 - 11:22 AM

PC #2 is attached.

Attached Files



#345 brachphotos

    New Member

  • Members
  • 11 posts

Posted 30 April 2013 - 11:29 AM

PC #3 is attached.

All three were impacted by the false positive update two weeks ago.

-Will

Attached Files



#346 AdvancedSetup

    Staff

  • Root Admin
  • 40,890 posts
  • Gender:Male
  • Location:US

Posted 30 April 2013 - 01:08 PM

I have 3 PCs at this client site that are showing the same thing with SEP. I have logs from two of the PCs. I am awaiting the third user to finish what she's working on before I can gain access to her system.

Each PC will post as a separate reply.

PC #1 is attached.


STEP 1
Machine #1

Please uninstall the following software as older code has been compromised.

Java Auto Updater
Java™ 6 Update 33


STEP 2
Please do a clean removal of MBAM but do not reinstall just yet.

MBAM Clean Removal Process

STEP 3
Please uninstall Symantec Endpoint Protection from the Control Panel, Add/Remove Programs and reboot

After the reboot download and then run the following Norton_Removal_Tool from Symantec and again reboot.

STEP 4
Please Run TFC by OldTimer to clear temporary files:
  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

STEP 5
Now reinstall Symantec Endpoint Protection and let me know if there are any issues with running it now or not.

Once we're sure that Symantec is working correctly then we'll look at installing MBAM

Ron Lewis
Forum Community Manager


#347 AdvancedSetup

    Staff

  • Root Admin
  • 40,890 posts
  • Gender:Male
  • Location:US

Posted 30 April 2013 - 01:11 PM

PC #2 is attached.

Please follow the same advice for PC#2 as listed for PC#1 except remove this Java.

Java 7 Update 21
Java Auto Updater
Java™ 6 Update 31
JavaFX 2.1.1



Then let me know if it's working or not.

Ron Lewis
Forum Community Manager


#348 AdvancedSetup

    Staff

  • Root Admin
  • 40,890 posts
  • Gender:Male
  • Location:US

Posted 30 April 2013 - 01:13 PM

PC #3 is attached.

All three were impacted by the false positive update two weeks ago.

-Will


Follow same advice as other computers except also please run a Disk Check on this computer.

Remove this old Java

Java 7 Update 17
Java Auto Updater
Java™ 6 Update 39


Let me know its status.

Ron Lewis
Forum Community Manager


#349 brachphotos

    New Member

  • Members
  • 11 posts

Posted 01 May 2013 - 01:16 PM

Followed the steps you provided me for PC #1. Same result on SEP. Re-ran the MBAM Check and DDS scans after completing the reinstall of SEP. Screenshot of SEP and logs are attached. I am right now starting to see if this makes a difference for PC #2. If not, I am NOT touching PC #3.

Please advise. Thank you.

-Will

Attached Images

  • IMG_19341.JPG

Attached Files



#350 brachphotos

    New Member

  • Members
  • 11 posts

Posted 01 May 2013 - 02:17 PM

PC #2 had the exact same end result. I am NOT going to bother attempting to approach PC #3 right now. I re-ran the mbam check and dds scans. Another screenshot and those logs are attached.

Please advise. Thank you.

-Will

Attached Images

  • IMG_19351.JPG

Attached Files



#351 AdvancedSetup

    Staff

  • Root Admin
  • 40,890 posts
  • Gender:Male
  • Location:US

Posted 01 May 2013 - 02:55 PM

Both computers have this entry in the Event Logs

5/1/2013 2:00:37 PM, Error: Service Control Manager [7030]  - The Symantec Management Client service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Please review the following article and remove the interactive portion.

Then restart the service and run the following please.

Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.


Thanks

Ron Lewis
Forum Community Manager


#352 brachphotos

    New Member

  • Members
  • 11 posts

Posted 03 May 2013 - 09:00 AM

Attached log from PC #1. I must have this resolved on all 3 PCs today. This cannot stretch to Monday. I will be going through there this afternoon. Please advise. Thank you.

-Will

Attached Files



#353 AdvancedSetup

    Staff

  • Root Admin
  • 40,890 posts
  • Gender:Male
  • Location:US

Posted 03 May 2013 - 03:06 PM

It appears that this is a 64-Bit version of Windows 7 and the files in the x64 catalog are still missing.

x64-Catalog5 01 H:\Windows\System32\NLAapi.dll [File Not found] ()
x64-Catalog5 02 H:\Windows\System32\napinsp.dll [File Not found] ()
x64-Catalog5 03 H:\Windows\System32\pnrpnsp.dll [File Not found] ()
x64-Catalog5 04 H:\Windows\System32\pnrpnsp.dll [File Not found] ()
x64-Catalog5 05 H:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog5 06 H:\Windows\System32\winrnr.dll [File Not found] ()
x64-Catalog9 01 H:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 02 H:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 03 H:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 04 H:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 05 H:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 06 H:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 07 H:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 08 H:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 09 H:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 10 H:\Windows\System32\mswsock.dll [File Not found] ()

Please see if you can compare these files from a working computer and then copy them from the working computer to this one that is not working.
If you have a list from the original issue with the quarantined files it should show you what files were removed that still need to be replaced.

Thanks

Ron Lewis
Forum Community Manager


#354 brachphotos

    New Member

  • Members
  • 11 posts

Posted 03 May 2013 - 03:53 PM

The H drive is their networked Home drive.

#355 AdvancedSetup

    Staff

  • Root Admin
  • 40,890 posts
  • Gender:Male
  • Location:US

Posted 03 May 2013 - 05:49 PM

Hi Will,

That is a bit odd that it would scan that as a location then. I wonder if there is some type of GPO that has that as a redirect location.

You can try this from an elevated command prompt and see if that corrects but I doubt that is the real cause here and probably will not make any real change.

netsh winsock reset catalog

The winsock registry keys are located here:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2]

I'm really sorry Will, but if you have to have this fixed by Monday then unfortunately you're going to need to back up the data and format the drive and reinstall or re-image the boxes. If I knew specifically what was wrong I'd certainly tell you but you're seeing an odd issue that has not been reported before and if you have no other signs of an issue that makes it pretty hard to diagnose what's really going on here in your specified time frame.

Ron Lewis
Forum Community Manager
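A read-only version of the check behind the "[File Not found]" lines in the DDS log quoted two posts up, as an added example that is not part of this thread nor of Malwarebytes' or Symantec's tooling: it walks the Winsock2 registry key Ron lists and reports every provider entry whose DLL path does not exist or resolves outside %SystemRoot% (as the H:\Windows\System32 entries here did). The Parameters subkey, the value names LibraryPath and PackedCatalogItem, and the assumption that PackedCatalogItem begins with the DLL path as a NUL-terminated ANSI string are not from the page.

```powershell
# Added example (not from the thread or Malwarebytes): read-only audit of the
# Winsock catalog that reproduces the check behind the "[File Not found]"
# lines in the DDS log above. Assumes the registry layout under the Winsock2
# key: NameSpace_Catalog5\Catalog_Entries*\<id> holds LibraryPath (a string),
# Protocol_Catalog9\Catalog_Entries*\<id> holds PackedCatalogItem (binary that
# starts with the provider DLL path as a NUL-terminated ANSI string).
$base       = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
$systemRoot = $env:SystemRoot

function Get-WinsockProviderPaths {
    foreach ($catalog in 'NameSpace_Catalog5', 'Protocol_Catalog9') {
        # 64-bit Windows keeps the 64-bit providers in a separate Catalog_Entries64 list
        $lists = Get-ChildItem -Path "$base\$catalog" -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSChildName -like 'Catalog_Entries*' }
        foreach ($list in $lists) {
            foreach ($entry in Get-ChildItem -Path $list.PSPath) {
                $props = Get-ItemProperty -Path $entry.PSPath
                if ($props.LibraryPath) {
                    $raw = $props.LibraryPath
                } elseif ($props.PackedCatalogItem) {
                    # Take the leading ANSI string up to the first NUL byte
                    $bytes = [byte[]]$props.PackedCatalogItem
                    $end   = [Array]::IndexOf($bytes, [byte]0)
                    if ($end -lt 0) { $end = $bytes.Length }
                    $raw   = [Text.Encoding]::ASCII.GetString($bytes, 0, $end)
                } else { continue }
                [pscustomobject]@{
                    Catalog = "$catalog\$($list.PSChildName)"
                    Entry   = $entry.PSChildName
                    RawPath = $raw
                    Path    = [Environment]::ExpandEnvironmentVariables($raw)
                }
            }
        }
    }
}

# Flag entries whose DLL is missing, or that resolve outside %SystemRoot%
# (a mapped drive such as the H: home share seen in this thread would show up here).
foreach ($p in Get-WinsockProviderPaths) {
    $exists = Test-Path -LiteralPath $p.Path -PathType Leaf
    $inRoot = $p.Path.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)
    if (-not $exists) {
        '{0} {1} {2} [File Not found]' -f $p.Catalog, $p.Entry, $p.RawPath
    } elseif (-not $inRoot) {
        '{0} {1} {2} [outside SystemRoot]' -f $p.Catalog, $p.Entry, $p.RawPath
    }
}
```

Run it from an elevated prompt on a working machine first to get a clean baseline, then on the affected one; an entry that is missing on the broken box but present on the baseline is a file the quarantine removed and that `netsh winsock reset catalog` alone will not restore.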


#356 richardsonjames1983

    New Member

  • Members
  • 1 posts
  • Gender:Male
  • Location:london

Posted 08 May 2013 - 01:02 PM

I followed the steps above (reinstalling in safe networking mode) and still get that the program can't start because comctl32.dll is missing from my computer.


same to me

#357 AdvancedSetup

    Staff

  • Root Admin
  • 40,890 posts
  • Gender:Male
  • Location:US

Posted 08 May 2013 - 02:40 PM

@richardsonjames1983

Please contact the Help Desk and they will assist you with this issue.

Thank you

Ron Lewis
Forum Community Manager


#358 jrhawk9

    New Member

  • Members
  • 12 posts

Posted 09 May 2013 - 11:58 AM

I've been having an email conversation (Malwarebytes Support ticket #332015) with your "help desk" regarding this issue and the last response I got was on May 1st. I have since replied a few times and nothing. The person I am/was dealing with is "Tom Mercado". So far this "help desk" has been of no help regarding this issue. This was your guys' screw-up, now I need to know how YOU GUYS are going to replace the three DLL files which need to be replaced in order for Windows 8 to function as it did before your software decided to quarantine them.

#359 AdvancedSetup

    Staff

  • Root Admin
  • 40,890 posts
  • Gender:Male
  • Location:US

Posted 09 May 2013 - 02:37 PM

@jrhawk9

I'm sorry that you're having issues contacting the Help Desk. It's possible that your email provider or ours is blocking the mail due to a high volume of emails or code in the email that often triggers spam blockers.
Please send me a private message and I'll see if I can assist you with your issue.

Thank you

Ron Lewis
Forum Community Manager


#360 brachphotos

    New Member

  • Members
  • 11 posts

Posted 09 May 2013 - 03:52 PM

I just wanted to extend my Thank Yous to your support staff team, especially Chris, Pete and anyone else who listened in on the 4+ hour long conference call between me and Symantec's support team. I have just finished curing the other two systems at this one client. Again, Thank you for all of your help with helping to get this resolved.

-Will



