There is evidence that malware is on a system, but anti-malware software is not able to remediate it. Assistance is required to determine which files on the system may be malware.
The Symantec Diagnostic Tool (SymDiag) is a diagnostic utility used to help automate support for multiple Symantec products. SymDiag features a utility, the Threat Analysis Scan, that can help to identify suspicious files on a system.
How to run a Threat Analysis Scan
1. Download SymDiag...
2. Double-click SymDiag and accept the EULA...
3. Click the 'Start Scan' button next to 'Threat Analysis' (step 1 under the 'Scans' section of the Home page).
4. In the Threat Analysis Scan dialog, click 'Next' to begin the scan.
5. If a connection to the Symantec Reputation database cannot be established, a link to a proxy configuration dialog is offered. You can run a scan without connectivity to the Symantec Reputation database, but not all of the features of the Threat Analysis Scan will be available. (See TECH215550: 'About Threat Analysis Scan'.)
6. If the scan is run with access to the Symantec Reputation database, a list of files requiring further investigation is displayed once the scan is complete. Options include...
- Copying files to one or more zip containers in preparation for submission to the Security Response online submission web site
- Removing files
- Filtering the files displayed
- Examining data collected about the files
Note: Unless otherwise instructed, if you are working with Symantec Support, do not remove any suspicious files until you have copied them into a zip container. Symantec Support may ask you to submit suspicious files to the appropriate web site so that Security Response can analyze them. Do not send suspicious files to a Symantec support agent directly, even if they are zipped and password protected.
7. If you are working with Symantec Support, or if you ran the scan without a connection to the Symantec Reputation database, save the Threat Analysis Scan. Choose the 'Save' tab to display the Save page in SymHelp, select the directory to save to, and click 'Save'. This produces a file with the extension .sdbz. This file does not contain copies of any suspicious files, so it is safe to send directly to Symantec Support.
8. To complete a scan that was run without connectivity to the Symantec Reputation database, run SymDiag on a system with Internet access. From the Home page, choose File > Open Report in the menu at the top and open the saved .sdbz file. Select the 'Threat Analysis' tab and click the 'Complete Report' button.
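The note in step 6 makes the key evidence-handling point: copies of flagged files should be preserved in a zip container before anything is removed. The PowerShell function below is an added example of doing that outside the SymDiag dialog; it is not part of SymDiag or of this article. It writes a SHA-256 manifest of the flagged files (so the record reflects the files exactly as found) and then archives them for upload to the Security Response submission site. The function name, parameter names and all paths are assumptions chosen for illustration.

```powershell
# Added example (not SymDiag code): preserve copies of suspected files in a zip
# container, with a SHA-256 manifest, before any remediation takes place.
# Function name, parameters and paths are constructed for illustration.
function Export-SuspectFiles {
    param(
        [Parameter(Mandatory)] [string[]] $Path,        # files flagged for further investigation
        [Parameter(Mandatory)] [string]   $Destination  # e.g. C:\Cases\CASE-ID\suspect_files.zip
    )

    # Keep only paths that actually resolve to files; report anything missing.
    $existing = $Path | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf }
    $missing  = $Path | Where-Object { $_ -notin $existing }
    if ($missing) { Write-Warning ("Not found, skipped: " + ($missing -join ', ')) }
    if (-not $existing) { throw "None of the supplied paths exist." }

    # Hash and describe each file first so the manifest is independent of the archive.
    $manifest = foreach ($f in $existing) {
        $item = Get-Item -LiteralPath $f
        [pscustomobject]@{
            Path         = $item.FullName
            SHA256       = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            SizeBytes    = $item.Length
            LastWriteUtc = $item.LastWriteTimeUtc.ToString('o')
        }
    }

    # Make sure the case directory exists before writing anything into it.
    $dir = Split-Path -Parent $Destination
    if ($dir -and -not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }

    # Manifest sits beside the archive, e.g. suspect_files.manifest.csv.
    $manifestPath = [System.IO.Path]::ChangeExtension($Destination, '.manifest.csv')
    $manifest | Export-Csv -LiteralPath $manifestPath -NoTypeInformation

    # Compress-Archive only reads the files; it never executes them.
    # -Force overwrites an earlier archive of the same name.
    Compress-Archive -LiteralPath $existing -DestinationPath $Destination -Force

    return $manifest
}

# Usage with constructed paths (replace with the files SymDiag flagged):
# Export-SuspectFiles -Path 'C:\ProgramData\tmp\suspect1.exe', 'C:\Users\Public\suspect2.dll' `
#                     -Destination 'C:\Cases\CASE-ID\suspect_files.zip'
```

Two practical caveats: a file that is locked by a running process may not be readable, in which case the warning identifies which path was skipped rather than silently producing an incomplete archive; and the resulting zip is meant for the online submission web site only, exactly as the note above says, not for sending to a support agent directly.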
For more information about SymDiag...