
Browser Hijacking - Why Can't Norton fix these?

I am having problems with IE and Firefox being hijacked.  The threads I have read here on this refer users to run malwarebytes, superantispyware, and other freeware (which I have done in safe mode and they haven't fixed the problem).  Why am I paying for Norton if they can't find and fix these browser hijacking issues any better than freeware?  I seem to have been able to keep Firefox from misbehaving by disabling all of the plugins.  But, shouldn't Norton be able to scan for rogue plugins???  Is anybody at Symantec working on this?  Thanks.

Willie

Replies

Re: Browser Hijacking - Why Can't Norton fix these?

Hi UncleWillie:

Different programs do different things, which makes them helpful. The programs that we ask for provide logs, which is one of the most useful things they do.

Your antivirus, whether Norton or someone else's software, acts as a blocker more than a remover, but it can't protect you from everything. Nothing is 100% and it never will be. Malware writers are constantly busy looking for ways in, and they also buy all the known software so that they can beat it.

Other programs like Adobe and the browsers have vulnerabilities that let malware in. P2P and torrent sites are very popular places for malware insertion. Things that are allowed into your computer are difficult for the antivirus to stop.

Redirects can frequently be seen and therefore dealt with by using Hijackthis, and some serious infections that require manual removal can be identified in Malwarebytes.  HJT will not act as a blocker, and Malwarebytes does not take the place of an antivirus program. 

Also, running more than one antivirus engine allows conflicts which give malware an opening.

We request these programs as much to find out what is happening as to fix things.

Security is a complicated procedure.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Browser Hijacking - Why Can't Norton fix these?

Still disappointing. Anyway, here is a log from HijackThis. Any help would be appreciated. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:46 PM, on 12/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton Utilities 14\nu.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ENGINE\17.1.0.19\cltLMH.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\coIEPlg.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NortonUtilities] C:\Program Files\Norton Utilities 14\nu.exe /H
O4 - HKUS\S-1-5-21-1516350078-377577214-2716412152-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1516350078-377577214-2716412152-1009\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User '?')
O4 - HKUS\S-1-5-21-1516350078-377577214-2716412152-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1516350078-377577214-2716412152-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162772332838
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
O23 - Service: Common Client Job Manager Service (PCCUJobMgr) - Symantec Corporation - C:\Program Files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe

--
End of file - 6532 bytes
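delphinium's point above is that the helpers want the logs as much as the cleaners. The block below is an added example written for this page (it is not code from the thread, from Trend Micro or from Symantec) that does the mechanical first pass over a HijackThis 2.0 log: it groups entries by section code and flags the ones a responder looks at first: R0/R1 start and search pages pointing at a host that is not on an allow-list, O2/O3/O9 registrations whose file is gone, every O20 AppInit_DLLs or Winlogon Notify injection, and O4/O23 autoruns living outside Windows or Program Files. The allow-list of hosts and the trusted path prefixes are the example's own assumptions, the sample log is an abridged copy of the one posted above, and the single hijacked R1 line is constructed (note the `.invalid` TLD), not taken from Willie's log.

```python
"""First-pass triage of a HijackThis 2.0 log.

Added example for this page; it is not code from the thread, from Trend Micro
or from Symantec.  The log lines below are an abridged copy of the log posted
above (plus one clearly marked constructed line), and the hosts and path
prefixes treated as "expected" are this example's own choices.
"""
import re
from collections import defaultdict

# Abridged copy of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\coIEPlg.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
--
End of file - 6532 bytes
"""

# Constructed line (not from the thread) showing what a hijacked search page
# looks like as an R1 entry; the .invalid TLD marks it as fictitious.
HIJACKED_EXAMPLE = r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example-redirector.invalid/"

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
PATH_RE = re.compile(r'[a-z]:\\[^"]*', re.IGNORECASE)

# Hosts a default or user-chosen home/search page is expected to point at
# (the example's own allow-list; extend it for the machine being examined).
KNOWN_URL_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.yahoo.com",
                   "www.google.com", "www.bing.com", "www.toshibadirect.com"}
# Where legitimately installed software lives on a Windows XP box
# (long and 8.3 short forms).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_hjt(text):
    """Group the log's entries by their HJT section code (R0, O2, O4, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections


def _path_in(body):
    """Return the first drive-letter path in an entry, lower-cased, or None."""
    m = PATH_RE.search(body)
    return m.group(0).strip().lower() if m else None


def triage(text):
    """Return (section, reason, entry) triples worth a human's attention."""
    findings = []
    sections = parse_hjt(text)
    # R0/R1/R3: IE start and search pages.  A redirect to an unknown host is
    # the textbook browser-hijack symptom.
    for key in ("R0", "R1", "R3"):
        for body in sections.get(key, ()):
            m = URL_RE.search(body)
            host = m.group(1).lower() if m else None
            if host and host not in KNOWN_URL_HOSTS:
                findings.append((key, "browser URL points at unrecognised host " + host, body))
    # O2/O3/O9: BHOs, toolbars, extra buttons.  "(no file)" is an orphaned
    # registration: clutter, safe to let HJT remove.
    for key in ("O2", "O3", "O9"):
        for body in sections.get(key, ()):
            if body.endswith("(no file)"):
                findings.append((key, "orphaned registration, target file missing", body))
    # O20: AppInit_DLLs / Winlogon Notify load into many processes; always
    # confirm the publisher of anything listed here.
    for body in sections.get("O20", ()):
        findings.append(("O20", "DLL injected system-wide; verify publisher", body))
    # O4/O23: autoruns and services.  Binaries outside Windows/Program Files
    # (temp, profile, root of C:) are a common persistence tell.
    for key in ("O4", "O23"):
        for body in sections.get(key, ()):
            path = _path_in(body)
            if path and not path.startswith(TRUSTED_PREFIXES):
                findings.append((key, "autorun binary outside trusted locations", body))
    return findings


if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_LOG + HIJACKED_EXAMPLE + "\n"):
        print("%-4s %s\n     %s" % (section, reason, entry))
```

Run against the abridged log alone it flags only the orphaned O9 button and the two O20 entries. Both O20 hits here are Google Desktop and SUPERAntiSpyware, which is exactly why the check prints a "verify publisher" prompt rather than a verdict: AppInit_DLLs is a standard persistence mechanism for adware and other malware, so every entry deserves a look, but the answer is often benign.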

Re: Browser Hijacking - Why Can't Norton fix these?

The latest generation of spyware is very aggressive, nasty, and has a great ability to hide itself. Because they are being spawned so rapidly, they can't be detected until they've been discovered and "fingerprinted". That window of time may be fairly negligible in some cases, but it's large enough for a lot of computers to get infected.

Even worse is removal.  How they embed themselves and where and what is necessary to unattach them is not a simple thing; and the lag time here can be serious.

One suggestion: Find a clean computer and download the Norton Recovery Tool from NRT.  This is an ISO image to be translated and burned to a CD - read the instructions on the site carefully.  If you own the NIS 2010 or NAV 2010 CD, it is already included on your CD and you can boot from it.  You will need the Activation Key.  The program will update the signature automatically and hopefully it will by this time be able to find and clean out the active part of the malware.

Good luck.

mij - N360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware

Re: Browser Hijacking - Why Can't Norton fix these?

Hi UncleWillie:

We are just waiting for an analyst to have a look at your log.  This is a user to user help forum, scattered throughout several time zones.  Have you already dumped your browser caches, temp files, and prefetch folder?

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Browser Hijacking - Why Can't Norton fix these?

mijcar, I have NIS 2010 and I tried booting from the CD over the weekend.  It didn't find anything. 

Bill

Re: Browser Hijacking - Why Can't Norton fix these?

Oracle of delphinium, I have not "dumped" the browser cache, temp files and prefetch folder.  When you say dump, do you mean clear them out?  Thanks.

Bill

Re: Browser Hijacking - Why Can't Norton fix these?

Hi UncleWillie

One thing I can tell you is that you are running a very old version of Java. Java is updated all the time for security reasons. Keeping Java and Adobe products up to date helps to keep your computer clean also.

Success always occurs in private and failure in full view.

Re: Browser Hijacking - Why Can't Norton fix these?

Good point about old java.  I usually disable java in Firefox, but it was enabled on my wife's laptop that I am trying to debug. 

Willie

Re: Browser Hijacking - Why Can't Norton fix these?

Hi Uncle Willie

I think even if the program is disabled, it should still be kept up to date.

Success always occurs in private and failure in full view.
Re: Browser Hijacking - Why Can't Norton fix these?

Of course, floplot.  Not sure why auto update for Java wasn't on. 
Re: Browser Hijacking - Why Can't Norton fix these?

Hi UncleWillie:

Let me chime in a bit about Java, since floplot has a good point.

Go into add/remove programs and check for multiple instances of different versions of Java.

Uninstall the old ones.

Sometimes the Sun Java Updater fails to do that.

Just my two cents.

Plankton - MCSE, CSQE - NIS 2009 • NIS 2010 - Windows XP • Vista • 7 • IE 8

Re: Browser Hijacking - Why Can't Norton fix these?

Hi Uncle Willie

I have found over the years that I can't always trust these auto update programs. Most of the time I just have to go to the Java site to check whether there is an update, and the same thing with Adobe Reader, Flash, Shockwave Player, etc. Usually, by the time you have waited for them to get around to you, the newer version has been out for quite some time. They don't put the updates on the servers for everyone at the same time, so someone is always having to wait for their newer product unless they go to the website and check themselves. I find it a good habit to check these sites and programs about once a week; it doesn't really take much time either.

Success always occurs in private and failure in full view.
Re: Browser Hijacking - Why Can't Norton fix these?

Hi

I think the newer versions of Java do delete the previous version now, but if you have really old versions of Java, then yes, they have to be deleted also, even if not in use.

Success always occurs in private and failure in full view.
Re: Browser Hijacking - Why Can't Norton fix these?

I think we are veering slightly off track. It is likely that Java is the least of his problems.

We are suspecting that UncleWillie has a Gen 3 rootkit.  The only real symptoms of this, unfortunately, are the redirects.  It will not show on HJT or MBAM.  I am just hoping that clearing the browsers, temp files, and prefetch might get rid of the redirects.  If so, we started small enough not to harm the machine, and get the job done.

If that doesn't solve the problem, we must assume more serious malware is on the machine and get him to where he can get assistance.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Browser Hijacking - Why Can't Norton fix these?

Hi delphinium:

What about using GMER?

Plankton - MCSE, CSQE - NIS 2009 • NIS 2010 - Windows XP • Vista • 7 • IE 8

Re: Browser Hijacking - Why Can't Norton fix these?

Hi

Unfortunately, some of the newer rootkits can even hide from GMER also, although it may work. These new rootkits are getting sneakier and sneakier.

Success always occurs in private and failure in full view.
Re: Browser Hijacking - Why Can't Norton fix these?

Sorry if this is a stupid question, but is the way to "dump your browser caches, temp files, and prefetch folder" to go to Tools -> Options -> Advanced -> Offline Storage -> Clear Now? Is there more to it than that? Thanks.

Willie

Re: Browser Hijacking - Why Can't Norton fix these?

Is the Trend Micro RootkitBuster useful?
Re: Browser Hijacking - Why Can't Norton fix these?

Well, I ran Trend Micro RootkitBuster version 2.80.0.1077 and it found nothing. No hidden files, no hidden registry entries, no hidden processes, no hidden drivers.
Re: Browser Hijacking - Why Can't Norton fix these?

UncleWillie:

If you do have a Gen 3 rootkit, and you continue to fool with it, you may actually manage to remove the infected file.  If that happens, you will no longer be able to access your computer. 

In your IE go to tools> Internet Options>History>delete

In FF go to tools>clear recent history>all

For prefetch go to My Computer>C:>Windows>prefetch.  These files let your computer find things faster, but it won't hurt anything to get rid of them.  They will rebuild.  Leave the boot folder be.

For temp files go to My Computer>C:>Windows>Temp and delete what you can. Not all of them will delete, probably.

Doing that won't hurt anything.

I don't think it shows on GMER but if you want to try it:  Scan only!

http://www.gmer.net/

After it is downloaded to your desktop, right click on the icon, run as admin.  Uncheck all but services, history and files.  It may cause a blue screen.  If so, try again in safe mode.  You will need to save the log to Notepad.

Message Edited by delphinium on 12-08-2009 08:37 PM
Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Browser Hijacking - Why Can't Norton fix these?

"I don't think it shows on GMER but if you want to try it:"

It depends on the Gen 3 in question.

I actually enjoyed infecting my PC with a Gen 3, testing to see which scanner found the one I had ( if any) then I removed it.

Quads 

Re: Browser Hijacking - Why Can't Norton fix these?

Getting ready to run GMER.  When it starts up, it lists a ble c:\WINDOWS\system32\drivers\atapi.sys      suspiscious modification

Now I will scan...

Re: Browser Hijacking - Why Can't Norton fix these?

Delphinium, I don't see "history" as an option in GMER.  It has System, Sections, IAT/EAT, Devices, Modules, Processes, Threads, Libraries, Services, Registry and Files. 

Willie
Re: Browser Hijacking - Why Can't Norton fix these?


UncleWillie wrote:

Delphinium, I don't see "history" as an option in GMER.  It has System, Sections, IAT/EAT, Devices, Modules, Processes, Threads, Libraries, Services, Registry and Files. 

Willie

I think she was referring to "registry".

mij - N360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware

Re: Browser Hijacking - Why Can't Norton fix these?

OK, thanks. I will run the GMER scan this evening as my wife has the laptop.

BTW, I noticed on another PC that I got a ton of Windows XP security updates today.

Willie

Re: Browser Hijacking - Why Can't Norton fix these?

Good morning Uncle Willie.  I'm glad to see you are still with us.  I would ask you to do one little thing.  When you have the laptop back, go into the computer pane>settings> scroll down to Exclusions >configure and add atapi.sys to both the scan exclusions and to auto protect exclusions.

Unfortunately, the GMER mention of atapi.sys pretty much confirms that you do have a rootkit active on that machine.  If your wife is still using the laptop, it is extremely insecure.  There should be no banking done, or credit card purchases, or sensitive information transmitted.  You will need to change all passwords for this type of usage.

Oracles have long been noted as the bearers of bad news. 

I will give you the names of a couple of malware removal sites, where they have the tools and know-how to assist you in the safe removal. Save all of the data that is important on the laptop, first thing.  The removal is a risky business.

www.bleepingcomputer.com


http://www.geekstogo.com/forum/

Get back to us if you can and let us know how it goes for you.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Browser Hijacking - Why Can't Norton fix these?

Hi Uncle Willie

When you go to these sites for help, please remember to ask any questions you have before you try a process or scan that they tell you to do. It is always better to ask to clarify something than to wait till after when it may be too late. Good luck.

Success always occurs in private and failure in full view.
Re: Browser Hijacking - Why Can't Norton fix these?

Delphinium, my wife drove to the office with the scan still running, but I did not have "registry" checked. Good thing I got her that new heavy duty battery! As soon as I saw the strange pop-ups I told her no banking or credit card transactions. I will also check those removal sites. I didn't quite understand "computer pane>settings> scroll down to Exclusions >configure and add atapi.sys to both the scan exclusions and to auto protect exclusions." Is that from inside NIS? Thanks.

I will ask her to rescan with "registry" checked. FWIW, here is the output of the GMER scan with services, system and files chosen:

GMER 1.0.15.15273 - http://www.gmer.net

Rootkit scan 2009-12-09 10:23:37
Windows 5.1.2600 Service Pack 3
Running: 2gb4ssq1.exe; Driver: C:\DOCUME~1\MA\LOCALS~1\Temp\fgtdypob.sys

---- System - GMER 1.0.15 ----

SSDT  8A035E80    ZwAlertResumeThread
SSDT  8A2E80E8    ZwAlertThread
SSDT  8A49E0C0    ZwAllocateVirtualMemory
SSDT  89E38100      ZwAssignProcessToJobObject
SSDT  89200460      ZwConnectPort
SSDT  \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)                     ZwCreateKey [0xA4283210]
SSDT  8A0B6C28   ZwCreateMutant
SSDT  89EA28C0   ZwCreateSymbolicLinkObject
SSDT  89F6DC60   ZwCreateThread
SSDT  89E380C8    ZwDebugActiveProcess
SSDT  \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)                     ZwDeleteKey [0xA4283490]
SSDT  \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)                     ZwDeleteValueKey [0xA42839F0]

SSDT  8A301948   ZwDuplicateObject
SSDT  8A0F8E58  ZwFreeVirtualMemory
SSDT  8A3C9440  ZwImpersonateAnonymousToken
SSDT  8A321100   ZwImpersonateThread
SSDT  891DB830  ZwLoadDriver
SSDT  89F3AC00  ZwMapViewOfSection
SSDT  8A304A48  ZwOpenEvent
SSDT  \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)                     ZwOpenKey [0xA42837A0]
SSDT  8A49C538  ZwOpenProcess
SSDT  8A096E60  ZwOpenProcessToken
SSDT  89E37158   ZwOpenSection
SSDT  8A30C308  ZwOpenThread
SSDT  8A0F8F78  ZwProtectVirtualMemory
SSDT  8A169A98  ZwResumeThread
SSDT  89EEDCF0 ZwSetContextThread
SSDT  8A0CAE08 ZwSetInformationProcess
SSDT  89E37660    ZwSetSystemInformation
SSDT  \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)                     ZwSetValueKey [0xA4283C40]
SSDT  8A10DD60  ZwSuspendProcess
SSDT  89E37C58                                                                                                       ZwSuspendThread
SSDT  \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com)  ZwTerminateProcess [0x9D9370B0]
SSDT  89E33A30    ZwTerminateThread
SSDT  89F05BA0    ZwUnmapViewOfSection
SSDT  89E339E0     ZwWriteVirtualMemory

---- EOF - GMER 1.0.15 ----
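The SSDT listing above is dense, so here is an added example (not part of the thread and not GMER's code) that parses that section. Each `SSDT` line is one of two shapes: a hook GMER could attribute to a driver image (path, description, system call, handler address in brackets), or a bare handler address followed by the system call, meaning the address lies outside every module GMER could identify. The example groups hooks by module and lists the unattributed hooks that land on calls a kernel rootkit would care about. The sample is an abridged copy of the log posted above; the set of "sensitive" calls is the example's own choice. Two caveats a practitioner needs: on this machine Norton's SYMEVENT.SYS and SUPERAntiSpyware's SASKUTIL.sys legitimately hook the SSDT, and an unattributed address only means GMER could not map it to a module it knows, not that it is malicious, so the output is a list of things to explain rather than a verdict. And, as Quads points out later in the thread, TDL3 shows in GMER's devices section rather than here, so a clean SSDT does not clear the machine.

```python
"""Summarise the SSDT section of a GMER rootkit-scan log.

Added example for this page; not code from the thread or from GMER.  The
sample is an abridged copy of the GMER output posted above; the list of
"sensitive" system calls is this example's own choice.
"""
import re
from collections import defaultdict

# Abridged copy of the GMER log posted in the thread.
SAMPLE_GMER = r"""GMER 1.0.15.15273 - http://www.gmer.net
Rootkit scan 2009-12-09 10:23:37
---- System - GMER 1.0.15 ----
SSDT  8A035E80    ZwAlertResumeThread
SSDT  \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)                     ZwCreateKey [0xA4283210]
SSDT  891DB830  ZwLoadDriver
SSDT  8A49C538  ZwOpenProcess
SSDT  \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)                     ZwSetValueKey [0xA4283C40]
SSDT  \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com)  ZwTerminateProcess [0x9D9370B0]
SSDT  89E339E0     ZwWriteVirtualMemory
---- EOF - GMER 1.0.15 ----
"""

# "SSDT  <path> (<description>)  <syscall> [0x<addr>]": GMER mapped the hook
# address to a loaded driver image.
ATTRIBUTED_RE = re.compile(
    r"^SSDT\s+(\\\?\?\\\S.*?)\s+\((.+?)\)\s+(Zw\w+)\s+\[0x([0-9A-Fa-f]+)\]\s*$")
# "SSDT  <addr>  <syscall>": the hook address lies outside every module GMER
# could identify.
UNATTRIBUTED_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(Zw\w+)\s*$")

# Calls a kernel rootkit commonly hooks to hide itself or to defeat removal
# tools (the example's own list, not GMER's).
SENSITIVE = {"ZwLoadDriver", "ZwOpenProcess", "ZwWriteVirtualMemory",
             "ZwMapViewOfSection", "ZwCreateThread", "ZwTerminateProcess",
             "ZwSetSystemInformation", "ZwQuerySystemInformation"}


def parse_ssdt(text):
    """Return one dict per SSDT hook: syscall, address, module (or None)."""
    hooks = []
    for line in text.splitlines():
        m = ATTRIBUTED_RE.match(line)
        if m:
            path, description, syscall, addr = m.groups()
            hooks.append({"syscall": syscall, "address": int(addr, 16),
                          "module": path.rsplit("\\", 1)[-1].upper(),
                          "description": description})
            continue
        m = UNATTRIBUTED_RE.match(line)
        if m:
            addr, syscall = m.groups()
            hooks.append({"syscall": syscall, "address": int(addr, 16),
                          "module": None, "description": None})
    return hooks


def by_module(hooks):
    """Map each hooking module (or '<unattributed>') to its sorted syscalls."""
    groups = defaultdict(list)
    for h in hooks:
        groups[h["module"] or "<unattributed>"].append(h["syscall"])
    return {module: sorted(calls) for module, calls in groups.items()}


def unattributed_sensitive(hooks):
    """Hooks with no module that sit on calls a rootkit would want to own."""
    return sorted(h["syscall"] for h in hooks
                  if h["module"] is None and h["syscall"] in SENSITIVE)


if __name__ == "__main__":
    hooks = parse_ssdt(SAMPLE_GMER)
    for module, calls in sorted(by_module(hooks).items()):
        print("%-16s %d hook(s): %s" % (module, len(calls), ", ".join(calls)))
    print("unattributed hooks on sensitive calls:", unattributed_sensitive(hooks))
```

On the abridged sample the output attributes two hooks to SYMEVENT.SYS, one to SASKUTIL.SYS, and leaves four unattributed, three of them on ZwLoadDriver, ZwOpenProcess and ZwWriteVirtualMemory. The next step for a responder is to explain each unattributed address against the security products installed (here Norton and SUPERAntiSpyware) before reading anything into it.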

Re: Browser Hijacking - Why Can't Norton fix these?

Hi delphinium:

Two questions -

1) How do you know that atapi.sys is actually compromised?

2) How did NIS 2010 let it get infected? (New generation of Rootkit not detected yet by NIS?)

Curious... thanks.

Message Edited by Plankton on 12-09-2009 11:56 AM
Plankton - MCSE, CSQE - NIS 2009 • NIS 2010 - Windows XP • Vista • 7 • IE 8

Re: Browser Hijacking - Why Can't Norton fix these?

Plankton, for #2, my wife's PC was running McAfee when it got infected, not NIS. NIS was installed after the fact to try to fix the problem. So that question would have to go to a McAfee board. :) Although it is disappointing that Norton can't detect it after the fact. :(

Willie

Re: Browser Hijacking - Why Can't Norton fix these?

Hi UncleWillie:

All these threats are getting so sophisticated, that it may not be possible to pin it on a particular product.

Thanks for the info!

Plankton - MCSE, CSQE - NIS 2009 • NIS 2010 - Windows XP • Vista • 7 • IE 8

Re: Browser Hijacking - Why Can't Norton fix these?

Just for info.  Antivirus software is extremely sticky.  It has to be that way.  So if you just removed McAfee from the computer using Add/Remove, you would not have removed it completely.  Each antivirus has its own removal tool.  That kind of thing interferes with the correct operation of the newly installed antivirus, no matter whose it is.

Second, rootkits come with their own list of antivirus names and sites to block.  This prevents many products from accessing updates, their own websites, and prevents you from accessing, downloading and running products that could interfere with the rootkit.

Thirdly, downloading an antivirus into a severely infected machine corrupts the installation and prevents it from doing what it is supposed to do. So try not to think too badly of Norton; it never had a chance.

The 2010 antivirus engines have cut down the number of rootkit infections to almost nothing on this forum. The problem is that the malware writers have had to get more creative in their bid to infect machines. The malware always comes out first. Once it is discovered, Symantec takes it apart and writes changes into their product to block the attacks. Then it begins again. This is very sophisticated malware, frequently acquired by a careless click of the mouse in the wrong place.

Sorry, yes.  The settings are in the main screen for Norton.  The top pane is the computer, settings you will find on the right side.

Message Edited by delphinium on 12-09-2009 09:37 AM
Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Browser Hijacking - Why Can't Norton fix these?

Gen 3 and GMER: if GMER is able to show it, it should show up for one in the "devices" section, so there is no point in just scanning "services", "registry", etc.

UncleWillie stated further up:

Getting ready to run GMER.  When it starts up, it lists a ble c:\WINDOWS\system32\drivers\atapi.sys      suspiscious modification

Which sounds like Gen 3 (TDL3); that's why it has, in this case luckily enough, appeared.

Quads 

Re: Browser Hijacking - Why Can't Norton fix these?

Delphinium, 

1) I did use McAfee uninstall.

2) Thankfully access to the Norton website has not been blocked and it was able to download updates.

3) True, but I also tried booting from the CD, downloading updates and running a scan.  That didn't find anything either. 

Microsoft released a bunch of drive-by security updates today, including a modified version of MRT.exe. Unfortunately they came a couple of weeks too late for my wife's laptop.

http://blogs.zdnet.com/security/?p=5096&tag=nl.e539

Will Windows 7 be any better?

Willie

Re: Browser Hijacking - Why Can't Norton fix these?

Hi Delphinium:

How do you know that atapi.sys is actually compromised?

Didn't get your answer on this one just yet.

Thanks.

Plankton - MCSE, CSQE - NIS 2009 • NIS 2010 - Windows XP • Vista • 7 • IE 8

Re: Browser Hijacking - Why Can't Norton fix these?

Maybe I am a cynic, but I don't believe there will ever be anything developed that some other individual can not find holes to take advantage of.  There will always be browser vulnerabilities, program vulnerabilities, and errors in judgment.

Security is composed of patching software vulnerabilities, such as in Java, MS Office, Windows, Adobe, and a multitude of others.  It also depends on the things we do, such as P2P, file sharing, torrents, Facebook, etc.  The more popular the site, the more likely malware will be inserted.  There is no point in placing your malware in a place where nobody goes.

Doubling up on real-time antivirus scanners is problematic, and many of the rootkit infections we have seen here were on machines with more than one active antivirus engine.

In the end, no matter how careful and prudent we are, sooner or later, we will get infected.  It is good to know what to do about it and where to go for help. Malware is now a fact of internet usage and as unavoidable as death and taxes.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Browser Hijacking - Why Can't Norton fix these?

Plankton:

Regarding your question:

We are forced to deal with indications with these infections.  If you read the articles provided by Voyager 10, and Quads's posts, it will help you.  It is simply one of the files that the rootkit over-writes.  It is not necessarily the only one, but if you notice, the OP did say that it showed in GMER.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Browser Hijacking - Why Can't Norton fix these?

Hi delphinium:

Understood.

I will take a look at this more deeply, as it is of great interest to me.

Thanks for the reply!

Plankton - MCSE, CSQE - NIS 2009 • NIS 2010 - Windows XP • Vista • 7 • IE 8

Re: Browser Hijacking - Why Can't Norton fix these?


delphinium wrote:

 ... the OP did say that it showed in GMER.


What does "showed" mean here?  Doesn't GMER list a lot of things, not just infected entries and files?

mij - N360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware

Re: Browser Hijacking - Why Can't Norton fix these?

mijcar, as I posted previously, when GMER starts up, it displays a few lines including this:  

c:\WINDOWS\system32\drivers\atapi.sys      suspiscious modification

Re: Browser Hijacking - Why Can't Norton fix these?

Hi Mijcar:

For those of us who do not know or understand the complexities of GMER, SysProt, or Rootrepeal, the best we can hope for is the recognition of the one item that is either indicated as a problem, or is in a place it should not be.  Uncle Willie was kind enough to share with us the following info:

Getting ready to run GMER.  When it starts up, it lists a ble c:\WINDOWS\system32\drivers\atapi.sys      suspiscious modification

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Browser Hijacking - Why Can't Norton fix these?


delphinium wrote:

Hi Mijcar:

Getting ready to run GMER. When it starts up, it lists a ble c:\WINDOWS\system32\drivers\atapi.sys      suspiscious modification

Ahhhh. And here I thought it was the spelling of "suspicious" itself that was suspiciously modified. :-)

mij - N360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware

Re: Browser Hijacking - Why Can't Norton fix these?

Hi mij

I think that was a typo when Uncle Willie typed what it said at the start of the scan.

Success always occurs in private and failure in full view.
Re: Browser Hijacking - Why Can't Norton fix these?

Yes, my fault.  I was copying from my wife's laptop to mine, and I didn't use the spell checker.
Re: Browser Hijacking - Why Can't Norton fix these?

GMER Registry scan turned up nothing.

I just tried to do a Windows Update, hoping some of the MS security fixes would help. I got an error message that "Files required to use Windows Update are no longer registered or installed on your computer. To continue:

Register or reinstall the files for me now (recommended)

Let me read about more steps that might be required to solve the problem.  

When I select #1) I get "403 forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied." The second option just lets me search by typing in keywords.

Re: Browser Hijacking - Why Can't Norton fix these?

Gen 3 (TDL3) does not show in the registry.

How are Windows updates suppose to fix TDL3 ???

Quads 

Re: Browser Hijacking - Why Can't Norton fix these?

Quads, one of the updates was a new version of MRT.exe. That is the Microsoft malware removal tool. Are you saying that MRT is not able to handle TDL3?
Re: Browser Hijacking - Why Can't Norton fix these?

That would be correct; the MRT does not handle TDL3.
Win7 x32 SP1
Re: Browser Hijacking - Why Can't Norton fix these?

Even if I get rid of the rootkit, if I can't get Windows Updates anymore, I am hosed, no?  I am getting ready to punt and reinstall the OS.  Too bad the laptop didn't come with the Windows DVD. 
Re: Browser Hijacking - Why Can't Norton fix these?

UncleWillie:

Those two links I gave you to malware removal sites are the only thing you can do short of cleaning off the hard drive (reformat) and starting over.  You need a specialist in malware removal, and the specialized tools and programs necessary.  When I say bad news, I really meant it.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain