Re: Help with SKYNET Virus
OscarL
Symantec Employee
Posts: 176
Registered: 08-19-2008

Message 11 of 22

Viewed 1,375 times

The threat can be detected under some or all of the following names (this will be the name that is displayed if the threat is detected by NAV/NIS).

Backdoor.Tidserv
OSX.RSPlug.A
Adware.Virtumonde
Infostealer
Hacktool.Rootkit

We note that when the threat is present on the system, it installs several files, often with the following words in the file names:

skynet
kungsf
msivx
uac
tdss
msqp
ovsth
gaopdx
gxvxc
ndisp

If you do not have NAV/NIS 2009 currently, a free trial with 15 days expiration can be found here: http://www.norton.com/nis09

Also, another way of exposing a threat is to turn on Windows boot logging. Use the command "msconfig", then check the BOOT.INI tab, and check the box marked /BOOTLOG. After rebooting, check c:\windows\ntbtlog.txt. If there are any entries containing the above words (e.g. skynet) then a threat driver is attempting to be loaded.
07-02-2009 04:10 PM
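
The boot-log check from message 11, as an added example (not part of the original post and not Symantec code): it pulls the driver entries out of ntbtlog.txt and flags those whose file name contains one of the listed words. The "Loaded driver" / "Did not load driver" line format and the UTF-16 handling are assumptions about the log, and the sample log with its two flagged driver names is constructed.

```python
import ntpath
import re

# File-name fragments listed in message 11 of this thread.
KEYWORDS = ("skynet", "kungsf", "msivx", "uac", "tdss", "msqp",
            "ovsth", "gaopdx", "gxvxc", "ndisp")

# Assumed entry format: "Loaded driver <path>" / "Did not load driver <path>".
ENTRY = re.compile(r"^(Loaded driver|Did not load driver)\s+(\S.*)$")


def decode_bootlog(raw: bytes) -> str:
    """Decode the log; assumes UTF-16 with a BOM, else 8-bit text."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def suspicious_entries(raw: bytes, keywords=KEYWORDS):
    """Return (line_no, status, path, keyword) for matching driver entries."""
    hits = []
    for line_no, line in enumerate(decode_bootlog(raw).splitlines(), 1):
        match = ENTRY.match(line.strip())
        if not match:
            continue  # header, timestamp or blank line
        status, path = match.groups()
        # Match on the file name only, so a directory name cannot trigger a hit.
        name = ntpath.basename(path).lower()
        keyword = next((k for k in keywords if k in name), None)
        if keyword:
            hits.append((line_no, status, path, keyword))
    return hits


# Constructed sample log; the two flagged driver names are made up.
SAMPLE_LOG = "\r\n".join([
    "Service Pack 3 7 2 2009 16:10:00.500",
    r"Loaded driver \WINDOWS\system32\ntoskrnl.exe",
    "Loaded driver NDIS.sys",
    r"Loaded driver \SystemRoot\System32\Drivers\gxvxcEXAMPLE.sys",
    r"Did not load driver \SystemRoot\System32\Drivers\SKYNETexample.sys",
    r"Loaded driver \SystemRoot\System32\Drivers\tcpip.sys",
]).encode("utf-16")

if __name__ == "__main__":
    for line_no, status, path, keyword in suspicious_entries(SAMPLE_LOG):
        print(f"line {line_no}: {status}: {path} (matched '{keyword}')")
```

Passing `keywords=KEYWORDS + ("seneka",)` adds the further name given in message 12. Short fragments such as `uac` can also occur in unrelated file names, so a hit is a lead to review rather than a verdict.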
Quads
Phishing Phryer
Posts: 4188
Registered: 07-21-2008

Message 12 of 22

Viewed 1,360 times

Hi OscarL, has Symantec fixed the problem it has with not being able to work properly with this group of rootkits (UAC PG.200, gxvxc, SKYNET, MSIVX........... and others)?

Symantec did keep adding detections for these, but with Norton not being able to remove the threats, work properly etc. over the weeks on the forum I have been having to script from logs for removal.

With DesiT asking and us giving info, and hopefully me giving files and logs, DesiT was able to recreate the problem in the "lab" and is working to fix the problem.

As for,
The threat can be detected under some or all of the following names (this will be the name that is displayed if the threat is detected by NAV/NIS). Backdoor.Tidserv OSX.RSPlug.A Adware.Virtumonde Infostealer Hacktool.Rootkit We note that when the threat is present on the system, it installs several files, often with the following words in the file names: skynet kungsf msivx uac tdss msqp ovsth gaopdx gxvxc ndisp If you do not have NAV/NIS 2009 currently, a free trial with 15 days expiration can be found here: http://www.norton.com/nis09 Also, to bring up another way of exposing a threat, is to turn on Windows boot logging. Use the command "msconfig", then check the BOOT.INI tab, and check the box marked /BOOTLOG. After rebooting, check c:\windows\ntbtlog.txt. If there are any entries containing the above words (e.g. skynet) then a threat driver is attempting to be loaded.
Oh well a bit late in coming, already worked out the names for the group, and what to look for in the logs, another name is "seneka"

Quads

Message Edited by Quads on 07-03-2009 12:40 PM
Message Edited by Quads on 07-03-2009 12:41 PM
07-02-2009 05:35 PM
OscarL
Symantec Employee
Posts: 176
Registered: 08-19-2008

Message 13 of 22

Viewed 1,349 times

Quads,

Obviously there will be cases where NIS is unable to remove these threats in the field. Testing in-house here we've seen cases where it was able to remove the threats, with the newer definitions. But everything is dependent on what is present on the infected machine. Or there are variants that we don't have detections or remediations yet. But with more knowledge of the threats, we are continuing to add to the effectiveness of our remediations.

So whenever you encounter new malware, please submit it to Symantec Security Response: https://submit.symantec.com/websubmit/retail.cgi
07-02-2009 05:59 PM
Quads
Phishing Phryer
Posts: 4188
Registered: 07-21-2008

Message 14 of 22

Viewed 1,341 times

Quads is laughing, UAC, (P.G.200) has been detected for a while now and I still get Norton not being able to remove the files. The person\people who created this has done well and has one over Norton at the moment.

Wonder what would have happened if all of the people posting needing help over the last few months for the variants and, if I just disappear, so the Norton users would be stuck, no scripting, to remove the rootkit so Norton will run again. Norton users all stuck.

The fact DesiT said In House "remediation" with updated detections, then with him asking us questions, the same Norton problem was able to then be recreated, says something.

Also the fact the rootkits do other things and other malware are on people's PC like DNS changers, is a bit of another issue, as the fact I have to script to remove the rootkit first, also says something.

Oh well maybe it is the fact I think outside the square and find way around things also. I also don't use that site.
07-02-2009 06:23 PM
delphinium
Super Bot Obliterator
Posts: 3852
Registered: 11-21-2008

Message 15 of 22

Viewed 1,336 times

It looks like we have a brand new rootkit to deal with. I suggest that the user make his choice of attack quickly because we are about to become busy.

OscarL will possibly be more successful on this MSIVX infection here and would be a more fair appraisal of Norton's removal abilities than a SKYNET.
http://community.norton.com/norton/board/message?board.id=Norton_360&thread.id=15375

Under certain circumstances profanity provides relief denied even to prayer. Mark Twain
07-02-2009 06:46 PM
dbrisendine
Rootkit Eradicator
Posts: 3802
Registered: 10-06-2008

Message 16 of 22

Viewed 1,318 times

zulfie - If you're still here, I would recommend you uninstall AVG by using their Remover utility (download from this LINK) and install NAV2009 (download from here). You can use NAV2009 as a Trial for 15 days to see how you like it. It is much lighter on your system than AVG and has several new features to help keep itself updated but out of your way. Also, at least for the support here, it would be easier to make sure the AV is not going to interfere with the removal process.

Thank you.
07-02-2009 08:32 PM
Floating_Red
Super Bot Obliterator
Posts: 4261
Registered: 05-30-2008

Message 17 of 22

Viewed 1,278 times

It may be "brand new" to us, but could have been kicking about the Internet for a few months.

dbrisendine wrote:
zulfie - If you're still here, I would recommend you uninstall AVG by using their Remover utility (download from this LINK) and install NAV2009 (download from here). You can use NAV2009 as a Trial for 15 days to see how you like it. It is much lighter on your system than AVG and has several new features to help keep itself updated but out of your way. Also, at least for the support here, it would be easier to make sure the AV is not going to interfere with the removal process. Thank you.

Norton AntiVirus 2009: No Firewall: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=18195.

Tuesday, November 17, 2009: The ThreatCon was Changed to Level 1: Normal | Sunday, November 01, 2009: There has been a huge increase in the Global Threat Activity, which appears to be Targeting the S.M.B.v.2 Remote-Code Execution Vulnerability. Keep Anti-Virus Products up-to-date and install all available Patches. | Microsoft have Released their November Patches.
07-03-2009 01:33 AM
dbrisendine
Rootkit Eradicator
Posts: 3802
Registered: 10-06-2008

Message 18 of 22

Viewed 1,252 times

Floating_Red - I believe that the statement of "brand new" to us meant another new user that needs our help. The RootKit has been handled here previously.
07-03-2009 08:51 AM
zulfie
Visitor
Posts: 5
Registered: 07-02-2009

Message 19 of 22

Viewed 1,236 times

Thanks everyone, took Oscar's advice and loaded the 15 day trial of NAV/NIS and it was able to remove the threat. I ran GMER afterwards to confirm and it didn't find anything....

Ray
07-03-2009 03:55 PM
dbrisendine
Rootkit Eradicator
Posts: 3802
Registered: 10-06-2008

Message 20 of 22

Viewed 1,228 times

That's Great news! Since you were the one who started this thread, you can mark one of the posts as the solution to your problem. Please do so, as it will help others with this problem find a quick answer. Come back if you need any help on the Norton product or any questions we can answer for you.
07-03-2009 04:11 PM