07-07-2008 06:46 AM - last edited on 07-08-2008 06:55 PM by Allen_K
In the last week my PC became infected with a nasty piece of malware or possibly spyware, which, unfortunately, the Norton 360 package did nothing to stop. My 360 was fully up to date and the full scans revealed nothing. The initial effect was just to display, in addition to my chosen web page, one of several others; whilst none were offensive or pornographic, they were irritating to say the least.
Other identifiable symptoms included a warning displayed in the systray about Auto-update being turned off, despite it being “switched on” when viewed via the control panel. Auto-fill of web page forms also stopped functioning. Subjects of the rogue pages included dating, travel, music etc etc.
Naively, I thought my best course of action was to delete IE7 and revert to IE6; this had no effect at all. I still don’t know where the infection came from, but during the course of last week things got worse, to the extent that Norton 360 did attempt to help and finally purged my system of two “Trojans”, one of which was Vundu.
However, the additional web pages kept on appearing. I should probably explain at this stage that I am an IT professional of some 20 years’ experience. So on another PC I searched the web and gleaned some knowledge as to how to eradicate my problem. I found out about HijackThis, downloaded it and ran a scan, and from my gleaned knowledge I could see some BHOs identified with unusual-looking file names, none of which I could find any information for by searching on Google.
During the week these DLLs kept on appearing. Some of these DLLs included (I deleted many others before making notes): vedaygh.dll
In addition to the DLLs, several .ini files also arrived in windows\system32\, and all were dated on the day they attached themselves to my PC. None of these DLLs could be manually deleted as they reported to be “in use”; however, most could still be renamed and, following a reboot, could be deleted, as the registry was then pointing to a non-existent file. Even flagging the files for deletion at next reboot had no effect. Ultimately the only file I could not delete was jkkKaXRI.dll, which incidentally was the oldest of the most recent files (dated within the last week) to reside in windows\system32.
Despite repeatedly trying to manually delete this jkkKaXRI.dll from the registry, I could not delete it from the system32 folder, even in safe mode. I deduced that this file loaded at Windows logon and also re-updated the registry every few minutes or so.
Other features of this problem were that it set my privacy settings for cookies to “allow any”, and as such it placed other cookies and downloaded information in both Documents and Settings\“my username”\Cookies and Documents and Settings\“my username”\Local Settings\Temporary Internet Files\, despite Internet Explorer not being run.
These cookies were all “my username”@ip address, which included the following IP addresses:-
So on initial system boot jkkKaXRI.dll got loaded and, via the internet, downloaded the next batch of DLLs with random names, which it then inserted into the registry for execution. As I stated above, these DLLs were then immediately in use and couldn’t be deleted, but could be renamed and deleted from the registry and then manually deleted from the system32 folder on the next reboot.
The only way to stop further infection was to boot the PC in safe mode without networking. jkkKaXRI.dll was still in use in safe mode.
After many hours of poring over this problem I was getting to the stage of reformatting my C: drive and re-installing everything, not a task I was looking forward to, as this would have been a further 20 hours or so, and I would not have been able to trust my backup as I did not know where the infection came from or where it resided.
However, fortunately, I thought about booting my PC from a CD-ROM. I used an XP Pro CD, and then, using the “R” repair option to get to a “DOS” prompt, I was finally able to delete jkkKaXRI.dll.
What this has highlighted to me is how clever these malicious people are becoming, and by using what would appear to be randomly generated names for the DLLs it will be harder for people such as yourselves at Symantec to identify the threat.
Also, what concerns me more is how vulnerable both IE and XP are, in that it has been very easy for someone to infect my PC; it not only took over the behaviour of IE (cookies and rogue pages), but was able to control the logon process to prevent the erroneous DLL being deleted by normal means, and had further control over the registry, making this problem very hard to fix.
My biggest concern of all was that I thought I had invested good money in the latest and greatest 360 package and was fully protected, but unfortunately not!!!
I have not had any rogue pages since my fixing efforts, and furthermore I have yesterday updated this PC to Norton Internet Security 2008, in the hope that it offers me more protection than Norton 360 did.
I will also be looking to acquire a new version of Ghost to replace my version 10 for my backup purposes.
One thing that is very clear is that Internet Security is far more efficient at everything: under 360 with the Phishing Filter ON, IE7 performed very slowly before displaying a web page, whereas using NIS 2008 it performs well. Also, scanning the 950,000 files I have on this PC under 360 took about 3 hours (this PC is a DELL 5150 Pentium D 2.9GHz with 3GB RAM, so not slow at most things); under NIS 2008 it did the same full scan in under half the time.
Over the weekend I must have spent in excess of 15 hours wrestling with this problem, and if I had been charging my time out to a client, it would have got to the stage whereby my time would have cost more than the value of the hardware complete with OS. So there has to be a better way of fixing these problems, and I would like to think that you people at Symantec are on the case and can offer me an easier solution I can deploy in the future, and hopefully incorporate “the wherewithal” into NIS 2009????
Now for the question: as NIS 2008 has not detected anything on my PC now, can anyone offer any further advice as to anything else I should do to ensure that my PC is totally clean? Would it still be worth trying Norton Anti-Bot?
Sorry for the long post, but I thought it worthwhile trying to demonstrate how time-consuming and difficult resolving this type of problem was for me. Should I have done anything differently?
Any replies and advice gratefully received, thanks in advance
[edit: Broke IP's.]
07-07-2008 10:03 AM
I have just been having an almost identical problem to Andy_Milne.
Got infected with two virus/spyware pains in the same day.
WHY DOES NORTON 360 NOT PICK THEM UP !
Tried using the "Support" button on screen and found it very inappropriately named. All Symantec offered was to clean my machine for a charge of £69.99.
Why on earth should I pay for them to fix what I consider to be a fault in 360 in the first place ?
Like Andy I resorted to searching the web to get information and then manually removed the problem. Spent the entire weekend doing it though.
Apparently the malware that hit me is very well known, which makes it even more amazing that 360 failed to pick up on it.
Even after it was on my machine the 360 full scan failed to find it.
The "support" team showed no interest in gathering any information about the problem with perhaps a view to understanding how it got through their "protection" and maybe updating the signature database. All they wanted was the £69.99 fee.
Net result is that I have now totally lost confidence in the Norton range. Unlike Andy I shall not be "upgrading" to another Norton package. Upgrading? Yes Norton ? No way !
07-07-2008 12:50 PM
07-07-2008 01:34 PM
I have to agree too. Norton 360 simply does not detect certain infections, does not stop their spread and cannot therefore remove them. I tried to get tech support to be interested and examine the infected original file, but they were only interested in offering the clean-up service for more money. I did not have a problem removing the infection - Microsoft OneCare did that for me - I just wanted Norton to be better.
I have posted another thread recently about non detection and hope someone will take notice.
07-07-2008 03:43 PM
Hi and this is mainly to Tony.
I've read your "how to detect and clean"; however, none of this was helping in my case.
The registry was being re-updated every few minutes by a DLL process that was being controlled by a task item that could not be stopped, even when running in "Safe Mode"; no amount of registry editing or task stopping helped. In fact, if you edited the registry to remove the 5 references to the main rogue DLL and then shut down the PC, the LOGOFF process also re-updated the registry.
QED: the PC at next boot was still the same, and as the DLL was hyperactive at reboot, changing IE cookie settings and downloading further DLLs, .EXEs and .INIs, it looked an impossible task to resolve. Now, my fix may have been unorthodox, but it worked.
The main reason for posting here was the need to alert people that may have been like me and thought they had the best solution. I'm not having a real dig about Symantec or 360 per se, but it didn't stop me being infected. I realise my situation may well be unique, or the infection methodology too new to have been detected, but my aim was to share my problems so that others don't have to go through the same pain as me.
I have not become disillusioned with Symantec, as I have already re-invested in NIS 2008, which already looks to be a more comprehensive solution, but one now has to accept that 360 did not provide me with the comfort I was looking for.
I am also planning to update my version of Ghost.
I hope by these new pages that we all learn from each other's experiences, and that we can move forward without getting into a "blame culture", and I hope that the responsible people from Symantec are able to use our experiences to positively enhance the products so that we all ultimately benefit.
Had I been aware of the ability to submit suspicious files, I would have sent a veritable package, but my main goal was to cleanse my PC without embarking on the last resort of formatting my hard drive.
07-08-2008 11:04 AM
The post on "How to troubleshoot a suspected Malware infection" does indeed give some interesting and useful advice.
It does however fall down on some critical areas.
1. It assumes a fairly high level of computer 'savvy'. To a typical user it might as well be written in Klingon for all the real help it gives.
3. Uses phrases like "look for anything suspicious". Define to me what is suspicious !
4. How many users really want to delve into the system registry? Risky and fraught with dangers of making mistakes.
5. I see no reference to Vista, although I accept most of the advice for XP is transferable.
I particularly like the advice on Task Manager/Process towards the end of the document.
"Look through the list for possible threats". How is anybody supposed to know what a "possible threat" is? These things do not come with process names like "I_am_Virus" or "Spyware". If they did then even Norton 360 could have spotted them......probably.
Looking through the suggested registry entries I now see an entry under StartupReg with a key of CMDS / Command saying
and another under StartupReg with a key of 1e7fdb82 / command saying
Both of these look suspicious to me, but what do I do with them? Your guide does not say whether to delete them, or whether to delete the whole key or just the command values.
And this now just worries me because I think I have found a problem, but do not know what to do about it.
This is why we purchase packages like Norton 360. To help in these situations.
I can understand that a virus might slip through the initial protection phase and allow a virus onto the machine (we, the users, do after all make mistakes ourselves and click the wrong button sometimes, or do not fully read a warning message, or even allow our family free access to our beloved machines without a degree in computer sciences).
What I can not accept is that a full scan then fails to find the virus after it has embedded itself in the system. Even a simple web search for geBTkHXO.dll,c tells you that it is a known spyware issue, so why, oh why, does Norton 360 not identify it on a full system scan?
It is so disappointing. I have used Norton products for a long time, thinking I was safe, but now this confidence is shattered.
And why, when I originally contacted "support", did they not tell me to submit the problem to Symantec Security Response for analysis instead of just pushing the £69.99 recovery option? Once I declined this there was no willingness on their part to make any useful suggestions.
I am not even sure that I was in contact with a real person. I used the interactive message method of contact, and long replies were coming back much faster than a human could have typed them, and they did not really enter into a 'conversation'.
Either somebody was clicking standard replies and questions or they are experimenting with an AI support system.
Not a very helpful option, that one, unless you have £69.99 to spend.
07-08-2008 11:24 AM
Reference the comment from Andy that he has "upgraded" to NIS 2008.
Can the guru and/or administrator give an honest comparison between 360 and NIS 2008.
I had always thought that 360 was supposed to be the stronger of the two packages but how do they really compare ?
Do they use the same technology and search engines/database or is there a specific advantage of one over the other.
Isn't 360 the same thing as NIS 2008 but packaged up a bit prettier and simpler for the less technically minded users?
Come on guys, give us an honest appraisal of the two alternatives. Which one really is the stronger.
07-08-2008 11:47 AM
Again I quite agree with you. I do suggest Autoruns from Microsoft. This is but one of a family of tools from some computer guys that did so good, Microsoft bought them in-house (..at least I hope they were 'bought' rather than just 'brought'). I'm sure this is not the forum to discuss Autoruns fully, and therefore suffice to say that one advantage with Autoruns is that you can suppress listing of Microsoft-tagged entries and concentrate on the remainder. Examine all entries with blank publishers - this should be first on the list of "suspicious" or "possible threats". When you untick an entry it is no longer loaded on reboot, but rather the entry is copied to another safe area within the registry. It can be brought back by ticking empty boxes. Only when you are 100% positive that the entry is never required again can you right mouse click an entry and delete it. If something is loading at boot up, it will be shown here.
In your case I would delete those two entries that are running an obvious (to me) fraudulent DLL, and in the temp directory too. As it happens, Norton 360 clean-up would have deleted the temp directory in any event. What Autoruns also shows is pointers to files that no longer exist.
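As an added example that is not code from any poster in this thread, and that serves both Andy's account of DLLs being loaded from the registry and Tony's Autoruns advice above: a PowerShell check of the Run/RunOnce keys and the Browser Helper Objects list that flags entries whose target file is missing, has no valid Authenticode signature, was created very recently, or carries a random-looking DLL name. It assumes a Windows host with PowerShell 5 or later; the 7-day window and the file-name heuristic are my assumptions, not something the thread states.

```powershell
# Added example: triage autostart entries the way the posts above describe (missing
# targets, blank/unsigned publishers, freshly dropped DLLs with random names).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-ImagePath([string]$launch) {
    # Pull the file out of a launch string, e.g.  rundll32.exe C:\X\a.dll,Start
    # or  "C:\Program Files\App\app.exe" /silent  (rundll32 form checked first)
    if ($launch -match 'rundll32(?:\.exe)?"?\s+"?([^",]+)') { return $matches[1] }
    if ($launch -match '^"([^"]+)"') { return $matches[1] }
    return ($launch -split '\s+')[0]
}

function Test-AutostartEntry([string]$location, [string]$entry, [string]$launch) {
    $path  = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $launch))
    $flags = @()
    if (-not (Test-Path -LiteralPath $path)) {
        $flags += 'target file missing'   # dangling pointer, as Autoruns would show
    } else {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -ne 'Valid') { $flags += "no valid signature ($($sig.Status))" }
        $ageDays = ((Get-Date) - (Get-Item -LiteralPath $path).CreationTime).TotalDays
        if ($ageDays -lt 7) { $flags += 'created within the last 7 days' }   # assumption
        # Heuristic (assumption): 7-8 letter mixed-case DLL names like those in the thread
        if ((Split-Path -Leaf $path) -match '^[A-Za-z]{7,8}\.dll$') { $flags += 'random-looking name' }
    }
    [pscustomobject]@{ Location = $location; Entry = $entry; Path = $path; Flags = ($flags -join '; ') }
}

$results = @()
foreach ($key in $runKeys | Where-Object { Test-Path $_ }) {
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $results += Test-AutostartEntry $key $p.Name ([string]$p.Value)
    }
}
# Each BHO subkey is a CLSID; its DLL is the default value of HKCR\CLSID\{...}\InprocServer32
foreach ($clsid in Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue) {
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$($clsid.PSChildName)\InprocServer32"
    $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
    if ($dll) { $results += Test-AutostartEntry $bhoKey $clsid.PSChildName $dll }
}
# Report only entries that tripped a flag; deciding to untick or delete is left to the operator
$results | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM and system32 files are readable; a flagged entry is a lead for submission or closer inspection, not proof of infection on its own.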