134 Threats Detected!
02-08-2010 09:55 PM
Hi all. New to the forum and need some help/suggestions. I am running a Dell 6500Latitude/WinXPsp3 with a relatively clean install (system built 01/15/2010) and NIS2010. I connect to a small business server every day with file synchronization and a roaming profile.
Background scan 2/7 5:38PM showed no major problems, "SafeStrip" is removed (I see this one every few days and have never tracked down the cause). However, on 2/8 at 3:34AM there are suddenly 134 (that's right--one hundred thirty four) different pieces of MalWare and SpyWare on the machine. Something had definitely changed because my homepage was now MSN.com vs. Google.com. Here is the NIS2010 log:
---
2/8/2010 10:03 AM,Low,Movieland detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 10:03 AM,Low,Adware.AntiSpamBoy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 10:02 AM,Low,SpyOnThis detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 10:02 AM,High,Spyware.SpyMyPC detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 10:02 AM,Low,Trackware.WebGuardian detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 10:02 AM,Low,Adware.Eurobarre detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 10:02 AM,Medium,Adware.Henbang detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:47 AM,Medium,VirusBlast detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:47 AM,High,Spyware.RealSpy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:47 AM,Medium,RegistryCleanFix detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:47 AM,Medium,UnSpyPC detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:47 AM,Medium,SafeStrip detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,OSBodyGuard detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,High,Spyware.SpyArsenalLog detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,High,Spyware.LocalKeylog detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:46 AM,Medium,CrisysTecSentry detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,SpyGuarder detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,Spyware.Borzoi detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,AdvancedCleaner detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,Spyware.SpyKy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,TitanShield detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,Awola detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,KvmSecure detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:46 AM,Medium,Spyware.SpyMan detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:46 AM,Medium,AntiVirGear detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,High,Spyware.KeyCollect detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,Spyware.Track4Win detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,Medium,ErrorProtector detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,Medium,IEAntivirus detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,High,Spyware.PCTattletale detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,Medium,Spyware.SpyMail detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,Medium,WinZix detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,Medium,MalwareWipe detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,Medium,SpyShredder detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:45 AM,High,MagicAntiSpy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,Medium,SpyBlocs detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,Medium,Torrent101 detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,High,Spyware.ActualSpy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,Medium,WinXDefender detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,High,Spyware.QuickKeylogger detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,High,Spyware.ActiveKeylog detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,Medium,AntiSpywareExpert detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,High,Spyware.AceScreenSpy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,Medium,SecurityToolFraud detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,High,Adware.AdRoar detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,Medium,Spyware.MSNSpyMonitor detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,Medium,Spyware.FreeKeylogger detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,Medium,SpywarePro detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,Medium,RealAV detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:43 AM,High,Spyware.ChilyEMon detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,Medium,007AntiSpyware detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,High,Spyware.NSKeyLogger detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,High,Spyware.SuperKeylogger detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,Medium,SpyKillerPro detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,Medium,Spyware.TinyKeylogger detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:43 AM,High,SpyDeface detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,Medium,LiveKill detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:42 AM,High,Spyware.Sa_PCSpy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,High,Spyware.PCSpy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,High,Spyware.SolidKeyLogger detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,Medium,PrivacyProtector detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,Medium,3wPlayer detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,Medium,SpyShield detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,Medium,SpyReaper detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,Medium,Spyware.ISnake detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,Medium,VirusProtectPro detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,Medium,SpywareIsolator detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,Medium,VirusLocker detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,Medium,Spyware.AllInOne detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,Medium,Softstop detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,High,Spyware.RedPill detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:41 AM,High,Spyware.NeoSpy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,Medium,AgentSpyware detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,Medium,AntiSpyZone detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,Medium,MalwarePro detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,Medium,AntiVermins detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,Medium,WinXProtector detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,Medium,SpyCrush detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,Medium,PCClean detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,Medium,Punisher detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:40 AM,Medium,SpyDawn detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:40 AM,High,Spyware.KeyProwler detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:40 AM,Medium,SpyDestroy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:40 AM,Medium,SpyLocked detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:40 AM,Medium,ErrorSafe detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:40 AM,Medium,PcTurboPro detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:40 AM,Medium,1stAntiVirus detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:40 AM,Medium,WinAntiSpyware detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:39 AM,Medium,RegSort detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:39 AM,Medium,AntiSpywareGuard detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:39 AM,Medium,SuperSpywareKiller detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:39 AM,Medium,Spyware.CyberSpy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:37 AM,Medium,Fixiter detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:37 AM,Medium,Spyware.Redhanded detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:37 AM,Medium,Spyware.IMMonitor detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:37 AM,Medium,SpyKill detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:37 AM,Medium,Spyware.SmartKeylogger detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:37 AM,Medium,RazeSpyware detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:37 AM,High,Spyware.Systemsurv detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:37 AM,Medium,VirusResponseLab detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,Cleaner2009 detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,SpyDevastator detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,EasySpywareKiller detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,TheRegistrySentinel detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,SpywareQuake detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,SpyHeal detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,AntiVirusGold detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,TraceSweeper detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,PCPrivacyCleaner detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,SpyLax detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,High,Spyware.EasyKeyLogger detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,IEDefender detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,PyroAntiSpy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,High,Spyware.MSNChatSniffer detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,RegistryDoctor2008 detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:35 AM,Medium,MySpyProtector detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:35 AM,Medium,VirusRemover2008 detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:35 AM,Medium,VirusBurst detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:34 AM,Medium,WinDefender detected by Virus scanner,Quarantined,Resolved - No Action
2/7/2010 5:18 PM,Medium,SafeStrip detected by Virus scanner,Removed,Resolved - No Action
2/5/2010 11:15 PM,Medium,SafeStrip detected by Virus scanner,Removed,Resolved - No Action
---
NIS2010 removed all threats with a few quarantines and then asks to restart. During the reboot process after the WinXP splash screen the monitor goes dark and there is HDD access for about 1.5 minutes until the blue windows logon screen loads (as if new files are being written to the registry) and I am prompted to log in. Upon login and rescanning with NIS2010, the same 134 threats are detected again. After NIS cleans up the system, I am able to reboot into SafeMode and perform a NIS Fullscan (with limited feature in safemode) and see zero (0) threats. Subsequently loading Windows normally results in the boot delay and re-installation of the Malware/SpyWare; again with 134 instances. So there is some service or startup item corrupted and set to install registry/files during boot.
When I got to work this morning, a colleague with a similar Dell Latitude 6500 also reported having some problems. We looked at his NIS2010 and it also had 134 instances of Malware/Spyware with the same names and difficulties for removal. Interestingly, his first fullscan report of the problem was on 02/04 from last week (3 days before mine). A few other people on our small business network run NIS2010 but report no problems.
Suggestions? I am thinking clean-wipe and re-install... but I do not know what the initial problem was or the vector? Also I do not know what was taken/compromised? Passwords, files, etc. Given that there are 2 people on the same small business server with the problem, will it come back?
Help is appreciated!
Brian
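A triage sketch for a security-history export like the one pasted above, added here as an example; it is not part of the original post or of Norton's tooling. It separates threat names that recur on different days from names that only appear inside one dense run of detections. The five-column layout is assumed from the pasted log, `LOG_EXCERPT` holds eight rows copied from it, and the function names and five-minute gap are choices made for this example.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Eight rows copied from the log posted above (not the full 134-entry export).
LOG_EXCERPT = """\
2/8/2010 10:02 AM,High,Spyware.SpyMyPC detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:47 AM,Medium,SafeStrip detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,High,Spyware.LocalKeylog detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:45 AM,Medium,SpyShredder detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:44 AM,Medium,WinXDefender detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,Medium,RealAV detected by Virus scanner,Quarantined,Resolved - No Action
2/7/2010 5:18 PM,Medium,SafeStrip detected by Virus scanner,Removed,Resolved - No Action
2/5/2010 11:15 PM,Medium,SafeStrip detected by Virus scanner,Removed,Resolved - No Action
"""


def parse_history(text):
    """Parse 'date,severity,activity,action,status' rows, oldest first."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) != 5:
            continue  # skip '---' separators and truncated rows
        when, severity, activity, action, status = (f.strip() for f in row)
        events.append({
            "when": datetime.strptime(when, "%m/%d/%Y %I:%M %p"),
            "severity": severity,
            # "SafeStrip detected by Virus scanner" -> "SafeStrip"
            "threat": activity.split(" detected by ")[0],
            "action": action,
            "status": status,
        })
    return sorted(events, key=lambda e: e["when"])


def recurring_threats(events):
    """Threat names detected on more than one calendar day, with the days."""
    days = defaultdict(set)
    for e in events:
        days[e["threat"]].add(e["when"].date())
    return {name: sorted(d) for name, d in days.items() if len(d) > 1}


def bursts(events, max_gap=timedelta(minutes=5), min_size=3):
    """Group time-sorted events into runs with no gap larger than max_gap."""
    runs, current = [], []
    for e in events:
        if current and e["when"] - current[-1]["when"] > max_gap:
            runs.append(current)
            current = []
        current.append(e)
    if current:
        runs.append(current)
    return [
        {"start": r[0]["when"], "end": r[-1]["when"], "count": len(r),
         "distinct": len({e["threat"] for e in r})}
        for r in runs if len(r) >= min_size
    ]


if __name__ == "__main__":
    history = parse_history(LOG_EXCERPT)
    for name, seen in recurring_threats(history).items():
        print("recurring:", name, [d.isoformat() for d in seen])
    for b in bursts(history):
        print("burst:", b["start"], "->", b["end"],
              b["count"], "events,", b["distinct"], "distinct names")
```

On the excerpt, SafeStrip is the only name seen on several days, and the 3:43 to 3:47 AM rows form one run in which every name is different.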
Re: 134 Threats Detected!
02-08-2010 11:01 PM
I think you have to start disconnected from the server and treat each machine separately including the server. It sounds like the server is infected and then infects the clients. Download Malwarebytes scanner and scan each machine. You may need something different for the server. You should also be able to click on one of your 134 infects and trace what was infected that may give a clue.
Re: 134 Threats Detected!
02-08-2010 11:30 PM
Hi Brian,
As cgoldman said, try a scan disconnected from the server. If the problem is with the server a reinstall of your system will not help.
It would be good to know exactly what files Norton detects. In the security history you should have the option to view the details of each threat. Mark the threat, click More Details and you should be able to see filenames and such. Check a few and see if there are any similarities, like in the file locations.
Regards
jAW
Re: 134 Threats Detected!
02-09-2010 04:18 AM
I re-ran several scans while disconnected from the server (using my local roaming profile). After rebooting in each case, NIS would detect the 134 bits of bad code and I would start the process over. If I booted into Safe Mode, I believe that NIS would NOT detect any problems.
Here is the interesting part...I followed both your suggestions to look at exactly what files were cleaned and where they were located... and the funny thing is that nothing was there. Meaning according to the actions taken by NIS2010, it should have removed some links from the desktop, some program files and a bunch of keys in the registry. However, there was nothing on the desktop, nor in Program Files or even in the registry for 4 Malware files that I selected at random from the list (there was no correlation between the files either). After rebooting, I searched for these files/keys and was 0 for 4 in finding any evidence for the suspected files. However, if I started a full scan NIS would say that it found them and resolve the issue.
When a Full Scan is started, it looks at common and startup files and then starts investigating each Virus, Malware and Spyware item that I showed in the first forum posting. It actually takes a good amount of time to go through this listing, as if the NIS is thoroughly scanning the Registry and System Volume for each type of threat. You watch the progress in the scan window. Once it passes through the threat listing and starts to scan actual files in the directory tree...the 134 identified threats populate the table as NIS resolves each threat individually.
I am now suspicious (or hopeful!!) that there was never any major infestation in the first place, rather an error with NIS "thinking" that there were 134 different pieces of Malware and the program going through the motions to fix it. Or there WAS an infestation and it was cleaned, but there is something embedded with my roaming (local) profile that is re-instated each time I log in.
I have not synchronized with the server for fear of putting something onto it... and try to contain any problem locally. Maybe that would help?
Brian
Re: 134 Threats Detected!
02-09-2010 06:46 AM
Hi Brian,
If possible, try to create a Norton Bootable Recovery CD, boot the computer using it and run a scan from it. Refer to the instructions from the following Symantec Article:
http://www.symantec.com/norton/support/kb/web_view
Yogesh
Re: 134 Threats Detected!
02-09-2010 07:06 AM - last edited on 02-09-2010 07:07 AM
Hello Brian03
I believe that you have some rogue anti-virus programs on your computer. You may have more than one of them which is why so many different malware is showing up. 007AntiSpyware is one of them. There may be others also. There may also be a rootkit involved if there are so many infections listed. You may have several of these rogue antivirus programs as I didn't Google the other threats listed. You may need some expert help on this one especially since it seems to have infected some one else's computer who uses that server. Are you using a corporate Symantec program since you have mentioned a server?
Re: 134 Threats Detected!
02-09-2010 08:38 AM
Did you actually run Malwarebytes on your system as recommended by others? Safestrip is a rogue AV and it could be that parts of it that display a long list of malware on your machine are falsely triggering Norton. Please run a full scan with MBAM, save the log in Notepad and attach via the add attachments link.
Mark Twain
Re: 134 Threats Detected!
02-09-2010 03:25 PM
Hello Brian
It looks like there are a few rogue antivirus programs showing up in that Norton log.
Re: 134 Threats Detected!
02-10-2010 12:34 AM - last edited on 02-10-2010 12:36 AM
Brian03 wrote:
Here is the interesting part...I followed both your suggestions to look at exactly what files were cleaned and where they were located... and the funny thing is that nothing was there. Meaning according to the actions taken by NIS2010, it should have removed some links from the desktop, some program files and a bunch of keys in the registry. However, there was nothing on the desktop, nor in Program Files or even in the registry for 4 Malware files that I selected at random from the list (there was no correlation between the files either). After rebooting, I searched for these files/keys and was 0 for 4 in finding any evidence for the suspected files. However, if I started a full scan NIS would say that it found them and resolve the issue.
When a Full Scan is started, it looks at common and startup files and then starts investigating each Virus, Malware and Spyware item that I showed in the first forum posting. It actually takes a good amount of time to go through this listing, as if the NIS is thoroughly scanning the Registry and System Volume for each type of threat. You watch the progress in the scan window. Once it passes through the threat listing and starts to scan actual files in the directory tree...the 134 identified threats populate the table as NIS resolves each threat individually.
If Norton finds a file or similar thing that it has a full definition for, Norton will check the system for these files and registry values as they are stated in the definition and try to remove them. All these will later show up in the history as removed regardless of if they were in the system to start with. I have seen this several times.
Brian03 wrote:
I am now suspicious (or hopeful!!) that there was never any major infestation in the first place, rather an error with NIS "thinking" that there were 134 different pieces of Malware and the program going through the motions to fix it. Or there WAS an infestation and it was cleaned, but there is something embedded with my roaming (local) profile that is re-instated each time I log in.
I am leaning towards that too, the question is what triggers Norton. But the original detection of SafeStrip should probably be checked first since that was there before the 134 detection.
Since you have one more computer that gets the exact same detection it should be something that is similar between the two systems, like a program. Any recent changes or updates? It could also be something from the server that is now on your local profile, being recreated as you say. You could try and create a new local account while disconnected from the server and log into that to see if Norton detects anything on that also.
As for Norton not detecting anything in safemode. Since it probably is Auto-Protect or Sonar making this detection (134) and not the scans it would not give a detection in safemode since those functions do not load there. Also, if it is a false positive that triggers Auto-Protect or Sonar it is likely that a full scan would not detect anything even in normal mode.
Regards
jAW
Re: 134 Threats Detected!
02-10-2010 12:19 PM
You could also try and go back to a Previous Re-Store Point if this is possible.
Am also thinking that perhaps Norton is Detecting the Threats that a Threat is producing so, even although Norton keeps Detecting the same 134 Threats, perhaps Norton has not got the Signature for the Threat which is producing these other Threats? Have a look around your computer - if you wish - and see if you spot any Suspicious Files which Norton is Failing to Detect and Send them to Symantec Security Response, should you Find any: https://submit.symantec.com/websubmit/retail.cgi.
