Hi everyone,
I got a sudden alert yesterday by my NIS09 Auto-Protect that I'm infected with Adware.BetterInternet. This happened out of the blue while I was working on my pc. I was not, at the time, even surfing in the Internet.
At the suggestion of Auto-Protect I chose fix all, and the result was that 8 registry entries, 1 file and 1 Browser Cache were quarantined. I did a subsequent FSScan, and the scanner again detected the Adware.BetterInternet threat, and again quarantined the specific items.
NIS09 informed me that the threat was fully removed. A couple os FSScans last night, and one more today shows no sign of the threat anymore. Fine.
The problem now is that when I go to view the risk details, because I want to know where did this threat all of sudden originated, I get only to see only 8 items, not 10, at the details section.
Further, only 4 of these items are detailed, and the rest 4 items are depicted as : [Restricted Item (permission required)].
So although, this threat is identified as a FILE Based Risk type, I cannot see the file in the quarantined items anywhere.
What happened all of a sudden and I got the alarm from auto-protect? Was not even on the net. Where is the file that caused the threat alarm? Why I cannot see the 4 [Restricted Item (permission required)]?
Further, in one of the registry keys quarantined, I can see that there is an http://www.microsoft.com/isapi entry.
Was the Alarm a false positive?
I would appreciate your help, since all these do not make any sense to me.
Thanks alot.
TrDo.
P.S. I have already submitted the threat to Symantec, BUT the well known issue of submitting through our NIS09, without tracking number (actually is a blind submission) cannot provide me with any guidance or feedback unfortunately, so as to restore the items.
<<edit: Image resized for better fit>>
Hi TrDo :
I don't have much information about [Restricted Item(Permission Required). BUT on the image you provided ,
Click on the position I highlighted i.e. on "1 file " and you'll see the file where the threat was present.
2. As db mentioned , are you logged on as administrator ? ( If YES/NO then also I don't know why that [restricted (........)] is
present there!!! 
)
Thank you all for your help, and prompt replies.
Only one account in my pc. This account has admin rights. I'm on Vista-32 Home Premium.
Anyway, it looks as though the file in question (I followed Shridhar's suggestion and clicked on the file-look at the image), is the VirusTotal plug-in. This plug-in enables right-click action (on the context menu), to send a file directly to VirusTotal.com, for examination.
I take it then, that it's a False Positive. Further, I have installed this file since the 7th of October 2009. How come it was detected yesterday? Well, obviously a DB update overdid it.
I would appreciate if Symantec could re-examine this file and set it right.
Thank you all guys.
I appreciate it.
TrDo.
P.S. Funny thing is that before I installed it, I run the file through VirusTotal iteself and NIS09, on my pc, and it came all clean. Check the attachment; the txt file.
- �1995 - 2013 Symantec Corporation Legal Notice License Agreement Privacy Policy Cookies Site Map RSS
