10-22-2009 05:55 AM - last edited on 10-22-2009 06:12 AM by JerryM
I got a sudden alert yesterday by my NIS09 Auto-Protect that I'm infected with Adware.BetterInternet. This happened out of the blue while I was working on my pc. I was not, at the time, even surfing in the Internet.
At the suggestion of Auto-Protect I chose fix all, and the result was that 8 registry entries, 1 file and 1 Browser Cache were quarantined. I did a subsequent FSScan, and the scanner again detected the Adware.BetterInternet threat, and again quarantined the specific items.
NIS09 informed me that the threat was fully removed. A couple os FSScans last night, and one more today shows no sign of the threat anymore. Fine.
The problem now is that when I go to view the risk details, because I want to know where did this threat all of sudden originated, I get only to see only 8 items, not 10, at the details section.
Further, only 4 of these items are detailed, and the rest 4 items are depicted as : [Restricted Item (permission required)].
So although, this threat is identified as a FILE Based Risk type, I cannot see the file in the quarantined items anywhere.
What happened all of a sudden and I got the alarm from auto-protect? Was not even on the net. Where is the file that caused the threat alarm? Why I cannot see the 4 [Restricted Item (permission required)]?
Further, in one of the registry keys quarantined, I can see that there is an http://www.microsoft.com/isapi entry.
Was the Alarm a false positive?
I would appreciate your help, since all these do not make any sense to me.
P.S. I have already submitted the threat to Symantec, BUT the well known issue of submitting through our NIS09, without tracking number (actually is a blind submission) cannot provide me with any guidance or feedback unfortunately, so as to restore the items.
<<edit: Image resized for better fit>>
10-22-2009 09:17 AM - edited 10-22-2009 09:21 AM
Hi TrDo :
I don't have much information about [Restricted Item(Permission Required). BUT on the image you provided ,
Click on the position I highlighted i.e. on "1 file " and you'll see the file where the threat was present.
2. As db mentioned , are you logged on as administrator ? ( If YES/NO then also I don't know why that [restricted (........)] is
present there!!! )
10-22-2009 09:53 AM
Are you logged in as the Administrator of the system?
I think this is the key question. Also, it might help to know if you are using XP, Vista, or Win 7; what service pack you have; and so on.
In Settings>Miscellaneous Settings>Product Security, there is an option as to whether or not a non-administrator can access various settings. You might want to check that setting; and if it is "on", turn it off. To do this, though, you need to log on as an administrator, which probably requires Safe Mode in Vista or Win 7. I don't know much about those products' users' options -- perhaps someone here can give greater detail?
10-22-2009 12:30 PM - edited 10-22-2009 01:28 PM
Thank you all for your help, and prompt replies.
Only one account in my pc. This account has admin rights. I'm on Vista-32 Home Premium.
Anyway, it looks as though the file in question (I followed Shridhar's suggestion and clicked on the file-look at the image), is the VirusTotal plug-in. This plug-in enables right-click action (on the context menu), to send a file directly to VirusTotal.com, for examination.
I take it then, that it's a False Positive. Further, I have installed this file since the 7th of October 2009. How come it was detected yesterday? Well, obviously a DB update overdid it.
I would appreciate if Symantec could re-examine this file and set it right.
Thank you all guys.
I appreciate it.
P.S. Funny thing is that before I installed it, I run the file through VirusTotal iteself and NIS09, on my pc, and it came all clean. Check the attachment; the txt file.
10-23-2009 03:01 AM
I would appreciate a feedback on the legitimacy of the file in question. The VirusTotal Uploader is a Legitimate file, and as such it should not create such FALSE Alerts, and being depicted as a Major Threat.
Please provide some feedback.
Thank you very much.