Contributor
UncleWillie
Posts: 31
Registered: ‎12-08-2009

Browser Hijacking - Why Can't Norton fix these?

I am having problems with IE and Firefox being hijacked.  The threads I have read here on this refer users to run Malwarebytes, SUPERAntiSpyware, and other freeware (which I have done in safe mode and they haven't fixed the problem).  Why am I paying for Norton if they can't find and fix these browser hijacking issues any better than freeware?  I seem to have been able to keep Firefox from misbehaving by disabling all of the plugins.  But, shouldn't Norton be able to scan for rogue plugins???  Is anybody at Symantec working on this?  Thanks.

Willie
delphinium
Posts: 9,862
Kudos: 2,964
Solutions: 293
Registered: ‎11-21-2008

Re: Browser Hijacking - Why Can't Norton fix these?

Hi UncleWillie:

 

Different programs do different things, which makes them helpful.  The programs that we ask for provide logs, which is one of the most useful things they do.

 

Your antivirus, whether Norton or someone else's software, acts as a blocker more than a remover, but it can't protect you from everything.  Nothing is 100% and it will never be.  Malware writers are constantly busy looking for ways in, and they also buy all the known software so that they can beat it.

 

Other programs, like Adobe and the browsers, have vulnerabilities that let malware in.  P2P and torrents are very popular sites for malware insertions.  Things that are allowed into your computer are difficult for the antivirus to stop.

 

Redirects can frequently be seen and therefore dealt with by using HijackThis, and some serious infections that require manual removal can be identified in Malwarebytes.  HJT will not act as a blocker, and Malwarebytes does not take the place of an antivirus program.

 

Also, running more than one antivirus engine allows conflicts which give malware an opening.

 

We request these programs as much to find out what is happening as to fix things.

 

Security is a complicated procedure.

Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain
Contributor
UncleWillie
Posts: 31
Registered: ‎12-08-2009

Re: Browser Hijacking - Why Can't Norton fix these?

Still disappointing.  Anyway, here is a log from HijackThis.  Any help would be appreciated.  Thanks.

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:46 PM, on 12/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton Utilities 14\nu.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ENGINE\17.1.0.19\cltLMH.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\coIEPlg.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NortonUtilities] C:\Program Files\Norton Utilities 14\nu.exe /H
O4 - HKUS\S-1-5-21-1516350078-377577214-2716412152-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1516350078-377577214-2716412152-1009\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User '?')
O4 - HKUS\S-1-5-21-1516350078-377577214-2716412152-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1516350078-377577214-2716412152-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162772332838
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
O23 - Service: Common Client Job Manager Service (PCCUJobMgr) - Symantec Corporation - C:\Program Files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe

--
End of file - 6532 bytes

Virus Trouncer
mijcar
Posts: 3,098
Registered: ‎08-01-2008

Re: Browser Hijacking - Why Can't Norton fix these?

The latest generation of spyware are very aggressive, nasty, and have great ability to hide themselves.  Because they are being spawned so rapidly, they can't be detected until they've been discovered and "fingerprinted".  That window of time may be fairly negligible in some cases, but it's large enough for a lot of computers to get infected.

 

Even worse is removal.  How they embed themselves and where and what is necessary to unattach them is not a simple thing; and the lag time here can be serious.

 

One suggestion: Find a clean computer and download the Norton Recovery Tool from NRT.  This is an ISO image to be translated and burned to a CD - read the instructions on the site carefully.  If you own the NIS 2010 or NAV 2010 CD, it is already included on your CD and you can boot from it.  You will need the Activation Key.  The program will update the signature automatically and hopefully it will by this time be able to find and clean out the active part of the malware.

 

Good luck.

mij
N360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware
delphinium
Posts: 9,862
Kudos: 2,964
Solutions: 293
Registered: ‎11-21-2008

Re: Browser Hijacking - Why Can't Norton fix these?

Hi UncleWillie:

 

We are just waiting for an analyst to have a look at your log.  This is a user to user help forum, scattered throughout several time zones.  Have you already dumped your browser caches, temp files, and prefetch folder?

Contributor
UncleWillie
Posts: 31
Registered: ‎12-08-2009

Re: Browser Hijacking - Why Can't Norton fix these?

mijcar, I have NIS 2010 and I tried booting from the CD over the weekend.  It didn't find anything. 

 

Bill

Contributor
UncleWillie
Posts: 31
Registered: ‎12-08-2009

Re: Browser Hijacking - Why Can't Norton fix these?

Oracle of delphinium, I have not "dumped" the browser cache, temp files and prefetch folder.  When you say dump, do you mean clear them out?  Thanks.

 

Bill

floplot
Posts: 10,576
Topics: 215
Kudos: 2,051
Solutions: 365
Registered: ‎04-11-2009

Re: Browser Hijacking - Why Can't Norton fix these?

Hi UncleWillie

 

One thing I can tell you is that you are running a very old version of Java. Java is updated all the time for security reasons. Keeping Java and Adobe products up to date helps to keep your computer clean also.

Success always occurs in private and failure in full view.
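
An added example, not part of the original thread or any poster's code: a small parser for the HijackThis log format posted above that groups entries by section code, pulls the Java runtime version out of file paths (the observation made in the post above), and lists entries HijackThis reported as "(no file)". The sample input is a constructed excerpt of lines copied from the posted log; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)
C:\WINDOWS\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O2 - BHO: ..."
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
JRE = re.compile(r"\\Java\\jre([\d._]+)\\", re.IGNORECASE)

def parse_log(text):
    """Return {section code: [entry, ...]}; header and process-list lines are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        clsid = CLSID.search(body)
        sections[code].append({
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "no_file": body.endswith("(no file)"),
        })
    return dict(sections)

def jre_versions(text):
    """Distinct Java runtime versions referenced by file paths in the log."""
    return sorted(set(JRE.findall(text)))

def no_file_entries(sections):
    """(section code, CLSID) for every entry HijackThis reported as '(no file)'."""
    return [(code, e["clsid"]) for code, entries in sections.items()
            for e in entries if e["no_file"]]

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print({code: len(entries) for code, entries in parsed.items()})
    print("JRE versions:", jre_versions(SAMPLE_LOG))
    print("No-file entries:", no_file_entries(parsed))
```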




Contributor
UncleWillie
Posts: 31
Registered: ‎12-08-2009

Re: Browser Hijacking - Why Can't Norton fix these?

Good point about old Java.  I usually disable Java in Firefox, but it was enabled on my wife's laptop that I am trying to debug.

 

Willie

floplot
Posts: 10,576
Topics: 215
Kudos: 2,051
Solutions: 365
Registered: ‎04-11-2009

Re: Browser Hijacking - Why Can't Norton fix these?

Hi Uncle Willie

 

I think even if the program is disabled, it should still be kept up to date.
