09-19-2009 07:11 PM
21 days ago, while I was browsing the local paper, there was a flash and something appeared on my Desktop. Norton ignored it. I scanned it manually; nothing was found. I deleted it and emptied the trash. Ran a full scan. No problems found.
Over the next weeks, I got a couple of those annoying popups "your computer is infected" but no other issues. I did see more spam email.
Today, Norton stopped. Live Update failed. I contacted Tech Support and ended up having Norton reinstalled (free) and a rootkit removed by remote assistance ($$$). He found no other issues but that. No other spyware/malware.
1 - How do I know the rootkit and all components are gone? It seems more complicated than what I watched him do. A couple of reg edits. Delete a file. He worked fast.
2 - What do I have to do now? What should I watch for? I have 7 days to contact them if problem persists.
It's not that I don't trust the technician but this computer is my bread and butter. Anyone have suggestions?
09-20-2009 02:51 AM - edited 09-20-2009 02:53 AM
Here is my root scan. Thank you!
From your original post it would seem very unlikely that you originally had a rootkit infection.
There is nothing untoward in your sysprot log. Are your Norton scans running clean? No other issues on your system?
We look forward to the time when the Power of Love will replace the Love of Power. Then will our world know the blessings of peace. ~William Ewart Gladstone
09-20-2009 03:15 AM
09-20-2009 12:46 PM
This is what the Malwarebytes scan found today:
Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Should I allow the program to remove those last two?
Thanks in advance for your advice.
09-20-2009 01:53 PM
Those are just the registry entries made when Norton turns off the Windows firewall and notification. There is no problem with those entries.
If you tell MBAM to fix, you will just have to go back and turn off the same items to prevent conflict.
For info, what rootkit did tech support say that you had?
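As an added example (not from this thread, Malwarebytes or Norton), here is a small Python parser for the MBAM log format posted above, with a triage step that separates the two PopCap registry keys from the two Security Center DisableNotify values that the reply above attributes to Norton. The sample input is constructed from the posted log lines; the "review" rule for Security Center entries is this example's own policy, based on the reply, not something MBAM does.

```python
"""Parse a Malwarebytes (MBAM) scan log of the kind posted in this thread
and triage the findings.

Added example, not code from the thread or from Malwarebytes. SAMPLE_LOG is
constructed from the log lines quoted in the post above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
"""


@dataclass
class Finding:
    section: str                 # e.g. "Registry Keys Infected"
    path: str                    # registry path as printed by MBAM
    classification: str          # text in parentheses, e.g. "Adware.PopCap"
    action: str                  # e.g. "No action taken"
    bad: Optional[str] = None    # current (flagged) data value, if reported
    good: Optional[str] = None   # value MBAM would write on "fix"


SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<cls>[^)]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+?)\.?$"
)


def parse_mbam_log(text: str) -> List[Finding]:
    """Return one Finding per flagged item; empty-section markers are skipped."""
    findings: List[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        item = ITEM_RE.match(line)
        if item and section:
            findings.append(Finding(section, item.group("path"), item.group("cls"),
                                    item.group("action"), item.group("bad"),
                                    item.group("good")))
    return findings


# HKLM\...\Security Center\*DisableNotify = 1 suppresses the Windows Security
# Center balloon warnings for AV/firewall status. The reply in the thread
# attributes these two entries to Norton, so this example's policy (an
# assumption, not an MBAM feature) routes them to "review" instead of
# "remove": fixing them may re-enable notifications the installed suite
# will simply disable again.
SECURITY_CENTER_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\"


def triage(findings: List[Finding]) -> Dict[str, str]:
    """Map each flagged path to 'remove' or 'review'."""
    decisions: Dict[str, str] = {}
    for f in findings:
        if (f.classification == "Disabled.SecurityCenter"
                and f.path.startswith(SECURITY_CENTER_PREFIX)
                and f.path.endswith("DisableNotify")):
            decisions[f.path] = "review"
        else:
            decisions[f.path] = "remove"
    return decisions


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    decisions = triage(found)
    for f in found:
        print(f"{decisions[f.path]:7} {f.classification:25} {f.path}")
```

Run as-is to see the four findings from the posted log, two marked remove and two marked review; pasting a different MBAM log into SAMPLE_LOG (or reading it from a file) works the same way as long as it uses the same section and item layout.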
09-20-2009 02:19 PM
He only used the word rootkit to describe it. He used a cmd prompt to copy a hidden? file to another file, then copied the name of that file into our chat session.
I should have written it down but I thought it would be in the transcript... frankly, it looked like he was typing gibberish. When I looked at my saved transcript, nothing was there.
I have emailed Norton to ask for more specific information, maybe they keep records. I need to pursue the events of 9-19 a little further.
I really appreciate everyone's help on here. I'm glad to know that my machine is somewhat healthy right now. That was my main concern.
09-20-2009 02:57 PM
Go ahead and get MBAM to take out the two popcaploader files if you haven't already. I had the log rolled up too far.