08-13-2009 07:00 PM
I have a nasty infection that actually seems to be using Norton AV 2009 as part of its infection scheme. I am looking for some help in removing it. Norton AV does not prevent the infection and cannot identify it or remove it.
I have a Compaq Presario with XP Home, SP3. It has Norton AV 2009, version 184.108.40.206 installed an running before the computer was ever put online. Updates have been automatic and current. Norton AV is the only real-time anti-virus software installed.
The PC became erratic and started generated fake virus warnings. The task manager, and many other programs were disabled. It will not reboot in Safe mode as it crashes and then starts the boot process over again.
I ran Norton AV full scan which did not find any problems. However, a while later Norton reported blocking a virus that appeared (I lost the name of the virus in the logs when I reinstalled Norton AV later).
I ran Malwarebyte’s Anti-Malware program (log attached – mbam-log-2009-08-12 (23-55-56).txt). It removed several items and stopped the fake virus warnings, but the computer would still crash often (quietly, no blue screen and no re-boot), after a period of idle time. Safe mode still does not work.
I ran GMER (log attached = gmer.log) and found unknown code hooking Norton SYMEVENTS.sys and SYMEFA.sys in the SSTD. The SYMEFA.sys call was now redirected to a non-existent file. Evidently the computer crashed when the idle scan was about to start. I turned off Norton Idle scan (Norton AV is stil enabled) and the computer stabilized. It hasn’t crashed during a system idle in many hours now.
I uninstalled Norton AV 2009 and reinstalled. Ran GMER again (log attached – gmer2-3.log <first part of the file>). The SSTD hooks appeared to have been removed. But still could not re-boot in safe mode.
Rebooted and ran GMER (log attached – gmer2-3.log <second part of the file>) again. The SSDT hooks returned. The computer is stable (as long as Idle-time scan is disabled). Likely there is a device driver that is re-hooking the SSTD on Boot-up. I ran RootRepeal (log attached – RootRepeal report 08-13-09 (13-53-11).txt).
Any suggestions as to how to proceed to identify and nullify the software that is infecting this computer?
08-13-2009 07:08 PM
You have a Rogue security Program with fake allerts with UAC or part of
Could you please Download and run Hijackthis creating a log. 3rd executable version http://www.trendsecure.com/portal/en-US/tools/secu
08-14-2009 07:57 AM
Go back into HiJackThis and check the following enteries please:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
Then click on Fix Checked in HIjackThis.
After that I would recommend you upgrade NAV2009 to the latest version. Directions for this are below.
1) Copy your Norton key for safe keeping just in case you need it. You should not need this but it is better to have the key on hand than to need it and not have ready access to the key. You can find a copy of your currently installed key in My Documents\Symantec\Norton AntiVirus_Key.txt.
2) Download the Norton Removal Tool from this link. Norton Removal Tool Choose the 2009 product link and the Norton Removal Tool (NRT) to your desktop. Directions are on the link page.
3) Download the latest version of NAV2009 from this link. Reinstall After Removal Choose the 'I have Norton Antivirus 2006 or later' link on this page. On the next page you can download the latest NAV2009 installation software.
4) Disconnect from the Internet until your system needs the connection later in the process.
5) Go to START > Norton IAntiVirus > Uninstall and let NAV2009 uninstall itself. It will want to reboot the machine. Let it.
6) During the booting of your system, go to Safe Mode by tapping the F8 key until the Advanced Options menu is shown. Choose the Safe Mode option (no network or command prompt).
7) In Safe Mode, run the NRT tool. When the tool is finished, click on the Reboot to restart your system.
8) Let Windows boot into normal mode now.
9) Install NAV2009 by double clicking the file you downloaded and saved to your desktop in step 3.
10) When the installation asks for your key or says activating your product, reconnect to the internet then (plug your cable in or turn on the wireless card). [Note: The installation may not ask for your key and activate by using the previous key on the system. Your system will still need to connect to the internet at this point so updated definitions can be downloaded.]
11) Run the Live Update process manually until Live Update reports that there are no more updates to download, NAV2009 is fully up to date.
12) Reboot your system now to insure that any components updated during step 11 are loaded properly.
13) See if your error is fixed now.
Report back here with how this works for you.
08-14-2009 12:07 PM
Thanks. This was partially successful. I was successful through step 5.
However at step 6, the computer still would not boot in safe mode. I rebooted in normal mode instead and ran the NRT tool. It seemed to run successfully. I ran HJT (log attached as hijackthis2.log) and the items checked for removal were indeed removed. I ran GMER again and the SSTD hooks to SYMEFA.sys and SYMEVENTS.sys are now gone, although there still is one SSTD entry (not a hook, I don’t think) listed. So it is still a mystery why the XP refuses to boot in safe mode.
As it is booting to safe mode and listing the drivers, the last thing on the screen is the loading of a driver called MUP.sys (supposedly a Microsoft driver). I suspect the driver following (whatever that is) is causing the problem. Is there any way to get a boot log from an unsuccessful safe mode boot attempt?
I did not re-install Norton AV yet.
08-14-2009 12:17 PM
Please run the following and post / attach the log here. Thanks.
Please download SysProt here http://homepages.slingshot.co.nz/~crutches/SysProt and run it.
Choose the Log tab and select all the items in the Write to log box. Then select Create Log to start scanning. When it is done, a message window will appear with the location of the log file.
Please attach the log file to a post here; the Add Attachments links is below the orange Post button. Thanks
08-18-2009 02:09 PM
The problem I am having is that XP will not boot in safe-mode. I was unable to complete step 6 of the instructions that dbrisendine sent me (see posts 4 and 5 above) and have not yet re-installed Norton AV. As the list of device drivers are displayed on the screen, the load information for MUP.sys is displayed just before the screen goes blank and XP starts another re-boot cycle. As this was one of the original symptoms of the infection (not able to boot to safe mode) I am concerned as to whether there is some residual device driver or device driver contamination still infecting the machine. At any rate, I need to restore the ability to boot in safe-mode to have a maintainable machine.
Thanks for any suggestions you can give me.