04-11-2010 01:10 PM - edited 04-11-2010 01:13 PM
Hi guys, I'm having some trouble with my computer. I always keep track of what processes are running on my computer all the time, so I can always tell when I have viruses or unwanted processes in the background. Well, I visited this one website when I didn't have Norton installed and it installed a rogue antivirus called XP Pro Antivirus, I think. Anyway, I used Malwarebytes' Anti-Malware to remove it, but then something went wrong afterwards, so I just did a system restore, but after that my computer was still infected. I notice that it's running 2 iexplore.exe's in the background, which means it's using my internet without me knowing, so the only way I can start up Internet Explorer is if I end the process first. I know iexplore.exe always opens as 2 .exes anyway, but Firefox only opens as 1 exe; when I open Firefox I see 2 firefox.exes and I know one isn't mine. I think I had WIPTIS.exe or something (I've had that trojan before), but after I installed Norton it was gone. I had a few more but I don't know what happened to them; Norton didn't say anything about removing the viruses, but they didn't show up afterwards.
My current concerns now are that Norton SONAR Advanced Protection randomly turns off sometimes, and I always run LiveUpdate and I've done 2 comprehensive scans and all they find are tracking cookies. Also there's a process called "msnmsgr .exe" (without quotes) in my Task Manager; I believe it is fake because of the space between messenger and .exe, so I haven't logged into MSN for that reason. And this site named "zl091kha644.com" (no quotes) as a "HTTP Tidserv Request" keeps attacking me every time I search or go to a new web page. Also I have HP programs installed for my HP printer, but I believe the virus keeps re-opening them, "hpgs2wnf.exe" and 2 "hpswp_clipbook.exe"; these seem to be clean files, but the virus is changing them or something, I don't know. And there are more iexplore.exes open, as I stated earlier, and I'm not sure about "rundll32.exe". Last, the User Name shows up only as "user" for some reason. The 2 comprehensive scans only found tracking cookies, 32 in the first scan and 10 in the second.
If there are any other specs or details you need to know, let me know. Your help will be greatly appreciated, thank you in advance.
04-12-2010 12:41 AM
Hi Eminence,
Welcome to Norton Community!
Let us know the Operating System you use. It seems like a rootkit infection. Try to boot your computer to Safe Mode, and then run a Full System Scan using Norton Security Suite.
Yogesh
04-12-2010 09:39 PM - edited 04-12-2010 09:58 PM
That computer that's infected is running Windows XP.
04-13-2010 03:30 AM - edited 04-13-2010 03:35 AM
"and this site named "zl091kha644.com" (no quotes) as a "HTTP Tidserv Request" keeps attacking me every time I search or go to a new web page."
This, along with your other problems, leads me to believe that you are infected with a TDSS rootkit. If I were you I would run TDSSKiller; if it is able to remove the rootkit, you should run Malwarebytes again to clean up any leftovers. You can read more and download it here: TDSSKiller
Note: TDSSKiller is an excellent app, but there is always an element of risk when attempting to remove deeply embedded malware such as rootkits.
04-13-2010 08:41 AM
Hello
If this is one of the new generation rootkits, these programs may not work either yet.
Success always occurs in private and failure in full view.
04-13-2010 02:37 PM - edited 04-13-2010 02:42 PM
Well, I ran a comprehensive scan last night. It found 3 trojans and 33 tracking cookies; I did not finish the scan because I turned off my computer because I was going to sleep. I started it in regular mode after I scanned in safe mode last night and half my Norton antivirus was disabled; it was still stated as "On" but in red instead of green. One Click Support told me to uninstall and reinstall Norton. The first time I did this it did not uninstall correctly, but this time it did. So I'll reinstall it and run that program you gave to me, but I have a question: why run Malwarebytes again now that I have Norton Security? Also, what do you mean the killer won't work if it's recent?
Also, I remember using GMER, do I use that as well? I read the link; would you like a log as well?
04-15-2010 04:36 PM
Okay, so I reinstalled the program and everything worked fine. I did LiveUpdate, scanned in safe mode, and it found the trojans. I then disabled System Restore to clear unwanted restore points, and will turn it back on later.
One problem: I still get redirects and the same site keeps trying to attack me. There was this other site attacking from Asia as well (it was .asia) but I didn't get the full name.
Problems: I ran TDSSKiller.exe as suggested. It removed some rootkits, but it states "atapi.sys" is infected by a TDSS rootkit, and TDSSKiller does not remove it on reboot.
Something called "tidserv" is still messing with my connection. It is fine on my other computers and it's connected wirelessly with the laptop; it works with Google, but when I try to go to the Windows Update website it will act as if the internet has been disconnected, but if I go to a common site it works, so I can't update Windows from the site. Also my Firefox and Internet Explorer crash every time I close them.
Small concern: msnmsgr.exe I know is MSN Messenger, and it seems like a legitimate executable file, but when I go into the Windows Live Messenger folder I find multiple msnmsgr.exe's and they go as "msnmsgr .exe", each one having another space before the .exe. I don't know if this is a virus, spyware or what, but it bothers me that it is spaced, because it seems fake to me.
Solution: How do I get rid of this rootkit, make my internet browsers work correctly and not crash upon closing them, and update Windows? Is my MSN Messenger safe, and how will I know if my computer is completely rid of these pests? I will turn on System Restore after I have finished cleaning the computer.
I appreciate the help you've given me, but I need a little more, thanks.
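The "msnmsgr .exe" observation above is a good illustration of a check a defender can script: Windows treats a name with an extra space before ".exe" as a different file, so both show up side by side in Task Manager, and the space is easy to miss. Below is an added example (not code from this thread or from Norton) that normalizes image names and flags a process whose name contains whitespace or whose image runs from somewhere other than an assumed baseline directory; the process list and baseline paths are constructed for the demonstration.

```python
import re

# Constructed sample of process entries modelled on the names discussed in
# the thread; this is not a capture from the poster's machine.
SAMPLE_PROCESSES = [
    {"name": "msnmsgr.exe",
     "path": r"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"},
    {"name": "msnmsgr .exe",
     "path": r"C:\Program Files\Windows Live\Messenger\msnmsgr .exe"},
    {"name": "iexplore.exe",
     "path": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"name": "iexplore.exe",
     "path": r"C:\Documents and Settings\user\Local Settings\Temp\iexplore.exe"},
    {"name": "rundll32.exe",
     "path": r"C:\WINDOWS\system32\rundll32.exe"},
]

# Assumed baseline: where each well-known image is expected to live on an XP box.
EXPECTED_DIRS = {
    "msnmsgr.exe": r"c:\program files\windows live\messenger",
    "iexplore.exe": r"c:\program files\internet explorer",
    "rundll32.exe": r"c:\windows\system32",
}


def normalize(name):
    """Strip all whitespace and case so 'msnmsgr .exe' compares equal to 'msnmsgr.exe'."""
    return re.sub(r"\s+", "", name).lower()


def check_process(entry):
    """Return the reasons an entry looks suspicious; an empty list means nothing was found."""
    name, path = entry["name"], entry["path"]
    reasons = []
    # Legitimate image names never contain whitespace; "msnmsgr .exe" does.
    if re.search(r"\s", name):
        reasons.append("whitespace inside image name")
    expected = EXPECTED_DIRS.get(normalize(name))
    if expected is not None:
        directory = path.rsplit("\\", 1)[0].lower()
        if directory != expected:
            reasons.append("runs from unexpected directory: " + directory)
    return reasons


def find_suspicious(processes):
    """Map each suspicious image path to its list of reasons."""
    found = {}
    for proc in processes:
        reasons = check_process(proc)
        if reasons:
            found[proc["path"]] = reasons
    return found
```

On a live system the entries would come from the process list with full image paths; anything flagged deserves a look at the file's signature and hash rather than a judgment from the name alone.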
04-15-2010 05:26 PM
If the new TDL4 (unofficial) infects 2 drivers, one being the disk controller (atapi.sys), the other is randomly chosen.
GMER, with a full scan and log afterwards, shows both drivers infected,
BUT at this point I have no idea how to clean for forum users, as both drivers have to be swapped with clean versions at the same time before the next reboot happens.
I have tested this with my PC and manually cleaned TDL4 from it, without tools that are made for TDL3, as they are not able to detect the second driver, causing the clean disk controller "atapi.sys" to be infected again on the reboot.
Quads
04-16-2010 01:29 PM
I'm having exactly the same problems. Is there any solution by Symantec?
Any ideas how to get rid of this rootkit?
04-16-2010 03:26 PM
Is there a way to remove this rootkit? Will this solve my other problems, since I don't seem to be having trojans anymore, but the problem of some websites such as windowsupdate site not working still persists.
