
Virus seems to be blocking Norton and Windows Defender

Hello...

A few days ago I noticed that my Norton Internet Security had stopped working. When I tried to click on Norton Icon in the Start menu, the program just didn't open and I was conducted to Norton Homepage, where I was told to uninstall Norton and reinstall again. I also noticed that my Windows Defender (I'm running on Vista 32k) also wasn't working. Though I tried to reactivate Windows Defender, every time I restart my computer, it automatically gets inactive.

My next step was to run my cpu on SAFE mode. Surprisingly, Norton Icon was working there and I was able to do a Complete Scan, but nothing really important was found. I also had checked my cpu with both SuperAntiSpyware Free and Spybot and, although some threats were found and removed, things are all the same: no Norton, no Windows Defender.

Is there something I can do?

Replies


Re: Virus seems to be blocking Norton and Windows Defender

Could you please provide us with a Hijackthis log.  We have several very good analysts that will be able to assist you.  Please download HJT from here:  http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Also, in case it is required, please download the Norton Removal Tool from here:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

Just hold onto the tool for the time being until we look to see that there is no obvious malware on your machine.

Also please download Malwarebytes here: http://www.malwarebytes.org

If it won't download or install, please let us know and we will provide instructions.

Message Edited by delphinium on 06-03-2009 08:25 AM
Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: Virus seems to be blocking Norton and Windows Defender

Hi reneforster -

Please follow the above steps.

Be sure to update Malwarebytes after installing (if you can install it.)

Exactly what NIS version are you running (see Help-About, etc.)?

The real issue is to determine whether NIS is at fault or if you might have an active infection, even a rootkit.

Are you able to log into Safe Mode with Networking and perform a Live Update?

Let us know how you do. We will go from there.

Message Edited by Compumind on 06-03-2009 12:08 PM
Compumind: NIS 2009, XP-SP3, Vista-SP2, IE 8

Re: Virus seems to be blocking Norton and Windows Defender

Please be advised that the Liveupdate engine does not function in Safe mode, so if that doesn't work, not to worry.
Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: Virus seems to be blocking Norton and Windows Defender

Hi -

delphinium said:


Please be advised that the Liveupdate engine does not function in Safe mode, so if that doesn't work, not to worry.


Yep, true. I stand corrected!

What about using the Intelligent Updater?

Compumind: NIS 2009, XP-SP3, Vista-SP2, IE 8

Re: Virus seems to be blocking Norton and Windows Defender

The MBAM log will give us an idea of what we are dealing with.  Let's see what it tells us.
Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: Virus seems to be blocking Norton and Windows Defender

Intelligent Updater can be used in normal mode, won't work in Safe mode.

Re: Virus seems to be blocking Norton and Windows Defender

Hi Yogesh -

That's too bad about the Intelligent Updater - it rather limits the overall diagnostic functionality.

Thanks for your info.

Compumind: NIS 2009, XP-SP3, Vista-SP2, IE 8

Re: Virus seems to be blocking Norton and Windows Defender

yogesh -

Intelligent updater just ran in Safe Mode on my system.  Perhaps it has been changed / enhanced recently?

Win10 x64; Proud graduate of GeeksToGo

Re: Virus seems to be blocking Norton and Windows Defender

Thank you all!!

I will follow these steps and as soon as I complete them all I will post the results....

See you...


Re: Virus seems to be blocking Norton and Windows Defender

Hi Reneforster:

Please just send us the Hijackthis log and the Malwarebytes log.  Everything else can wait til we see what's up.

Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: Virus seems to be blocking Norton and Windows Defender

Well ... Back again.

My first step was to run Malwarebytes, here is the log:


Processos da Memória infectados: 1
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 1
Valores do Registro infectados: 1
Ítens do Registro infectados: 0
Pastas infectadas: 1
Arquivos infectados: 1

Processos da Memória infectados:
C:\Users\Renê\AppData\Roaming\msiexeca.exe (Trojan.Agent) -> Unloaded process successfully.

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Tribute Service (Trojan.Agent) -> Quarantined and deleted successfully.

Valores do Registro infectados:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setup (Trojan.Agent) -> Quarantined and deleted successfully.

Ítens do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Pastas infectadas:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Arquivos infectados:
c:\Users\Renê\AppData\Roaming\msiexeca.exe (Trojan.Agent) -> Quarantined and deleted successfully.


My next step was to uninstall NIS 2009 and reinstall it again. After reinstallation, NIS came back to duty, but Windows Defender keeps being inactive. Even if I activate WD manually, it turns to be inactive every time I restart my computer. I've heard that Windows Defender and Norton might not work together, is that true?

I had also performed a scan with Hijack, here's the log:


Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\SiS VGA Utilities\SiSTray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\C&E\OSD\osd.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1k96igf4806cy&ltmpl=default&ltmplcache=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 139.82.115.10:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: YcySoft Save Flash - {891F621C-85C4-406A-9666-1B7C822A91F4} - C:\PROGRA~1\ycysoft\SAVEFL~1\IEFLAS~1.DLL
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Save - Flash - Player - {58112A01-1F24-4EFE-A6B2-297DC7CDFEF2} - C:\PROGRA~1\ycysoft\SAVEFL~1\IEFLAS~1.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SiSTray] %ProgramFiles%\SiS VGA Utilities\SiSTray.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [OSD] C:\Program Files\C&E\OSD\osd.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIÇO DE REDE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: acaptuser32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe


Thank you all, folks...
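
Added example, not part of the original thread or of any poster's reply: a short Python triage pass over the HijackThis log format shown above. The sample lines are copied from that log; the section descriptions and the four review rules are assumptions of this example, and a flag means "check this entry by hand", not "malicious".

```python
import re

# Subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 139.82.115.10:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\IPSBHO.DLL
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# What each section code lists (only the codes that occur in the sample).
SECTIONS = {
    "R1": "Internet Explorer / Internet Settings registry value",
    "O2": "Browser Helper Object",
    "O4": "autostart entry (Run key or Startup folder)",
    "O20": "AppInit_DLLs / Winlogon Notify",
    "O23": "Windows service",
}

# Every log entry has the shape "<code> - <body>", e.g. "O23 - Service: ...".
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Review rules (assumed heuristics): label, predicate(code, body).
RULES = [
    ("missing file", lambda c, b: b.endswith("(no file)")),
    ("AppInit_DLLs set", lambda c, b: c == "O20" and bool(re.match(r"AppInit_DLLs:\s*\S", b))),
    ("service without vendor", lambda c, b: c == "O23" and " - Unknown owner - " in b),
    ("proxy configured", lambda c, b: bool(re.search(r",ProxyServer = \S", b))),
]

def parse(log):
    """Return [(code, body)] for every line that looks like a log entry."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(entries):
    """Return [(label, code, section description, body)] for flagged entries."""
    return [(label, code, SECTIONS.get(code, "other"), body)
            for code, body in entries
            for label, pred in RULES if pred(code, body)]

if __name__ == "__main__":
    for label, code, section, body in triage(parse(SAMPLE_LOG)):
        print(f"[{label}] {code} ({section}): {body}")
```

Entries that match no rule, such as the TeaTimer autostart line, are not cleared by this pass; they are simply outside the four rules.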


Re: Virus seems to be blocking Norton and Windows Defender

Hi Reneforster:

Someone with greater skill than my own will be along to have a look at these logs.  One issue I can see is that Spybot S&D with Teatimer is going to cause problems.  When you have two antivirus engines trying to work together, they don't play nice.

We have found as well that when trying to remove malware from a machine, Spybot S & D will prevent the removal of certain malware.  This program should be uninstalled as soon as possible.

Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: Virus seems to be blocking Norton and Windows Defender

Hi

Follow the instructions carefully, just do the log

1. Download Gmer http://www.gmer.net/ Personal message me the Log possible in parts and I will create a script to remove (hopefully) the files. To personal Message me the log click on my name, "Quads" then you will see something like "personal message this user"

2.  Run GMER, click the scan button, when the scan is finished, click the "Save" button to save the log.

Quads 


Re: Virus seems to be blocking Norton and Windows Defender

Message moved to another thread for better exposure
