134 Threats Detected!

Hi all. New to the forum and need some help/suggestions. I am running a Dell Latitude 6500/WinXP SP3 with a relatively clean install (system built 01/15/2010) and NIS2010. I connect to a small business server every day with file synchronization and a roaming profile.


Background scan 2/7 5:38PM showed no major problems; "SafeStrip" is removed (I see this one every few days and have never tracked down the cause). However, on 2/8 at 3:34AM there are suddenly 134 (that's right--one hundred thirty four) different pieces of malware and spyware on the machine. Something had definitely changed because my homepage was now MSN.com vs. Google.com. Here is the NIS2010 log:

---

2/8/2010 10:03 AM,Low,Movieland detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 10:03 AM,Low,Adware.AntiSpamBoy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 10:02 AM,Low,SpyOnThis detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 10:02 AM,High,Spyware.SpyMyPC detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 10:02 AM,Low,Trackware.WebGuardian detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 10:02 AM,Low,Adware.Eurobarre detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 10:02 AM,Medium,Adware.Henbang detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:47 AM,Medium,VirusBlast detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:47 AM,High,Spyware.RealSpy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:47 AM,Medium,RegistryCleanFix detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:47 AM,Medium,UnSpyPC detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:47 AM,Medium,SafeStrip detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,OSBodyGuard detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,High,Spyware.SpyArsenalLog detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,High,Spyware.LocalKeylog detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:46 AM,Medium,CrisysTecSentry detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,SpyGuarder detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,Spyware.Borzoi detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,AdvancedCleaner detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,Spyware.SpyKy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,TitanShield detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,Awola detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,KvmSecure detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:46 AM,Medium,Spyware.SpyMan detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:46 AM,Medium,AntiVirGear detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,High,Spyware.KeyCollect detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,Spyware.Track4Win detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,Medium,ErrorProtector detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,Medium,IEAntivirus detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,High,Spyware.PCTattletale detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,Medium,Spyware.SpyMail detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,Medium,WinZix detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,Medium,MalwareWipe detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,Medium,SpyShredder detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:45 AM,High,MagicAntiSpy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,Medium,SpyBlocs detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,Medium,Torrent101 detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,High,Spyware.ActualSpy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,Medium,WinXDefender detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,High,Spyware.QuickKeylogger detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,High,Spyware.ActiveKeylog detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,Medium,AntiSpywareExpert detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,High,Spyware.AceScreenSpy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,Medium,SecurityToolFraud detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,High,Adware.AdRoar detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,Medium,Spyware.MSNSpyMonitor detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,Medium,Spyware.FreeKeylogger detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,Medium,SpywarePro detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,Medium,RealAV detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:43 AM,High,Spyware.ChilyEMon detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,Medium,007AntiSpyware detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,High,Spyware.NSKeyLogger detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,High,Spyware.SuperKeylogger detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,Medium,SpyKillerPro detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,Medium,Spyware.TinyKeylogger detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:43 AM,High,SpyDeface detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:43 AM,Medium,LiveKill detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:42 AM,High,Spyware.Sa_PCSpy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,High,Spyware.PCSpy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,High,Spyware.SolidKeyLogger detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,Medium,PrivacyProtector detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,Medium,3wPlayer detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,Medium,SpyShield detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,Medium,SpyReaper detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,Medium,Spyware.ISnake detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,Medium,VirusProtectPro detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,Medium,SpywareIsolator detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,Medium,VirusLocker detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:42 AM,Medium,Spyware.AllInOne detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,Medium,Softstop detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,High,Spyware.RedPill detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:41 AM,High,Spyware.NeoSpy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,Medium,AgentSpyware detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,Medium,AntiSpyZone detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,Medium,MalwarePro detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,Medium,AntiVermins detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,Medium,WinXProtector detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,Medium,SpyCrush detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,Medium,PCClean detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:41 AM,Medium,Punisher detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:40 AM,Medium,SpyDawn detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:40 AM,High,Spyware.KeyProwler detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:40 AM,Medium,SpyDestroy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:40 AM,Medium,SpyLocked detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:40 AM,Medium,ErrorSafe detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:40 AM,Medium,PcTurboPro detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:40 AM,Medium,1stAntiVirus detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:40 AM,Medium,WinAntiSpyware detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:39 AM,Medium,RegSort detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:39 AM,Medium,AntiSpywareGuard detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:39 AM,Medium,SuperSpywareKiller detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:39 AM,Medium,Spyware.CyberSpy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:37 AM,Medium,Fixiter detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:37 AM,Medium,Spyware.Redhanded detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:37 AM,Medium,Spyware.IMMonitor detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:37 AM,Medium,SpyKill detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:37 AM,Medium,Spyware.SmartKeylogger detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:37 AM,Medium,RazeSpyware detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:37 AM,High,Spyware.Systemsurv detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:37 AM,Medium,VirusResponseLab detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,Cleaner2009 detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,SpyDevastator detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,EasySpywareKiller detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,TheRegistrySentinel detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,SpywareQuake detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,SpyHeal detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,AntiVirusGold detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,TraceSweeper detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,PCPrivacyCleaner detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,SpyLax detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,High,Spyware.EasyKeyLogger detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,IEDefender detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,PyroAntiSpy detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,High,Spyware.MSNChatSniffer detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:36 AM,Medium,RegistryDoctor2008 detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:35 AM,Medium,MySpyProtector detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:35 AM,Medium,VirusRemover2008 detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:35 AM,Medium,VirusBurst detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:34 AM,Medium,WinDefender detected by Virus scanner,Quarantined,Resolved - No Action
2/7/2010 5:18 PM,Medium,SafeStrip detected by Virus scanner,Removed,Resolved - No Action
2/5/2010 11:15 PM,Medium,SafeStrip detected by Virus scanner,Removed,Resolved - No Action

---

NIS2010 removed all threats with a few quarantines and then asks to restart. During the reboot process after the WinXP splash screen the monitor goes dark and there is HDD access for about 1.5 minutes until the blue Windows logon screen loads (as if new files are being written to the registry) and I am prompted to log in. Upon login and rescanning with NIS2010, the same 134 threats are detected again. After NIS cleans up the system, I am able to reboot into Safe Mode and perform a NIS full scan (with limited features in Safe Mode) and see zero (0) threats. Subsequently loading Windows normally results in the boot delay and re-installation of the malware/spyware, again with 134 instances. So there is some service or startup item corrupted and set to install registry/files during boot.

When I got to work this morning, a colleague with a similar Dell Latitude 6500 also reported having some problems. We looked at his NIS2010 and it also had 134 instances of malware/spyware with the same names and the same difficulties for removal. Interestingly, his first full scan report of the problem was on 02/04 of last week (3 days before mine). A few other people on our small business network run NIS2010 but report no problems.

Suggestions? I am thinking clean wipe and re-install... but I do not know what the initial problem or the vector was. Also, I do not know what was taken/compromised: passwords, files, etc. Given that there are 2 people on the same small business server with the problem, will it come back?

Help is appreciated!

Brian
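As an added example (not part of Brian's post, and not code from Norton or any tool named in the thread), the log above can be treated as data: the script below parses history entries in the comma-separated layout shown, groups them into scan runs by time gap, and flags consecutive runs that report exactly the same set of threat names as Removed or Quarantined, which is the "same list comes back after every scan" pattern this thread is about. The sample lines embedded in it are a constructed subset in the same layout, the 30-minute gap used to split runs is an assumption, and the function names are mine.

```python
"""Parse Norton Security History export lines and detect recurring threat sets.

Added example.  SAMPLE_LOG is a constructed subset in the same layout as the
history export pasted in the thread (date time,severity,<threat> detected by
<source>,action,status); it is not the full original log.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2/8/2010 10:03 AM,Low,Movieland detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 10:02 AM,High,Spyware.SpyMyPC detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 10:02 AM,Medium,Adware.Henbang detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 10:02 AM,High,Spyware.LocalKeylog detected by Virus scanner,Quarantined,Resolved - No Action
2/8/2010 3:46 AM,High,Spyware.SpyMyPC detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:46 AM,Medium,Adware.Henbang detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:45 AM,Low,Movieland detected by Virus scanner,Removed,Resolved - No Action
2/8/2010 3:44 AM,High,Spyware.LocalKeylog detected by Virus scanner,Quarantined,Resolved - No Action
2/7/2010 5:18 PM,Medium,SafeStrip detected by Virus scanner,Removed,Resolved - No Action
2/5/2010 11:15 PM,Medium,SafeStrip detected by Virus scanner,Removed,Resolved - No Action
"""

# One history line: timestamp, severity, "<threat> detected by <source>", action, status.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M),"
    r"(?P<severity>[^,]+),"
    r"(?P<threat>.+?) detected by (?P<source>[^,]+),"
    r"(?P<action>[^,]+),"
    r"(?P<status>.+)$"
)


@dataclass(frozen=True)
class Event:
    when: datetime
    severity: str
    threat: str
    source: str
    action: str
    status: str


def parse_history(text):
    """Return the history entries in ascending time order; non-matching lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # separators, headers, or free text between entries
        events.append(Event(
            when=datetime.strptime(m["ts"], "%m/%d/%Y %I:%M %p"),
            severity=m["severity"], threat=m["threat"], source=m["source"],
            action=m["action"], status=m["status"],
        ))
    return sorted(events, key=lambda e: e.when)


def group_scan_runs(events, gap=timedelta(minutes=30)):
    """Split time-ordered events into runs; a new run starts after a quiet period longer than gap."""
    runs = []
    for ev in events:
        if runs and ev.when - runs[-1][-1].when <= gap:
            runs[-1].append(ev)
        else:
            runs.append([ev])
    return runs


def threat_set(run):
    return frozenset(ev.threat for ev in run)


def recurring_threat_sets(runs):
    """Pairs of consecutive runs that report the identical threat set even though the
    earlier run already marked every entry Removed or Quarantined."""
    hits = []
    for i in range(1, len(runs)):
        prev, cur = runs[i - 1], runs[i]
        remediated = all(ev.action in ("Removed", "Quarantined") for ev in prev)
        if remediated and threat_set(prev) == threat_set(cur):
            hits.append((i - 1, i, threat_set(cur)))
    return hits


def summarize(run):
    """Counts per severity and per action for one scan run."""
    return {
        "start": run[0].when, "end": run[-1].when, "count": len(run),
        "by_severity": dict(Counter(ev.severity for ev in run)),
        "by_action": dict(Counter(ev.action for ev in run)),
    }


if __name__ == "__main__":
    runs = group_scan_runs(parse_history(SAMPLE_LOG))
    for i, run in enumerate(runs):
        print(i, summarize(run))
    for a, b, names in recurring_threat_sets(runs):
        print(f"runs {a} and {b} report the same {len(names)} threats: {sorted(names)}")
```

On the constructed sample this flags two recurrences: the lone SafeStrip detection repeating on 2/5 and 2/7, and the four-name set reported as remediated at 3:4x AM and again at 10:0x AM. A set that is identical across consecutive runs, with every entry already marked Removed or Quarantined, means remediation is not sticking: either something re-creates the objects between scans or the scanner is reporting definition entries that were never present on disk. Either way, the useful next step is the one jAW suggests later in the thread: pull the file and registry paths from the history details for one run and check whether they actually exist before the rescan.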

I think you have to start disconnected from the server and treat each machine separately, including the server. It sounds like the server is infected and then infects the clients. Download the Malwarebytes scanner and scan each machine. You may need something different for the server. You should also be able to click on one of your 134 infections and trace what was infected; that may give a clue.

Hi Brian,

As cgoldman said, try a scan disconnected from the server. If the problem is with the server a reinstall of your system will not help.

It would be good to know exactly what files Norton detects. In the security history you should have the option to view the details of each threat. Mark the threat, click More Details and you should be able to see filenames and such. Check a few and see if there are any similarities, like in the file locations.

Regards

jAW

I re-ran several scans while disconnected from the server (using my local roaming profile). After rebooting in each case, NIS would detect the 134 bits of bad code and I would start the process over. If I booted into Safe Mode, I believe that NIS would NOT detect any problems.

Here is the interesting part... I followed both your suggestions to look at exactly what files were cleaned and where they were located... and the funny thing is that nothing was there. Meaning, according to the actions taken by NIS2010, it should have removed some links from the desktop, some program files and a bunch of keys in the registry. However, there was nothing on the desktop, nor in Program Files, or even in the registry for 4 malware files that I selected at random from the list (there was no correlation between the files either). After rebooting, I searched for these files/keys and was 0 for 4 in finding any evidence for the suspected files. However, if I started a full scan NIS would say that it found them and resolve the issue.

When a full scan is started, it looks at common and startup files and then starts investigating each virus, malware and spyware item that I showed in the first forum posting. It actually takes a good amount of time to go through this listing, as if NIS is thoroughly scanning the registry and system volume for each type of threat. You can watch the progress in the scan window. Once it passes through the threat listing and starts to scan actual files in the directory tree... the 134 identified threats populate the table as NIS resolves each threat individually.

I am now suspicious (or hopeful!!) that there was never any major infestation in the first place, rather an error with NIS "thinking" that there were 134 different pieces of malware and the program going through the motions to fix it. Or there WAS an infestation and it was cleaned, but there is something embedded in my roaming (local) profile that is re-instated each time I log in.

I have not synchronized with the server for fear of putting something onto it... and to try to contain any problem locally. Maybe that would help?

Brian

Hi Brian,


If possible, try to create a Norton Bootable Recovery CD, boot the computer using it and run a scan from it. Refer to the instructions from the following Symantec Article:

http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20080612122232EN


Yogesh

Hello Brian03

I believe that you have some rogue anti-virus programs on your computer. You may have more than one of them, which is why so much different malware is showing up. 007AntiSpyware is one of them. There may be others also. There may also be a rootkit involved if there are so many infections listed. You may have several of these rogue antivirus programs, as I didn't Google the other threats listed. You may need some expert help on this one, especially since it seems to have infected someone else's computer who uses that server. Are you using a corporate Symantec program, since you have mentioned a server?

Did you actually run Malwarebytes on your system as recommended by others? SafeStrip is a rogue AV and it could be that parts of it that display a long list of malware on your machine are falsely triggering Norton. Please run a full scan with MBAM, save the log in Notepad and attach it via the add attachments link.

Hello Brian

It looks like there are a few rogue antivirus programs showing up in that Norton log.


Brian03 wrote:

Here is the interesting part... I followed both your suggestions to look at exactly what files were cleaned and where they were located... and the funny thing is that nothing was there. Meaning, according to the actions taken by NIS2010, it should have removed some links from the desktop, some program files and a bunch of keys in the registry. However, there was nothing on the desktop, nor in Program Files, or even in the registry for 4 malware files that I selected at random from the list (there was no correlation between the files either). After rebooting, I searched for these files/keys and was 0 for 4 in finding any evidence for the suspected files. However, if I started a full scan NIS would say that it found them and resolve the issue.

When a full scan is started, it looks at common and startup files and then starts investigating each virus, malware and spyware item that I showed in the first forum posting. It actually takes a good amount of time to go through this listing, as if NIS is thoroughly scanning the registry and system volume for each type of threat. You can watch the progress in the scan window. Once it passes through the threat listing and starts to scan actual files in the directory tree... the 134 identified threats populate the table as NIS resolves each threat individually.


If Norton finds a file or similar thing that it has a full definition for, Norton will check the system for the files and registry values stated in the definition and try to remove them. All of these will later show up in the history as removed regardless of whether they were in the system to start with. I have seen this several times.


Brian03 wrote: 

I am now suspicious (or hopeful!!) that there was never any major infestation in the first place, rather an error with NIS "thinking" that there were 134 different pieces of malware and the program going through the motions to fix it. Or there WAS an infestation and it was cleaned, but there is something embedded in my roaming (local) profile that is re-instated each time I log in.

I am leaning towards that too; the question is what triggers Norton. But the original detection of SafeStrip should probably be checked first, since that was there before the 134 detections.

Since you have one more computer that gets the exact same detections, it should be something that is similar between the two systems, like a program. Any recent changes or updates? It could also be something from the server that is now on your local profile, being recreated as you say. You could try to create a new local account while disconnected from the server and log into that to see if Norton detects anything on that also.

As for Norton not detecting anything in Safe Mode: since it is probably Auto-Protect or SONAR making this detection (134) and not the scans, it would not give a detection in Safe Mode since those functions do not load there. Also, if it is a false positive that triggers Auto-Protect or SONAR, it is likely that a full scan would not detect anything even in normal mode.

Regards

jAW

You could also try to go back to a previous restore point if this is possible.

Am also thinking that perhaps Norton is detecting the threats that a threat is producing, so even though Norton keeps detecting the same 134 threats, perhaps Norton has not got the signature for the threat which is producing these other threats? Have a look around your computer - if you wish - and see if you spot any suspicious files which Norton is failing to detect, and send them to Symantec Security Response should you find any: https://submit.symantec.com/websubmit/retail.cgi

I have new information that is leading our team to suspect a problem with Norton. It has taken several days, so sorry for the delayed post.

We tried Norton bootscan, MalwareBytes, AVAST w/bootscan, Rootkit Revealer, and did not come up with any malware, viruses or rootkits. I ran Process Explorer and HijackThis to monitor autoruns. No problems were detected, even with the bootscans. One interesting note is that the NVidia 160M system tray icon would occasionally show up, disappear or not appear at all. I have read that some people have seen the Norton icon disappear... is there a correlation?

Since this was affecting two Dell 6500 Latitude laptops and bringing productivity to a halt, we gave in and did complete reformats, WinXP reinstalls and driver updates from the Dell CDs. As I mentioned, our small business uses "roaming" user profiles from our central server that are copied to the local machine. When the laptop is disconnected from the server, a "local" copy of the profile is used to execute tasks and then changes are later synchronized when the machine is reconnected.

Here is the interesting part. We reinstalled the base OS with updates, NIS2010 (17.5.0.127), the MS Office 2003 suite, Adobe Acrobat 9, and did driver updates as well. This was done by our system administrator. A full scan showed 0 threats and a clean system. I then logged into the machine, copying my "profile" from the server, and performed a synchronization to bring over my documents and desktop files. We ran a full scan and there were also 0 threats, clean system.

I then logged out, shut down and took the computer home. With the WLAN radio off, I rebooted and the computer loaded my "local" profile. I immediately did a full scan and BANG --134 threats found. The same listing as reported in the first posting. The other E6500 user with NIS 2010 (17.5.0.127) reported a similar event after a complete reformat, re-install and test.

We have a third person at our company using Norton AV (16.8.0.41) with a Dell D810 Latitude that did a full scan last week and there were no problems found. However, his machine was never disconnected from the small business server (i.e. it used the server profile for his login) and stayed at his desk. As a test, we disconnected his laptop from the LAN, rebooted and logged in with his "local" profile and BANG --134 threats found with the full scan with Norton AV! So once the machine used the "local" profile, Norton became "aware" of threats on the computer.

Just to clarify, SONAR and Auto-Protect do not catch anything. For me, the quick idle scan detected SafeStrip (as per my original post) and the full system scan would detect all 134 threats. Looking for some of the actual folders, files, and registry entries never revealed the presence of the malware.... it is as if something about logging in with a local profile setting triggers an event that makes Norton think that there is a major infection. During the full scan, the threats are identified when Norton is looking for specific virus definitions or fingerprints.... not when scanning files (e.g. it will say "looking for WinFixer" and pause for 1 minute).

On 02/07 when I had the first 134-threat detection, my IE browser was redirected to MSN (but maybe that was due to a critical update from Microsoft at 3AM... and not an actual hijack). However, our other E6500 user DID report that on 02/04 his web browser was redirected to msn.com or m.yahoo.com (vs. google) on several occasions; during his boot and winlogon process the desktop background would revert from his personal image to the Windows farm fields and then back to his personal image. Plus, text boxes under desktop icons would have white backgrounds instead of the normal transparent where there is no text. So he could actually have been "patient zero" and something got onto our local network through his machine.

I am not sure if this also matters, but when the incident first happened to me on 02/07-08, after the first system clean I did encounter a problem where 1-click support popped up every few minutes saying the computer was not protected with error Module 3039, Error 65554. It lasted while the computer was unplugged from the LAN cable until the next reboot. I read that someone else had this error pop up.

So our scenarios are:

#1 we actually had something get into a machine and spread itself onto our small business server and then filter down to multiple machines.  However, it only affects computers that are running Norton and they manifest when a local profile is run.  Other computers on the network domain run McAfee and report 0 problems.  We have run full scans and have realtime monitoring--- 0 threats, they are always connected to the network.

#2 there is a problem with Norton IS and AV when computers are running roaming profiles.... and somehow virus definitions are "seen" during boot of the local profile and Norton tries to remove them.

If you immediately do a full scan after threats have been resolved, all 134 will show back up again.

Help!

Hello Brian03


Other computers on the network domain run McAfee and report 0 problems. 


I don't know, but I'm wondering if that statement could have anything to do with the problem. I'll have to leave that for someone else to answer.

Norton has better Detection Rates than McAfee - and no, am not just saying that. During tests, Norton Scored higher than McAfee.

So Norton fixes the 134 threats and the full scan completes. If you immediately run another full scan, the 134 threats will reappear as if nothing has changed. If you reboot and scan, the 134 threats are back again.

Our observation is that once you do a full scan on a computer disconnected from the network (using a local profile), the 134 threats are detected and they never go away. If you reconnect to the network or reboot, Norton will detect threats.

On our test case computer (Dell 810) that was connected to the network (using the server profile, not a local profile), when the full scan was run with NAV there were NO threats detected. As soon as we unplugged this computer from the domain and rebooted, NAV saw the 134 threats. Subsequent full scans kept showing the 134 threats.

We then tricked Windows by renaming the local copy of the profile in C:\documents and settings\... (sort of a reversible deletion of the local profile as far as Windows is concerned), and logged onto the domain; the user's server copy is transferred to the machine and there are NO threats detected. If the machine is rebooted on the network, there are NO threats.

We then disconnected the computer from the domain, and VOILA--134 threats detected with the full scan.

What is going on here!  It seems that NIS and NAV cannot handle local roaming profiles!

Has anyone ever experienced this before? We are lost at what to do....

Do we actually have compromised machines?

When I reformatted/reinstalled WinXP and synchronized with the server (copying my user profile over), there were 0 threats with the full scan. However, the threats were apparent on the subsequent reboot with the local profile. So that would mean that whatever rootkit/malware code resides in the profile, upon reboot, edits/changes/compromises the machine during winlogon.

I will post a HiJackThis log soon, maybe there is something in there that someone could spot.

Here is the HiJackThis log running from the Administrator account that would have 134 threats detected.

Comments?


Brian03 wrote:

...

So our scenarios are:

#1 we actually had something get into a machine and spread itself onto our small business server and then filter down to multiple machines.  However, it only affects computers that are running Norton and they manifest when a local profile is run.  Other computers on the network domain run McAfee and report 0 problems.  We have run full scans and have realtime monitoring--- 0 threats, they are always connected to the network.

#2 there is a problem with Norton IS and AV when computers are running roaming profiles.... and somehow virus definitions are "seen" during boot of the local profile and Norton tries to remove them.

#3 you actually have something serious on your machine and only Norton can detect it.

This actually sounds like the most likely scenario.

It is possible that you have a zero sector malware, which is very difficult to remove and sometimes even evades reimaging. It certainly cannot be removed by simply reinstalling the OS. The best removal procedure would consist of reformatting the hard drive, then restoring the original factory image, then rebuilding the current system.

Regrettably, this new family of zero sector/boot sector infections is complicated to recognize and/or delete and most AV programs (so far including Norton's) are not up to the task. The process at the moment consists largely of recognizing the symptoms and going on from there. The symptoms include both redirection of the browser and reappearance of removed malware -- and you and your colleague have experienced both of these.

At the moment, our recommendation is to look for a site that specializes in cleaning up such infections. There are a number of such sites that help with this for no charge. A Google search should find some of these; and you can be sure that you will get recommendations from a number of others here; in fact there may already be some up ahead in the thread that I haven't seen yet.

Mij-

We booted from the WinXP CD, did the long NTFS reformat (not the quick one), repartitioned the HDD (eliminating the Dell partition) and then re-installed the OS. The machine was clean until disconnecting from the domain and running the "local" profile.

Is there a way to prevent boot sector changes? An admin password in the BIOS or something?

Maybe the servers/web sites that you use are infected? Just remember that threats can come from anywhere when you do not have a firewall installed.

Brian03 wrote:

Mij-

We booted from the WinXP CD, did the long NTFS reformat (not the quick one), repartitioned the HDD (eliminating the Dell partition) and then re-installed the OS. The machine was clean until disconnecting from the domain and running the "local" profile.

Is there a way to prevent boot sector changes? An admin password in the BIOS or something?

You are right in that the process should have cleaned the drive. My knowledge of rootkits is not so extensive that I can say that for certain, though.

Another thing that occurs to me is that when you imported your settings, you imported something (probably in Outlook, if that is what you use) that reintroduced the infection, and that it wouldn't show up until you did a reboot.