Auto-Protect detected security risk W32.SillyFDC

Norton's history is not showing anything.

Delete System Restore Points and empty all temp folders.

Have no Autorun.ini on c:

The warning doesn't contain any suggestion like remove...

When I run a scan, no virus or worm is found.

Please help me, I want to reinstall my OS.

Vista Ultimate 64 NIS 2009

//Apollo70

norton.jpg

 

Message Edited by Tony_Weiss on 07-22-2009 03:37 PM

Did that work? (Malwarebytes)

 

Could be that Auto-Protect removed the Autorun.inf or other related files.

 

Quads 

Message Edited by Quads on 12-20-2008 06:57 AM

Quads,

 

Hope you have read this:


The funny thing is that when I went into the NIS2009 security history, I could not find any entry that is related to the W32.SillyFDC detection. I have looked into Full History, Recent History, Scan Results, Resolved Security Risks, and Unresolved Security Risks.


 

If Auto-Protect removed the infected files, won't that show in History?

 

Yogesh

Hi

 

Occasionally I would get a pop-up message on the bottom right of my screen. The pop-up window has a title of "Norton", and the message says "Auto-Protect detected security risk W32.SillyFDC.".

 

The funny thing is that when I went into the NIS2009 security history, I could not find any entry that is related to the W32.SillyFDC detection. I have looked into Full History, Recent History, Scan Results, Resolved Security Risks, and Unresolved Security Risks.

 

I have also followed the instructions on the website link below

http://www.symantec.com/security_response/writeup.jsp?docid=2006-071111-0646-99&tabid=3

 

by running a full system scan (could not find anything) and going into the Windows registry (could not find any entry that has any relation to W32.SillyFDC).

 

I just want to know if there is anything else I could do to 'remove' this virus if there is one.

 

I'm running Windows Vista Home Edition. According to the website link above, the W32.SillyFDC does not affect Windows Vista. Can I assume that I am safe from this 'virus'?

 

Thanks

Thomas


yogesh_mohan wrote:

Quads,

 

Hope you have read this:


The funny thing is that when I went into the NIS2009 security history, I could not find any entry that is related to the W32.SillyFDC detection. I have looked into Full History, Recent History, Scan Results, Resolved Security Risks, and Unresolved Security Risks.


 

If Auto-Protect removed the infected files, won't that show in History?

 

Yogesh


Yes, it should, though I have come across cases where there is no history entry. I actually had it where it detected "1 virus" but didn't give me a file name for what it detected, no infection name, just "1 virus" and no history entry for it.
If the poster doesn't have it come back (Auto-Protect doesn't detect it again), then it must have done something to the file(s) that were detected to start with.
 
Quads 

 

I have recently had this detection (it comes when a USB flash drive is infected, with, say, Knight or similar).

 

It was duly recorded in NIS 2009 history. One has to consider the human factor then: could someone else have been clearing your logs perhaps?

 

detection


TomiRed wrote:

I have recently had this detection (it comes when a USB flash drive is infected, with, say, Knight or similar).

 

It was duly recorded in NIS 2009 history. One has to consider the human factor then: could someone else have been clearing your logs perhaps?

 

detection


If you are asking me (Quads), NO, no one else uses this PC; there is no one else to use this PC. I wouldn't let anyone anyway, too much software for the advanced user.
But months ago it did pop up saying it had detected a virus, but never gave it a name, etc.
Quads 

 

This is the result from the first scan. They were all related to VideoEgg, which has now been removed. The scan was run in a normal Windows session. I did a second scan in safe mode. Nothing was picked up.

After all this, I am still getting the same error message

"Auto-Protect detected security risk W32.SillyFDC." Norton's history is not showing anything.

The log would not have been deleted by anyone from my household, as my wife was still asleep when I did both the scans. She does not know much about computers. I do not believe she would have jumped on to the PC and deleted the log behind my back.


Does anyone know what this virus actually does? There isn't much information on Symantec's virus information page.


Thanks

Thomas

==========================================================

1st Scan

 

Malwarebytes' Anti-Malware 1.31
Database version: 1520
Windows 6.0.6001 Service Pack 1

20/12/2008 2:19:05 a.m.
mbam-log-2008-12-20 (02-19-05).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 198889
Time elapsed: 1 hour(s), 31 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 37
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 12
Files Infected: 153

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{168dc258-1455-4e61-8590-9dac2f27b675} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1a8642f1-dc80-4edc-a39d-0fb62a58b455} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3f91eb90-ef62-44ee-a685-fac29af111cd} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5c29c7e4-5321-4cad-be2e-877666bed5df} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{83dfb6ee-ab18-41b5-86d4-b544a141d67e} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{88d6cf0e-cf70-4c24-bf6e-e4e414bc649c} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8f6a82a2-d7b1-443e-bb9f-f7dc887dd618} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9856e2d8-ffb2-4fe5-8cad-d5ad6a35a804} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a3d06987-c35e-49e4-8fe2-ac67b9fbfb4c} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a58c497b-3ee2-45e7-9594-daca6be2a0d0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ad0a3058-fd49-4f98-a514-fd055201835e} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ad5915ea-b61a-4dba-b5c8-ef4b2df0a3c7} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bb187c0d-6f53-4f3e-9590-98fd3a7364a2} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5041fd9-4819-4dc4-b20e-c950b5b03d2a} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5041fd9-4819-4dc4-b20e-c950b5b03d2a} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d17726cc-d4dd-4c4a-9671-471d56e413b5} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{db8cce99-59c6-4552-8bfc-058feb38d6ce} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dc3a04ee-cdd7-4407-915c-a5502f97eecd} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e1a63484-a022-4d42-830a-fbd411514440} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e282c728-189d-419e-8ee2-1601f4b39ba5} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoegg.activexloader.1 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3124ad41-99ee-4e18-a605-ed5ee59466bc} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4a2b9ad8-5540-46a3-bbb4-8ded5fb09de8} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5484d9fa-6c4f-4c0b-8946-1b8ef15897a4} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{a4566604-f73b-4dd5-8a21-87e7a808d426} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5478d59a-b281-4f58-ad2e-103474434377} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7aa32fc7-133b-4ae7-998e-ced0d9829b12} (Trojan.Dialer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\videoegg (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@videoegg.com/publisher,version=1.5 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MozillaPlugins\@videoegg.com/publisher,version=1.5 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoegg.activexloader (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Sohu R&D (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Users\Sandy\AppData\Roaming\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Users\Sandy\AppData\Roaming\VideoEgg\Loader (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Users\Sandy\AppData\Roaming\VideoEgg\Loader\4665 (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Users\Sandy\AppData\Roaming\VideoEgg\Publisher (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Users\Sandy\AppData\Roaming\VideoEgg\Publisher\4520 (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Users\Sandy\AppData\Roaming\VideoEgg\Publisher\4520\resources (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Users\Sandy\AppData\Roaming\VideoEgg\Publisher\4520\resources\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Users\Sandy\AppData\Roaming\VideoEgg\Publisher\4520\resources\VideoEgg\images (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Users\Sandy\AppData\Roaming\VideoEgg\Publisher\4520\resources\VideoEgg\messages (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Users\Sandy\AppData\Roaming\VideoEgg\Publisher\4665 (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Users\Sandy\AppData\Roaming\VideoEgg\Updater (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Users\Sandy\AppData\Roaming\VideoEgg\Updater\4665 (Adware.VideoEgg) -> Quarantined and deleted successfully.
 

The rest of the scan results just said that all the files related to VideoEgg have been 'quarantined and deleted successfully'.

 

2nd scan result shows up nothing.

 

I'm starting to see a pattern where the Norton message only comes up when I have just booted into Windows. I wonder if there is a program on the 'startup' that is being detected by NIS2009.

 

I will see if I can get a list of my startup programs.

Message Edited by thomasck271 on 12-20-2008 01:27 PM

Open MBAM. Click the Quarantine tab. Delete all files in quarantine.


Tech0utsider wrote:
Open MBAM. Click the Quarantine tab. Delete all files in quarantine.

 

I'd just like to point out that Malwarebytes' Anti-Malware said it has deleted the file as well as quarantined it.

Oftentimes AVs can detect files in another program's quarantine as malicious. Happened to me.

Hi guys

 

I solved the problem. I no longer get the Norton Auto-Protect message.

 

What I did was, I went into

"C:\Users\[user login name]\AppData\Local\Temp" and deleted all the files in the directory.

 

This directory, I believe, is specific to the Windows Vista OS. Windows XP/2000 will probably store the temporary files in a different directory.

 

Thanks for all your help though. Good to get rid of all the other junk on my PC (i.e. VideoEgg).

 

Thomas

Message Edited by thomasck271 on 12-21-2008 12:24 PM

Norton Internet Security told me that they have removed W32.sillyFDC back in early December .

 

But whenever I put in a CD/DVD, Windows Explorer tells me that there are { files ready to be written } to the DVD, although the DVD is already closed and no more files can be written there. Checking the list in Windows Explorer reveals that { Desktop.ini } is ready to be written.

 

( I am running Vista Business )

 

I recently noticed Directories that was not there before :

1. $Recycle.Bin

2. Boot

3. ProgramData

4. System Volume Information .

 

I plugged in my LaCie drive today that I haven't used for 4-5 months.

 

Immediately thereafter, I noticed 2 new Directories on the LaCie Drive :

1. $Recycle Bin

2. System Volume Information

 

The { autorun.inf } on the LaCie drive is now 83 bytes, but there is another file in the root directory - { ._autorun.inf } - that is some 100-300 bytes ( couldn't remember exactly ).

 

Seems like the virus / worm is still there , just waiting for an opportunity to do something .

Hi FCFHKG,

 

I also think that there are some remnants of the W32.sillyFDC still left in your computer. The below information is taken from the Symantec Security Response Article for W32.sillyFDC (Technical Details):

"The worm may attempt to copy itself to removable drives and mapped drives, as well as creating the following file so that the worm runs every time the removable drive is attached to a computer:
[REMOVABLE DRIVE]:\Autorun.inf" 

 

You can find/follow the removal instructions from the same Symantec Security Response Article.

 

To check whether any program is accessed by some threat, download HijackThis: 

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

You need to download the third one in the list (Executable), install it and click "Do a system scan and save a log". Then open the log in Notepad. Either post the log in this same message board or send it as a private message to me.

 

You can also download/install the Malwarebytes Anti-Malware program, reboot your computer into Safe Mode and then run a full system scan from Malwarebytes. Click Malwarebytes AntiMalware to download it; it's free software which may help you in detecting and removing such threats.

 

Yogesh

Message Edited by yogesh_mohan on 01-14-2009 12:34 AM
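The Symantec text quoted above and several of the posts describe the mechanism this family relies on: the worm copies itself to removable and mapped drives and drops an Autorun.inf at the drive root so it runs when the drive is attached. The script below is an added example for this thread, not Symantec's, Norton's or any poster's code. It parses an autorun.inf the lenient way Windows does and reports the directives that would actually launch a program (open=, shellexecute= and shell\...\command=), plus two common worm tells (the program parked under RECYCLER or another system-looking folder, and a double extension such as .jpg.exe) and an action= label that copies the wording of Explorer's own "Open folder to view files" entry. Those last checks are heuristics, not a signature. Both autorun.inf bodies, the RECYCLER path and the file names are constructed samples. A companion function inspects a directory standing in for a drive root and reads lookalikes such as ._autorun.inf too; a "._" prefix is normally AppleDouble metadata written by macOS, but the contents decide, not the name.

```python
"""Triage autorun.inf files at the root of a removable drive.

Added example for this thread; not Symantec's, Norton's or any poster's code.
Both autorun.inf bodies below are constructed samples, not taken from anyone's drive.
"""
import os
import re
import tempfile

# Directives AutoRun acts on to launch a program (Vista ran them by default for removable media).
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# Heuristics, not a signature: program parked in a system-looking folder; double extension.
SYSTEM_DIR_RE = re.compile(
    r"(^|[\\/])(recycler|\$recycle\.bin|system volume information)([\\/]|$)", re.IGNORECASE)
DOUBLE_EXT_RE = re.compile(r"\.(jpg|gif|txt|doc|pdf|ini)\.(exe|scr|com|pif|bat|cmd|vbs)$", re.IGNORECASE)


def parse_autorun(text: str) -> dict:
    """Return {section: {key: value}} with names lower-cased.

    Windows' parser is lenient (blank lines and ';' comments skipped, names case-insensitive),
    so mimic it instead of using configparser, which rejects odd or duplicate keys.
    """
    sections, current = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _program(value: str) -> str:
    """Program path from an open=/command= value, honouring a quoted first token."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def assess_autorun(text: str) -> list:
    """Return findings as strings; an empty list means nothing in the file launches a program."""
    findings = []
    autorun = parse_autorun(text).get("autorun", {})
    for key, value in autorun.items():
        if key in EXEC_KEYS or SHELL_CMD_RE.match(key):
            findings.append(f"{key}= runs {value}")
            target = _program(value)
            if SYSTEM_DIR_RE.search(target):
                findings.append(f"program parked in a system-looking folder: {target}")
            if DOUBLE_EXT_RE.search(target):
                findings.append(f"double extension disguises a program: {target}")
    # Worm autorun files often reuse the wording of Explorer's own AutoPlay entry
    # so that the malicious entry is the one the user picks.
    if autorun.get("action", "").lower().startswith("open folder"):
        findings.append("action= mimics Explorer's 'Open folder to view files' entry")
    return findings


def inspect_root(root: str) -> dict:
    """Report each autorun.inf-like file at a drive root: size in bytes plus its findings."""
    report = {}
    for name in sorted(os.listdir(root)):
        if name.lower().endswith("autorun.inf"):  # also catches lookalikes such as ._autorun.inf
            with open(os.path.join(root, name), "rb") as fh:
                data = fh.read()
            report[name] = {"bytes": len(data), "findings": assess_autorun(data.decode("latin-1"))}
    return report


BENIGN_AUTORUN = """[autorun]
icon=drive.ico
label=LaCie
"""

WORM_STYLE_AUTORUN = r"""[AutoRun]
; constructed sample in the shape Symantec describes for autorun worms
open=RECYCLER\holiday.jpg.exe
shell\open\Command=RECYCLER\holiday.jpg.exe
shell\explore\Command=RECYCLER\holiday.jpg.exe
action=Open folder to view files
UseAutoPlay=1
"""


def demo_root() -> str:
    """Throwaway directory standing in for a drive root, seeded with constructed files."""
    root = tempfile.mkdtemp(prefix="autorun-demo-")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(WORM_STYLE_AUTORUN)
    with open(os.path.join(root, "._autorun.inf"), "wb") as fh:
        fh.write(b"\x00\x05\x16\x07" + b"\x00" * 30)  # AppleDouble magic plus padding (constructed)
    return root


if __name__ == "__main__":
    print("benign:", assess_autorun(BENIGN_AUTORUN))  # []
    for name, info in inspect_root(demo_root()).items():
        print(f"{name}: {info['bytes']} bytes")
        for finding in info["findings"]:
            print("   ", finding)
```

On a real drive call inspect_root(r"E:\") after showing hidden and system files (dir /a E:\ in a command prompt), because both the autorun.inf and the program it points at are usually marked hidden and system. An 83-byte autorun.inf like the one mentioned above can be a harmless icon=/label= stanza or a worm's launcher; only its contents decide, which is why the check reports the directives rather than the file size.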

Since I am running 4 PC's, 1 Vista - 2 XP's -1 W98, I am riding this one out on the Vista to see what it does.

 

Report One - Tried to copy a folder C:\riehtm22 onto a DVD using Roxio Easy Media Creator 10. Before going into the Data Verification stage, the DVD drive went into a high-speed spin. Sure enough, Desktop.ini was written onto the DVD and into the hard disk folder C:\riehtm22, both hidden files.

 

I immediately copied all files to a new directory C:\riehtm33 via the DOS prompt and they copied all right onto DVD using Roxio EMC 10 again.

 

Report Two - I now have many Directories added including

Users\$Default

$RecycleBin\RecycleBin

AppData

Application Data\Roaming

 

List is very long because Application Data shows up in 2-3 places with sub-directories like Adobe, Acrobat, Roxio, etc.

 

Every time I try to delete a [ Desktop.ini ] file from the Recycle Bin, that file is deleted and a new file with a long name comes up. When I try to delete that file, the [ Desktop.ini ] file resurfaces.

 

 

My Question : the fastest way is to use Toshiba to reboot to out-of-box state. But will I have problems now, since I now have the Users/$Default directory, which may mean my password might be hijacked on reboot?

 

What do you think ?

 

I checked today and my C:\ drive is now at 60+ GB usage.

 

By my own estimation, usage should only be around 40 GB because I checked in Nov/08 and in Dec/08 and I know how many 1 GB files I’ve on there. ( largest file I have in only 1.03 GB ) .

 

Secondly, I also see a [ Desktop.ini ] in a Network Drive , when the high-speed cable was not even plugged-in.

Windows Explorer shows 3 drives , [ C:\ the hard disk ] , [ D:\ the DVD drive ] , [ Network , I don’t know what this is ].

 

I went to control panel and looked at the set-up. Apparently there is now a new folder named [ Administrative Tools ] with the [ Desktop.ini ] and shortcuts such as [ iSCSI initiator ] , [ Reliability and Performance Monitor ] , [ System Configuration ] .

Couldn’t recall this folder being there previously.

 

Most of the time when I try to delete one of these files, [ access denied ] comes up.

 

I was running another program and I noticed a new [ recently run program ] named [ SQL Server Configuration Manager ] , I clicked on this and Windows tells me I need authority to run this. But I am the only user and Administrator on this computer, so how come somebody was able to run this [ SQL Server Configuration Manager ] without my knowledge.

 

Anyway, the mouse arrow shows these two files : [ C:\windows\system32\mmc.exe ] / 32 , and [ C:\windows\system32\SQLServerManager.msc ] .

 

I think this computer will go kaput next week. If I can’t reboot it myself, I‘ll bring it in to Toshiba and they can reformat the Hard Disk.

More things to report on W32.SillyFDC.

 

Yesterday, Feb 2 at 6:58:33 p.m. , I turned on the computer, but didn’t log-on until 5-minutes later.

After log-on, I clicked on [ Computer ] and noticed 3 Drives :

1.  Hard Disk Drive (1)-- S3A6xxxD004 (C:) -- Local Disk

2.  Device with Removable Storage (1) -- DVD RW Drive -- CD Drive

3.  Network Location (1) -- desktop.ini -- Configuration Setting

But both the Telephone Line and the High-speed LAN Cable are unplugged, so how did I get a Network Location ?

( desktop.ini  is apparently only 6 bytes , as opposed to the usual 174 bytes )

 

Today, Feb 3, I looked again at the Norton Security History Log for this log-on on Feb 2, and it reads as follows :

Item 1 :  6:58:33 p.m. --  Firewall rules were automatically updated for Local Security Authority Access.

Item 2 :  6:58:42 p.m. --  Firewall rules were automatically updated for Services and Controller App.

Item 3 :  6:58:42 p.m. --  Firewall rules were automatically updated for Services and Controller App.

Item 4 :  6:58:48 p.m. --  Firewall Configuration updated: 105 rules .

Item 5 :  6:58:48 p.m. --  Firewall Configuration updated: 105 rules .

Item 6 :  7:05:11 p.m. --  User logged in

 

This Log is different from the one I looked at on Feb 2, within the first 15 minutes after logging-in that day.

This item is now missing from the log :

Item ? :  6:58:45 p.m. --  connected to a protected network ( 127.0.0.0 / 255.0.0.0 )

 

Something funny is going-on.

xxxxxxxx

I also noticed that when I turned on the computer, quite often the DVD Drive goes into a high-speed spin.

There is no bootable DVD here, only a closed Music DVD I made way-back in early 2008.

But before Dec/2008, when W32.SillyFDC first surfaced, my Toshiba computer never went into a high-speed spin on booting.

xxxxxxxx

There are actually 2 Users on the Toshiba Computer, namely :

1.  MYSELF - Administrator - password protected.

2.  ASP.NET Machine Account - Standard Account - password protected.

I don’t know whether the second account created for Visual Studio / Internet would be a problem here.

 

Keeping watch until re-boot to Out-Of-Box condition.

Hi

 

This type of infection uses the "Autorun.inf" form of infection on the hard drive / flash drive, i.e. "C:\autorun.inf".

 

Quads 

I still have not rebooted my computer to out-of-box condition; some portion of W32.SillyFDC is probably still around.

 

Four things to report .

ONE.

I’ve given my computer a name [ TOSHIBA-M200 ] , all capital letters, a long time ago.

One time last week,  right after booting but with both the High-Speed LAN Cable and Telephone-Line  unplugged, I clicked on [ Computer ] , then [ Desktop ] , and [ Network ] .

To my surprise, there were 2 computers there :

The first computer : [ toshiba-m200 ] , all small letters.

The second computer : [ TOSHIBA-M200 ] , all capital letters.

There is a possibility now that I am running 2 computers on the same machine, [ TOSHIBA-M200 ] and [ toshiba-m200 ] , a [ shadow computer ] situation.

 

TWO .

I booted today 2-18-2009 with both the High-Speed LAN Cable and Telephone-Line  unplugged.

Two items of interest in the Norton Log :

7:03:46 p.m. --  Connected to a protected network  ( 00 19 CB 3E 21 48 )

7:03:46 p.m. --  Connected to a protected network  ( 127.0.0.0/255.0.0.0 )

The first item could be the [ toshiba-m200 ] computer.

But only one computer now  shows up at [ Network ] , namely [ TOSHIBA-M200 ] .

 

THREE.

I also found a file in the Recycle Bin named [ ntuser.ini ] , 20 bytes , certainly not deleted by myself.

 

FOUR.

For word processing , I use MS WORD [ .docx ] , with both Calibri font and PMingLiU font.

The mouse is usually positioned either on the typing area or to the left in the blank blue area.

Now, whenever I use either the [ forward-arrow ] or [ backward-arrow ] to move around, the mouse-arrow temporarily displays a [ round-logo ] for a split-second.

 

It seems to me that there might be a [ keyboard tracker ] around: whenever I type something, it is recorded and the new letter/result is displayed immediately, so no one will notice anything.

But on a [ forward-arrow ] or a [ backward-arrow ], there is nothing new to display, so the screen recoups for a split-second, and that causes the [ round-logo ] to be displayed for a split-second.