I've tried it, and the programs, as I stated earlier, have been updated for it.
TDL, TDSS, Tidserv, Alureon have been around since approximately 2007/2008. New variants just keep getting released.
There's nothing wrong with this.
Info IPS Detection Statistical Submission Pending 3:00
Info Download Insight analyzed, mbam-setup-1.46.exe Access allowed
Medium Unauth access blocked, Access process data blocked
Medium Unauth access blocked, Access process data blocked
Medium Unauth access blocked, Access process data blocked
Info Statistical Submission Trojan.Bamital Pending
High hlp.dat (trojan Bamital) detected by Auto-Protect Quarantined 3:08
It's a process brushing up against Norton, and Norton is blocking it; that's part of the anti-tamper protection.
Here's the report from the installer for infecting "explorer.exe" and "winlogon.exe", downloaded by TDL3 by the looks of it, although the report does not show the infected legit .exe's, seeing that "hlp.dat" is being looked at.
Kaspersky will detect the infected driver backed up in Combofix's Quarantine folder called Qoobox.
"Supposedly that tool is updated to detect this rootkit" - are you talking about Combofix?
Combofix disinfected the driver as I stated, but also creates a backup folder called Qoobox that is used by Combofix to hold the backups of any changes it made to the system.
Disinfected is "Fixed".
I have shown mine and how it is updated now to not only disinfect TDL3 (+) but also deal with the infected "explorer.exe" and "winlogon.exe".
At the moment Norton's engine can't deal with rootkits that are inside drivers, like TDL3 (Tidserv) and ZeroAccess, so it will tell the user "Manual Removal is Required".
Symantec is working on it. It requires more than just definition updates for this.
After Kaspersky reported only bug copies in quarantine, the bug has returned.
The Norton website reports the removal of this as "easy".....Yeah, right! It has been what, seven days I have spent on this?
I have almost completely lost my faith in Norton's ability to protect us from Trojans, or detect them at least, as it had reported the machine clean, as well. It was literally just sitting there and got reinfected.
The statistical submission was Norton sending info to Symantec to check.
If you click on the quarantined entry, and click more details, it will tell you where the file was prior to the quarantine. It may have quarantined it from the Combofix quarantine.
Unauthorized access blocked has nothing to do with malware, it is Norton reporting that the apps on your machine are accessing its files. It is Norton protecting itself from changes to its file system. Find out what is going on before having a panic attack.
I did that and actually, it was found in a restore volume. Didn't know that Norton looked at them. There's other bad stuff in those so I'll do a full scan and see what pops up.
I am not sure I stated exactly the sequence of events, here's what happened:
Statistical submission of Trojan.Bamital!inf Pending
You should still be asking these questions of Catbyte. They really don't like other opinions offered when they are spending time working on something. He/she will advise what to do about it. It isn't a particular issue at the moment.
[ ... ]
Not to interrupt your discussion on this, but I gather it is a good idea to turn off the System Restore function when you know you are infected because, as you found, if an infection gets into that part of the Windows system, then as soon as you remove it from outside System Restore, Windows will pop it back in again .....
That's a Windows function and is one reason why we can't always blame Norton for failing to remove an infection.
At least that's what has been explained to me in other places.
>>>>a virus/trojan in a restore file even if I don't restore it?
Hi madscien,
You can only be reinfected if you restore the malware from quarantine or restore your system using the infected restore point. Once everything is back to normal on your system and you are sure you will not need that restore point or quarantined file you should remove them by turning off system restore and then turning it on again, and clearing the quarantine entries in Norton.
I'm sure it will get a lot of use in these forums.
Delphinium,
I have to go back to my second day in this nightmare, on 8/18 when you sent me to whatthetech for clean-up, and give THAT posting by you the Kudos (looks like I can go back and do that). This is because they did, in fact, resolve the bug.
I have finally run un-eventful Kaspersky (last night) and full Norton (today) scans with nothing detected.
PHEW!
(<<wonder if that will post?)
Thanks to all for your help, with a special thanks to Delphinium for pointing me to the required, and very helpful exterminator. It was a long battle to rid myself of Backdoor.TidservI!inf