Can not get NIS 2011 re-installed

I'm trying to get a friend's computer working again.

He had NIS 2011 installed, but apparently caught a virus anyway.

He called into Symantec support, and after the technician tried cleaning and reinstalling unsuccessfully, he told my friend to wipe the disk and start over.

I contacted the technician for details and he said:

The Rootkit itself protects itself the same as the Windows files are protected. The tool that I ran from the command prompt that led me to believe there was a rootkit was cacls %windir%\system32\msvcr*.* . After running this command I saw a user account created with full permissions to all files. This account was hidden and not visible from the account administration page even with the admin account turned on. This is also a common behavior of a rootkit infection.

I ran the cacls command - this is the result I got when I ran it:

C:\WINDOWS\system32\msvcr70.dll BUILTIN\Administrators:F
                                NT AUTHORITY\SYSTEM:F
                                BUILTIN\Users:R

C:\WINDOWS\system32\msvcr71.dll BUILTIN\Users:R
                                NT AUTHORITY\SYSTEM:F
                                BUILTIN\Administrators:F
                                BUILTIN\Administrators:F
                                NT AUTHORITY\SYSTEM:F
                                TERESA\Teresa xxx:F
                                BUILTIN\Users:R

C:\WINDOWS\system32\msvcrt.dll BUILTIN\Administrators:F
                               NT AUTHORITY\SYSTEM:F
                               BUILTIN\Users:R

C:\WINDOWS\system32\msvcrt20.dll BUILTIN\Administrators:F
                                 NT AUTHORITY\SYSTEM:F
                                 BUILTIN\Users:R

C:\WINDOWS\system32\msvcrt40.dll BUILTIN\Administrators:F
                                 NT AUTHORITY\SYSTEM:F
                                 BUILTIN\Users:R


This is XP Home Edition, so I ran the "Control Userpasswords2" command from the command line to enumerate users; it showed only what I would expect:

Administrator, the two created users, and the ASPNET account.

Running NET LOCALGROUP from CMD to enumerate the defined groups, and then running NET LOCALGROUP <GROUP_NAME> for each listed group, I do not see any abnormal items.

I have run

1) Norton NBRT tool - it came back clean

2) Microsoft Standalone System Sweeper - it came back clean

3) Started to run ComboFix (in safe mode); it pointed out that "Spyware Doctor with Anti-Virus" was installed. I uninstalled it, rebooted back into safe mode and ran ComboFix with today's definition file (6/4/11) - it came back clean

4) I ran Hitman Pro in safe mode - it came back clean with the exception of NIRCMD.EXE, which may have been a false positive. I deleted it anyway.

5) I ran MalwareBytes in safe mode - it came back clean

6) Ran Super Anti Spyware - came back clean

So, figuring I was safe, I ran the current Norton Removal tool for NIS, rebooted and tried to reinstall NIS 2011.

The window with the yellow arrow-circle would come up, then disappear, then come up again and then the install appears to stop.

I rebooted into safe mode, again ran the Norton Removal tool for NIS, rebooted BACK into safe mode and tried to reinstall NIS 2011 yet again - same result - the window with the yellow arrow-circle would come up, then disappear, then come up again and then the install appears to stop.

Sigh..............................................

Is there anything else I can try, or is it time to rebuild the system .... :smileysad:

[edit: Please do not post identifying information per the Participation Guidelines and Terms of Service.]
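
One way to cross-check cacls output like the listing in the post above, as an added example that is not part of the original post: it parses the first three files of that listing, takes the most common ACL among them as the baseline, and reports duplicate entries and entries outside that baseline. The local_accounts argument and the finding labels are assumptions of this sketch; the account names passed in would come from the machine's own user list.

```python
from collections import Counter

# First three files of the cacls output in the post above (blank lines dropped).
SAMPLE = r"""
C:\WINDOWS\system32\msvcr70.dll BUILTIN\Administrators:F
                                NT AUTHORITY\SYSTEM:F
                                BUILTIN\Users:R
C:\WINDOWS\system32\msvcr71.dll BUILTIN\Users:R
                                NT AUTHORITY\SYSTEM:F
                                BUILTIN\Administrators:F
                                BUILTIN\Administrators:F
                                NT AUTHORITY\SYSTEM:F
                                TERESA\Teresa xxx:F
                                BUILTIN\Users:R
C:\WINDOWS\system32\msvcrt.dll BUILTIN\Administrators:F
                               NT AUTHORITY\SYSTEM:F
                               BUILTIN\Users:R
"""
WELL_KNOWN = ("BUILTIN\\", "NT AUTHORITY\\")  # authorities that are not local user accounts

def parse_cacls(text):
    """Return {path: [(principal, permission), ...]}; assumes paths without spaces."""
    acls, path = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        ace = line
        if not line[0].isspace():          # an unindented line starts a new file entry
            path, _, ace = line.partition(" ")
            acls[path] = []
        if path is not None:
            principal, _, perm = ace.strip().rpartition(":")
            acls[path].append((principal, perm))
    return acls

def audit(acls, local_accounts):
    """Compare each file's ACL with the most common ACL among the files listed."""
    if not acls:
        return []
    baseline = Counter(frozenset(a) for a in acls.values()).most_common(1)[0][0]
    findings = []
    for path, aces in acls.items():
        for (principal, perm), count in Counter(aces).items():
            if count > 1:
                findings.append((path, "duplicate-entry", principal, perm))
            if (principal, perm) not in baseline:
                listed = principal.startswith(WELL_KNOWN) or principal.split("\\")[-1] in local_accounts
                findings.append((path, "not-in-baseline" if listed else "unlisted-account", principal, perm))
    return findings
```

An "unlisted-account" finding only means the name was not in the list supplied; the label changes to "not-in-baseline" once that account is included in local_accounts.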