Defender-Review.com fake website

Hi snug,

It's good to see you are being looked after by Quads and others. If you are still having trouble and come across files on your computer that you believe are malicious - but Norton still does not detect - please submit them via the following site:

https://submit.symantec.com/retail

Then post the tracking number from the automated email you receive here in this thread, and I will have the files analyzed right away.

JohnM

Symantec

“Security Center Alert”: have a look in C:\Documents and Settings\(User Name)\Local Settings\Application Data\Google; that’s where I found the files that cause it on my computer.

Also, if there is something like a kjzna1562565.exe file in there, search your registry for it, most likely in Current User\Software\Microsoft\Windows\CurrentVersion\Run.

Fixed my problem, so hopefully this info may help someone else. You may also look in your video codec for an xtgo6119471.
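An added example, not from any poster in this thread: a PowerShell audit of the Run keys just mentioned, flagging entries that resemble the rogue described above. The suspect folder list and the filename pattern are my own assumptions, based on the paths and names posted here, and the script should be run under each account since HKCU differs per user.

```powershell
# Added example (not from this thread): audit the Run keys for entries that look
# like the rogue described above. Heuristics (my assumptions): the target lives
# under the user profile's Application Data or Temp, its name is letters followed
# by a long digit run (like kjzna1562565.exe), or the target is blank or missing
# (the "blank" msconfig entry). Run it under each account, since HKCU differs per user.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Legitimate installers rarely autostart an executable from these folders.
$suspectDirs = @('Local Settings\Application Data', 'Local Settings\Temp', 'Application Data')

function Get-ExePath([string]$command) {
    # Reduce a Run value to its executable: "C:\x\y.exe" /arg -> C:\x\y.exe
    if ($command -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($command -match '^\s*(\S+\.exe)') { return $matches[1] }
    return $command.Trim()
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # PowerShell's own metadata properties
        $exe = Get-ExePath ([string]$p.Value)
        $reasons = @()
        if ($exe -eq '') {
            $reasons += 'blank command'
        } elseif (-not (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue)) {
            $reasons += 'target file missing'
        }
        foreach ($d in $suspectDirs) {
            if ($exe -like "*\$d\*") { $reasons += "runs from $d"; break }
        }
        if ([IO.Path]::GetFileName($exe) -match '^[a-z]{3,}\d{6,}\.exe$') {
            $reasons += 'random-looking name'
        }
        $verdict = 'ok'
        if ($reasons.Count -gt 0) { $verdict = 'SUSPECT: ' + ($reasons -join ', ') }
        "{0}`n  {1} = {2}`n  {3}" -f $key, $p.Name, $p.Value, $verdict
    }
}
```

A flagged entry is a lead to investigate (submit the file, as JohnM asks above), not proof of infection on its own.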

Hi Lukridus,

I am not able to see the file in explorer, although running msconfig shows that it is in the start up list of executables.  Removing it manually from start up by de-selecting it caused problems.  I am going to try and run Malwarebytes.

You could use the Windows search to find the file and delete it from there. Could it be that you are looking in the wrong username folder (mum, dad, son, daughter, gran...)?

Doesn't matter; Malwarebytes and SuperAntiSpyware should detect it as long as they are up to date, etc.

Quads 

Hi Quads,

I did try Windows search but couldn't find it. I managed to run a Malwarebytes scan after configuring NIS to allow MBAM to access the internet. The scan found and deleted 9 items but not Defender-Review or Perfect Defender (see list below). I was running in my own user id, so I logged on using my son's and started another scan.... 1 object found so far....

Malwarebytes' Anti-Malware 1.31
Database version: 1512
Windows 5.1.2600 Service Pack 3

17/12/2008 21:39:07
mbam-log-2008-12-17 (21-39-07).txt

Scan type: Quick Scan
Objects scanned: 106938
Time elapsed: 29 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{4d25f920-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4d25f923-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f924-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Stuart\Local Settings\Temp\xrun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


Run an F-Secure online virus scan.

http://support.f-secure.com/enu/home/ols.shtml

Hi Snug

OK, a little bit strange; oh well, variations are variations.

You could log in to your son's account, make sure the msconfig entry is ticked (running), then start the affected browser, then download HijackThis, do a scan and save the log, then PM me the full log.

I am having people PM me directly for malware help instead of by the forum help. One person I did not hear back from after instructions, so I thought it must be fixed. This morning I got the reply saying that worked. One more down.

Will keep researching.

Quads 

Hi Quads, Tech0,

Sorry I couldn't reply last night; the Norton Forum website seemed to be down!

I re-ran Malwarebytes under my son's id and it did manage to root out the last of the Trojan.fakealert related stuff (see below). Msconfig does not have kjznal562565.exe in the startup anymore. So I guess that's cured it for now. It seems my son's PC is now a known target for malware because Norton seems to be very busy Auto-protecting for the past few nights. The logs show many instances of blocking and removal of Downloader.Trojan, Downloader.MisleadApp, Downloader and Trojan.Vundo.

I will add the running of a Malwarebytes scan as a regular to-do task. Thanks once again for all your help.

Malwarebytes' Anti-Malware 1.31
Database version: 1512
Windows 5.1.2600 Service Pack 3

17/12/2008 22:17:57
mbam-log-2008-12-17 (22-17-57).txt

Scan type: Quick Scan
Objects scanned: 107278
Time elapsed: 27 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Smax4 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I do not understand why Norton is not finding this malware. Thanks snug for posting your solution. I am running Malwarebytes now. But why do I have to install another antivirus program? Why has Norton still not addressed this problem?

Thank you JohnM for letting us know we can post suspicious files, but I have looked and looked and I cannot find the file that is infecting my computer. I cannot even find the process that is posting the fake warnings. It is very frustrating. I did find one suspicious msconfig entry, but it is blank -- no information. JohnM, there are many websites discussing this malware. Why is Norton ignoring it? If I have to download a competitor's software the one time I get infected with a virus, this does not look good for Norton!

And guys, Firefox was no help. I do not use IE, but I got infected just the same, apparently from a rogue website.

Hi

With the blank entry ticked (checked) in msconfig, use HijackThis to create a log and post it, so someone can look at the log to find infection entries, if Malwarebytes doesn't work because it is blocked from running or updating.

Download HijackThis from http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download (the third in the list, Executable), click "Scan with log", open the log in Notepad, then paste me the results.

Quads 

Thanks, Quads. For the moment, I have just unchecked it and rebooted. I ran Malwarebytes and it found a program in Application Data\Google and removed it. The virus seems to be gone. At least I don't get those annoying Security Alert messages any more. Still don't know why Norton hasn't gotten on top of this yet. I sent the file Malwarebytes found to Symantec, as JohnM suggested in an earlier post.

This is the first virus I've had in years. I'm disappointed Norton couldn't handle it and that the accepted solution in the Symantec Forum is to run to a competitor's software. This thing has been around for months!

It is very disappointing. I am totally up to date on Norton Internet Security (subscription), ran a full scan (let it run all night and checked in the morning) and it finds nothing. I renamed the 2 files in the directory (user/appdata/google or some such), rebooted (because you cannot delete them), logged in and then deleted them, and the PC seems much better. It is my wife's machine and it really shook up her confidence in this product. Didn't help my confidence either. And to see recent entries here about the problem still existing and Norton effectively having no answer for their product finding and handling this is very discouraging. And then for people to have to use their paid support to get this handled is also not good.

There should have already been an update or at least an announced update about their product handling this.

Hi RSexton,

I can understand your disappointment. I am still getting my boys to run a Malwarebytes scan once a week. The last hit was on 9th Jan. I would have thought JohnM may have had a result by now... maybe the incentive is not there, if you can charge £60 a go to remove the problem. No offence John, but you must see it from our point of view....

Good luck,

S

Unfortunately JohnM can only help if he has access to the files which are affecting your computer. Please post the tracking numbers here and I will follow up.

Thanks for helping JohnM. I like Norton and would like to see them get on top of this. But I still wonder how this one slipped by you guys. I would be curious to know the scoop on this thing ... How does it work? I'm afraid I didn't even know a web site could download programs to my computer without my permission. Call me naive, but this is the first virus I've had in years and I guess I've gotten complacent. When the first hoax "warning" popped up, I thought it was the real thing. It looked so real. But I didn't download anything from their website.

Tracking #: 10290114

Added as Downloader.MisleadApp. This is a generic name as there are many flavors of these things. Google it and have a read.

snug, no offence taken. £60 is a lot of money. Unfortunately none of it comes to me, so there is no incentive to stall :)

Hi JohnM, so are you saying that it's another version of Downloader.MisleadApp and will be (has been?) taken care of by NIS from now on? I notice that in the NIS history log on my son's PC today, it did pick up Trojan.fakeadvert.

Hi

There are new variants of "Trojan.Fakealert" coming out all the time too, like with Vundo.

Quads 

Thanks, JohnM, for helping get this thing fixed. So this is another in a long line of similar viruses? Only this one did NOT arrive via e-mail, as the Downloader.MisleadApp page says these things usually do. I am fairly certain it installed itself from a Philippines website. (I was looking for an illustration in Google Images and clicked one that took me to a website that was clearly downloading funny, so I closed my browser. But not in time.) I still want to understand how this happens and what I can do to protect myself in the future. None of the recommendations on the Downloader.MisleadApp page are helpful (I do nearly all of them anyway). Do these things use Java (which I need for my work)? Is there any way to block websites from installing junk on my computer without permission in Firefox? I have every security setting ticked that I can tick and still use the websites I need to use. (I need Java and JavaScript.) Any advice for helping me be a safer surfer?

seberle,

These threats can spread in any number of ways. A common method is via web pages that contain exploit code - and yes, JavaScript is often used. The threat usually attempts to download and run an application to try to fool the user into believing their computer is infested with (bogus) malware and have them purchase a program to remove it. The only way to be sure a threat that uses (only) JavaScript doesn't affect you is to disable it in your browser - which you said is not an option in your case. Regular and timely patching is also a must, as many threats attempt to exploit vulnerabilities for which patches exist.

There are many other things you can do to help secure your computer but at the end of the day 100% security is really not possible. Due to the nature of the Internet there will always be a trade-off between security and usability, and there will always be bad guys trying to find new ways to circumvent whatever security they come up against. I'm sure this won't come as a surprise, but studies have shown that if a security solution is too rigorous and impedes the user experience or annoys the user, said user ends up switching off or disabling the security solution. I believe that works out well for the bad guys.

JohnM