ISB.Downloader!gen252

Please tell us what Norton is telling you regarding this event.
For information regarding this event > from Norton pop-up > View Details > Copy to Clipboard &or from Norton history > More Options > Copy to Clipboard > paste here.


Malwarebytes offers free second opinion on-demand scanner. 
Malwarebytes Malware Removal Help offers free one-on-one help.
Malwarebytes staff & experts help all.  Malwarebytes subscription is not needed. 

Hello... I've been following this thread for several days as I am experiencing the same recurring issue .... T9 and Malwarebytes haven't solved this ISB.Downloader!gen252 issue that seems to be hiding in PowerShell from November 14, 2023.  Any more recent thinking absent reinstalling PowerShell or other reset options?  Many thanks and Happy New Year...

Good advice.  I have been comparing where I could to other backups, looking for changed file sizes, but haven't found any.  This points out the importance of one-time offline backups as opposed to cloud syncing or continuous backups -- those would be saving any contaminated files and so wouldn't help for restoring.

So far, no more warnings from Norton, and those had been kicking in within minutes of a startup before.

The thought of reconstructing from scratch was pretty awful.  I have some utilities dating back maybe to Win-95, from companies that are gone, and the reinstall media might be floppies.  (At least on 3.5, not 5.25!)  LOL (the funny kind, not the virus kind)

Thanks for the post back. As a good measure, check the restored install for possible file corruption right away. 

SA

Well, we'll never know. I have given up and done a full restore from an Acronis backup last May. Fingers crossed. 

I will clear the Host file but without much hope. The NAS is only local, inside two routers, no passthrough from outside.

Restarting with all startup apps disabled did not help. Several times, SFC /scannow has not found anything to repair. 

I think it was a popup on a webpage where I did a reflexive fast finger click, too late digesting that it was suspicious.


Indeed this appears to be a LOL malware instance, which is why I am personally dragging things the way they are to try to come to that conclusion. I would have a look at your email, past and present for attachments that are suspicious. 

When you replied this, and a NAS device has its IP address in the hosts file, I squirm. I also have a NAS that I do not use because of one reason. The OEM refuses to patch a serious issue with outside access; it's a serious external threat, so I keep it local and not visible on the net for any reason. Reset your hosts file and restart the system. Then see if it changes again. 

The entries in my Host file are for another PC and a NAS box with fixed IPs. 

SA

Thanks SA for the advice.  I see the comments on the reparse point but don't see what I can do.  The entries in my Host file are for another PC and a NAS box with fixed IPs.  My DNS is pointing to Google's 8.8.8.8

Today I booted into Safe Mode and ran the MS Malicious Software Removal Tool, which found nothing.  It suggests the MS Safety Scanner as a further step.  I ran the quick scan, which found 7 hits, apparently 'suspicious' code bits, but at the end reported no threats.  Apparently at the end the hits are uploaded to MS for a better opinion, and the "MAPS" report was that they were false alarms.  Then I started a Full scan.  After 4+ hours and 13+M files and the progress bar full, it choked on the Install35.swm file in my recovery drive.  The Cancel button let me confirm I wanted to cancel, but it didn't close.  Eventually I used the Task Manager to kill it.  It had accumulated 248 hits, but without really diagnosing them.  

I am computer experienced but rusty from too-long retirement, so still looking for suggestions.  I am gathering this is a LOTL virus that is invisible to pattern scanners.  The feeble Norton message suggests it is in or using PowerShell, which I would try disabling or removing but I haven't figured out how to do that.

I downloaded Autoruns.  None of the startup entries looked inappropriate.  I had it feed all the ones that were not tagged as 'verified' Publisher to VirusTotal.  Only three were non-zero, and those were 1/75 but I disabled them anyhow.  Now I have disabled all the entries in the Task Manager Startup tab and will see what happens after booting into a real session.


This could possibly happen due to hijacked DNS or corrupt DNS or Winsock 

Have you done Flush DNS and Reset Winsock?
Have you tried checking for bad DNS entries?

In any case, this might be a serious issue, I would contact support and see if you can use their Virus Protection Promise policy.

When you open Task Manager and look at the startup tab, is there anything there that doesn't look normal? Have you used Autoruns from the Microsoft Sysinternals suite to identify processes loading as malware? It will also show a VirusTotal number for each process.

https://learn.microsoft.com/en-us/sysinternals/downloads/

Or Microsoft MRT? https://www.microsoft.com/en-us/download/details.aspx?id=9905

Edited: Looking at your Rkill log I see:

* Reparse Point/Junctions Found (Most likely legitimate)!
 * C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 => C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\IE [Dir]

Searching for Missing Digital Signatures:

  • No issues found.

Checking HOSTS File:

  • HOSTS file entries found:

192.168.0.110 DIANE-UUQPARD
192.168.0.11 MYCLOUDEX2ULTRA

The reparse point issue is discussed in these forums; it can be a serious issue since it redirects programs to start in areas other than expected: 

https://answers.microsoft.com/en-us/windows/forum/all/questions-about-how-to-fix-problem-that-program/00d568bb-ad5f-4a9f-a53a-74f1f4fd5972

Also, are the two entries in your Windows Hosts file there for a reason? I would reset your hosts file as well. 

https://support.microsoft.com/en-us/topic/how-to-reset-the-hosts-file-back-to-the-default-c2a43f9d-e176-c6f3-e4ef-3500277a6dae


SA
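As an added example that is not part of the thread or of any of the tools it names: a read-only PowerShell triage script covering the two checks in the post above, the hosts file and the autostart locations that Autoruns also enumerates, filtered for anything that launches powershell.exe (the process in the Norton detail). It assumes Windows 10 with the built-in ScheduledTasks module and an elevated PowerShell session; it reports only and changes nothing.

```powershell
# Added triage script (not from the thread). Read-only: it reports, never modifies.
# Assumes Windows 10 and an elevated PowerShell session.

# 1) Hosts file: list every active (non-comment) entry for comparison with known LAN hosts.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
Write-Host "== Active hosts entries ($hostsPath) =="
Get-Content $hostsPath |
    Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') } |
    ForEach-Object { "  $_" }

# 2) Autostart commands that invoke PowerShell (case-insensitive match on the command line).
$pattern = 'powershell|pwsh'
$hits = @()

# 2a) Run / RunOnce keys for the machine and the current user, including the 32-bit view.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' }      # drop PSPath, PSParentPath, ...
    foreach ($p in $props) {
        if ("$($p.Value)" -match $pattern) {
            $hits += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}
# 2b) Scheduled tasks whose action runs PowerShell.
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $pattern) {
            $hits += [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Name = "$($task.State)"; Command = $cmd }
        }
    }
}
# 2c) WMI permanent event consumers, another persistence location Autoruns lists.
$consumers = Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
foreach ($c in $consumers) {
    if ("$($c.CommandLineTemplate)" -match $pattern) {
        $hits += [pscustomobject]@{ Source = 'WMI consumer'; Name = $c.Name; Command = $c.CommandLineTemplate }
    }
}
Write-Host "`n== Autostart entries invoking PowerShell =="
if ($hits) { $hits | Format-Table -AutoSize -Wrap } else { Write-Host "  none found" }
```

A legitimate entry (a vendor updater, a Microsoft maintenance task) will also match; the point is to see the full command line of every PowerShell launcher in one list so the unfamiliar ones stand out.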

I have run Live Update and another Smart Scan and then started Norton Power Eraser.  Twice it has died at about 50% with Internal Error 0x8000ffff.

I have been using Google Drive, with syncing of several of my folders.  Thinking that GDrive might be copying back some file that Norton has removed, I opened the Settings for GDrive and clicked to Pause Sync.  Unfortunately that is apparently not the solution either - there have now been several cycles of Norton detecting and 'removing' ISB.Downloader!gen252 but it keeps reappearing.

William AAMI:
File Attachment: Partial screen captures of Norton messages.



How to post an image in the forums
https://community.norton.com/en/forums/how-post-image-forums-0


Were my machine: just to know-peace of mind-what's what
Malwarebytes Malware Removal Help
https://forums.malwarebytes.com/forum/108-malware-removal-help/ 


What is Norton Virus Protection Promise?
https://support.norton.com/sp/en/ca/home/current/solutions/v62458994

After starting up in Diagnostic mode, Rkill was again clean, but I could not run any scans because there is no internet in that mode.  I switched to Startup in Selective mode with system services but not startup apps.  I immediately ran Rkill, again with no issues.  Norton popped up its same threat warning, blocking, and "removal" messages - just about immediately as Rkill was terminating.

This was not the cure.  I deleted the caches and cookies from Chrome, Firefox, Edge, and Opera.  I emptied \Windows\Temp and my \appdata\local\temp.  I have had Hibernate turned off so there is no Fast Startup.  I shut down and restarted into Safe Mode.  There I ran Rkill64 which reported no issues (log attached).  Then I ran a Full Norton scan and Malwarebytes with no threats reported.  Then I shut down and restarted again into a real session, and ran Rkill again, still no issues.  Then another Full Norton scan and then NPE with no threats reported.  Then I shut down yet again and restarted, and ran Rkill64.  While it was running (in the Miscellaneous stage) Norton popped up the same series of warning messages!  (I have bundled these into the attached zip file.)  These messages recurred periodically.  Curiously, none appeared during the previous session while I was running the Full scan, which took over an hour because I have a lot of files, so perhaps it senses Norton to hide from the scan.

I am going to try using MSconfig to change the startup to Diagnostic and try Rkill there.

Hello William. Delete all temp files on the computer, including Windows\Temp. Delete the user temp files by running CMD, then %temp%, and remove everything in that directory. Remove ALL cookies and caches in all browsers you have installed. Disable fast startup in system settings so that all files being held in memory will be released and scanned, then reboot. 

https://www.tenforums.com/tutorials/4189-turn-off-fast-startup-windows-1...

Next, run this small tool that was developed by our friends over on Bleeping Computer; let's see if it detects any running processes to stop and logs them.

https://www.bleepingcomputer.com/download/rkill/

SA


William AAMI:

No scanner says it has removed any threats, so it is unlikely that Chrome Sync is restoring anything.

Okay...I was thinking Sync because Chrome + "about every four minutes" + "reinstalled Chrome browser"
Feels like you recently installed something? 

Regarding: Chrome reinstall
Did you remove/rename Chrome Profile?   AppData\Local\


No scanner says it has removed any threats, so it is unlikely that Chrome Sync is restoring anything.

Here is the 'copy to clipboard' from the first Norton 'Details' window that opens

Filename: ISB.Downloader!gen252
Full Path: Not Available

____________________________

____________________________


On computers as of 
Not Available

Last Used 
12/19/23 at 4:51:45 PM

Startup Item 
No
Launched 
No
Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.


____________________________


ISB.Downloader!gen252
Locate


Unknown
It is unknown how many users in the Norton Community have used this file.

Unknown
This file release is currently not known.

High
This file risk is high.


____________________________


Source: External Media


____________________________

File Actions

File: PowerShell_C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.19041.1
No fix attempted

____________________________


File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available

-------------------- and here is the second window that opens

Filename: powershell.exe
Threat name: SONAR.UserProc!g3
Full Path: c:\windows\system32\windowspowershell\v1.0\powershell.exe

____________________________

____________________________


On computers as of 
11/14/23 at 8:42:56 PM

Last Used 
12/19/23 at 4:50:00 PM

Startup Item 
No
Launched 
Yes
Behavioral Protection monitors for suspicious program activity on your computer.


____________________________


powershell.exe
Threat name: SONAR.UserProc!g3
Locate


Many Users
Millions of users in the Norton Community have used this file.

Mature
This file was released 2 months  ago.

High
This file risk is high.


____________________________


Source: External Media


____________________________


File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available

William AAMI:

My system is Windows 10, with a reinstalled Chrome browser.


Chrome Sync?

https://forums.malwarebytes.com/topic/258938-resetting-google-chrome-to-clear-unexpected-issues/ 

https://forums.malwarebytes.com/topic/258886-chrome-secure-preferences-detection-always-returns/
