I'm a 2005 Toshiba 17" laptop OEM Win XP SP3 user, with Symantec's NIS 2008, GHOST 14 and NSW 2005.
Was on what seemed like a fairly legit Web-site trying to view a TV show I missed this week. In the space of about 1-minute, NIS 2008 shows several "High Risk" attempts to attack my computer, including one by a Trojan.Zlob. NIS said all were blocked.
But... thinking "this isn't good," I tried to use Windows System Restore (SR) to undo any potential harm that might have occurred by these attacks. [I'd created a System Restore point just shortly before I started on this "TV viewing" thing.]
Yet, System Restore (SR) would not work. Typical message: "Your computer cannot be restored .... Pick another restore point and try again." Tried a whole bunch of different restore points, in Normal and Safe Modes, with "Administrator" log in, (and not), etc. Nothing worked.
Have had this problem in the past. So, I learned back then (off the Web) that whenever I create a SR point, I always turn off NIS Auto-Protect, as well as un-check "Turn on protection for Norton products." And then, when I want to use SR to restore to a prior-created point, I do the same thing -- turn Auto-Protect off, and un-check the "Turn on...".
This generally has always worked in the past (and saved my rear a number of occasions). Not this time.
So, I did a NIS Full System Scan. It found a different "High Risk" Trojan.Blusod, and removed/resolved it -- as well as a number of other "Low Risk" Spyware/Adware files.
I looked at the removal "Details" of the Trojan, and NIS said it had made 34 Registry changes and 1 File change. Looking at these changes there were some to the "SystemRestore" Key, etc. Unfortunately, I didn't copy these down. NIS said they had all been fixed.
But, on restart (in Safe and Normal Mode), System Restore still won't work. Again, tried every restore point and log-in method that seemed feasible. Nothing works.
Appreciate any help on this.
Kind Regards,
Robert
Hi
Here was a post work through for "Trojan.Blusod" here http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=9075
Quads
Tks for prompt reply, Red.
01. How do I upgrade to NIS 2009?
02. I'm on Auto LU now, with NIS 2008 (every 6 hours). Maybe should do every 2 hours, etc?
03. and 04. You think 2009 will do the job, where 2008 didn't?
I'm uncertain about upgrading to 2009. Have had "subscription date" problems every time I do this.
But... if you think 2009 would really do the trick, guess I'd try it.
Alternatives:
1. Just disable System Restore (SR) and wipe out all the restore points. Then try and create a new one and see if that works OK. Hate to lose my "last valid restore point" -- but..
2. Use GHOST to restore my entire system. Have Backup to about 1-week ago. Lose some stuff, but...
What do you (and/or any others on the Forum) think?
Kind Regards,
Robert
01. Please click on this Web Link to get your free Upgrade: http://www.symantec.com/home_homeoffice/support/special/upgrade2007/product_nis_download.jsp
02. N.I.S. 2009 Auto. runs every few minutes and installs all Updates; when using N.I.S. 2008 and Earlier, should be Set to every-two-hours.
03 and 04. Yes; N.I.S. 2009 is more advanced.
Just keep in mind that bugs are still being discovered with N.I.S. 2009. Please report any problems you are having with N.I.S. 2009.
Floating_Red wrote:Removal instructions for Trojan.Blusod: http://www.symantec.com/security_response/writeup.jsp?docid=2008-062711-5534-99&tabid=3
01. Upgrade to N.I.S. 2009 for free.
02. Run Norton LiveUpdate.
03. Do a Full System Scan in Safe Mode.
04. If not Removed, do a Full System Scan in Normal Mode.
Technical Details for Trojan.Zlob: http://www.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99&tabid=2
Message Edited by Floating_Red on 09-28-2008 02:47 AM
Message Edited by Floating_Red on 09-28-2008 03:13 AM
Message Edited by Floating_Red on 09-28-2008 03:14 AM
Have you clicked on these Web Links?
Did Malwarebytes Antimalware work as it did for "LisaB" on page 2 of the post that is the link just in an above message??
It even works out the disabled features like wallpaper and screensaver as "LisaB" showed me in the log list.
Quads
Yes, Red, I looked at those links.
- Disable System Restore (Windows Me/XP).
- Update the virus definitions.
- Run a full system scan.
- Delete any values added to the registry.
Didn't seem to tell me much?? Am I being stupid (again)?
R
RobyStellarSeed wrote:Yes, Red, I looked at those links.
- Disable System Restore (Windows Me/XP).
- Update the virus definitions.
- Run a full system scan.
- Delete any values added to the registry.
Didn't seem to tell me much?? Am I being stupid (again)?
R
On that Web Page, it should tell you how to do each of those Steps.
Hi Quads,
Malwarebytes Antimalware -- I don't even know what this/those are. <g> My inclination is to stay with Norton (unless those *are* Norton, or.. there is a very good reason to "jump ship").
My System Restore is not "disabled" -- just won't work. [Maybe Windows "knows" the restore points are infected?]
And, although my Desktop "color" was all bright blue (normally black) after the NIS scan and removal (?), it was easy to change back to black.
Screen saver tab in Display is OK, too.
And.... I'm reluctant to dig into my Registry settings -- unless I'm forced to (later).
But... thought occurs to me that maybe this virus problem has been around "a while."
[I had another really bad virus back in August -- "XP Antivirus" and "Downloader" -- Symantec said "Low Risk" (one place said "High") -- really tore my system up, though. Finally got System Restore to get me back to "zero." Yet, I'm thinking the "bugs" may have still been out there, even w/System Restore.]
If so, a GHOST recovery will still have the same problem(s).
R
Trojan.Blusod could be the reason System Restore is disabled.
You don't delete all the entries, sometimes just change the value. For example,
Change the value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\"DisableSR" = "1" That Trojan Blusod could have changed back to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\"DisableSR" = "0" (this enables System Restore again.) That's as long as the files for the Trojan have been deleted.
Malwarebytes finds Trojan.Blusod and corrects these values; well, it seems it did for the other person. This is a free download from the Malwarebytes website.
Download and try Malwarebytes with the database up to date and see if the Antimalware software fixes it for you.
Quads
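An added example, not part of the original posts: a read-only check of the `DisableSR` value discussed above, run over saved `reg query` output. The policy key, the `REG_DWORD` type check, the function names and the sample text are assumptions of this example.

```python
import re

# Key named in the post above.
SR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
# Assumption of this example: the Group Policy location, which can also carry DisableSR.
SR_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"

# Constructed sample of `reg query` output, not captured from a real machine.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
    DisableSR    REG_DWORD    0x1
    RPGlobalInterval    REG_DWORD    0x15180

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    DisableSR    REG_DWORD    0x0
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_reg_query(text):
    """Return {KEY_PATH_UPPER: {value_name: (type, data)}} from `reg query` text."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().upper(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, typ, data = m.groups()
                current[name] = (typ, data.strip())
    return keys

def audit_system_restore(text):
    """List (key, value_name, problem) for every DisableSR that is not a DWORD 0."""
    keys = parse_reg_query(text)
    findings = []
    for path in (SR_KEY, SR_POLICY_KEY):
        entry = keys.get(path.upper(), {}).get("DisableSR")
        if entry is None:
            continue  # value absent: System Restore is not switched off here
        typ, data = entry
        if typ != "REG_DWORD":
            findings.append((path, "DisableSR", "unexpected type " + typ))
        elif int(data, 16 if data.lower().startswith("0x") else 10) != 0:
            findings.append((path, "DisableSR", "System Restore disabled"))
    return findings

if __name__ == "__main__":
    for finding in audit_system_restore(SAMPLE):
        print(finding)
```

An empty result only shows that System Restore is not switched off in these keys; it says nothing about whether existing restore points are usable.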
Yes, I read those over. I think I knew how to do those, already?
R
Hi
Malwarebytes Antimalware is a free program like Ad-aware or SUPERAntiSpyware. The free version is an "on demand scanner only". Not realtime.
You still keep Norton and can have Anti Malware http://www.malwarebytes.org/mbam.php
Also finds the Trojan Zlob. Anti Malware is not realtime where Norton is.
The XP Anti Virus or Antivirus2008 XP is a rogue security program.
Quads
I did look at my Registry settings (w/regedit) and "DisableSR" is indeed set to "0" (as it should be?). So, it's OK?
Like I mentioned before, SR is not "disabled" -- the "box" in SR is un-checked -- it just won't do a Restore.
Gonna give NIS 2009 a try first. If it won't get rid of the problem, may try Malwarebytes Antimalware. Price is right. <g>
Got to sign off for tonight. Appreciate all the help, from everyone. [And nice Forum "communication tools."]
Kind Regards,
Robert
We seem to be typing at the same time
Quads
That's cool. *Very* real time. Talk to you tomorrow.
R
Yep no problem.
Please follow the instructions on the Web Pages I provided. It is up to you if you do this first or Upgrade to N.I.S. 2009. I know Zlob only has Technical Details, which is where N.I.S. 2009 comes in as this may Fully Remove this Trojan.
Another tip is to be dis-connected while Running a Scan.
Floating_Red and Quads,
Appreciate all your help. Issues may be mostly resolved, now.
Decided to d/l and install Malwarebytes-Antimalware. Google search seems to think it's a pretty good package.
Did a scan w/it on my C: drive (Normal and Safe Modes). It found (9) infections (several in System Volume Information/restore areas). Then deleted them.
Wonder why NIS 2008 didn't find these?
Anyway, things seem back to "normal." Well, mostly.
Still can't get System Restore (SR) to load my last, best check point (before the Trojan). My theory is that when the Trojan turned "off" SR, those points were lost anyway. They still show up on the SR calendars. But, they're not "really there."
However, I tried creating a new checkpoint in SR (after Malwarebytes scan); then tried restoring to it. And it worked OK.
Gonna wait on NIS 2009 for a while. Nice to know it's there, though.
Need to think about a "Best Practices" work-flow to keep these virus things from happening to me (had 3 *serious* ones in last 6 months). Learned some lessons, here.
Again, appreciate all the help.
Kind Regards,
Robert
Hi
In my experience a lot of antivirus software can't remove things from the System Restore as it's protected.
That is why a lot of removal instructions say to 1. Turn off System Restore; after cleaning the infected PC, turn System Restore back on and create a restore point.
Quads