I just joined this forum to vent a little bit... I have NIS 2010 and it has been working swimmingly, from what I'm aware, until yesterday. It somehow let a nasty trojan virus through and now my system is a wreck. I am trying to clean the virus off but will most likely have to reformat my hard drive and reinstall the operating system. I was surfing pictures on Google when I clicked on a picture that apparently had a vicious website associated with it. Before I knew what was happening, two little Java things popped up in my bar and a pop-up, which I closed immediately, came up.
Since then, Norton has been giving me warnings claiming Sonar or Auto-protect found --insert trojan name here (about 6 different ones)-- and that my computer was secure. But it's not secure. I no longer have access to antivirus and security software websites, and every scan I do with third-party software (Malwarebytes and SUPERAntiSpyware) comes up with 4-6 trojans that they try to remove but keep finding over and over. LiveUpdate hasn't run since yesterday because the virus blocked access to security sites, and I ran a full system scan anyway (since the definitions updated about 5 minutes before I got the bug) and it said my system was clean. Then today I am getting millions of "email errors" that pop up every second or so. Doesn't sound like a clean system.
For your info, here are some of the trojans the other malware scanners have said I have: trojan.agent/gen-reader_s, trojan.agent/gen. And here are the viruses Norton claims it blocked: suspicious.cloud, suspicious.mh690.a, downloader, infostealer.wowcraft, trojan.gen, trojan.mebroot
I don't know which one is actually infecting my machine, but thanks NIS 2010 for protecting me!
Hi, lilkel35,
Sorry to see this happening to you. Please be aware that not all Anti-Virus Products have the exact same Definitions, and, in this case, it appears that Norton hasn't got the V.D. for this Trojan at the time it happened which is why it let it through. If you find any Threat Files on your computer that Norton is not Detecting, you can Submit them here: https://submit.symantec.com/websubmit/retail.cgi.
Now, to try and get rid of this, I'd first of all suggest that you Delete all your previous Restore Points as the Threat can just re-create itself using this, and then do a Full System Scan with Malwarebytes' Anti-Malware and SUPERAntiSpyware Free Edition both in Normal Mode and Safe Mode, disconnected from the Internet. If you do not wish to do this, I'd suggest doing Full System Scans in Safe Mode, disconnected from the Internet, making sure you Update each Product before going in to Safe Mode.
I'd also be interested to know what other programs you Downloaded and Installed. I'd recommend that you do not pay for Malwarebytes' as this will add Real-Time Protection which will interfere with each other's Scanners which will reduce your Protection, which is why you should only have your Norton-branded Product with Real-Time Protection; if you did buy them, be sure to Turn Off any Real-Time Protection that is On.
I'd also highly recommend that you make sure you've got all Microsoft Updates installed, as well as for your other products installed that they all have Patches installed and are the most recent Version compatible with your Operating System (O.S.).
If you have any questions or concerns, please let us know before doing anything as we'd be happy to assist you in any way we can.
So, according to some other computer gurus I've been chatting with, it seems that I may have a Virut problem. I have a program running at startup called reader_s.exe (not to be confused with Adobe Reader SpeedLaunch, reader_sl.exe). This program keeps running at startup even when I remove it using CCleaner, etc. Plus, I cannot find the actual file anywhere. Also, I rebooted my computer and this is from my Norton Security History of an intrusion attempt that it claims it "blocked."
Here's the attempted intrusion that Norton claims to have "blocked" (the same one that pops up each time I reboot).
Risk name: HTTP GoldInstall Downloader Activity
attacking computer:
attacker url:
destination address: desktop (with my IP address, 3919)
source address: 91.206.201.40
The attack was resulted from \device\harddiskvolume1\windows\system32\winlogon.exe
[edit: removed malicious website location per the Participation Guidelines and Terms of Service.]
Just wanted to post a last update -- I am in the process of reformatting the drive and reinstalling the operating system and am even using this as a chance to upgrade my hard drive (had a 320GB external WD lying around that the casing died on).
Anyway, some last notes for your general perusal:
I was looking around this morning before I started the reformat and found the following:
In my running processes--peresvc.exe (reader_s.exe was no longer running because I disabled it in CCleaner and it stayed disabled.)
In my Services--btwsvc and peresvc---I stopped both and then disabled them as well
In my system32 folder---1003794.exe, 1063761.exe, 1077952.exe, 4032359.exe, 6989359.exe, 7040369.exe, 8203852.exe and 9894785.exe, all by a company called Tencent; their description was two symbols QQ2010 1.00 Installation
Also in system32 folder--opear.exe, peresvc.exe, powerdes.exe, reader_s.exe, w.exe, btwsvc.dll
opear, powerdes, and w are all by a company called dread Haus--uses a viking head icon--they should be destroyed for this crap
So, for the fun of it, I deleted each one of the exe files I found and emptied the recycle bin. Then I decided to check system volume information and delete all the SR points in there. The last system restore point would not delete--said it was in use. When I originally saw the warnings of an attack, I immediately started running a Norton scan, not knowing about turning off system restore first. Maybe the trojans were working from this restore point?? Regardless, deleting those exe files and rebooting didn't work (not that I expected it to). I wonder which one actually started it all?? Anyway, I have already reformatted that drive and all is wiped.