Norton 360 version 2.5 fails to quarantine Spyware Protector 2009

Yesterday, my computer received this nasty infection from Spyware Protector 2009. After reading several great security articles from Symantec regarding the Conficker attacks, I got really scared when I saw my computer was infected with this rogue antivirus. I was using GOOGLE when the attack happened. Ironically, Norton 360 v. 2.5 did not block the attack like NIS 2009. Anyway, the point is that Norton 360 v. 2.5 was not able to find this threat on my PC. My question is "Because I haven't updated to Norton 360 version 3.0, was the old version of 360 not able to receive adequate protection from the live update antivirus definitions???" After my subscription for Norton 360 v. 2.5 had already expired by [today], I installed the new version of Norton 360 on my desktop.

 

I am planning to submit the infected files that Malwarebytes found to Symantec.

 

Info:

Windows XP Home Edition SP3

IE 8 and FF3.08

Is able to receive the latest definition updates from Symantec and Windows Update.

 

Thanks for replying to my post, sendofjive. When my computer was infected with this rogue, I didn't see any popup or redirection from a site that I was searching on google.com. The rogue purposely infected my computer. After that incident, I thought my computer was infected with conficker.

 

I scanned my computer using Norton's Conficker Removal Tool. The tool did not find any infected files due to conficker. Does this mean that I have conficker on my computer????????

 

Should I be worried that my computer still has conficker???? Not only did I scan my computer using Norton, Malwarebytes, and Norton Rescue Disk, I also used other antivirus vendors' bootable antivirus disks to see if I have been infected with this malicious threat.

 

Thanks,

 

DD09

diddo09,

 

It's certainly possible that Spyware Protect and Spyware Protector are unrelated. I didn't mean to unnecessarily alarm you. I posted just to alert you in the event that what you saw was possibly the former. If you are using Norton and keeping Windows up to date on security patches you are probably not infected with Conficker. One of the hallmarks of infection is that you cannot connect to many security sites online. Just the fact that you can get to Symantec/Norton sites probably means you are ok. There is a really nifty Conficker eye-chart test at the Conficker Working Group site. Click the "check for infection" link on the home page. If all of the logos, some of which link to sites blocked by Conficker, are visible, then you are not infected. Worth a visit for some peace of mind.

 

http://www.confickerworkinggroup.org/wiki/
Message Edited by SendOfJive on 04-11-2009 11:10 AM
Message Edited by SendOfJive on 04-11-2009 11:12 AM
Message Edited by SendOfJive on 04-11-2009 11:55 AM

Just so you know, I am using my other computer to visit the Symantec site. I'm pretty sure that I don't have conficker on my rogue-antivirus-infected computer. Before you replied to my post, I was very alarmed because some of my clients were infected with conficker on their pc[s] and now the problem is happening to me [personally].

 

Also, I am scanning my other computers for possible conficker attacks because my main computer was infected with Spyware Protect 2009.

 

Question: If the Symantec conficker removal tool did not find any conficker-infected files, does this mean that my computer is okay?

 

Thanks,

 

DD09


diddo09 wrote:

 

 Question: If the Symantec conficker removal tool did not find any conficker-infected files, does this mean that my computer is okay?

 


I would think so. I would still check out the eye chart at the Conficker Working Group for confirmation. If you are able to update your malware scanning programs online prior to doing your scans, I would view that as an indicator that you do not have Conficker (on that machine, anyway).

Message Edited by SendOfJive on 04-11-2009 11:41 AM

I'm pretty sure that my computer is okay [for now].

 

Is it possible that Symantec did not find any conficker-infected files because the malware itself is hidden [stealth mode]???

I'm pretty sure that since the Symantec conficker tool did not find anything, you should not have the conficker infection. But just to be on the safe side I would suggest that you do a scan with Malwarebytes Antimalware and SuperAntiSpyware in safe mode. Install the products and update both of them. Then disconnect the computer from the internet. Then go into safe mode on your computer and do a scan with Malwarebytes and then with SuperAntiSpyware. If there is any type of malware on your computer these programs will find it and remove it.

Symantec Conficker Removal Tool just finished scanning my laptop for any trace of conficker. It is so interesting that there are some files that the removal tool did not scan.

 

Here is the log after it finished scanning my computer:

 

Symantec W32.Downadup Removal Tool 1.1.0.2


ERROR: Can't change ACL/permissions for file C:\Program Files\Adobe\Acrobat 9.0\Resource\CMap\90ms-RKSJ-UCS2; file not scanned

ERROR: Can't change ACL/permissions for file C:\Program Files\Adobe\Acrobat 9.0\Resource\CMap\90pv-RKSJ-UCS2C; file not scanned

ERROR: Can't change ACL/permissions for file C:\Program Files\Adobe\Acrobat 9.0\Resource\CMap\UCS2-90ms-RKSJ; file not scanned

ERROR: Can't change ACL/permissions for file C:\Program Files\Adobe\Acrobat 9.0\Resource\CMap\UCS2-90pv-RKSJ; file not scanned

ERROR: Can't change ACL/permissions for file C:\Program Files\Adobe\Acrobat 9.0\Resource\CMap\UniJIS-UCS2-H; file not scanned

ERROR: Can't change ACL/permissions for file C:\Program Files\Adobe\Acrobat 9.0\Resource\CMap\UniJIS-UTF16-H; file not scanned

ERROR: Can't change ACL/permissions for file C:\Program Files\Adobe\Acrobat 9.0\Resource\CMap\UniJIS2004-UTF16-H; file not scanned

ERROR: Can't change ACL/permissions for file C:\Program Files\Adobe\Acrobat 9.0\Resource\CMap\UniKS-UTF16-H; file not scanned

ERROR: Can't change ACL/permissions for file C:\ProgramData\Adobe\Adobe PDF\Settings\Oversized Pages.joboptions; file not scanned

ERROR: Can't change ACL/permissions for file C:\ProgramData\Adobe\Adobe PDF\Settings\PDFA1b 2005 CMYK.joboptions; file not scanned

ERROR: Can't change ACL/permissions for file C:\ProgramData\Adobe\Adobe PDF\Settings\PDFA1b 2005 RGB.joboptions; file not scanned

ERROR: Can't change ACL/permissions for file C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\0e36f4f6f28a7356fac5aa1c5f253b2c_d7b7ab52-a581-43fc-861e-8294e72e9f30; file not scanned

ERROR: Can't change ACL/permissions for file C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2af8bc7785933a0bf630d8675efacb0c_d7b7ab52-a581-43fc-861e-8294e72e9f30; file not scanned

ERROR: Can't change ACL/permissions for file C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\39cf2e31055d878433db141255d6ce2a_d7b7ab52-a581-43fc-861e-8294e72e9f30; file not scanned

ERROR: Can't change ACL/permissions for file C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\6ce96bdb8c1add701e934ac3abdeba83_d7b7ab52-a581-43fc-861e-8294e72e9f30; file not scanned

ERROR: Can't change ACL/permissions for file C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ef0be79b2fcfe852f9f60653797863b6_d7b7ab52-a581-43fc-861e-8294e72e9f30; file not scanned

ERROR: Can't change ACL/permissions for file C:\Users\All Users\Adobe\Adobe PDF\Settings\Oversized Pages.joboptions; file not scanned

ERROR: Can't change ACL/permissions for file C:\Users\All Users\Adobe\Adobe PDF\Settings\PDFA1b 2005 CMYK.joboptions; file not scanned

ERROR: Can't change ACL/permissions for file C:\Users\All Users\Adobe\Adobe PDF\Settings\PDFA1b 2005 RGB.joboptions; file not scanned

ERROR: Can't change ACL/permissions for file C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\0e36f4f6f28a7356fac5aa1c5f253b2c_d7b7ab52-a581-43fc-861e-8294e72e9f30; file not scanned

ERROR: Can't change ACL/permissions for file C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\2af8bc7785933a0bf630d8675efacb0c_d7b7ab52-a581-43fc-861e-8294e72e9f30; file not scanned

ERROR: Can't change ACL/permissions for file C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\39cf2e31055d878433db141255d6ce2a_d7b7ab52-a581-43fc-861e-8294e72e9f30; file not scanned

ERROR: Can't change ACL/permissions for file C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\6ce96bdb8c1add701e934ac3abdeba83_d7b7ab52-a581-43fc-861e-8294e72e9f30; file not scanned

ERROR: Can't change ACL/permissions for file C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\ef0be79b2fcfe852f9f60653797863b6_d7b7ab52-a581-43fc-861e-8294e72e9f30; file not scanned

ERROR: Can't scan the file C:\WINDOWS\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

ERROR: Can't scan the file C:\WINDOWS\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
W32.Downadup has not been found on your computer.
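
An added example, not part of the original post and not Symantec's code: a small Python parser for the log format posted above that counts the files the removal tool skipped, so the final "has not been found" line can be read alongside what was actually examined. The sample log is constructed in the posted format with placeholder file names; `summarize`, `system_root` and the choice to single out files under the Windows directory are assumptions of this example.

```python
import ntpath  # Windows path rules regardless of the OS running this script
import re
from collections import Counter

# Constructed sample in the posted log's format; file names are placeholders.
SAMPLE_LOG = r"""Symantec W32.Downadup Removal Tool 1.1.0.2
ERROR: Can't change ACL/permissions for file C:\Program Files\Adobe\Acrobat 9.0\Resource\CMap\EXAMPLE-CMAP; file not scanned
ERROR: Can't change ACL/permissions for file C:\ProgramData\Adobe\Adobe PDF\Settings\Example Pages.joboptions; file not scanned
ERROR: Can't change ACL/permissions for file C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\EXAMPLE-KEY-1; file not scanned
ERROR: Can't change ACL/permissions for file C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\EXAMPLE-KEY-2; file not scanned
ERROR: Can't scan the file C:\WINDOWS\System32\EXAMPLE-FILE-0
W32.Downadup has not been found on your computer.
"""

ACL_RE = re.compile(r"^ERROR: Can't change ACL/permissions for file (.+); file not scanned$")
SCAN_RE = re.compile(r"^ERROR: Can't scan the file (.+)$")
CLEAN_LINE = "W32.Downadup has not been found on your computer."


def summarize(log_text, system_root=r"C:\WINDOWS"):
    """Return what the tool skipped, so a clean verdict is read with its gaps."""
    skipped = {"acl": [], "unreadable": []}
    clean_verdict = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            skipped["acl"].append(m.group(1))
        elif m := SCAN_RE.match(line):
            skipped["unreadable"].append(m.group(1))
        elif line == CLEAN_LINE:
            clean_verdict = True
    paths = skipped["acl"] + skipped["unreadable"]
    prefix = system_root.lower() + "\\"
    return {
        "clean_verdict": clean_verdict,
        "skipped": skipped,
        "total_skipped": len(paths),
        # Skipped files per directory, compared case-insensitively as on Windows.
        "by_dir": Counter(ntpath.dirname(p).lower() for p in paths),
        # Assumption of this example: unscanned files under the Windows
        # directory are the first ones to recheck with a second scanner.
        "system_paths": [p for p in paths if p.lower().startswith(prefix)],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("clean verdict:", report["clean_verdict"], "| skipped:", report["total_skipped"])
    for directory, count in report["by_dir"].most_common():
        print(f"{count:3d}  {directory}")
    print("recheck first:", report["system_paths"])
```
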

A Note

 

A-Squared Free and A-Squared Emergency USB files, detect Conficker.

 

Quads 

diddo09,

 

You can also download and run the Microsoft Malicious Software Removal Tool which will find and eliminate Conficker, as well as a host of other types of malware.

 

http://www.microsoft.com/security/malwareremove/default.mspx

Quads wrote:

A Note

 

A-Squared Free and A-Squared Emergency USB files, detect Conficker.

 

Quads 


I am using A-Squared Free and the program found other infected files that Norton 360 version 3.0 missed. It is not finished, but I am hoping that my computer is not infected with Conficker.

 

Thanks everyone for answering my questions regarding Conficker attacks.

 

DD09

Hi

 

A-Squared will create a log of files found, if you are unsure whether they are malware or not.

 

Quads 

A-Squared finished scanning all files and folders on my desktop. Overall, I don't have any trace of conficker worm attacks.

 

 

Hello all, new member here. 

 

I've done everything suggested in this thread and am still having problems with Spyware Protect 2009. I've loaded the latest updated versions of Malwarebytes' antimalware and Super, booted up in safe mode, ran all scans and removed all infected items. Everything seems clean until I re-connect to the internet. No surfing, nothing running like Outlook, just make the connection. In about 5 minutes I have Spyware Protect 2009 again!

 

I've tried to manually delete it as well following a link on another board.  I also modified my hosts file to redirect all the known websites associated with this virus and it even rewrites or reloads a new host file.

 

I'm at a loss here, anyone got any more suggestions besides those earlier in this thread?  I've spent all day trying to fix this, and right now I'm on another laptop, FYI.

 

Thanks,

 

John

Hi, what did you remove manually??

 

Quads 

I followed the manual delete instruction found here. That's how I noticed that the hosts file was being re-written each time I connected to the internet. I now believe that it's being removed, but somehow each time I connect my computer is being attacked. Is that possible even if I have no open programs?

 

Is Norton 360 known to block this intrusion? If so, then my computer is not being cleaned by Malware or Super. If Norton is not blocking this attack, then most likely it is being removed and then reinstalled.

 

Anyone know for sure if Norton 360 can stop this from coming back?  Or if something else can?

 

John