Norton logged valuable info but did not prevent infection and spreading

I just got rid of a nasty infection. I don’t know what it was so I’ll try to describe it as well as I can.


System environment: Windows XP SP 3, Norton AntiVirus 2008 (16.2.0.7), Firefox 3.0.5


I had googled for “jamster.ca” and opened a few result pages.


Next, I got a cookie related message. My cookie settings are set to “always ask”, and this was not one of the familiar messages.


Then Norton reported:

Risk Level: High

Activity: A browser exploit was blocked

Recommended Action: No action required

Risk Name: Unauthorized File Download – URLDownloadToFile

Attacker URL: chome://cookie/content/cookieAcceptDialog.xul


Shortly after (I believe it was right after closing the Firefox window that had triggered the cookie message) my system restarted unexpectedly. Obviously, the blocking was not successful. Even running a full system scan did not show any threats. Fortunately, Norton did log subsequent malicious activities, although I never got a warning and it always stated: “Low Risk” and “No Action Required.” The activities were:

  • c:\documents and settings\myuser\local settings\temp\wjqs.exe modified c:\documents and settings\myuser\application data\google\xpsdg6420222.exe and c:\documents and settings\myuser\application data\upd.exe.
  • c:\documents and settings\myuser\application data\upd.exe modified \REGISTRY\USERS\S-1-5….\software\microsoft\windows\currentversion\run\SVCHOST.exe and c:\windows\system32\drivers\svchost.exe.
  • c:\windows\system32\drivers\svchost.exe accessed my network resources (I don’t know what it did, there’s no network related activity listed).
  • c:\documents and settings\myuser\application data\google\xpsdg6420222.exe modified \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\realtecg, c:\documents and settings\myuser\application data\amazon\xerks.exe, c:\documents and settings\myuser\application data\autodesk\gdi32.dll, c:\documents and settings\myuser\application data\google\kpldpl.dll, c:\documents and settings\myuser\application data\google\ xpsdg6420222.exe.


As a result of these modifications:

  • The system crashed repeatedly, in particular when trying to open msconfig or the Windows Task Manager.
  • A fake (but very real looking) Windows Firewall window popped up, reporting a Zafi.B. (Win32.Zafi.B) infection with a link to www. defender-review. com. Check the Google Safe Browsing report http://www.google.com/safebrowsing/diagnostic?site= www. defender-review. com. Remove the extra spaces in the URL to see the Google results; I strongly recommend NOT visiting this site directly!!
  • The Windows Firewall was disabled.
  • Firefox and IE6 stopped working. If I remember right, Firefox crashed the system and IE displayed a virus warning page with a link to somewhere (at this time the system wasn’t connected to the internet anymore).


Before manually removing and resetting all the modifications listed above, I ran a scan with Malwarebytes, which did not discover any threats. It seems that I caught everything and I haven’t seen any more suspicious activities since then.


Does anybody know what this was? And why did Norton only log but not prevent the malicious activities?


I might have gotten the infection from this site:

http://www.google.com/safebrowsing/diagnostic?site=www. blogtoplist. com. Remove the extra spaces in the URL to see the Google Safe Browsing results; I strongly recommend NOT visiting this site directly!!
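The activity entries quoted in the post above carry the classic signs of a drive-by dropper even though Norton rated each one “Low Risk”: executables launched from the user's temp and Application Data folders, a new Run key value, and binaries named like core Windows files (svchost.exe, gdi32.dll) written outside system32. The following script is an added example, not part of the original post or of any Norton tool; it runs those three heuristics over a constructed log whose entries are modelled on the post (the one-line "X modified Y" layout, the benign Firefox entry and the SID placeholder are assumptions).

```python
import re

# Constructed sample log modelled on the activity entries quoted in the post
# (the paths and names come from the post; the one-line layout, the SID
# placeholder and the benign Firefox entry are assumptions, not Norton's format).
SAMPLE_LOG = r"""
c:\documents and settings\myuser\local settings\temp\wjqs.exe modified c:\documents and settings\myuser\application data\upd.exe
c:\documents and settings\myuser\application data\upd.exe modified \REGISTRY\USERS\S-1-5-21-EXAMPLE\software\microsoft\windows\currentversion\run\SVCHOST.exe
c:\documents and settings\myuser\application data\upd.exe modified c:\windows\system32\drivers\svchost.exe
c:\windows\system32\drivers\svchost.exe accessed network resources
c:\documents and settings\myuser\application data\google\xpsdg6420222.exe modified c:\documents and settings\myuser\application data\autodesk\gdi32.dll
c:\program files\mozilla firefox\firefox.exe modified c:\documents and settings\myuser\application data\mozilla\firefox\profiles\abc.default\places.sqlite
"""

ENTRY = re.compile(r"^(?P<actor>.+?\.(?:exe|dll)) (?P<verb>modified|accessed) (?P<target>.+)$", re.I)
USER_WRITABLE = re.compile(r"\\(?:local settings\\temp|application data)\\", re.I)
RUN_KEY = re.compile(r"^\\registry\\(?:users\\[^\\]+|machine)\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# Core Windows binaries that malware likes to impersonate, with their legitimate directory.
SYSTEM_BINARIES = {"svchost.exe": r"c:\windows\system32", "gdi32.dll": r"c:\windows\system32"}

def impersonates_system_binary(path):
    """True when a file on disk carries a core Windows binary's name but sits elsewhere."""
    if not re.match(r"[a-z]:\\", path, re.I):
        return False                      # registry values are not files on disk
    directory, _, name = path.lower().rpartition("\\")
    return name in SYSTEM_BINARIES and directory != SYSTEM_BINARIES[name]

def flags_for(line):
    """Heuristic findings for one 'X modified/accessed Y' entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return []
    actor, target = m["actor"].lower(), m["target"].lower()
    flags = []
    if USER_WRITABLE.search(actor):
        flags.append("actor runs from a user-writable directory")
    if RUN_KEY.search(target):
        flags.append("actor writes an autorun (Run key) value")
    if target.endswith((".exe", ".dll")) and USER_WRITABLE.search(target):
        flags.append("actor drops a binary into a user-writable directory")
    for path in (actor, target):
        if impersonates_system_binary(path):
            flags.append("system binary name in an unexpected location: " + path)
    return flags

def triage(log_text):
    """Return (line, flags) pairs for every entry that trips at least one heuristic."""
    return [(ln, flags_for(ln)) for ln in log_text.strip().splitlines() if flags_for(ln)]
```

Calling `triage(SAMPLE_LOG)` returns the five malicious entries with their findings and drops the benign Firefox profile write; the same rules are what a sensible "High Risk" verdict on these events would have needed.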


Hi Victoria


You say you have run a full system scan, with no infections found. In this case, I would suggest you straight away update your NAV 2008 to the 2009 Version, for free, by going to the Norton Update Center. (Remember to uninstall your NAV2008 version prior to installing NAV 2009). Then run Live Update and do a full system scan.


Good luck.

Message Edited by johna on 01-30-2009 12:41 PM

<< I would suggest you download and run a full system scan with Malwarebytes' (remember to update the definitions prior to scanning). >>


Tucked away in there Victoria did say she ran Malwarebytes. Did you mean the other one? Superantispyware (?)

LOL, I managed to edit my post just before you picked me up on that one, Hugh. No, I didn't mean SuperAntiSpyware, but probably a good idea for the OP to run it anyway.


Cheers

Hi


NAV (16.2.0.7) is Version 2009, isn't it??


What you got was a Fake.Alert that looked legit in an attempt to get you to download a Rogue Security Program. 


Quads 

I was hoping you would give her the link to Superantispyware since there are a couple of applications with very similar names and since I’ve not used them, only Malwarebytes, I hesitate to give an incorrect and possibly dangerous link!

Hi


SuperAntiSpyware link


http://www.superantispyware.com/download.html


Quads 

Hi Johna, huwyngr, and Quads,

Thank you for all your suggestions. I really appreciate your time and help.


I didn’t run the Malwarebytes update before I started the scan this morning and at some point it appeared to be hung up, so eventually I cancelled the full scan. I caught the infection very early and I did a very thorough clean-up job, so I would be really surprised if there are any traces left on my system. But I took your advice and started the Malwarebytes scan about 2.5 hours ago; the critical “documents and settings” folder is finished, and there were no infected objects so far.


I didn’t know that NAV 16 = 2009. I wish Norton would display it clearly in Help > About; I remember getting confused with the Norton versions before. So I’m all up-to-date. Still, I’m wondering why NAV logged everything correctly but assessed the risk as “low” and “no action required”.


After wasting hours researching and fixing, I was tempted to just let it go. But then I thought, without sharing it’ll all be useless knowledge. Perhaps it helps other victims; I couldn’t find much on Google.


I’ll let you know tomorrow morning if the scan still reveals anything.


Thanks again


huwyngr wrote:
I was hoping you would give her the link to Superantispyware since there are a couple of applications with very similar names and since I've not used them, only Malwarebytes, I hesitate to give an incorrect and possibly dangerous link!

Actually I tried to, but the link inserter wouldn't work for some reason, it kept saying I was being redirected out of Norton Community when I clicked it..weird.

johna wrote:
"the link inserter wouldn't work for some reason, it kept saying I was being redirected out of Norton Community when I clicked it..weird."

It's been doing that with me too, but (maybe foolishly?) I went ahead and clicked "OK" to let it go to wherever it was being redirected to. I hope I haven't done something bad, :smileysad: clicking OK... too late now, I guess. I posted a question about it on the "Forum Feedback" forum (at http://community.norton.com/norton/board/message?board.id=forum_feedback&thread.id=1142), maybe someone will know why it's doing that. (darnit, now I've clicked OK yet again so that I could put the link without it being too long or whatever.) Anyway, I'm off-topic, sorry... not trying to hijack the thread or whatever the term is.


The redirect thing *is* kind of weird though, as you said.



j2000 wrote:

johna wrote:
"the link inserter wouldn't work for some reason, it kept saying I was being redirected out of Norton Community when I clicked it..weird."




We know there is a problem, we are working on fixing the toolbar!!  sorry!

Thanks for filling the gap.

Thanks for the information – see  you later.

I haven’t had that one – I do get the faulty HTML one sometimes and then I just press POST again and it goes through.

Just as I thought, Malwarebytes ran for 5.5 hours and only reported one item which doesn’t appear to be related to my problem:


Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.


Thanks again for all your help.

Hi


If you want to create a HijackThis log to be checked, go ahead.


Quads 


Victoria wrote:

Just as I thought, Malwarebytes run for 5.5 hours and only reported one item which doesn't appear to be related to my problem:


Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.


Thanks again for all your help.



Don't know quite how this is the "Solution" (above)...


Anyway, I would suggest doing the Norton Full System Scan and Malwarebytes' Anti-Malware Scan in Safe Mode; remember to Update before Scanning and make sure you are disconnected from the Internet before Running any Anti-Virus Scans.


How to Start your Computer in Safe Mode - Windows X.P. and Earlier: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam.


Message Edited by Floating_Red on 01-31-2009 11:56 AM
Message Edited by Floating_Red on 01-31-2009 12:08 PM

> Don't know quite how this is the "Solution" (above)...


Good point, but so long as solved. :)

Thanks for the good news -- you are in good hands with the others here who know what they are doing!


Was the Solution flag on purpose or accidental -- see their questions. Or are you happy that nothing is there that should not be?

I am curious... I too was infected with the same symptoms and had to download Malwarebytes' Anti-Malware 1.33 to clean out my machine.


Shouldn't Norton Anti-virus have stopped this infection??


I found it rather strange that Symantec would recommend another product (i.e. a non-Symantec tool?) rather than provide a removal tool as part of the Symantec spyware protection which I have on my machine.


Comments?