RESTART REQUIRED - never ending NAV 2009 pop up message loop

Similar story to others in the forum.

Norton Antivirus 2009, installed 3-user pack, 3/29/2009,  version 16.5.0.134,  Current SKU 14159016

Windows XP, Service Pack 3, All urgent/recommended/optional Windows Updates applied.

 

There are no entries in "Unresolved Security Risks" log

 

In Quarantine log, there are 18 entries.  All "resolved - no action" recommended.

The most recent were detected after the v2009 installation:

 

1.  Backdoor.Tidserv, virus, HIGH risk, affecting 5 files, 1 browser cache, 3 system actions.

      Status:  Removed    No recommended action.

      Component:  Auto-Protect     Definitions Version:   2009.03.29.021   ERASER Version:  109.1.0.61

      Risk state:   Fully Removed.

 

2.  Backdoor.Tidserv, virus, HIGH risk, affecting 5 files, 1 Service,  1 browser cache, 3 system actions.

      Status:  Removed    No recommended action.

      Component:  Virus Detection    Definitions Version:   2009.03.29.021   ERASER Version:  109.1.0.61

      Risk state:   Fully Removed.

 

No other activity since January - again, all entries state fully removed, no recommended action.

 

The quick scans have run clean.

I'm running a full scan now, only 100K files into the 770K list.   Clean scan so far.

Hi - hope you can help, as I am getting close to uninstalling NAV 09 altogether and trying a new application, as this is frustrating the heck out of me.

 

The version I am using is 2009 (16.5.0.134) on Windows XP SP2.

 

In the history there is, to be honest, a long list of entries covering many weeks.  For today (9/3/09), for example, I have the following 4 entries listed below, which are pretty much the same entries I get whenever I restart my machine as requested by the security request.

 

In the UNRESOLVED SECURITY RISKS section I have a message which says "there are currently no items to view for this category".

 

Here are my recent history entries for my most recent restart (and again the Norton pop-up asking me to restart yet again has just appeared as I write this):

 

1
SEVERITY: Medium
ACTIVITY: Unauthorised access logged (Access Process Data)
STATUS: Logged
DATE: 09/03/09 10:38

2
SEVERITY: Info
ACTIVITY: Intrusion Prevention has been enabled
STATUS: detected
DATE: 09/03/09 10:37

3
SEVERITY: Info
ACTIVITY: Intrusion Prevention Engine version 4.1.0.61 Definitions set version 20090303.001
STATUS: detected
DATE: 09/03/09 10:37

4
SEVERITY: Info
ACTIVITY: Intrusion Prevention is monitoring 1333 signatures Driver version 9.0.3.10
STATUS: detected
DATE: 09/03/09 10:37

This is more or less the same set of history entries I get whenever I restart the machine after the request from Norton to do so.

The details for item 2 above are:
Date as above
Actor: c:windows\system32\rundl32.exe
Actor PID: 1044
Target: C:\program files\norton antivirus\engine\16.5.0.13\ccSvcHst.exe
Target PID: 3480
Action: Access Process Data
Reaction: Unauthorised Access Logged
Recommended Action: No Action required

Hi Popsynic:

 

It looks like most of those entries are from the intrusion prevention log, which normally indicates that some program or other is poking at Norton and Norton refuses.  You have the newest version, which most of us haven't got yet.  Have you done a full scan since that update showed up?   What firewall are you using?  Do you have any other active security programs?

popsynic, try booting from a Symantec Recovery Disk and scanning your system. This should allow the infection to be cleaned up properly.

 

delphinium:  I have Windows Firewall running as a software solution, but also my ADSL router has a built-in hardware firewall.  Never had a conflict running both at the same time previously, but always a first time I suppose?  I have done a scan every day for the last three days, and no security risks are detected, or anything else.

 

reese_anschultz: I will try your suggestion and report back.

 

Thanks to you both, by the way, for your suggestions so far.

I'm hardly in an endless loop - but have been surprised that my main PC (Vista Ultimate x64 SP2 RC) has come up with this message at least 3 times during the past week. I don't recall having ever seen it before. My NIS 2009 is 16.2.0.7. This morning I was sleepy and clicked "Restart Now" while Outlook was downloading messages. Boof! Vista shut down instantly, which corrupted a couple of Outlook add-ins. This evening my laptop with XP x86 SP3 came up with the message. This time at least the reboot was orderly.

 

In both cases there's nothing at all dramatic in the log. Just very run-of-the-mill activity.

Any help out there?  I am running Norton Antivirus 2009 on a Windows XP (SP2) machine.  I keep getting a Norton Antivirus pop-up window saying

 

"RESTART REQUIRED - your computer must restart in order to continue the removal of Security Risks. Restart Required"

 

It then offers options of RESTART NOW (Recommended), REMIND IN 1 HOUR, 12 HOURS, 24 HOURS.

 

When I choose restart now, it does, but within seconds the pop-up appears again (and again, and again....).

 

Any ideas why or how to stop this nightmarish loop I am stuck in?

 

Advance thanks

 

 

Hi

 

How long before it requests a restart??

 

What are the names of the 5 files, 1 service, and 3 system actions?

 

Have you tried Malwarebytes http://www.malwarebytes.org/mbam.php ? Install, update the database, then run a Full Scan.

 

Quads 

Just checking because,

 


NickGeo wrote:

Similar story to others in the forum.

Norton Antivirus 2009, installed 3-user pack, 3/29/2009,  version 16.5.0.134,  Current SKU 14159016

Windows XP, Service Pack 3, All urgent/recommended/optional Windows Updates applied.

 

.....

 

In Quarantine log, there are 18 entries.  All "resolved - no action" recommended.

The most recent were detected after the v2009 installation:

 

1.  Backdoor.Tidserv, virus, HIGH risk, affecting 5 files, 1 browser cache, 3 system actions.

      Status:  Removed    No recommended action.

      Component:  Auto-Protect     Definitions Version:   2009.03.29.021   ERASER Version:  109.1.0.61

      Risk state:   Fully Removed.

 

2.  Backdoor.Tidserv, virus, HIGH risk, affecting 5 files, 1 Service,  1 browser cache, 3 system actions.

      Status:  Removed    No recommended action.

      Component:  Virus Detection    Definitions Version:   2009.03.29.021   ERASER Version:  109.1.0.61

      Risk state:   Fully Removed.

 

No other activity since January - again, all entries state fully removed, no recommended action.

 

The quick scans have run clean.

I'm running a full scan now, only 100K files into the 770K list.   Clean scan so far.


NickGeo,

Couple of questions:

January, but the deleted files' definitions are from March 29th?

Can you post details of the Quarantine log?

What is the never ending pop up message?

 

Thanks.

The oldest and easiest variant of TDSS, Seneka, is here:

 

http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=23740

 

There might be newer file names now, and you can use Malwarebytes as the last step instead of SuperAntispyware.

 

The Newer UAC infection is a whole different matter.

 

Quads 

The Norton antivirus 2009 Full Scan completed last night without finding anything.

 

I rebooted the machine, and logged in. 

 

Regarding pop-up timing -- The {X} Security Request pop-up appears 1:20 minutes after Windows login.  It says, "Restart Required, Your computer must restart in order to continue the removal of Security Risks" and offers restart delay options.

 

Files affected by Backdoor.Tidserv      Details from 3/29/2009 6pm scan:

  1. c:\documents and setting\{user1 name}\local settings\temp\tmp47.tmp
  2. c:\system volume information\_restore-{0282d612-3cf6-480a-9241-b04ab03be528}\rp966\a0055241.exe
  3. c:\documents and setting\{user1 name}\local settings\temp\tmp47.tmp
  4. c:\documents and setting\{user1 name}\Desktop\Casino.url
  5. c:\documents and setting\{user1 name}\Desktop\Casino.url

Files affected by Backdoor.Tidserv      Details from 3/29/2009 2:30pm scan:

  1. c:\documents and setting\{user2 name}\Application data\Microsoft\Windows\winlogin.exe
  2. c:\documents and setting\{user1 name}\local settings\temp\tmp47.tmp
  3. c:\documents and setting\{user1 name}\local settings\temp\tmp47.tmp
  4. c:\documents and setting\{user1 name}\Desktop\Casino.url
  5. c:\documents and setting\{user1 name}\Desktop\Casino.url

The Quarantine Log's third entry is from 1/17/2009:

Risk Name:  Trojan.Vundo     Eraser Version 108.2.4.3

Affected Areas:    254 Registry Entries,  7 Files, 4 Processes, 1 Service.

 

If someone needs the details, I would like to know how to cut/paste this list of issues.  I have an export file, but as you know it's a binary file.

Try to update the virus definitions using the Intelligent Updater. You can download and run Intelligent Updater from the following link:

http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=n95

 

You have to download the first .exe file (ends with v5i32.exe) and run it in normal mode. Then run the scan in Safe Mode:

1. Restart your computer.

2. As soon as the computer starts, tap the F8 key about once per second until you see the Windows Advanced Options menu.

3. Use the arrow keys on the keyboard to select Safe Mode, and then press Enter.

4. Click Yes to proceed to Safe mode.

5. Click Start button, and then click Run.

6. Type the following text and click OK:

navw32.exe /L

7. Check whether the scan runs completely and then restart the computer.

Also have Malwarebytes Installed, then update the definitions so when you go into Safe Mode you can also do a Full Scan with Malwarebytes as well as Norton.

 

Quads 

No joy yet.  The Restart Required popup persists.

 

Quads -- the MalwareBytes tool is better than most free scanners I've used.  Thanks for the referral.

MalwareBytes found ten items it labeled as associated with "Internet Antivirus Pro" - two directories and eight files:

 

Directories: 

C:\Documents and Settings\Username2\Application Data\Internet Antivirus Pro       and

C:\Documents and Settings\Username2\Application Data\Internet Antivirus Pro\db

 

Files:

C:\Program Files\Common Files\InternetAntivirusPro.exe
C:\Documents and Settings\Username2\Application Data\Internet Antivirus Pro\settings.ini
C:\Documents and Settings\Username2\Application Data\Internet Antivirus Pro\uill.ini
C:\Documents and Settings\Username2\Application Data\Internet Antivirus Pro\unins000.exe
C:\Documents and Settings\Username2\Application Data\Internet Antivirus Pro\Uninstall  Internet Antivirus Pro.lnk
C:\Documents and Settings\Username2\Application Data\Internet Antivirus Pro\db\config.cfg
C:\Documents and Settings\Username2\Application Data\Internet Antivirus Pro\db\Urls.inf
C:\Documents and Settings\Username2\Local Settings\Application Data\Microsoft\Windows\pguard.ini

 

I downloaded the standalone Norton antivirus tool, but unfortunately it threw an exception when I ran NAVW32.exe /L under Safe Mode.

 

For those following this thread - after you have downloaded the Norton Intelligent Updater tool and run it, a friendly pop-up informs you that the files can be found in the user's Temp directory.  In the targeted directory, you'll also find a log file for the Intelligent Updater installation (most recent when sorted by file date) -- look here:

 C:\Documents and Settings\{UserName}\Local Settings\Temp

 

I left the machine re-running MalwareBytes with definition file 1335 tonight.   Though I didn't start it under Safe Mode.   Thus, another visit is required to follow Quads' instructions.

Message Edited by NickGeo on 04-02-2009 08:53 PM

Quads:   By posting the reference to TDSS above, were you trying to tell me that this problem was related to Seneka?


Quads wrote:

The oldest and easiest variant of TDSS, Seneka, is here:

 

http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=23740

 

There might be newer file names now, and you can use Malwarebytes as the last step instead of SuperAntispyware.

 

The Newer UAC infection is a whole different matter.

 


 

Hi

 

Internet Antivirus Pro = rogue security program. These start on startup and, on infection, succeed or attempt to disable your legitimate security software to some extent.

 

Don't forget to complete the removal process with Malwarebytes; some have not realised this.

 

OK, if something is still stuck, possibly trying to load on startup, try HijackThis http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis . Download the 3rd .exe (executable) version, run it and create a log, then post it.

 

 

Malwarebytes may run under "Normal Mode"; it depends on how the rogue works. Don't forget to click "Full Scan".

 

Quads 


NickGeo wrote:
Quads:   By posting the reference to TDSS above, were you trying to tell me that this problem was related to Seneka?

Quads wrote:

The oldest and easiest variant of TDSS, Seneka, is here:

 

http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=23740

 

There might be newer file names now, and you can use Malwarebytes as the last step instead of SuperAntispyware.

 

The Newer UAC infection is a whole different matter.

 


 

 
The link given is the removal instructions for the TDSS / Seneka rootkit that Norton detects and, back when I created that post, had trouble removing. Norton detects it as "Backdoor.Tidserv!inf", as seen in your first post.
Then you say you have a "Vundo" infection, plus a rogue security infection. What fun.
Quads 

 

For those following this thread I wanted to update the status.

 

We have repeatedly run MalwareBytes and Symantec AV2009 scans.

The scans are clear - no issues reported - after turning off Windows System Restore.

 

No joy yet.  The Symantec "Restart Required" pop-up appears about two minutes into each login.   When I restart the machine, the pop-up appears again.  I have tried Safe Mode restarts.  This is a multiuser PC; I've tried various user accounts.  I have run the scans from Safe Mode.

 

My intent at this point is to invoke Symantec Product Support staff, as this appears to be a software bug.  Worst case, switching to another company's AV product wouldn't be too hard.  I hope that uninstalling NAV2009 would stop the pop-ups.

 

Thanks all for the help.

Nick

Hi

 

After using Malwarebytes in Full Scan mode to get rid of whatever, are there any risks in the NIS Security History "Unresolved threats" list??

 

Quads 

NickGeo - could you please run a HiJackThis log and post that here?