Hi everybody,
In the last week my PC became infected with a nasty piece of Malware or possibly Spyware, which, unfortunately the Norton 360 package did nothing to stop. My 360 was fully up to date and the full scans revealed nothing. The initial effect was just to display in addition to my chosen web page one of several others, whilst none were offensive or pornographic they were irritating to say the least.
Other identifiable symptoms included a warning displayed in the systray about Auto-update being turned off, despite it being “switched on” when viewed via the control panel. Auto-fill of web page forms also stopped functioning. Subjects of the rogue pages included dating, travel, music etc etc.
Naively, I thought my best course of action was to delete IE7 and revert back to IE6; this had no effect at all. I still don’t know where the infection came from, but, during the course of last week, things got worse, to the extent that Norton 360 did attempt to help and finally purged my system of two “Trojans”, one of which was Vundu.
However, the additional web pages kept on appearing. I should probably explain at this stage I am an IT professional of some 20 years’ experience, so on another PC I searched the web and gleaned some knowledge as to how to eradicate my problem. I found out about HijackThis, and I downloaded this and ran a scan, and from my gleaned knowledge I could see some BHOs identified with unusual looking file names, none of which I could find any information for by searching on Google.
During the week these DLLs kept on appearing. Some of these DLLs included (I deleted many others before making notes):
vedaygh.dll
xfpmrscu.dll d
dacgrkv.dll
jkkKaXRi.dll
mjmrythp.dll
rrgryhypm.dll
nppbho.dll
uibho.dll
rhcr5gjoevol.exe.
In addition to the DLLs, several .ini files also arrived in windows\system32\ and all were dated on the day they attached themselves to my PC. None of these DLLs could be manually deleted as they reported to be “in use”; however, most could still be renamed and following a reboot could be deleted, as the registry was then pointing to a non-existent file. Even flagging the files for delete at next reboot had no effect. Ultimately the only file I could not delete was jkkKaXRI.dll, which incidentally was the oldest most recent file (dated within the last week) to reside in windows\system32.
Despite repeatedly trying to manually delete this jkkKaXRI.dll from the registry, I could not delete it from the system32 folder even in safe mode. I deduced that this file loaded at Windows logon and also re-updated the registry every few minutes or so.
Other features of this problem were that it set my privacy settings for cookies to “allow any” and as such it placed in both the documents and setting\”my username”\cookies & documents and setting\”my username”\local settings\temporary internet files\ other cookies and downloaded information, despite internet explorer not being run.
These cookies were all “my username”@ip address which included following IP addresses:-
XX.17.166.170
XX.17.166.172
XX.188.16.39
XX.188.16.29
XX.188.13.34
So on initial system boot the jkkKaXRI.dll got loaded, and via the internet downloaded the next batch of DLLs with random names, and then inserted the new DLLs for execution into the registry. As I stated above, these DLLs were then immediately in use and couldn’t be deleted, but could be renamed and deleted from the registry and then manually deleted from the system32 folder on the next reboot.
The only way to stop further infection was to boot the PC in safe mode without networking. jkkKaXRI.dll was still in use in safe mode.
After many hours of poring over this problem I was getting to the stage of reformatting my C: drive and re-installing everything, not a task I was looking forward to, as this would have been a further 20 hours or so, as I would not have been able to trust my backup as I did not know where the infection came from or where it resided.
However, fortunately, I thought about booting my PC from a CD-ROM. I used an XP PRO CD, and then using the “R” repair option to get to a “DOS” prompt I was finally able to delete jkkKaXRI.dll.
What this has highlighted to me is how clever these malicious people are becoming, and by using what would appear to be randomly generated names for the “DLLs” it will be harder for people such as yourselves at Symantec to identify the threat.
Also what concerns me more is how vulnerable both IE and XP are, in that it has been very easy for someone to infect my PC, that not only took over the behaviour of IE (cookies and rogue pages), but was able to control the logon process to prevent the erroneous DLL being deleted by normal means, and further control over the registry, making this problem very hard to fix.
My biggest concern of all was I thought I had invested good money in the latest and greatest 360 package and was fully protected, but unfortunately not. !!!
I have not had any rogue pages since my fixing efforts and furthermore I have yesterday updated this PC to Norton Internet Security 2008, in the hope that is offers me more protection than Norton 360 did.
I will also be looking to acquire a new version of Ghost to replace my version 10 for my backup purposes.
One thing that is very clear Internet Security is far more efficient at everything, under 360 with the Phishing Filter ON IE7 performed very slowly before displaying a web page, using NIS 2008 it performs well, also scanning 950,000 files I have on this PC under 360 took about 3 hours, (this PC is a DELL 5150 Pentium D 2.9GHz with 3GB Ram) so not slow at most things, under NIS 2008 it did the same full scan in under half the time.
Over the weekend I must have spent in excess of 15 hours wrestling with this problem, and if I was charging my time out to a client, it would have got to the stage whereby my time would have cost more than the value of the hardware complete with OS, so there has to be a better way of fixing these problems, and I would like to think that you people at Symantec are on the case and can offer me an easier solution I can deploy in the future and hopefully incorporate “the wherewithal” into NIS 2009????
Now for the question, as NIS 2008 has not detected anything on my PC now, can anyone offer any further advice, as to anything else I should do to ensure that my PC is totally clean, would it be still worth trying Norton Anti-Bot ?
Sorry for the long post, but I thought it worthwhile trying to demonstrate how time consuming and difficult resolving this type of problem was for me. Should I have done anything different?
Any replies and advice gratefully received, thanks in advance
Best regards
Andy
[edit: Broke IP's.]
I have just been having an almost identical problem to Andy_Milne.
Got infected with two virus/spyware pains in the same day.
WHY DOES NORTON 360 NOT PICK THEM UP !
Tried using the "Support" button on screen and found it very inappropriately named. All Symantec offered was to clean my machine for a charge of £69.99
Why on earth should I pay for them to fix what I consider to be a fault in 360 in the first place ?
Like Andy I resorted to searching the web to get information and then manually removed the problem. Spent the entire weekend doing it though.
Apparently the malware that hit me is very well known, which makes it even more amazing that 360 failed to pick up on it.
Even after it was on my machine the 360 full scan failed to find it.
The "support" team showed no interest in gathering any information about the problem with perhaps a view to understanding how it got through their "protection" and maybe updating the signature database. All they wanted was the £69.99 fee.
Net result is that I have now totally lost confidence in the Norton range. Unlike Andy I shall not be "upgrading" to another Norton package. Upgrading? Yes Norton ? No way !
I am very sorry for the bad experience that both of you have had. I would first recommend that you follow the steps listed in the How To Troubleshoot a Suspected Malware Infection announcement. This provides great advanced user information for dealing with threats.
Please let me know if this helped for you
I have to agree too. Norton 360 simply does not detect certain infections, does not stop their spread and cannot therefore remove them. I tried to get tech support to be interested and examine the infected original file, but they were only interested in offering the clean up service for more money. I did not have a problem removing the infection - Microsoft OneCare did that for me - I just wanted Norton to be better.
I have posted another thread recently about non detection and hope someone will take notice.
Hi and this is mainly to Tony.
I've read your how to detect and clean, however, none of this was helping in my case.
The registry was being re-updated every few minutes by a DLL process that was being controlled by a task item that could not be stopped even when running in "Safe Mode"; no amount of registry editing or task stopping helped. In fact if you edited the registry to remove the 5 references to the main rogue DLL then shut down the PC, the LOGOFF process also re-updated the registry.
QED the PC at next boot was still the same, and as the DLL was hyper-active at re-boot, by changing IE cookie settings and downloading further DLLs and .EXEs and .INIs, it looked an impossible task to resolve. Now my fix may have been unorthodox, but it worked.
The main reason for posting here was the need to alert people that may have been like me and thought they had the best solution. I'm not having a real dig about Symantec or 360 per se, but it didn't stop me being infected. I realise my situation may well be unique or the infection methodology too new to have been detected, but my aim was to share my problems so that others don't have to go through the same pain as me.
I have not become disillusioned with Symantec as I have already re-invested in NIS 2008, which already looks to be a more comprehensive solution, but one now has to accept that 360 did not provide me with the comfort I was looking for.
I am also planning to update my version of Ghost.
I hope by these new pages that we all learn from each other's experiences, and that we can move forward without getting into a "blame culture", and hope that the responsible people from Symantec are able to use our experiences to positively enhance the products so that we all ultimately benefit.
Had I been aware of the ability to submit suspicious files, I would have sent a veritable package, but my main goal was to cleanse my PC without embarking on the last resort of formatting my hard drive.
Best regards
Andy
The post on "How to troubleshoot a suspected Malware infection " does indeed give some interesting and useful advice.
It does however fall down on some critical areas.
1. It assumes a fairly high level of computer 'savvy'. To a typical user it might as well be written in Klingon for all the real help it gives.
3. Uses phrases like "look for anything suspicious". Define to me what is suspicious !
4. How many users really want to delve into the system registry. Risky and fraught with dangers of making mistakes.
5. I see no reference to Vista. Although I accept most of the advice for XP is transferable.
I particularly like the advice on Task Manager/Process towards the end of the document.
"Look through the list for possible threats". How is anybody supposed to know what a "possible threat" is. These things do not come with process names like "I_am_Virus" or "Spyware". If they did then even Norton 360 could have spotted them......probably.
Looking through the suggested registry entries I now see an entry under StartupReg with a key of CMDS / Command saying
rundll32.exe C:\Users\williamp\AppData\Local\Temp\geBTkHXO.dll,c
and another under StartupReg with a key of 1e7fdb82 / command saying
rundll32.exe "C:\Users\williamp\AppData\Local\Temp\rjbjxhhe.dll",b
Both of these look suspicious to me but what do I do with them. Your guide does not say whether to delete them or whether to delete the whole key or just the command values.
And this now just worries me because I think I have found a problem, but do not know what to do about it.
This is why we purchase packages like Norton 360. To help in these situations.
I can understand that a virus might slip through the initial protection phase and allow a virus onto the machine (we, the users, do after all make mistakes ourselves and click the wrong button sometimes, or do not fully read a warning message, or even allow our family free access to our beloved machines without a degree in computer sciences.)
What I can not accept is that a full scan then fails to find the virus after it has embedded itself in the system. Even a simple web search for geBTkHXO.dll,c tells you that it is a known spyware issue so why oh why does Norton 360 not identify it on a full system scan.
It is so disappointing. I have used Norton products for a long time, thinking I was safe, but now this confidence is shattered.
And why, when I originally contacted "support", did they not tell me to submit the problem to Symantec Security Response for analysis instead of just pushing the 69.99 recovery option. Once I declined this there was no willingness on their part to make any useful suggestions.
I am not even sure that I was in contact with a real person. I used the interactive message method of contact and long replies were coming back much faster than a human could have typed them and they did not really enter into a 'conversation'.
Either somebody was clicking standard replies and questions or they are experimenting with an AI support system.
Not a very helpful option that one, unless you have £69.99 to spend.
Reference the comment from Andy that he has "upgraded" to NIS 2008.
Can the guru and/or administrator give an honest comparison between 360 and NIS 2008.
I had always thought that 360 was supposed to be the stronger of the two packages but how do they really compare ?
Do they use the same technology and search engines/database or is there a specific advantage of one over the other.
Isn't 360 the same thing as NIS 2008 but packaged up a bit prettier and simpler for the less technically minded users.
Come on guys, give us an honest appraisal of the two alternatives. Which one really is the stronger.
Again I quite agree with you. I do suggest Autoruns from Microsoft. This is but one of a family of tools from some computer guys that did so good, Microsoft bought them inhouse (..at least I hope they were 'bought' rather than just 'brought'). I'm sure this is not the forum to discuss Autoruns fully, and therefore suffice to say that one advantage with Autoruns, is that you can suppress listing of Microsoft tagged entries and concentrate on the remainder. Examine all entries with blank publishers - this should be first on the list of "suspicious" or "possible threats". When you untick an entry it is no longer loaded on reboot, but rather the entry is copied to another safe area within the registry. It can be brought back by ticking empty boxes. Only when you are 100% positive that the entry is never required again, can you right mouse click an entry and delete it. If something is loading at boot up, it will be shown here.
In your case I would delete those two entries that are running an obvious (to me) fraudulent dll, and in the temp directory too. As it happens, Norton 360 clean up would have deleted the temp directory in any event. What Autoruns also shows is pointers to files that no longer exist.
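The two rundll32 entries William quoted and the Autoruns advice in the reply above come down to the same triage question: which startup entries deserve a closer look. The script below is an added example, not code from this thread, from Symantec or from Sysinternals. It applies a few of the signals named in the thread (a blank publisher, a file running from a Temp directory, a DLL loaded through rundll32 with a one-letter export, a random-looking file name) to a constructed list of autorun entries modelled on William's two command lines and the jkkKaXRi.dll name from Andy's post. The publisher column is constructed to stand in for what Autoruns displays; the benign updater entry is invented, and nothing here reads the live registry.

```python
"""Triage of Windows autorun entries by simple defensive heuristics.

Added example; the entries below are constructed. Two copy the rundll32
command lines quoted in the thread, one reuses the jkkKaXRi.dll name from
Andy's post, and the last is an invented benign entry with a publisher.
"""
import re

VOWELS = set("aeiou")

# Constructed sample: (registry value name, command line, publisher as Autoruns would show it)
SAMPLE_ENTRIES = [
    ("CMDS", r"rundll32.exe C:\Users\williamp\AppData\Local\Temp\geBTkHXO.dll,c", ""),
    ("1e7fdb82", r'rundll32.exe "C:\Users\williamp\AppData\Local\Temp\rjbjxhhe.dll",b', ""),
    ("Helper", r"rundll32.exe C:\Windows\System32\jkkKaXRi.dll,a", ""),
    ("ExampleUpdater", r'"C:\Program Files\Example Vendor\updater.exe" /background', "Example Vendor Ltd"),
]

# rundll32 <dll>,<export>  (the DLL path may or may not be quoted)
RUNDLL_RE = re.compile(r'^\s*"?rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,\s*(\S*)', re.IGNORECASE)
# Plain executable: a quoted path or the first whitespace-delimited token
EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def parse_command(command):
    """Return (path actually loaded, rundll32 export name or None)."""
    m = RUNDLL_RE.match(command)
    if m:
        return m.group(1).strip(), m.group(2)
    m = EXE_RE.match(command)
    path = (m.group(1) or m.group(2)) if m else command.strip()
    return path, None


def looks_random(stem):
    """Crude test for generated names: almost no vowels, or many capitals inside the word."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c.lower() in VOWELS for c in letters) / len(letters)
    inner_upper = sum(c.isupper() for c in stem[1:])
    return vowel_ratio < 0.15 or (inner_upper >= 3 and any(c.islower() for c in stem))


def triage(entries):
    """Score each entry by the number of suspicious signals; highest score first."""
    findings = []
    for name, command, publisher in entries:
        path, export = parse_command(command)
        stem = path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        low = path.lower()
        reasons = []
        if not publisher:
            reasons.append("blank publisher")          # Autoruns' first filter in the post above
        if "\\temp\\" in low:
            reasons.append("runs from a Temp directory")
        if export is not None:
            reasons.append("loaded via rundll32")
            if len(export) <= 1:
                reasons.append("export name absent or a single letter")
        if looks_random(stem):
            reasons.append("random-looking file name")
        findings.append({"name": name, "path": path, "reasons": reasons, "score": len(reasons)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f"[{f['score']}] {f['name']}: {f['path']}")
        for r in f["reasons"]:
            print(f"      - {r}")
```

Each hit is a reason to investigate, not a verdict: a signed updater can live in an odd place and a generated name can be benign. The reply above has the right order of operations, which the script deliberately does not automate: untick (disable) the entry first so it can be restored, and delete only once certain it is never needed.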
Hi All,
Picking up on Williams comments.
I have for many years been a Norton user and have always found it to represent "good value for money", I migrated from NIS 2006 to N360 about a year ago, as it looked better value than buying NIS 2007 and a new version of Ghost, however, I realised pretty quickly N360 was trying to be "all things to all men" and didn't really do anything well.
The scans are a nightmare to get to do what you want and the backup facilities are not great either. It is nearly impossible to scan an individual downloaded file in isolation or a burned CD; you have to somehow take on trust it is looking after you behind the scenes.
I also feel that N360 is aimed at the typical family and the non-technical user as being a "comfort factor"; however, it is not friendly to use and V1 performs like a dog for browsing with the Phishing filter turned on.
Somehow, I feel much more comfortable and in control with the user interface NIS2008 offers. It's more friendly, I can do what I want, it's far more controllable, and it is certainly more efficient.
I have acquired NIS2008 as a 3 user license which covers my home/business computing needs perfectly. I just hope that with the frequency of Live updates we get to the stage whereby the new signatures actually detect and solve situations similar to my original problem, that N360 failed on.
We all have to accept that we can't have an internet enabled PC without some "protection", and we are putting our trust and faith in whichever software house we become loyal to. As readers of this board, we are all using Symantec products, and I can assure you based on personal consulting experience they are no better or worse than the competition. In my business dealings I regularly use Sophos, which, whilst cheaper than Norton AV for Exchange/Outlook platforms, does not perform overly well and has recently been responsible for duplicating many emails.
We can all recount horror stories, but the purpose of these discussions has to be to focus the "Technical People" at Symantec to make their products better and listen proactively to what we as users are saying we want the product to do.
At the end of the day we want peace of mind; we pay our annual subs and we expect our "AV" solution to deliver, but unless we have the ear of the technicians and not the salesmen and accountants, we will not be able to ensure we get our needs incorporated into the product.
You can't blame a "sales engine" for trying to sell you a "£70.00" fix. I might have been tempted myself, as 15 hours, the time I spent on fixing my PC, x £45.00 per hour, which is my chargeout rate, = £675.00; I know which amount I'd rather spend.
I personally know I couldn't afford to be without a usable PC for more than 1 working day, which to some extent is why I have 3. However, I need my PCs for my business use and as such my needs are probably different from the stereotypical family who uses their PC for domestic needs, surfing, Facebook, iTunes, news etc etc, and those families with children also probably need to be safe knowing that their kids can't surf inappropriately.
It is obvious that people with a reasonable degree of technical knowledge feel as though they are being ripped off for being charged for fixing something they perceived should have been prevented in the first place; however, we are only paying probably less than £1.00 per week in the first place. It's a case of settling on personal expectation, and I don't yet feel that Symantec are more of a villain than the competition; at the end of the day they are out to meet the needs of their shareholders first and us as consumers second.
Sorry for the rant and ramble, but at this moment in time I am more comfortable with NIS 2008 than I am with N360.
Cheers
Andy
[ ... ]
Can the guru and/or administrator give an honest comparison between 360 and NIS 2008.
I had always thought that 360 was supposed to be the stronger of the two packages but how do they really compare ?
Do they use the same technology and search engines/database or is there a specific advantage of one over the other.
Isn't 360 the same thing as NIS 2008 but packaged up a bit prettier and simpler for the less technically minded users.
Come on guys, give us an honest appraisal of the two alternatives. Which one really is the stronger.
If you look around you'll find information about this, even in this thread, and I'd agree with what he says. Tony Weiss the Symantec Administrator here has said similar in the past.
N360 is good fit and forget but difficult or impossible to tweak; NIS is more complex but you can tweak it.
I'm pretty sure that Tony did say that both use the same AntiVirus engine and so definitions.
Although I have 360 on my VISTA system that is largely for comparison; otherwise I have NIS 2008 and use specialized programs for other functions like back up -- Save & Restore on my laptop and an imaging program on my main system.
huwyngr wrote:N360 is good fit and forget but difficult or impossible to tweak; NIS is more complex but you can tweak it.
I'm pretty sure that Tony did say that both use the same AntiVirus engine and so definitions.
Although I have 360 on my VISTA system that is largely for comparison; otherwise I have NIS 2008 and use specialized programs for other functions like back up -- Save & Restore on my laptop and an imaging program on my main system.
Couldn't have said it better myself. The Norton AntiVirus inside Norton 360 and Norton Internet Security is the same, so you're protected.
I’m sure you could have done … but as long as it’s error-free <s>
Moving to its own thread for better exposure.
Phew ! <g>
I think you are in the wrong part of the Forum but one of the Norton Staffers will deal with that and your message I'm sure.