In case it helps others help on this -- which version of NIS2008 do you have? Help & Support / About and the NIS Tab gives it.
Can you say anything more about the name of the trojan, since there are often sub-versions and the one listed on the Norton website has been around for quite a few years, so it's surprising if it is not detected?
<< The downloader that also infected me also dumped a few more nasties on my PC >> Any names?
The version of NIS2008 is 15.0.0.60.
The software I used didn't report that it was a variant. I know it's not good form to include a link to a competitor site but here is a link to the reference database http://www.pctools.com/mrc/infections/id/Trojan.Virtumonde/
Trojan.ISTbar is another of the infections that hit me at the same time. I believe this is a downloader and may have resulted in other threats being downloaded. NIS2008 did pick up and clean a few but I don't have the logs for that activity.
Adware.Maxifiles also hit me at the same time and probably resulted in the various popups that started to appear.
What I really can't understand is that I wasn't doing anything on the PC when this "attack" occurred. I had been using Google, left the room, and when I came back about 10 minutes later the screen was full of popups and the taskbar had vanished. I always have NIS on, firewall on and liveupdate on.
Anyway, hope this helps.
I'm not the person to help more on the trojan attack itself but there's plenty of help here from other users and from Norton Staff.
There is a more recent version of NIS2008 which you can get at: www.symantec.com/newnis.
This is a free update if your existing subscription is still valid so it's worth getting.
Here's a link to one Symantec document about Virtumonde -- that does give some registry and file locations that you might want to cross check as not being there after your clean-up.
See if one of the Norton Staffers can help with why it was not detected although with it not being there that might be more difficult -- you don't still have it in quarantine in the utility you used?
I take it you had it on Automatic LiveUpdate? What Setting is it on? To check this: Start > Control Panel > Symantec LiveUpdate. How often do you Run LiveUpdate Manually? How often do you Run a Full System Scan? Did you Run a Full System Scan before going to Tech. Support?
I would advise everyone, right now, to Run LiveUpdate as there are Attacks happening right now and the ThreatCon is at: Level 02: Elevated. Also, the Web Activities is High; E-mail and File Sharing are at Medium.
The big problem with virtumundo is that it changes by the day. So most anti virus vendors are walking behind it. It is a nasty little thing. I'm not surprised Norton didn't catch it. Most of them out there won't. Best thing you can do in these cases is send the samples to Symantec Malware Submission so Symantec can do something about it.
Just a quickie in regards to the Spyware Doctor, I assume you were using the trial version, which wouldn’t remove hardly anything until you’d purchased it? In case anyone else has the same problem, Google offer a trial version of this as part of their Google Pack which I have also found very useful in getting rid of Trojans which Norton said were not there. The Trojan I couldn’t find was Trojan.Backdoor I think, but also the one you’ve named, and the only way I could get rid of them was the Spyware Doctor.
Thanks for the info on the free update, I wasn’t aware of this. Fortunately I do still have it in quarantine so will try to work out how to send it on.
rnwhalley wrote:
Thanks for the info on the free update, I wasn't aware of this. Fortunately I do still have it in quarantine so will try to work out how to send it on.
Do a search here across all the boards on [how submit Symantec] and you should get the information -- Search here is very good.
This is probably a good message to look at
To answer some of the other questions posted, Live Update is on automatic but I also check for updates most days.
Regarding the PC Tools utility I was using, this is a paid for version including their AV engine so I was able to quarantine the virus. Interestingly the problem has now returned and I am back to explorer.exe restarting itself regularly. This time none of the virus scans are picking up a problem.
I have a process viewer and I can see the IMAPI object starting, killing explorer.exe and then a new version starting. I can use this to suspend explorer.exe which stops the reload problem but then it also stops the desktop and taskbar from being accessible. I tried a scan whilst I had it suspended and Spyware Doctor picked up a further 2 infections but it hasn't cured the problem.
I will post further information to update on my progress.
If you are able to, please submit a sample to Symantec. Malware Submission
OK, I have managed to find the quarantined file and have submitted it. Not sure if they will be able to read it as it was quarantined by Spyware Doctor. Anyway fingers crossed.
I have also downloaded the latest NIS2008 as someone suggested but that isn't picking up the problem either.
Make sure you Run LiveUpdate every Few Hours to keep your Norton Product Updated and Run Full System Scans at least twice-a-week!
Thanks for the tip which I will use.
Now trying remote scanning from the internet. Norton and Spyware Doctor are still reporting the PC as clean but the explorer.exe process is still restarting every 10 seconds. I have also noticed that it has lowered my security settings in Internet Explorer and has removed all windows system restore points apart from one which seems to coincide with the infection.
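An added example, not part of the original thread: when scanners report clean but the shell keeps restarting as described in the post above, the respawn loop itself can be confirmed and timed from process-start records. The CSV layout, the sample records and the function names below are constructed for illustration and are not the output of any real tool.

```python
from datetime import datetime, timedelta

# Constructed sample: process-start records in a made-up CSV layout
# (timestamp,image,pid,parent_image). Not output from any real tool.
SAMPLE_EVENTS = """\
2008-07-15T16:00:00,explorer.exe,1200,userinit.exe
2008-07-15T16:00:05,iexplore.exe,1310,explorer.exe
2008-07-15T16:05:10,explorer.exe,1444,winlogon.exe
2008-07-15T16:05:20,explorer.exe,1502,winlogon.exe
2008-07-15T16:05:30,explorer.exe,1560,winlogon.exe
2008-07-15T16:05:41,explorer.exe,1618,winlogon.exe
2008-07-15T16:30:00,notepad.exe,1700,explorer.exe
"""

def parse_events(text):
    """Return (datetime, image, pid, parent) tuples from the constructed CSV."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, image, pid, parent = line.strip().split(",")
            events.append((datetime.fromisoformat(ts), image.lower(),
                           int(pid), parent.lower()))
    return events

def find_respawn_loops(events, image="explorer.exe", min_starts=3,
                       max_gap=timedelta(seconds=30)):
    """Report runs of >= min_starts starts of `image` spaced <= max_gap apart."""
    starts = sorted(e for e in events if e[1] == image.lower())
    runs, run = [], []
    for ev in starts:
        # A long quiet gap closes the current run; a normal logon is a run of 1.
        if run and ev[0] - run[-1][0] > max_gap:
            runs.append(run)
            run = []
        run.append(ev)
    if run:
        runs.append(run)
    findings = []
    for r in (r for r in runs if len(r) >= min_starts):
        span = (r[-1][0] - r[0][0]).total_seconds()
        findings.append({"first": r[0][0], "last": r[-1][0], "starts": len(r),
                         "mean_interval_s": round(span / (len(r) - 1), 1),
                         "parents": sorted({e[3] for e in r})})
    return findings

if __name__ == "__main__":
    for finding in find_respawn_loops(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The first and last timestamps of a reported run give a window in which to look for whatever started just before each restart.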
Try running Malwarebytes:
It is a free utility which I used over this past weekend to help remove similar symptoms from a friend's computer (he was not using NIS).
I had to run Malwarebytes, Spybot, the installed Internet Security program, a few times before I got it all cleared off. And honestly I'm still not 100% sure; but three days and no new issues.
I also used the instructions from the Symantec Site regarding manual removal from the registry.
Turn off System Restore until you are sure you have removed it. Also once you start the cleaning process, disconnect from the internet - that seemed to help.
The one I removed had deleted all restore points, changed the Internet Security (not Norton) settings, shut off Windows automatic update and placed the words "Virus Alert" in the system tray by the clock. It also removed most of the needed entries from the start menu window and was throwing pop-up windows like crazy. It really took some work to get it out.
Phil_D wrote: Try running Malwarebytes:
This and superantispyware can help. www.superantispyware.com
Thanks for the suggested sites to try out. I will give them a go later when my latest scan attempt has completed. Good point about System Restore I will also try this.
Current situation is Norton picks up nothing in a full scan. I am now having problems with the LiveUpdate in Norton as it is downloading signatures but failing to process the download successfully. I think it may have been attacked in some way.
I have also been running Bit Defender from their web site and it picked up a Trojan.Downloader.AWA and a number of Trojan.Generic infections which it deleted. From time to time this seems to fix the problem but then after I log back on the problem with the explorer.exe starts again. I suspect it has left fragments of itself on my drive and the shut down or startup process initiates it again. Interestingly Bit Defender is now showing clean as well.
I have now gone back to trying Spyware Doctor with the latest set of virus signatures. The current scan is 18% complete and has found 446 High Risk infections. Most of these seem to be concentrated in a Local Temp directory within a folder called Patcher\Staging Area. This looks pretty dubious to me.
I also got the Malware report back from the infected file I submitted to Norton. The automated check they did couldn't find any malicious code and they have retained the sample for further checks.
I'm not beaten yet though
Thanks for the update. Please let us know if Malwarebytes and/or SAS could do something for you.
mwhalley,
Unfortunately when you get hit hard like this you need multiple angles of attack hence the utilities suggested by Stu and myself.
As far as the temp folders, the information in there may or may not be needed for the online scan from Bit Defender. However if you are through using that scan, I wouldn't hesitate to completely delete everything in the temp folder – also then be sure to empty the recycle bin.
I can tell you that I had my best success once I turned off System Restore and disconnected from the internet. I think after the initial cleaning, a few nasties were left behind and while I was still internet connected they just “phoned home” and came back as before.
While disconnected, I ran the various scans in SAFE MODE and then in Normal Mode.
Once downloaded, installed and updated I know you can use Malwarebytes without the need for internet access. You should also run NIS while disconnected. Also be sure to run SAS recommended by Stu.
Have patience; as I mentioned you may have to perform each operation multiple times, but I’m sure you’ll win.
Don’t give up!
<< I wouldn't hesitate to completely delete everything in the temp folder – also then be sure to empty the recycle bin. >>
Just a time saving reminder -- if you hold down SHIFT when using the DEL key then the deleted files don't go into the Recycle Bin. Of course you might want to check it for files from before starting to clean up.