Unable to remove this spreading threat - infected


Tim_Lopez wrote:

Hello Tech0utsider,

 

I'm not questioning that you would be protected. I'm fully confident in the layered protection in NIS to keep you secure.


Do you mean as in the Prevention or Detection or both? If so, Symantec needs to work on their Detection and S.O.N.A.R., because Norton has missed 15-or-so Malicious Files that another Free Product Detected over a few months.

 

B.T.W., I think N.I.S. 2009 is a very good product.

Missed as in on-demand scanning or behaviour-based detection – Sonar/Bloodhound?


Tim_Lopez wrote:

Hello Tech0utsider,

 

I'm not questioning that you would be protected. I'm fully confident in the layered protection in NIS to keep you secure. You could always submit the sample to Symantec to have it analyzed if the file was questionable. 


Hi Tim

 

I have spent the best part of this weekend trying to clean this infection out of my system. Not only was it hijacking my DNS, directing me to rogue sites through my Mozilla browser, as well as totally disabling NIS09, which I have had to reinstall; now I am completely unable to run Live Update, as the DNS corruption seems to have hijacked this somehow.

 

I have just about cleaned out the infection, with the exception of the Live Update problem (NOTE: it has also hijacked my DNS so I can't even get updates to run this Norton Security Scan). It is a test machine with backup available, but I like to get to the bottom of these things before giving up.

 

Now, to my disappointment and even dismay, I have just received a reply from Symantec Security Response telling me the file is CLEAN (tell me about it), but also a reply from Kaspersky Virus Submission telling me the file is infected and will be added to their next definitions base. Go figure.

 

Here are the replies I received:

 

[CLOSING]: Symantec Security Response Automation: Tracking #10006869. Below is a status update on your virus submission:

Date: November 1, 2008

Dear john a,

We have analyzed your submission. The following is a report of our
findings for each file you have submitted:

filename: c3222.zip
machine: Machine
result: See the developer notes

filename: c3222.exe
machine: Machine
result: See the developer notes

Developer notes:
c3222.zip is a container file of type ZIP
c3222.exe Our automation was unable to identify any malicious content in this submission.
The file will be stored for further human analysis This file is contained by c3222.zip.

Our automation was unable to identify any malicious content in this submission.
The file will be stored for further human analysis

Should you have any questions about your submission, please contact
your regional technical support from the Symantec website and give them
the tracking number in the subject of this message.

  
And this from Kaspersky:
 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Hello,

c3222.exe_ - Trojan.Win32.Pakes.llj

New malicious software was found in this file. Its detection will be included in the next update. Thank you for your help.

Please quote all when answering.
The answer is relevant to the latest bases from update sources.

--
Best regards, ...
Virus analyst, Kaspersky Lab.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

 

So there it is. I must say I have lost a little faith in Symantec Security Response for the moment, but not NIS09, which is excellent software.

 

John

 

 

Message Edited by johna on 11-02-2008 01:53 PM

Don’t give up hope, John. The letter from Symantec only says that their automation was unable to find any viruses and that the file was being saved for human analysis. Kaspersky may have just dived right in with human analysis.

Hi mijcar

 

What I understand that to mean is it will be stored away unless it needs to be reopened in the future for investigation. I have seen this before, and still have malicious files locked away in quarantine that I have had the same replies for, and they seem to get shelved after this first step, unless there is a need for future analysis.

 

Thanks for your reply.

John, I don’t want you to be right, but you may be. If I have a complaint about Norton staff response, it is that they seem to think one examination of the problem is sufficient. If it passes muster, then it is okay. I have experienced this myself and have had an unresolved issue with a webpage so bad it was finally taken down and which, to this moment, Norton says is fine. Let’s hope they listen a wee bit more than either of us have experienced.

Hi mijcar

 

It isn't necessarily myself I'm all that concerned about, it's any other Symantec customer that gets hit with this infection, because it isn't in the Symantec definitions base.

 

 

Message Edited by johna on 11-02-2008 02:24 PM

Tech0utsider wrote:

 

However, I recommend that you use a-squared antimalware to resolve this threat and to stop installing other security software, which could have been behind "knocking Norton out completely". 

 

 


No luck with a-squared, Tech, although it did pick up the original file as a Trojan.

 

 


Dieselman743 wrote:
Have you tried SuperAntiSpyware? It's actually more powerful than MBAM.

Hi Dieselman743

 

Because of the DNS corruption, for some reason I am unable to update SAS.


shane_pereira wrote:

Hi Johna,

 

Hence some specific questions:

- How did you download the exe? Through email? Web? etc.

- Where did you save it to and where did you run it from?

- How did you run it? Just double-clicked it?


Hi Shane

 

1. I had the link to the download sent to me by someone else I was trying to help recover from this infection, so yes, I downloaded the file straight from the web.

 

2. I saved it to my desktop, and ran it from there, after performing a right-click scan with NIS09.

 

3. Yes, I ran it by simply double-clicking it; it is a .exe file.

 

Thanks

 

 

I just PM'd you. Please have a look at it.

What were you doing that you became infected? Just curious. Here are some great tools.

 

http://www.ezpcfix.net/html/download.htm

 

http://www.majorgeeks.com/GMER_d5198.html

Hi Dieselman743

 

I was trying to help someone who was infected with the virus, and wanted to put it on a test machine of my own, as it was becoming so hard to remove. I was sent the link which got them infected, and it goes from there. I have a backup of my own, but I still need to be able to know how to remove it. The Malwarebytes' entries I mentioned earlier are the only remnants left, but they are causing all the trouble.

 

I will try those links.

 

Thanks!

Wow, even McAfee flagged them as malicious and Norton did not...

 

Well obviously detection of new malware is not Norton's strong point...

 

I thought that Norton was the best at rootkit detection and removal; only product to have a "++" in both detection and removal. And that was Norton 2008, not 09. 

Threatfire nabbed two of the files as malicious. ClamWin nabbed 1. NOD32 nabbed 1. The last one I deleted.

I've seen lots of threads in this forum; lots of them say Symantec can't scan, detect and remove lots of viruses while other security products can. Is it true? They said Symantec 2009 is good; I have my doubts now. Should I go back to NIS 2008, which has fewer problems? And one thing: is the trial version lousier at catching viruses and stuff, and lousier at the firewall and everything?

Message Edited by tanmx on 11-03-2008 03:37 AM

The trial version is the same as the full version. NIS 2009 has a better detection rate than NIS 2008. Just go to AV Comparatives and see for yourself.

Do you still have the problem?


ialexandra73 wrote:
do you still have the problem?

Yup, DNS is hijacked. Can't find anything in other forums. I have suggested changing DNS to manual, and referring to ISP for details.

 

This is a tough one.
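The post above suggests setting the DNS servers manually after a hijack. A quick way for a defender to confirm whether an adapter's resolvers have been tampered with is to parse `ipconfig /all` output and compare each adapter's "DNS Servers" entries against the resolvers the ISP or router is known to hand out. The script below is an added example and is not code from this thread or from any of the products discussed; the `ipconfig /all` text, the adapter names and the IP addresses are all constructed sample values, and `EXPECTED_RESOLVERS` is an assumed allowlist that you would replace with your own ISP's or router's addresses.

```python
import re

# Constructed sample of `ipconfig /all` output (not captured from the thread).
# The wired adapter has been pointed at two unexpected resolvers; the
# wireless adapter still uses the router.
SAMPLE_IPCONFIG = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : TESTBOX

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.example
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.5
                                       203.0.113.6

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Assumption: the resolvers the router and ISP are expected to hand out.
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.10", "198.51.100.11"}

# "Ethernet adapter Local Area Connection:" -> group(1) is the adapter name.
ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
# "   DNS Servers . . . . : 203.0.113.5" -> group(1) is the first resolver.
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*: *(\S+)\s*$")
# Additional resolvers are printed on deeply indented continuation lines.
CONT_RE = re.compile(r"^\s{20,}(\S+)\s*$")


def parse_dns_servers(ipconfig_text: str) -> dict:
    """Return {adapter name: [resolver, ...]} parsed from `ipconfig /all` text."""
    servers = {}
    adapter = None
    in_dns = False  # True while we are reading continuation lines of a DNS block
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1).strip()
            servers[adapter] = []
            in_dns = False
            continue
        if adapter is None:
            continue  # header lines before the first adapter section
        m = DNS_RE.match(line)
        if m:
            servers[adapter].append(m.group(1))
            in_dns = True
            continue
        m = CONT_RE.match(line) if in_dns else None
        if m:
            servers[adapter].append(m.group(1))
            continue
        in_dns = False  # any other line ends the DNS Servers block
    return servers


def find_unexpected_resolvers(ipconfig_text: str, expected: set) -> list:
    """Return (adapter, resolver) pairs whose resolver is not on the allowlist."""
    findings = []
    for adapter, addrs in parse_dns_servers(ipconfig_text).items():
        for addr in addrs:
            if addr not in expected:
                findings.append((adapter, addr))
    return findings


if __name__ == "__main__":
    # On a real machine: run `ipconfig /all > ipconfig.txt` and read that file
    # instead of the constructed sample.
    hits = find_unexpected_resolvers(SAMPLE_IPCONFIG, EXPECTED_RESOLVERS)
    if not hits:
        print("All configured DNS servers are on the expected list.")
    for adapter, addr in hits:
        print(f"UNEXPECTED resolver {addr} on adapter '{adapter}'")
```

Any adapter that reports a resolver outside the allowlist is a candidate for the manual DNS change suggested above; re-run the check after a reboot, since a surviving component of the infection may re-apply the rogue servers.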

Do this and tell me ....

1. Download these files - combofix.exe   http://download.bleepingcomputer.com/sUBs/ComboFix.exe      and
http://siri.urz.free.fr/Fix/SmitfraudFix.exe
and save them to the desktop.

Start in safe mode with networking.

Double click on smitfraudfix from the desktop
o Click Enter on the first blue message
o Click on the keyboard the 2 and Enter
o Wait until you see: Do you want to clean the registry? Click on the keyboard the Y and Enter
o WAIT UNTIL IT IS FINISHED; you will see a text log message. Close all the windows

2. Double click combofix from the desktop
3. Wait, and accept with Yes.
4. When finished, it will produce a log for you. Send me the log.
Note:
• Do not mouse-click combofix's window while it is running. That may cause it to stall.