What Norton Internet Security missed - down for 3 days

After IS gave me a "no threats found", all of the threats listed in the ASO scan below were still on my PC. Just a small sample of what Norton IS missed. Had me down for 3 days. Yes, I updated definitions before the scan, all the "protection" was on, and I scanned right before this scan by ASO. Why did Norton miss ALL these threats and many others? I had to use other working software to finally get my systems back up and running.

Norton:

Category: Scan Results
Date & Time: 9/10/2011 11:38 AM
Risk: Info
Activity: Idle Quick Scan results
Status: Completed
Task Name: Idle Quick Scan
Scan Time (d:h:m:s): 0:00:05:54
Total items scanned: 6,351
Files & Directories: 1,220
Registry Entries: 462
Processes & Start-Up Items: 4,094
Network & Browser Items: 28
Other: 547
Trusted Files: 0
Skipped Files: 0
Total Security Risks Detected: 0
Total Security Risks Resolved: 0
Total Security Risks Requiring Attention: 0
Heuristic Virus:
Heuristic Virus Resolved:

ASO SCAN:

Scan Log
Total Time: 169 Mins 22 Secs
Start Time: Sep 10, 2011 at 08:45:09 AM
End Time: Sep 10, 2011 at 11:34:31 AM

RogueProgram.MS-Antispyware-2009 (Rogue Antispyware Program)
Status : Quarantined
Infected registry keys/values detected
hkey_current_user\software\microsoft\windows\currentversion\drivers
hkey_current_user\software\microsoft\windows\currentversion\drivers\video
hkey_current_user\software\microsoft\windows\currentversion\drivers\video\options
--------------------------------------------------------------------------------
RogueProgram.WinAntiVirus-Pro-2006 (Rogue Antispyware Program)
Status : Quarantined
Infected registry keys/values detected
hkey_classes_root\*\shellex\contextmenuhandlers\shellextension
hkey_classes_root\directory\shellex\contextmenuhandlers\shellextension
hkey_classes_root\drive\shellex\contextmenuhandlers\shellextension
hkey_local_machine\software\classes\*\shellex\contextmenuhandlers\shellextension
hkey_local_machine\software\classes\directory\shellex\contextmenuhandlers\shellextension
hkey_local_machine\software\classes\drive\shellex\contextmenuhandlers\shellextension
--------------------------------------------------------------------------------
Malware.goldun (Generic Malware )
Status : Quarantined
Infected registry keys/values detected
hkey_local_machine\software\microsoft\windows nt\currentversion\windows\requiresignedappinit_dlls
--------------------------------------------------------------------------------
Malware.hatob (Generic Malware )
Status : Quarantined
Infected registry keys/values detected
hkey_local_machine\software\policies\microsoft\windows nt\windows file protection\sfcdisable
--------------------------------------------------------------------------------
Trojan.swisyn (Trojan)
Status : Quarantined
Infected registry keys/values detected
hkey_local_machine\system\currentcontrolset\services\catchme
hkey_local_machine\system\currentcontrolset\services\catchme\type
hkey_local_machine\system\currentcontrolset\services\catchme\errorcontrol
hkey_local_machine\system\currentcontrolset\services\catchme\start
hkey_local_machine\system\currentcontrolset\services\catchme\imagepath
hkey_local_machine\system\currentcontrolset\services\catchme\group
hkey_local_machine\system\currentcontrolset\services\catchme\enum
hkey_local_machine\system\currentcontrolset\services\catchme\enum\0
hkey_local_machine\system\currentcontrolset\services\catchme\enum\count
hkey_local_machine\system\currentcontrolset\services\catchme\enum\nextinstance
--------------------------------------------------------------------------------
Malware (General Components) (Generic Malware )
Status : Quarantined
Infected registry keys/values detected
hkey_current_user\software\microsoft\security center\antivirusdisablenotify
hkey_current_user\software\microsoft\security center\updatesdisablenotify
hkey_current_user\software\wget
--------------------------------------------------------------------------------
Trojan-Downloader.VB.ask (Trojan-Downloader)
Status : Quarantined
Infected files detected
FileName: c:\system volume information\_restore{87925209-405c-42a6-8fee-9cf10cc35238}\rp2420\a0816046.com
MD5: 92bd80f82fe8a28385b7d9d3f215e8b3 (73728 Bytes)
Signature:
FileName: c:\system volume information\_restore{87925209-405c-42a6-8fee-9cf10cc35238}\rp2420\a0816116.com
MD5: 92bd80f82fe8a28385b7d9d3f215e8b3 (73728 Bytes)
Signature:
FileName: c:\system volume information\_restore{87925209-405c-42a6-8fee-9cf10cc35238}\rp2420\a0816896.com
MD5: 92bd80f82fe8a28385b7d9d3f215e8b3 (73728 Bytes)
Signature:
FileName: c:\system volume information\_restore{87925209-405c-42a6-8fee-9cf10cc35238}\rp2421\a0817033.com
MD5: 92bd80f82fe8a28385b7d9d3f215e8b3 (73728 Bytes)
Signature:

Hey, and welcome to the Norton community. I have some questions for you.

Which Norton product and version are you using on your computer?

What operating system are you using, and is it up to date with the latest updates and service packs?

Can you check if Smart Definitions are enabled in your Norton product? Turn it off and then run LiveUpdate, and you will get the full set of virus definitions downloaded to your computer.

Go to the exceptions for Antivirus and SONAR and remove System Volume Information from the list, so that Norton can scan these areas for threats.

Which antivirus or on-demand scanner did you use to detect these threats on your computer?

Hi bhflex1,

These all appear to be remnants of threats that had already been removed from your PC prior to the most recent Norton scan.  Often, registry keys are left behind, sometimes intentionally, when a threat is removed.  Programs like Malwarebytes', for example, will alert to these leftover registry keys even though the actual threat is no longer present in a file on your computer.  Also, each threat might be represented by multiple entries, so the number of entries found is far more than the number of malicious programs that were actually on the machine.

The last part of your log shows the malware located in System Volume Information.  These are System Restore points where a threat has been backed up.  Threats located in SVI are inactive and cannot do any damage unless you restore the computer using that restore point, at which time Norton Auto-Protect would be invoked.  Norton scans would not detect a threat in SVI because SVI is not scanned by default.  Malware cannot be removed from SVI without corrupting the restore points, and it poses no threat, so the considerable time that would be spent scanning SVI would serve no purpose.

In short, it looks like something, possibly Norton or another AV product, successfully removed all of the active threats some time ago, and what you are seeing now are remnant registry keys and backed-up copies of threats in your restore points.  Your PC was safe.
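As an added example (not code from this thread, from Norton or from ASO), the following PowerShell check re-reads the registry locations named in the ASO log on the current machine and reports which still exist and what data they hold, which is the first thing to verify before deciding whether such entries are harmless remnants or a false positive. It assumes an elevated session on the affected PC; the value names are taken from the log as written, and the notes attached to each result are this example's own interpretation.

```powershell
# Added example (not from the thread, Norton or ASO): re-check the registry
# locations named in the ASO log on this machine and report which still exist,
# so remnant keys can be reviewed rather than taken on faith from a scanner.
# Assumes an elevated PowerShell session on the affected PC.

$targets = @(
    # Values that influence Windows self-protection or Security Center alerts
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection'; Name = 'SfcDisable' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';           Name = 'RequireSignedAppInit_DLLs' },
    @{ Path = 'HKCU:\Software\Microsoft\Security Center';                             Name = 'AntiVirusDisableNotify' },
    @{ Path = 'HKCU:\Software\Microsoft\Security Center';                             Name = 'UpdatesDisableNotify' },
    # Service entry from the log; ImagePath shows which binary it points at
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\catchme';                      Name = 'ImagePath' },
    # Bare keys from the log: checked for existence only
    @{ Path = 'HKCU:\Software\wget';                                                    Name = $null },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Drivers\Video\Options'; Name = $null },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ShellExtension'; Name = $null }
)

function Get-RemnantStatus {
    param([hashtable[]]$Entries)
    foreach ($e in $Entries) {
        # -LiteralPath so the '*' in the HKCR path is not treated as a wildcard
        $exists = Test-Path -LiteralPath $e.Path
        $data = $null
        if ($exists -and $e.Name) {
            $props = Get-ItemProperty -LiteralPath $e.Path -ErrorAction SilentlyContinue
            if ($props -and ($props.PSObject.Properties.Name -contains $e.Name)) {
                $data = $props.($e.Name)
            }
        }
        # Interpretation notes are this example's own, not scanner verdicts
        $note = if (-not $exists) { 'absent' }
                elseif ($e.Name -and $null -eq $data) { 'key present, value absent' }
                elseif ($e.Name -eq 'SfcDisable' -and $data -ne 0) { 'Windows File Protection disabled by policy: review' }
                elseif ($e.Name -eq 'ImagePath') { 'service present: inspect the target file' }
                elseif ($e.Name -eq 'RequireSignedAppInit_DLLs') { 'legitimate on newer Windows: compare with a clean machine' }
                else { 'present' }
        [pscustomobject]@{ Path = $e.Path; Value = $e.Name; Present = $exists; Data = $data; Note = $note }
    }
}

Get-RemnantStatus -Entries $targets | Format-Table -AutoSize -Wrap
```

A location reported as absent confirms the scanner was looking at a quarantined or already-removed entry; one reported as present is worth comparing against a known-clean machine before acting on it.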

Did as you suggested; Smart def. WAS on already though.  Still had 8 instances of trojan-backdoor.FLOOD.dropper. ASO finally removed them and the PC came back to life. Used Webroot and it found several infections when I ran Norton LiveUpdate in the certificates from Norton. Removed these and the rest of my problems stopped - for now.

On the other PCs I ran every Norton tool I could find on your site, including removal and reinstall, and the virus was still causing big problems. We have the latest NIS and PCA with daily updates.

I have had Norton on my PCs since 2004, and my oldest PC had infections from all the way back then - esp. in zip files. ASO and Webroot found them when Norton did not.

What to do?

Hi bhflex1,

How many real-time security and system monitoring programs are running at one time on your system?  I see what appears to be your post at BleepingComputer, and a couple of things stand out:

You say that Malwarebytes', NIS and Spybot Search and Destroy are all giving clean scans.  All of those are well-known and respected programs.  Malwarebytes' and Norton, in particular, have very high detection rates, and if you run both of those and find nothing, then there is almost certainly nothing to find.  I am inclined to think that the ASO product is giving you a false positive.  Your slow system performance may be due to conflicts among some of the programs you are running.  That is very typical of cases where functionalities overlap in security products.

OP needs to spend some time on Bleeping reading the logs on the malware removal forum.  Rather a large percentage of the users have more than one real-time scanner on the system.