Virus disabled Norton Anti-Virus

Discussion in 'Software' started by robert707, Mar 15, 2004.

Thread Status:
Not open for further replies.
  1. robert707

    robert707 Corporal

    Hi, I was surfing the net and hit a site with pop-ups that tried to download a program. I got a window asking me to authorize it but I refused; I think it said "Gain" but didn't think much of it at the time, so I didn't really pay attention. Anyway, I just happened to try and update my Norton Anti-Virus in the same session and found that Norton couldn't find an internet connection even though I was connected. I tried to scan for viruses but the "Scan Now" button had simply disappeared from the interface!

    Then I used Spybot Search and Destroy. It found a bunch of tracking cookies, which I deleted. Then I used CWShredder; it found nothing, but was "unable to update".
    Then I found that Norton was fixed! I updated the defs and scanned, finding nothing.
    I didn't pay attention to the Search and Destroy results 'cause they all said 'cookies', but could a simple cookie have caused all that?

    The reason I bring this to the forums is that I know from previous HORRIBLE experience that a virus does stuff upon rebooting AFTER the first time it's installed. The last time my anti-virus was disabled the computer wouldn't boot up into Windows again, and I spent two weeks figuring out how to scan for viruses from DOS out of an internet cafe. When I scanned, Norton found nothing, but I know there had to be something on my computer somewhere; CWShredder still can't update.

    Is there anything I should try before rebooting? Could a simple cookie have been it? Am I being paranoid? :)

    P.S. I have checked the task list and there's nothing suspect there, and I have deleted the temp and internet content folders.
     
  2. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

  3. alanc

    alanc MajorGeek

    Just to add to what the good General said, I found this info on Gain...
    at this site: http://www.pchell.com/support/gator.shtml

    Gator/Gain is well-known spyware, but I think it was probably some other nasty that disabled your NAV.
     
  4. robert707

    robert707 Corporal

    Progress on virus/trojan hunt

    OK, I scanned using the first link (Panda) and it found this:

    Exploit/iFrame Disinfected Local Folders\Sent Items\Re: $300. Rec'd

    But isn't that folder "Sent Items" from Outlook? 'Cause I didn't use Outlook in the session when I got the virus, so I think maybe that could have been something that had been there for a while and NOT the new infection. Also because my ZoneAlarm firewall still has an X on its icon in the system tray, and there's a red message in ZoneAlarm that says "system error: reboot". So whatever the Panda scan got hasn't changed the disabling of my firewall. Also, CWShredder still can't update.

    Am I right in thinking I shouldn't reboot, or is that the only way to know if I have something, or is there something else I can try yet?

    Would a "HijackThis" log be relevant? If so, can I post it here for advice? (I should ask first, I guess.)

    Oh, and I scanned for trojans using the link below and it found nothing. Also tried "Trojan Remover", which found nothing but says it will scan on boot, if and when I reboot. Will wait for more feedback.

    Thanks for your time, Rob :)
     
  5. alanc

    alanc MajorGeek

    What happened when you ran Ad-aware? Did Housecall find anything?

    The latest version of CWShredder is 1.53.1 - you can get it HERE

    I think rebooting is OK, but if you'd like to post a HijackThis log before you do that I'll take a look at it.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is another new virus out called W32/Polybot.l!irc. I think it would be worth checking out this info on McAfee's website. Look at the symptoms! It can cause things like ZoneAlarm, HiJack, most virus scanners and many more not to work. Here is the link:

    http://vil.nai.com/vil/content/v_101100.htm#RemovalInstructions
     
    Last edited: Mar 16, 2004
  7. DOA

    DOA MG's Loki

    Attached Files:

    Last edited: Mar 16, 2004
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I deleted this message!
     
    Last edited: Mar 16, 2004
  9. robert707

    robert707 Corporal

    Progress report + HijackThis log for Alanc

    OK, I ran Housecall and found nothing. Updated CWShredder by direct download and found nothing. Updated Ad-aware to version 6 and found this: in the Ad-aware results list it has a registry key icon; under "vendor" it says Alexa, under "type" it says DataMiner and under "Object" it says HKEY_LOCAL_MACHINE:SOFTWARE/IE/extensions with some long number. It also found 2 cookies also called 'DataMiner'. I need to know if it's safe to delete this registry key icon in Ad-aware and whether this is the likely cause of the recent anti-virus and firewall malfunction. I'm guessing it's NOT the virus if it's just a 'data miner' like the other cookies, and since quarantining it my firewall still isn't working, but I am just double checking.

    The link for the W32/Polybot! virus that Chaslang gave me requires me to update McAfee, which I don't have. 'Sloppy Goat' mentioned KAV or F-Secure. Are either of those a free download without requiring a postal address and telephone like McAfee?

    And before I chance rebooting, here is my HijackThis log for Alanc or anyone else who'd know what to do with it:

    Logfile of HijackThis v1.97.6
    Scan saved at 12:55:34 PM, on 3/16/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\TABLET.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\SIERRA\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\WINDOWS\ANVSHELL.EXE
    C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
    C:\PROGRAM FILES\JONATHANGRIMES\SIMPLY TRANSPARENT\SIMPLYTRANSPARENT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WINOA386.MOD
    C:\WINDOWS\SYSTEM\WINOA386.MOD
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\SIERRA\NORTON ANTIVIRUS\NAVW32.EXE
    C:\MY DOCUMENTS\LATESTZONE\HIJACKTHIS\HIJACKTHIS.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.184.51/find4u/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.184.51/find4u/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.184.51/find4u/sp.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.184.51/find4u/sp.htm
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\SIERRA\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
    O4 - HKLM\..\RunServices: [Tablet] C:\WINDOWS\SYSTEM\Tablet.exe
    O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Simply Transparent.lnk = C:\Program Files\JonathanGrimes\Simply Transparent\SimplyTransparent.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d205.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37919.5612847222
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
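    The R0/R1 lines in the log above all point Internet Explorer's search and start pages at a bare IP address, which is the search hijack the later replies refer to. The following added example (not from the thread or from HijackThis itself) parses R0/R1 entries in that log format and flags any whose URL host is a raw IP rather than a hostname; the sample log lines are constructed to match the shape of the ones posted above.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in the shape of the HijackThis v1.97 log quoted in the
# thread: "<type> - <hive\key>,<value name> = <data>".
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer,SearchURL = http://69.50.184.51/find4u/sp.htm
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://69.50.184.51/find4u/sp.htm
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = http://69.50.184.51/find4u/sp.htm
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.majorgeeks.com/
O4 - HKLM\\..\\Run: [Zone Labs Client] C:\\PROGRA~1\\ZONELA~1\\ZONEAL~1\\zlclient.exe
"""

# Only R0/R1 (IE start page / search page) entries are of interest here.
R_ENTRY = re.compile(r"^(R[01]) - (.+?),(.+?) = (.*)$")


def parse_r_entries(log_text):
    """Return the R0/R1 entries of a HijackThis log as dicts."""
    entries = []
    for line in log_text.splitlines():
        m = R_ENTRY.match(line.strip())
        if m:
            entries.append({"type": m.group(1), "key": m.group(2),
                            "value": m.group(3), "data": m.group(4)})
    return entries


def is_raw_ip_url(url):
    """True when the URL's host is a bare IP address instead of a hostname."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_search_hijacks(log_text):
    """Return R0/R1 entries whose search/start URL points at a raw IP,
    the pattern of the find4u hijack in the posted log."""
    return [e for e in parse_r_entries(log_text) if is_raw_ip_url(e["data"])]


if __name__ == "__main__":
    for hit in find_search_hijacks(SAMPLE_LOG):
        print(f"{hit['type']} {hit['key']},{hit['value']} -> {hit['data']}")
```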
     
  10. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    OK Robert, those entries are perfectly safe to delete.

    Secondly, I would advise downloading Spybot Search and Destroy here
    http://www.majorgeeks.com/download2471.html
    as you still have spyware.

    So I also suggest going to the Tips, Tricks and How-To forums and learning how to read HijackThis log files, and learning about removal and prevention of these kinds of attacks ;)
    http://www.majorgeeks.com/vb/forumdisplay.php?f=33

    Anything you still have problems with, just ask :)
     
  11. Brad

    Brad Private E-2

    Norton Internet Security
    I've had problems with Symantec's Update as well. It would download the update but couldn't install it.
    The fix I worked is:
    Go to Personal Firewall --> Internet Access Control --> look for "Symantec Norton Antivirus Scan and
    Deliver". Click on the arrow and change to "Permit all". You will find a lot of Symantec's tabs are set to
    Automatic, which sounds good, but I've found it's best to change all/most to permit all.
     
  12. carl_tapp_775

    carl_tapp_775 Private First Class

    Not sure how to do this, bear with me.....

    I had this problem as well. I kept Norton AV 2003 updated weekly since installation, but it seemed that I kept having lots of problems. Auto-Protect was disabled many times.
    I am running XP on my system, with Free Ram Pro, so I could see my RAM consumption was not what it should be. I kept running Norton hoping it would get to the problem, but it didn't. I started trying other things; reading forums on different sites didn't help. I finally got a response from someone and he told me to add SpyBot with TeaTimer active, which I did. I was already running Ad-aware 6.0, which has now been updated to SE Plus. And I have now added SpywareBlaster as well since finding this site. I went and added AntiVir also; I ran the program and guess what? It found two trojan backdoors, one worm and another virus. I removed them, but when I read the report it said:
    Master boot record of hard dic HDO OK
    Master boot record of hard disc HD1
    The record could not be read!
    Error code 0x0015
    C:/
    hiberfil.sys
    Access denied! Error during opening!
    Error code 0X000D
    Warning! Access Error/file locked!
    pagefile.sys
    Access denied! Error during file opening!
    This is a Windows swap file. This file is locked by
    Windows.
    Error code 0X00D
    Warning! access error/file locked
    C:/Documents and Settings\All Users\Application Data\
    SpyBot Search and Distroy\Recovery

    Then it goes through all the programs and logs on my PC reading: The whole archive is password protected.

    Am I reading and understanding correctly? Is SpyBot keeping the archive file locked at this point? I disabled System Restore and Auto-Protect in Norton; in fact I just uninstalled Norton completely.

    Should I uninstall Ad-aware SE Plus and the others, including SpywareBlaster, and then run the AntiVir program again?

    Or is it unnecessary since the Master Boot Record HD0 was okay anyway?

    I could find a list where I thought this might be more appropriate to place this topic. Hope this all makes sense and I can get some info on this. Thanks, Carl
     
  13. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Ok, time to stop.

    Robert707: You need to do some reading :) Please read and follow this thread:
    http://forums.majorgeeks.com/showthread.php?t=35407

    Hijack This log files tutorial and how to post:
    http://forums.majorgeeks.com/showthread.php?t=38752

    HijackThis is not a spyware removal tool, but you do have a hijack.
    If it does not work, please post a new thread in the Spyware forum.

    carl_tapp, posting in someone else's thread is considered rude; it distracts people from the issue they are working on and your own post usually gets ignored. Please start your own thread :)
     