Help needed for periodic Bla Trojan Horse

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by wwalker555, May 14, 2005.

  1. wwalker555

    wwalker555 Corporal

    Periodically when I connect to AOL and at the time of connection my NAV will issue the following message - 'Norton Internet Worm Protection has detected and blocked an intrusion attempt'. It is being blocked by Security Rule: Default Block Bla Trojan Horse.

    I have run a NAV full system scan and full scans by Ad-Aware, Spybot and CounterSpy, and everything is clean.

    Is this something I should be concerned about or is it nothing more than NAV Internet Worm Protection just doing its job? Is there something I can do to stop getting this intrusion attempt?
     
  2. killian_sh

    killian_sh Private E-2

  3. wwalker555

    wwalker555 Corporal

    Thanks for the reply killian, but I don't see that anything there applies (that I can understand anyway). I am not infected with Bla so I don't need to get rid of it. And of the recommendations it offers I think I am following all of the ones that apply except maybe the first one (don't quite understand what it means) and I haven't installed any patches since updating to SP2 in March.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    wwalker555,


    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:


    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  5. wwalker555

    wwalker555 Corporal

    Downloaded all the software required and performed all steps up to Scanning and Cleaning Steps 1b (I have Windows XP) - boot in safe mode with networking support. I was not able to start AOL to do the online scans. AOL would not start due to a communication error. Tried it multiple times with no success.

    I don't see a way around this, can I do all the online stuff without being in "Safe Mode with Networking"?
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The READ ME specifically states that if you can't run the online scans in safe mode for whatever reason to reboot and run them in normal mode.
     
  7. wwalker555

    wwalker555 Corporal

    It has been a while since my last reply/question on this thread -- was getting all the items done in the "Read Me First" sticky.

    The problem I am getting is that periodically when I connect to AOL and at the time of connection NAV (Norton Internet Worm Protection - which is my firewall) will issue the following message - 'Norton Internet Worm Protection has detected and blocked an intrusion attempt'. The worm being blocked is Bla Trojan Horse.

    I upgraded Windows from a very out of date SP1 in mid-February to SP2. In mid-March, I upgraded my Norton SystemWorks 2004 to Norton SystemWorks Premier 2005 and established Norton Internet Worm Protection as my firewall. Soon after then is when I started getting the warning almost every time I connected to AOL. I run NAV, Spybot w/ the immunize feature, Ad-Aware and CounterSpy all the time. Everything has been clean for months.

    So starting on 5/17, I started performing the items laid out in "Read Me".

    5/17 - Updated Windows - everything available to that date has been applied. Actually I thought this may have fixed the problem because the 'Norton Internet Worm Protection has detected and blocked an intrusion attempt' message did not appear for 9 days. But it is now back on almost a daily basis.

    5/26-5/28 - Removed Microsoft Java and installed Sun Java. Took a while because I ran into a few problems - okay now.

    Did steps 1,3,4 of Getting Prepared.

    5/29-6/1 - Started Scanning and Cleaning.
    Step-1, Ran Symantec Security Check and Trend Micro Free Online virus Scan - both ran clean (not run in Safe Mode, AOL wouldn't let me logon that way). Ran McAfee AVERT Stinger in Safe Mode - no problems found.

    Step-2, Ran CCleaner - lots of stuff cleaned out - problem not fixed.

    Step-3, Ran Ad-Aware and the Ad-Aware VX2 Cleaner Plug-in and Spybot (immunize was already on) - no problems found.

    Step-4, Ran CWShredder and Kill2 me - No problems found.

    'Norton Internet Worm Protection has detected and blocked an intrusion attempt' (Bla Trojan) message appeared the next time I booted and logged on to AOL.

    6/1-6/3 Started performing the Alternate Scans.

    Ran Bitdefender (issued a message that it failed to be able to update virus definitions), No problems found. Ran RavAntivirus, No problems found.

    Ran TrojanScan - I did find a worm IRC-WORM.Momma.e, got rid of it as detailed in http://forums.majorgeeks.com/showthread.php?p=589114#post589114.

    Couldn't run a-squared (a2) Free edition, I have an AOL account and you can't perform the register with an AOL address.

    Ran avast! Virus Cleaner Tool and ADS Spy - no problems found.

    'Norton Internet Worm Protection has detected and blocked an intrusion attempt' (Bla Trojan) message appeared the next time I booted and logged on to AOL.

    Sorry for being so verbose, but I figured more info is better.

    Do you actually think I have a problem? Or is this nothing more than NAV Internet Worm Protection just doing its job? Is there something I can do to stop getting this intrusion attempt -- even if there is no problem, getting this message almost every time I connect to AOL is annoying.

    Wayne
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Personally, Norton ain't worth anything anymore. I had a PC with NAV05 with updated defs and have a WORM. Norton still doesn't know it was on there.

    Personally I would recommend AVG for AntiVirus, ZoneAlarm for a Firewall, and SpyWare Guard & Spyware Blaster as my spyware protection.

    Norton will give you messages like that to make you think it's working when actually it's not. In your case it's possible something could be wrong or it could be nothing.

    Post a fresh HJT log and we will see if anything is hiding.
     
  9. wwalker555

    wwalker555 Corporal

    I am beginning to feel the same way about Norton especially after TrojanScan found that one worm that it did - I have had that software installed for about 3 years!!! -- two different versions of NAV (always with updated defs) never found it!!!

    I have attached the HJT log -- please let me know if you see something.

    Thanks,
    Wayne
     

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab

    Make sure All Browser Windows are Closed when you Click FIX.

    After removing the above entries your log will be clean!
     
  11. wwalker555

    wwalker555 Corporal

    Thanks for all the input BJGARRICK. I fixed the items indicated with HijackThis. Since I have run all the scans in the "Read Me First" and fixed the items with HijackThis and am still getting the Norton message (even after a reboot), I have to assume my PC is clean and I am the victim of a screwed up Norton system.

    I had installed NSW, not only for the NAV but also for some of the utilities, but I am sure those utilities must be able to be done by Windows or another utility package.

    I will remove NSW and install the virus and spyware programs you have suggested...

    I already have SpywareBlaster and will add SpyWare Guard. I assume it is okay to retain Spybot, Ad-Aware and CounterSpy (I will let this lapse after the subscription is up).

    If I am not mistaken, you should only have ONE virus protection software installed so when I remove NSW (which has NAV for my virus software and Norton Internet Worm Protection for my firewall) I will install AVG and ZoneAlarm.

    When I ran CCleaner, it seemed to have got rid of a lot of what must have been deadweight... would you suggest that I run it periodically?

    Do you think this is a sound plan?

    I do appreciate your help and work on my problem.

    Wayne
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, I would recommend installing AVG as my antivirus and ZoneAlarm as my firewall. As far as CCleaner, I run it every time I close a browser because I can't stand junk on my PC, but that's me lol!

    You should see this article on How to Protect yourself from malware!
     
