
virus -popups: Sentry Total Family Protection


25 replies to this topic

#1 rtxx
  • Members
  • 24 posts

Posted 26 January 2009 - 02:51 AM

Hi
This is my friend's computer, Win XP media center with recovery console. He has a virus that kept starting up programs like "sentry total family protection" and interfered with starting up other programs, wouldn't let him go to any website other than some AOL page.

He claims his Norton Internet Security 2006 was up to date & active before the infection. But "Security is disabled."

Based on some advice I saw elsewhere *before finding this forum*, I ran ComboFix, which stopped the popups until I rebooted. On rebooting, the computer started the popups again. I ran combofix again, went into safe mode and uninstalled a bunch of games that apparently my friend installed just before these problems started, rebooted, and for now there are no popups. However when I try to "turn Security on" within NIS, the computer just reboots. So I'm sure there's still a virus.

Would appreciate advice
thanks


#2 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 26 January 2009 - 11:02 AM

Hi and welcome ... Probably there is still malware on here, let's check...

Next run ATF:
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Follow with MBAM:
Please download Malwarebytes Anti-Malware (v1.32) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 rtxx
  • Topic Starter
  • Members
  • 24 posts

Posted 27 January 2009 - 02:58 AM

I ran ATF Cleaner and MBAM - after I caused another problem.

Just FYI, here's the other problem (but I assume this is something to be addressed perhaps at another forum, since it's probably not a virus issue in itself). Just to explain the situation:
Today, in Normal Mode (i.e. not Safe mode) I tried to start Norton Internet security (=NIS) and download current antivirus files. Whenever I "enabled protection" in NIS the computer would immediately reboot. (I suspect this is not exactly due to an active virus, but due to corruption already done by a virus. I could be wrong, certainly.) So to get around it, I went into NIS Options and set it to start whenever the computer starts. That was my big mistake. Now whenever the computer starts in Normal mode it immediately reboots before getting to the desktop. The only way the computer works now is in safe mode.

The problem is that NIS can't run or have its settings changed in safe mode, and Windows Installer can't uninstall it in safe mode, but I can't get the computer into Normal mode.

I tried a System Restore to January 14 (before the date that suspicious programs were installed), but that didn't change the behavior. The computer stays in an endless loop of rebooting unless I tell it to boot into safe mode, presumably due to corrupted NIS.

After that, I ran (in safe mode) ATF Cleaner and MBAM. Here's the file. It found no objects and didn't offer to remove anything.


Malwarebytes' Anti-Malware 1.33
Database version: 1698
Windows 5.1.2600 Service Pack 2

1/26/2009 6:11:17 PM
mbam-log-2009-01-26 (18-11-17).txt

Scan type: Quick Scan
Objects scanned: 56999
Time elapsed: 2 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



OK, so after that I went to online chat with Symantec reps. So I spent 2.5 hours with a Symantec analyst & his next level, more competent analyst. No progress. They decided I need to remove "the virus" first before NIS can be uninstalled.

Would still appreciate your advice
Thanks!
Richard

Edited by rtxx, 27 January 2009 - 05:31 AM.


#4 dhants20
  • Members
  • 32 posts

Posted 27 January 2009 - 03:13 AM

Download the removal tool for Norton from http://service1.symantec.com/Support/tsgen...005033108162039. Make sure your friend knows how to access his Norton account.

Edited by dhants20, 27 January 2009 - 03:15 AM.


#5 rtxx
  • Topic Starter
  • Members
  • 24 posts

Posted 27 January 2009 - 04:24 AM

Thanks, dhants. For that Norton Removal Tool, do you know if it works in safe mode? I'll try it (in fact I already had downloaded it) but I bet it doesn't.

My friend is more of a flake than I realized. Now he says he MAY have received warnings from Symantec before last December that his NIS subscription was expiring. Despite what I understood earlier, it looks like his NIS subscription probably expired Dec 31 or in January, before the malware took over his computer. And he was broke, so he didn't do anything about it, including that he didn't mention the situation to anyone halfway responsible (me for instance) who could have installed free AV & firewall. AND he didn't pay any attention when his MSIE homepage changed without any action on his part. AND he downloaded WeatherBug or some such from that new homepage. @#$% !!

One hopes one learns from one's consequences. But one hopes one's consequences aren't too severe. He's slow in some respects but I care about him. Yeah, I let him know I'm irritated about this.

And I'm sorry now for not following boopme's directions as given.

#6 dhants20
  • Members
  • 32 posts

Posted 27 January 2009 - 04:29 AM

"OK, so after that I went to online chat with Symantec reps. So I spent 2.5 hours with a Symantec analyst & his next level, more competent analyst. No progress. They decided I need to remove "the virus" first before NIS can be uninstalled." - They really told you this, huh? Guess they're not really competent. :thumbsup: It would take 2.5 hours if I were your tech. :flowers:

Were you able to clear out the viruses? And yes, it should run in safe mode.

Edited by dhants20, 27 January 2009 - 04:30 AM.


#7 rtxx
  • Topic Starter
  • Members
  • 24 posts

Posted 27 January 2009 - 04:58 AM

Well, after being transferred to Symantec's antivirus team (at 11pm, 3 hrs after starting chat with their support team) and then being told it would cost $100, which neither of us have, I decided to wait till Tuesday (yep, today) and went home.

Thanks, will try it assuming that suggestion isn't outranked by boopme.

#8 rtxx
  • Topic Starter
  • Members
  • 24 posts

Posted 27 January 2009 - 05:03 AM

If NIS removal tool works in safe mode, why didn't the Symantec analysts think of that?
Wait, don't answer that.


Symantec would charge $100 for virus removal. These bleeping computer volunteers are amazing. Thanks, you guys!

Edited by rtxx, 27 January 2009 - 05:06 AM.


#9 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 27 January 2009 - 10:26 AM

Have you tried to uninstall NIS through the Control Panel, Add/Remove Programs, while in safe mode?

#10 rtxx
  • Topic Starter
  • Members
  • 24 posts

Posted 27 January 2009 - 01:39 PM

Yes, I tried; it doesn't work. Somewhere I saw an explanation from Symantec saying that this is because the Windows Installer program, used by NIS, doesn't run in safe mode.

#11 rtxx
  • Topic Starter
  • Members
  • 24 posts

Posted 27 January 2009 - 02:20 PM

Looks like indeed the Norton Removal Tool should work in safe mode. Here's a comment to that effect from someone who appears to be "Norton Authorized Support Team":
http://forums.majorgeeks.com/showthread.php?t=150327
"You do not want to use Add/Remove Programs to uninstall the software, as the Norton Removal Tool is specifically designed to properly remove all of the components. Running it a few times is the best route to go with to ensure that all of the components, including the LiveUpdate scheduler, are removed.
If you get any error messages while running the removal tool in regular Windows mode, then run the tool while booted into Safe Mode."

I'll try it when I get over there this afternoon.


"If NIS removal tool works in safe mode, why didn't the Symantec analysts think of that?
Wait, don't answer that."


#12 rtxx
  • Topic Starter
  • Members
  • 24 posts

Posted 27 January 2009 - 08:06 PM

Success!
dhants, you were absolutely right, Norton Removal Tool runs in Safe mode, and now my friend's computer boots normally. The issue that prevented booting normally **was Norton Internet Security 2006**, and it was NOT an active virus as their analyst claimed.

So, using NORTON's OWN tool I was able to fix that issue in ~15 minutes, although last night I spent almost THREE HOURS connected to their outsourced analysts, who were UNABLE to fix it.

This episode tells me something about a) their applications, and b) the quality of their customer support. I will be actively discouraging anyone I hear who is thinking about using Norton security products.

Back to the original issue, the malware infection. So I have run ATF Cleaner and MBAM again, this time in normal mode. No surprise (since I got the same result previously): MBAM found nothing to report. I'll paste in the log file from the quick scan. I'm now running a thorough scan. Nothing shows up yet.

If it would be helpful, I can post the log from the first combofix scan I ran (before seeing that this site discourages it). That got rid of the popping up "Sentry Total Family Protection" program (at least until I rebooted), and may give more of a clue as to what we're dealing with, & where it might be lurking in this computer?


Malwarebytes' Anti-Malware 1.33
Database version: 1701
Windows 5.1.2600 Service Pack 2

1/27/2009 4:41:55 PM
mbam-log-2009-01-27 (16-41-55).txt

Scan type: Quick Scan
Objects scanned: 57208
Time elapsed: 2 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
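The two MBAM logs pasted in this thread (posts #3 and #12) share a fixed layout: a header, a "Scan type" block, seven "<Category> Infected: <n>" counters, and one detail section per category. When you are triaging many such pastes, a small parser that reads the counters, cross-checks them against the detail sections and flags an edited or truncated log is more reliable than eyeballing. The following is an added example written for this page; it is not code from the thread or from Malwarebytes. The sample log it parses is constructed in the same layout as the posted ones, and its two detections are placeholders, not real indicators.

```python
"""Parse a Malwarebytes' Anti-Malware 1.3x text log and judge whether it is clean.

Added example, not code from the thread or from Malwarebytes. The layout is the
one visible in the logs posted in this thread; the sample below is constructed.
"""
import re
from dataclasses import dataclass

# The seven counters MBAM 1.3x prints, in the order seen in the posted logs.
EXPECTED_CATEGORIES = (
    "Memory Processes", "Memory Modules", "Registry Keys", "Registry Values",
    "Registry Data Items", "Folders", "Files",
)
NO_ITEMS = "(No malicious items detected)"
SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+) Infected: (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<category>[A-Za-z ]+) Infected:$")
# "<item> (<detection name>) -> <action>" detail lines; the item may itself contain spaces.
DETAIL_RE = re.compile(r"^(?P<item>.+) \((?P<name>[^()]+)\) -> (?P<action>.+)$")

# Constructed sample log (placeholder detections, not indicators from any real infection).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.33
Database version: 1701
Windows 5.1.2600 Service Pack 2

1/27/2009 9:00:00 PM
mbam-log-2009-01-27 (21-00-00).txt

Scan type: Full Scan (C:\\|)
Objects scanned: 140000
Time elapsed: 1 hour(s), 3 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\\Software\\EXAMPLE-PLACEHOLDER (Rogue.Placeholder) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\\Documents and Settings\\All Users\\Application Data\\placeholder.exe (Rogue.Placeholder) -> Quarantined and deleted successfully.
"""


@dataclass
class MbamReport:
    version: str
    database: str
    scan_type: str
    objects_scanned: int
    counts: dict    # category -> declared count from the summary block
    details: dict   # category -> detail lines (empty list when none)

    @property
    def total_infected(self) -> int:
        return sum(self.counts.values())

    def inconsistencies(self) -> list:
        """Categories whose counter disagrees with its detail section: the
        signature of a paste that was edited or cut off."""
        return sorted(c for c in EXPECTED_CATEGORIES
                      if self.counts.get(c, 0) != len(self.details.get(c, [])))

    def is_clean(self) -> bool:
        """True only for a complete log with every counter at zero and no detail
        lines. A log missing a section is treated as unknown, not as clean."""
        complete = all(c in self.counts and c in self.details for c in EXPECTED_CATEGORIES)
        return complete and self.total_infected == 0 and not any(self.details.values())


def parse_mbam_log(text: str) -> MbamReport:
    version = database = scan_type = ""
    objects_scanned = 0
    counts, details = {}, {}
    current = None  # name of the detail section currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None  # a blank line closes a detail section
            continue
        summary, header = SUMMARY_RE.match(line), HEADER_RE.match(line)
        if line.startswith("Malwarebytes' Anti-Malware "):
            version = line.rsplit(" ", 1)[1]
        elif line.startswith("Database version: "):
            database = line.split(": ", 1)[1]
        elif line.startswith("Scan type: "):
            scan_type = line.split(": ", 1)[1]
        elif line.startswith("Objects scanned: "):
            objects_scanned = int(line.split(": ", 1)[1])
        elif summary:
            counts[summary["category"]] = int(summary["count"])
        elif header:
            current = header["category"]
            details.setdefault(current, [])
        elif current is not None and line != NO_ITEMS:
            details[current].append(line)
    return MbamReport(version, database, scan_type, objects_scanned, counts, details)


def detections(report: MbamReport) -> list:
    """Flatten detail lines into (category, item, detection name, action) tuples."""
    out = []
    for category, lines in report.details.items():
        for line in lines:
            m = DETAIL_RE.match(line)
            out.append((category, m["item"], m["name"], m["action"]) if m
                       else (category, line, "", ""))
    return out


if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    print(f"MBAM {report.version}, database {report.database}, {report.scan_type}")
    print("clean" if report.is_clean() else f"{report.total_infected} item(s) flagged")
    for category, item, name, action in detections(report):
        print(f"  [{category}] {name}: {item} -> {action}")
    if report.inconsistencies():
        print("counters disagree with detail sections:", report.inconsistencies())
```

Two design points matter for triage: `is_clean()` refuses to call an incomplete log clean, so a paste that lost its detail sections is reported as unknown rather than as a negative result, and `inconsistencies()` catches the case where someone has zeroed the counters but left the detail lines in place (or the reverse). Run on the posted logs, every counter is zero and every section reads "(No malicious items detected)", which is exactly the verdict the thread reports.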

#13 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 27 January 2009 - 08:35 PM

Good for you!!! :thumbsup: Are you still having popups??

#14 rtxx
  • Topic Starter
  • Members
  • 24 posts

Posted 27 January 2009 - 08:42 PM

No popups (yet). After an hour of thorough scan, MBAM has found 2 objects infected so far. I don't know how long till the scan is done & we can get more info.

(If you have a different suggestion I can abort this scan.)

#15 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 27 January 2009 - 08:59 PM

Hi, I don't know how many files are on the PC, but MBAM usually completes in less than an hour. Are you running a Full or Quick scan? So I guess it should be done soon. You probably only needed a Quick scan, and they run from 10 to 30 mins, usually.



