Posted 10 January 2010 - 03:13 PM
I was directed to this forum by the folks over on the Norton Community forums because they believe that I may have a possible rootkit that you may be able to assist with.
Yesterday, I found an issue where all Google search result pages were being redirected through businesssite.net when I clicked on them, instead taking me to various "search result" pages unrelated to my original search. Seeing this, I assumed spyware/malware/viruses of some sort, so I ran a couple programs to try to clean things out. I ran SpyBot, Malwarebytes, SUPERAntiSpyware, and ComboFix. Spybot detected 26 items I believe (I'm still trying to find the logs from that scan though unfortunately), and Malwarebytes detected 11 items, all of which looked to be Trojan related (I have the log from this run, if you need/want it). SUPERAntiSpyware didn't find any items to clean up.
The problem with Norton began when I then went to run ComboFix. It directed me to disable any spyware/virus programs before running the scan. It notified me that Norton Internet Security 2008 was running and that I needed to disable it. When I went to Start -> Programs, I'd click on Norton Internet Security, I'd get a cursor with an hourglass, but then nothing would open. I then tried to open it through My Computer -> Programs, but the same result. I can see that a new instance of uiStub2.exe would be created in Task Manager each time I tried to open NIS. I'd try to kill extra instances of this program, but was getting an access denied message. If I started my computer up in Safe Mode, I did get a dialog box when I went to NIS from the start menu that said that there would be limited functionality, but asked if I'd like to run a full scan. If I said yes, it seemed to be scanning OK.
I went ahead and ran ComboFix anyway, which maybe I shouldn't have done since I couldn't disable the Norton, but I have that log available as well, if needed.
I then tried to uninstall NIS 2008 so that I could just do a clean install afterwards. I first tried to uninstall through the integrated uninstall program at Start -> Programs. Again, I'd get the cursor with the hourglass, but nothing would happen. I then tried to uninstall through Add/Remove Programs in Control Panel, but had the same result. In Safe Mode, when I went to do the Uninstall exe from the Start Menu, I was told that I needed to run it while my computer was in Normal mode. I finally tried downloading the Norton_Removal_Tool from the Norton website, but it also won't seem to run. I can see that it's starting, as I see many instances of Norton_Removal_Tool.exe in my Task Manager, but I cannot kill any of them either and am getting the same access denied message.
I finally tried to put in my Norton Internet Security 2008 CD that came with my laptop to see if it might try to do an install once inserted. Nothing ever opened. I tried to do Add Programs through the Control Panel and pointed to the setup.exe file on the disk, but nothing happened again.
This morning, I was directed by Norton to run HiJackThis, which I did, and again I have those logs available if needed.
Note: Before yesterday, I haven't had any issues with Norton. It usually appears at the bottom right of my screen and my regular weekly scan ran without issue Monday night. Again, I'm running Norton Internet Security 2008 on Windows XP Professional.
Please let me know if there's anything else I can provide to help in diagnosing this issue. Just FYI, my internet is no longer having the redirect issue it seems, so it's just the Norton issue that has me concerned.
Thanks in advance