
Possible Rootkit Affecting Norton Internet Security


  • This topic is locked

#1 wattshr


Posted 10 January 2010 - 03:13 PM

Hello--

I was directed to this forum by the folks over on the Norton Community forums because they believe that I may have a possible rootkit that you may be able to assist with.

Yesterday, I found an issue where all Google search result pages were being redirected through businesssite.net when I clicked on them, instead taking me to various "search result" pages unrelated to my original search. Seeing this, I assumed spyware/malware/viruses of some sort, so I ran a couple programs to try to clean things out. I ran SpyBot, Malwarebytes, SUPERAntiSpyware, and ComboFix. Spybot detected 26 items I believe (I'm still trying to find the logs from that scan though unfortunately), and Malwarebytes detected 11 items, all of which looked to be Trojan related (I have the log from this run, if you need/want it). SUPERAntiSpyware didn't find any items to clean up.

The problem with Norton began when I then went to run ComboFix. It directed me to disable any spyware/virus programs before running the scan. It notified me that Norton Internet Security 2008 was running and that I needed to disable it. When I went to Start -> Programs, I'd click on Norton Internet Security, I'd get a cursor with an hourglass, but then nothing would open. I then tried to open it through My Computer -> Programs, but the same result. I can see that a new instance of uiStub2.exe would be created in Task Manager each time I tried to open NIS. I'd try to kill extra instances of this program, but was getting an access denied message. If I started my computer up in SafeMode, I did get a dialog box when I went to NIS from the start menu that said that there would be limited functionality, but asked if I'd like to run a full scan. If I said yes, it seemed to be scanning OK.

I went ahead and ran ComboFix anyway, which maybe I shouldn't have done since I couldn't disable the Norton, but I have that log available as well, if needed.

I then tried to uninstall NIS 2008 so that I could just do a clean install afterwards. I first tried to uninstall through the integrated uninstall program at Start -> Programs. Again, I'd get the cursor with the hourglass, but nothing would happen. I then tried to uninstall through Add/Remove Programs in Control Panel, but had the same result. In Safe Mode, when I went to do the Uninstall exe from the Start Menu, I was told that I needed to run it while my computer was in Normal mode. I finally tried downloading the Norton_Removal_Tool from the Norton website, but it also won't seem to run. I can see that it's starting, as I see many instances of Norton_Removal_Tool.exe in my Task Manager, but I cannot kill any of them either and am getting the same access denied message.

I finally tried to put in my Norton Internet Security 2008 CD that came with my laptop to see if it might try to do an install once inserted. Nothing ever opened. I tried to do Add Programs through the Control Panel and pointed to the setup.exe file on the disk, but nothing happened again.

This morning, I was directed by Norton to run HiJackThis, which I did, and again I have those logs available if needed.

Note: Before yesterday, I haven't had any issues with Norton. It usually appears at the bottom right of my screen and my regular weekly scan ran without issue Monday night. Again, I'm running Norton Internet Security 2008 on Windows XP Professional.

Please let me know if there's anything else I can provide to help in diagnosing this issue. Just FYI, my internet is no longer having the redirect issue it seems, so it's just the Norton issue that has me concerned.

Thanks in advance

-Heather-



#2 garmanma


Posted 10 January 2010 - 06:03 PM

Welcome to BC

If you downloaded HJT from Norton/Trend Micro we do not use it and it might not even post
It is a BETA version

Follow these directions

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

You will also be instructed to create a Root Repeal Log

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

The HJT team is very busy and it will take a while to get to your post
Please be patient and good luck
Mark

#3 Orange Blossom


Posted 12 January 2010 - 08:31 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/286257/possible-rootkit-affecting-norton-internet-security-2008/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom