Symantec Endpoint Protection can be disabled and shut down by a user-space process: this can be simulated with Process Hacker.
SEP can be disabled using Process Hacker (http://processhacker.sourceforge.net), a user-space process. We appear to have a trojan-like infection in our systems at Alice Smith (KL) and I have seen SEP disabled by a malicious attacker via Process Hacker.
Have you opened a support
Have you opened a support case for this issue and submitted any threat samples to Security Response?
Abhishek Pradhan, MCT, PMP
ISMS Internal Auditor (ISO 27001), SIG Lead - Microsoft Pune User Group
http://hackatac.blogspot.com | http://www.puneusergroup.org
"You can always spot a happy biker by the bugs in his teeth....."
Re: Support case
Yes, I have opened a support case. The reference number provided over chat was 493570644. I have not submitted any threat samples as yet, but I do have a few of them. Some are printed on paper and in the custody of my boss. He is contactable at The Alice Smith Schools Association KL, tel: 03 9543 3688. Request the Manager in charge of ICT Support (whole school).
I would suggest you fwd some
I would suggest you forward some of the file samples via the email you received when opening your support case. Make sure the case number is in the subject line.
Also send any of the printed docs too.
You may want to also try submitting the file samples to http://www.symantec.com/business/security_response/submitsamples.jsp
Pay attention to which support contract you have and select, as it makes a difference to the SLA for them getting back to you.
Why do people complain about support wait times, when there is an online portal?
http://mysupport.symantec.com
SEP bug and possible workaround?
Hi
Using Process Hacker, you can suspend or terminate the threads and/or handles under the rtvscan.exe process. This prevents revival of the rtvscan process while, I believe, disabling it.
What I have seen some people do is create a number of processes, with varying priorities, using nondescript names as well as known names so that not all the eggs are in one basket. Furthermore, I have also seen processes sitting under various other svchost.exe processes, as well as their own.
When I was using Process Hacker to disable these systems, it seemed impossible.
Regards
By the way, my user IDs mikorangester and mikorange have been hijacked.
Exploit?: Shutdown of DCOM service launcher with Process Hacker
If you shut down the DCOM service launcher with Process Hacker you get a system shutdown with Windows XP SP3.
Exploit? 2: Shutdown of DCOM service launcher with Process Hacker
It also restarts straight after.
Indicator of hacking related to onboard RF interface
Here is a hack of the Asus site http://vip.asus.com/eservice/techmailstatus.aspx .
I have been attempting to request a BIOS update from Asus to disable the onboard RF interface on my computer, using a Dell computer at work. I am getting some kind of interception and replacement of my requested web page with one that has the following property: when I press the submit button, I get a message box saying something like "Email Incorrect".
The second image is a fake Microsoft website that started being delivered about 2 days ago. Note the URL.
User name hijacked
Hi
My crazeeeeeem@hotmail.com user name has also been hijacked. I was once mikorangester, mikorange, crazeeeeeem and now this.
Regards
Tamper Protection
Is Tamper Protection enabled on these computers? If yes, what is the action set up (block or log)?
The user account you are logged in as: is it a limited user, a local admin, or something else?
Submit all your suspicious files to https://submit.symantec.com/basic
SEP 11.0 Top Articles
FAQ about Symantec Critical System Protection
Tamper protection is enabled
Hi
Just checked. Tamper protection is enabled. I just noticed that this is set to "log the event only". I will test with "block it and log the event".
Thanks
Testing tamper protection
I set the tamper protection to "block it and log the event". Went back to Process Hacker and tried doing the same. I can terminate the handles. I can terminate the threads. I notice something new: thread handles for rtvscan are resurrected (?) in the handles window. Will send a screen dump after I restart my computer.
Testing tamper protection 2
Sorry. Restarted PC, had a look at tamper protection settings and it was reset back to "log the event only". You will have to test this internally as I am still having to deal with this RF interference problem. Thanks
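The thread above turns on two defender-side questions: did a tamper attempt on rtvscan.exe get blocked or merely logged, and did the tamper-protection action silently fall back to "log only" after a reboot. The following is an added example (not from the thread and not Symantec's own tooling or log format) that runs that detection logic over a constructed, hypothetical event format; the field layout and all sample values are invented for illustration.

```python
import re

# Constructed sample events in a hypothetical format (NOT Symantec's real log):
# timestamp|event|target_process|actor|action
SAMPLE_LOG = """\
2009-06-01 09:00:01|TAMPER_SETTING|-|SYSTEM|log_only
2009-06-01 09:12:44|TAMPER_ATTEMPT|rtvscan.exe|ProcessHacker.exe|logged
2009-06-01 09:30:00|TAMPER_SETTING|-|admin|block_and_log
2009-06-01 09:31:10|TAMPER_ATTEMPT|rtvscan.exe|ProcessHacker.exe|blocked
2009-06-01 09:40:00|REBOOT|-|SYSTEM|-
2009-06-01 09:41:00|TAMPER_SETTING|-|SYSTEM|log_only
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\|(?P<event>\w+)\|"
    r"(?P<target>[^|]*)\|(?P<actor>[^|]*)\|(?P<action>[^|]*)$"
)

def parse_events(text):
    """Parse lines of the constructed format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def analyze(events):
    """Return alert strings for the two conditions discussed in the thread:
    1. a tamper attempt on the AV engine that was only logged, not blocked;
    2. the tamper action dropping from block_and_log back to log_only
       right after a reboot (policy drift or deliberate weakening)."""
    alerts = []
    current = None        # action currently configured
    before_reboot = None  # action that was configured when the last reboot happened
    for e in events:
        if e["event"] == "TAMPER_SETTING":
            if before_reboot == "block_and_log" and e["action"] == "log_only":
                alerts.append(f'{e["ts"]} tamper protection reverted to log_only after reboot')
            before_reboot = None
            current = e["action"]
        elif e["event"] == "REBOOT":
            before_reboot = current
        elif e["event"] == "TAMPER_ATTEMPT" and e["action"] != "blocked":
            alerts.append(f'{e["ts"]} {e["actor"]} tampered with {e["target"]} '
                          f'(action={current}, not blocked)')
    return alerts

if __name__ == "__main__":
    for alert in analyze(parse_events(SAMPLE_LOG)):
        print("ALERT:", alert)
```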
Seems like a dedicated MITM /
Seems like a dedicated MITM / Session hijacking attempt.
I'd seriously recommend that you reimage the system, as it seems every other ID of yours is being hijacked. Are you connecting to the internet over wireless? Also try to remove the RF device drivers from Device Manager and see if that helps to alleviate the issue.
Seeing the info you've given, it seems like a targeted attack specifically towards you / your company. Try to run Autoruns for Windows by Sysinternals and HijackThis to try and see which file / process is injecting itself into the generic processes. Maybe this will give us a lead into what's actually happening in the background.
MITM? What's that?
I think you are right that it is dedicated.
My question however is what do we do with the data loss that the school has experienced. We carry approx 1500 students between the ages of 7 and 16 and their details in a database. These MITMs have likely stolen this data and will be using it for reasons that are probably detrimental to them.
More specifically, this MITM is now acting like a trojan attack on the school. Is Symantec able to cauterize them? The RF Interface is an obvious gaping hole for malware.
I would suggest you to call
I would suggest you call Symantec support and run the ESUG load point utility; they will help you find which file or application is the root cause of the issue.
Sent to my boss
Hi
Thanks for response. I have sent your message to my boss.
MS Excel hacking
Here is a screen dump of an MS Excel hack. I was attempting to create a data validation drop down list and received the following message.
ESUG would not really help in
ESUG would not really help in identifying the real threat files. I'm not saying don't run it, but run another logging tool, HijackThis, to get a detailed log and post the log here so we can check for any discrepancies.
I'm saying this might be a targeted attack since standard AV / security software is failing to catch / identify the threat.
If most of your users are part of the Administrators group on the network, my first recommendation would be to revoke those credentials and make them normal users. Any attack on Windows XP based systems is primarily considered an elevation of privilege attack in most cases, since Windows XP makes all users with admin rights run all applications in elevated mode by default, unlike Windows Vista / Windows 7.
Additionally, I'd recommend that you run a full security audit of the database and change any / all passwords that may be compromised, and / or delete any usernames that are not supposed to have access to the DB. This will be one way of trying to crimp on whatever the other chaps are after, and you may also want to include your local law enforcement / DOJ chaps in this to run a forensic audit and footprinting to try and track down whoever did this, or where this activity is originating from, before all hell breaks loose.