
The Trojan that keeps replicating

Created: 13 Nov 2010 | 19 comments

So I've been stuck with this trojan that SAV finds and quarantines. I have read this discussion after weeks and weeks of research but I have not found a solution.

https://www-secure.symantec.com/connect/forums/liv...

I tried turning off System Restore without any luck. I downloaded Malwarebytes but it won't let me update, giving me this error message:

"NBAM_ERROR_UPDATING (12007, 0, WinHttpSendRequest)" (I already emailed them about this and offered a router reconfiguration.)

I tried ComboFix and still... no joy.

SAV still finds a new trojan every time there is a new update. I have serious problems with Internet Explorer every time I google "New York Times". First off, it redirects me to other sites - sometimes I would get porn pop-ups. (It's very awkward when you are trying to help a patron and all of a sudden, naked pictures pop up.)

I have been to many forums and still I could not find a solution. Can anyone help me?


Vikram Kumar-SAV to SEP

Is this on 1 machine or more?

Remove all IE Add-Ons

Delete all Temporary Internet Files and Delete everything inside %temp%

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Prahveer

In my opinion SAV is an obsolete AV for protecting your computers. I would strongly recommend you consider upgrading to Symantec Endpoint Protection 11, which incorporates a more powerful AV engine + IPS technology which is effective to ward off drive-by downloads.

To disinfect your computer, try using Norton Power Eraser available on http://liveupdate.symantec.com/upgrade/NMR/English...

If Norton Power Eraser fails to clean your computer:

Consider updating Flash Player, and either upgrade IE or, better still, use another web browser such as Mozilla Firefox or Google Chrome.

Also use ClearCloud DNS or Norton DNS to block access to malware sites. These two are very effective tools that should form part of your security arsenal.

www.nortondns.com

www.clearclouddns.com

Prahveer Kumar
BSc(Hons) Mathematics - year 2 student
University Of Technology,Mauritius


Hoboken Library

I do not wish to upgrade until I get this thing solved. As far as SAV is concerned, they are still updating the definitions. It is just a matter of locating this sneaky trojan.

mon_raralio

When you said you had no luck in turning off System Restore, does that mean that it cannot be turned off? And have you removed the contents of the Quarantine?

Check the following:

Run > msconfig

Go to Startup. Remove files you don't know. You may want to do some research on this before disabling them.

Regedit:

HKLM\Software\MS\Win\CurrVer\Run - look for suspicious entries

Go to Windows folder: Details, sort by date. Check what kind of files are recently created. Same with the System32 subfolder

Symantec also has a rescue CD to scan infected PCs.

Also check the C:\windows\system32\drivers\hosts file for any changes.

Then, change the IE settings back to default.

“Your most unhappy customers are your greatest source of learning.”

Hoboken Library

What I meant by "no luck" was that I did turn off System Restore but when I ran the full scan, SAV picked up nothing. As far as the Quarantined files, they are always deleted.

...and this may be a naive question but what did you mean by IE settings?

"Then, change the IE settings back to default."

mon_raralio

The malware may have made some changes in how IE connects to the Internet. Some values may have been added and security level settings may have been lowered.

Maybe compare this with another PC's, and copy the settings from that.

But to reset it to default... (IE 7 onwards)

Open IE settings... Internet Options > Advanced >

Reset/Restore buttons are found at the bottom.

“Your most unhappy customers are your greatest source of learning.”

Hoboken Library

I would love to add that I always run CCleaner, which clears all temp files, cache files etc. I also ran AVG and that did not work either.

Vikram Kumar-SAV to SEP

Have you done this?

Remove all IE Add-Ons

Delete all Temporary Internet Files and delete everything inside %temp%

Also try running GMER (from gmer.net) since it's a rootkit removal tool.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Hoboken Library

I'll do that and get back to you. Thanks for your reply. I really appreciate it. :)

cus000

Hi,

I would suggest you use Process Explorer and check if there's any unsigned program running in the background.

Just kill the guy and delete it...

If not, you may want to try updating Malwarebytes AM using this offline update tool, link below:

http://malwarebytes.gt500.org/

GL!

regards
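The manual checks mon_raralio and cus000 describe above (Run key entries, the hosts file, recently created files under Windows and System32, and unsigned programs running in the background) can be gathered in one read-only PowerShell triage script. This is an added example, not code from the thread or from Symantec; it assumes Windows PowerShell 3.0 or later and reads the hosts file at its standard location, %SystemRoot%\System32\drivers\etc\hosts.

```powershell
# Added triage script (not from the thread or from Symantec): it only
# reports, it deletes nothing. Run it from an elevated PowerShell window.
$ErrorActionPreference = 'SilentlyContinue'

# 1. Autostart entries in the HKLM and HKCU Run keys.
Write-Output '== Run key entries =='
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key
    if ($props) {
        # Get-ItemProperty adds PSPath/PSDrive/... metadata; skip those.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "{0}  {1} = {2}" -f $key, $_.Name, $_.Value }
    }
}

# 2. hosts file: a clean file has only comments and blank lines, so any
#    other line (e.g. a redirected search or AV update host) stands out.
Write-Output '== hosts entries that are not comments =='
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsFile |
    Where-Object { $_.Trim() -and $_.Trim() -notmatch '^#' }

# 3. Files created in the last 7 days directly under Windows and System32.
Write-Output '== Files created in the last 7 days (Windows, System32) =='
$since = (Get-Date).AddDays(-7)
foreach ($dir in $env:SystemRoot, (Join-Path $env:SystemRoot 'System32')) {
    Get-ChildItem -Path $dir -File |
        Where-Object { $_.CreationTime -gt $since } |
        Sort-Object CreationTime -Descending |
        ForEach-Object { "{0:u}  {1}" -f $_.CreationTime, $_.FullName }
}

# 4. Running processes whose image file has no valid Authenticode signature
#    (the same check Process Explorer's "Verified Signer" column does).
Write-Output '== Processes with unsigned or invalid-signature images =='
Get-Process |
    Where-Object { $_.Path } |
    Sort-Object -Property Path -Unique |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        if ($sig.Status -ne 'Valid') {
            "{0,-12}  {1}  {2}" -f $sig.Status, $_.Name, $_.Path
        }
    }
```

An unsigned image or an unexpected hosts line is a lead to investigate, not proof of infection; compare the output against a known-clean machine before removing anything.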

AravindKM

Try this tool

Symantec Endpoint Recovery Tool (SERT)

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Hoboken Library

Got some advice from Malwarebytes itself. They told me to reset the router settings and that seemed to work. I tried to update Malwarebytes defs and it would not let me. Kept giving me this message:

"NBAM_ERROR_UPDATING (12007, 0, WinHttpSendRequest)"

Anyway, after I reset the router settings, I was able to update the definitions with no problem. Ran the scan and it picked up 3 infectious objects. I hope that did the trick.

So far, I am not receiving any popups. I google New York Times and there are no popups. I'll keep you posted.

I will wait till the next update for the virus definitions is available from SAV. Usually when that happens, it picks up a trojan. We'll see what happens.

Thank you all for your replies. I appreciate it very much. Have a Happy Thanksgiving or Indian Genocide depending upon how you look at it. I'm Navajo so that is my joke for the day.

Monty_simmons

Hi,

I have a similar problem. How do you reset the router? I am not as advanced a user as you.

I work from home and I have an ADSL Modem.

I don't want to reinstall my laptop, which is what has been suggested by the professionals since they have tried to clean my laptop.

.Brian

Unplug it, wait two minutes, then plug back in.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

mon_raralio

To restore factory defaults on most routers, look for a tiny button that can only be pressed with a thin sturdy device like a straightened out paperclip or ballpoint pen. Disconnect the ethernet cables. Press-and-hold it for like 20 seconds. Lights usually flash to indicate that the router has been reset.

“Your most unhappy customers are your greatest source of learning.”

Prahveer

Prevention is better than cure.

For security reasons, I would strongly advise you to use Mozilla Firefox or even Google Chrome.

Google Chrome contains sandbox technology to minimise exposure to malicious code.

Try Norton Safe Web Lite or McAfee SiteAdvisor; both are free tools which warn you of malicious web sites.

Prahveer Kumar
BSc(Hons) Mathematics - year 2 student
University Of Technology,Mauritius


mon_raralio

I agree with using Mozilla Firefox in companies, and probably having the add-on NoScript. But usually, most companies, especially those working in IT, have very specific policies on what applications to use, probably due to licensing agreements, tie-ups, accountabilities and other reasons.

And if there are no restrictions, maybe some "older" management types still consider the software created by Mozilla as a maverick of some sort. And getting something to replace something they already have that is working is pointless. That's like trying to explain why there are alerts of detections on their computers when they have AVs in place - they're expecting their PC to be absolutely virus free from the day an AV is installed.

“Your most unhappy customers are your greatest source of learning.”

GPCALI

Symantec Endpoint Recovery Tool (SERT) download comes as an ISO (disk image). How do I use this? http://www.symantec.com/business/support/index?page=content&id=TECH131685&locale=en_US

Clean all types of temporary CCleaner