Solved

Viruses Not Detected By Norton or McAfee

Posted on 2004-09-27
19
1,114 Views
Last Modified: 2013-11-16
Hi, guys sorry to bother you, but I have this nasty problem that I can't solve.
OS: Windows XP Home Pre-SP2

Sympton: 1) Everytime Windows starts, my Symantec Antivirus get shutdown and won't start.  2) Ctrl-Alt-Delete brings up the taskmanager for 0.5 seconds, and it dissapears 3) "msconfig" at Start->Run results in no response. 4) Running "Hijackthis" also results in no response.

What I have tried: 1)Rebooted into safe mode, Ran Symantec Antirus (succesfully) and updated the latest definitions, and did a full system scan, but it found nothing  2) Under safe mode, Ran Adaware with the latest defintions, found 10+ spyware and removed all of them. 3) Ran Hijackthis under safe mode, and removed all suspicious entries 3) Went back to normal mode, and the problems still persist. I downloaded a copy of Nod32, and it also refuses to run (appears for a split second and dissapears).

HOWEVER, if i rename all those files that refuse to run, they all run succcesfully. So I know the virus has a list of filenames somewhere that it prevents them from running. So I ran nod32 (renamed) 's system scan, and it found a couple of viruses that Symantec did not pick up, and I deleted all the infected files, but the problem STILL persists.

Right now, I am not experiencing any real problems other than those files not being able to run. I'm am just confused as to why wouldn't Symantec pick up those viruses, and why do those symptoms still exist even when nod32 cleaned them....

Any advice as to what to do?
Thanks a lot!!!!!

0
Comment
Question by:zxzwin
19 Comments
 
LVL 7

Expert Comment

by:wparrott
ID: 12166835
I dumped Norton about 6 months ago for AVG from Grisoft. It's free, scans for virus' and download trojans (websites love to push them to PC's these days), and doesn't hog resources like Norton or McAfee. Plus, it's generally not targeted by the virus coders (not popular enough, yet). Try this:

1. Goto http://www.grisoft.com and click the link to the free version. Fill in the required info (only first/last name, email addr, and country required) and wait for the e-mail. Use the link in the e-mail to download the latest verison. Once you download the software, check e-mail for second message with software serial #.

2. Turn off System Restore. It can cause problems when you are trying to remove viruses.

3. Uninstall Norton and McAfee. Reboot.

4. Install AVG. Don't reboot at the end of the install. Run the program and update the definitions. Do a full system scan (Run Complete Test). Reboot.

5. Run a full test again (just to be sure).

6. Test to see if things work correctly again.

This has worked for me many times (95 out of 100, if I had to guess). :)

HTH...
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12167308
Have u checked this yet ??

Task Manager, MSCONFIG, or REGEDIT disappears while opening:
http://www.mvps.org/sramesh2k/ToolsQuit.htm
( site credit goes to Ramesh >> http://www.experts-exchange.com/M_926622.html :)

adn how abt running Stinger in safemode >> http://vil.nai.com/vil/stinger
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 12169778
There are plenty of Viri that shutdown task manager, and most AV products.
Use mcafee's stinger- it will not get shutdown by the viri.
Turn off system restore first- then reboot- http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
then use stinger http://vil.nai.com/vil/stinger/
-rich
0
 

Author Comment

by:zxzwin
ID: 12172676
I ran stinger under safemode, and it found nothing.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12172713
When u Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site to analyse >> http://www.hijackthis.de/index.php?langselect=english
Does it report anything as Nasty ??
0
 
LVL 25

Expert Comment

by:nickg5
ID: 12175917
I had a trojan virus and my Norton did not detect it. This was the solution to get rid of it. You might try it:

Start->Run->sysdm.cpl <enter>
From the System Restore tab, uncheck system restore.(turn it off by checking it)
Reboot, and then deselect it to have it reenabled (it 'can' come in handy sometimes, but can also be a hiding place for trojans).
This should take care of it - (the trojan has embedded itself in one of your restore points - this will kill all restore points, thus the trojan horse as well).
You will lose all previous restore points, as you've noticed -but you wouldn't want to restore this trojan either, so that's irrelevant...

0
 
LVL 1

Accepted Solution

by:
Grinler- earned 500 total points
ID: 12176425
Rename hijackthis.exe to another name like hjt.exe and then run the program.  It should now allow you to create the log and post it here.
0
 
LVL 5

Expert Comment

by:Hypoviax
ID: 12177199
If you are able to run the programs by renaming them then as you have suggested the virus or whatever it is must have a list of files. If this is the case it is performing a process enumeration then through using the process ID gaining the filename and , in turn, terminating the process.

It is most important that you figure out what programs are running on startup and also running during a normal boot. Like others have said hijackthis will show you. So will MSconfig. Either way, if you are able to get into msconfig through renaming it then go to the startup tab and untick anything that looks suspicious - be ruthless - if you dont know it untick it. Note the filepaths of those files for later. Restart and see if the problem still exists. If it doesn't (which i think it still may) then delete manually those files that you wrote down.

As allways, update your antivirus software, get spybot search and destroy(www.safer-networking.org) if you don't have it already, and do a complete scan.

Regards,

Hypoviax
0
 
LVL 1

Expert Comment

by:cool_apj
ID: 12177524
I had a similar Problem Like these.

The list of viruses which leads to these are as follows:
W32.HLLW.Kefy              
W32.HLLW.Cydog@mm
Backdoor.IRC.Yoink.A    
Backdoor.Volac.dr        
W32.Kwbot.R.Worm      
W32.Erkez.B@mm        
W32.Spybot                  
w32.spybot.worm.html
NETSTATT.EXE

Wat i wld suggest is download Tweak for windows and u wil get the list of process running.
U hv got the problem correctly.

Check ur system for all the above viruses manually and delete all the entries from the registry. These wld b a lenghy process but these is the best process to get rid of the problem.

Wld suggest you to do a online virus scan

Do u get high Internet utlisation, even if u r not accessing emails or browsing, when u connect.









0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 

Expert Comment

by:LauraLees
ID: 12178643
Did you make note of the viruses that you were infected with?

If so, have you looked into specific virus removal tools or instructions for those specific viruses?
Some viruses make changes to the registry (or even perform other obscure changes) that are not automatically removed if the virus files themselves are deleted.
0
 

Expert Comment

by:dipich
ID: 12182628
Hi

I had an infected clinet @ work today. My virus solution didn't found by using the latest pattern file. Then i tried stinger (latest version - came out yesterday) and won ;-)

An other nice tool is sysclean with the latest pattern file from trend micro - its free.

http://www.trendmicro.com/ftp/products/tsc/sysclean.com

http://de.trendmicro-europe.com/enterprise/support/pattern.php

try this!

Didi
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12191034
Pull down ClamWin from www.clamwin.org and run it in safe mode.
As it's a pretty obscure virus checker, viruses tend to ignore it, whereas with McAfee, NAV etc viruses will bind to internal process and take the software application down, so it's free to worm its way around your network......
0
 
LVL 5

Expert Comment

by:Hypoviax
ID: 12195136
How about we let it rest for a while. The questioner has got a million and one suggestions. Let them  try some out and see if any worked or not

Regards,

Hypoviax
0
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 12201534
I hope security experts to correct my answer if it was wrong :
the reasons of this problems are as following :

1.The machine may formatted with FAT32 that doesn't support security features , so that,  any user (I call the virus a user) can make sensitive changings (like change system files , registry entries ,  in computer because there is no permissions like what NTFS supports , so , convert it by the command convert C: /FS/:NTFS

2.The machine may formatted with NTFS but the user has Administrator previlliges  when the machine  was infected by the virus , so that don't use any user account that is member from Administrators Group until you need to Administrator previlliges  then use Run As instead of logon as a member from Administrators Group (using Secondary Logon) .in this case when the virus try to infect your machine when you logon as a member that has limited previlliges it will may excute in your machine and try to make changes like Registry entries to change the following key :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
to ensure runing every startup process for all users , we know this Registry entries have permissions and it cann't be changed by any ccount like Guest , but Administrator & SYSTEM have Full Control , then the virus cann't make any effectes of your system untill you excute virus EXE file with Administrator previlliges  .
We know now that the virus cannot infect ALL system , but it can infect just your profile and it can access to some registry entries like the following key :
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that although you logon as a member with limited rights , but the virus may run every startup process that done by you .
I made a test in my personal  lab with dangerous virus , my profile were damaged , but the other profiles didn't .
by this method the virus can damaged Boot Sector because it need to permissions .
after a virus did the mentioned above , it will need to logon to system using Administrator previlliges and guesses some commone accounts and passwords for example :

               
Adminstrator                password
Adminstrator
Adminstrator                system
SYSTEM                       root
and so ,
so that ,  you should apply  complexe passwords specially with Adminstrator account .
I guess that yhe virus CHANGED REGISTRY ENTRY OR some system files like DLL FILES becuase you excuted the virus with Adminstrator previlliges or with limited permissions but Adminstrator with no password (null) when files system was NTFS  OR you excuted the virus by any user when file system was FAT32 .
I have some quistion :
Q1:did you logon with Administrative previlliges when the machine was infected ?

You said : "I'm am just confused as to why wouldn't Symantec pick up those viruses"
1.this may be very new viruses and you may know that Symantec update viruses definitions by slow method , so that it cann't catch the new viruses .
OR
2.you may installed (while you should unistall NAV first then install it)  and it saved the registry changed and from this settings one or more setting tells the NAV to exclude VIRUS.EXE file from scanning or disable work with the new updates .
3.you may made full scan with limited user rights so that the NAV will  scan just the profile for that user because it will be denied from access to system files and the virus may be in %SYSTEMROOT%\system32  path .
and you asked " and why do those symptoms still exist even when nod32 cleaned them"
in my opinion this due to some reasons :
1.It comes from internet wherease your machine run XP SP2 that has dangeous holes , look :

"Microsoft will make Windows XP Service Pack 2 available to the general public this week, but the enthusiasm for the first significant OS update in almost two years is now competing with worries over discoveries and claims of new holes and vulnerabilities ( http://www.eweek.com/article2/0,1759,1638492,00.asp )  Through an anonymous tip, we confirmed a core vulnerability that could lead to spoofing in the Windows Security Center, the new control panel for a PC's security status. Another unpatched hole has been found in Internet Explorer that affects Version 5.01 and later, as well as on an SP2 updated system. The hole allows an attacker to download a malicious executable to the user's system without their knowledge. For more on this IE flaw, see our Windows Update and vulnerabilities. "

http://www.pcmag.com/article2/0,1759,1639275,00.asp

http://www.eweek.com/article2/0,1759,1636809,00.asp

2.you may made system cleaning with out turn off system restore then used system restore and restore virus !!! .

good luck , I hope to help you and hope from all to correct my answers

0
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 12204382
JPEG exploit could beat antivirus software - 09/30/2004  
Antivirus software could be ill-prepared to protect corporate networks from the latest Windows vulnerability--innocent-looking JPEG files that contain security attacks. According to Mikko Hypponen, director of antivirus research for F-Secure, antivirus software will strain to find JPEG malware, because by default, it only searches for .exe files. "Normal antivirus software, by default, will not detect JPEGs," Hypponen said. "You can set your antivirus scanner to look for JPEG, but the trouble is that you can change the file extension on a JPEG to so many things."

There are about 11 file name extensions to which JPEGs can be changed, including .icon or .jpg2. Hypponen said this would make finding malicious JPEGs even more difficult; searching could take up a significant amount of valuable processor power.
News source: www.news.com  
0
 
LVL 1

Expert Comment

by:Grinler-
ID: 12204929
You should follow the steps in this tutorial to protect against the JPEG Viruses:

http://www.bleepingcomputer.com/forums/topict3077.html
0
 
LVL 4

Expert Comment

by:ferg-o
ID: 12205652
Sounds like the machine is sick dude. If an on-demand scan can't find a virus then there is none.

Nothing more time consuming or more annoying than a rebuild.

But you feel better after.

0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12206565
> Sounds like the machine is sick dude. If an on-demand scan can't find a virus then there is none.

Disagreed..  if your virus engine is itself compromised, then it won't find certain viruses.  That's why it's best to run Stinger in Safe Mode to verify the integrity of the AV system itself.. ;)
0
 
LVL 8

Expert Comment

by:nader alkahtani
ID: 12206672
This may be your MAIN PROBLEM :


                                          Microsoft Security Bulletin MS04-028
                  Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)


http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx


0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now