Viruses Not Detected By Norton or McAfee

Hi guys, sorry to bother you, but I have this nasty problem that I can't solve.
OS: Windows XP Home Pre-SP2

Symptoms:
1) Every time Windows starts, my Symantec Antivirus gets shut down and won't start.
2) Ctrl-Alt-Delete brings up Task Manager for 0.5 seconds, and then it disappears.
3) "msconfig" at Start->Run results in no response.
4) Running "HijackThis" also results in no response.

What I have tried:
1) Rebooted into safe mode, ran Symantec Antivirus (successfully), updated to the latest definitions and did a full system scan, but it found nothing.
2) Under safe mode, ran Ad-Aware with the latest definitions; it found 10+ spyware items and I removed all of them.
3) Ran HijackThis under safe mode and removed all suspicious entries.
4) Went back to normal mode, and the problems still persist. I downloaded a copy of NOD32, and it also refuses to run (appears for a split second and disappears).

HOWEVER, if I rename all those files that refuse to run, they all run successfully. So I know the virus has a list of filenames somewhere that it prevents from running. So I ran NOD32's (renamed) system scan, and it found a couple of viruses that Symantec did not pick up, and I deleted all the infected files, but the problem STILL persists.

Right now, I am not experiencing any real problems other than those files not being able to run. I am just confused as to why Symantec wouldn't pick up those viruses, and why those symptoms still exist even after NOD32 cleaned them...

Any advice as to what to do?
Thanks a lot!!!!!

Rename hijackthis.exe to another name like hjt.exe and then run the program.  It should now allow you to create the log and post it here.
I dumped Norton about 6 months ago for AVG from Grisoft. It's free, scans for viruses and download trojans (websites love to push them to PCs these days), and doesn't hog resources like Norton or McAfee. Plus, it's generally not targeted by the virus coders (not popular enough, yet). Try this:

1. Go to the site and click the link to the free version. Fill in the required info (only first/last name, e-mail address, and country are required) and wait for the e-mail. Use the link in the e-mail to download the latest version. Once you download the software, check e-mail for a second message with the software serial #.

2. Turn off System Restore. It can cause problems when you are trying to remove viruses.

3. Uninstall Norton and McAfee. Reboot.

4. Install AVG. Don't reboot at the end of the install. Run the program and update the definitions. Do a full system scan (Run Complete Test). Reboot.

5. Run a full test again (just to be sure).

6. Test to see if things work correctly again.

This has worked for me many times (95 out of 100, if I had to guess). :)

Have you checked this yet?

Task Manager, MSCONFIG, or REGEDIT disappears while opening:
(site credit goes to Ramesh :)

And how about running Stinger in safe mode?

Rich Rumble (Security Samurai) commented:
There are plenty of viruses that shut down Task Manager and most AV products.
Use McAfee's Stinger; it will not get shut down by the viruses.
Turn off System Restore first, then reboot,
then use Stinger.
zxzwin (Author) commented:
I ran Stinger under safe mode, and it found nothing.
When you download HijackThis v1.98.2 from here, run it and save the log file:

Then post that log at this site to analyse.
Does it report anything as Nasty?
I had a trojan virus and my Norton did not detect it. This was the solution to get rid of it. You might try it:

Start->Run->sysdm.cpl <enter>
From the System Restore tab, uncheck System Restore (turn it off by checking it).
Reboot, and then deselect it to have it re-enabled (it 'can' come in handy sometimes, but can also be a hiding place for trojans).
This should take care of it (the trojan has embedded itself in one of your restore points; this will kill all restore points, and thus the trojan horse as well).
You will lose all previous restore points, as you've noticed, but you wouldn't want to restore this trojan either, so that's irrelevant...

If you are able to run the programs by renaming them, then as you have suggested the virus, or whatever it is, must have a list of files. If this is the case, it is performing a process enumeration, then using the process ID to obtain the filename and, in turn, terminating the process.

It is most important that you figure out what programs are running on startup and also running during a normal boot. Like others have said, HijackThis will show you. So will MSConfig. Either way, if you are able to get into msconfig by renaming it, then go to the Startup tab and untick anything that looks suspicious; be ruthless: if you don't know it, untick it. Note the file paths of those files for later. Restart and see if the problem still exists. If it doesn't (which I think it still may), then manually delete those files that you wrote down.

As always, update your antivirus software, get Spybot Search & Destroy (if you don't have it already), and do a complete scan.
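The process-enumeration behaviour described in the comment above, as an added example that is not code from this thread or from any of the tools it mentions. The process table, the kill list and the "executable" bytes are constructed stand-ins; nothing here enumerates or terminates real processes. It shows why renaming hijackthis.exe to hjt.exe defeats a killer that matches on file name, and why a matcher that keys on file content (here a SHA-256 of the image) is not fooled by the rename:

```python
"""Name-based process killing versus content-based matching.

Added example, not code from the thread. All processes, file contents and
the kill list below are constructed; no real process is touched."""
import hashlib
from dataclasses import dataclass

# Constructed kill list: names the hypothetical malware terminates on sight.
KILL_LIST = {"taskmgr.exe", "msconfig.exe", "hijackthis.exe", "nod32.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str     # image file name, as a process list would report it
    image: bytes  # constructed stand-in for the executable's bytes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def name_based_kill(procs, kill_list=KILL_LIST):
    """The behaviour the post describes: enumerate processes, resolve each PID
    to its file name, terminate those whose *name* is on the list.
    Returns the PIDs that would be terminated."""
    return sorted(p.pid for p in procs if p.name.lower() in kill_list)


def hash_based_match(procs, known):
    """Match on the image hash instead: a renamed copy has the same bytes, so
    it is still identified. Returns {pid: real name}."""
    hits = {}
    for p in procs:
        digest = sha256(p.image)
        if digest in known:
            hits[p.pid] = known[digest]
    return hits


# Constructed executable contents and process table.
TASKMGR_BYTES = b"MZ stand-in for taskmgr.exe"
HJT_BYTES = b"MZ stand-in for hijackthis.exe"
PROCS = [
    Proc(100, "taskmgr.exe", TASKMGR_BYTES),
    Proc(200, "hjt.exe", HJT_BYTES),  # HijackThis renamed, as the poster did
    Proc(300, "notepad.exe", b"MZ stand-in for notepad.exe"),
]
# Hashes of the tools we care about, keyed back to their real names.
KNOWN = {sha256(TASKMGR_BYTES): "taskmgr.exe", sha256(HJT_BYTES): "hijackthis.exe"}


def demo():
    """Returns (PIDs the name-based killer hits, PIDs the hash matcher hits)."""
    return name_based_kill(PROCS), hash_based_match(PROCS, KNOWN)


if __name__ == "__main__":
    killed, matched = demo()
    print("name-based killer terminates:", killed)    # hjt.exe survives
    print("hash-based matcher identifies:", matched)  # hjt.exe is recognised
```

The rename trick only works against a killer that compares names; a killer keyed on content, or on the OriginalFilename field in the PE version resource, would still find the renamed tool. The same observation cuts the other way for the defender: when you want to know whether a given binary is really running, compare a hash of the image on disk, not the name in the process list.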


I had a similar problem to this.

The list of viruses which lead to this is as follows:

What I would suggest is to download Tweak for Windows, and you will get the list of running processes.
You have diagnosed the problem correctly.

Check your system for all the above viruses manually and delete all the entries from the registry. This will be a lengthy process, but it is the best way to get rid of the problem.

I would suggest you do an online virus scan.

Do you get high Internet utilisation, even if you are not accessing e-mail or browsing, when you connect?

Did you make note of the viruses that you were infected with?

If so, have you looked into specific virus removal tools or instructions for those specific viruses?
Some viruses make changes to the registry (or even perform other obscure changes) that are not automatically removed if the virus files themselves are deleted.

I had an infected client at work today. My antivirus solution didn't find anything using the latest pattern file. Then I tried Stinger (latest version, came out yesterday) and won ;-)

Another nice tool is Sysclean with the latest pattern file from Trend Micro; it's free.

try this!

Tim Holman commented:
Pull down ClamWin and run it in safe mode.
As it's a pretty obscure virus checker, viruses tend to ignore it, whereas with McAfee, NAV etc. viruses will bind to the internal process and take the software application down, so it's free to worm its way around your network......
How about we let it rest for a while. The questioner has got a million and one suggestions. Let them try some out and see if any worked or not.


nader alkahtani (Network Engineer) commented:
I hope the security experts will correct my answer if it is wrong.
The reasons for this problem are as follows:

1. The machine may be formatted with FAT32, which doesn't support security features, so that any user (I call the virus a user) can make sensitive changes (like changing system files or registry entries) on the computer, because there are no permissions like those NTFS supports. So convert it with the command convert C: /FS:NTFS

2. The machine may be formatted with NTFS, but the user had Administrator privileges when the machine was infected by the virus. So don't use any user account that is a member of the Administrators group; when you need Administrator privileges, use Run As (Secondary Logon) instead of logging on as a member of the Administrators group. In this case, when the virus tries to infect your machine while you are logged on as a member with limited privileges, it may execute on your machine and try to make changes like registry entries to the following key:
to ensure it runs at every startup for all users. We know these registry entries have permissions and cannot be changed by an account like Guest, but Administrator and SYSTEM have Full Control, so the virus cannot have any effect on your system until you execute the virus EXE file with Administrator privileges.
We know now that the virus cannot infect the WHOLE system, but it can infect just your profile, and it can access some registry entries like the following key:
so that although you log on as a member with limited rights, the virus may still run at every startup done by you.
I made a test in my personal lab with a dangerous virus: my profile was damaged, but the other profiles were not.
By this method the virus can damage the boot sector because it needs permissions.
After a virus has done the above, it will need to log on to the system with Administrator privileges and guess some common accounts and passwords, for example:

Administrator                password
Administrator                system
SYSTEM                       root
and so on,
so you should apply complex passwords, especially for the Administrator account.
I guess that the virus CHANGED a REGISTRY ENTRY or some system files like DLL FILES because you executed the virus with Administrator privileges, or with limited permissions but with an Administrator account with no password (null) when the file system was NTFS, OR you executed the virus as any user when the file system was FAT32.
I have a question:
Q1: Did you log on with Administrative privileges when the machine was infected?

You said: "I'm am just confused as to why wouldn't Symantec pick up those viruses"
1. These may be very new viruses, and you may know that Symantec updates its virus definitions slowly, so it can't catch the new viruses.
2. OR you may have installed it without uninstalling NAV first (you should uninstall NAV first, then install it), so it kept the changed registry settings, and one or more of those settings tells NAV to exclude the VIRUS.EXE file from scanning, or disables working with the new updates.
3. You may have done a full scan with limited user rights, so NAV will scan just that user's profile, because it will be denied access to system files, and the virus may be in the %SYSTEMROOT%\system32 path.
And you asked: "and why do those symptoms still exist even when nod32 cleaned them"
In my opinion this is due to some reasons:
1. It comes from the Internet, whereas your machine runs XP SP2, which has dangerous holes. Look:

"Microsoft will make Windows XP Service Pack 2 available to the general public this week, but the enthusiasm for the first significant OS update in almost two years is now competing with worries over discoveries and claims of new holes and vulnerabilities. Through an anonymous tip, we confirmed a core vulnerability that could lead to spoofing in the Windows Security Center, the new control panel for a PC's security status. Another unpatched hole has been found in Internet Explorer that affects Version 5.01 and later, as well as an SP2 updated system. The hole allows an attacker to download a malicious executable to the user's system without their knowledge. For more on this IE flaw, see our Windows Update and vulnerabilities."
2. You may have cleaned the system without turning off System Restore, then used System Restore and restored the virus!!!

Good luck. I hope this helps you, and I hope everyone will correct my answers.
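An added example that is not code from this thread: an audit of the autostart entries that the earlier comment tells the poster to review in msconfig's Startup tab, and that the comment above splits into the all-users key (HKEY_LOCAL_MACHINE, writable only by Administrators and SYSTEM) and the per-profile key (HKEY_CURRENT_USER, writable by the limited user). The script parses the text format regedit's Export produces and reports, for each Run entry, which scope it applies to, the image it launches, and a reason to look closer. The export itself is constructed (including the "loader" and "SoundMan" entries), and the Run key paths are the standard Windows ones, assumed here to be the keys the comment refers to:

```python
"""Audit Run-key autostart entries from a regedit .reg export.

Added example, not code from the thread. SAMPLE_EXPORT is constructed; the
key paths are the standard Windows Run keys (an assumption about which keys
the comment meant)."""
import re

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"loader"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\loader.exe /s"
'''

SECTION = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="value" lines only; dword:/hex: values are not autostart commands.
STRING_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<val>(?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_entries(export_text: str):
    """Returns [(key, value name, command line)] for every string value under
    a ...\CurrentVersion\Run key in the export."""
    entries, key = [], None
    for raw in export_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            key = m.group("key")
            continue
        m = STRING_VALUE.match(line)
        if m and key and key.lower().endswith(r"\currentversion\run"):
            entries.append((key, _unescape(m.group("name")), _unescape(m.group("val"))))
    return entries


def image_path(command: str) -> str:
    """The program part of a command line: a quoted path, or text up to .exe."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r'(.*?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def audit(entries):
    """One finding per entry: scope, name, image and a reason to look closer
    (empty string when nothing stands out)."""
    findings = []
    for key, name, command in entries:
        image = image_path(command)
        low = image.lower()
        if not re.match(r'^[a-z]:\\', low):
            reason = "relative path: resolved through the search path, not a fixed file"
        elif "\\documents and settings\\" in low or "\\temp\\" in low:
            reason = "image lives in a user-writable location"
        else:
            reason = ""
        scope = "all users" if key.upper().startswith("HKEY_LOCAL_MACHINE") else "this profile only"
        findings.append({"scope": scope, "name": name, "image": image, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(parse_run_entries(SAMPLE_EXPORT)):
        flag = "CHECK " if f["reason"] else "      "
        print(f"{flag}[{f['scope']}] {f['name']}: {f['image']}  {f['reason']}")
```

To run it against a real export, note that regedit writes .reg files as UTF-16 with a byte-order mark, so read them with open(path, encoding="utf-16") before passing the text to parse_run_entries. An entry under HKEY_CURRENT_USER is exactly what a limited account can plant, which is why the comment above says a virus run without Administrator rights can still start with your profile; an entry under HKEY_LOCAL_MACHINE means something wrote there with administrative rights.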

nader alkahtani (Network Engineer) commented:
JPEG exploit could beat antivirus software - 09/30/2004  
Antivirus software could be ill-prepared to protect corporate networks from the latest Windows vulnerability--innocent-looking JPEG files that contain security attacks. According to Mikko Hypponen, director of antivirus research for F-Secure, antivirus software will strain to find JPEG malware, because by default, it only searches for .exe files. "Normal antivirus software, by default, will not detect JPEGs," Hypponen said. "You can set your antivirus scanner to look for JPEG, but the trouble is that you can change the file extension on a JPEG to so many things."

There are about 11 file name extensions to which JPEGs can be changed, including .icon or .jpg2. Hypponen said this would make finding malicious JPEGs even more difficult; searching could take up a significant amount of valuable processor power.
News source: 
You should follow the steps in this tutorial to protect against the JPEG Viruses:
Sounds like the machine is sick dude. If an on-demand scan can't find a virus then there is none.

Nothing more time consuming or more annoying than a rebuild.

But you feel better after.

Tim Holman commented:
> Sounds like the machine is sick dude. If an on-demand scan can't find a virus then there is none.

Disagreed..  if your virus engine is itself compromised, then it won't find certain viruses.  That's why it's best to run Stinger in Safe Mode to verify the integrity of the AV system itself.. ;)
nader alkahtani (Network Engineer) commented:
This may be your MAIN PROBLEM:

Microsoft Security Bulletin MS04-028
Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
