Norton ENHANCED PROTECTION MODE is a fake security alert. If you are seeing this alert, your computer is infected with a trojan that uses the fake alert to trick you into thinking your PC is clean and protected.
The “Norton ENHANCED PROTECTION MODE” trojan comes from malicious websites that ask users to download an Adobe Flash Player update or a player needed to view a movie online. Once running, it will display an alert like the one below:
Next, the trojan installs additional components and configures them to run automatically when Windows loads. While it is running, the “Norton ENHANCED PROTECTION MODE” trojan blocks Norton Antivirus and displays the following fake security warning, which states:
Norton Antivirus
ENHANCED PROTECTION MODE
Attention!
Norton Antivirus operates under
enhanced protection mode.
This is temporary measure
necessary for immediate response to
the threat from virus.
No action is required from you.
Norton Antivirus
Release data of the anti-virus database:
[current data time]
Your system is protected
As stated above, the alert claims that your computer is protected in order to hide the presence of the trojan on your PC.
If your computer is infected with this malware, use the removal instructions below, which will remove the “Norton ENHANCED PROTECTION MODE” trojan and its other components for free.
Symptoms in a HijackThis Log
O4 - HKLM\..\Run: [wxpdrv] C:\WINDOWS\update.1\svchost.exe
O4 - HKLM\..\Run: [{RANDOM}.exe] "C:\DOCUME~1\1\LOCALS~1\Temp\{RANDOM}.exe"
O4 - HKLM\..\Run: [sysdriver32.exe] "C:\WINDOWS\sysdriver32.exe" rezerv
O4 - HKLM\..\Run: [sysdriver32_.exe] "C:\WINDOWS\sysdriver32_.exe" rezerv
O4 - HKLM\..\Run: [{RANDOM}.exe] "C:\WINDOWS\TEMP\{RANDOM}.exe"
O4 - HKLM\..\Run: [{RANDOM}.exe] "C:\DOCUME~1\1\LOCALS~1\Temp\{RANDOM}.exe"
O23 - Service: srvsysdriver32 - Unknown owner - C:\WINDOWS\sysdriver32.exe
O23 - Service: wxpdrivers - Unknown owner - C:\WINDOWS\update.1\svchost.exe
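A saved HijackThis log can be checked for entries of this shape with a short script. The Python below is an added example, not part of the original guide: the entry names come from the log above, while the heuristics, `ExampleTray`, `ExampleUpdater` and `1234567.exe` (standing in for the random file name) are constructed for illustration.

```python
import re

# Web pages and forums often turn ASCII '-' and '"' into typographic characters.
TYPO = str.maketrans({"\u2013": "-", "\u2014": "-", "\u201c": '"', "\u201d": '"'})
O4 = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] "?(?P<path>[^"]+?\.exe)"?(?:\s.*)?$', re.I)
O23 = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$', re.I)

# Entry and service names taken from the HijackThis symptoms on this page.
KNOWN_NAMES = {"wxpdrv", "sysdriver32.exe", "sysdriver32_.exe", "srvsysdriver32", "wxpdrivers"}

def reasons(name, path, owner=None):
    """Return the heuristics that an autostart or service entry trips."""
    p, why = path.lower(), []
    if name.lower() in KNOWN_NAMES:
        why.append("name listed on page")
    if "\\temp\\" in p:
        why.append("autostart from a temp directory")
    if p.endswith("\\svchost.exe") and not any(d in p for d in ("\\system32\\", "\\syswow64\\")):
        why.append("svchost.exe outside System32/SysWOW64")
    if owner and owner.lower() == "unknown owner":
        why.append("service with unknown owner")
    return why

def scan(log_text):
    """Return (section, name, path, reasons) for each suspicious O4/O23 line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.translate(TYPO).strip()  # undo typographic substitution
        m = O4.match(line) or O23.match(line)
        if m:
            g = m.groupdict()
            why = reasons(g["name"], g["path"].strip(), g.get("owner"))
            if why:
                findings.append((line.split()[0], g["name"], g["path"].strip(), why))
    return findings

# Constructed sample: two benign entries plus entries in the shape shown on the page.
SAMPLE = r"""
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
O4 – HKLM\..\Run: [wxpdrv] C:\WINDOWS\update.1\svchost.exe
O4 – HKLM\..\Run: [1234567.exe] “C:\DOCUME~1\1\LOCALS~1\Temp\1234567.exe”
O4 – HKLM\..\Run: [sysdriver32.exe] “C:\WINDOWS\sysdriver32.exe” rezerv
O23 – Service: wxpdrivers – Unknown owner – C:\WINDOWS\update.1\svchost.exe
O23 - Service: ExampleUpdater - Example Corp - C:\Program Files\Example\updater.exe
"""

if __name__ == "__main__":
    for section, name, path, why in scan(SAMPLE):
        print(f"{section} [{name}] {path}: {', '.join(why)}")
```

The parser accepts both ASCII and typographic dashes and quotes, so it works on a log copied from a web page as well as on the raw HijackThis file.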
Use the following instructions to remove Norton ENHANCED PROTECTION MODE Alert
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, follow the prompts to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan. The program will start scanning your computer for the Norton ENHANCED PROTECTION MODE Alert infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the removal process. When disinfection is completed, a log will open in Notepad. Reboot your computer.
Your system should now be free of the Norton ENHANCED PROTECTION MODE alert infection. If you need help with the instructions, then post your questions in our Spyware Removal forum.
Norton ENHANCED PROTECTION MODE Alert removal notes
Note 1: if you cannot download, install, run or update Malwarebytes Anti-malware, then follow the steps: Malwarebytes won't install, run or update – How to fix it.
Note 2: if your current antispyware and antivirus software let the infection through, you may want to consider purchasing the FULL version of MalwareBytes Anti-malware to protect your computer in the future.
Norton ENHANCED PROTECTION MODE Alert trojan creates the following files and folders
Norton ENHANCED PROTECTION MODE Alert trojan creates the following registry keys and values