04-21-2009 03:59 AM
Several days ago I started getting messages from Norton alert saying "[insert some sort of Russian/Cyrillic script here] wants to connect to the internet using svchost/windows/system32/wJQs.exe" yadda-yadda or something like that. I have the full message but I'm not going to bother reproducing it here right now. I would typically get this message either at random times or on startup or after the computer had been in sleep mode, and it would come up 2 or 3 times, sometimes with only a couple of svchost processes and sometimes with up to 8. I soon knew this was a virus since I had never seen anything like it, since wJQs.exe is a known virus apparently, and since this started happening after using utorrent for the first time. But anyway, I couldn't find the file myself even as a hidden file where Norton was telling me to look or in temp folders or anything, and Norton wouldn't get rid of it itself and didn't give me the option to "always block". I ran a virus scan >> no help. I contacted a Norton chat tech and he said run a scan from a special Norton program you could download if your Norton had been deactivated by a virus somehow >> no help. He also gave me a link for how to submit information to Norton for them to analyze, but when I went there I couldn't actually find anywhere to submit anything. Finally I just gave up and settled for having to manually block it several times a day. Then just now Lucallback updates and I run a scan and it tells me bloodhound.SONAR.1 has been detected or whatever like that, and it cleans a registry and a couple of processes, quarantines this, and submits a report automatically. So here's the questions part we're finally getting to:
I have additional information that I suspect the submitted report might not include. Where do I submit that?
Also, is there any way that I can force Norton to ALWAYS block a certain program from accessing the internet without having to ask me. I went through the Norton "Internet Security Options" menus with a fine-toothed comb and couldn't find any way to do this but I'm sure there must be some way and I'm just missing something, right?!
04-21-2009 04:49 AM - edited 04-21-2009 04:56 AM
To see if the file has been submitted, open NIS, click on the "History" link under "Computer" and check the Recent History of NIS activities.
You can submit a file once it is quarantined. First find the file in Quarantine, select it, click "More details" from right, and click "Submit to Symantec". If the file is not quarantined, you can do it manually when you go to "Quarantine" (from NIS main screen) and click "Add to quarantine". For detailed analysis, you can submit suspicious files to ThreatExpert or VirusTotal for example.
To block an application from accessing the internet, go to NIS options, under "Computer Setting" find "Smart Firewall" - "Program Control" and click configure. Click "Add", find the file you need to block, double click on it, a message should appear asking you whether to allow, block or manually configure internet access. From the drop down menu, select Block and click OK, then OK again, and exit NIS options. Now the file should be blocked.
04-23-2009 01:13 AM
OK, thanks vejdin for the info.
I just hadn't done anything more about it thinking "Oh, well, it's taken care of now." but I guess I was wrong to think that since just now another Norton virus scan ran and it AGAIN found a problem with the exact same areas:
1 registry entry (HKEY_USERS ... blah-blah-blah\Software\Microsoft\Windows\CurrentV
1 file (windows\system32\drivers\svchost.exe)
2 processes (same)
1 browser cache
So it's exactly the same thing in exactly the same location and wasn't really gotten rid of the first time apparently, even though I haven't had any more of those net-access requests? But this time instead of being called "bloodhound.SONAR.1" it's simply called "TrojanHorse" and the risk level has moved up from medium to high.
What the heck is going on?
Am I really rid of this thing or not?
Again I submitted it to Norton except this time I had to choose to submit it and last time it was submitted automatically.
04-23-2009 01:53 AM
"wJQs.exe" is indeed Malware:
1. Is part of a Trojan trying to download a Rogue Security program or
2. Possibly part of the early TDSS family variants.
Download Both Malwarebytes and SuperAntispyware Free
Install, Update definitions and Run Full Scans
One should detect it by now
The location "windows\system32\drivers\svchost.exe" is incorrect it should be
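A small check in the spirit of the point above about where svchost.exe belongs, added here as an example (it is not Norton's code and not from anyone in this thread). It assumes the legitimate binary lives at %SystemRoot%\System32\svchost.exe and that genuine instances are started by services.exe, and runs over constructed sample process records so it works offline:

```python
"""Flag svchost.exe instances that run from the wrong folder or under the
wrong parent. Process records are constructed inline (hypothetical field
names: name, path, parent) so the check runs on any OS without Windows."""
import ntpath

# Assumption: in real use read os.environ["SystemRoot"] instead of a constant.
SYSTEM_ROOT = r"C:\Windows"
# The only location Windows itself starts svchost.exe from.
LEGIT_SVCHOST = ntpath.join(SYSTEM_ROOT, "System32", "svchost.exe")
# Assumption: genuine svchost.exe instances are children of services.exe.
LEGIT_PARENT = "services.exe"


def normalize(path: str) -> str:
    """Case-fold and collapse separators so lookalike paths compare equal."""
    return ntpath.normpath(path).lower()


def classify(proc: dict) -> str:
    """Verdict for one process record: 'ignore' (not svchost), 'wrong-path',
    'wrong-parent' or 'ok'. Path is checked before parent on purpose: a copy
    in system32\\drivers is bad no matter what launched it."""
    if proc["name"].lower() != "svchost.exe":
        return "ignore"
    if normalize(proc["path"]) != normalize(LEGIT_SVCHOST):
        return "wrong-path"
    if proc["parent"].lower() != LEGIT_PARENT:
        return "wrong-parent"
    return "ok"


def suspicious(procs):
    """(path, verdict) for every svchost instance that fails a check."""
    return [(p["path"], v) for p in procs
            if (v := classify(p)) not in ("ok", "ignore")]


# Constructed sample, modelled on the paths mentioned in this thread.
SAMPLE = [
    {"name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"name": "svchost.exe", "path": r"C:\Windows\System32\drivers\svchost.exe", "parent": "explorer.exe"},
    {"name": "svchost.exe", "path": r"C:\WINDOWS\system32\svchost.exe", "parent": "wJQs.exe"},
    {"name": "explorer.exe", "path": r"C:\Windows\explorer.exe", "parent": "winlogon.exe"},
]

if __name__ == "__main__":
    for path, verdict in suspicious(SAMPLE):
        print(f"{verdict}: {path}")
```

The second record reproduces the drivers-folder copy discussed in this thread; the third shows that a correctly placed svchost.exe is still worth a look when its parent is not services.exe.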
04-23-2009 12:06 PM
I gather the one or a bit of both programs detected the Malware, including the fake "svchost.exe"??
So you are all clean and free.