Rootkit Eradicator
Posts: 5,357
Registered: ‎05-30-2008

Re: Problem with Malware not found by Internet security.


Techguy1000 wrote:

Floating_Red wrote:

Greetings,

I know that N.I.S. Removed Files that were Detected as IEDefender; you could have got re-infected or N.I.S. may not have got all the Files.  That is why I suggested that.

Were you Connected to the Internet when Running this Scan?

No, I was in Safe Mode without networking.

Excellent.

Generally, you should be disconnected from the Internet when running Full System Scans.

Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]
Contributor
Shagrat
Posts: 17
Registered: ‎09-29-2008

Re: Problem with Malware not found by Internet security.

From what you describe, I suppose your computer is acting like an e-mail zombie.

SMTP is an e-mail protocol used to send e-mails; more precisely, SMTP is used by e-mail servers to handle messages between each other, where they then can be downloaded from the destination mailbox using POP3 or IMAP.

To be able to act as an e-mail server, there has to be a rather complex program installed on your machine. It is unlikely that it would be able to hide itself in such a way that it would not show up in the Processes tab in Task Manager.

It is probable you have a rootkit (more info on http://en.wikipedia.org/wiki/Rootkit) installed on your machine, which effectively hides itself and the e-mail server from the rest of the world, only using DCOM for data transfer. In such a case, NIS or any other antivirus would be to no avail here, as active rootkits are practically impossible to remove while running. In fact, the only 100% sure way to remove a rootkit is to format the drive and make a clean install of Windows.

I recommend booting another operating system and running the scan from it. It's possible, though, that the malware files would be hidden, encrypted or other sorts of nasties and therefore hard to detect, but good scanners would be able to detect and disable the rootkit.

Meanwhile, SMTP by definition operates on TCP port 25. Disabling this port in your firewall would prevent the malware from sending e-mails; however, it would prevent you from sending e-mails as well, if you are using MS Outlook configured to an SMTP server.


Rootkit Eradicator
Posts: 5,357
Registered: ‎05-30-2008

Re: Problem with Malware not found by Internet security.


Shagrat wrote:

From what you describe, I suppose your computer is acting like an e-mail zombie.

SMTP is an e-mail protocol used to send e-mails; more precisely, SMTP is used by e-mail servers to handle messages between each other, where they then can be downloaded from the destination mailbox using POP3 or IMAP.

To be able to act as an e-mail server, there has to be a rather complex program installed on your machine. It is unlikely that it would be able to hide itself in such a way that it would not show up in the Processes tab in Task Manager.

It is probable you have a rootkit (more info on http://en.wikipedia.org/wiki/Rootkit) installed on your machine, which effectively hides itself and the e-mail server from the rest of the world, only using DCOM for data transfer. In such a case, NIS or any other antivirus would be to no avail here, as active rootkits are practically impossible to remove while running. In fact, the only 100% sure way to remove a rootkit is to format the drive and make a clean install of Windows.

I recommend booting another operating system and running the scan from it. It's possible, though, that the malware files would be hidden, encrypted or other sorts of nasties and therefore hard to detect, but good scanners would be able to detect and disable the rootkit.

Meanwhile, SMTP by definition operates on TCP port 25. Disabling this port in your firewall would prevent the malware from sending e-mails; however, it would prevent you from sending e-mails as well, if you are using MS Outlook configured to an SMTP server.


I have to disagree here.  Norton Products are made to deal with Rootkits and should be able to Remove them; in the unlikely event it does not Remove them, please refer to your Anti-Virus Product to see which Rootkit it is.

Here is an example: Summary instructions for Hacktool.Rootkit: http://www.symantec.com/security_response/writeup.jsp?docid=2002-011710-0057-99&tabid=1.


Rootkit Eradicator
Stu
Posts: 5,210
Registered: ‎04-08-2008

Re: Problem with Malware not found by Internet security.

Have you tried to download and install Antibot? That might help.
"All that we are is the result of what we have thought"
Regular Contributor
Tech0utsider
Posts: 1,452
Registered: ‎07-29-2008

Re: Problem with Malware not found by Internet security.

65 million other Norton Community Users. If you look into your settings, joining Norton Community Watch is optional. So far, 65 million users have enabled this option.....

I would suggest that you try Norton Antibot. Sounds like your computer was targeted and turned into a botnet.

=\
Rootkit Eradicator
Posts: 5,357
Registered: ‎05-30-2008

Re: Problem with Malware not found by Internet security.


Tech0utsider wrote:

65 million other Norton Community Users. If you look into your settings, joining Norton Community Watch is optional. So far, 65 million users have enabled this option.....


 

Where did you get this information?

 

Contributor
Techguy1000
Posts: 10
Registered: ‎10-01-2008

Re: Problem with Malware not found by Internet security.

Well, the problem has somewhat resolved itself.  I noticed something odd with HijackThis around a dll in a Logitech directory.  I didn't think I had any Logitech software still installed, so I removed the entries and ended up with a non-booting system.  It wasn't horribly broken and it was probably fixable.  I could get into safe mode and the system almost booted normally, but I was spending way too much time trying to chase this phantom, so I stuck a new hard drive in the computer and I'm doing a fresh install.  It'll be somewhat painful to reinstall all the software (I'm sure I'll be feeding it CDs for days), but in the end hopefully I'll end up with a much leaner machine without all the crap that's accumulated over the years.

Before I screwed the system up, I found that on startup the malware first went to Steephost.net (a known malware site), so I set up a general firewall rule to block all access to the subnet that Steephost.net resolved to (located in Ukraine; I'd have no problem blocking the entire country), and the malware went dormant.  My guess is that if the initial attempt to contact the home server failed, it didn't try to go further.  I didn't really expect this to work because the malware seemed to start before Norton starts up, but maybe the firewall gets loaded much earlier than the user front end.

Virus Trouncer
mijcar
Posts: 3,098
Registered: ‎08-01-2008

Re: Problem with Malware not found by Internet security.

Interesting.

 

I've just had some Logitech issues last night with my son's computer.

 

I love their mice and hate their software!  Year after year, on computer after computer, I have had more problems with Logitech software than any other product I have ever used.

 

In any case, last night's problem was a complaint from Vista about Logitech Updater.  Something about it trying to access a file that didn't exist, I believe.  It happened right after I told Logitech Updater that I didn't want it to automatically check for updates any more.  Two years and it hadn't found a single update -- enough is enough.  I must have made it unhappy and it was trying to get even.  Anyway, I clicked okay and that seemed to be that.

 

Be aware that Logitech does not uninstall easily.  It is happy on your computer and wants to spend the rest of eternity there.  Trying to remove it from the registry is dangerous, I have found.  In fact, one of the reasons I originally got Norton Systemworks was to engage in combat with Logitech.  Their registry cleaner was better at removing the artifacts of Logitech than I was.

 

Lately, I have discovered the following is the best strategy for removing Logitech from anyone's system:

Install the latest Logitech software related to the product.  It will uninstall the previous one (usually, but not always, alas).  Then immediately remove that piece of software.

 

Good luck!

mij
N360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware
Contributor
Techguy1000
Posts: 10
Registered: ‎10-01-2008

Re: Problem with Malware not found by Internet security.


mijcar wrote:

Interesting.

 

I've just had some Logitech issues last night with my son's computer.

 

I love their mice and hate their software!  Year after year, on computer after computer, I have had more problems with Logitech software than any other product I have ever used.

 


 

I've had the same experience with Logitech, which is why I didn't think I still had any of their software installed.  Their mice usually work just fine without all the annoyware installed.

The thing I tried to get rid of appears to be related to the Logitech Desktop Manager.  I don't even know what it does, nor do I know when I would have purposefully installed it.  I imagine it got installed along with some other piece of Logitech crapware, and it is very persistent stuff.

Anyway, I saw on another security forum where someone appeared to have something infecting their system that sounded almost exactly like what I have (had), except their HijackThis log showed some definite spyware/malware processes running that I didn't show.  Also in their log was all of the crap around the dll in the Logitech directory, which the person was told to have HijackThis "fix" the entries.  They didn't report any problems in doing that, so I removed them as well.  In my case, it didn't work out so well.

If what I saw in the HijackThis log (about 50 "protocol" entries, all pointing at a single DLL in the Logitech directory) was normal for the "Logitech Desktop Manager", then it digs its tentacles deep into the OS when it's installed.  However, I have a strong feeling that the dll in question was the piece of malware that was giving me the problems.  It was dropped in the Logitech directory to hide it and then had most of the common protocols routed through it to make sure that it got activated no matter what.  Or at least that's my best guess.  There is no reason, even for Logitech bloatware, to have that much crap going on.  Before axing it, I did some web searches on the dll name and did come up with several entries about it being malware.

 

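Editor's added example (not code from this thread or from any poster): Techguy1000's observation above, that dozens of HijackThis "protocol" entries all pointed at one DLL sitting under a vendor directory, is the kind of pattern a log triage script can pick out automatically. The Python below parses HijackThis-style "O18 - Protocol:" lines and flags a DLL that is registered for an unusual number of protocols, or that handles a core protocol (http, https, ftp, file, about, res) from outside the Windows directory. The sample log, the CLSIDs and the Logitech-looking path are constructed placeholders, and the threshold of four protocols is an assumption you should tune against a known-clean log.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis "O18 - Protocol:" style (not any poster's real log);
# the CLSIDs and the vendor path below are placeholders invented for this example.
SAMPLE_LOG = """\
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\\WINDOWS\\system32\\mshtml.dll
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\\WINDOWS\\system32\\mshtml.dll
O18 - Protocol: http - {00000000-0000-0000-0000-0000000000A1} - C:\\Program Files\\Logitech\\EXAMPLE\\handler.dll
O18 - Protocol: https - {00000000-0000-0000-0000-0000000000A2} - C:\\Program Files\\Logitech\\EXAMPLE\\handler.dll
O18 - Protocol: ftp - {00000000-0000-0000-0000-0000000000A3} - C:\\Program Files\\Logitech\\EXAMPLE\\handler.dll
O18 - Protocol: file - {00000000-0000-0000-0000-0000000000A4} - C:\\Program Files\\Logitech\\EXAMPLE\\handler.dll
O18 - Protocol: mailto - {00000000-0000-0000-0000-0000000000A5} - C:\\Program Files\\Logitech\\EXAMPLE\\handler.dll
O18 - Protocol: gopher - {00000000-0000-0000-0000-0000000000A6} - C:\\Program Files\\Logitech\\EXAMPLE\\handler.dll
O4 - HKLM\\..\\Run: [Example] C:\\Program Files\\Example\\example.exe
"""

# One O18 line: protocol name, handler CLSID in braces, then the DLL path.
O18_RE = re.compile(
    r"^O18 - Protocol: (?P<proto>\S+) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)\s*$"
)

# Protocols that are normally served by Windows' own handlers under the system directory.
CORE_PROTOCOLS = {"http", "https", "ftp", "file", "about", "res"}
SYSTEM_DIR = "c:\\windows\\"


def parse_o18(log_text):
    """Return (protocol, clsid, dll_path) for every O18 line; other HijackThis lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O18_RE.match(line.strip())
        if m:
            entries.append((m["proto"].lower(), m["clsid"].upper(), m["path"]))
    return entries


def handlers_by_dll(entries):
    """Group the set of protocols each DLL is registered to handle."""
    by_dll = defaultdict(set)
    for proto, _clsid, path in entries:
        by_dll[path].add(proto)
    return by_dll


def suspicious_handlers(entries, min_protocols=4):
    """Flag a DLL that (a) handles at least min_protocols protocols, or (b) sits outside
    the Windows directory yet handles a core protocol.  Returns {dll_path: [reasons]}."""
    findings = {}
    for path, protos in handlers_by_dll(entries).items():
        reasons = []
        outside_system = not path.lower().startswith(SYSTEM_DIR)
        if len(protos) >= min_protocols:
            reasons.append(f"handles {len(protos)} protocols: {', '.join(sorted(protos))}")
        hijacked = sorted(CORE_PROTOCOLS & protos)
        if outside_system and hijacked:
            reasons.append(f"core protocol(s) {', '.join(hijacked)} routed to a non-system DLL")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for dll, reasons in suspicious_handlers(parse_o18(SAMPLE_LOG)).items():
        print(dll)
        for reason in reasons:
            print("  -", reason)
```

On the constructed log, mshtml.dll is left alone (two protocols, system directory) while the placeholder DLL under the vendor path is reported twice: once for fan-out across six protocols and once for taking over http, https, ftp and file. A DLL that earns the second reason deserves a hash lookup and a look at its digital signature before anything is "fixed", since removing a legitimate handler is exactly how the poster ended up with a non-booting system.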
Newbie
finallyBitten
Posts: 3
Registered: ‎12-03-2008

Re: Problem with Malware not found by Internet security.

I was so hoping to find a solution in this thread... aside from scrapping the OS.

 

 

Same issue here, experienced a drive-by script infection (IE7 w/all updates--yeah, I know...) while running MS OneCare <VirTool:WinNT/Cutwail.K aka Trojan.Pandex>, which OneCare repeatedly reported it cleaned, but was always back upon reboot...

 

Bought Norton 360 v2 hoping it would clean up this mess... rather it detected the same virus twice, then quit finding it altogether, while the malware behavior continues...

- 2 http connections appear to ip-70-38-68-137.static.privatedns.com

- then MANY smtp connection attempts are made

 

Coincidentally (NOT!), connections terminate when I run a scan and svchost.exe instances (10-20 running at a time) crash (LOTS of App Failure popups)--though the scan always comes back clean.

 

 

My box is totally pwned... uggg!
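Editor's added example (not code from this thread or from any poster), covering both Shagrat's description of an e-mail zombie pushing mail out over TCP port 25 and finallyBitten's observation of two HTTP connections followed by many SMTP attempts from svchost.exe. The Python below parses "netstat -ano" style output, flags any PID fanning out to many distinct mail servers on port 25, lists what else that PID is talking to (the place it fetched its instructions from, in finallyBitten's case), and checks whether any connection lands inside a subnet you have decided to block, as Techguy1000 did at the firewall. The netstat sample, the PIDs and the block-list entry are constructed; the threshold of five distinct SMTP peers is an assumption, chosen because a real mail client talks to one or two servers.

```python
import ipaddress
from collections import defaultdict

# Constructed "netstat -ano" style output; addresses are RFC 5737 documentation ranges
# and the PIDs are invented for this example.  Nothing here was captured from any poster.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1031      198.51.100.20:80       ESTABLISHED     1480
  TCP    192.168.1.10:1032      198.51.100.20:80       ESTABLISHED     1480
  TCP    192.168.1.10:1040      203.0.113.11:25        SYN_SENT        1480
  TCP    192.168.1.10:1041      203.0.113.12:25        SYN_SENT        1480
  TCP    192.168.1.10:1042      203.0.113.13:25        SYN_SENT        1480
  TCP    192.168.1.10:1043      203.0.113.14:25        ESTABLISHED     1480
  TCP    192.168.1.10:1044      203.0.113.15:25        SYN_SENT        1480
  TCP    192.168.1.10:1045      203.0.113.16:25        SYN_SENT        1480
  TCP    192.168.1.10:1046      203.0.113.17:25        SYN_SENT        1480
  TCP    192.168.1.10:1047      203.0.113.18:25        SYN_SENT        1480
  TCP    192.168.1.10:1050      198.51.100.9:443       ESTABLISHED     2044
  TCP    192.168.1.10:1051      203.0.113.3:25         ESTABLISHED     2044
  UDP    0.0.0.0:123            *:*                                    1020
"""


def parse_netstat(text):
    """Return one dict per TCP line: remote address, remote port, state and owning PID.
    The header and UDP lines (which carry no state column) are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        raddr, rport = fields[2].rsplit(":", 1)
        conns.append({"raddr": raddr, "rport": int(rport), "state": fields[3], "pid": int(fields[4])})
    return conns


def smtp_burst_pids(conns, min_peers=5):
    """PIDs reaching at least min_peers distinct remote hosts on TCP/25: the host-side
    signature of a spam zombie.  Returns {pid: sorted list of SMTP peers}."""
    peers = defaultdict(set)
    for c in conns:
        if c["rport"] == 25:
            peers[c["pid"]].add(c["raddr"])
    return {pid: sorted(p) for pid, p in peers.items() if len(p) >= min_peers}


def other_peers(conns, pid, exclude_port=25):
    """Everything else a flagged PID is connected to, e.g. the HTTP host it contacted
    first; the pivot from the SMTP burst to whatever is steering it."""
    return {(c["raddr"], c["rport"]) for c in conns if c["pid"] == pid and c["rport"] != exclude_port}


def hits_blocked(conns, blocked_cidrs):
    """Connections whose remote address falls inside a network on your firewall block list."""
    nets = [ipaddress.ip_network(cidr) for cidr in blocked_cidrs]
    hits = []
    for c in conns:
        try:
            ip = ipaddress.ip_address(c["raddr"])
        except ValueError:  # e.g. "*" on a listening socket
            continue
        if any(ip in net for net in nets):
            hits.append((c["pid"], c["raddr"], c["rport"]))
    return hits


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for pid, servers in smtp_burst_pids(conns).items():
        print(f"PID {pid}: {len(servers)} distinct SMTP peers; also talking to {sorted(other_peers(conns, pid))}")
    for pid, ip, port in hits_blocked(conns, ["198.51.100.0/24"]):  # constructed block-list entry
        print(f"PID {pid} -> {ip}:{port} is inside a blocked network")
```

Run against live output (netstat -ano on the affected machine), the flagged PID is the one to look up in Task Manager or Process Explorer; when it turns out to be an svchost.exe instance, as in finallyBitten's case, the next step is to list which services that particular instance hosts, since the process name alone says nothing. Note that a rootkit of the kind Shagrat describes can hide its sockets from netstat on the infected host, which is why the burst is more reliably seen from the firewall or router's connection log than from the machine itself.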