
chrome_update.exe" trojan horse?

Yesterday's early-morning NIS2009 full scan of 'our' Vista machine reported the detection and quarantining of a trojan horse, i.e. ERASER 109.2.2.4, but I've noticed a number of questionable issues surrounding this thing's 'fully resolved' status.

First, immediately preceding that 'full system scan' (FSS), my fully updated NIS2009 had just performed an 'idle quick scan' (IQS), and I'm pretty certain I initially read in its scan results that the IQS had resolved a single threat (i.e. '1 cookies'), and yet some 18 hours later (as I write this post) it seemingly no longer lists anything detected. About a 1% chance my memory fails me and that I simply imagined the '1 cookies' threat.

Nevertheless I mention it, as that plus the fact that just before the IQS I had ignored my browser's caution that the site I wanted to visit 'reportedly' contained malicious content, and went ahead and visited the site (trusting that NIS2009 would prevent anything serious, which seems to have proven true). Anyway, I immediately ran a full system scan right after the IQS, and only then did NIS2009 detect the trojan horse. Aside from my rather flip lapse in browsing etiquette, have I not done something I need to in NIS2009's settings, and/or does anyone know if NIS2009 is supposed to prompt about trojan horses at the moment they're introduced?

What I have a hard time with is that presumably browsers at least, if not also connected flash drives, are a commonly scanned area that NIS2009 IQSs are supposed to scan, no? If 'no', then why didn't the idle quick scan detect the trojan horse? If 'yes', then how is it that Symantec apparently doesn't consider a browser and/or a connected flash drive as commonly affectable?

I only mention that as I also notice in the security history's "scan results" that, while it lists the IQS and my subsequent FSS, oddly the date-times of these two scans indicate a difference of some 6 hours between them (when I'm fairly positive I began the scan right after the IQS finished, then went to bed). Anyway, given that the FSS is listed as having taken 56 minutes to complete, is there some explanation why the date-times are 6 hours apart?

What bothers me the most about this thing is that I'm not running silent (I'd prefer virus alerts immediately), plus I have opted for the advanced protection, and yet I neither saw any alerts, nor does the security history seem to even record when the trojan horse was introduced. Am I wrong, and NIS2009 isn't capable of detecting a trojan horse's introduction and also isn't capable of notifying the user of when a threat was introduced (even after it's been detected and resolved), or maybe I've just not got the right NIS settings for what I expect from NIS?

On top of that, if there's any difference between Idle Quick Scans and Idle Time Scans, I'm unaware of it, but IQSs are running while I've opted out of the setting for Idle Time Scans (set to "off").

The apparent inability of NIS2009 to notify me when a trojan horse is introduced, plus the apparent lack of sufficient scan-results detail (to at least indicate when the trojan horse was introduced), leaves me wondering if Symantec is doing something about where this stuff's coming from, especially since I see yet another issue when reading the security history (as follows). I see in the security history's advanced details that the alert summary indicated the details were being submitted to Community Watch, but when I woke up yesterday (after some 7 hrs sleep after initiating the FSS), I saw that, regardless of my having opted for Community Watch, the threat's details submittal was still listed as "pending" (so I manually submitted them). Something seems amiss there, no? So at what point might I expect to hear anything back about the trojan horse's origin, and/or that maybe the coded details might have provided enough detail to hopefully be acted on (at least by Symantec notifying the responsible server)?

Never? Or am I expecting too much from NIS2009 and/or Symantec, and I'm supposed to be doing something myself? If so, what can I do given what seems to be a significant lack of detail about it (the trojan's date and time of introduction)?

That said, the remaining issue is that my portable Chrome's remaining files (on my Vista's flash drive) no longer compare to those on my XP's flash drive (each flash drive has the exact same version of Chrome on it). Missing from my Vista's flash drive, as a result of NIS2009's cleaning, is not only "chrome_update.exe", but several other files also seem to be missing from its folder. The other apparently missing files are Chrome's "Local State" (its extension is undisclosed) and hdmi.ico. As such, since Chrome's browser still works (though probably something related to any update feature won't work any longer), I'm left to presume one of several things here.

Assumption one: apparently Symantec doesn't see the need to prompt users when a file can't be cleaned, except by the inference of its being quarantined and therefore coming up missing (unless it's automatically regenerated by Windows or some other means). So does anyone know if this is the case?

Assumption two: since NIS2009 didn't 'clean' the supposedly infected chrome_update.exe, and either the trojan or NIS2009 apparently deleted the other two missing Chrome files, what am I to believe? Should I copy and paste back the now three missing files from my unaffected flash drive, or would it be wiser to delete the entire Chrome folder and simply re-run its 'ini'?

Apologies for adding into this mix of issues my memory, my assumptions and my expectations, but I think they all need addressing, and I'd sure appreciate their being answered and hopefully resolved.
Happ-e-trails to all, wguru

Replies

Re: "chrome_update.exe" trojan horse?

Hi yourweld

You ask many questions in your thread. I can answer one of them. Idle quick scans will always run even if you have idle scans turned off. They run for the protection of your computer in the background and generally only take a few seconds to run. Even if you schedule your scans, you will still see idle quick scans.

Re: "chrome_update.exe" trojan horse?

If I am understanding you completely, Norton has removed three Chrome files, which should be in your history under resolved threats, and a heuristic detection of a trojan horse has been submitted to Symantec.

What can happen sometimes is that new definitions arrive constantly, and a file that was harmless eighteen hours ago can trigger a warning later because of the new defs. This will cause Norton to react by quarantining the files, and for any dubious files it will trigger a Community Watch submission to Symantec to check the file.

If you go to a website that Norton has found to be dangerous, you can still become infected as a result of inadequacies in your browser security, script injections, and inadvertent clicking on things. Your antivirus relies on patching vulnerabilities in your programs, your surfing decisions, and its own information to protect you. You can't hope for one program to protect you against all infections, and to protect you from yourself. You have to help it.

Re: "chrome_update.exe" trojan horse?

Thank you, Sir(s),

Yes, thanks, I kind of surmised IQSs and ITSs were likely different birds, but I just didn't catch that they're any different (maybe IQSs aren't server-run like it seems ITSs might be).

Yes, thanks, I kind of expected chrome_update.exe to be a false positive (something it seems Symantec is fumbling more than once and more than we know).

I can say that in today's FSS safe-mode scan (only now, after several weeks following my installing and running of AutoEater's current version), NIS2009 not only neglected to object to AutoEater's install and running at startup (ref. no alerts and no history record of any issues) until a safe-mode FSS.

Moreover, last week I had to reinstall AutoEater as it stopped working (I had thought it was just Vista acting up), and a check of my security history confirms no mention of AutoEater (until today's safe-mode FSS).

So now we know. NIS2009 is, for relatively no reason, eating files, and seems to either block AutoEater and/or, at least one time, 'fully resolved' it without notifying me. Most objectionable is the fact that files are being eaten w/o no notice.

As for what settings I might need to tweak in NIS2009 and what I need to be doing about these matters, it looks like I need to post elsewhere, in another Symantec 'forum', so any suggestions as to how to get Symantec's attention and hopefully action on false positives and both reported/unreported collateral damage?

Again, thanks for the replies, and happ-e-trails to all.

Message Edited by yourweld on 11-17-2009 02:40 PM
Re: "chrome_update.exe" trojan horse?

AutorunEater, not AutoEater

'eating files w/o notice', not 'w/o no notice'. 

Re: "chrome_update.exe" trojan horse?

Seems as if 'Trojan Horse' (Eraser version 109.2.2.4) is being labeled for nearly every supposed threat that NIS2009 is finding, i.e.:

chrome_update.exe, AutorunEater.exe, etc.

So without much response here to my specifically generalized ('sooo many') questions, I'm left to assume these are false positives and Symantec is doing nothing about/with the 'community reports', as even after several days now of definitions updates, NIS2009 is not only disallowing me from re-installing AutorunEater, but continuing to 'fully resolve' my re-installation of AutorunEater (after I, with a bit of trouble, un-quarantined the supposedly trojan-horse-infected files, i.e. clicked 'restore files', then that pane froze, then I re-ran AutorunEater's ini, then re-ran the quarantine restore process, which only then completed without freezing that pane, but then NIS2009 'fully resolved' my AutorunEater again on a subsequent FSS).

Since I've also seen supposed hits for a bar_311-infected autorun.inf file (two weeks ago and again a few days ago, even after the Vista's NIS2009 supposedly cleaned this flash drive, not only a year ago, but again now on both machines, once two weeks ago and now again a few days ago, but on my other machine), i.e. the same flash drive was supposedly re-infected with the same file a year later, and again two weeks later after being "totally resolved".

What with the coincidentally timed onslaught of these supposed 'hits', I'm wondering if all these are nothing more than Symantec's means of motivating users into re-subscribing, i.e. when our renewal dates are fast approaching. Hmmm. False positives and supposed re-infections, gee, what a coincidence.

All in all, aside from the Chinese fire drills, the bottom line is NIS2009 affords no means for users to allow legitimate programs to run, because NIS2009's 'add exclusions' merely affords adding exclusions for nothing more than NIS's pre-listed, obviously valid malware.

I'm so disgusted with NIS2009, and with Symantec as well.

And screw what appears to be this forum's moderator's pre-listed word verifications (insinuating increasingly insulting words that I'm supposed to type in every time I post back).

Message Edited by yourweld on 11-21-2009 05:16 PM
Message Edited by yourweld on 11-21-2009 05:23 PM

Re: "chrome_update.exe" trojan horse?

Today something somewhere (also during a Norton update) removed "chrome.exe".

No idea where it went or what happened.

Quads 
