
Hacked

I have a customer with Norton Security (updated, latest version) who had some strange things going on, i.e. system reboots. In looking into it, I noticed there was an additional user account created and logged in, and the guest account was re-enabled. I disabled guest, deleted the bogus account, changed the customer's password and started running scans. The full system scan only came up with heur.advml.B, which seems to be a generic hit. My question: how did this get past Norton in the first place? Why is it only seen on a full scan vs. a quick scan? I would deem this a higher risk than what it's labelled as, given we have a system breach with unwanted activity.

Jon

Replies


Re: Hacked

DSJon:

I have a customer with Norton Security (updated, latest version) who had some strange things going on, i.e. system reboots. In looking into it, I noticed there was an additional user account created and logged in, and the guest account was re-enabled. I disabled guest, deleted the bogus account, changed the customer's password and started running scans. The full system scan only came up with heur.advml.B, which seems to be a generic hit. My question: how did this get past Norton in the first place? Why is it only seen on a full scan vs. a quick scan? I would deem this a higher risk than what it's labelled as, given we have a system breach with unwanted activity.

Jon

No antivirus is perfect. Can you post the "copy to clipboard" details of this detection?


Re: Hacked

The best AV solution is to not turn the system on in the first place, albeit not a practical one! I'll stop out there tomorrow, get it and paste it. Thanks


Re: Hacked

Sorry it took so long, but here are the scan results. Any insight would be appreciated.


Re: Hacked

Filename: tch.exe
Threat name: Heur.AdvML.B
Full Path: c:\users\djordan\appdata\local\temp\tch.exe
On computers as of: 10/3/2017 at 11:53:31 PM
Last Used: 10/4/2017 at 3:48:08 PM
Startup Item: No
Launched: No
Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.
tch.exe Threat name: Heur.AdvML.B
Many Users: Thousands of users in the Norton Community have used this file.
Mature: This file was released 1 year 7 months ago.
High: This file risk is high.
Source: External Media
Source File: xrdp.v2.1.exe
File Created: tch.exe
File Actions
File: c:\windows\system32\ rdpwrap.ini Removed
Infected file: c:\users\djordan\appdata\local\temp\ tch.exe Removed
File Thumbprint - SHA:
ba91ab389e3219c307980b903d7ed5aba8bbf9f4ec7f389db83d73b7dbab9209
File Thumbprint - MD5:
78d4e9ba8f641970162260273722c887
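The Norton report above names an RDP Wrapper installer (xrdp.v2.1.exe / RDPWInst) that dropped tch.exe and rdpwrap.ini, and the original post describes an extra local account and a re-enabled Guest account. The following triage script is an added example, not part of the thread or of any Norton tooling; it pulls together the checks a responder would run on the affected machine: local account inventory with Guest status, Security-log events for account creation, enabling and group membership changes, Remote Desktop (logon type 10) logons, and presence of the files the report lists, compared against the SHA-256 the report gives for tch.exe. It assumes Windows 10 or later with PowerShell 5.1+, an elevated prompt, and an auditing policy that writes the 4720/4722/4732/4624 events; the `$KnownAccounts` list is a constructed placeholder the responder replaces with the accounts that belong on the box.

```powershell
# Added triage script (not from the thread). Assumes Windows 10+/PowerShell 5.1+,
# run elevated. Checks the indicators described in the thread: an unexpected
# local account, Guest re-enabled, and the RDP Wrapper files in the Norton report.

param(
    [int]$DaysBack = 30,
    # Constructed placeholder: accounts expected on this machine; anything else is flagged.
    [string[]]$KnownAccounts = @('Administrator', 'DefaultAccount', 'WDAGUtilityAccount', 'djordan')
)

$since = (Get-Date).AddDays(-$DaysBack)

Write-Host "== Local accounts =="
Get-LocalUser | ForEach-Object {
    $flags = @()
    if ($_.Name -eq 'Guest' -and $_.Enabled)   { $flags += 'GUEST ENABLED' }
    if ($KnownAccounts -notcontains $_.Name)   { $flags += 'UNEXPECTED ACCOUNT' }
    [pscustomobject]@{
        Name      = $_.Name
        Enabled   = $_.Enabled
        LastLogon = $_.LastLogon
        Flags     = ($flags -join ', ')
    }
} | Format-Table -AutoSize

Write-Host "== Account created (4720) / enabled (4722) / added to local group (4732), last $DaysBack days =="
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4722, 4732; StartTime = $since } -ErrorAction Stop |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
} catch {
    Write-Host "No matching events, or Security log not readable: $($_.Exception.Message)"
}

Write-Host "== Remote Desktop logons (4624, LogonType 10), last $DaysBack days =="
# Parse the event XML so LogonType, account and source address are read by name.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        if ($data.LogonType -eq '10') {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $data.TargetUserName; From = $data.IpAddress }
        }
    } | Format-Table -AutoSize

Write-Host "== Files named in the Norton report =="
# Paths as listed in the report; the temp path is resolved for the current profile.
$artifacts = @(
    "$env:SystemRoot\System32\rdpwrap.ini",
    "$env:LOCALAPPDATA\Temp\tch.exe"
)
# SHA-256 of tch.exe exactly as the report lists it.
$reportedSha256 = 'ba91ab389e3219c307980b903d7ed5aba8bbf9f4ec7f389db83d73b7dbab9209'
foreach ($path in $artifacts) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $note = if ($hash -ieq $reportedSha256) { ' (matches SHA-256 in the Norton report)' } else { '' }
        Write-Host "PRESENT: $path  SHA256=$hash$note"
    } else {
        Write-Host "absent:  $path"
    }
}
```

The account and event sections answer the poster's real question more directly than the heuristic name does: a 4720 followed by a 4732 into Administrators, or a type-10 logon from an unfamiliar address, is evidence of interactive misuse regardless of whether the dropped binary is classed as a generic Heur.AdvML hit. Because the report shows the files were already removed, the file check will normally print "absent"; it is there to confirm the cleanup and to catch a re-drop on a later run.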

File name: RDPWInst
Detection ratio: 11 / 65
Analysis date: 2017-10-10
