winrscmde... and my experience with Norton

Hello all,

I'm aware my post count will speak volumes, but my background is solid and my current experience is true, so I look forward to your feedback.  Just a quick note: I've been in the IT industry for over 20 years, most of which as a Sr. systems engineer/administrator, and I've seen enough to give me a healthy fear of the internet, so I stick to sites I know and don't open emails I don't recognize (and some I do).

Specs:

- Windows Vista x64 Ultimate SP2

- Norton Security Suite v5.2.2.3

Anywho on to what happened:

- Surfing the internet doing some research on up-coming quad-core cell phones, sticking to sites I'm familiar with.  Opened a UK news website to figure out why Samsung decided against quad-core in their SG3 in the US.  Had other windows open with information: CNET, YouTube, some smaller cell review sites.

- Within 2 seconds my computer started to reboot.  No errors, no prompts for installs on OS or browser add-ons.

- System came back up and kept giving a popup of "winrscmde stopped working and was closed".

What I did:

- Ran full system scan, which took over 4 hours. (Spoiler alert: found nothing.)

  -- During this time I researched on the internet, found a bunch of tips like running SFC (done, didn't help) and talking about the svchost.

    --- I found an svchost.exe in c:\windows, on top of the real one in the system32 folder.  There was an svchost process running in the task bar that appeared and disappeared every few seconds and had an odd description of "winrscmde" instead of the real description.

    *** Important Note: the svchost file had a last modified date of 2009, but a creation date of today!  Shouldn't the OS catch that suspicious detail?

    --- When I renamed c:\windows\svchost to something else, another was instantly created.

- Norton Power Eraser: downloaded and ran it.

  -- I just got to say they should have some sort of full downloadable program to scan my system at this stage.  I found it concerning that I had to enable my network knowing I had a trojan or worse actively taking over and doing who-knows-what from my system.

  -- First run (plus reboot for rootkit scan) detected a harmless exe on my desktop after coming up.  I let it remove it anyway. After it completed, the system BSOD'd with an error about kdcom.dll.

  -- Second run (plus reboot for rootkit scan) detected "Risk: PhysicalDrive0, Type: Boot Record"

    --- Thoroughly went through logs and they do not reveal what was detected and cleared at root level.

- Manually removed the svchost files from c:\windows because they were still there, but it seemed they were no longer being duplicated.

- Rebooted system, installed another antivirus program mentioned on a thread from a person with a similar problem.

Conclusion:

- I believe a virus got on my computer while surfing not-intentionally-malicious websites (perhaps something embedded in a comments section by someone).

- Was NOT detected by Norton Security Suite, Windows Defender, or IE9's SmartScreen filter.

- None of the usual prompts of something attempting to install appeared.

- No clue if system is safe so I will be doing a full reinstall in a few days when my Windows 7 x64 disk shows up.

- Disappointed in Norton, because I am incredibly safe in everything I do online; I would hope they could protect me or at least inform me of attacks through my browser.  AFTER the fact of being infected it didn't know... but I saw the processes and files behaving strangely myself.

- Will be finding another AV solution, but definitely not McAfee.

Perhaps this day's worth of work will help someone else more than it helped me.

Wish I knew what virus it was.... or is?

-Z
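A triage check a defender could run for the indicators described in the post above: an svchost.exe outside System32/SysWOW64, a running svchost process whose description does not match the genuine service host, and a file whose creation time is later than its last-write time. This is an added example, not code from the original post or from Norton; the legitimate paths, the genuine file description string, and the decision to treat a copied file's timestamps as merely suspicious are assumptions. Run it from an elevated PowerShell prompt so process paths are readable.

```powershell
# Added example (not from the original post): triage the indicators the post describes.
# Assumption: the only legitimate copies of svchost.exe live under System32 and SysWOW64.
$legit = @(
    (Join-Path $env:windir 'System32\svchost.exe'),
    (Join-Path $env:windir 'SysWOW64\svchost.exe')
)
# Assumption: this is the file description carried by the genuine Microsoft svchost.exe.
$genuineDescription = 'Host Process for Windows Services'

# 1. Every svchost.exe on the system drive that is not in a legitimate location.
#    The post found one directly in c:\windows; this enumerates the whole drive.
$fileFindings = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'svchost.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $legit -notcontains $_.FullName } |
    ForEach-Object {
        [pscustomobject]@{
            Finding  = 'svchost.exe outside System32/SysWOW64'
            Path     = $_.FullName
            Created  = $_.CreationTime
            Modified = $_.LastWriteTime
            # The post's oddity: "last modified 2009, created today". A creation time
            # later than the last-write time never results from writing a file in place;
            # it is what you get when a file is copied (NTFS keeps the source's
            # LastWriteTime) or when the modified time was back-dated. Treat it as a
            # lead to investigate, not proof on its own.
            CreatedAfterModified = ($_.CreationTime -gt $_.LastWriteTime)
        }
    }

# 2. Running svchost processes whose image path is not legitimate or whose file
#    description is not Microsoft's (the post saw "winrscmde" in place of the real one).
#    A description is trivial to fake, so a matching one proves nothing; a mismatch
#    is worth a look. Path is $null for processes you lack rights to inspect.
$processFindings = Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Path -and (($legit -notcontains $_.Path) -or ($_.Description -ne $genuineDescription))
    } |
    Select-Object Id, Path, Description, StartTime

$fileFindings    | Format-Table -AutoSize
$processFindings | Format-Table -AutoSize
```

Because the post notes the rogue file was re-created within seconds of being renamed, run the process listing a few times in a row; a short-lived svchost that keeps reappearing with a non-standard path or description is the behaviour described above.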

Replies


Re: winrscmde... and my experience with Norton

Update:  Still no clue what the virus is/was and if I'm still infected or not after scanning the computer with full scans by 2 AV programs after the above mentioned steps.  I feel like I can't trust any of the AV programs.

Can anyone help me try to figure out what it is/was?  Did my manual deletion of the suspected c:\windows\svchost.exe after NPE's removal of an unidentified Boot Record cure my computer?

The virus was able to plant itself on my MBR so skillfully without detection that I would find it hard to believe it was so easy to remove after finding it.

The closest I've come to identifying it is someone on an answers.microsoft.com thread who had an almost identical experience, but his Microsoft Security Essentials software detected Trojan DOS ALUREON:A.  I've installed that as well and found nothing.


Re: winrscmde... and my experience with Norton

Hi Zyozeer,

I would suggest you wait until Quads sees your post.  He is a volunteer (as most of us are, with the non-red user names).  He is our resident Malware Removal expert and will be best suited to help you, as long as you have not already done too much to your system for him to assist you.

I would also like to inform you that you are not using the most recent version of Norton Security Suite.  I do not know if that is your desire or not, but you can look at the thread below in regards to upgrading to NSS. (version 6.2.1.5)

http://community.norton.com/t5/Norton-360/Comcast-Norton-Security-Suite-v6-2-1-5-update-is-now-available/td-p/731974

I would also suggest you wait to upgrade to Version 6 (if you desire to) until you are 100% sure your system is clean.

Re: winrscmde... and my experience with Norton

Hi Norton (and norton support),

Just wanted to take a moment out of my day (unlike you) to tell you that your support is worthless and it's pathetic you can't have a couple of people responding to forum posts, because people need help in these situations.  You should not be depending on volunteers, as they're not the ones taking in all the money.  Additionally, not providing a satisfactory response to other forum threads stating your product is completely unable to detect current threats is concerning.

I will be sure not to make the mistake of trusting Symantec in the future and plan on recommending against any companies I work with from buying Symantec products.

Regards,

-Z

p.s. - You should probably post a forum announcement more recent than April 2010 to at least pretend someone is listening.

Re: winrscmde... and my experience with Norton

I'm sorry you did not get any specific help in removing what you think is an infection that got through your protection. These forums are user to user with a Norton presence (names in red), so they do depend on our individual expertise, and for rootkits we are lucky to have one extraordinary volunteer, Quads, who will work on a one-to-one basis and has a high success rate, provided the user has not already started to fix the problem. He is extremely busy at present and deals with users on a first come, first served basis.

I do note that you are using the free COMCAST version of Norton 360 and that you are a full generation out of date, which might increase the risk of something getting through.

If you cannot wait for help there are other free and expert sites like Bleeping Computer.

BTW when you say:

<< p.s. - You should probably post a forum announcement more recent than April 2010 to at least pretend someone is listening. >>

If you look you'll see they are not necessarily in date order, and there are other announcements that are much more recent.

Hugh

Re: winrscmde... and my experience with Norton

The user did so much manual work, plus 3 AVs (Norton, McAfee, MSE), that with this stated: "I've been in IT industry for over 20 years, most of which was a Sr. systems engineer/administrator", I am not touching a manually tampered system.

I do know at least some of what the user had or has, though.  I have had to deal with it on this forum a few times.

Quads


Re: winrscmde... and my experience with Norton

Quads,

I think we all understand that very valid reason which is rather different.

Thanks for the incredible job you do when circumstances do not thwart you ....

Hugh