Apologies for posting this in the wrong place, but I cannot find anywhere on the Norton/Symantec website to report malware, only the tool to submit virus samples.
It primarily involves 3 files (dwm.exe, conhost.exe and csrss.exe) and several registry changes. It's particularly nasty, as the files cannot be deleted or the registry entries removed even in safe mode; I had to use an embedded version of XP that runs from a CD to delete the files.
Although according to the link above it is known to Symantec, NIS with the latest updates could not detect it.
These were not "legitimate windows files", I assure you! Please visit the link I posted above, and you will see the files in question are in very specific locations, and all run as the current user.
Yes, I updated Norton, performed a full scan (which completed successfully) in both normal and safe mode. NIS did not detect the malware.
I did not try Power Eraser. But that wasn't the point of my post here, I was just pointing out that NIS didn't detect it, so either the detection of Backdoor.Cycbot!gen2 is faulty in NIS, or I have come across a new variant.
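The point made above is that genuine copies of these binaries live in %SystemRoot%\system32, whereas the copies found here sat in the user's profile and ran as the current user (and on Windows XP, dwm.exe and conhost.exe do not ship at all, since they were introduced in Vista and Windows 7 respectively). The script below is an added example, not code from this thread or from Symantec: it runs a masquerading check over a constructed process listing in the shape `pid | user | image path`. The install path C:\WINDOWS, the account names and the PIDs are assumed for illustration.

```python
"""Added example: flag well-known Windows binary names running from the wrong place."""
import ntpath
from dataclasses import dataclass

# Assumption for this example: a default install with %SystemRoot% = C:\WINDOWS.
SYSTEM32 = r"c:\windows\system32"

# Where the genuine binary lives and, where it is fixed, which account runs it.
# dwm.exe and conhost.exe are run by different accounts depending on version, so
# only the directory is checked for them.
EXPECTED = {
    "csrss.exe":   (SYSTEM32, r"NT AUTHORITY\SYSTEM"),
    "dwm.exe":     (SYSTEM32, None),
    "conhost.exe": (SYSTEM32, None),
}

# Binaries that do not exist on Windows XP: any process with this name is suspect there.
NOT_ON_XP = {"dwm.exe", "conhost.exe"}


@dataclass
class Finding:
    pid: int
    path: str
    reason: str


def check_process(pid: int, user: str, path: str, windows_version: str = "xp"):
    """Return a Finding when a known binary name runs from an unexpected location
    or account, otherwise None."""
    name = ntpath.basename(path).lower()
    if name not in EXPECTED:
        return None
    if windows_version == "xp" and name in NOT_ON_XP:
        return Finding(pid, path, f"{name} does not exist on Windows XP")
    exp_dir, exp_user = EXPECTED[name]
    directory = ntpath.dirname(path).lower()
    if directory != exp_dir:
        return Finding(pid, path, f"{name} running outside {exp_dir}")
    if exp_user and user.lower() != exp_user.lower():
        return Finding(pid, path, f"{name} should run as {exp_user}, not {user}")
    return None


def scan(listing: str, windows_version: str = "xp"):
    """Parse 'pid | user | path' lines and return the findings in listing order."""
    findings = []
    for line in listing.strip().splitlines():
        pid, user, path = [field.strip() for field in line.split("|", 2)]
        finding = check_process(int(pid), user, path, windows_version)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample listing (not real data): one genuine csrss.exe plus the three
# profile-resident copies described in the thread.
SAMPLE_LISTING = """
564  | NT AUTHORITY\\SYSTEM | C:\\WINDOWS\\system32\\csrss.exe
1820 | PC\\alice            | C:\\Documents and Settings\\alice\\Application Data\\dwm.exe
1844 | PC\\alice            | C:\\Documents and Settings\\alice\\Application Data\\Microsoft\\conhost.exe
1902 | PC\\alice            | C:\\Documents and Settings\\alice\\Local Settings\\Temp\\csrss.exe
1300 | PC\\alice            | C:\\WINDOWS\\explorer.exe
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LISTING):
        print(f"PID {f.pid}: {f.reason}  ({f.path})")
```

On a live XP box the listing would come from a tool that shows image paths and owning accounts (Process Explorer or `tasklist /v` with the path looked up separately); the check itself is the same, and the genuine csrss.exe in system32 passes while the three profile copies are flagged.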
Some can be detected as this thread demonstrates. The info provided by Quads is more complete and much more of a concern than the info from Trend Micro.
If on XP, make sure you disable System Restore per the above instructions. This will auto-delete all your restore points!
Then perform a full scan ensuring all files are scanned. To do that you will have to go into NIS console and set SMART definitions to Off and Compressed Files Scan - Intelligent Skip Scanning to Off.
I really should have saved (at least) the 3 executables so I could forward them to Symantec for analysis, but I was at the time mostly concerned with making sure I got this off my PC ASAP as it holds most of my work files.
I did a full system scan with the latest definitions (as of around 8:00 pm yesterday) in normal mode, and scanned the "Documents and Settings\My User ID" and temp folders (where the 3 executables are) in safe mode and NIS did not detect anything.
@mrtn - yes, it did make proxy settings changes. If your infection is the same as mine, and you do not have the secondary infections that can follow on from this malware as mentioned in the link posted above by delphinium, it can be removed easily as long as you can access the file system from another OS (such as a bootable CD with Windows XP embedded, which is what I used). Once you have deleted the 3 executables mentioned in the link in my first post using the other OS, you can boot back into windows and you just need to fix the various registry entries that were changed.
Since critical Windows files may be involved, as well as TDL3 rootkit, I would suggest getting some assistance in making certain that all of it is removed and the operating system undamaged. All of these forums are very competent in this type of remediation.
c:\documents and settings\[user name]\application data\dwm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\[username]\application data\microsoft\conhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Documents and Settings\[username]\Local Settings\Temp\csrss.exe (Trojan.Agent) -> Delete on reboot.