Bit torrent killed XP Pro explorer.exe

The Norton details after safely swapping the infected "explorer.exe" out to the desktop, then allowing Norton to detect the infected, not-in-use copy.

Category: Resolved Security Risks

21/08/2010 11:18 a.m.,High,explorer.exe (Suspicious.Mystic) detected by Auto-Protect,Quarantined,Resolved - No Action,c:\documents and settings\john\desktop\explorer.exe

c:\documents and settings\john\desktop\explorer.exe

____________________________

____________________________

On computers as of:

21/08/2010 at 11:16:44 a.m.

Last Used:

21/08/2010 at 11:18:25 a.m.

Startup Item:

No

Launched:

No

____________________________

____________________________

Very Few Users

Fewer than 5 users in the Norton Community have used this file.

____________________________

High

This file risk is high.

____________________________

Threat Details

Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.

____________________________

Origin

Downloaded from URL Not Available

Source: External Media

Source File: explorer.exe

____________________________

File Actions

File: c:\documents and settings\john\desktop\explorer.exe

Removed

____________________________

File Thumbprint - SHA:

Not Available

____________________________

File Thumbprint - MD5:

Not Available

____________________________

Quads
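As an added example, not part of the thread, here is a small Python parser for records in the six-column layout of the Norton History export quoted above (date, severity, description, action, status, path), run over constructed sample rows; it flags detections on explorer.exe or winlogon.exe inside c:\windows, which is the pattern the rest of the thread turns on.

```python
import csv
import re
from io import StringIO
from pathlib import PureWindowsPath

# Constructed sample rows (not from the thread) in the six-column layout of the
# Norton History export quoted above: date,severity,description,action,status,path
SAMPLE_HISTORY = r"""
21/08/2010 11:18 a.m.,High,explorer.exe (Suspicious.Mystic) detected by Auto-Protect,Quarantined,Resolved - No Action,c:\documents and settings\john\desktop\explorer.exe
22/08/2010 09:02 a.m.,High,explorer.exe (Trojan.Bamital!inf) detected by Auto-Protect,Removed,Resolved - No Action,c:\windows\explorer.exe
22/08/2010 09:05 a.m.,High,winlogon.exe (Trojan.Bamital!inf) detected by Auto-Protect,Removed,Resolved - No Action,c:\windows\system32\winlogon.exe
22/08/2010 09:07 a.m.,High,temp.tmp (Backdoor.Trojan) detected by Auto-Protect,Blocked,Resolved - No Action,c:\windows\temp\temp.tmp
"""

# The description field reads "<file> (<threat name>) detected by <component>"
DESC_RE = re.compile(r"^(?P<file>.+?) \((?P<threat>[^)]+)\) detected by (?P<component>.+)$")

# Binaries the thread reports as infected; a detection on these inside the Windows
# directory points at a file infector rather than a stray download.
CORE_SYSTEM_BINARIES = {"explorer.exe", "winlogon.exe"}


def parse_history(text):
    """Parse export rows into dicts; malformed rows are skipped, not guessed at."""
    records = []
    for row in csv.reader(StringIO(text.strip())):
        if len(row) != 6:
            continue
        date, severity, description, action, status, path = row
        match = DESC_RE.match(description)
        if not match:
            continue
        parts = PureWindowsPath(path).parts  # e.g. ('c:\\', 'windows', 'explorer.exe')
        records.append({
            "date": date, "severity": severity, "action": action, "status": status,
            "file": match["file"], "threat": match["threat"], "path": path,
            "in_windows_dir": len(parts) > 1 and parts[1].lower() == "windows",
        })
    return records


def core_binary_detections(records):
    """Rows hitting core shell/logon binaries under the Windows directory: the thread's
    pattern, where a clean explorer.exe survives on the desktop or a thumb drive but is
    modified, then detected, as soon as it is copied into the Windows directory. One
    hit means all infected files (driver included) must be replaced together."""
    return [r for r in records
            if r["file"].lower() in CORE_SYSTEM_BINARIES and r["in_windows_dir"]]
```

Feed it a real export instead of SAMPLE_HISTORY to see whether detections cluster on system binaries under c:\windows rather than on user-area copies.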

 

 

I guess my last post didn't post?? Trying again!

Hi Quads,

Not sure my situation with explorer is the same as yours??

When I put a clean explorer.exe anywhere in my PC, nothing happens EXCEPT in c:\windows, THEN the attached copy of the Norton actions file occurs.

Note, the attachment was a bmp file and the post would not go through (I will have to type it and post separately),

but it's reported in on-screen messages a little differently:

It reports it has detected Suspicious.Mystic.

It reports a virus has been detected and removed.

Then in the file, it says a Heuristic virus temp.tmp was detected and deleted.

Why is Norton removing a clean explorer.exe ONLY if placed in the c:\windows directory?

On the desktop in MY PC, it's safe, and I can run it from a thumb drive.

As I recall, running it from the c: root drive, it is detected and nailed.

I do not know about this stuff, but I am not sure we're dealing with the same explorer issue, unless something immediately injects a bug into my clean explorer in the windows directory for Norton to find and remove....but then what's the temp.tmp stuff about?

I am around the house working, available to try things.

I get email on my phone so don't hesitate to ask.

I will drop what I'm doing and get back ASAP.

OK here's the text re-typed in approximately the Norton history file format, with v short for version.

This is starting up the PC:

copied the clean explorer.exe to the desktop---nothing

copied the clean explorer.exe to c:\windows and Norton went after it.....

Hope it helps

Hello medscien

Please try running LiveUpdate. I have newer Intrusion Prevention definitions than you are showing. The one I am showing is dated from 8/20 and came through to me last night, Friday night. Maybe the newer definitions will help the situation.

Thanks Floplot,

I will try a bit later, but that PC only runs a couple of minutes before rebooting once connected to the internet. I think it's part of the bug, trying to connect to an external server or something. And maybe Norton reboots to protect the PC?

Won't get to this till later tonight....guests.

I will try repeatedly, just in case Norton has a solution (sort of doubt it, but anything is worth a try!)

It's the same one. I got the details from the quarantine, and Norton removed the Mystic-detected "explorer.exe" from my Desktop, as I had already swapped the 3 files over with my own script during a restart.

The 3 files were:

"explorer.exe" detected as Mystic blah blah by Norton

"Winlogon.exe" not detected by Norton

"[random_selected_driver].sys" not detected by Norton but is the randomly selected MS driver to be infected by TDL3(+)

I swapped all 3 files with clean copies by script within one restart, not just replacing one of the files.

"I do not know about this stuff, but I am not sure we're dealing with the same explorer issue, unless something immediately injects a bug into my clean explorer in the windows directory for Norton to find and remove"

"I do not know about this stuff" Right, so how can you figure out I have not purposely tested the same Malware?? But I have figured there is more than one file involved, not just "explorer.exe". Then I had the swapped-out infected version of "explorer.exe" on the desktop allowed to be detected by Norton, and detected as the same, as seen by the log above. VirusTotal also brings back a result by Symantec as the same.

I have now removed the infection from my PC, as I am finished playing with it; that was easy and boring compared to "Ramnit".

I no longer, and not for quite some time, remove Malware on this forum, because the forum is dangerous in its setup for Malware Removal.

The other Forum will get to you in time.

Quads


floplot wrote:

Hello medscien

Please try running LiveUpdate. I have newer Intrusion Prevention definitions than you are showing. The one I am showing is dated from 8/20 and came through to me last night, Friday night. Maybe the newer definitions will help the situation.

LOL, good luck with that!! Norton won't remove the infection.

Symantec got hold of me asking if I have the sample that also infects "explorer.exe" and "winlogon.exe", as they don't have any sample of it.

Quads

Norton is still not to fix the TDL3(+) infected driver, but for "explorer.exe" and "winlogon.exe", both have had definitions added for detection as "Trojan.Bamital!inf", and Norton is to "repair" the files, not to "delete" or "remove" the files.

Quads

So, from reading the last few posts, please correct me if I'm wrong, I should NOT try to run LiveUpdate because it will not fix my problem? However Quads knows a fix (I guess you don't give this info to Norton gang?). Anyway I should wait.

The other forum still has not gotten to me, they're obviously busy. When I look at how many interactions they have had with some of their clients with rootkit bugs, it's scary. These can be a lot of work. But I'm prepared to do it.

We had guests tonight and I could not break away, but now they're gone. I'm really tired and should only start a round of this if I'm on the ball, so I will see what you say. If you think I should try LiveUpdate, I will, but I know it will take many tries, as the bug keeps rebooting the machine when net-connected.

Will watch for a reply till 12:30am, then check in the am when I get up. Thanks a lot, all.

(I guess you don't give this info to Norton gang?)

I give all the info or files they ask for; even Symantec knows there are some infected files Norton is not allowed to remove, otherwise you won't be able to load Windows.

There are some where Norton does not have the ability to handle the infection, so will not remove it.

Soon, wherever you are in the world, the new definition should automatically download via Norton Automatic updating, if not already, so that the Heuristic detection of Mystic and removal of Explorer.exe no longer happens, but it is repaired.

But if TDL3 is still in the background, which is Tidserv, and you stated it in your first post, HTTP...Tidserv.................

Norton can't handle that.

"However Quads knows a fix", LOL, well I did remove the infection from my PC with scripting.

Quads

Nice all you people do work together fighting the bad guys. It's so hard for me to comprehend the mind of a person who creates this stuff. I guess they do it because they can, and get their jollies watching others scramble to clean up the mess.

I Googled Trojan.Bamital!inf and found a removal sequence. I won't try it but thought you'd find it interesting.

On Bleepingcomputer.com, titled "Trojan.Bamital!inf - Requires Manual Removal Says Norton 360".

I guess the person bought Norton and, per the new update, the trojan was named and part of the damage fixed (as you have predicted), but the bug itself has to be removed with several other programs; however it looks like they did get rid of it.

This was just FYI; as I said, I won't do anything till told to.

There is a whole lot of stuff on the web all of a sudden about this trojan, it must be spreading. Seems to be "blaming" Firefox for an entry point? I do use Firefox, oddly because of all the Internet Explorer issues. Nothing's immune!

Symantec asked for my files, which I gave. Symantec looked at them quickly and added the definitions for them, and Symantec PMed me saying what they have been added as and the flag for what Norton is to do with them: "Repair".

Quads

Managed to connect to the net and run long enough to do LiveUpdate.

Norton found temp.tmp backdoor trojan, blocked it.

winlogon.exe, ID'd it as Bam...   deleted it.

Now, other than the occasional temp.tmp, NOW identified as Bam..., it runs with the internet connected using the thumb drive.

NOW doing regular statistical submissions of blocking BAM, blocking backdoor trojan, and blocking unauthorized accesses.

I will now try putting clean explorer.exe in the c:\windows directory and see if that runs....

Didn't even get to run it....Norton detected it as soon as copied in, as Bam.... And deleted it.

Hmmmm

I guess the good news is the computer is running....sort of, albeit with explorer on a thumb drive, and with the net connected!

Couldn't do that before.

So now I'll be able to download a LiveUpdate easier...maybe Norton (or Quads?) will implement a fix??

You are forgetting about the 3rd file, oh well, that is what the other forum is for.

I have just Norton and I don't have the update yet that changes the Suspicious.Mystic to the Bam...... with the flag of deleted.

Quads

Nope, didn't forget Tidserv, and that I should eventually get help from the other forum in removing that.

I thought perhaps Norton people might tackle that part too eventually, but you have said there are some files Norton cannot touch, because it kills Windows. Is that the case?

I just checked and 5 minutes ago I got my first instructions from whatthetech, so I'm off....

Maybe really, really bad......

Got instructions from the other guys but can't do them.

Here's part of what I told them:

Prior to last night, I was able to boot to a wallpaper image and run explorer.exe from a thumb drive to get my desktop.
If I put it anywhere on C, the bug (or Norton) found it and deleted it immediately.

Last night I managed to run LiveUpdate, never shut off the PC, left the net connected for a half hour or so, saw repeated detections of Trojan.Bamital!inf and Backdoor.Trojan, but the PC ran, still with explorer.exe on a flash disc. Putting explorer on the C drive, explorer was still removed, but with a Bamital message now from Norton. Shut down for sleep.

This am the PC will not boot in regular or safe mode, reboots repeatedly. F8 to safe stops at menu; anything I select reboots after several seconds.
Maybe Norton doing it? Net disconnected, same results.
PC came with OS (XP Pro installed) and I do not have OS discs! I will attempt to find it from friends.

I REALLY wish I didn't run LiveUpdate....at least I could MAKE the PC run, albeit without net, or only for a few minutes with net connected.
I will continue to try things to boot.

Any ideas how to stop rebooting?
I sure hope so...

Catbyte on whatthetech will deal with it.  They have ways.  Don't fool with it, assuming you can, and make some arrangements with a friend to download whatever Catbyte might ask you to get. Don't panic yet.

Moved to the thread of its own for better exposure

Soon, I think.

I just posted a dump for CatByte.

Had to leave for a while.

I don't know what their hours are, probably random, but I'll be there again in the am.

Hopefully, we start to make progress now.

Any idea how fast this rootkit is spreading? Since I started this thread, there's a lot of activity on the web and in the forums. Norton says "few infections", which concerns me as it might not get the attention from them that it should.

You guys (male and female, I have to assume) have been great and treat everything as important, but I have to believe priorities are set in companies like Norton by how widespread a problem is. Till tomorrow.......