Hidden Rootkit

Alright everyone, here it is. I've spent 3 weeks formatting my whole HD and reinstalling trying to find what the heck is going on.

My roommate, who is also my uncle, has a degree in computer science and several years of programming experience in Java, Visual Basic 6.0, C++, and Python. I consider myself to be pretty tech savvy and also have some experience in programming. My suspicions of my computer having this "undetectable" rootkit have caused me to take these steps:

1) Clear my BIOS chip. (He might have customized it, though, I don't know.)
2) Format my whole HD front to back (Boot Nuke).
3) Install a trial version of Windows 7 (I don't trust the CD I'm using; maybe he switched it).


I just did all of the above yesterday, and then when Windows 7 booted up I turned off all services except for the ones necessary to connect to the network I'm on (my roommate's/uncle's network). Then I disabled remote service, rebooted, and installed a 90 day trial version of Norton 360 4.0 from a CD I burned 3 weeks ago.

Before the internet is even installed I max out my settings, add new security rules, and block every port except for port 53, port 67 and port 68, plus port 80 and port 443 for web browsing.

Svchost.exe tries to connect to port 137, 123, 547, 5047 or something, tries to listen for connections, and a few others. I block them all. I was told to always block ports 137, 138, and 139 a while ago because of exploits that had been circulating around the web. Anyway, the only port svchost.exe can connect to right now is port 53 (remote DNS). I also block everything for lsass, services.exe, and "system".

In my traffic rules all the blocks are at the top and I've added 4 new traffic rules that block everything except port 53, port 67, and port 68 (and port 80 and 443). If I block port 67 and 68 (bootps and bootpc) then I can't connect to the network.

I also disabled all protocols except for TCP and UDP.

In Task >> Security Logs I found port 127.0.0.1 network and restricted it. I hadn't installed the internet drivers or plugged into the network yet, but the network was still saying I'm connected... then I found the computer I connect to and restricted it.

Now this is when the weird stuff happens.

Category: Norton Product Tamper Protection
Date & Time,Risk,Activity,Status,Recommended Action,Date,Actor,Actor PID,Target,Target PID,Action,Reaction,Terminal Session


6/8/2010 9:34 AM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Tuesday, June 08, 2010 9:34 AM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,840,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,


6/8/2010 2:29 AM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Tuesday, June 08, 2010 2:29 AM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,848,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,


6/7/2010 8:52 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 8:52 PM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,804,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,


6/7/2010 8:17 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 8:17 PM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,812,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,


6/7/2010 8:16 PM,Medium,Unauthorized access logged (Access Thread Data),Logged,No Action Required,"Monday, June 07, 2010 8:16 PM",C:\WINDOWS\SYSTEM32\SERVICES.EXE,476,C:\Program Files\Norton 360\Engine\4.2.0.12\ccsvchst.exe,1336,Access Thread Data,Unauthorized access logged,


6/7/2010 8:12 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 8:12 PM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,812,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,


6/7/2010 8:01 PM,Medium,Unauthorized access blocked (Set Info Process),Blocked,No Action Required,"Monday, June 07, 2010 8:01 PM",C:\WINDOWS\SYSTEM32\CONHOST.EXE,2516,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Lue\Downloads\Patch7790\IdsFFpt2.exe,2508,Set Info Process,Unauthorized access blocked,


6/7/2010 8:00 PM,Medium,Unauthorized access blocked (Set Registry Value),Blocked,No Action Required,"Monday, June 07, 2010 8:00 PM",C:\WINDOWS\SYSTEM32\REGSVR32.EXE,1848,HKEY_CLASSES_ROOT\RegClean.N360.1\,0,Set Registry Value,Unauthorized access blocked,


6/7/2010 7:58 PM,Medium,Unauthorized access logged (Access Thread Data),Logged,No Action Required,"Monday, June 07, 2010 7:58 PM",C:\WINDOWS\SYSTEM32\SERVICES.EXE,480,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1324,Access Thread Data,Unauthorized access logged,


6/7/2010 7:57 PM,Medium,Unauthorized access logged (Access Thread Data),Logged,No Action Required,"Monday, June 07, 2010 7:57 PM",C:\WINDOWS\SYSTEM32\SERVICES.EXE,480,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1324,Access Thread Data,Unauthorized access logged,


6/7/2010 7:56 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 7:56 PM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,824,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,


6/7/2010 7:55 PM,Medium,Unauthorized access logged (Access Thread Data),Logged,No Action Required,"Monday, June 07, 2010 7:55 PM",C:\WINDOWS\SYSTEM32\SERVICES.EXE,536,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1328,Access Thread Data,Unauthorized access logged,


6/7/2010 7:54 PM,Medium,Unauthorized access blocked (Set Info Process),Blocked,No Action Required,"Monday, June 07, 2010 7:54 PM",C:\WINDOWS\SYSTEM32\CONHOST.EXE,3604,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Lue\Downloads\Patch195\IdsFFpt2.exe,3536,Set Info Process,Unauthorized access blocked,


6/7/2010 7:51 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 7:51 PM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,828,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,


6/7/2010 7:47 PM,Medium,Unauthorized access logged (Access Process Data),Logged,No Action Required,"Monday, June 07, 2010 7:47 PM",C:\WINDOWS\SYSTEM32\MRT.EXE,2944,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1344,Access Process Data,Unauthorized access logged,1


6/7/2010 7:47 PM,Medium,Unauthorized access logged (Access Process Data),Logged,No Action Required,"Monday, June 07, 2010 7:47 PM",C:\WINDOWS\SYSTEM32\MRT.EXE,2944,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1344,Access Process Data,Unauthorized access logged,1


6/7/2010 7:43 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 7:43 PM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,824,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,


6/7/2010 7:41 PM,Medium,Unauthorized access logged (Access Thread Data),Logged,No Action Required,"Monday, June 07, 2010 7:41 PM",C:\WINDOWS\SYSTEM32\SERVICES.EXE,484,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1424,Access Thread Data,Unauthorized access logged,


6/7/2010 7:34 PM,Medium,Unauthorized access logged (Access Thread Data),Logged,No Action Required,"Monday, June 07, 2010 7:34 PM",C:\WINDOWS\SYSTEM32\SERVICES.EXE,484,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1424,Access Thread Data,Unauthorized access logged,


6/7/2010 7:34 PM,Medium,Unauthorized access logged (Access Thread Data),Logged,No Action Required,"Monday, June 07, 2010 7:34 PM",C:\WINDOWS\SYSTEM32\SERVICES.EXE,484,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1272,Access Thread Data,Unauthorized access logged,


6/7/2010 7:24 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 7:24 PM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,812,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,


6/7/2010 7:22 PM,Medium,Unauthorized access logged (Access Thread Data),Logged,No Action Required,"Monday, June 07, 2010 7:22 PM",C:\WINDOWS\SYSTEM32\SERVICES.EXE,484,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1316,Access Thread Data,Unauthorized access logged,


6/7/2010 7:17 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 7:17 PM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,820,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,


6/7/2010 7:09 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 7:09 PM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,808,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,

svchost.exe tries to read dirnet.dat and several others. It also tries to: "Set Registry Value", "Set Info Process", "Access Thread Data", and "Open File". I'll note that it only tries to do this AFTER I first connect to the internet. It never tries to do any of this if I never connect to the internet. Once I FIRST CONNECT after the format it begins the tampering, even if I disable the internet. --- Yes, I've read all of the threads about Norton tamper protection.

2) I ran registry fix and it showed these:

Category: Registry Cleanup
Date & Time,Risk,Activity,Status,Submitted By,Problem,Action
6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The key, \"SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs,\" refers to a missing file, \"C:\Program Files\Norton 360\Engine\4.0.0.127\SymAdLog.dll.\"",Entry Deleted


6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The key, \"SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs,\" refers to a missing file, \"C:\Program Files\Norton 360\Engine\4.0.0.127\SymAddIn.xml.\"",Entry Deleted


6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The key, \"SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs,\" refers to a missing file, \"C:\Program Files\Norton 360\Engine\4.0.0.127\SymAddIn.dat.\"",Entry Deleted


6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The key, \"SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs,\" refers to a missing file, \"C:\Program Files\Norton 360\Engine\4.0.0.127\SymMcCmd.dll.\"",Entry Deleted


6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The key, \"SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs,\" refers to a missing file, \"C:\Program Files\Norton 360\Engine\4.0.0.127\MceEULA.dll.\"",Entry Deleted


6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The key, \"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\YourApp.exe,\" refers to an invalid application path, \"C:\Program Files\Belkin\F5D8055\v2\YourApp.exe.\"",Entry Deleted


6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The file extension, \".shtml,\" refers to an invalid program identifier, \"shtmlfile.\"",Entry Deleted


6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The file extension, \".xht,\" refers to an invalid program identifier, \"xhtfile.\"",Entry Deleted


6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The file extension, \".xhtml,\" refers to an invalid program identifier, \"xhtmlfile.\"",Entry Deleted


6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The key, \"CLSID\{12BEF447-D278-4EED-B3E1-09CDF7E4C126}\InprocServer32,\" refers to a missing file, \"C:\Program Files\Norton 360\Engine\4.0.0.127\MceEULA.dll.\"",Entry Deleted

3) "View Security History" isn't showing the regular things it's supposed to or used to show BEFORE I first connected to the internet. For example, "Intrusion prevention started" is supposed to be showing today when I turned my computer on and booted into Windows, but it's not showing in the "Full history"... but it did yesterday every time I rebooted. It would show that intrusion prevention and signatures are loaded each time. Now it's not. It's also not showing some other things like certain rules. It usually says "Firewall rules blocked ____" every time it blocked a rule, but now it's not.

4) I have "Advanced Events Monitoring" on... but when I click "Remove all" under "Program Component" it just re-adds about 50 new components and I don't get a warning or alert on any of them. Why??? Same when I click "Remove All" under "Program Launch", "Command Line Execution", "Code Injection", "Windows Messages", "Direct Network Access", "COM Control" and others. It'll keep them removed from the list until I reboot, but once I reboot they're all added again.

Why??? Shouldn't I be getting alerts for these components? There are over 50 of them under "Program Component" and I haven't received an alert, warning, or been asked to allow or block any of them. When I remove them, they just get added again. There are remote control components on there and all kinds of stuff.


(Automatic Program Control is turned off.)

If anyone could please help I would be very thankful.

There are several things I wish to say here, However I think that you should wait for Quads to comment on your thread before you take anyone else's advice (unless it's a Norton staff member - their names will be in red)

Matt


This message is posted having regard to the following statement which you are kindly requested to read first.
http://community.norton.com/t5/Forum-Feedback/Statement-of-contribution-by-cgoldman/m-p/215993#M5047

Anyway this forum is for NIS and NAV and there is another forum for N360. So I will propose that it is moved.


I think you may be doing too much. I am not sure about 90 day trial versions either. It seems strange that you would distrust Win 7 on CD but accept N360 burned weeks ago. Why not install N360 directly from the Symantec website as a trial version!

I did install it from the website and then as soon as it finished downloading I blocked everything, unplugged the internet, and burned it to CD as fast as possible, because I’m paranoid that the file will be somehow switched with a modified version with the same file size, or that the file size setting is tampered with to show the same file size as the real version. I know that the only way this would be possible is if there is some type of hidden network access that can transfer files super fast, but I think there is. I didn’t build this computer, it was a gift.

Speaking of hidden network access, I have another question. In Device Manager when I click “Show hidden devices” it shows, but there is 1 device under “Network” that it does not show. To get this to show I had to use System Mechanic Pro to tweak a setting to “Show hidden devices”. When I used this tweak and then opened Device Manager I saw “Async Adapter”, but it was in grey while the rest were in black. I can’t uninstall this and the “Disable” option is actually disabled from being disabled. So, I deleted the driver “asyncmac.sys” AND all of the back-ups included in the Windows installation. Strange though, because I did not get an “Unable to install device” message when I rebooted… I should have got that “unable to install device” message when it couldn’t find the drivers. Why is it hidden? Why is it greyed? Why is it unable to be uninstalled? Why is the “Disable” option greyed out? I’m

127.0.0.1 is a reserved IP address corresponding to the host computer. Known as the loopback address, 127.0.0.1 is used whenever a program needs to access a network service running on the same computer as itself.

****************************************

"The following policy might need to be adjusted to allows Windows to connect:
Policy Provider:
Filter Name: SymNetDrv Firewall Filter INBOUND_TRANSPORT_V6"


This looks like a normal request to Norton to allow a connection from the router.

******************************************

June 07, 2010 8:01 PM",C:\WINDOWS\SYSTEM32\CONHOST.EXE,2516,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Lue\Downloads\Patch7790\IdsFFpt2.exe,2508,Set Info Process,Unauthorized access blocked,

This one looks like you have blocked the port(s) needed for a Norton update

********************************************

6/7/2010 8:00 PM,Medium,Unauthorized access blocked (Set Registry Value),Blocked,No Action Required,"Monday, June 07, 2010 8:00 PM",C:\WINDOWS\SYSTEM32\REGSVR32.EXE,1848,HKEY_CLASSES_ROOT\RegClean.N360.1\,0,Set Registry Value,Unauthorized access blocked

This one refused to allow Regclean to tamper with Norton files.

*********************************************

It isn't necessarily tampering that you are seeing.  Most programs and utilities on your machine require access through Norton to do what they need to do.  Think of normal traffic as more of an application rather than tampering.

Why do you think you have a rootkit?  What symptoms have you had, such as browser redirects, trojans and Fake AV's?

What about #3 and #4? I think the “Security History” might be wrong…maybe it’s not supposed to show with each reboot when norton starts. I’m suspicious out of probably just paranoia from past experiences with system security. I’m a clean freak and security freak. If one thing in my security setup goes wrong, then I have to re-do the whole thing. If my firewall is off for more than 5 minutes, I have to format and reinstall. I can’t keep my system setup for longer than 3 months. I can’t use system restore in fear that my restore points have been modified. Even when my computer is unplugged and turned off I have to cover it in wet towels and foam in case there is some type of hidden OS running silently. Just kidding about that last part, lol. I guess that my knowledge of how easy it is to exploit a system makes my condition worse.

Actually, it may be that you have blocked so many required ports that the logging has increased as the machine tries to find the disconnected parts of itself.

Port 123 is normally used for time synchronization, which is necessary for many things.  That is why it is listening and could well be trying to access the net to synchronize.

Different routers need access to different ports, different email clients use different ports other than the usual 110 and 25.

With #4, the rules that are being made are required to allow the machine to run. It is simply establishing enough of an environment to operate.

Rootkits are fairly easy to spot because of symptoms.  They aren't even that difficult to get rid of, just time consuming.  Most of the free malware removal forums, especially Bleeping Computer, are very good at getting them out.  If you turned off advanced events monitoring, set your firewall back to default, and kept an eye on intrusion prevention, you would spot a problem fairly quickly.

Rootkits are designed to do specific tasks like download more malware, contact "home base" for instructions, redirect your browser to malicious sites, and away from security sites.

I can't tell you not to worry, because you will anyway. As long as you know where to go to get uninfected, and your browsers, programs, and security software are patched and up to date, the feeling of helplessness and paranoia should be reduced enough to actually enjoy your computer.

When I used this tweak and then opened Device Manager I saw "Async Adapter", but it was in grey while the rest were in black. I can't uninstall this and the "Disable" option is actually disabled from being disabled. So, I deleted the driver "asyncmac.sys" AND all of the back-ups included in the Windows installation. Strange though, because I did not get an "Unable to install device" message when I rebooted... I should have got that "unable to install device" message when it couldn't find the drivers. Why is it hidden? Why is it greyed? Why is it unable to be uninstalled? Why is the "Disable" option greyed out?

This is a Microsoft file and driver that normally has to do with dial-up. It may have something to do with other synchronizations in your machine. I highly recommend Google before deleting things.