Alright everyone, here it is. I've spent 3 weeks formatting my whole HD and reinstalling, trying to find what the heck is going on.
My roommate, who is also my uncle, has a degree in computer science and several years of programming experience in Java, Visual Basic 6.0, C++, and Python. I consider myself to be pretty tech savvy and also have some experience in programming. My suspicions of my computer having this "undetectable" rootkit have caused me to take these steps:
1) Clear my BIOS chip. (He might have customized it though, I don't know.)
2) Format my whole HD front to back (Boot Nuke).
3) Install a trial version of Windows 7 (Don't trust the CD I'm using, maybe he switched it)
I just did all of the above yesterday, and then when Windows 7 booted up I turned off all services except for the ones necessary to connect to the network I'm on (my roommate's/uncle's network). Then I disabled remote service, rebooted, and installed a 90-day trial version of Norton 360 4.0 from a CD I burned 3 weeks ago.
Before the internet is even installed I max out my settings, add new security rules, and block every port except for Port 53 and port 67 and port 68. Also port 80 and port 443 for web browsing.
Svchost.exe tries to connect to port 137, 123, 547, 5047 or something, tries to listen for connections, and a few others. I block them all. I was told to always block ports 137, 138, and 139 a while ago because of exploits that had been circling around the web. Anyway, the only port svchost.exe can connect to right now is port 53 (Remote DNS). I also block everything for lsass, services.exe, and "system".
In my traffic rules all the blocks are at the top and I've added 4 new traffic rules that block everything except port 53, port 67, and port 68 (and port 80 and 443). If I block ports 67 and 68 (bootps and bootpc) then I can't connect to the network.
I also disabled all protocols except for TCP and UDP.
In Task >> Security Logs I found port 127.0.0.1 network and restricted it. I hadn't installed the internet drivers or plugged into the network yet, but the network was still saying I'm connected... then I found the computer I connect to and restricted it.
Now this is when the weird stuff happens.
Category: Norton Product Tamper Protection
Date & Time,Risk,Activity,Status,Recommended Action,Date,Actor,Actor PID,Target,Target PID,Action,Reaction,Terminal Session
6/8/2010 9:34 AM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Tuesday, June 08, 2010 9:34 AM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,840,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,
6/8/2010 2:29 AM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Tuesday, June 08, 2010 2:29 AM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,848,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,
6/7/2010 8:52 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 8:52 PM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,804,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,
6/7/2010 8:17 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 8:17 PM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,812,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,
6/7/2010 8:16 PM,Medium,Unauthorized access logged (Access Thread Data),Logged,No Action Required,"Monday, June 07, 2010 8:16 PM",C:\WINDOWS\SYSTEM32\SERVICES.EXE,476,C:\Program Files\Norton 360\Engine\4.2.0.12\ccsvchst.exe,1336,Access Thread Data,Unauthorized access logged,
6/7/2010 8:12 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 8:12 PM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,812,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,
6/7/2010 8:01 PM,Medium,Unauthorized access blocked (Set Info Process),Blocked,No Action Required,"Monday, June 07, 2010 8:01 PM",C:\WINDOWS\SYSTEM32\CONHOST.EXE,2516,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Lue\Downloads\Patch7790\IdsFFpt2.exe,2508,Set Info Process,Unauthorized access blocked,
6/7/2010 8:00 PM,Medium,Unauthorized access blocked (Set Registry Value),Blocked,No Action Required,"Monday, June 07, 2010 8:00 PM",C:\WINDOWS\SYSTEM32\REGSVR32.EXE,1848,HKEY_CLASSES_ROOT\RegClean.N360.1\,0,Set Registry Value,Unauthorized access blocked,
6/7/2010 7:58 PM,Medium,Unauthorized access logged (Access Thread Data),Logged,No Action Required,"Monday, June 07, 2010 7:58 PM",C:\WINDOWS\SYSTEM32\SERVICES.EXE,480,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1324,Access Thread Data,Unauthorized access logged,
6/7/2010 7:57 PM,Medium,Unauthorized access logged (Access Thread Data),Logged,No Action Required,"Monday, June 07, 2010 7:57 PM",C:\WINDOWS\SYSTEM32\SERVICES.EXE,480,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1324,Access Thread Data,Unauthorized access logged,
6/7/2010 7:56 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 7:56 PM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,824,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,
6/7/2010 7:55 PM,Medium,Unauthorized access logged (Access Thread Data),Logged,No Action Required,"Monday, June 07, 2010 7:55 PM",C:\WINDOWS\SYSTEM32\SERVICES.EXE,536,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1328,Access Thread Data,Unauthorized access logged,
6/7/2010 7:54 PM,Medium,Unauthorized access blocked (Set Info Process),Blocked,No Action Required,"Monday, June 07, 2010 7:54 PM",C:\WINDOWS\SYSTEM32\CONHOST.EXE,3604,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Lue\Downloads\Patch195\IdsFFpt2.exe,3536,Set Info Process,Unauthorized access blocked,
6/7/2010 7:51 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 7:51 PM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,828,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,
6/7/2010 7:47 PM,Medium,Unauthorized access logged (Access Process Data),Logged,No Action Required,"Monday, June 07, 2010 7:47 PM",C:\WINDOWS\SYSTEM32\MRT.EXE,2944,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1344,Access Process Data,Unauthorized access logged,1
6/7/2010 7:47 PM,Medium,Unauthorized access logged (Access Process Data),Logged,No Action Required,"Monday, June 07, 2010 7:47 PM",C:\WINDOWS\SYSTEM32\MRT.EXE,2944,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1344,Access Process Data,Unauthorized access logged,1
6/7/2010 7:43 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 7:43 PM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,824,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,
6/7/2010 7:41 PM,Medium,Unauthorized access logged (Access Thread Data),Logged,No Action Required,"Monday, June 07, 2010 7:41 PM",C:\WINDOWS\SYSTEM32\SERVICES.EXE,484,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1424,Access Thread Data,Unauthorized access logged,
6/7/2010 7:34 PM,Medium,Unauthorized access logged (Access Thread Data),Logged,No Action Required,"Monday, June 07, 2010 7:34 PM",C:\WINDOWS\SYSTEM32\SERVICES.EXE,484,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1424,Access Thread Data,Unauthorized access logged,
6/7/2010 7:34 PM,Medium,Unauthorized access logged (Access Thread Data),Logged,No Action Required,"Monday, June 07, 2010 7:34 PM",C:\WINDOWS\SYSTEM32\SERVICES.EXE,484,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1272,Access Thread Data,Unauthorized access logged,
6/7/2010 7:24 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 7:24 PM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,812,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,
6/7/2010 7:22 PM,Medium,Unauthorized access logged (Access Thread Data),Logged,No Action Required,"Monday, June 07, 2010 7:22 PM",C:\WINDOWS\SYSTEM32\SERVICES.EXE,484,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1316,Access Thread Data,Unauthorized access logged,
6/7/2010 7:17 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 7:17 PM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,820,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,
6/7/2010 7:09 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 7:09 PM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,808,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,
svchost.exe tries to read dirnet.dat and several others. It also tries to: "Set Registry Value", "Set Info Process", "Access Thread Data", and "Open File". I'll note that it only tries to do this AFTER I first connect to the internet. It never tries to do any of this if I never connect to the internet. Once I FIRST CONNECT after the format, then it begins the tampering, even if I disable the internet. --- Yes, I've read all of the threads about Norton tamper protection.
2) I ran registry fix and it showed these:
Category: Registry Cleanup
Date & Time,Risk,Activity,Status,Submitted By,Problem,Action
6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The key, \"SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs,\" refers to a missing file, \"C:\Program Files\Norton 360\Engine\4.0.0.127\SymAdLog.dll.\"",Entry Deleted
6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The key, \"SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs,\" refers to a missing file, \"C:\Program Files\Norton 360\Engine\4.0.0.127\SymAddIn.xml.\"",Entry Deleted
6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The key, \"SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs,\" refers to a missing file, \"C:\Program Files\Norton 360\Engine\4.0.0.127\SymAddIn.dat.\"",Entry Deleted
6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The key, \"SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs,\" refers to a missing file, \"C:\Program Files\Norton 360\Engine\4.0.0.127\SymMcCmd.dll.\"",Entry Deleted
6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The key, \"SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs,\" refers to a missing file, \"C:\Program Files\Norton 360\Engine\4.0.0.127\MceEULA.dll.\"",Entry Deleted
6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The key, \"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\YourApp.exe,\" refers to an invalid application path, \"C:\Program Files\Belkin\F5D8055\v2\YourApp.exe.\"",Entry Deleted
6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The file extension, \".shtml,\" refers to an invalid program identifier, \"shtmlfile.\"",Entry Deleted
6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The file extension, \".xht,\" refers to an invalid program identifier, \"xhtfile.\"",Entry Deleted
6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The file extension, \".xhtml,\" refers to an invalid program identifier, \"xhtmlfile.\"",Entry Deleted
6/8/2010 2:59 AM,Info,Registry Cleanup,Success,Tuneup,"The key, \"CLSID\{12BEF447-D278-4EED-B3E1-09CDF7E4C126}\InprocServer32,\" refers to a missing file, \"C:\Program Files\Norton 360\Engine\4.0.0.127\MceEULA.dll.\"",Entry Deleted
3) "View Security History" isn't showing the regular things it's supposed to or used to show BEFORE I first connected to the internet. Like "Intrusion prevention started" is supposed to be showing today when I turned my computer on and booted into Windows, but it's not showing in the "Full history"... but it did yesterday every time I rebooted. It would show that intrusion prevention and signatures are loaded each time. Now it's not. It's also not showing some other things like certain rules. It usually says "Firewall rules blocked ____" every time it blocked a rule, but now it's not.
4) I have "Advanced Events Monitoring" on... but when I click "Remove all" under "Program Component" it just re-adds about 50 new components and I don't get a warning or alert on any of them. Why??? Same when I click "Remove All" under "Program Launch", "Command Line Execution", "Code Injection", "Windows Messages", "Direct Network Access", "Com Control" and others. It'll keep them removed from the list until I reboot... but once I reboot they're all added again.
Why??? Shouldn't I be getting alerts for these components? There are over 50 of them under "Program Component" and I haven't received an alert, warning, or been asked to allow or block any of them. When I remove them, they just get added again. There are remote control components on there and all kinds of stuff.
(Automatic Program Control is turned off.)
If anyone could please help I would be very thankful.
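As an added illustration (not from the post, and not Norton's own tooling), a Python script that parses the "Product Tamper Protection" CSV export quoted above and buckets each event by where the actor executable lives, so rows whose actor is outside the Windows system directory and outside Norton's own tree are separated out for a closer look. The sample rows are copied from the post's export except the last one, which is constructed to exercise the "other" bucket; the actor-location buckets are my own triage convention.

```python
import csv
import io
from collections import Counter

# Sample in the layout of the Norton 360 4.0 tamper-protection CSV export from the post.
# The final row (actor C:\Users\Public\example.exe) is constructed, not from the post.
SAMPLE_LOG = r"""Date & Time,Risk,Activity,Status,Recommended Action,Date,Actor,Actor PID,Target,Target PID,Action,Reaction,Terminal Session
6/8/2010 9:34 AM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Tuesday, June 08, 2010 9:34 AM",C:\WINDOWS\SYSTEM32\SVCHOST.EXE,840,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\symnetdrv\DirNet.dat,0,Open File,Unauthorized access blocked,
6/7/2010 8:16 PM,Medium,Unauthorized access logged (Access Thread Data),Logged,No Action Required,"Monday, June 07, 2010 8:16 PM",C:\WINDOWS\SYSTEM32\SERVICES.EXE,476,C:\Program Files\Norton 360\Engine\4.2.0.12\ccsvchst.exe,1336,Access Thread Data,Unauthorized access logged,
6/7/2010 8:01 PM,Medium,Unauthorized access blocked (Set Info Process),Blocked,No Action Required,"Monday, June 07, 2010 8:01 PM",C:\WINDOWS\SYSTEM32\CONHOST.EXE,2516,C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Lue\Downloads\Patch7790\IdsFFpt2.exe,2508,Set Info Process,Unauthorized access blocked,
6/7/2010 8:00 PM,Medium,Unauthorized access blocked (Set Registry Value),Blocked,No Action Required,"Monday, June 07, 2010 8:00 PM",C:\WINDOWS\SYSTEM32\REGSVR32.EXE,1848,HKEY_CLASSES_ROOT\RegClean.N360.1\,0,Set Registry Value,Unauthorized access blocked,
6/7/2010 7:47 PM,Medium,Unauthorized access logged (Access Process Data),Logged,No Action Required,"Monday, June 07, 2010 7:47 PM",C:\WINDOWS\SYSTEM32\MRT.EXE,2944,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1344,Access Process Data,Unauthorized access logged,1
6/7/2010 7:40 PM,Medium,Unauthorized access blocked (Open File),Blocked,No Action Required,"Monday, June 07, 2010 7:40 PM",C:\Users\Public\example.exe,3100,C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe,1344,Open File,Unauthorized access blocked,1
"""

SYSTEM_ROOT = r"C:\WINDOWS\SYSTEM32"
# Norton-owned locations seen as targets in the post's export (file tree and the RegClean key).
NORTON_ROOTS = (r"C:\ProgramData\Norton", r"C:\Program Files\Norton 360",
                r"HKEY_CLASSES_ROOT\RegClean.N360")


def parse_log(text):
    """Read the export into dicts keyed by header; csv copes with the quoted Date field's commas."""
    return list(csv.DictReader(io.StringIO(text)))


def classify_actor(path):
    """Bucket an actor by where it lives: Windows system dir, Norton's own tree, or elsewhere."""
    p = path.upper()
    if p.startswith(SYSTEM_ROOT.upper()):
        return "windows-system"
    if p.startswith(tuple(r.upper() for r in NORTON_ROOTS)):
        return "norton-component"
    return "other"


def summarize(rows):
    """Count (actor bucket, action, status) triples and collect rows that merit a manual look:
    an actor from neither bucket, or a target outside Norton's own locations."""
    counts, review = Counter(), []
    for r in rows:
        bucket = classify_actor(r["Actor"])
        counts[(bucket, r["Action"], r["Status"])] += 1
        norton_target = r["Target"].upper().startswith(tuple(x.upper() for x in NORTON_ROOTS))
        if bucket == "other" or not norton_target:
            review.append(r)
    return counts, review


if __name__ == "__main__":
    counts, review = summarize(parse_log(SAMPLE_LOG))
    for (bucket, action, status), n in sorted(counts.items()):
        print(f"{n:3d}  {bucket:17s} {action:20s} {status}")
    for r in review:
        print("REVIEW:", r["Date & Time"], r["Actor"], "->", r["Target"], f"(session {r['Terminal Session'] or '-'})")
```

Run against a full export, the review list is what is left after the system-binary and Norton-component noise is set aside.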