A few days ago I was on a website which, without me clicking on anything, suddenly redirected to a fake Adobe Flash Player update website. I hit the back button straight away, only to get redirected again. I got two messages from Norton saying it had blocked two intrusion attempts. I tried to run a scan but Norton just simply wouldn't go through with it and I kept on getting an error message. Tried the same with Malwarebytes and a similar thing happened. I uninstalled MB and tried to reinstall it but it wouldn't work. Not long after that my laptop crashed, but it's done that for ages so I don't think that was to do with the intrusion attempts. When the laptop restarted Norton was working again and, again, I had no symptoms. But I noticed in its security history that SVCHOST.EXE and CONHOST.EXE were both making continuous unauthorised access attempts, which Norton was blocking. I did a bit of Googling, though, and apparently this is fairly normal. But I also noticed it was exonerating things such as "WS.Trojan.B" in its statistical submissions, which doesn't sound right. I explained my situation to someone from Norton via live chat and, though they couldn't be sure, they reckoned a virus could indeed have got in.
Anyway, the next day I took my laptop to the local PC World for them to repair. I think they tried to restore it to its factory settings so that they could try and eliminate the issue whilst saving my files, but they said the virus had corrupted its ability to do that, and so instead they wiped everything and were confident they got rid of it. So today I reinstalled Norton on my freshly wiped laptop and, after running a few scans, noticed CONHOST and SVCHOST were making the odd unauthorised access attempts targeting Norton, but I tried to dismiss this as normal. The scans said everything was fine, too, and there were no symptoms of viruses or anything. But when rerunning the scan I noticed that the names of a lot of the things it was scanning but not detecting as malicious were pretty dodgy e.g. Infostealer.Snifula.B, Trojan.Peacomm, etc.
So my question is, a) how were these Trojans/worms able to stay on my machine after a complete, clean wipe? And b) how can they be gotten rid of if a wipe didn't work and neither Norton nor Malwarebytes are picking them up?
Go easy on me - trust me when I say my understanding and knowledge of computers is terrible! Thanks in advance for the help!
Oh, and I should also add that, other than these dodgy things I noticed in the scans, there are no actual symptoms that I've noticed yet.
If you see the names, Infostealer.Snifula.B, Trojan.Peacomm, when Norton is scanning, that is what Norton is searching for. If Norton doesn't find anything you are most likely clean.
Okay, that's a good sign then. Is there any way to be absolutely certain my machine is clean? And why is it searching for those names in particular (there was a whole string of them)? Surely if my machine is supposed to be like-new again after the wipe, there should be no memory of having anything like them to search for in the first place?
Also, I'm not sure if this is related or not, but I'm not sure if my Security History feature may have frozen. Up until about 1am it was registering lots and lots of 'Info' logs about various things, but all of a sudden they stopped. I tried out a couple of processes that had generated logs before, such as scanning both CONHOST.exe and SVCHOST.exe individually, but this time they didn't show up in the history. I've also run several scans since the last bit of information came up on one of the logs and yet there's seemingly been no activity registered. Do you know why that might be?
Hi, Jcj25. The reason you're seeing those malware items that Krusty13 mentioned is because they are included in Norton's malware definition database, and they show up during a scan.
Re the history issue, have you tried running Live Updates manually until no more are found, and then rebooting?
Okay, that's a good sign then. Is there any way to be absolutely certain my machine is clean? And why is it searching for those names in particular (there was a whole string of them)? Surely if my machine is supposed to be like-new again after the wipe, there should be no memory of having anything like them to search for in the first place?
It is quite normal for Norton to search for them. It does the same on both of my machines as well.
Also, I'm not sure if this is related or not, but I'm not sure if my Security History feature may have frozen. Up until about 1am it was registering lots and lots of 'Info' logs about various things, but all of a sudden they stopped. I tried out a couple of processes that had generated logs before, such as scanning both CONHOST.exe and SVCHOST.exe individually, but this time they didn't show up in the history. I've also run several scans since the last bit of information came up on one of the logs and yet there's seemingly been no activity registered. Do you know why that might be?
(Sorry if these are all stupid questions!)
Access Blocked entries in your Norton Security History are simply processes that are not allowed to access Norton files. Norton does not permit any program or process to access its files, so again this is normal. I can only guess that these processes have, for now, stopped trying to access Norton files.
"Is there any way to be absolutely certain my machine is clean?"
If Norton and mbam both come up clean I would suggest you're ok. If you suspect malware you should perhaps contact one of the free malware removal sites
The unauthorized access blocks are normal. SVCHOST.EXE and CONHOST.EXE are frequently-seen entries in the Norton Product Tamper Protection logs. Norton was simply preventing outside agents, in this case two Windows processes, from accessing Norton processes.
The list of scary-sounding malware you see displayed during a Norton Quick Scan (or the first part of a full scan) are common infections that Norton is specifically looking for. If you look carefully, you will see that it says "Scanning for...."
The exonerated files in the Statistical Submissions are just that...exonerated. They are files that are being sent to Symantec to help refine existing virus definitions to reduce the number of false positive detections. These are gathered by Norton Community Watch, which is a data collection component of Norton, NOT a malware detection component.
So, yes, to answer your question, there are some malware varieties that can survive a reformat, but in your case it seems more likely that you may not have been infected in the first place - at least based on the information you have given us.
Right, okay, I think I'm starting to get it now and this does definitely sound like good news. You're right, it does indeed say "scanning for" but could you tell me what has made Norton look for those particular Trojans/worms in particular? As in, why would it scan for items it has no reasonable basis to believe are on the computer? Furthermore, before my computer got scrubbed I looked back at Norton's security history in the days leading up to the intrusion attempts, and AFAIK there were no mentions of "WS.Trojan.B" or anything like that then. So is the fact that it appeared afterwards just a coincidence?
Overall, I think it would definitely make sense for me not to have been infected in the first place - that would certainly explain the lack of symptoms. Is there anything that I can look out for on the computer, aside from the obvious (eg. pop-ups, adverts, programmes not functioning normally - all of which I think are unlikely to happen), that might indicate it is compromised?
And lastly, I don't think it's a case of CONHOST.exe and SVCHOST.exe simply having stopped trying to access Norton's files because, like I said, when I scanned those processes individually for the first time yesterday, they both generated logs. Then when I scanned them again after I noticed the history had sort of frozen, no such logs were generated. There's no chance that Norton might have been compromised by anything, is there?
“Right, okay, I think I’m starting to get it now and this does definitely sound like good news. You’re right, it does indeed say “scanning for” but could you tell me what has made Norton look for those particular Trojans/worms in particular? As in, why would it scan for items it has no reasonable basis to believe are on the computer?”
Can’t speak for your other concerns, but as far as I know, this is just a default list of common infections Norton checks for before going on to scan the rest of your files. I see it checking for various specific threats every time I run a full scan.
Oh, that's a huge relief! If that's normal then I've got nothing to worry about. And, what's more, after updating itself after trying a Quick Scan, the Security History no longer appears to be frozen.
So looks like I'm virus-free after all. Thanks, everyone!
Furthermore, before my computer got scrubbed I looked back at Norton's security history in the days leading up to the intrusion attempts, and AFAIK there were no mentions of "WS.Trojan.B" or anything like that then. So is the fact that it appeared afterwards just a coincidence?
Since the entry for WS.Trojan.B is a statistical submission, and not a malware detection, I wouldn't be concerned. It could easily have been a file that was picked up when reinstalling and updating the software on your system.
As for Norton being compromised, that is not likely. You'd also almost certainly notice other system anomalies if something capable of corrupting Norton without disabling it were on your PC.