Norton can get screwed up with detections

Well, try this: Norton screwing itself up. Have fun reading; Quads had fun sorting it out. I did post in the past about lumping TDL3 in with past TDLs and the confusion it can cause, and with removal instructions. Where Vundo comes into it, no idea.

All files were dormant and some I was shifting into a desktop folder, so I could have just manually deleted the files, including the installer, a lot less hassle compared to below.

Date & Time,Risk,Activity,Status,Recommended Action

15/01/2010 2:40 p.m.,High,h8srtxmtmvkohjy.dll (Trojan.Vundo) detected by Auto-Protect,Restart Required,You must restart your computer.

15/01/2010 2:37 p.m.,High,tdl3.exe (Backdoor.Tidserv) detected by Auto-Protect,Restart Required,You must restart your computer.

15/01/2010 2:33 p.m.,High,h8srtxmoboulkrv.dll (Backdoor.Tidserv) detected by Auto-Protect,Restart Required,You must restart your computer.

d:\documents and settings\john\desktop\tdl\tdl3.exe  (Backdoor.Tidserv)

 

____________________________

File Actions

File: D:\Documents and Settings\John\Desktop\Casino.url (didn't exist)

Restart Required

File: D:\Documents and Settings\John\Desktop\Casino.url (didn't exist)

Restart Required

Infected file: d:\documents and settings\john\desktop\tdl\tdl3.exe

Removed

 

The .url files don't exist with TDL3, unlike the earlier variants like the UAC TDL2 (Tidserv) Norton thinks they are. The TDL3s I have installed have a different mode of infection to the TDL2 variants.

d:\documents and settings\john\desktop\new folder\h8srtxmoboulkrv.dll (Backdoor.Tidserv)

 

____________________________

URL Not Available

UNTESTED

 

Source

h8srtxmoboulkrv.dll

____________________________

File Actions

File: d:\documents and settings\john\desktop\new folder\h8srtxmoboulkrv.dll

Removed

File: D:\Documents and Settings\John\Desktop\Casino.url      (didn't exist)

Restart Required

File: D:\Documents and Settings\John\Desktop\Casino.url      (didn't exist)

Restart Required

File: d:\documents and settings\john\local settings\application data\google\chrome\user data\default\cache\f_001645

Removed

File: d:\windows\system32\tdsserrors.log

No Action Required

File: d:\windows\system32\tdssservers.dat

No Action Required

File: d:\windows\system32\tdssinit.dll

No Action Required

File: d:\resycled\boot.com

No Action Required

File: d:\tdl.dat

No Action Required

File: d:\windows\system32\dll.dll

No Action Required

File: D:\WINDOWS\system32\TDSSerrors.log

No Action Required

File: D:\WINDOWS\system32\TDSSservers.dat

No Action Required

File: D:\WINDOWS\system32\TDSSinit.dll

No Action Required

File: D:\resycled\boot.com

No Action Required

File: D:\tdl.dat

No Action Required

File: D:\WINDOWS\system32\dll.dll

No Action Required

____________________________

Registry Actions

Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata

No Action Required

Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\TDSS

No Action Required

Registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys

No Action Required

Registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSSserv.sys

No Action Required

Registry entry: HKEY_CLASSES_ROOT\msqpdxvx

No Action Required

Registry entry: HKEY_CLASSES_ROOT\homeview

No Action Required

 

These registry entries and some of the files didn't exist because it's the wrong TDL2 Tidserv variant.

Over to the next message, over the 20,000 limit.

Registry entry: HKEY_USERS\S-1-5-21-1060284298-1417001333-1606980848-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{74FA5D99-38CD-4E3E-B765-54FAD4BDA166}

Restart Required

Registry entry: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{74FA5D99-38CD-4E3E-B765-54FAD4BDA166}

Restart Required

Registry entry: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{74FA5D99-38CD-4E3E-B765-54FAD4BDA166}

Restart Required

Registry entry: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{74FA5D99-38CD-4E3E-B765-54FAD4BDA166}

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run->80b0514a

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run->BM838362d6

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd

Restart Required

Registry entry: HKEY_USERS\S-1-5-21-1060284298-1417001333-1606980848-1003\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd

Restart Required

Registry entry: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd

Restart Required

Registry entry: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd

Restart Required

Registry entry: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd

Restart Required

Registry entry: HKEY_USERS\S-1-5-21-1060284298-1417001333-1606980848-1003\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd

Restart Required

Registry entry: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd

Restart Required

Registry entry: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd

Restart Required

Registry entry: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd

Restart Required

Registry entry: HKEY_USERS\S-1-5-21-1060284298-1417001333-1606980848-1003\Software\Microsoft\WindowsUpd

Restart Required

Registry entry: HKEY_USERS\S-1-5-19\Software\Microsoft\WindowsUpd

Restart Required

Registry entry: HKEY_USERS\S-1-5-20\Software\Microsoft\WindowsUpd

Restart Required

Registry entry: HKEY_USERS\.DEFAULT\Software\Microsoft\WindowsUpd

Restart Required

Registry entry: HKEY_USERS\S-1-5-21-1060284298-1417001333-1606980848-1003\Software\Microsoft\SysUpd

Restart Required

Registry entry: HKEY_USERS\S-1-5-19\Software\Microsoft\SysUpd

Restart Required

Registry entry: HKEY_USERS\S-1-5-20\Software\Microsoft\SysUpd

Restart Required

Registry entry: HKEY_USERS\.DEFAULT\Software\Microsoft\SysUpd

Restart Required

Registry entry: HKEY_CLASSES_ROOT\CLSID\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}

Restart Required

Registry entry: HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\DomainService

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid

Restart Required

Registry entry: HKEY_USERS\S-1-5-21-1060284298-1417001333-1606980848-1003\Software\Microsoft\aldd

Restart Required

Registry entry: HKEY_USERS\S-1-5-19\Software\Microsoft\aldd

Restart Required

Registry entry: HKEY_USERS\S-1-5-20\Software\Microsoft\aldd

Restart Required

Registry entry: HKEY_USERS\.DEFAULT\Software\Microsoft\aldd

Restart Required

Registry entry: HKEY_USERS\S-1-5-21-1060284298-1417001333-1606980848-1003\Software\Microsoft\rdfa

Restart Required

Registry entry: HKEY_USERS\S-1-5-19\Software\Microsoft\rdfa

Restart Required

Registry entry: HKEY_USERS\S-1-5-20\Software\Microsoft\rdfa

Restart Required

Registry entry: HKEY_USERS\.DEFAULT\Software\Microsoft\rdfa

Restart Required

Registry entry: HKEY_USERS\S-1-5-21-1060284298-1417001333-1606980848-1003\Software\Microsoft\CAC

Restart Required

Registry entry: HKEY_USERS\S-1-5-19\Software\Microsoft\CAC

Restart Required

Registry entry: HKEY_USERS\S-1-5-20\Software\Microsoft\CAC

Restart Required

Registry entry: HKEY_USERS\.DEFAULT\Software\Microsoft\CAC

Restart Required

Registry entry: HKEY_USERS\S-1-5-21-1060284298-1417001333-1606980848-1003\Software\Microsoft\contim

Restart Required

Registry entry: HKEY_USERS\S-1-5-19\Software\Microsoft\contim

Restart Required

Registry entry: HKEY_USERS\S-1-5-20\Software\Microsoft\contim

Restart Required

Registry entry: HKEY_USERS\.DEFAULT\Software\Microsoft\contim

Restart Required

Registry entry: HKEY_USERS\S-1-5-21-1060284298-1417001333-1606980848-1003\Software\Microsoft\affltid

Restart Required

Registry entry: HKEY_USERS\S-1-5-19\Software\Microsoft\affltid

Restart Required

Registry entry: HKEY_USERS\S-1-5-20\Software\Microsoft\affltid

Restart Required

Registry entry: HKEY_USERS\.DEFAULT\Software\Microsoft\affltid

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\FCOVM

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\RemoveRP

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\80b043c4

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer->80b051e5

Restart Required

Registry entry: HKEY_USERS\S-1-5-21-1060284298-1417001333-1606980848-1003\Software\Microsoft\cs41275

Restart Required

Registry entry: HKEY_USERS\S-1-5-19\Software\Microsoft\cs41275

Restart Required

Registry entry: HKEY_USERS\S-1-5-20\Software\Microsoft\cs41275

Restart Required

Registry entry: HKEY_USERS\.DEFAULT\Software\Microsoft\cs41275

Restart Required

Registry entry: HKEY_USERS\S-1-5-21-1060284298-1417001333-1606980848-1003\Software\Microsoft\fias4013

Restart Required

Registry entry: HKEY_USERS\S-1-5-19\Software\Microsoft\fias4013

Restart Required

Registry entry: HKEY_USERS\S-1-5-20\Software\Microsoft\fias4013

Restart Required

Registry entry: HKEY_USERS\.DEFAULT\Software\Microsoft\fias4013

Restart Required

Registry entry: HKEY_USERS\S-1-5-21-1060284298-1417001333-1606980848-1003\Software\Microsoft\fias4018

Restart Required

Registry entry: HKEY_USERS\S-1-5-19\Software\Microsoft\fias4018

Restart Required

Registry entry: HKEY_USERS\S-1-5-20\Software\Microsoft\fias4018

Restart Required

Registry entry: HKEY_USERS\.DEFAULT\Software\Microsoft\fias4018

Restart Required

Registry entry: HKEY_USERS\S-1-5-21-1060284298-1417001333-1606980848-1003\Software\Microsoft\fias4052n

Restart Required

Registry entry: HKEY_USERS\S-1-5-19\Software\Microsoft\fias4052n

Restart Required

Registry entry: HKEY_USERS\S-1-5-20\Software\Microsoft\fias4052n

Restart Required

Registry entry: HKEY_USERS\.DEFAULT\Software\Microsoft\fias4052n

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kiruvogi

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon->SFCDisable:0

Restart Required

Registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa->Authentication Packages:...

Restart Required

 

I actually had to restore this so-called Vundo (actually a TDL2 file) to get my PC to boot properly after having to use Last Known Good Config the first time. After restoring it from Quarantine, the speed of the PC's Windows startup came back to normal and it didn't get stuck.

Quads


VirusTotal report showing AVs detecting it as TDSS, but Symantec detects it as Vundo:

http://www.virustotal.com/analisis/fbfe38fe1f3a4ef55ba8ee8cf69429b2e9e404f276824e8b72ca9c4241bc735b-1263532165

Quads

Message Edited by Quads on 01-15-2010 05:40 PM

Sigh. I must admit that I hate this TDSS rootkit!

I don't find it that bad, considering I removed a TDL3 and TDL2 installed on my PC for testing 2 or 3 days before the above problem.

All the files were dormant, so Norton must have had definition updates the morning that it detected the dormant files.

Much easier to delete the files yourself than to have Norton detect the files for you, then having to go through "Last Known Good Config" to get back in, etc.

Quads

Norton is still detecting the file "h8srtxmtmvkohjy.dll" as Trojan.Vundo, with restart required and loads of registry entries belonging to Vundo, even though it is not Vundo, for the individual file.

Quads

Now this sounds familiar with Vundo:

http://community.norton.com/t5/Norton-Internet-Security-Norton/Trojan-Vundo-capable-to-unzip-itself-from-zip/m-p/130717#M65313

1. Norton should not be detecting malware as one type when it is another.

2. Norton should not be detecting non-existent files or registry entries.

3. Norton should not be asking to restart the PC to remove files or registry entries that don't exist.

It would be like me mowing the lawns but I have no grass.

Quads
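As an added illustration of points 2 and 3, and not code from the thread or from Norton: a small parser for the File Actions / Registry Actions layout pasted earlier. It pairs each target with its action and flags the Restart Required targets that a caller-supplied existence check cannot find, which is what you would want to know before agreeing to a reboot-time removal. The `exists` predicate and the inventory in `demo()` are assumptions; on a live host you would back them with os.path.exists and winreg.

```python
import re
from typing import Callable, List, Tuple
# Constructed sample in the "File Actions" / "Registry Actions" layout Norton produced in the
# thread (paths mirror the posted ones; the blank separator lines are omitted, the parser skips them).
SAMPLE_LOG = r"""
File: D:\Documents and Settings\John\Desktop\Casino.url      (didn't exist)
Restart Required
Infected file: d:\documents and settings\john\desktop\tdl\tdl3.exe
Removed
Registry Actions
Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\TDSS
No Action Required
Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid
Restart Required
Registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd
Restart Required
"""

ENTRY_RE = re.compile(r"^(?:Infected file|File|Registry entry):\s*(.+?)\s*$")
ACTIONS = {"Restart Required", "Removed", "No Action Required"}

def parse_actions(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (kind, path_or_key, value_name, action) for each target/action pair.
    Registry lines use 'key->value' for a single value; files and whole keys get value ''."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            kind = "registry" if line.startswith("Registry") else "file"
            # Norton's own "(didn't exist)" note is dropped; existence is checked by the caller
            target = m.group(1).replace("(didn't exist)", "").strip()
            key, _, value = target.partition("->") if kind == "registry" else (target, "", "")
            pending = (kind, key, value)
        elif line in ACTIONS and pending is not None:
            entries.append((*pending, line))
            pending = None
    return entries

def phantom_restarts(entries, exists: Callable[[str, str, str], bool]) -> List[str]:
    """Targets Norton wants to remove at reboot that the supplied checker cannot find (hypothetical predicate)."""
    return [key + ("->" + value if value else "")
            for kind, key, value, action in entries
            if action == "Restart Required" and not exists(kind, key, value)]

def demo() -> List[str]:
    # Constructed inventory standing in for the real disk and registry: only affltid is present.
    present = {("registry", r"hkey_local_machine\software\microsoft\affltid", "")}
    return phantom_restarts(parse_actions(SAMPLE_LOG),
                            lambda kind, key, value: (kind, key.lower(), value) in present)
```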