Problem with Malware not found by Internet security


If you have any Files, please Submit them to Symantec Security Response: http://www.symantec.com/business/security_response/submitsamples.jsp

 

 If you have not already done so, do a Full System Scan, with Updated Virus Definitions, in Safe Mode.

 

Please also Download, Install, Update then Run a Full Scan in Safe Mode: http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html.

 

Which Norton Internet Security is it, e.g. N.I.S. 2009?

Try using one of the non-windows based scanners.

 

If you have NIS2009, you can use the new startup disk to see if that will pick it up.

 

I think AVG, Avast!, PC Tools and Avira all have antivirus recovery disks (bootable) which you can use to try and clean the infection.

 

Perhaps your malware is a rootkit, in which case it would be hard to remove...

 

You could try Avira Anti-Rootkit, or a heuristics program like Norton Anti-Bot or Threatfire to see if they zap them based on behaviour.

Message Edited by tech-sponge on 10-02-2008 01:25 AM

I would add one thing to Floating_Red's excellent suggestion about Safe Mode and that is to unplug from the internet while performing the scan.

 

This prevents the nasties from "phoning home".

 

[responses to multiple messages]

 

If you have any Files, please Submit them to Symantec Security Response

 

By that, do you mean if I track down which files are responsible, send them in?  I'll do that, but the trick is figuring out what they are.  I thought once I tracked it down to the DCOM service, it'd be easy to figure out what the DCOM service was launching at startup and find the perp, but after poking at the DCOM configuration program for a while, I couldn't figure out what mechanism was used to start programs and therefore couldn't figure out what was getting run.

 

  The process that's actually running is svchost (or ccSvcHost when NIS is installed), so it's a .dll _somewhere_.

 

  Thanks for the assorted suggestions.  I'll attempt some of them tonight.

 

  I'm not entirely sure which version of NIS I have (I don't see anything that actually says what it is), but I'm pretty sure it's NIS 2008.  The copyright notice says 2007-2008 and the version is 15.5.0.23.

 

  I hadn't mentioned it before, but I did do all of the scanning with the ethernet cable disconnected and most of the scanning in Safe Mode.  I've done the most thorough scans possible with all of the AV programs I've tried, though I'm not positive I tried Norton in Safe Mode.  I currently have NIS uninstalled so I could try some of the other virus scanners, but I'll reinstall and see if I can get any further with it and the other suggestions that have been made.

 

  I feel like I have it cornered, but the final removal is proving difficult.

Hi Techguy1000,

 

Thanks for the additional information. With 15.5.0.23, you have the most recent version of NIS 2008.

 

You might want to try NIS 2009; it has some more advanced scanning which may help. You can confirm your eligibility for the FREE update at the Norton Update Center.

 

You mentioned that you have uninstalled NIS 2008. If you decide to update to NIS 2009, please be sure that the following items have also been uninstalled via Add-Remove Programs:  Symantec Live Update, Symantec LiveUpdate Notifier. These are required for 2008 but not for 2009.

 

When you get the chance, please try the NIS Full System Scan in Safe Mode while unplugged and also the Malwarebytes scan in the same fashion.

 

One last suggestion: You should consider deleting all of your System Restore Points as they may have become infected.

 

Please keep us informed and Best Wishes!

Message Edited by Phil_D on 10-01-2008 01:29 PM

I hope that all the open connections are caused by Norton itself.

I downloaded NIS 2009 yesterday and checked netstat -no after reading this post.

I have 45 connections!!!!!!

5 of them use my IP address with the status TIME_WAIT, PID 0.

1 of them is established, PID 804, which is ccProxy.exe, whatever that is.

37 are on 127.0.0.1:1027, TIME_WAIT, PID 0.

1 is established at 127.0.0.1:1027, PID 804.

And 1 is established at 127.0.0.1:1027, PID 852, which is ccSvcHst.exe???

So this gives me the TCP/IP warnings in my logs.

I always used ESET's NOD32 and ESET's Smart Security 3.0 and never had that many connections.

I don't have any P2P programs or BitTorrent clients and no IM clients open at the moment.

So it must be NIS 2009.

All the advice here is a surprise for me because I paid 70 Euros for this product, and all I read is download this and download that.

When I bought this product I was told that NIS 2009 was a complete internet security product, so I don't need any other scanners, do I?

I am 100% sure my computer doesn't contain any malware, so maybe NIS is the malware?

 

N.I.S. 2009 is not Malware, otherwise millions of Users - thousands at least - would be "Infected"; it might be some Malware trying to act like N.I.S. 2009.

 

Remember to run Norton LiveUpdate to get all the Updates after installing a New Norton Security Product!

Message Edited by Floating_Red on 10-01-2008 08:31 PM

Hi

 

If the likes of Norton, Malwarebytes AntiMalware and SuperAntispyware can't find anything, then you have to remember DCOM is used by all sorts of things in Windows, including XP and Vista.

The file path is "WINDOWS\system32\svchost.exe -k DcomLaunch"; if you shut it down you will, or should, find the PC will restart, as it is a needed process. When connected to a network there may be more activity.

It might be slightly more active if you have something connected using Bluetooth.

A list of things that use DCOM is here: http://itsvista.com/2007/04/dcom-server-process-launcher/

 A lot of the same would be used by XP. 

Thanks 

 

Quads

 

I agree Norton is not Malware

Quads 

"ccProxy.exe" is part of NIS and its firewall, as far as I know (I stand to be corrected). It controls the Content filtering of Websites, Domains etc.
Quads 
 

shivan wrote:

I hope that all the open connections are caused by Norton itself.

I downloaded NIS 2009 yesterday and checked netstat -no after reading this post.

I have 45 connections!!!!!!

5 of them use my IP address with the status TIME_WAIT, PID 0.

1 of them is established, PID 804, which is ccProxy.exe, whatever that is.

37 are on 127.0.0.1:1027, TIME_WAIT, PID 0.

1 is established at 127.0.0.1:1027, PID 804.

And 1 is established at 127.0.0.1:1027, PID 852, which is ccSvcHst.exe???

So this gives me the TCP/IP warnings in my logs.

I always used ESET's NOD32 and ESET's Smart Security 3.0 and never had that many connections.

I don't have any P2P programs or BitTorrent clients and no IM clients open at the moment.

So it must be NIS 2009.

All the advice here is a surprise for me because I paid 70 Euros for this product, and all I read is download this and download that.

When I bought this product I was told that NIS 2009 was a complete internet security product, so I don't need any other scanners, do I?

I am 100% sure my computer doesn't contain any malware, so maybe NIS is the malware?


Hello shivan,

 

It is best for all the users if the posts remain on the topic. In this particular thread we are trying to assist another user who has a problem.

 

If you have an issue with excessive connections, you should start a new topic on that.

 

You said: "and all I read is download this and download that."

 

Perhaps you did not understand our intent. We were informing Techguy1000 that a free update to NIS 2009 is available and we also recommended one other on-demand scanner to assist in resolving the issue.

 

Thanks.


Quads wrote:

Hi

 

If the likes of Norton, Malwarebytes AntiMalware and SuperAntispyware can't find anything, then you have to remember DCOM is used by all sorts of things in Windows, including XP and Vista.

The file path is "WINDOWS\system32\svchost.exe -k DcomLaunch"; if you shut it down you will, or should, find the PC will restart, as it is a needed process. When connected to a network there may be more activity.

It might be slightly more active if you have something connected using Bluetooth.

A list of things that use DCOM is here: http://itsvista.com/2007/04/dcom-server-process-launcher/

 A lot of the same would be used by XP.

 

--------------------------------------

 

I'm not sure what the point of your message is supposed to be.  Did you omit half of the first paragraph?

 

I shut down the DCOM service as a temporary measure just to keep the malware from starting so things would run a little smoother.  As I said, stopping DCOM was likely to break some other things.  I don't believe that DCOM itself is the source of the problem, but something it's starting or something that's using the service is.  A lot of what DCOM does are remote functions of some sort.  About the only remote service I use is file sharing, and that's unaffected.  The PC did not shut down and nothing I was using right then seemed to be affected after disabling DCOM and the machine was running a whole lot faster.  As far as I'm concerned, it can stay that way until the infection is removed.

 

I disabled DCOM via the service manager and the massive number of remote connections were gone and stayed gone after a reboot.  Reenabling the service promptly brought them back.

 

I think I've found some posts about something that sounds very similar on the Avast site and will also be attempting some of the remedies listed there as well as the ones listed here.  I don't believe I've tried AntiMalware, but I have tried NIS and SuperAntispyware and they didn't find it.

Hi

 

What do you mean what's the point of my message..............?

 

I was explaining, if AntiVirus and Anti-Spyware software can't find anything, it could mean nothing is there to find.

I then went on about DCOM, which you stated in this paragraph,

 

"Using netstat and Processor Explorer, I can see that the process is getting started by the DCOM Service Process Launcher and Process Explorer shows it as "Terminal Services"."

 

Quite a few people would then start thinking DCOM is an infection, or files related to that service, and then wonder why the PC and Windows is not running correctly or won't boot. Like people who just delete the legitimate "explorer.exe" or "svchost.exe" and then wonder what's wrong. So I thought I would say something about DCOM. That's all.

Were there any services listed under the "Dependencies" tab via Services - DCOM?? Or any file name you have noticed using it.

 

Mine is running, but I have no Dependencies listed 

Quads 



I was explaining, if AntiVirus and Anti-Spyware software can't find anything, it could mean nothing is there to find.

I then went on about DCOM, which you stated in this paragraph,

 

"Using netstat and Processor Explorer, I can see that the process is getting started by the DCOM Service Process Launcher and Process Explorer shows it as "Terminal Services"."

 

Quite a few people would then start thinking DCOM is an infection, or files related to that service, and then wonder why the PC and Windows is not running correctly or won't boot. Like people who just delete the legitimate "explorer.exe" or "svchost.exe" and then wonder what's wrong. So I thought I would say something about DCOM. That's all.

Were there any services listed under the "Dependencies" tab via Services - DCOM?? Or any file name you have noticed using it.

 

Mine is running, but I have no Dependencies listed 

Quads 


 

  Are you trying to say that opening 20+ smtp connections to assorted sites all around the world is not malware?

 

  It wasn't my intention to say that the DCOM service is a virus (and I didn't), but it is getting used by one.

 

  A few interesting things happened last night.  With the DCOM service stopped I still wasn't seeing any signs of the virus.  I ran a couple of other Malware scanners and after one of the reboots it was back.  I looked and the DCOM service was still stopped, but now the process opening all the SMTP connections was shown as an RPC service. Tricky little **bleep**.

 

I reinstalled NIS and the evil process moved back to ccSvcHost.  Opening the Dependency Walker was a little interesting in that there were entries for msvcr80.dll and msvcp80.dll that were "not in the current directory or path", but that seems to be normal for ccSvcHost.

 

  NIS was initially working OK, but then stopped coming up properly at boot.  The malware was still running strong, but now back under svchost.  On machine shutdown, a memory access error popup showed up for ccSvcHost, so it looks like something in NIS is messed up.  Suspicious, but I don't think it's related to the malware.  It looks like I'll have to reinstall NIS... again.

 

  A safe mode scan with NIS came up with an IEDefender trojan.

 

I've seen people with pretty much the same problem on the Avast site.  The fix doesn't seem to be "run this software and it'll fix it".  It's more "run HijackThis or DSS and post a log", then they're told to delete a few things and rerun the HJT/DSS scans, delete some more stuff, and after 2 or 3 rounds the malware is gone.

 

  This weekend I'll take my work laptop home.  It's configured very similarly to my home desktop in terms of software installs and such, but the laptop doesn't have any signs of this malware.  That'll at least give me a clean system to compare anything that's suspicious looking with.

 

For a given svchost or ccSvcHost PID, does anyone know a definitive way to figure out what all the DLLs and executables involved with the process are?  Is the Dependency Walker from Process Explorer showing that info?

 

  I can see the bad process, but whatever it is is hiding behind a service and I can't seem to track down what's actually calling the service.
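The question above about tying a svchost or ccSvcHost PID back to what it is hosting, and shivan's earlier netstat connection counts, can both be worked from the output of `tasklist /svc` and `netstat -ano` joined on PID. The following is an added example, not code from this thread or from Norton; both command outputs are constructed samples, the PID and service names in them are made up, and the threshold of three outbound port-25 connections is an assumption.

```python
import re
from collections import defaultdict
# Constructed `tasklist /svc` sample (not from the thread); a wrapped service list continues on an indented line.
TASKLIST_SVC = """\
Image Name                     PID Services
svchost.exe                    804 DcomLaunch, PlugPlay
svchost.exe                    852 RpcSs
ccSvcHst.exe                  1156 ccEvtMgr, ccSetMgr,
                                   Dhcp
"""
# Constructed `netstat -ano` sample (not from the thread); three outbound SMTP connections belong to PID 804.
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       852
  TCP    127.0.0.1:1027         127.0.0.1:1028         ESTABLISHED     804
  TCP    192.168.1.10:49152     203.0.113.5:25         ESTABLISHED     804
  TCP    192.168.1.10:49153     198.51.100.7:25        SYN_SENT        804
  TCP    192.168.1.10:49154     203.0.113.9:25         ESTABLISHED     804
"""
TASKLIST_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<svcs>.+?)\s*$")

def _names(field):  # "a, b," -> ["a", "b"]
    return [s.strip() for s in field.split(",") if s.strip()]

def parse_tasklist_svc(text):  # PID -> (image name, [hosted service names])
    owners, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace() and last is not None:  # continuation of the previous PID's services
            owners[last][1].extend(_names(line))
            continue
        m = TASKLIST_RE.match(line)
        if m:
            last = int(m["pid"])
            owners[last] = (m["image"].strip(), [] if m["svcs"] == "N/A" else _names(m["svcs"]))
    return owners

def parse_netstat_ano(text):  # (proto, local, remote, state, pid) for each TCP row
    rows = [line.split() for line in text.splitlines()]
    return [(p[0], p[1], p[2], p[3], int(p[4])) for p in rows if len(p) == 5 and p[0] == "TCP"]

def outbound_smtp_by_pid(rows, owners, threshold=3):
    # Count non-listening TCP connections to remote port 25 per PID and flag PIDs at or above the threshold
    counts = defaultdict(int)
    for proto, _local, remote, state, pid in rows:
        if proto == "TCP" and state != "LISTENING" and remote.rsplit(":", 1)[1] == "25":
            counts[pid] += 1
    findings = []
    for pid, n in sorted(counts.items()):
        if n >= threshold:
            image, svcs = owners.get(pid, ("<unknown>", []))  # name what is hosted behind the PID
            findings.append({"pid": pid, "image": image, "services": svcs, "smtp_connections": n})
    return findings
```

`tasklist /svc` names the service groups a given svchost instance hosts, not every DLL it has loaded, which is usually the first thing worth knowing about a PID before looking at its modules.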

Removal instructions for IEDefender: http://www.symantec.com/security_response/writeup.jsp?docid=2007-111420-0754-99&tabid=3 ; check and make sure all Files are Removed.

 

Technical Details for Trojan.Zlob: http://www.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99&tabid=2.

Try Anvir Task Manager  http://anvir.com/taskmanager/

 

Silver


Floating_Red wrote:

Removal instructions for IEDefender: http://www.symantec.com/security_response/writeup.jsp?docid=2007-111420-0754-99&tabid=3 ; check and make sure all Files are Removed.

 

Technical Details for Trojan.Zlob: http://www.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99&tabid=2.


 

  I should have been more specific.  NIS found IEDefender, but I don't think that's the malware causing me the headaches.  We'll see when I boot back to normal mode.  I strongly suspect the malware will still be there.

 

  NIS claimed it removed the affected files.  I haven't had a chance to check, though.  I started the scan late last night and just glanced at the results this morning.  I probably won't have a chance to do much with it tonight.  This thing has distracted me from getting some work done that I need for the weekend, so it might be a couple of days before I get a chance to do much more work with it.


Techguy1000 wrote:

Floating_Red wrote:

Removal instructions for IEDefender: http://www.symantec.com/security_response/writeup.jsp?docid=2007-111420-0754-99&tabid=3 ; check and make sure all Files are Removed.

 

Technical Details for Trojan.Zlob: http://www.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99&tabid=2.


 

  I should have been more specific.  NIS found IEDefender, but I don't think that's the malware causing me the headaches.  We'll see when I boot back to normal mode.  I strongly suspect the malware will still be there.

 

  NIS claimed it removed the affected files.  I haven't had a chance to check, though.  I started the scan late last night and just glanced at the results this morning.  I probably won't have a chance to do much with it tonight.  This thing has distracted me from getting some work done that I need for the weekend, so it might be a couple of days before I get a chance to do much more work with it.


 

Greetings,

    I know that N.I.S. Removed Files that were Detected as IEDefender; you could have got re-infected or N.I.S. may not have got all the Files.  That is why I suggested that.

 

Were you Connected to the Internet when Running this Scan?


Floating_Red wrote:

Greetings,

    I know that N.I.S. Removed Files that were Detected as IEDefender; you could have got re-infected or N.I.S. may not have got all the Files.  That is why I suggested that.

 

Were you Connected to the Internet when Running this Scan?


   No, I was in Safe Mode without networking.