Question about "Symantec Eraser Service", what does it do exacltly?

I have NIS 2012 (19.2.0.10) and decided to run a full disk scan which I normally don't do.   It came back and told me it found a few "infected" files (mainly security programs) on my external drive. These are programs I had backed up from my old computer and never ran on my new one.

 

One of the files off my external drive was said to be infected with Backdoor.Graybird.  I don't know if that was really true or not, but since the file was on an external drive and never ran my machine wouldn't be infected.  Anyway it said that it removed the file, along with a c:\windows\system32\installed.dat file which I'm fairly certain had nothing to do with the other file.  It told me I needed to reboot to finish the cleanup process.

 

I rebooted and after that, NIS 2012 started running another ccsvchst.exe process which it apparently added to the System Services.  It is listed as "Symantec Eraser Service" and is set to run automatically.   That process has been thrashing my disk for the last hour doing something.

 

Doing a quick search I find very little about "Symantec Eraser Service" other than it's part of Norton Antivirus.

 

What exactly is it doing and will it go away when it's finished (as it wasn't there before)?


Morac wrote:

I have NIS 2012 (19.2.0.10) and decided to run a full disk scan which I normally don't do.   It came back and told me it found a few "infected" files (mainly security programs) on my external drive. These are programs I had backed up from my old computer and never ran on my new one.

 

One of the files off my external drive was said to be infected with Backdoor.Graybird.  I don't know if that was really true or not, but since the file was on an external drive and never ran my machine wouldn't be infected.  Anyway it said that it removed the file, along with a c:\windows\system32\installed.dat file which I'm fairly certain had nothing to do with the other file.  It told me I needed to reboot to finish the cleanup process.

 

I rebooted and after that, NIS 2012 started running another ccsvchst.exe process which it apparently added to the System Services.  It is listed as "Symantec Eraser Service" and is set to run automatically.   That process has been thrashing my disk for the last hour doing something.

 

Doing a quick search I find very little about "Symantec Eraser Service" other than it's part of Norton Antivirus.

 

What exactly is it doing and will it go away when it's finished (as it wasn't there before)?


Hi,

I'm not sure either. When I tried to chase it down on the Symantec site I ended up with their pay-for-expert service.

There is the Norton Power Eraser found here: http://us.norton.com/support/DIY/index.jsp

Which is a very powerful tool so be careful.

I never installed Norton Power Eraser.   Whatever is currently running is part of Norton Internet Security 2012.   As far as I can tell, by using some system process spy tools, the "Symantec Eraser Service" is scanning my drives like a normal system scan would do. It's reading all the files on my hard drive.

 

The difference is that it doesn't show anywhere that it's dong a scan and there's no way to stop it.

 

I'm also not sure what it's looking for since it already wiped the one file it thought was a virus.

Hi Morac,

 

Eraser generally refers to a Norton malware removal engine that shuts down the services and removes the files and registry entries created by certain malware.  It's an uninstaller, of sorts.

Makes sense, though since there was no malware installed (the file was on a removable disk) I'm not really sure what it's doing at the moment other than slowing it down.  I noticed it because there's now three ccsvchst.exe processes, when before there have always been two.

 

Will it go away when it's finished?  I'd rather it not do this every time I boot up my machine.  

Unfortunately, I don't know anything about the technical workings of the Eraser.  I would certainly hope and assume that it would finish its business and go away.  You might check Norton Unresolved Security Risks to see if your malware is listed there.  If so, and you removed the disk containing the threat, Norton might continue to search for it in vain.  If you find it in Unresolved Risks, go ahead and clear it, so Norton will know to give up.

There's nothing in the unresolved risks.   Norton actually resolved all risks during the disk scan.  I'm still not sure why it wanted to do an eraser scan or whatever it's doing.


SendOfJive wrote:

Hi Morac,

 

Eraser generally refers to a Norton malware removal engine that shuts down the services and removes the files and registry entries created by certain malware.  It's an uninstaller, of sorts.


Nice to know. Thanks for the information.

It's currently been at it for 4 hours and doesn't appear to be making any progress.  There's nothing in the "Unresolved Security Risks" area.

 

I checked the Windows Event Log and "Symantec Eraser Service" has never run prior to today.

 

What's the default System Services startup type (auto, manual, etc) for "Symantec Erase Service" in Norton Internet Security 2012?

Actually is it even installed by default?

Default for eeCtl service is 'System'.  However, you should not be able to adjust this as it should be under the control of Norton / Symantec services exclusively.


dbrisendine wrote:

Default for eeCtl service is 'System'.  However, you should not be able to adjust this as it should be under the control of Norton / Symantec services exclusively.


Thanks, but I actually meant EraserSvc11121, the service that actually runs ccsvchst.exe.  On my system it's currently set to automatically run on system startup.

Have you rebooted since this started running?  Maybe if you reboot.....

I didn't want to interupt it in case it would start over again.   It appears to have made it to scaning the "c:\program files" folder and everything in it.  I'm assuming it's scanning every file on my system for some reason.  If it's not done by morning, I may reboot it.  

 

I wish I knew what it was trying to do.

Just to close things out, the Symantec Eraser Service (ccsvchst.exe) process wasn't running this morning.  It started a 9:00 PM when I rebooted and stopped itself at 4:00 AM.

 

I still have no idea what it did since there's nothing in the Recent History about it, but at least it didn't seem to damage anything that I can tell.