Where is this file?

Below is the result of a quarantine for a remote access trojan.  I would like to know where it is saying this file is, as there is no path:  mydocs100114.zip.  Is this a recursive definition?  Is mydocs.scr located in mydocs100114.zip located in c:\users\... ?


File Actions

mydocs.scr
[Contained in] mydocs100114.zip      <----------  Where was this file on my filesystem?  
[Contained in] c:\users\redacted\appdata\local\comms\unistore\data\7\b\f0000201000000073701.dat Deleted     <---- was it in this .dat?


Thank you.

----------------------------------------------------------------------------------------------

Quarantine results below

On computers as of 
12/2/2018 at 10:53:30 AM

Last Used 
11/28/2018 at 7:38:03 PM

Startup Item 
No

Launched 
No

Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.


____________________________


mydocs.scr Threat name: W32.Extrat
Locate


Many Users
Thousands of users in the Norton Community have used this file.

Mature
This file was released 4 years 2 months ago.

High
This file risk is high.


____________________________


Source: External Media


____________________________

File Actions

mydocs.scr
[Contained in] mydocs100114.zip
[Contained in] c:\users\redacted\appdata\local\comms\unistore\data\7\b\f0000201000000073701.dat Deleted
____________________________


File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available
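An added example, not from the thread and not Norton's own code, that parses a "File Actions" block in the shape quoted above to answer exactly this question: it keeps the [Contained in] chain inner-to-outer, treats only the outermost entry as a real on-disk path, records the action Norton reports on that outermost object, and checks whether the thumbprint lines carry a digest usable for a false-positive submission. The sample log, the regexes and the Detection class are constructed for this illustration.

```python
import re
from dataclasses import dataclass, field
# Constructed sample in the shape of the Norton quarantine detail quoted above.
SAMPLE_LOG = """\
File Actions
mydocs.scr
[Contained in] mydocs100114.zip
[Contained in] c:\\users\\redacted\\appdata\\local\\comms\\unistore\\data\\7\\b\\f0000201000000073701.dat Deleted
File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available
"""
# "[Contained in] <name> [Action]"; assumes the name has no spaces, as in the log above.
CONTAINER = re.compile(r"^\[Contained in\]\s+(?P<name>\S+)(?:\s+(?P<action>[A-Z][a-z]+))?$")
THUMBPRINT = re.compile(r"File Thumbprint - (?P<kind>SHA|MD5):\s*\n\s*(?P<value>[^\n]*\S)")

@dataclass
class Detection:
    detected_file: str                               # innermost object the signature hit
    containers: list = field(default_factory=list)   # listed inner to outer
    action: str = ""                                 # what Norton did to the outermost object
    hashes: dict = field(default_factory=dict)       # "SHA" / "MD5" -> digest or None
    def on_disk_path(self):
        # Only the outermost container is a filesystem object; inner entries are archive
        # members (or a mail-attachment blob) that never existed as separate files.
        return self.containers[-1] if self.containers else self.detected_file
    def nesting(self):
        return " inside ".join([self.detected_file] + self.containers)
    def hash_for_submission(self):
        # A false-positive report needs a real hex digest; "Not available" is useless.
        for kind, width in (("SHA", 64), ("MD5", 32)):
            value = self.hashes.get(kind)
            if value and re.fullmatch(r"[0-9a-fA-F]{%d}" % width, value):
                return value
        return None

def parse_detection(text):
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    start = lines.index("File Actions") + 1
    det = Detection(detected_file=lines[start])
    for ln in lines[start + 1:]:
        m = CONTAINER.match(ln)
        if not m:
            break                                    # end of the File Actions block
        det.containers.append(m["name"])
        det.action = m["action"] or det.action
    for m in THUMBPRINT.finditer(text):
        det.hashes[m["kind"]] = None if m["value"] == "Not available" else m["value"]
    return det
```

Running `parse_detection(SAMPLE_LOG)` yields the chain "mydocs.scr inside mydocs100114.zip inside c:\...\f0000201000000073701.dat", with "Deleted" applying to the .dat and no hash available.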

lmacri:

Do you recall ever being invited to participate in a remote web meeting or allowing a technical support rep to start a remote access session on your computer?  There's always a possibility Norton detected some old, orphaned remnants from a "legitimate" remote access session on your system and quarantined them as W32.Extrat because they share similar properties with a known (malicious) RAT used by hackers, although that would be difficult to determine without the SHA256/MD5 hashes.

I have never allowed anyone to remotely access my machine.  In fact, Norton support that called me back (some call center yesterday after I filed a support request) asked me if they could remote in and I said no.  My work uses GoToMeeting to communicate but I have another computer I will use.  I will uninstall it from my main cpu.

Oh, thank you again for the reply.

lmacri:

One word of caution.  There is a safe way to submit a false positive report to Symantec at https://submit.symantec.com/false_positive/ by selecting the option to Provide a File Hash (see the support article Report a Suspected Erroneous Detection (False Positive) to Symantec) so it's unfortunate your detection logs don't include a SHA256 or MD5 hash.  W32.Extrat and Packed.Generic.463 are high-risk detections, so I'd be very hesitant to restore these files from quarantine for a false positive submission unless you have reasonable proof that they are not malicious.  There's always a risk you could re-infect your computer if you restore those files.

I didn't submit a false positive for these.  I clicked the submit to Symantec button in history.  I thought this was so they have another data point on a good identification.  I believe these threats are real.  I did not restore them.  They remain in quarantine.

lmacri:

Since nasdaq has finished cleaning your system I'll post a bit of information I found about GoToMeeting and UNPCampaignManager in my next reply.  Don't know if it will be helpful, though.

I look forward to it.  I've been in paranoia overload since this happened, so the more information the better.


The only thing that was potentially a false positive that I know of was the one Norton submitted automatically under "statistical submission Trojan.Klovbot" for some executable named ake.exe. It doesn't tell me where this executable is or was. There's no risk quarantine for it.  It just says statistical submission.  I looked this up and apparently Norton does this when it sees something it doesn't think is malware but is close enough so it wants to eliminate false positives by collecting this data.

I had 10 years or so of mail on my mail server that I downloaded via POP a few weeks ago.  I suspect all of these risks in folder 7 are Norton finding all the malware people have been trying to send me for 10 years. I have since deleted that pop account from Mail, backed up that account to pst and deleted that and 2 other accounts from my domain.

lmacri:

Since nasdaq has finished cleaning your system I'll post a bit of information I found about GoToMeeting and UNPCampaignManager in my next reply....

Hi Hornsj2:

Again, I'm not a trained malware removal specialist so this is pure speculation on my part, but I noticed the FRST Fixlog.txt file <here> that nasdaq asked you to run to clean up your system had a reference to a stray registry entry for -> C:\Users\<yourusername>\AppData\Local\GoToMeeting\9508\G2MOutlookAddin64.dll => No File.

A Google search showed this entry is related to a Microsoft Outlook plugin owned by LogMeIn Support (the same LogMeIn company that provides the remote access tool Norton Customer Support uses for their support sessions) called GoToMeeting.  The LogMeIn support article Start or Schedule Meetings in Microsoft Outlook states that "If you are running Windows, the GoToMeeting Outlook plugin allows you to view, schedule, join, edit and delete meetings directly from your Microsoft Outlook calendar".

The Should I Remove It? site has a review of GoToMeeting at https://www.shouldiremoveit.com/GoToMeeting-9017-program.aspx.  While they don't classify this software as malware, they do note that GoToMeeting uses remote access and screen sharing technologies.  Do you recall ever being invited to participate in a remote web meeting or allowing a technical support rep to start a remote access session on your computer?  There's always a possibility Norton detected some old, orphaned remnants from a "legitimate" remote access session on your system and quarantined them as W32.Extrat because they share similar properties with a known (malicious) RAT used by hackers, although that would be difficult to determine without the SHA256/MD5 hashes.

You could check with nasdaq, but I think the scheduled task below that was also cleaned up by your FRST Fixlog.txt file [Task: {6EAA9146-5DBF-44BE-A899-DB0D0B8BBC0B} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION] is an old task associated with Microsoft's Universal Notification Platform (UNP) and is probably a remnant of a promotion campaign when Microsoft was nagging users to upgrade to the Win10 Creators Update (Version 1703) in April 2017 via a pop-up request.  See the Reddit thread UNPCampaignManager - Any Ideas On That? for more information.
------------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.15.1.8

Hornsj2:

...Unfortunately none of them had thumbprints or hashes.  I can submit them to Norton, though, if that helps.

Hi Hornsj2:

One word of caution.  There is a safe way to submit a false positive report to Symantec at https://submit.symantec.com/false_positive/ by selecting the option to Provide a File Hash (see the support article Report a Suspected Erroneous Detection (False Positive) to Symantec) so it's unfortunate your detection logs don't include a SHA256 or MD5 hash.  W32.Extrat and Packed.Generic.463 are high-risk detections, so I'd be very hesitant to restore these files from quarantine for a false positive submission unless you have reasonable proof that they are not malicious.  There's always a risk you could re-infect your computer if you restore those files.

The Farbar Recovery Scan Tool (FRST) logs <here> in your Malwarebytes thread show you're a Steam gamer so you might want to read through SpaceX's thread Trojan Horse in Steam Game? for future reference.  As I noted in that thread:

It's not unusual for Steam executables to be flagged by Norton as potential threats, but these are typically heuristic (behaviour-based) detections that are triggered because the file shares similar characteristics with known trojans (e.g., the executable tries to download a file or open a backdoor connection to a remote server).  With Steam games that suspicious behaviour often has more to do with sloppy programming than malicious intent.

Also note that marking a thread as solved in the Norton forum doesn't lock it from further comments.  It will auto-lock after 30 days if there is no new activity in the thread.

Since nasdaq has finished cleaning your system I'll post a bit of information I found about GoToMeeting and UNPCampaignManager in my next reply.  Don't know if it will be helpful, though.
------------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.15.1.8

OK to close thread

Thank you for your reply.


It is a relief to hear that Defender is something that would have probably caught a trojan.

Everything you stated was correct.  One exception is that I actually had 4 risks detected.  All of them seemed to be in Mail's attachment hidden folder.  I only posted the ones I did as an example.

Unfortunately none of them had thumbprints or hashes.  I can submit them to Norton, though, if that helps.

I also see something in my logs that says statistical submission for Trojan.Klovbot but that says nothing is to be done.

Lastly, no tool has detected a registry key or executable, or anything outside of those hidden mail folders which was identified as an infection.  Malwarebytes has warned me of web trojans a few times, but I understand that is a "potential" infection based on the IP address that my browser was connecting to, and that my browser would just pick another IP.  It has also called out potential hijacks and adware.

I'll submit the files to Norton and work under the belief that I have not been hacked.  

Hornsj2:
...I have run all of my Norton tools, and Malwarebytes Premium, and run through the Malwarebytes forums detection and removal procedures with one of their volunteers (they use bleepingcomputer too).

I sort of panicked when I saw that file in quarantine, but if my theory above holds, it was never executed.  No tool I have run has said I have a RAT running on my system, not that they are fool-proof.

Hi Hornsj2:

I found your thread W32.Extrat in the Malwarebytes forum and it sounds like nasdaq believes your system is now clean, so that's good news.

If I understand correctly from that Malwarebytes thread, you just installed Norton this past week and it immediately detected and removed a possible W32.Extrat infection.  Am I correct that your main concern now is that you've had a malicious remote access tool (RAT) running on your computer that went undetected for several months before you installed Norton?  It also looks like you have a Win 10 Pro OS, so if you had an active infection before 28-Nov-2018 it would have to be hidden very well if your built-in Windows Defender antivirus and Malwarebytes both missed it.

I'm not sure how anyone could determine if you had an active RAT running on your computer now that your system has been cleaned, but someone from Norton might be able to provide further insight if the detected files are still sitting in your quarantine folder.  According to the images you posted in the Malwarebytes forum you actually had three detections on 28-Nov-2018 around 7:38 PM - two for W32.Extrat and a third for a Packed.Generic.463 detection for a self-extracting compressed executable - see the Symantec write-up at https://www.symantec.com/security-center/writeup/2014-071723-5510-99#technicaldescription for Packed.Generic.463 as well as the Wikipedia article Executable Compression about these types of compressed executables. Is it possible any of those detection logs include a SHA256 or MD5 hash (digital fingerprint) that could be used to determine the exact variant of W32.Extrat and/or Packed.Generic.463 that Norton detected?  Here's a sample from the File Thumbprint section of one of my own detection logs (taken from a false positive detection I had when I tried to download the Farbar Recovery Scan Tool executable frst.exe last year) that shows the type of information you should be looking for:

     File Thumbprint - SHA:
     7de76db002505d6873aec4ee96be1d65f0c97a95619f39f64bfe64f3366a215f
     File Thumbprint - MD5:
     58b1fd6d5593b1868d2b96e36ca4a0da

------------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.15.1.8

Thank you for your reply.

In actuality, this folder here is where Windows Mail stores all attachments downloaded when you sync your POP mail account.

c:\users\redacted\appdata\local\comms\unistore\data\7\

Here is where it stores the actual messages themselves:

c:\users\redacted\appdata\local\comms\unistore\data\3\

0,2, etc are (not sure of the order) calendar, people, and other types of data related to mail.

The files in these folders are hidden operating system files.  I believe Mail uses this data to reconstruct the email and show you it in Mail as a message with attachment.


So, you see, it found a virus in an attachment file, probably simply downloaded via Mail when I synced.  My question is, why does it list the infected file, then [contained in] filename with no path, then [contained in] with a path?

---

mydocs.scr    <-- Infected file
[Contained in] mydocs100114.zip      <---------- Zip with infected file.  Why no path?
[Contained in] c:\users\redacted\appdata\local\comms\unistore\data\7\b\f0000201000000073701.dat Deleted     <---- dat file in place where attachments are stored for Windows Mail.   Did this contain the .zip?

---



I suspect it is because the file is in the zip, which is in the .dat.  If this is the case, I have not been infected, but the virus was primed and ready to go if I read the attachment via Mail.

I have run all of my Norton tools, and Malwarebytes Premium, and run through the Malwarebytes forums detection and removal procedures with one of their volunteers (they use bleepingcomputer too).

I sort of panicked when I saw that file in quarantine, but if my theory above holds, it was never executed.  No tool I have run has said I have a RAT running on my system, not that they are fool-proof.


Hi Hornsj2:

Please see the Technical Description tab of Symantec Security Center write-up for your W32.Extrat detection at https://www.symantec.com/security-center/writeup/2012-111221-3742-99#technicaldescription.  According to that write-up the W32.Extrat detection is related to a family of worms/trojans that spreads malicious remote access tools (RATs) like Xtreme RAT and Spy-Net RAT.

I'm not a malware removal specialist, but my best guess is that you somehow received a zipped file called mydocs100114.zip (e.g., via a drive-by download while you were browsing an infected web site or via a malicious e-mail attachment) that came bundled with multiple components like an activation script (mydocs.scr) and a data file (f0000201000000073701.dat) that was saved or created in the hidden c:\users\<yourusername>\appdata\local\comms\unistore\data\7\b\ folder when the .zip file was unzipped.  See the How-To Geek article How to Show Hidden Files and Folders in Windows 7, 8, or 10 if you don't know how to temporarily unhide the c:\users\<yourusername>\appdata\local folder to view its contents.

When Norton detected this infection the associated files were either permanently deleted (which is what happens for most high-risk malware if Norton is certain it detected the signature of known malware) or the files were renamed and encoded/encrypted to neutralize any potential harm and then placed in quarantine.  I believe the Norton quarantine folder is located at C:\ProgramData\Norton\<<your Norton product ID number>>\SRTSP\Quarantine but you should see an error message similar to "You don't have permission to access this folder...." if you try to open this quarantine folder and view the contents.  

If the detected file(s) were placed in Quarantine (check at Security | History and choose Quarantine from the Show dropdown box to see if they were actually quarantined) they can't do any harm to your computer unless you choose to manually restore them from quarantine from inside the Norton program - see the support article Act on Quarantined Risks or Threats.

If you're concerned Norton didn't completely remove/neutralize this infection I'd suggest posting in BleepingComputer's Virus, Trojan, Spyware, and Malware Removal Help board where a trained malware removal specialist will check your system at no cost and help remove any traces that might remain on your computer.  Read their Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help before posting so you know what diagnostic logs you need to provide in your first post.
------------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.15.1.8