Still a hidden file in Task Manager (ME)


frugalphone
September 3rd, 2003, 03:29 PM
All tools loaded yesterday (TDS-3, Port Explorer, Worm Guard), full system scan run (I think), yet a "hidden" task still starts and runs, even when not connected to web.

Checked TDS-3 processes, shows Norton Systemworks/antivirus/firewall processes, but these same processes do not show in Task Manager (ccEvtMgr and ccPxySvc don't show, but ccApp does show).

NSW + virus + firewall 2003 loaded since last fall, stopped 2 buffer overrun attacks 2 and 4 days ago, so it's doing something.

In Task Manager (Windows ME) sometimes a blank line shows at the bottom of the list of tasks, sometimes not.
Yesterday, after installing each application (rebooting after each install), TDS-3 hung. I had Windows Explorer up, ADSL cable unplugged during the whole install process and still unplugged, and Windows Explorer hung too. The TDS-3 process showed as still running in Task Manager, but the icon disappeared, and I couldn't get the black console to show on the display. :-\

Rebooted; TDS-3 hasn't hung again, yet.
TDS-3 configured to run at startup with everything scanned except CRC32 System Files Test. Full system scan found 2 files: LeakTest Demo (file ok), and one file named as .com.pif (don't remember file name) but has been archived to D:\ drive already.

If TDS-3 isn't catching this right now, what can I use?
What can I look for?
Just found the beginners' TDS-3 configuration, haven't done it yet, so my question may be premature?

Norton might be compromised - ccApp didn't use to run, and started running yesterday. This is a standalone machine; I have a 4-port router for the ADSL connect, but to me.

More TDS-3 Process details, Symantec says these should show on Task Manager with ccApp:

ccEvtMgr.exe : Name: Event Manager Service,
Window: Win95 RPC Wmsg Window
ccPxySvc.exe : Name: Norton Internet Security Proxy Service,
Window: Win95 RPC Wmsg Window
DDHelp.exe : Name: Microsoft DirectX Helper,
Window: DDHelpWndClass

Other Norton files show in the TDS-3 process list but not in Task Manager; is this normal? (I don't know anything, have just been poking around and observing.)

Where do I start? :P

Pilli
September 3rd, 2003, 03:53 PM
Hello Frugalphone,
I assume you are a licensed TDS3 user; first make sure you have the latest radius file, then install execution protection.
In scan control select everything except for "scan for clients/edit servers" & the two NTFS entries - In generic detection enable both tick boxes and move the sensitivity slider to the right.
Do a full system scan.
If you have already done this then start up PE and make sure you have no connections that you have not instigated.
I have tried the TDS3 process list and it does show task manager as a service when it is running but this is an XP pc and ME may be different.

BTW have you scanned for spyware using either AdAware or Spybot Search & destroy?

Jooske
September 3rd, 2003, 04:07 PM
Hi frugalphone, welcome to the DCS family!
What do you notice exactly from the possible hidden process?
Does it start immediately after reboot or after being connected to the web?
Are there any unknown keys when you look in TDS > System analysis > autostart explorer?
And if you look with Start > run > msconfig > autostart tab, are there any unknown or anonymous items?

Could there be spyware involved? Did you try with Spybot S&D for instance or Ad-aware?


The *.com.pif is a double extension only; if you know the file there is no problem. That leaktest thing is also just a demo, nothing serious.

I hope with installing your programs you had all other applications closed, especially anti-virus protection and the like, and the Norton parts when installing something else: you might need to uncheck them temporarily in msconfig, reboot, do your installs, if necessary reboot, re-enable your antivirus and Norton parts and reboot again and see if everything runs fine as it should.

I use the CRC32 scan all the time, and as you can see in the sticky thread about that you can add your own files to be checked and change paths to where files are on your system, etc.


Does WormGuard alarm on anything when you try to open any file? Did you for WG install the security and did you press the test button?

Which processes in Port Explorer show as hidden or could be suspicious? Did you try to spy on their data packets?

*Edited: we did it again! Pilli and I are such a team huh, see the posting after I sent my posting away. Fortunately we did not tell all the same story (would be so boring) and no contradictions (of course not!), even the same spyware advice! wow!
Waiting for your further scan results.
Oh and Pilli said we think you're a licensed user with the updates etc, if so, also install the exec protection.*

DolfTraanberg
September 3rd, 2003, 04:17 PM
.com.pif :(
I don't like the combination of those extensions. Do you have any 16 bit DOS programs running on your system?
Dolf

Pilli
September 3rd, 2003, 04:26 PM
Dolf, wouldn't Wormguard usually alarm if a dual extension tries to run?

Frugal phone, I forgot the link to the latest Radius.tds file: http://tds.diamondcs.com.au/radius.td3 Just drop it into your main TDS directory.
Spybot can be found here: http://security.kolla.de/news.php?lang=en
& AdAware here: www.lavasoft.de

Jooske, I just saw your edit ;D

DolfTraanberg
September 3rd, 2003, 04:39 PM
Quoting Pilli:
"Dolf, wouldn't Wormguard usually alarm if a dual extension tries to run?"
IF protection has been enabled.... yes

frugalphone
September 3rd, 2003, 05:23 PM
Update: Is this a worm / virus?

Tried to run Norton LiveUpdate, checked options... none were set for LiveUpdate to run automatically, yet LiveUpdate (or something with its name) has been running. LiveUpdate is starting very frequently now; on auto it should be once a week... suspicious perhaps? Updates were good from 8/27, so the problem is recent.

Tried a manual run, failed, internal errors in . Filling in the Symantec error form, needed the AntiVirus version, tried AntiVirus -> "Help", and WormGuard kicked it out! Here are the interesting bits; attached is the full SafeText.

FILE: c:\windows\help\nav.chm
SIZE: 217945 bytes
Wow, lots to do and learn, some quick answers, then off to the toolbench:

Pilli, yes licensed, already got updates and the latest Radius, execution protection is on.
- Full system scan done with tick boxes as you recommended, but not with the Current Scan List filled in; will re-do full system scan.
- Blank line in task manager shows up even when not connected to web, then goes away again. Cannot seem to correlate it to any activity, so unsure what PE could tell me (maybe my system is trying to send something....hmmmm...hadn't thought of that....)
- Haven't scanned for spyware or adware yet - thanks for links.

Jooske, blank line takes a while to show up after boot. I've tried to "catch" it doing intermittent Task Managers during boot process, have seen <unknown> in task list, once saw two <unknown>s, but ME is pretty thin for system management it seems. Caught it once, killed the task, then couldn't even shut down the system - had to power off.
- Ran --> autostart explorer, no unknown keys, although 3 keys are <empty> Run, RunOnce, and RunOnceEx
- Neither Port Explorer nor WormGuard has hollered - I keep hoping they will. The buffer overrun was stopped by Norton; I didn't have the DCS tools loaded yet (talk about incentive). The aggressor IP address showed as mine, but the port kept changing, and the timing between attacks seemed steady.
- Did not turn off Norton utilities when installing, will re-do everything.
- Will look for CRC32 link.

Dollefie, don't know how to check for 16-bit processes (?). The file was from Panda Antivirus (downloaded, don't recall ever running it):
pqremove.com.pif
"Performs text-based (command-line) functions, Created Mar 20, 2002, Modified Dec 19, 2001."
I think I'll quarantine it anyway.

Dumb question, but does it matter that file names are all caps? Most Norton files have mixed font file names that match their File Properties, but some are all caps, and the version numbers displayed don't match the File Properties value either. Seems like one way a hacker could tell what's his or not.... ?

Thanks for great directions -- this'll keep me busy for the next 10 minutes .... ;)

Dan Perez
September 3rd, 2003, 08:04 PM
Wormguard will frequently alert you when it does a pre-launch analysis of a file that is found to have the string "virus" in it (Yes, many viruses do include such strings in their code) so it is likely a false alarm. You can scan it using other means (TDS, on-line scanner, etc) just to be certain.

You might also want to pinpoint the location of the LiveUpdate that is running but not apparently doing anything, stop the process and use the "String Extractor" utility from TDS (in the Utilities menu) to look for suspicious strings as well to scan with TDS.

HTH

Dan
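Dan's point is that a string-based heuristic fires on any file carrying the word "virus", including Norton's own help file, so the hit alone is not a verdict. The following is an added example, not a DCS or TDS utility: a minimal strings extractor in the same "offset: text" shape as the SafeText dump quoted above, with the keyword check run over a constructed byte buffer that embeds a few topic names from the nav.chm listing.

```python
import re
from typing import Dict, List, Tuple

# Minimum printable run to report, as a "strings"-style extractor would.
MIN_LEN = 6

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """Return (byte offset, text) for every run of printable ASCII >= min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]

def keyword_hits(strings: List[Tuple[int, str]],
                 keywords: Tuple[str, ...] = ("virus",)) -> List[Tuple[int, str]]:
    """Flag extracted strings containing any keyword, case-insensitive."""
    kws = tuple(k.lower() for k in keywords)
    return [(off, s) for off, s in strings if any(k in s.lower() for k in kws)]

# Constructed sample (not real nav.chm bytes): non-printable padding around
# help-topic names taken from the listing in the thread. All benign.
SAMPLE = (
    b"\x00\x01\x02/#STRINGS\x00\xff"
    b"/NAV_virus_found6.html\x00\x00"
    b"\x7f\x80/NAVW_virus_list.html\x00"
    b"\x03\x04/images/clouds.gif\x00"
)

def analyse(data: bytes = SAMPLE) -> Dict[str, object]:
    """Extract strings, apply the keyword heuristic, and return a summary."""
    found = extract_strings(data)
    hits = keyword_hits(found)
    return {
        "total": len(found),
        "hits": hits,
        # A keyword match is weak evidence: a help file documenting virus
        # alerts trips it just as a worm would, hence "scan further", not "bad".
        "verdict": "needs_further_scan" if hits else "no_keyword_hit",
    }

if __name__ == "__main__":
    for off, text in extract_strings(SAMPLE):
        print(f"{off}: {text}")
    result = analyse()
    print("keyword hits:", result["hits"], "->", result["verdict"])
```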

Jooske
September 4th, 2003, 02:24 AM
The *.com.pif could be for instance clrav.com.pif, the shortcut on the desktop for a cleansing tool, in this case for Sircam if I remember well. So I am not worried at all about such a tool which I know, and it will not run unless I press that shortcut to start the cleaner.
Various of my shortcuts have such double extensions and I know which files they are connected to, so no worries there yet.
I would look deeper if they show up in other places.