#1
My laptop (Vista, Office) running NIS2009 (defaults) just updated via Windows Update and on restart the "Microsoft Windows Malicious Software Removal Tool - June 2009" dialog box popped up and the message said "Malicious software was detected and removed from your computer - click to view details". I clicked and it said that "Trojan:Win32/Alureon!inf" had been detected and deleted. Should I be worried? Bit concerned that NIS2009 running defaults didn't pick this up. Has dented my confidence in this suite (NIS2009) if the MS tool has better detection!
#2
|
||||
|
||||
|
Quote:
Microsoft's tool has never found anything for me, and if you didn't notice anything strange before this, I wouldn't worry. I wouldn't worry in either case, and, believe it or not, a security application from one company can always find what's not found by another company. That's how it always works and there you have the reason why people (here) run a layered approach. Besides... if it's gone it's gone, right? Might as well be an FP (let's just hope a non-serious one), and next time it might be Symantec which saves your butt where M$ wouldn't.
#3
This is a personal opinion of mine, BTW, that I've never had a good experience of Norton in the past. I like what they have done with their software to make it lighter; that has been a step forward for them, but Symantec for me is all overblown marketing. If you read their forums I often see 'Use Malwarebytes', which to me is of concern, that Malwarebytes is relied on to remove infections. In Norton's defence, it cannot detect everything, like any other anti-virus.
Your best bet is to use Norton in conjunction with something like Sandboxie in the future.
#4
Thanks, I am beginning to think NIS on its own is not very secure. I have just run Malwarebytes Anti-Malware and it found another Trojan on my laptop!

gxvxcserv.sys

Here is the logfile of the removal.

Malwarebytes' Anti-Malware 1.37
Database version: 2263
Windows 6.0.6001 Service Pack 1

11/06/2009 22:48:40
mbam-log-2009-06-11 (22-48-34).txt

Scan type: Quick Scan
Objects scanned: 69862
Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2e9689ff-176a-456f-9283-bd25e81862f4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2e9689ff-176a-456f-9283-bd25e81862f4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{2e9689ff-176a-456f-9283-bd25e81862f4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

What would you guys suggest? Dump NIS 2009 or combine with other apps?
#5
Does NIS have the latest updates on your machine?
#6
silverfox99, this is what Microsoft says about the Win32/Alureon trojan. For further peace of mind, I would run an online scan via their Windows Live OneCare safety scanner.
#7
silverfox99, the infected Registry Data Items that MBAM found are part of the same Win32/Alureon trojan, according to the info in the Analysis tab of the first link I provided.
I would not be so quick to dismiss NIS, yet I do agree with virtumonde to make sure that it is up-to-date. Do run that online scan ASAP.
#8
Thanks, will run a check with the One Care scanner. That looks like a particularly nasty trojan.
Yes, NIS2009 updates frequently with streaming definitions, often every few minutes.
#9
Norton's really improved a lot over the last few years and its detection rate is actually now one of the best.
Having said that... as you've found out there is no such thing as 100 percent detection. For that reason, it's always a good idea to have other programs to scan with from time to time. I've got the following in addition to my Kaspersky Internet Security 2010 (note you don't necessarily need this many on-demand programs.. I'm just paranoid):
MalwareBytes
SuperAntiSpyware
Prevx CSI
Spybot
Rogue Remover (this one has been discontinued and will soon be uninstalled from my computer)
#10
If that was my Norton License I probably wouldn't renew when it expires.
#11
Alureon is a pretty nasty malware family and they are very good at updating in order to avoid detection. The MS generics are very effective on them.
__________________
Chuck Norris does not use any antivirus software. He knows the hashes of all clean software on earth. Even those that are not compiled yet. It is not known if he got that list from dividing by zero or counting to infinity.
#12
The MS Malicious Software Removal Tool will find the most common and well-known malware. If the found malware is not an FP and NIS was updated, throw your NIS in the garbage. This thread is a shame to Symantec and should be a sticky in the hall of shame.
__________________
My defense on WIN 7 64 bits: F-Secure Client Security 9.01, Sandboxie 3.46, AI RoboForm Pro v.6.10.0 Sorry for bad English Thanks
#13
Nothing is Perfect... even if I have a Porn Queen as my girlfriend, I will still eye other girls...
__________________
I am testing on Beta Security Suite, anyone receiving my email, kindly handle with extra care. I am in with KIS now.
#14
Quote:
Bashers should stay out of any forum as they too seldom have a great point which weighs up for what they're saying more.
#15
Quote:
__________________
My defense on WIN 7 64 bits: F-Secure Client Security 9.01, Sandboxie 3.46, AI RoboForm Pro v.6.10.0 Sorry for bad English Thanks
#16
Thanks for the help guys. I'm sure I'm now rid of the Trojan after spending a few hours over the weekend running various anti-malware apps on my laptop (Malwarebytes Anti-Malware, SuperAntiSpyware, Prevx etc) and finishing off by running several online scans (KIS, ESET, One Care etc). All came up clean.
Sadly, I only just bought NIS2009 so still have 300 days or so on the sub, so will keep it as I can't afford to ditch it. Any suggestions for an app to complement the possible weaknesses in NIS2009? I assume I can only have one 'active', which will be NIS, and the others will be 'on demand'? Will have a look at Sandboxie and MalwareBytes.......but appreciate any other advice. Laptop is running Vista fully patched. Was reading about 'Morro' this morning http://news.bbc.co.uk/1/hi/technology/8095932.stm , might take a look when it's released as it was an MS tool that found this Trojan in the first place!
#17
You have to remember 3rd party software can't scan everything. Most don't tell you this, but a scan with NOD32 v2.7 will tell you the amount of locked files it couldn't scan. The MS scanner scans deeper, which is probably why it found it. I'm not a Norton knocker, I have an active subscription, but the twice I've had it installed it's let me down. A weekly scan with Malwarebytes etc should help.
#18
Quote:
__________________
Windows 7 Professional
Avira - Secunia PSI - Hostsman Firefox - No Script - LastPass
#19
Quote:
There are many tools that indeed run in real-time to complement your other security. I place my bet right now that most people will comment "Prevx", which indeed will work with NIS just fine, so if you like it - go for it. Just a price-tag that might be a problem for you... The latest version of ThreatFire is causing serious problems for loads of people, but the "stable" version is still available for download here: http://www.threatfire.com/files/tfinstall41.exe - and it doesn't seem to automatically update to v4.5, so you can keep the updates on, even if there's a cloud. Sandboxes are another alternative if you can handle them.
#20
Prevx does work with NIS.
__________________
Webroot SecureAnywhere
#21
Quote:
The MBAM scan seems to have simply picked up residual leftovers. A handful of registry entries. No files on disk, nothing active. I guess the key question is what was the detailed view around the MSRT alert. Was it an alert regarding a legacy file on the drive (left from a prior incomplete removal, but isolated and therefore nonfunctional) or was it dealing with an active infection/process? Finally, the OS is Vista. UAC is enabled, right? Blue
#22
Hi Blue
Quote:
Yes and Yes. I didn't see a 'detailed view' option with the MS tool, just a pop-up box stating that the tool had removed a threat. Do you know if the tool stores any detailed info elsewhere about what the threat was, where it was found, and what files (if any) were deleted? The initial tool run was an autorun on restart after the June MS Updates. I manually downloaded the June 2009 tool again over the weekend and ran it. It found nothing this time. There seems to be a new problem with the online MS Scanner tool for Vista as Vista SP2 users now get caught in an install loop when trying to run it. Vista Safety Scanner won't Launch http://boards.msn.com/safetyboards/t...param=Page%3d1
#23
Quote:
In general, UAC (or limited user, etc.) provides very decent protection against drive-by modifications. What it obviously doesn't protect against is a user purposely installing a piece of software that is malicious or compromised and blithely approving all the required prompts. This is where some level of assurance that an application is valid (as provided by conventional blacklist approaches) is useful. Blue
#24
Thanks Blue.
Something else to add to my protection set-up consideration is a wife who doesn't like (or know what to do with) pop-up dialog boxes saying "Something might be up, what do you want to do?" I did however give her a crash course in UAC so she now knows if UAC pops up in response to her trying to open or run an app or file, she can go ahead and say 'continue' (probably) safely. If it is unexpected, best to say 'no' and see what happens. NIS2009 is good in that way as it is pretty much fire and forget, so whilst I enjoy tweaking settings to the max, I need to keep in mind other users, and doing anything which might increase FPs.
#25
Quote:
First question to be asked is: Are 85.255.112.170 and 85.255.112.235 your ISP's DNS IPs? If you have no idea what they should be, I suggest you contact your ISP and ask. Then, if they don't match those, you need to change that. Trojan.DNSChanger: as the name says, it replaces your ISP's DNS IPs with others.
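As an added example (not code from this thread, from Malwarebytes or from any poster), here is a small Python parser for the "Registry Data Items Infected" lines of the MBAM log quoted in post #4, which then carries out the check post #25 asks for: are the NameServer and DhcpNameServer values pointing at resolvers you expect? The sample log below is constructed from the quoted log, and ISP_RESOLVERS is a placeholder for your ISP's real resolver addresses, which the thread never states.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
# Constructed sample, modelled on the MBAM log quoted in post #4 (raw string keeps the backslashes).
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2e9689ff-176a-456f-9283-bd25e81862f4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
"""
# One "Registry Data Items Infected" line: <key> (<detection>) -> Data: <data> -> <action>.
ITEM_RE = re.compile(r"^(HKEY_\S+) \(([^)]+)\) -> Data: (\S+) -> (.+?)\.?$")

@dataclass
class RegistryDataItem:
    key: str        # full registry path; the value name is its last component
    detection: str  # MBAM detection name, e.g. Trojan.DNSChanger
    data: list      # the value's data, split on commas
    action: str     # what MBAM did ("No action taken" in the quoted log)

    @property
    def value_name(self):
        return self.key.rsplit("\\", 1)[-1]

def parse_mbam_data_items(text):
    """Return the registry data items found in MBAM log text; other lines are ignored."""
    items = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            key, detection, data, action = m.groups()
            items.append(RegistryDataItem(key, detection, data.split(","), action))
    return items

def unexpected_resolvers(items, expected):
    """Map each NameServer/DhcpNameServer key to the resolver IPs that are not in `expected`,
    the set of resolvers your ISP should hand out (the check post #25 asks for); {} if all match."""
    findings = {}
    for item in items:
        if item.value_name not in ("NameServer", "DhcpNameServer"):
            continue
        bad = [ip for ip in item.data if ip and str(ip_address(ip)) not in expected]
        if bad:
            findings[item.key] = bad
    return findings

if __name__ == "__main__":
    ISP_RESOLVERS = {"192.0.2.53"}  # placeholder: the thread never says what the real ones are
    for key, ips in unexpected_resolvers(parse_mbam_data_items(SAMPLE_LOG), ISP_RESOLVERS).items():
        print(f"{key}: unexpected resolvers {ips}")
```

Pass the whole mbam-log-*.txt to parse_mbam_data_items and the resolvers your ISP confirms to unexpected_resolvers; an empty result means every configured resolver is one you expect.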