NIS2009 missed Trojan found by MS Malicious Software Removal Tool - June 2009

Discussion in 'other anti-virus software' started by silverfox99, Jun 11, 2009.

Thread Status:
Not open for further replies.
  1. silverfox99

    silverfox99 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    204
    My laptop (Vista, Office) running NIS2009 (defaults) just updated via Windows Update and on restart the "Microsoft Windows Malicious Software Removal Tool - June 2009" dialog box popped up and message said "Malicious software was detected and removed from your computer - click to view details". I clicked and it said that "Trojan:Win32/Alureon!inf" had been detected and deleted. Should I be worried? Bit concerned that NIS2009 running defaults didn't pick this up. Has dented my confidence in this suite (NIS2009) if MS tool has better detection!
     
  2. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Microsoft's tool has never found anything for me, and if you didn't notice anything strange before this, I wouldn't worry. I wouldn't worry in either case, and, believe it or not, a security application from one company can always find what's not found by another company's. That's how it always works, and there you have the reason why people (here) run a layered approach.

    Besides... if it's gone it's gone, right? :D Might as well be an FP (let's just hope a non-serious one :D), and next time it might be Symantec which saves your butt where M$ wouldn't. :rolleyes:
     
  3. TrojanHunter

    TrojanHunter Registered Member

    Joined:
    Jul 8, 2007
    Posts:
    151
    Location:
    United Kingdom
    This is a personal opinion of mine, BTW, but I've never had a good experience with Norton in the past. I like what they have done with their software to make it lighter; that has been a step forward for them, but Symantec for me is all overblown marketing. If you read their forums I often see 'Use Malwarebytes', which to me is of concern: that Malwarebytes is relied on to remove infections. In Norton's defence, it cannot detect everything, like any other anti-virus.

    Your best bet is to use Norton in conjunction with something like Sandboxie in the future.
     
  4. silverfox99

    silverfox99 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    204
    Thanks, I am beginning to think NIS on its own is not very secure. I have just run Malwarebytes Anti-Malware and it found another Trojan on my laptop!

    gxvxcserv.sys

    Here is the logfile of the removal.

    Malwarebytes' Anti-Malware 1.37
    Database version: 2263
    Windows 6.0.6001 Service Pack 1

    11/06/2009 22:48:40
    mbam-log-2009-06-11 (22-48-34).txt

    Scan type: Quick Scan
    Objects scanned: 69862
    Time elapsed: 2 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 6
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys (Trojan.Agent) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2e9689ff-176a-456f-9283-bd25e81862f4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2e9689ff-176a-456f-9283-bd25e81862f4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{2e9689ff-176a-456f-9283-bd25e81862f4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    What would you guys suggest? Dump NIS 2009 or combine with other apps?
     
  5. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    504
    Does NIS have the latest updates on your machine?
     
  6. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,440
    Location:
    U.S.A.
  7. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,440
    Location:
    U.S.A.
    silverfox99, the infected Registry Data Items that MBAM found are part of the same Win32/Alureon trojan, according to the info in the Analysis tab of the first link I provided.

    I would not be so quick to dismiss NIS, yet I do agree with virtumonde to make sure that it is up-to-date. Do run that online scan ASAP.
     
  8. silverfox99

    silverfox99 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    204
    Thanks, will run a check with the One Care scanner. That looks like a particularly nasty trojan.

    Yes, NIS2009 updates frequently with streaming definitions often every few minutes.
     
  9. colt45allstar

    colt45allstar Registered Member

    Joined:
    Jun 9, 2006
    Posts:
    65
    Norton's really improved a lot over the last few years and its detection rate is actually now one of the best.

    Having said that... as you've found out, there is no such thing as 100 percent detection.

    For that reason, it's always a good idea to have other programs to scan with from time to time.

    I've got the following in addition to my Kaspersky Internet Security 2010 (note you don't necessarily need this many on-demand programs... I'm just paranoid):

    MalwareBytes
    SuperAntiSpyware
    Prevx CSI
    Spybot
    Rogue Remover (this one has been discontinued and will soon be uninstalled from my computer)
     
  10. TrojanHunter

    TrojanHunter Registered Member

    Joined:
    Jul 8, 2007
    Posts:
    151
    Location:
    United Kingdom
    If that was my Norton License I probably wouldn't renew when it expires.
     
  11. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Alureon is a pretty nasty malware family and they are very good at updating in order to avoid detection. The MS generics are very effective on them.
     
  12. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    MS Malicious Software Removal Tool will find most common and well-known malware. If the found malware is not an FP and NIS was updated, throw your NIS in the garbage. This thread is a shame to Symantec and should be a sticky in the hall of shame :p
     
  13. ASM

    ASM Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    164
    Nothing is perfect... even if I had a porn queen as my girlfriend, I would still eye other girls... :mad:
     
  14. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Bashers should stay out of any forum as they too seldom have a great point which weighs up for what they're saying more.
     
  15. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Who's talking about perfect? Neither me nor you; mine is most fundamental and yours is too much...
     
  16. silverfox99

    silverfox99 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    204
    Thanks for the help guys. I'm sure I am now rid of the Trojan after spending a few hours over the weekend running various anti-malware apps on my laptop (Malwarebytes Anti-Malware, SuperAntiSpyware, Prevx etc.) and finishing off by running several online scans (KIS, ESET, One Care etc.). All came up clean.

    Sadly, I only just bought NIS2009, so I still have 300 days or so on the sub and will keep it as I can't afford to ditch it. Any suggestions for an app to complement the possible weaknesses in NIS2009? I assume I can only have one 'active', which will be NIS; the others will be 'on demand'?

    Will have a look at Sandboxie and Malwarebytes... but appreciate any other advice. Laptop is running Vista, fully patched. Was reading about 'Morro' this morning (http://news.bbc.co.uk/1/hi/technology/8095932.stm); might take a look when it's released, as it was an MS tool that found this Trojan in the first place!
     
  17. stratoc

    stratoc Guest

    You have to remember 3rd-party software can't scan everything; most don't tell you this, but a scan with NOD32 v2.7 will tell you the amount of locked files it couldn't scan. The MS scanner scans deeper, which is probably why it found it. I'm not a Norton knocker, I have an active subscription, but the twice I've had it installed it's let me down. A weekly scan with Malwarebytes etc. should help.
     
  18. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    No need to ditch it. It is a good product. Hang around here and learn more about security.
     
  19. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    There are many tools that indeed run in real-time to complement your other security. I place my bet right now that most people will comment "Prevx", which indeed will work with NIS just fine, so if you like it - go for it. Just a price-tag that might be a problem for you... The latest version of ThreatFire is causing serious problems for loads of people, but the "stable" version is still available for download here: http://www.threatfire.com/files/tfinstall41.exe - and it doesn't seem to automatically update to v4.5, so you can keep the updates on, even if there's a cloud. Sandboxes are another alternative if you can handle them.
     
  20. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Prevx does work with NIS.
     
  21. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    With respect to additional applications, I really wouldn't do anything yet.

    The MBAM scan seems to have simply picked up residual leftovers. A handful of registry entries. No files on disk, nothing active.

    I guess the key question is what was the detailed view around the MSRT alert. Was it an alert regarding a legacy file on the drive (left from a prior incomplete removal, but isolated and therefore nonfunctional) or was it dealing with an active infection/process?

    Finally, the OS is Vista. UAC is enabled, right?

    Blue
     
  22. silverfox99

    silverfox99 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    204
    Hi Blue

    Yes and Yes.

    I didn't see a 'detailed view' option with the MS tool, just a pop-up box stating that the tool had removed a threat. Do you know if the tool stores any detailed info elsewhere about what the threat was, where it was found, and what files (if any) were deleted?

    The initial tool run was an autorun on restart after the June MS Updates. I manually downloaded the June 2009 tool again over the weekend and ran it. It found nothing this time.

    There seems to be a new problem with the online MS Scanner tool for Vista as Vista SP2 users now get caught in an install loop when trying to run it.

    Vista Safety Scanner won't Launch
    http://boards.msn.com/safetyboards/thread.aspx?threadid=1146634&boardsparam=Page%3d1
     
  23. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    OK, I was aiming to see if it was active vs. simply an identified (but inactive) file. As for MSRT functionality, I have to plead ignorance. There may be a log somewhere with the desired information. On my own machines, it dutifully updates as indicated, and that's basically the last I ever see of it.

    In general, UAC (or limited user, etc.) provides very decent protection against drive by modifications. What it obviously doesn't protect against is a user purposely installing a piece of software that is malicious or compromised and blithely approving all the required prompts. This is where some level of assurance that an application is valid (as provided by conventional blacklist approaches) is useful.

    Blue
     
  24. silverfox99

    silverfox99 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    204
    Thanks Blue.

    Something else to add to my protection set-up consideration is a wife who doesn't like (or know what to do with) pop-up dialog boxes saying "Something might be up, what do you want to do?"

    I did however give her a crash course in UAC, so she now knows that if UAC pops up in response to her trying to open or run an app or file, she can go ahead and say 'continue' (probably) safely. If it is unexpected, best to say 'no' and see what happens.

    NIS2009 is good in that way, as it is pretty much fire and forget, so whilst I enjoy tweaking settings to the max, I need to keep in mind other users, and not do anything which might increase FPs.
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    First question to be asked is: Are 85.255.112.170 and 85.255.112.235 your ISP's DNS IPs?

    If you have no idea what they should be, I suggest you contact your ISP and ask. Then, if they don't match those, you need to change that.

    Trojan.DNSChanger. As the name says, it will change your ISP's DNS IPs with others.
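
As an added example (not code from anyone in this thread), a Python check that parses the "Registry Data Items Infected" lines of an MBAM log like the one silverfox99 posted, reports any NameServer/DhcpNameServer addresses that are not among the resolvers your ISP actually uses (the question m00nbl00d raises), and lists the entries the scanner logged as "No action taken". The expected resolver addresses are constructed placeholders; the 85.255.112.x addresses are the ones from the posted log.

```python
import re

# Constructed sample: the "Registry Data Items Infected" section of the MBAM 1.37
# log posted earlier in this thread, copied as it appears there.
MBAM_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2e9689ff-176a-456f-9283-bd25e81862f4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
"""

# Placeholder (RFC 5737 documentation range): replace with the resolvers your ISP confirms.
EXPECTED_DNS = {"192.0.2.1", "192.0.2.2"}

# One MBAM data-item line: <key>\<value> (<detection>) -> Data: <data> -> <action>.
ITEM_RE = re.compile(
    r"^(?P<key>HKEY_\S+?)\\(?P<value>[^\\\s]+) \((?P<detection>[^)]+)\)"
    r" -> Data: (?P<data>.*?) -> (?P<action>.+?)\.?$"
)


def parse_data_items(log):
    """Return one dict (key, value, detection, data, action) per data-item line."""
    return [m.groupdict() for line in log.splitlines()
            if (m := ITEM_RE.match(line.strip()))]


def dns_servers(item):
    """Split a NameServer-style value; Windows separates addresses with ',' or ' '."""
    return [ip for ip in re.split(r"[,\s]+", item["data"].strip()) if ip]


def find_unexpected_dns(items, expected):
    """Map each NameServer/DhcpNameServer registry path to addresses not in `expected`."""
    unexpected = {}
    for it in items:
        if it["value"] not in ("NameServer", "DhcpNameServer"):
            continue
        rogue = [ip for ip in dns_servers(it) if ip not in expected]
        if rogue:
            unexpected[it["key"] + "\\" + it["value"]] = rogue
    return unexpected


def not_remediated(items):
    """Paths the scanner logged but left alone (every line in the posted log says so)."""
    return [it["key"] + "\\" + it["value"] for it in items
            if it["action"].startswith("No action taken")]


if __name__ == "__main__":
    found = parse_data_items(MBAM_LOG)
    for path, ips in find_unexpected_dns(found, EXPECTED_DNS).items():
        print(f"unexpected DNS {ips} at {path}")
    print(f"{len(not_remediated(found))} of {len(found)} logged entries were not remediated")
```

A live check on the affected machine would read the same registry paths directly rather than a log; either way, an address that is not one of your ISP's resolvers means the DNS change has to be reverted, not just the detection cleaned.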
     