Norton Systemworks 2003

Discussion in 'malware problems & news' started by hardy, Nov 9, 2002.

Thread Status:
Not open for further replies.
  1. hardy

    hardy Registered Member

    Joined:
    Nov 8, 2002
    Posts:
    6
    Installed Norton Systemworks 2003 with NIS on Nov 2, fully updated it on Nov 4, when it detected "Netspy Trojan Horse" with no recommendation or observed action by Norton.

    Have a history of problems on this machine for 4 months. Original OS Win98, Nov 2001; performance degraded over a period of months, frequent crashes, "bad image" dialog boxes, IE corrupted, finally died.

    Upgraded to XP Professional Mar 2002. Discovered 2 months after installing XP that the firewall was switched OFF. I was later informed the firewall is operational upon installation without requiring to be manually turned on. Is this true?

    The same installer reinstalled XP with SP1, Oct 2002, informing me there were now no viruses/trojans after making changes to the registry and turning the firewall on.

    Thinking things were not as they should be, had a new XP installed by a new installer Nov 2. He generated a new key and ran SP1. Machine crashed the next day, wiping out large volumes of Windows system files. He fixed the problem, then loaded NIS, which then detected Netspy.

    Currently, Norton terminates and is disabled about once a day, enabling only on reboot.

    Began researching/learning about security and downloaded Trojanhunter which reports no Trojans, now looking at TDS.

    I’d very much appreciate any comments. Thank you.
     
  2. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Look for a registry value (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) containing the name of this Trojan!

    Try to scan with Norton in DOS Mode!


    Technodrome
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Do you have more details on the NIS alert, log entry?

    CrazyM
     
  4. hardy

    hardy Registered Member

    Joined:
    Nov 8, 2002
    Posts:
    6
    CrazyM

    First, would the firewall be turned on by default on initial installation of XP?

    NIS .. Log Viewer .. Alert .. reads as follows:

    Details: Rule "Default Block Netspy Trojan horse" stealthed (localhost,1024)
    Inbound TCP connection
    Local address,service is (0.0.0.0,1024)
    Remote address,service is (localhost,3012)
    Process name is "C:\WINDOWS\Explorer.EXE" .. dated Nov 6

    The installer who loaded the second copy of XP on Nov 2 was sitting at the computer with me at the time; we both saw the NIS Alert (Nov 6) from the updated NIS and IMMEDIATELY deleted all the log entries under NIS/Log Viewer/Connections. Odd behavior. I stopped him deleting more entries. When I queried his actions he said I didn't need all that rubbish.

    Technodrome said:
    "Look for a registry value (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) containing the name of this Trojan!"

    Looked and all seems normal. Thx.

    .. Missed one point close to the end of the first XP installation: a dialog box headed "sysman.exe" ... "bad image" or "sysmanp.exe" popped up on every startup.

    Currently on startup getting a "tintsetp.exe ... bad image" box.

    Cheers
     
  5. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    The XP firewall or NIS? NIS will be set to start automatically by default at install. As for the XP firewall I am not certain as I have never run XP.

    That firewall event log entry was generated by one of NIS' default trojan block rules. It does not mean you are infected in any way, just that it has blocked an inbound connection attempt on a port that is also associated with the Netspy Trojan (in this case local service/port 1024).

    From the details in the log entry you will note the remote address is "localhost", your own computer.

    Also note that from the first line it used the term "stealthed" instead of blocked. When you see the term stealthed being used instead of blocked, this indicates something (an application/service) is listening on the port being blocked by the firewall.

    If this is occurring at system start up, it is likely just NIS blocking your computer talking to itself very early in the process (in this case whichever app/service ended up listening on local service/port 1024).

    While this particular firewall event log entry is nothing to be worried about, if he knew anything about NIS at all, he could have taken the time to explain what you were seeing.

    Hope this helps explain what you are seeing from the NIS side of things and that you are not infected with Netspy.

    Regards
    CrazyM
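The reading CrazyM gives of that Log Viewer entry (a "stealthed" verdict means a local listener exists on the port, a "localhost" remote address means the machine is talking to itself, and a trojan-named rule fires on the port number rather than on a detected infection) can be turned into a small triage script. The example below is added here and is not code from the thread, from Symantec, or from NIS; it assumes the five-line entry layout exactly as hardy quoted it. The first sample is that quoted entry; the second sample is constructed for contrast (a "blocked" verdict with no listener, from the documentation address 203.0.113.5), and the `triage` rules are my own summary of CrazyM's explanation.

```python
import re
from dataclasses import dataclass

# Constructed sample: the entry hardy quoted from NIS Log Viewer, minus the "dated Nov 6" note.
LOOPBACK_ENTRY = """\
Details: Rule "Default Block Netspy Trojan horse" stealthed (localhost,1024)
Inbound TCP connection
Local address,service is (0.0.0.0,1024)
Remote address,service is (localhost,3012)
Process name is "C:\\WINDOWS\\Explorer.EXE"
"""

# Constructed sample (not from the thread): the same rule, but the attempt arrives from a
# remote host (203.0.113.5 is a documentation address) and no local listener exists, so
# NIS would report "blocked" rather than "stealthed".
EXTERNAL_ENTRY = """\
Details: Rule "Default Block Netspy Trojan horse" blocked (203.0.113.5,1024)
Inbound TCP connection
Local address,service is (0.0.0.0,1024)
Remote address,service is (203.0.113.5,4410)
Process name is "N/A"
"""

# Names NIS may use for "this computer" in the remote address field.
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


@dataclass
class NisEvent:
    rule: str
    action: str          # "stealthed" or "blocked"
    direction: str       # "Inbound" or "Outbound"
    protocol: str        # "TCP" or "UDP"
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    process: str


# One regex per line of the five-line layout quoted in the thread.
_DETAILS = re.compile(r'Details: Rule "(?P<rule>[^"]+)" (?P<action>stealthed|blocked) '
                      r'\((?P<addr>[^,]+),(?P<port>\d+)\)')
_CONN = re.compile(r'(?P<direction>Inbound|Outbound) (?P<protocol>TCP|UDP) connection')
_LOCAL = re.compile(r'Local address,service is \((?P<addr>[^,]+),(?P<port>\d+)\)')
_REMOTE = re.compile(r'Remote address,service is \((?P<addr>[^,]+),(?P<port>\d+)\)')
_PROC = re.compile(r'Process name is "(?P<proc>[^"]*)"')


def parse_nis_entry(text: str) -> NisEvent:
    """Parse one NIS Log Viewer entry; raise ValueError if any of the five lines is missing."""
    def need(pattern, label):
        m = pattern.search(text)
        if not m:
            raise ValueError(f"entry is missing the {label} line")
        return m

    d = need(_DETAILS, "Details")
    c = need(_CONN, "connection")
    loc = need(_LOCAL, "local address")
    rem = need(_REMOTE, "remote address")
    p = need(_PROC, "process name")
    return NisEvent(
        rule=d["rule"], action=d["action"],
        direction=c["direction"], protocol=c["protocol"],
        local_addr=loc["addr"], local_port=int(loc["port"]),
        remote_addr=rem["addr"], remote_port=int(rem["port"]),
        process=p["proc"],
    )


def triage(ev: NisEvent) -> dict:
    """Classify the event the way CrazyM does in the thread (assumed rules, not NIS's own)."""
    listener_present = ev.action == "stealthed"        # stealthed => something is listening
    loopback = ev.remote_addr.lower() in LOOPBACK_NAMES  # remote "localhost" => self-traffic
    notes = []
    if listener_present:
        notes.append(f"something on this host is listening on {ev.protocol} port {ev.local_port}")
    else:
        notes.append(f"no listener on {ev.protocol} port {ev.local_port}; the attempt was simply dropped")
    if loopback:
        notes.append(f"remote address {ev.remote_addr} is this computer itself (loopback traffic)")
    else:
        notes.append(f"connection attempt came from remote host {ev.remote_addr}")
    if "trojan" in ev.rule.lower():
        notes.append("rule fired on the port number, not on a detected infection")
    # Worth a closer look only when a listener exists AND the source is not the machine itself.
    needs_followup = listener_present and not loopback
    return {"loopback": loopback, "listener_present": listener_present,
            "needs_followup": needs_followup, "notes": notes}


if __name__ == "__main__":
    for raw in (LOOPBACK_ENTRY, EXTERNAL_ENTRY):
        ev = parse_nis_entry(raw)
        result = triage(ev)
        print(f'{ev.rule!r} via {ev.process}: follow up = {result["needs_followup"]}')
        for note in result["notes"]:
            print("  -", note)
```

Run as-is, the quoted entry comes out as loopback traffic with a listener on port 1024 and no follow-up needed, which matches CrazyM's conclusion; the combination that would actually merit a look (listener present and a non-loopback source) is the only one `triage` flags.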
     
  6. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    CrazyM,

    I think I saw this posted somewhere else recently (but don't remember where). It looks to me like there's a rule missing (or messed up) because we don't see this on the Win XP box here.

    Unfortunately, it's difficult to tell whether it's a missing System-Wide rule or a missing Explorer-specific rule. Now, if he's running NIS 4.0, we could probably tell which one is missing or messed up, but on NIS 6.0 (which I'll bet is what he's got), it's not going to be fun.

    How 'bout we start with the loopback rules? That's a likely culprit. A lot of people seem to lose that one and don't realize that Explorer (like MSIE) often needs it so that it can talk to itself.
     
  7. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
  8. controler

    controler Guest

    I would also be suspicious of the copy of XP.
    Did he install over old or did he/she reformat?
    No, Win XP is not enabled by default.
    Maybe there is a conflict between the new NIS and Win XP's firewall.
    Can be many things.

    unfounded possible insulting remarks deleted - Forum Admin
     
  9. hardy

    hardy Registered Member

    Joined:
    Nov 8, 2002
    Posts:
    6
    Running NIS 6.0.1.10 ... TH reports the following:

    While scanning C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe: File %systemroot%\system32\dumprep 0 -k not found

    Installer installed over an old copy, no reformat.

    Now the NIS icon at the side of the screen has disappeared
    but the icon in the sys tray still shows ‘enabled’.
    XP’s Firewall has been on for the last week, just turned it off.
     
  10. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Was NIS installed after this reinstallation of the OS? Or there from the first install? If the latter, you may want to consider uninstalling and doing a clean install of NIS/System Works.

    The icon on the side, Alert Tracker, can be enabled/disabled under options.

    In regards to the firewall event discussed, could you clarify a couple of points for me: Did you only see this particular event at system start up? Is NIS set to start automatically at system start up?

    Also check your IM at the top of the forum page...
     
  11. hardy

    hardy Registered Member

    Joined:
    Nov 8, 2002
    Posts:
    6
    >Was NIS installed after this reinstallation of the OS?
    ..Yes, Norton was installed last week after the installation of XP, which overwrote an existing copy of XP. The installer generated a new key, installed SP1, then Norton Systemworks 2003.

    >Or there from the first install?
    ..No

    >The icon on the side, Alert Tracker, can be enabled/disabled under options.
    ..I understand the Alert Tracker can be enabled/disabled ... thing is, it does this without input from me.

    >In regards to the firewall event discussed, could you clarify a couple of points for me: Did you only see this particular event at system start up?
    ..The Alert occurred whilst running, not at startup, soon after updating from Symantec. Saw it only once.

    >Is NIS set to start automatically at system start up?
    ..Yes.


    Cheers
     