Suspect Rootkit


2 replies to this topic

#1 NichePlayer

  • Members
  • 2 posts

Posted 13 August 2010 - 03:38 PM

Hello. I'm running win 7 and Norton Anti-virus on a home network with 3 other computers. A couple of days ago, I checked Norton's history and saw MANY "Unauthorized Access Blocked" messages; about 1 per minute. Also very cryptic messages concerning "teredo tunneling pseudo interface". Thinking I had a simple trojan or keylogger, I downloaded and ran MS Security Essentials, SuperAntiSpyware and MalwareBytes. ALL, including Norton, report no problems after doing a full system scan. Yet, the Norton messages continue. Looking through Norton's history I see that the first 'block' message occurred last Sunday morning.

The latest symptom, and the most scary, is that if I attempt to run Thunderbird email client about 10-12 Java sessions start and connect to ?? and start downloading a ton of stuff. I immediately terminated TBird & those sessions using process manager so I don't have details regarding that at this time. I can get a screen cap and post it, though.

I have Win Sys Internals installed. Nothing appears out of the ordinary in Autoruns or PortMon (at least until TBird started. Yikes!)

After reading a few of the tutorials here, I looked for a rootkit scanner that supports Win7 and only found one, Sophos, but, since it is unfamiliar to me, I did not dl or use it.

At this point the infected machine, Linus, is disconnected from the network and I'm using a backup computer to communicate to write this.

Where do I go from here? Any thoughts will be much appreciated.

Thank you for reading.

PS - a little more info may help. It's Win 7 64 bit. I have a full system backup from Tuesday (unfortunately, after the infection, but before the real nasty stuff started) and another from about 6 weeks ago that will be clean. I put Windows & its necessaries on the C: drive and 90+% of the apps, utils, etc. on the D: drive. Data, pics, etc. are on E: through I: with only 2-3 exes on E:. Nothing but data on the rest.

Edited by NichePlayer, 13 August 2010 - 04:00 PM.




#2 Blathnat

  • Members
  • 224 posts
  • Gender:Female
  • Location:Canada

Posted 13 August 2010 - 05:09 PM

The "Unauthorized Access Blocked" message is Norton logging every instance of another program or utility accessing Norton files. It is part of Norton's Tamper Prevention, which hopefully prevents anything from turning Norton off or disabling it. It does not indicate any threat, and does not stop the program or utility from doing what it needs to do, other than digging too deep into Norton.

The Teredo Tunnelling is in place to get ready for the switch from IPV4 to IPV6. It checks to see if you require it, and if you don't, it drops it. The wording is confusing, and it adds a good deal to the space the logs take up, but it is informational only.

The Java is of more importance.

#3 NichePlayer

  • Topic Starter
  • Members
  • 2 posts

Posted 13 August 2010 - 05:32 PM

Thank you for the reply.

Yes, concerning Norton, I've read that in the forums. It does seem beyond coincidence that in 3 years of running Norton, I've never seen it before. And the processes it says are trying to access it are surprising; first system32\conhost.exe then logitech\setpoint.exe and now, MS Security.

Still, I'm willing to accept it as a working rule of thumb.

Agreed about the Java issue. How do Java instances get launched? I'm very ignorant of Java other than to know that over the years it's caused me a bit of grief.
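The practical way to answer "what launched those Java processes, and where are they connecting?" on a Windows 7 box is to walk each java.exe/javaw.exe up its parent-process chain and join its PID against `netstat -ano`. The script below is an added example written for this thread, not code posted by either participant or shipped with Norton, Thunderbird or Sysinternals. It assumes Windows PowerShell (2.0 or later, as shipped with Windows 7) run from an elevated prompt so WMI returns the command line of every process, and it should be run while the suspect Java sessions are still alive (i.e. before killing Thunderbird), ideally with the machine still unplugged from the LAN so the connections show as attempts rather than established sessions.

```powershell
# Added example (not from the original thread): for every running java.exe / javaw.exe,
# show the chain of parents that launched it, its full command line, and the remote
# endpoints it holds in "netstat -ano". Assumes Windows PowerShell 2.0+ on Windows 7,
# run as Administrator so Win32_Process exposes CommandLine for all users' processes.

# Snapshot the process table once. Win32_Process carries ParentProcessId and CommandLine,
# which Get-Process on PowerShell 2.0 does not expose.
$procs = @{}
Get-WmiObject Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

function Get-ParentChain {
    param([int]$ProcessId)
    # Returns e.g. "java.exe(1234) <- thunderbird.exe(1000) <- explorer.exe(800)".
    # A parent PID may already have been reused by a new process; the $seen guard only
    # stops loops, so treat the chain as a hint rather than proof when the parent exited.
    $chain = @()
    $seen  = @{}
    while ($procs.ContainsKey($ProcessId) -and -not $seen.ContainsKey($ProcessId)) {
        $seen[$ProcessId] = $true
        $p = $procs[$ProcessId]
        $chain += ("{0}({1})" -f $p.Name, $p.ProcessId)
        $ProcessId = [int]$p.ParentProcessId
    }
    $chain -join ' <- '
}

function Get-RemoteEndpoints {
    param([int]$ProcessId)
    # Parse "netstat -ano". TCP rows are: Proto Local Foreign State PID;
    # UDP rows have no State column, so the PID is always the last field.
    netstat -ano | ForEach-Object {
        $f = ($_.Trim() -split '\s+')
        if ($f.Count -ge 4 -and $f[0] -match '^(TCP|UDP)$' -and [int]$f[-1] -eq $ProcessId) {
            $state = if ($f[0] -eq 'TCP') { $f[3] } else { '' }
            "{0} {1} -> {2} {3}" -f $f[0], $f[1], $f[2], $state
        }
    }
}

$java = $procs.Values | Where-Object { $_.Name -match '^javaw?\.exe$' }
if (-not $java) {
    Write-Host "No java.exe / javaw.exe is running right now; start Thunderbird, then re-run."
    return
}

foreach ($j in $java) {
    Write-Host ("`n" + (Get-ParentChain $j.ProcessId))
    Write-Host ("  cmd: " + $j.CommandLine)   # the JAR, class or -D flags being run
    Get-RemoteEndpoints $j.ProcessId | ForEach-Object { Write-Host ("  net: " + $_) }
}
```

Read the output in two places: the parent chain tells you whether Thunderbird itself (or a plugin it hosts, or something else entirely that merely fires when Thunderbird starts) is the launcher, and the command line tells you which JAR or class is running and from which directory, which is the thing to feed into a scan or upload for analysis. One caveat that matters for a rootkit suspicion: this enumerates processes through WMI, so a kernel-mode rootkit that hides processes from the running system hides them from this script too; if the list looks clean but the symptoms continue, compare it against an offline scan from boot media or the clean six-week-old backup.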



