Heuristic virus detected by Norton 360

5 replies to this topic

#1 arc14716

arc14716

  • Members
  • 76 posts
  • OFFLINE
  • Local time:09:50 AM

Posted 03 February 2014 - 07:03 PM

I just finished a full system scan with Norton 360 on my PC. The scan picked up a heuristic virus. It has been quarantined and the issue resolved. However, I want to make absolutely sure that I've resolved the issue.

I've run TDSSKiller and no threats were detected. I've yet to run Malwarebytes Anti-Malware Scanner due to time constraints and will do so once I've returned. Is there anything else beyond that I need to do?

Thanks for your time.


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,903 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:50 PM

Posted 03 February 2014 - 08:50 PM

Try doing an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
Vista/Windows 7/8 users need to run Internet Explorer/Firefox as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green esetOnline.png button.
  • Read the End User License Agreement and check the box:
  • Check esetAcceptTerms.png.
  • Click the esetStart.png button.
  • Accept any security warnings from your browser and allow the download/installation of any required files.
  • Under scan settings, check esetScanArchives.png and check Remove found threats.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • The scan can take some time to complete...close all programs and do NOT use the computer while the scan is running.
    If given the option (when threats are found), choose "Quarantine" instead of delete.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop as ESETScan.txt.
  • Push the esetBack.png button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.
  • Note: If you recognize any of the detections as legitimate programs, it's possible they are "false positives" and you can ignore them or get a second opinion if you're not sure. Eset's detection rate is high and can include legitimate files which it considers suspicious, a Risk Tool, Hacking Tool, Potentially Unwanted Program, a possible threat or even Malware (virus/trojan) when that is not always the case. Be careful what you choose to remove. If in doubt, ask before taking action.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donation button].

#3 arc14716

arc14716
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  • Local time:09:50 AM

Posted 04 February 2014 - 12:20 PM

ESETscan.txt log results:

C:\Documents and Settings\Stanley K. Emmsley\Desktop\My files\Shockwave_Installer_Slim.exe Win32/Bundled.Toolbar.Google.D application cleaned by deleting - quarantined
C:\Documents and Settings\Stanley K. Emmsley\My Documents\Downloads\Shockwave_Installer_Slim.exe Win32/Bundled.Toolbar.Google.D application cleaned by deleting - quarantined

Are these threats cause for concern?

And what is a heuristic virus anyway?



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,903 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:50 PM

Posted 04 February 2014 - 01:03 PM

Major software vendors like Adobe, Java and others have been bundling third-party software (toolbars, add-ons) in their download packages which allows users to perform a system checkup of their computers. Toolbars and add-ons install themselves in various areas of your operating system to include your browser and Windows Registry. Since some of their components (Adware) and behavior (browser hijacking) are determined to be harmful, anti-virus and anti-malware tools may detect and remove them as Potentially Unwanted Programs (PUPs). This type of detection does not always necessarily mean the file is malicious or a bad program.

To learn more about PUPs and how you get them, please read: About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs)

That's why it is important to read the EULA and everything very carefully when downloading software. You should be able to uncheck the box to include McAfee or Norton and any free toolbars that are offered during installation or updates unless you want them. Unfortunately some users have reported doing this and the bundled software is still being downloaded.


Many anti-virus and other security scanning programs utilize optional heuristic scanning engine features to detect brand new viruses and other types of malware, based on behaviors and coding patterns that infections commonly use.

Heuristic analysis is the ability of an anti-virus program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop it before doing any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, searching line by line inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus.

* Eset: Heuristic Analysis - Detecting Unknown Viruses
* Kaspersky: What is heuristic analysis

The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as malicious. With heuristics, there is always a potential risk for a "false positive" when the heuristic analysis flags a file as suspicious or infected that contains no malware. Packed files use a specially compressed (protected) file that may have been obfuscated or encrypted in order to conceal itself and often trigger alerts by anti-virus software using heuristic detection because they are resistant to scanning (difficult to read). Sometimes lowering the program's heuristic settings and rescanning may provide more accurate results but then that increases the possibility for new malware to infect your system.

Submitting file samples to the vendor for further analysis allows the lab techs to quickly investigate and confirm if the detection is actually malware. Some security programs have built-in options for submitting a file directly from the quarantined area to the vendor's lab for analysis. Most user guides will explain how to do that. Other anti-virus solutions automatically submit files or provide an alert to do so if you have checked the option to "Submit for analysis" in the program's settings. If those options are unavailable, you can also look for documentation on the vendor's web site on how to submit file samples.
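To make the threshold idea and the packed-file false-positive trade-off from the post above concrete, here is an added toy heuristic scorer. It is example code written for this thread, not from the post, Norton or ESET; the indicator names, weights, sensitivity thresholds and both sample "files" are constructed for the demonstration and resemble no real engine's settings.

```python
import math
import random

# Constructed indicators: (name, weight, predicate over the raw file bytes).
INDICATORS = [
    ("high_entropy", 2, lambda d: shannon_entropy(d) > 7.0),   # looks packed/encrypted
    ("autorun_key", 2, lambda d: b"CurrentVersion\\Run" in d),  # persistence registry string
    ("url_download", 1, lambda d: b"URLDownloadToFile" in d),   # downloader API name
    ("few_printable", 1, lambda d: printable_ratio(d) < 0.3),   # little readable text
]
# Lower threshold = more sensitive heuristics = more false positives; higher = more misses.
THRESHOLDS = {"low": 5, "normal": 4, "aggressive": 2}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain code/text is roughly 4-6, compressed or encrypted data nears 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; packed bodies have almost none."""
    return sum(32 <= b < 127 for b in data) / max(len(data), 1)

def heuristic_scan(data: bytes, level: str = "normal"):
    """Return (score, matched indicator names, flagged?) for one sensitivity level."""
    hits = [name for name, _, pred in INDICATORS if pred(data)]
    score = sum(w for name, w, _ in INDICATORS if name in hits)
    return score, hits, score >= THRESHOLDS[level]

def verdicts(data: bytes) -> dict:
    """Flagged or not at every level, to show the sensitivity trade-off the post describes."""
    return {level: heuristic_scan(data, level)[2] for level in THRESHOLDS}

# Constructed samples. The "packed" benign tool is an MZ header plus a fixed-seed random
# body standing in for a compressed/encrypted section (no real program). The second is
# unpacked but carries a persistence registry string and a downloader API name.
_rng = random.Random(2014)
BENIGN_PACKED_TOOL = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(4096))
SUSPICIOUS_PLAIN = (b"MZ" + b"\x00" * 64
                    + b"URLDownloadToFile Software\\Microsoft\\Windows\\CurrentVersion\\Run "
                    + b"\x90" * 200)

if __name__ == "__main__":
    for label, sample in [("benign packed tool", BENIGN_PACKED_TOOL), ("suspicious file", SUSPICIOUS_PLAIN)]:
        score, hits, _ = heuristic_scan(sample)
        print(f"{label}: score={score} hits={hits} flagged_by_level={verdicts(sample)}")
```

At the "aggressive" level the packed but harmless sample is flagged on entropy alone (the false positive the post warns about), while at the "low" level the file with persistence and downloader strings slips through (the missed detection that lowering heuristics risks).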

#5 arc14716

arc14716
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  • Local time:09:50 AM

Posted 04 February 2014 - 05:34 PM

I'm looking over the recent security history from yesterday's Norton 360 scan. It looks like the questionable file was quarantined and a sample may have been submitted to Norton for analysis. The file is labeled "mintoolbox.exe" and was located in a folder on my desktop for antivirus/antimalware tools. It may've been one of the detection tools I downloaded from this site several months ago.

Anyway, my PC is working fine.  Is there anything more that I should do?



#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,903 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:50 PM

Posted 04 February 2014 - 06:37 PM

If you read all the links I provided you should be good to go.

BTW, MiniToolBox (MiniToolBox.exe) is one of several specialized utilities/tools created by farbar, a Security Developer who assists the BC Malware Response Team (MRT). Our 1st Responders and MRT here at BC often recommend members download, run the tool and post its log output while assisting them with various issues.

False detections by anti-virus programs for specialized fix tools are not uncommon.

Certain embedded files that are part of legitimate programs or specialized fix tools may at times be detected by some anti-virus and anti-malware scanners as suspicious, a Risk Tool, Hacking Tool, Potentially Unwanted Program, a possible threat or even Malware (virus/trojan) when that is not the case. This occurs for a variety of reasons to include the tool's compiler, the files it uses, whether files are compressed or packed, what behavior (routines, scripts, etc) it performs, any registry strings it may contain and the type of security engine that was used during the scan. Other legitimate files may be obfuscated, encrypted or password protected in order to conceal themselves, so they do not allow access for scanning but often trigger alerts by anti-virus software.

When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. Compressed and packed files in particular are often flagged as suspicious by security software because they have difficulty reading what is inside them. These detections do not necessarily mean the file is malicious or a bad program. It means it has the potential for being misused by others or that it was simply detected as suspicious or a threat due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "false positive" and can be ignored.

Most of the well known specialized tools we use as malware fighters are written by known experts at various security forums like Bleeping Computer, TechSupport, GeeksToGo, SpywareInfo and others so they can be trusted. Unfortunately, many of these tools are repeatedly falsely detected by various anti-virus programs from time to time.

The problem is really with the anti-virus vendors who keep targeting these embedded files and NOT with the tools themselves. We can inform the developers but they have encountered this issue many times before and in most cases there isn't much they can do about it. Once the detection is reported to the anti-virus vendor, they are usually quick to fix it by releasing an updated definition database.
