
Trojan.Viknok Activity 3 - error popup from Norton 360



#1 k_mc_vn


Posted 26 June 2014 - 12:34 PM

PC:  Dell Inspiron 620

OS:  Windows 7 Home Premium - Service Pack 1

Browser:  Windows Explorer 11

 

On Saturday, June 21, my computer suddenly and inexplicably rebooted itself.  I'm not exactly sure of the sequence of events, but my best guess is that I powered up my machine, a dialog popped up "Do you want to allow the following program to make changes to this computer?" (Program name: A tool to aid in developing services for Windows NT, verified publisher: Microsoft Windows, Program Location: "C:\Windows\System32\sc.exe" start "Garmin Core Update Service").  I clicked "OK" and then connected my machine to the internet.  I'm not sure if I started to play some internet games while the Garmin software updated or after.  But while playing the games, my system rebooted.

 

After the pc rebooted and I reconnected to the internet, I started to receive popup messages from Norton 360 that it had blocked access to my system.  The exact text is as follows:

   Norton blocked an attack by:

   System Infected:

   Trojan.Viknok Activity 3.

 

In the popup, there was a link to "View Details".

 

The attacking sites were listed when I clicked "View Details".  There were several.

 

Here are the actions that I've taken:

   Researched Trojan.Viknok Activity 3.  There wasn't much information.  The Symantec site didn't seem to have much on the Trojan, the security response is as follows:

 

**** BEGINNING OF NORTON SECURITY RESPONSE FOR Trojan.Viknok Activity 3 *****

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description: Trojan.Viknok is a Trojan horse that steals information from the compromised computer.

Additional Information: When the Trojan is executed, it may connect to the following command-and-control server:
[http://]dgfvv.mydad.info/778/bod8[REMOVED]

The Trojan then infects the following file so that it executes whenever Windows starts:
%System%\rpcss.dll

Affected: Windows 2000, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP

**** END OF NORTON SECURITY RESPONSE FOR Trojan.Viknok Activity 3 *****

 

As you can read above, the recommended advice is to take immediate action, but which specific actions should be taken are left unsaid.  And, I just noticed, Windows 7 is not listed.

 

This being the case, I decided I needed to get back to a clean system.  I have a Dell computer and had created a repair disk (flash drive) sometime last year.  I booted the flash drive, selected the option to back up my disk image and selected files (which I did to an external 500 GB drive).  The Dell DataSafe Local Backup software said that it would restore my system and then copy my selected files back to my system.  The interface was a bit confusing and I ended up restoring back to the factory image; none of my files were copied back to the system.  After much angst and more research, I managed to retrieve the files, or so I thought.  The Dell DataSafe Local Backup listed all my files, but did not have those files.  The one file I was most interested in did not get restored--I tried restoring it and it alone to an empty folder, and the backup/restore software restored a different file.  I tried restoring three files from my backup to an empty folder and again got different files.

 

The only thing that I could do was move on, so I started loading software back onto my system.  First, the Norton 360 software.  Next, I started updating Windows 7.  This was a long process and gave me time to think.  It occurred to me that I had backed up an image of my disk before trying to recover my system.  The Norton popups had disappeared, but I needed my mail file and the other file--and I couldn't help but think what other important files I was missing; so I decided that I needed to restore the disk image.  I knew that I would get the Norton popups on Trojan.Viknok Activity 3 after reverting back, but I had to do it.

 

I restored the image, connected to the internet and the Norton popups started happening again as I had predicted, one after the other.

 

I'm not sure who to contact at Norton.  I would think they would want to investigate this further.  I'm pretty sure they've probably already seen this before, but there is no clear avenue to take to contact them.  Their technical support seems to want money before they'll talk to anyone.

 

So I have several questions.  Do I have an infection?  Since my factory restored system did not get "attacked" (as described by the Norton popup), was the software running on my pc triggering the attack?  How do I get it to stop? (Along the line, someone suggested rebooting my modem and router, which I did; but the popups did not stop.)  I also have a laptop (some funny things were happening on it, but I think they have been resolved), but I do not get and have never gotten the Norton popups on it (I'm creating this post on the laptop).  What should I do next?

 

The folks in the Norton Community suggested (not to me, but in a few other posts) to contact the folks at four different sites.  You guys were at the top of the list.  So, can you help?

 

Thanks.


Edited by hamluis, 26 June 2014 - 12:55 PM.



#2 k_mc_vn


Posted 28 June 2014 - 12:10 AM

Got impatient while waiting for a reply and decided to run scans *again*.

 

First ran a full scan by Norton 360.  Nothing was found.

 

Next ran Norton Power Eraser (NPE), including the rootkit scan.  This time, NPE found a problem with rpcss.dll and had a fix for it.  Allowed NPE to apply its fix and the incessant popups from Norton 360 have ceased.

 

I consider this issue closed.
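
The Norton write-up quoted in the first post and the Norton Power Eraser result in the reply both point at rpcss.dll. As an added example (not part of either post, and not Norton's or Microsoft's own tooling), the PowerShell below collects the integrity evidence for that one file: signature status, version resource, SHA-256, and a System File Checker verification. `$knownGoodSha256` is a placeholder the reader fills in from a clean machine at the same Windows build and patch level.

```powershell
# Added example: integrity checks for the file named in the Norton write-up.
# Run from an elevated 64-bit PowerShell prompt; a 32-bit host on 64-bit
# Windows is silently redirected from System32 to SysWOW64.
$target = Join-Path $env:SystemRoot 'System32\rpcss.dll'

# Placeholder (assumption): SHA-256 of rpcss.dll taken from a clean machine
# at the same build and patch level. Leave empty to skip the comparison.
$knownGoodSha256 = ''

function Get-Sha256Hex([string]$Path) {
    # .NET hashing, so this also works where Get-FileHash is unavailable.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
        return ([System.BitConverter]::ToString($bytes) -replace '-', '')
    } finally {
        $stream.Close()
    }
}

$item = Get-Item -LiteralPath $target
$sig  = Get-AuthenticodeSignature -FilePath $target
$hash = Get-Sha256Hex $target

$signer = $null
if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

# HashMismatch means the file no longer matches its signature. NotSigned is
# inconclusive: system files are often catalog-signed, and older PowerShell
# versions may not consult the catalog.
New-Object PSObject -Property @{
    Path            = $item.FullName
    LastWriteTime   = $item.LastWriteTime
    FileVersion     = $item.VersionInfo.FileVersion
    CompanyName     = $item.VersionInfo.CompanyName
    SignatureStatus = $sig.Status
    Signer          = $signer
    Sha256          = $hash
} | Format-List

if ($knownGoodSha256) {
    if ($hash -ieq $knownGoodSha256) { 'Hash matches the known-good copy.' }
    else { 'Hash differs from the known-good copy; treat the file as modified.' }
}

# Ask Windows Resource Protection to verify this one file against the
# component store; read the message it prints.
& (Join-Path $env:SystemRoot 'System32\sfc.exe') "/verifyfile=$target"
```

A clean result here on a machine that still raises the network alerts does not rule out infection, since a rootkit can hide the modified file from the running OS; the rootkit scan in the reply found the problem after a full scan had found nothing.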





