Spyware, Viruses, & Security forum

by sundownr2 / August 9, 2007 2:41 AM PDT

I have acquired a Trojan which CA scans can not locate. This Trojan does whatever it wants after shutting down the CA firewall and Windows firewall. Windows Defender can not see this Trojan either.

I have contacted CA support 8 times over the past week but they answer so irregularly it is hard to deal with CA.

I asked for my money back but no answer there either.

Moral of story... CA security software is useless if it can not detect all Trojans. I am now forced to completely rebuild 2 heavily populated systems because of an undetectable Trojan.

I tend to believe this Trojan is telling CA and me both, "See what I can do anytime I want".

If you know anybody at CA please thank them for me for giving me zero options to deal with Trojans I paid them to protect me from.

15 total posts

Rants are great
by Bob__B / August 9, 2007 9:33 AM PDT

they let off steam.

If you think you have undetected malware on the machine then go to the top of this forum and look at the Welcome thread.

There are more than a few tools that you can use to scan your machine.

It has never occurred to me that my anti-tools (CA or other) would be 100% effective.

I assume they won't.

If I get hit by something that damages the machine beyond repair then I bring out my backups.

You do have backups....right???

If Scanner(s) Don't Find, Maybe a Rootkit......
by tobeach / August 9, 2007 4:23 PM PDT

defining character of rootkit is they (after gaining entrance to your machine) erase ALL traces of their entry path & other normal entries from registry. This is why anti-root kit programs verify system space totals to find them. Nothing in registry but they DO still occupy space.
If more space used on disk than registered total, you have a rootkit.

Try scanning with the following FREE rootkit detectors/removers:

http://www.f-secure.com/blacklight/
http://free.grisoft.com/freeweb.php/doc/8/lng/us/tpl/v5

Worth a try at the right price!! Good Luck!

Thanks for the great input...
by sundownr2 / August 9, 2007 10:55 PM PDT

I guess I am getting too old and cranky. Antivirus companies can not track everything.

The links were excellent resources but unfortunately did not locate this "puppy".

Sooner or later it seems I will have to rebuild.

Thanks for the great input.

You said originally that this
by roddy32 / August 9, 2007 11:14 PM PDT

was a trojan. Try a dedicated trojan scanner such as TrojanHunter. It is not free BUT there is a free trial available which might eliminate this for you.

http://www.misec.net/

No such luck with Trojan scanner
by sundownr2 / August 10, 2007 4:52 AM PDT

roddy

Thanks for the link but nothing seems to work with this Trojan... it is a very clever dude. It even deleted my Windows Firewall icon. I backed up and getting ready for a disk clean.

sundownr

You have not named this
by roddy32 / August 10, 2007 4:59 AM PDT

trojan nor have you really said why you think you have one. If you tell the complete story, maybe someone can help. I'm not sure what you mean by "It even deleted my Windows Firewall icon". Deleted it from where?? If none of these scanners are finding anything, I doubt if you have a malware problem but we need more info if we are going to help you figure out what is wrong.

Deleted firewall icon
by sundownr2 / August 10, 2007 5:14 AM PDT

roddy

I put a Windows Firewall shortcut icon on my desktop to keep close track of my firewall... then it magically disappeared.

This Trojan is a bit insidious in that it does different things... it will wake up my system and transmit to the Internet now and then. It also has screwed with my network settings which were easily fixed.

I shut down all my modem ports except 80 and ICMP and SMTP... this seems to have slowed things down. I use an IMAP mail server.

For all I know my system may be a zombie.

Antivirus and antispyware are not my strong suits.

sundownr

I am not so sure that
by roddy32 / August 10, 2007 5:26 AM PDT
In reply to: Deleted firewall icon

you are infected with anything. You may or may not have a completely different problem. One way to tell for sure would be to go to a HJT expert forum and post a log and see if they see anything in the log as far as an infection. Just explain what the problem is as far as what the computer is doing without blaming CA or a trojan and post the log and let them look at it. This link will tell you HOW and WHERE to post a log. Please post it at ONLY one forum on the list (NOT HERE) and also be patient, they are busy.

http://forums.cnet.com/5208-6132_102-0.html?forumID=32&threadID=255339&messageID=2533167

HJT process
by sundownr2 / August 10, 2007 6:13 AM PDT
In reply to: I am not so sure that

roddy

I will post my results back here in a few days.

Thanks for the info.

sundownr

Those people are good and this
by roddy32 / August 10, 2007 6:52 AM PDT
In reply to: HJT process

way you will know one way or the other whether you have a malware problem or not. Good luck.

Here is more information...
by sundownr2 / August 10, 2007 7:39 AM PDT

roddy

I have tried all of these scanners...

Norton
CA
SpyWare Doctor
F-Secure Black Light
AVG - vremover
Trojan Hunter

I had to delete some to install others.

Why do I think this is a Trojan?

Because it has broken through 2 firewalls (CA and modem) and then turned off Windows Firewall at least 10 times over 3 days. It uses port 80 at will and causes networking problems. On one occasion it even deleted a shortcut to Windows Firewall???

I am willing to bet HJT can not see this Trojan either... but it is certainly worth a try.

If it is not a Trojan then I certainly have some weird problems... then again maybe I have a new breed of spyware conventional scanning can not detect... after all roddy somebody has to be first when a new breed hits the net

I will get back with you.

sundownr

(NT) OK, Good luck and keep us posted.
by roddy32 / August 10, 2007 8:50 AM PDT

sundownr: You Said "broke through 2 firewalls.....
by tobeach / August 10, 2007 4:48 PM PDT

(CA and modem) and then turned off Windows Firewall at least 10 times over 3 days.".
Modem firewall & >1< software firewall (either CA or Windows) but not both. I don't use CA but I believe its program scans for a 2nd software firewall (Windows specifically) and turns it off automatically to prevent several complications from 2 running at once; one of which could cause net connectivity problems. Perhaps that's where the turn off is coming from. That auto feature would normally be a good thing, but if you are over-riding it manually......

In same stream of thought..have you been running ANY other protective programs with operating background guards (such as AV's or anti-spy/trojan programs/ Cyberhawk/Spybot Tea Timer setting control)??
Sometimes multiple background guards can cause conflict. Often background guards are included "only in the pay version".
No expert...just a thought or 2. Good Luck w/ HJT!!! Sandy

Very good analysis...
by sundownrr / August 10, 2007 8:47 PM PDT

Sandy

I believe your analysis is right on now that I think about it.

When I changed to Norton yesterday the Windows Firewall quit shutting down... kind of a dead giveaway if you ask me.

I wanted to ask CA about running CA and Windows firewall together but could never get their support to follow up... I mean to tell you these people are out to lunch all the time.

And yes I have been running other background guards (off and on) which apparently caused problems too.

I guess I am a basket case when it comes to understanding the essentials of spyware protection... but I am learning thanks to the great input available in this forum.

As for my port 80 mystery I am assuming that was CA too because when my Windows Firewall went down my modem would indicate net activity. How much more coincidental can it get?

Thank you for the help.

sundownr

