Re: [H] Symantec AV went NUTS ?

2008-02-11 Thread Mesdaq, Ali
You could check at the IP level on a box that's not the compromised
machine. Just launch a sniffer and make sure you're on a network that can
see the traffic and see where the actual download is going to. Then
compare that to where it should be going to. I bet a rootkit is
redirecting your downloads and just serving malware from that new
location. I would be interested in knowing that if it were true.

Thanks,
--
Ali Mesdaq (CISSP, GIAC-GREM)
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
--

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of FORC5
Sent: Monday, February 11, 2008 2:28 PM
To: hardware@hardwaregroup.com
Subject: Re: [H] Symantec AV went NUTS ?

good idea, nothing in hosts except
127.0.0.1 localhost

all others show nothing suspicious.
think I will do a rootkit scan for grins.
fp

At 11:07 AM 2/11/2008, Mesdaq, Ali Poked the stick with:

>Check your host file c:\windows\drivers\etc\hosts or check which IP
>you're connecting to for downloads. You might have had a trojan mess with
>your dns settings. This could happen in the host file or at a lower
>level which will be harder to detect.
>
>Thanks,

--
Tallyho ! ]:8)
Taglines below !
--
Take the bull by the hand, and don't mix metaphors.






Re: [H] Symantec AV went NUTS ?

2008-02-11 Thread FORC5
good idea, nothing in hosts except
127.0.0.1 localhost

all others show nothing suspicious.
think I will do a rootkit scan for grins.
fp

At 11:07 AM 2/11/2008, Mesdaq, Ali Poked the stick with:

>Check your host file c:\windows\drivers\etc\hosts or check which IP you're
>connecting to for downloads. You might have had a trojan mess with your
>dns settings. This could happen in the host file or at a lower level
>which will be harder to detect.
>
>Thanks,

-- 
Tallyho ! ]:8)
Taglines below !
--
Take the bull by the hand, and don't mix metaphors.




Re: [H] Symantec AV went NUTS ?

2008-02-11 Thread Mesdaq, Ali
Check your host file c:\windows\drivers\etc\hosts or check which IP you're
connecting to for downloads. You might have had a trojan mess with your
dns settings. This could happen in the host file or at a lower level
which will be harder to detect.

Thanks,
--
Ali Mesdaq (CISSP, GIAC-GREM)
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
--

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of FORC5
Sent: Saturday, February 09, 2008 3:06 PM
To: hardware@hardwaregroup.com
Subject: [H] Symantec AV went NUTS ?

Have narrowed this down to the scheduled update feature in my SAVC file
dwhwizrd.exe.
When it runs it creates an endless stream of files dwh.tmp ( where
is random numbers). It detects these as a trojan. So does my Webroot
AV.

Have I been infected by a really smart V or is this a bug in my SAVC?

Wondering if anyone else has seen this?
Getting ready to uninstall it but meanwhile have disabled scheduled
updates.
Also FWIW it also is detecting tools I have used for years as bad boys.
( combofix and rockxp to name just two) google has shown this to be a
false positive.

thanks
fp



--
Tallyho ! ]:8)
Taglines below !
--
I'm on the trailing edge of technology.
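As an added illustration of the two checks Ali suggests in this thread (inspecting the hosts file, and comparing where downloads actually go against where they should go), here is a small Python script; it is not code from the thread or from any product mentioned in it. The hosts-file contents, hostnames and IP addresses below are constructed samples.

```python
import ipaddress

# Constructed sample of a Windows hosts file (not taken from the thread);
# the two non-localhost lines show what a redirect and a blackhole look like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
198.51.100.7    liveupdate.example-av.test   # update host sent elsewhere
0.0.0.0         www.example-av.test          # update host blackholed
::1             localhost
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries

def suspicious_entries(entries):
    """Flag everything except 'localhost' mapped to a loopback address.

    A stock Windows hosts file only defines localhost; any other line either
    pins a name to an address someone chose (redirect) or blackholes it so
    the real host, e.g. an AV update server, can never be reached.
    """
    flagged = []
    for ip, name in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        if name == "localhost" and addr.is_loopback:
            continue
        if addr.is_unspecified or addr.is_loopback:
            flagged.append((ip, name, "blackholed"))
        else:
            flagged.append((ip, name, "redirected"))
    return flagged

def unexpected_destinations(observed, expected):
    """Sniffer check from the thread: download IPs seen vs. IPs expected."""
    return sorted(set(observed) - set(expected))
```

Run `suspicious_entries(parse_hosts(open(path).read()))` against the real file on a machine you trust, and feed the destination IPs from a sniffer on a separate box into `unexpected_destinations` together with the addresses the update server legitimately resolves to.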






Re: [H] Symantec AV went NUTS ?

2008-02-10 Thread FORC5
I do that but it seems not to stick.

Thanks
Fp


At 08:51 PM 2/9/2008, j maccraw Poked the stick with:
>For legit tools, I've had to mark the folders as
>ignore to keep SAV from wiping 
>them out.

-- 
Tallyho ! ]:8)
Taglines below !
--
Press any key to continue or any other key to quit.


Re: [H] Symantec AV went NUTS ?

2008-02-09 Thread j maccraw
For legit tools, I've had to mark the folders as
ignore to keep SAV from wiping 
them out.

This is Symantec's description of the process:

http://service1.symantec.com/support/ent-security.nsf/docid/242413265148

Someone else asking the same question, no real answer:

http://forums.techguy.org/general-security/637562-solved-3000-trojans-1-month.html


FORC5 wrote:
> Have narrowed this down to the scheduled update feature in my SAVC
> file dwhwizrd.exe.
> When it runs it creates an endless stream of files dwh.tmp ( where is
> random numbers)
> It detects these as a trojan. So does my Webroot AV.
> 
> Have I been infected by a really smart V or is this a bug in my SAVC?
> 
> Wondering if anyone else has seen this?
> Getting ready to uninstall it but meanwhile have disabled scheduled updates.
> Also FWIW it also is detecting tools I have used for years as bad boys.
> ( combofix and rockxp to name just two) google has shown this to be a
> false positive.
> 
> thanks
> fp




[H] Symantec AV went NUTS ?

2008-02-09 Thread FORC5
Have narrowed this down to the scheduled update feature in my SAVC
file dwhwizrd.exe.
When it runs it creates an endless stream of files dwh.tmp ( where is
random numbers)
It detects these as a trojan. So does my Webroot AV.

Have I been infected by a really smart V or is this a bug in my SAVC?

Wondering if anyone else has seen this?
Getting ready to uninstall it but meanwhile have disabled scheduled updates.
Also FWIW it also is detecting tools I have used for years as bad boys. (
combofix and rockxp to name just two) google has shown this to be a false
positive.

thanks
fp



-- 
Tallyho ! ]:8)
Taglines below !
--
I'm on the trailing edge of technology.