Malware seen during scan but security suite not catching it.

Guest

I have XP Media edition and Norton Internet Security 2007.

During a norton scan, in the scan window where it shows the files being
scanned I see several malware items such as ZBKAngel, PC-Keylog PRO, and
several others; but when the scan is finished Norton does not detect them and
I get an all-okay message.

ZBKAngel is a backdoor from what I've been able to find out. Not being able
to get any help from Symantec I decided to do a "DOD wipe" and reload.

After reloading with the restore disk I installed norton. Before connecting
to the LAN or internet I then did a scan and watched the scan window. During
the scan ZBKAngel showed up in the window again! This tells me that it is
either a backdoor in the windows system itself or in the norton software! I
did a nine pass wipe of the system before reload and also a complete format.
Does anyone have any knowledge of this?

So, after norton is completely setup and active I connect to the windows
update for all updates and do the same with norton. I did not go to any other
site.
I disconnected from the internet and did another scan and found that all of
the same stuff was back again! ARRggg!

Is it possible for a cable modem or router to contain malware or script to
install it?

Also where the heck did ZBKAngel come from??? Is this built into the OS or
norton?

Any help would be greatly appreciated, thank you!

Landru
 
David H. Lipman

From: "LANdru" <[email protected]>

| I have XP Media edition and Norton Internet Security 2007.
|
| During a norton scan, in the scan window where it shows the files being
| scanned I see several malware items such as ZBKAngel, PC-Keylog PRO, and
| several others; but when the scan is finished Norton does not detect them and
| I get an all-okay message.
|
| ZBKAngel is a backdoor from what I've been able to find out. Not being able
| to get any help from Symantec I decided to do a "DOD wipe" and reload.
|
| After reloading with the restore disk I installed norton. Before connecting
| to the LAN or internet I then did a scan and watched the scan window. During
| the scan ZBKAngel showed up in the window again! This tells me that it is
| either a backdoor in the windows system itself or in the norton software! I
| did a nine pass wipe of the system before reload and also a complete format.
| Does anyone have any knowledge of this?
|
| So, after norton is completely setup and active I connect to the windows
| update for all updates and do the same with norton. I did not go to any other
| site.
| I disconnected from the internet and did another scan and found that all of
| the same stuff was back again! ARRggg!
|
| Is it possible for a cable modem or router to contain malware or script to
| install it?
|
| Also where the heck did ZBKAngel come from??? Is this built into the OS or
| norton?
|
| Any help would be greatly appreciated, thank you!
|
| Landru

If you wiped the disk to DoD standards and reinstalled the OS and then saw this Backdoor
Trojan again then you re-installed it.

You need to re-examine all the files you used to reinstall the OS and software as one of
them is this Trojan's installer !

As for the question...
"Is it possible for a cable modem or router to contain malware or script to install it? "

No. It isn't.
 
Guest

That's what I figured. The restore disk is the one that came with the computer
when I bought it. The norton software I bought from bestbuy in the brand new
unopened box. So what gives??
This is what led me to believe that either windows or norton has this
backdoor built in.

What do you suggest?

Thanks
 
David H. Lipman

From: "LANdru" <[email protected]>

| That's what I figured. The restore disk is the one that came with the computer
| when I bought it. The norton software I bought from bestbuy in the brand new
| unopened box. So what gives??
| This is what led me to believe that either windows or norton has this
| backdoor built in.
|
| What do you suggest?

What computer is this and what is the Restore Disk ?

Do you have a distribution copy of WinXP Media Center ?

BTW: Please don't Multi-Post.
Please learn to Cross-Post to pertinent, On Topic, News Groups instead.
 
Harry Johnston

LANdru said:
That's what I figured. The restore disk is the one that came with the computer
when I bought it. The norton software I bought from bestbuy in the brand new
unopened box. So what gives??
This is what led me to believe that either windows or norton has this
backdoor built in.

I'm not sure I understand why you think this malware is on your computer in the
first place. What do you mean by "you saw it in the scan window" - can you
actually find the files on your computer? Are you sure you weren't merely
seeing a message saying Norton was checking for them?

Have you tried Windows Live OneCare (a free malware scan from Microsoft)?

<http://onecare.live.com/site/en-us/default.htm?s_cid=sah>

Harry.
 
David H. Lipman

From: "Harry Johnston" <[email protected]>


|
| I'm not sure I understand why you think this malware is on your computer in the
| first place. What do you mean by "you saw it in the scan window" - can you
| actually find the files on your computer? Are you sure you weren't merely
| seeing a message saying Norton was checking for them?
|
| Have you tried Windows Live OneCare (a free malware scan from Microsoft)?
|
| <http://onecare.live.com/site/en-us/default.htm?s_cid=sah>
|
| Harry.

Harry:

MS OneCare is one of the worst anti virus scanners in the anti virus market. In fact in a
recent public test described in AVComparatives, out of 17 tested anti virus products,
Microsoft's OneCare came in LAST !

http://www.av-comparatives.org/
http://www.computerworld.com.au/index.php/id;1407473052;fp;2;fpid;1

There are web site scanners from; Kaspersky, McAfee , Trend Micro, F-Secure, BitDefender,
yada, yada that are *much* better.

I have actually written the Multi AV Scanning Tool which is a front-end to the command line
scanners of; McAfee, Sophos, Trend Micro and Kaspersky.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Guest

Harry, The norton scan window shows the file names that are currently being
scanned. This is where I see these file names during the scan. Norton does
not acknowledge that they are there nor can I find them anywhere on the
computer. They may either be hidden really well or masquerading as system
functions, OR maybe norton is reading the contents of a definition file, I
don't know.

Dave, I have a Hewlett Packard Pavilion computer that I bought brand new
from the HP website. It came with the HP restore disk. Everything was
properly sealed when I received them. The same with the Norton software.
Brand new in an unopened box from bestbuy.

I have even wondered if this were some ploy by symantec to get you to pay
for their customer support. I tried talking to them but they were
uncooperative unless I gave them $. They even side stepped the issue by
giving me vague answers to my questions.

I never had this stuff on my computer from earlier editions of norton, it
suddenly first showed up when I installed the new version.

The same thing happened to a friend's brand new computer bought from HP. When
norton 2007 was installed on a new clean system and a scan was performed
before anything else was installed and before connecting to the internet.
Same thing, ZBKAngel shows as one of the files under scan.

I have never heard of the "contents" of a definition file for example being
shown during scan.

Something smells fishy to me. Like I mentioned earlier, I wonder if norton
is up to something.

Thanks Dave, and I will learn the proper posting methods.

So, any other ideas?

Thanks,

Landru

David H. Lipman

From: "LANdru" <[email protected]>

| Harry, The norton scan window shows the file names that are currently being
| scanned. This is where I see these file names during the scan. Norton does
| not acknowledge that they are there nor can I find them anywhere on the
| computer. They may either be hidden really well or masquerading as system
| functions, OR maybe norton is reading the contents of a definition file, I
| don't know.
|
| Dave, I have a Hewlett Packard Pavilion computer that I bought brand new
| from the HP website. It came with the HP restore disk. Everything was
| properly sealed when I received them. The same with the Norton software.
| Brand new in an unopened box from bestbuy.
|
| I have even wondered if this were some ploy by symantec to get you to pay
| for their customer support. I tried talking to them but they were
| uncooperative unless I gave them $. They even side stepped the issue by
| giving me vague answers to my questions.
|
| I never had this stuff on my computer from earlier editions of norton, it
| suddenly first showed up when I installed the new version.
|
| The same thing happened to a friend's brand new computer bought from HP. When
| norton 2007 was installed on a new clean system and a scan was performed
| before anything else was installed and before connecting to the internet.
| Same thing, ZBKAngel shows as one of the files under scan.
|
| I have never heard of the "contents" of a definition file for example being
| shown during scan.
|
| Something smells fishy to me. Like I mentioned earlier, I wonder if norton
| is up to something.
|
| Thanks Dave, and I will learn the proper posting methods.
|
| So, any other ideas?
|
| Thanks,
|
| Landru
|

In theory then the HP has existed OK for a while and "all of a sudden" Norton is making this
declaration.
Maybe this is a False Positive declaration.

Please submit a sample of a file suspected of being "ZBKAngel" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 