Trojans posing as Norton processes??: what is

I'd like some advice on the processes of Norton SystemWorks. I have
SystemWorks 2005 + Pers Firewall 2005 on a single (non-network) home
pc, also have HijackThis (useful, though Norton sees it as an
"intruder"). The OS is Windows XP Pro + SP1.
Both OS and Norton programs are generally running well, but there
have been some problems with adware and suspected trojans. The Norton
processes aren't easy to decipher and consume lots of CPU sometimes,
and they *could* some of them be viruses masquerading as legit

A few days back the connection seemed sluggish, some non-web programs
wouldn't open and the start page had been sort of hijacked for a
week (not very effectively, since I could ward it off merely by entering
the control panel and fixing the start page before each time I went
online; since Explorer kept stalling now and then, this was irritating).
It seemed apparent that some trojan had erased/changed some things in
the registry. I tried the process manager but got the reply "disallowed by
the administrator" - hey, that's me, isn't it! (though other facts
indicated that I was still in charge as administrator). Luckily I could
use the manager which is part of HijackThis instead to check and close
some processes.
The network kept hassling for a few hours and then, after a virus scan,
it cleared up. Today I had another assault, an attempt to switch the IP
number to something really different - it worked for a few minutes,
then when I closed Internet connection and restarted the pc it
immediately went back to normal. So this is now warded off, and the
firewall is on max level for the moment.

The antivirus logs and quarantine file indicated that I'd had some
adware and infections by Trojan.Downloader and Trojan.Byte.verify (both
of which may affect the registry). When I scanned again with HijackThis
I got a process from Norton I'd never seen before, called
 The name is an exact match of a download from Symantec, but I haven't
made any downloads from them recently: I made a query to their support
but got no real reply - Symantec's customer service isn't their strong
point. At the point a few days back when the pc hassled badly I changed
the settings for Symantec's Live Update, but it didn't seem that
anything was actually downloaded right then, and in the logs there's
nothing about such downloads. I could try just killing the process, but
1) I don't know if that will work, 2) after the first crisis a few days
back, the log files suddenly worked and could be opened. For three
months before, I'd got a message "Symantec Log Viewer has encountered a
problem and has to close the program" - a well-known logical bug it
seems. I don't feel like risking returning to that state by misguidedly
killing a process.

OK, a few questions that I'd appreciate some help with:
Anyone know what's the purpose of the process file
techsupp/asa/ in Norton? Anyone who strongly suspects it
might also be a hoax? (I sure do)

Is there any location in Norton SW where you can see exactly what's
been downloaded by LiveUpdate? If so, where do I find it?

How can you separate different svchost.exe processes (another strong
candidate for malware)? They eat lots of memory and I can get no info
about what they do from HijackThis, nor could I with the ordinary
Processmanager (still locked).

And, finally: since some virus seems to have padlocked this manager -
what's the best way to reassert that I'm the Admin and get access to

all the best

Re: Trojans posing as Norton processes??: what is

Yes, I know svchost.exe monitors the central hosting processes. Could
be legit or non-legit so my question about that really is, how do I
find out *what* system processes are run by a certain svchost.exe
process shown in the manager?

Michelle wrote:
> [...]

Re: Trojans posing as Norton processes??: what is

tlist.exe may be what you seek.  It's on the installation media.

Which svchost.exe instance runs what is a function of some registry

Best Regards,
Todd H. /
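
As an added example (not part of the original posts), one way to answer the question above: pair `tasklist /svc` output with each process's image path and command line, and flag anything that only imitates svchost.exe. The sample data is constructed, and the `C:\WINDOWS` SystemRoot, the function names and the 0.85 similarity threshold are assumptions.

```python
import csv, io, ntpath
from difflib import SequenceMatcher

SYSTEM32 = r"c:\windows\system32"  # assumption: default XP SystemRoot, lower-cased
# Constructed sample of `tasklist /svc /fo csv` output (PID -> hosted services).
TASKLIST_SVC = '''"Image Name","PID","Services"
"svchost.exe","844","RpcSs"
"svchost.exe","1012","AudioSrv,Dhcp,Schedule"
"svchost.exe","1904","N/A"
"scvhost.exe","2040","N/A"
"explorer.exe","1520","N/A"
'''

# Constructed process listing: PID, full image path, command line.
PROCESSES = [
    (844, r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\svchost -k rpcss"),
    (1012, r"C:\WINDOWS\System32\svchost.exe", r"C:\WINDOWS\System32\svchost.exe -k netsvcs"),
    (1904, r"C:\WINDOWS\Temp\svchost.exe", r"C:\WINDOWS\Temp\svchost.exe"),
    (2040, r"C:\WINDOWS\system32\scvhost.exe", r"scvhost.exe"),
    (1520, r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\Explorer.EXE"),
]

def hosted_services(tasklist_csv):
    """Map PID -> list of service names from tasklist /svc CSV output."""
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return {int(r["PID"]): [] if r["Services"] == "N/A" else r["Services"].split(",")
            for r in rows}

def audit(processes, services):
    """Return {pid: [reasons]} for processes that only imitate svchost.exe."""
    findings = {}
    for pid, path, cmdline in processes:
        folder, name = (p.lower() for p in ntpath.split(path))
        reasons = []
        if name == "svchost.exe":
            if folder != SYSTEM32:
                reasons.append("svchost.exe outside System32")
            if " -k " not in cmdline.lower() + " ":
                reasons.append("no -k service group on command line")
            if not services.get(pid):
                reasons.append("hosts no services")
        elif SequenceMatcher(None, name, "svchost.exe").ratio() >= 0.85:
            reasons.append("look-alike image name")
        if reasons:
            findings[pid] = reasons
    return findings

if __name__ == "__main__":
    print(audit(PROCESSES, hosted_services(TASKLIST_SVC)))
```

A genuine instance runs from System32, is started with `-k <group>` and hosts at least one service; the three checks fail independently, so each finding lists every reason that applied.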

Re: Trojans posing as Norton processes??: what is

Michelle wrote:
> [...]

Classic symptom of a number of viruses. Post the HijackThis log in
CastleCops or other appropriate forum.

Re: Trojans posing as Norton processes??: what is

Please consider using Windows XP SP2 with the latest patches. There
is really no reason not to use the many, many fixes.

Please read (and follow):

I hope, not. I fear, true. Do not work as Administrator. Work as
normal user.

Yes. And this will not help at all.

Please read again (and follow):


You don't need all this "security software". You don't need HijackThis,
you don't need a "Personal Firewall".

What you need is:

- flatten and rebuild your PC

- use Windows XP SP2 with actual patches

- use the Windows-Firewall _before_ connecting unprotected to the Internet,
  or use to download SP2 (after dropping connection, you
  could restore what changed)

- don't use Internet Explorer or Outlook on the Internet any more, use
  some alternatives

- don't work as Administrator, but as a normal user; then you can delete
  the user profile and everything where your user has the right to write,
  and usually don't need to flatten everything if you're infected

"I am a free person and will now make use of my civil liberties - and
extensively so - of course only within the limits that Otto Schily
still leaves available to me."
                   Wolfgang Clement on 10.10.05, while still "super minister"