[Resolved] possible backdoor trojan.


Offline AldoH

  • Bronze Member
  • 21
[Resolved] possible backdoor trojan.
« on: June 01, 2010, 05:00:06 AM »
I recently got a warning from Symantec warning of a backdoor trojan, which I deleted, and all scans since have come back clean; Malwarebytes gave the same clean results. I was hoping someone could cast an eye over it to see if it's truly gone. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:52, on 01/06/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\logonui.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
C:\WINDOWS\system32\logon.scr
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\RP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\RP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\RP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Microsoft Office Groove.lnk = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Microsoft Office Groove.lnk = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE (User 'Default user')
O4 - Startup: Microsoft Office Groove.lnk = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1247001084759
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A76015B-CABE-4223-9F85-8D0476E7EEEF}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A76015B-CABE-4223-9F85-8D0476E7EEEF}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0A76015B-CABE-4223-9F85-8D0476E7EEEF}: NameServer = 192.168.0.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Z-SAN Service (Z-SANService) - Zetera Corporation - C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe

--
End of file - 7626 bytes
« Last Edit: June 01, 2010, 08:11:46 AM by 1972vet »


Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] possible backdoor trojan.
« Reply #1 on: June 01, 2010, 08:12:28 AM »
Greetings AldoH and Welcome to our Forums,

That log looks just fine. Are you still having issues?
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-13

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


Offline AldoH

  • Bronze Member
  • 21
Re: [Resolved] possible backdoor trojan.
« Reply #2 on: June 02, 2010, 02:10:06 AM »
Not since I used Symantec to remove the backdoor trojan, but I suppose I don't fully trust it. Call it paranoia, but I wanted to make double sure. I'll double check again with full scans from Symantec and Malwarebytes, then post my findings. I hope I haven't wasted your time, but I just wanted to check. The last time I got infected I used spy hammer and deleted all P2P stuff; I haven't used them since and have had no trouble at all.


Offline AldoH

  • Bronze Member
  • 21
Re: [Resolved] possible backdoor trojan.
« Reply #3 on: June 02, 2010, 05:36:32 AM »
Both updated full scans from Malwarebytes and Symantec have come back clean again. If I have wasted your time I apologise. I was concerned really because I don't use this machine for anything other than a server for media and couldn't figure out why it should get a backdoor trojan when it isn't even used for the internet. Do you have any suggestions on how to keep this PC safe? Would putting the security settings to the max be a good idea?


Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] possible backdoor trojan.
« Reply #4 on: June 02, 2010, 07:41:02 AM »
Quote
...I hope I haven't wasted your time but I just wanted to check...
Oh no, listen...it's never a waste of time, so don't think you even need to apologize. That's exactly what we are all here for: to help alleviate the gnawing suspicion. If you think you have some issue, please feel free to come back and post a help request. We're all happy to help, if even to offer the assurance that your system is clean.

So, now that you have the green light that your system is clean and running the way you expect, let's create a new restore point you can refer to should the need arise at some point in the future.

Please click "Start->Programs->Accessories->System Tools->System Restore". In the new window, check 'Create a restore point' in the right pane and click "Next". In the "Restore point description" textbox, name your restore point something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20090101_Clean). Click "Create" and reboot your computer.

To assist in the prevention of malicious software intrusion and infections:

Please remember to keep antivirus software on board and always use its real-time protection feature. Run a complete system scan at least once a week...preferably in Safe mode.

If your antivirus program is a licensed version that is about to expire, you can consider using one of these available free on the public domain:

Microsoft Security Essentials
AntiVir Personal Edition Classic
Avast! 4 Home Edition

Those of us in the online safety/security community have tried and tested these programs to determine their abilities. Bearing in mind that nothing is ever a guarantee regarding computer security, these programs, combined with the rest of these recommendations, are nevertheless certain to have an impact in helping to keep your system running free and clear. I personally have been completely satisfied from having tested and used each one of those at one time or another.

Although my personal preference is Avira AntiVir, one should not rely just on one person's anecdotal account of the effectiveness or efficiency of any one in particular, but should determine which best suits their own needs.

Immunize your browser by installing Spywareblaster. What does it do?
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.
Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Web of Trust, (WOT,) warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an add-on available for both Firefox and IE.

Install the WinPatrol security monitor utility. WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. What I hear most from users is how much they like the startup control feature and its ease of use. Need help understanding something about WinPatrol? Here it is.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least (but not more than) one of these types of third party firewalls running on board:
Sunbelt Personal Firewall

Zone Alarm. Beware: this download includes the Ask Toolbar...The ZoneAlarm Spy Blocker toolbar is powered by "Ask.com". The "Ask" search engine will cause "targeted" ads to be presented to you based upon the content of the web pages you visit, any personally identifiable information you have provided to "Ask.com", or keywords appearing in your search queries. Many security experts consider this type of behavior offensive...Windows 2k/XP/Vista

Outpost Free

Comodo. Beware: this download includes the HopSurf toolbar...If YOU DON'T WANT THIS TOOLBAR, be sure to remove the check from the box when presented during the installation. By installing the HopSurf toolbar, you grant Comodo permission to collect information about your Internet usage. Read the HopSurf EULA. Don't be too alarmed by this caveat...I highly recommend this firewall, but it may just be best suited for advanced users.

Keep your software updated...make it easier on yourself and install the free security tool "Secunia PSI"

It helps in the background to protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one-button "Download Solution" feature that updates the exploited software that it finds AND provides other related information/patching if warranted.

Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup, or else just download the Slim version (no toolbar...last download link at the bottom of that page)...

Or if you just want to run your on board Disk Cleanup:
("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

So how did I get infected in the first place?
Regards, and Happy Surfing!


Offline AldoH

  • Bronze Member
  • 21
Re: [Resolved] possible backdoor trojan.
« Reply #5 on: June 03, 2010, 02:13:48 AM »
Thanks a lot, and as with the last time we spoke I will follow your instructions. The only thing I would ask is that I've been using Google Chrome (I think we spoke about this the last time); I've never had any issues with it and it's got the WOT app already. Will the SpywareBlaster and WinPatrol software still work with Chrome, or do you still recommend changing to Firefox?


Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] possible backdoor trojan.
« Reply #6 on: June 03, 2010, 07:50:17 AM »
SpywareBlaster's purpose is to protect the browser. It does nothing else...you need only to update it, say, once per week (unless you purchased a license, in which case it will auto update for you)...and WinPatrol's purpose is to protect the system itself (Windows, thus the name "Win"Patrol).

Although I don't believe Chrome has yet to be incorporated into SpywareBlaster's GUI, I believe Chrome will nonetheless be protected. If you consider that a web site is a web site regardless of the browser that takes you there, it is still "a website". It's the ActiveX components (peculiar more to a website than the browser) that SpywareBlaster is after.

I'll grant you, the ActiveX "killbit" is what SpywareBlaster will set up for the particular browsers that it's designed for, but at least you'll have Internet Explorer protected regardless of your other browsers. I think, since Chrome is so similar to FF, that would be the reason why I said "I believe" your Chrome install would also be protected. I would at least give it a try just to see...can't harm a thing. It has a very small footprint and uses no system resources until you open it, that is. The best part is, you only need to open it when you update it. Leaving it closed, the system's browsers are still protected. In fact, if you minimize it to the system tray you will receive a warning that leaving it open is unnecessary.

You should use it regardless of the browser you choose. Keep in mind, you can't uninstall Internet Explorer so you'll always have that one.

As for WinPatrol, you should use it regardless of what browser you choose. It is "System" oriented more so than any specific browser or application for that matter. WinPatrol is an excellent piece of software that gives you the most bang for the buck so-to-speak.

You will be alerted to any system changes that you make and those you don't make yourself. This very concept is what Microsoft uses for the user account control in both Vista and Windows 7. You must authorize these changes in order for Windows to allow them (which gives you complete control). Malware will make changes...and since WinPatrol "Patrols" for such things, then your system would be protected against these unauthorized changes.

Control over system changes is just one of the many benefits you get from this program. I have used it myself and even WITH Windows Vista and 7. I believe I started using WinPatrol soon after it was released for download WAYYYY back in the early 90's I think...and have recommended it ever since.


Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] possible backdoor trojan.
« Reply #7 on: June 03, 2010, 02:53:21 PM »
This issue appears resolved and the thread is closed to prevent others from posting here.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.