Trojan DD:


TezzRexx
Dr Zoidberg
Posts: 4072
Joined: February 8th, 2005, 15:54
Location: BURMINGHUM, England


Post by TezzRexx »

Hello there, I may or may not have a Trojan on my system.

Firstly, I have Symantec AntiVirus installed on my computer and Ad-Aware, both of which didn't pick up the .exe after I ran it, which I then found out was a trojan and is slightly worrying me. I've done a quick and full scan, nothing was found. :S

Now I'm unsure of what to do. If you guys have any advice or great programs that would find it, I'd greatly appreciate it. My first reaction, and I'm guessing probably the best method, is to reformat my C:\ partition on my hard drive, leaving my document and swap file partition. Would this be okay, or would the trojan still be active?

I blame moderators for not removing a topic about a young wet Berk, which I thought was going to be a high-larious picture of baby Berk in a bath! :x
Dr. kitteny berk
Morbo
Posts: 19676
Joined: December 10th, 2004, 21:53

Re: Trojan DD:

Post by Dr. kitteny berk »

TezzRexx wrote: My first reaction and I'm guessing probably best method is to reformat my C:\ partition on my hard drive, leaving my document and swap file partition. Would this be okay or would the trojan still be active?

99.999999% chance that will not work.

I'd use http://www.eset.com/onlinescan/

If it sees something, get a trial of NOD32 downloaded etc., uninstall Symantec, reboot, install NOD32, and use that to clean up. Then buy it.
HereComesPete
Throbbing Cupcake
Posts: 10249
Joined: February 17th, 2007, 23:05
Location: The maleboge

Post by HereComesPete »

A² is quite good. Ewido is good too. Misec have a program called Trojan Hunter; never used it, but it would appear a lot of people like it. It has a free trial, so you may be able to sweep it.

Editz - chasing down the exe in safe mode may seem like a good idea, but a good trojan will have seeded itself around your files so it's quite hard to remove without it springing back up. Although given the exe is rather obvious it probably isn't that fancy.

I got one called simantec a while back from stupidly clicking on an email link.

Post by TezzRexx »

Cheers guys, scanning with the online thingy that Berk linked

Post by TezzRexx »

Hmm, looking at Security Task Manager, I had a look at System Idle and noticed it sends data to a shit load of IP addresses, the first being Google...

[screenshot: http://img.photobucket.com/albums/v602/TezzRexx/err.jpg]

Is this normal?! Most of the IPs don't work.

I asked Shada what happened on his, and his first IP is his system and then a load of other IPs.

Post by Dr. kitteny berk »

hijackthis log?

Post by TezzRexx »

Sure thing;

Logfile of HijackThis v1.99.1
Scan saved at 23:30:33, on 13/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Media Player\wmpenc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Security Task Manager\TaskMan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\TezzRexx\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Post by Dr. kitteny berk »

(struck out:) I can't see anything obviously wrong there.

I'd suggest a few reboots to check nothing appears. If the NOD32 online scan showed nothing,
try this http://www.kaspersky.com/virusscanner just to be super safe.

if you still have the exe somewhere, try scanning it with http://virusscan.jotti.org/

Obviously, I'd advise against using email, paypal, banking stuff etc on your machine for now.

Post by Dr. kitteny berk »

From somewhere else
Run HijackThis and put a check by the following entries, close all open windows and browsers and click 'Fix Checked'

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

Go to 'Add/Remove Programs' and uninstall all versions of 'Java'. Then go Here and install the newest version.

Purge the restore folder by doing the following.

Go to 'Control Panel/System/System Restore' and check the box 'Turn off System Restore on all drives', click 'Apply' and 'OK'. Reboot your computer, then enable System Restore again and create a 'New Restore Point' by going to 'Start/Programs/Accessories/System Tools/System Restore'.

Post by HereComesPete »

Some of the DLLs look like they may be replacements for legit files to seed your PC. I'm not sure, but 'c:\program files\bonjour\mdnsnsp.dll' might be a fake written over the real iTunes version.

Things like running a Creative driver set when you don't have a Creative card are signs too; 'CTHELPER.EXE' might be a fake if you don't. An all-caps root version such as you have tends to worry me: usually it shouldn't run from root, and I don't think it should be all capitals. I may be wrong.

Try killing everything non-essential with msconfig.exe and restart. If stuff you told to turn off re-appears, then chances are it might not be what it says it is.

Post by HereComesPete »

Poking around about cthelper, lots of places say even if it's legit it's a resource hog and is a waste of a process, so you can kill it regardless.

Post by Dr. kitteny berk »

just done looking on my machine

xpnetdiag.exe is most likely legit.

Post by HereComesPete »

If any of your svchost.exe processes are using a rather high amount of memory, they may be hiding dirty naughty DLLs.

Microsoft's method of swapping to DLLs for reusable running was good, except they won't start properly without an exe file, so things can hide behind a generic svchost.exe name and do bad things.
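An added check for the svchost point above (and for the earlier questions about CTHELPER.EXE and xpnetdiag.exe); this is example code written for this page, not something posted in the thread. It lists every svchost.exe instance with its memory use, the services each one hosts and the ServiceDll each service loads, and flags images that are unsigned or that live outside System32. It assumes Windows PowerShell run as Administrator; an unsigned result is a lead to investigate, not proof of infection, since older OEM files are often unsigned.

```powershell
# Example added for this page, not from the thread. Run elevated so process paths are visible.
$system32 = Join-Path $env:SystemRoot 'System32'

# Returns 'ok', 'MISSING', 'NO PATH' or the Authenticode status for a file.
function Get-ImageTrust {
    param([string]$Path)
    if (-not $Path) { return 'NO PATH (run elevated)' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'Valid') { return 'ok' }
    return "UNSIGNED/$($sig.Status)"
}

$services = Get-WmiObject Win32_Service
foreach ($proc in Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'") {
    $mb = [math]::Round($proc.WorkingSetSize / 1MB, 1)
    Write-Host ("svchost.exe PID {0,-6} {1,7} MB  {2}  [{3}]" -f `
        $proc.ProcessId, $mb, $proc.ExecutablePath, (Get-ImageTrust $proc.ExecutablePath))

    # Each hosted service names its DLL under HKLM\SYSTEM\...\Services\<name>\Parameters\ServiceDll.
    foreach ($svc in $services | Where-Object { $_.ProcessId -eq $proc.ProcessId }) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { Write-Host ("    {0,-22} (no ServiceDll value)" -f $svc.Name); continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        $flags = Get-ImageTrust $dll
        # A service DLL outside System32 is unusual enough to call out on its own.
        if (-not $dll.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) { $flags += ' ODD PATH' }
        Write-Host ("    {0,-22} {1}  [{2}]" -f $svc.Name, $dll, $flags)
    }
}

# The same signature check applied to two of the entries questioned in this thread.
foreach ($p in "$env:SystemRoot\CTHELPER.EXE", "$env:SystemRoot\Network Diagnostic\xpnetdiag.exe") {
    Write-Host ("{0}  [{1}]" -f $p, (Get-ImageTrust $p))
}
```

Compare the output against the HijackThis log's O23 service entries: a hosted service whose DLL is unsigned, missing, or sitting somewhere other than System32 is the one to look at first.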

Post by HereComesPete »

Dr. kitteny berk wrote: just done looking on my machine

xpnetdiag.exe is most likely legit.

Dependent on size/mem usage it's either legit, or has polymorphic code inserted in it that can send stuff through/to IPs.

Hope I'm not scaring anyone! :P

Post by HereComesPete »

Mind you, it's mostly there to help with connection problems; if you have none, it can be killed too.
Fear
Zombie
Posts: 2032
Joined: August 6th, 2006, 21:45

Post by Fear »

If you tell me where you got the trojan from I'll go have a look and see if it really is one.

Post by TezzRexx »

ESET has just found 4 items but is not finished yet. I'll have a look once it's done and continue from there.
cheeseandham
Shambler In Drag
Posts: 780
Joined: March 16th, 2007, 20:22
Location: on the sofa

Post by cheeseandham »

On a slightly different note, of possible prevention rather than cure:
if you're paranoid, an .exe sweeper, or simply visit the darker side of the web, you might want to have a look at this -
http://www.sandboxie.com/
Looks like a good idea and in theory will sandbox you off if you run it when/before doing anything potentially risky.

I've had a quick look and it seems to do what it says on the tin, but since I don't do anything that risky I don't use it. So please don't think this is an uber recommendation.

Post by TezzRexx »

Cheers Ham! Btw how's the sprog?

Post by Dr. kitteny berk »

cheeseandham wrote: On a slightly different note of possible prevention rather than cure,
If you're paranoid, an .exe sweeper or simply visit the darker side of the web you might want to have a look at this -
http://www.sandboxie.com/
Looks like a good idea and in theory will sandbox you off if you run it when/before doing anything potentially risky.

I've had a quick look and it seems to do what it says on the tin, but since I don't do anything that risky I don't use it. So please don't think this is an uber recommendation.
:above:

Is a good suggestion, but not being that interested in using iffy stuff, I've not used it much, just for occasional keygens etc.

so again, good on paper, little experience. YMMV