
Trojan Horse Detected


This topic is locked
2 replies to this topic

#1 Rathji (Members, 3 posts)

Posted 21 April 2010 - 11:09 AM

**This is possibly a double post; the forums were acting strange when I posted the first time. If that is the case, then this is the correct post.**

Hello,

I am a new IT guy in a small non-profit company and we are running Windows XP on our domain.

Ever since I have started, this computer has been performing slowly. It is a newer PC (relatively speaking; for a non-profit, new means < 5 years old), Symantec Endpoint Protection won't update regularly, the computer is running very slowly, and if I run Hitman Pro it comes up with hits but Symantec throws an error which says access is denied. The 80 gig hard drive is almost full (~70 gigs), but using Treesize doesn't show what the space is being taken up by. Normally we have about 15 gigs being used, as not much data is stored on the machines. I have tried Malwarebytes and Hitman Pro to see if I can detect the problem.

When scanning the following alert comes up from Symantec:

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Trojan Horse
File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer\4b8c0db8.tmp
Location: Quarantine
Computer: **********
User: Administrator
Action taken: Quarantine succeeded : Access denied
Date found: Wednesday, April 21, 2010 09:24:17 AM

The files the scans find are C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer\4aae20bc.tmp (or similar), which seem like they could be quarantine files, except we are using Symantec Endpoint Protection 11.0.

I think I have followed the preparation guide properly, and the DDS log is included below. I have also attached the Attach.txt file. The GMER scan runs but has crashed 3 times, so I will attach that log when the scan finally succeeds.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 8:25:26.23 on 04/21/10
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.990.461 [GMT -6:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\IntelliAdminRC4\Agent32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\poweroff.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\IntelliAdminRC4\Agent32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\IntelliAdminRC4\Agent32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [VTTimer] VTTimer.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35[1].exe" /scan:boot
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
uPolicies-explorer: NoActiveDesktop = 01000000
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: dontdisplaylockeduserid = 1 (0x1)
mPolicies-system: HideStartupScripts = 1 (0x1)
mPolicies-system: HideShutdownScripts = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149865458404
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150319820604
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2007-5-17 3456]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-4-19 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-4-19 108392]
R2 IntelliAdminRC4;IntelliAdminRC4;c:\windows\intelliadminrc4\Agent32.exe [2010-4-14 2281440]
R2 Poweroff;Poweroff;c:\windows\system32\poweroff.exe [2006-6-15 172032]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2008-4-19 2177464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100413.048\NAVENG.SYS [2010-4-14 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100413.048\NAVEX15.SYS [2010-4-14 1324720]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2006-8-3 320384]
S3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-7-11 23153]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2001-8-23 14336]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2010-04-21 13:37:30 0 d-----w- c:\program files\Trend Micro
2010-04-15 22:15:25 140018 ----a-w- c:\windows\system32\.crusader
2010-04-14 19:37:35 0 d-----w- c:\windows\IntelliAdminRC4
2010-04-08 21:17:45 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 21:17:28 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-08 21:17:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-08 21:07:05 0 d-----w- c:\docume~1\admini~1\applic~1\JAM Software
2010-04-08 21:06:23 0 d-----w- c:\program files\JAM Software
2010-03-22 18:19:41 0 d-----w- c:\program files\Microsoft Windows Small Business Server

==================== Find3M ====================

2009-11-29 06:55:16 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 8:26:41.42 ===============


Attached Files
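Added example, written for this page and not part of the original post, of DDS or of BleepingComputer's tooling: a small Python triage script that parses the Running Processes, SERVICES / DRIVERS and Created Last 30 sections of a DDS log like the one above and flags entries an analyst would want to verify. Its rules (which directories count as expected locations, what counts as an unusual filename) are assumptions about a default Windows XP layout, and a flag is a prompt to check the file's signature, hash and vendor, not a verdict. The embedded sample is an excerpt of the log posted above.

```python
"""Triage a DDS log: parse the Running Processes, SERVICES / DRIVERS and Created Last 30
sections and flag entries worth a second look. Heuristics only: a flag means "verify this
file" (signature, hash, vendor), not "this is malware". Expected-location rules are the
example author's assumptions about a default Windows XP layout, not DDS documentation."""
import re
from collections import defaultdict

# Excerpt of the DDS output posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\IntelliAdminRC4\Agent32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============= SERVICES / DRIVERS ===============
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2007-5-17 3456]
R2 IntelliAdminRC4;IntelliAdminRC4;c:\windows\intelliadminrc4\Agent32.exe [2010-4-14 2281440]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2001-8-23 14336]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================
2010-04-21 13:37:30 0 d-----w- c:\program files\Trend Micro
2010-04-15 22:15:25 140018 ----a-w- c:\windows\system32\.crusader
2010-04-08 21:17:45 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# service line: <state> <name>;<display>;<image and args> [<date size>]
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)\s*\[(?P<meta>[^\]]*)\]$")
# created line: <date> <time> <size> <attrs> <path>
CREATED_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>[\d:]+)\s+(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")

# Where system and application binaries normally live on a default XP install (assumption).
WINDOWS_DIR = "c:\\windows\\"
EXPECTED_ROOTS = ("c:\\windows\\system32\\", "c:\\program files\\")


def parse_sections(text):
    """Split a DDS log into {section title (lower-case): [non-blank lines]}."""
    sections, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
        elif current:
            sections[current].append(line)
    return sections


def image_path(image):
    """Strip service arguments: 'c:\\...\\svchost.exe -k WINRM' -> 'c:\\...\\svchost.exe'."""
    m = re.match(r"(.*?\.(?:exe|sys|dll|scr))", image, re.I)
    return (m.group(1) if m else image).lower()


def in_expected_location(path):
    """True if the file sits directly in C:\\WINDOWS or under one of EXPECTED_ROOTS."""
    directory = path.lower().rsplit("\\", 1)[0] + "\\"
    return directory == WINDOWS_DIR or directory.startswith(EXPECTED_ROOTS)


def triage(text):
    """Return {'processes': [...], 'services': [...], 'created': [...]} with one string per flag."""
    sections = parse_sections(text)
    findings = {"processes": [], "services": [], "created": []}
    for proc in sections.get("running processes", []):
        path = image_path(proc)
        if "\\" not in path:
            continue  # DDS prints a bare name when it could not resolve the image path
        if not in_expected_location(path):
            findings["processes"].append(f"{proc}: runs outside the usual system/program roots")
    for svc in sections.get("services / drivers", []):
        m = SERVICE_RE.match(svc)
        if not m:
            continue
        path = image_path(m["image"])
        if "\\" not in path:  # e.g. 'a --> a [?]': a registry entry whose binary DDS could not find
            findings["services"].append(f"{m['name']}: image path unresolved ({m['image']})")
        elif not in_expected_location(path):
            findings["services"].append(f"{m['name']}: image outside usual roots ({path})")
    for entry in sections.get("created last 30", []):
        m = CREATED_RE.match(entry)
        if not m or m["attrs"].startswith("d"):
            continue  # directories are noise for this check
        path = m["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        odd_name = name.startswith(".") or "." not in name  # dotfile or extension-less file
        hidden_system = "h" in m["attrs"] and "s" in m["attrs"]
        if path.startswith(WINDOWS_DIR) and (odd_name or hidden_system):
            findings["created"].append(f"{m['path']}: new file under C:\\WINDOWS with unusual name or attributes")
    return findings


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(f"[{section}] {item}")
```

Run it as a script to print the flags for the embedded excerpt, or call `triage(open(path).read())` on a saved DDS log. On the excerpt it flags the IntelliAdminRC4 agent (a non-standard folder directly under C:\WINDOWS, both as a process and as a service), the vsdatant service whose image path DDS could not resolve, the dotfile `.crusader` in system32, and dds.scr itself running from the Administrator's desktop. That last flag is the analyst's own tool, which is exactly why the output is a checklist to verify rather than a list of infections.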





#2 Rathji (Topic Starter, Members, 3 posts)

Posted 23 April 2010 - 09:07 AM

This problem has been resolved and this thread can be removed.

Thank you to anyone who has looked into it.

#3 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 23 April 2010 - 11:32 AM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send a Private Message to any one of the moderating team members or myself. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
