Hello,
Yesterday I had a Trojan "attack" on my computer and I want to share some information.
The first symptom was some strange requests to unblock from the Microsoft XP Firewall (yes, we still use XP) about "normal" software such as Explorer, ...
Then Endpoint found 2 trojans, removed them and asked me to reboot. I did the reboot after 20 minutes (I had to finish a work...).
After the reboot: bluescreen with a problem on the SPTD.sys driver.
I found another SPTD.sys driver, put it on my HDD (with a Win7 PE CD), succeeded in booting and had a lot of trojans and downloaders found by Endpoint.
Each time I boot, Endpoint finds new infected files but doesn't resolve the issue!
Yesterday night, after some Google searches, I discovered that IE brought me to strange web sites (the Symantec forum was not accessible). After disabling the automatic configuration of the PROXY in IE, I finally reached some forums and installed ComboFix, which successfully deleted the risk.
I still have an issue with Endpoint: it is up to date but has the "!" sign on the icon and a warning in the status (see attached PNG).
If this can help you to update Endpoint, I can also attach logs or any other file.
Above is the list of the symantec endpoint Risk found.
Risk | Filename | Original Location | Status | Date
Trojan Horse | 80000000.$ | C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ | Infected | 15/11/2011 16.52
Trojan.Paccyn!inf | EvtEng.exe | C:\Programmi\Intel\WiFi\bin\ | Infected | 15/11/2011 16.52
Trojan Horse | 80000000.$ | C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ | Infected | 15/11/2011 16.52
Trojan.Paccyn!inf | DisplayLinkUserAgent.exe | C:\Programmi\DisplayLink Core Software\ | Infected | 15/11/2011 16.52
Downloader | 800000cb.$ | C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ | Infected | 15/11/2011 16.52
Trojan Horse | 800000cf.$ | C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ | Infected | 15/11/2011 16.52
Downloader | 800000cb.$ | C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ | Infected | 15/11/2011 16.52
Trojan Horse | 80000000.$ | C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ | Infected | 15/11/2011 16.52
Trojan Horse | 800000cf.$ | C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ | Infected | 15/11/2011 16.52
Downloader | 800000cb.$ | C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ | Infected | 15/11/2011 16.52
Trojan Horse | 800000cf.$ | C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ | Infected | 15/11/2011 16.52
Trojan Horse | 800000cf.$ | C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ | Infected | 15/11/2011 16.52
Downloader | 800000cb.$ | C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ | Infected | 15/11/2011 16.52
Trojan.Paccyn!inf | vmnat.exe | C:\WINDOWS\system32\ | Infected | 15/11/2011 20.54
Trojan Horse | 80000000.$ | C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ | Infected | 15/11/2011 20.54
Downloader | 800000cb.$ | C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ | Infected | 15/11/2011 20.54
Trojan.Paccyn!inf | WLIDSVCM.EXE | C:\Programmi\File comuni\Microsoft Shared\Windows Live\ | Infected | 15/11/2011 20.54
Trojan Horse | 800000cf.$ | C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ | Infected | 15/11/2011 20.54
Trojan.Paccyn!inf | fbserver.exe | C:\APPLIC\FIREBIRD\bin\ | Infected | 15/11/2011 20.54
Trojan.Paccyn!inf | FortiSSLVPNdaemon.exe | C:\WINDOWS\system32\ | Infected | 15/11/2011 20.54
Downloader | 800000cb.$ | C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ | Infected | 15/11/2011 10.32
Trojan.Zeroaccess | Desktop.ini | C:\WINDOWS\assembly\GAC_MSIL\ | Cleaned | 15/11/2011 10.32
Trojan.Paccyn!inf | S24EvMon.exe | C:\Programmi\Intel\WiFi\bin\ | Infected | 15/11/2011 10.35
Trojan.Paccyn!inf | ccSvcHst.exe | C:\Programmi\File comuni\Symantec Shared\ | Infected | 15/11/2011 10.35
Trojan.Paccyn!inf | agrsmsvc.exe | C:\WINDOWS\system32\ | Infected | 15/11/2011 10.35
Trojan.Paccyn!inf | DeviceManager.exe | C:\Programmi\File comuni\DeviceHelper\ | Infected | 15/11/2011 10.35
Trojan.Paccyn!inf | fbguard.exe | C:\APPLIC\FIREBIRD\bin\ | Infected | 15/11/2011 10.35
Trojan.Paccyn!inf | IAANTMON.EXE | C:\Programmi\Intel\Intel Matrix Storage Manager\ | Infected | 15/11/2011 10.35
Trojan.Paccyn!inf | jqs.exe | C:\Programmi\Java\jre6\bin\ | Infected | 15/11/2011 10.35
Trojan.Paccyn!inf | LSSrvc.exe | C:\Programmi\File comuni\LightScribe\ | Infected | 15/11/2011 10.35
Trojan.Paccyn!inf | NMSAccessU.exe | C:\Programmi\CDBurnerXP\ | Infected | 15/11/2011 10.35
Trojan.Paccyn!inf | RegSrvc.exe | C:\Programmi\File comuni\Intel\WirelessCommon\ | Infected | 15/11/2011 10.35
Trojan.Gen | SeaPort.exe | C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\ | Infected | 15/11/2011 10.35
Trojan.Paccyn!inf | Rtvscan.exe | C:\Programmi\Symantec\Symantec Endpoint Protection\ | Infected | 15/11/2011 10.35
Trojan.Paccyn!inf | vmware-authd.exe | C:\Programmi\VMware\VMware Workstation\ | Infected | 15/11/2011 10.35
Trojan.Paccyn!inf | vmware-usbarbitrator.exe | C:\Programmi\Common Files\VMware\USB\ | Infected | 15/11/2011 10.35
Trojan.Paccyn!inf | WLIDSVC.EXE | C:\Programmi\File comuni\Microsoft Shared\Windows Live\ | Infected | 15/11/2011 10.35
Trojan.Paccyn!inf | hpqWmiEx.exe | C:\Programmi\Hewlett-Packard\Shared\ | Infected | 15/11/2011 10.35
Trojan.Paccyn!inf | Com4QLBEx.exe | C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\ | Infected | 15/11/2011 10.35
Trojan.Paccyn!inf | FortiSSLVPNdaemon.exe | C:\WINDOWS\system32\ | Infected | 15/11/2011 18.15
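The risk list quoted above is easier to reason about once it is grouped by what each row actually represents: payload files dropped into the random-hex-named folder under "Dati applicazioni" (the `25f893e6\U\` directory), legitimate service executables that the file infector (`Trojan.Paccyn!inf`) has modified and that are still in "Infected" rather than "Cleaned" status, and files that keep being detected again after each reboot. The script below is an added triage example written for this post, not code from the poster or from Symantec; it embeds a constructed subset of the rows as sample input, assumes the five pipe-delimited columns shown in the post, and treats an eight-hex-character directory followed by `\U\` as the dropper's staging folder (a pattern inferred from the single path in the post, so adjust it for other cases).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: a subset of the Symantec Endpoint Protection risk rows
# quoted in the post, one pipe-delimited row per detection (raw string so the
# Windows backslashes are kept as-is).
SAMPLE_ROWS = r"""
Risk | Filename | Original Location | Status | Date
Trojan Horse | 80000000.$ | C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ | Infected | 15/11/2011 16.52
Trojan.Paccyn!inf | EvtEng.exe | C:\Programmi\Intel\WiFi\bin\ | Infected | 15/11/2011 16.52
Downloader | 800000cb.$ | C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ | Infected | 15/11/2011 16.52
Trojan Horse | 800000cf.$ | C:\Documents and Settings\MyUserNameAndDomain\Impostazioni locali\Dati applicazioni\25f893e6\U\ | Infected | 15/11/2011 16.52
Trojan.Paccyn!inf | vmnat.exe | C:\WINDOWS\system32\ | Infected | 15/11/2011 20.54
Trojan.Zeroaccess | Desktop.ini | C:\WINDOWS\assembly\GAC_MSIL\ | Cleaned | 15/11/2011 10.32
Trojan.Paccyn!inf | Rtvscan.exe | C:\Programmi\Symantec\Symantec Endpoint Protection\ | Infected | 15/11/2011 10.35
Trojan.Paccyn!inf | FortiSSLVPNdaemon.exe | C:\WINDOWS\system32\ | Infected | 15/11/2011 18.15
Trojan.Paccyn!inf | FortiSSLVPNdaemon.exe | C:\WINDOWS\system32\ | Infected | 15/11/2011 20.54
"""

# Assumption: the dropper stages its payloads in a folder named with eight hex
# characters followed by "\U\", as in the post's "...\25f893e6\U\" path.
HEX_DROP_DIR = re.compile(r"\\[0-9a-f]{8}\\U\\$", re.IGNORECASE)

# SEP writes the date as day/month/year and the time with a dot separator.
DATE_FORMAT = "%d/%m/%Y %H.%M"


def parse_rows(text):
    """Turn the pipe-delimited risk list into a list of dicts keyed by header."""
    lines = text.strip().splitlines()
    header = [cell.strip() for cell in lines[0].split("|")]
    records = []
    for line in lines[1:]:
        cells = [cell.strip() for cell in line.split("|")]
        if len(cells) != len(header):
            continue  # skip malformed rows rather than mis-assign columns
        record = dict(zip(header, cells))
        record["When"] = datetime.strptime(record["Date"], DATE_FORMAT)
        records.append(record)
    return records


def triage(records):
    """Group detections into dropper payloads, infected host binaries and repeats."""
    counts_by_risk = Counter(r["Risk"] for r in records)
    drop_directories = set()
    payload_files = set()
    infected_host_executables = defaultdict(set)  # file name -> directories
    seen = Counter()

    for r in records:
        location = r["Original Location"]
        seen[r["Filename"]] += 1
        if HEX_DROP_DIR.search(location):
            # Files the dropper wrote itself: safe to treat as pure malware.
            drop_directories.add(location)
            payload_files.add(r["Filename"])
        elif r["Status"] == "Infected":
            # A legitimately named binary that the infector modified and that
            # the scanner has not cleaned: these need reinstall or restore.
            infected_host_executables[r["Filename"]].add(location)

    return {
        "counts_by_risk": dict(counts_by_risk),
        "drop_directories": sorted(drop_directories),
        "payload_files": sorted(payload_files),
        "infected_host_executables": {
            name: sorted(dirs) for name, dirs in infected_host_executables.items()
        },
        # A file detected more than once points at reinfection between scans.
        "repeat_detections": {name: n for name, n in seen.items() if n > 1},
    }


if __name__ == "__main__":
    summary = triage(parse_rows(SAMPLE_ROWS))
    for key, value in summary.items():
        print(f"{key}:")
        print(f"  {value}")
```

On the full list from the post the same grouping shows the pattern the poster describes from the timestamps alone: the payloads in the hex-named folder are re-detected across the 10.32, 16.52 and 20.54 scans, and `FortiSSLVPNdaemon.exe` is found infected twice, which is what "each time I boot, Endpoint finds new infected files" looks like in the log. Host executables still marked "Infected" (a long list of drivers, services and the scanner's own `Rtvscan.exe` and `ccSvcHst.exe`) are the reason a signature cleanup alone does not settle the machine.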