[SOLVED] Backdoor Trojan


Gemo

On my wife's Win7 PC she runs Symantec Endpoint Protection and today a SEP notification msg started popping up [SID: 29106] System Infected; Trojan Backdoor Activity 152 detected.

She also noticed that Google Chrome wouldn't open/run so I did a full AV scan using Malwarebytes and Kaspersky's Free Scanning Tool, and both utilities didn't find any issues. I uninstalled Google and reinstalled it and now it is working.

Everything seems to be OK, however every 20 or 30 seconds the SEP "[SID: 29106] System Infected; Trojan Backdoor Activity 152 detected" notification pops up.

Would appreciate any advice on exactly what this msg is trying to tell me and how do I fix whatever the problem is.

Many thanks - and stay well.
 
I'd run a second opinion scanner like these.

Second opinion tools



A second opinion scanner is exactly what it sounds like, a malware tool that offers additional malware detection and removal capability. Just as it's a good idea to get the opinion of a second physician or medical specialist when you've been given a clean bill of health, but are still sure that something isn't right, so it is with virus and malware infections.

There are many, many instances where traditional scanning utilities are spoofed or simply aren't defined for searching out specific lesser known or as yet uncommon infections, or in some cases, simply bits and pieces that are still a danger to your system but do not fit the pattern criteria targeted by your standard protections. Running one or all of these after traditional scans is simply a good practice, especially if your system still seems to be exhibiting signs of abnormal behavior.


Before running the second opinion tools it's highly recommended that you reboot the system, and again boot into the Safe mode environment so that changes made by your Antivirus and Malware utilities can take effect.

Recommended Second opinion tools

*Hitman Pro
*TDSSKiller Rootkit tool
*Rogue Killer
 

Gemo

Thanks for and appreciate the comments. I did the 2nd opinion scans, using TDSS Rootkit and Rogue Killer, but nothing showed up.
Very impressed with Rogue killer - very nice and powerful utility.
I've fully scanned now more than 12 times variously using Symantec Endpoint, Malwarebytes (both AV program and their rootkit tool), Kaspersky (KVRT scan tool and TDSS) and Rogue killer.
The Symantec notification is still popping up but it seems a little less frequently - ie. every 40-60 secs.
Have also tried - disconnecting (by temporarily disabling the LAN network adapter) from the internet and I no longer get the SEP notification.

FYI - have an almost exact similar PC running a very similar configuration and I am not seeing this "System Infected; Trojan Backdoor Activity 152 detected" problem on that unit.

Very frustrated - something seems to living in my wife's PC and I'm worried about how safe it is to use the PC.

Sure hope someone has a brilliant idea...
 
Might find some information here that could be helpful.

https://community.broadcom.com/syma...viewer#bm4f5c7cae-a704-4f3a-902c-e637d42892b0

DO you know if your breach or attempted breach is being listed as incoming or outgoing?

Can you please list ALL non-Microsoft applications installed on this computer?

Can you Ctrl-Alt-Delete, then run task manager, click on "Show more information" at the bottom if needed, click on the processes tab, click the memory column at the top and take a screenshot. Then click the Startup tab and take a screenshot. Be sure to take multiple screenshots of the startup tab if necessary to capture all startup processes.

Post images as explained here:


Also, this site might be helpful to you as well.

Well, never mind on that. Looks like the Spyware Hammer forum has closed its doors. I'll see if there are any other malware or intrusion specific forums with folks that specifically deal with ONLY this type of thing, out there, that is useful. Might also check the Symantec forums.
 

Gemo

Sage advice on updating to Win10, which will be in the cards - but here is some new add'l info that my better half shared with me. Apparently at the time Chrome stopped working she got something on the screen that said she needed to update Google Chrome, so (yikes!!!) she clicked on it, and it seems that's when the problem started -
To get Chrome working I had to reinstall it and started noticing the Symantec notification on "System Infected; Trojan Backdoor Activity". So I'm thinking something infected the PC when she clicked on the "update" and SEP is tracking that but it is unclear how to fix it...
I understand Win7 is no longer supported but I spent some time today on my Win7 PC and it is working perfectly - ie. no System Infected notices from SEP - so it has to be some specific issue "infecting" my wife's machine...

I can do some work on listing what programs are running on her PC and post them...
 

Gemo

Hey Darkbreeze - little confused on what you are asking for --
No problem opening up Task Manager and listing the Processes, and then clicking on the Memory column and grabbing multiple screen shots to capture all the processes...
- but not sure what you mean by clicking the Start Up tab - don't see a Start Up tab in Task Mngr - I can of course list the Start Up programs using MSConfig - is that what you mean...?
Rgds...
 
You're right, that's because you're running Win7. Windows 8 and 10 DO have a startup tab on task manager. More reasons to upgrade.

Whatever she clicked on was likely an infection, Chrome, Firefox, these NEVER "ask" you to update, they simply do it, in the background, and then notify you that the update will be applied the next time the browser is restarted or may not even tell you anything at all. To "tell" you that you need to update, in a pop up window, should have been a dead giveaway.
 
You can try System restore, but I'll be honest, I don't have much faith in it. In fact, I normally disable it on all my machines and most of my clients' machines, and I opt for a third party backup image program like Acronis True Image because that always works, every time. Fully 3/4ths of the times I've tried to fix something using System restore, it has failed to work correctly. Same goes for the Windows startup repair process. I have little faith in Microsoft's mechanisms. But, it's worth a shot. Worst case scenario, you bork something up and end up having to do a clean install of Windows 10, and plug in your Windows 7 key, so you don't have to "upgrade" which is a lousy way to do it. Too many issues after upgrading. The only reason to upgrade IMO is to get an OEM license upgraded to 10 and attached to a Microsoft account so you can then turn around and do a clean install.

It would be a good idea to back up anything important first though.
 

Gemo

More info on the "[SID: 29106] System Infected; Trojan Backdoor Activity 152 detected" - went into SEP's Client Mngt logs and the intrusions are listed there, as Outgoing to 175.126.123.219 (which the site shows as Capture and Share - apparently a Korean site).
Windows process is C:\Windows\System32\svchost.exe
 
Ok, so here's the deal. You have an infection that NONE of the scanners seems to want to identify or even recognize. It is trying to phone home. My advice is, disconnect that system, NOW, from the internet, and wipe the whole thing with a clean install.

Yes, you MIGHT be able to figure out what is on there. Yes, you MIGHT be able to apply some kind of mitigation or removal process on that infection. No, you cannot GUARANTEE that it isn't so deep into your registry and file system that you can never actually get rid of it or that you won't end up playing a systemic game of whack-a-mole until the little bastard decides it's infected enough other machines and decides to lock up your machine until you pay a ransom. And if you think it can't happen, I assure you, it can.

Entire city, state and federal governments and organizations have resolved to simply pay the ransoms in order to regain access to their entire databases and system infrastructure rather than run the risk of losing it permanently, and even the best protected systems are vulnerable to infections or intrusions that aren't known yet.

I don't think it's worth the risk. I'd change ALL of my passwords and user names for my financial institution and website logins, immediately, and do not reconnect that machine to the internet until you've eradicated the installation that is on there.

svchost.exe is a normal windows process, but it is just about THE most vulnerable process for an infection to take over because it IS a normal process and if an infection can compromise the system and run a malignant version of a normal windows process it can often avoid detection or removal by many scanners because it just looks normal to them.

I'm not an expert in this area, well, expert compared to a lot of people, not expert compared to actual security experts, but I know enough to know when you have to throw in the towel and say that any attempt at cleaning the infection is simply not worth the risk that it may not be fully cleaned afterwards. There is only one way to do it for sure, and that's to wipe it out. In this case, it's even likely that the infection may not even allow you to attempt to roll back OR it may have already been on the system biding its time when the last restore image was taken.
 
Solution
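The SEP log entries Gemo pulled (outgoing, from svchost.exe, to one remote address, repeating every 20 to 60 seconds) are the beaconing pattern Darkbreeze describes. As an added triage example that is not from the thread or from Symantec, the Python below groups such entries by direction, process and remote address and reports how regularly each group fires; the comma-separated line layout, the timestamps and the incoming entry are constructed assumptions, while the signature, process path and IP are the ones reported in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample entries; the comma-separated layout is an assumption for this
# example, not SEP's real export format. Timestamps and the last entry are invented.
SAMPLE_LOG = """\
2020-04-10 10:15:02,Outgoing,[SID: 29106] System Infected; Trojan Backdoor Activity 152,C:\\Windows\\System32\\svchost.exe,175.126.123.219
2020-04-10 10:15:31,Outgoing,[SID: 29106] System Infected; Trojan Backdoor Activity 152,C:\\Windows\\System32\\svchost.exe,175.126.123.219
2020-04-10 10:16:00,Outgoing,[SID: 29106] System Infected; Trojan Backdoor Activity 152,C:\\Windows\\System32\\svchost.exe,175.126.123.219
2020-04-10 10:16:29,Outgoing,[SID: 29106] System Infected; Trojan Backdoor Activity 152,C:\\Windows\\System32\\svchost.exe,175.126.123.219
2020-04-10 10:20:11,Incoming,[SID: 99999] Constructed incoming test event,System,192.0.2.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<dir>Incoming|Outgoing),"
    r"(?P<sig>[^,]+),(?P<proc>[^,]+),(?P<ip>[\d.]+)$"
)

def parse(log_text):
    """Turn log text into event dicts; lines that do not match the layout are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "direction": m["dir"], "signature": m["sig"],
                           "process": m["proc"], "remote_ip": m["ip"]})
    return events

def summarize(events):
    """Group by (direction, process, remote IP); report count and median gap in seconds."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["direction"], e["process"], e["remote_ip"])].append(e["ts"])
    summary = {}
    for key, stamps in groups.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        summary[key] = {"count": len(stamps),
                        "median_interval_s": median(gaps) if gaps else None}
    return summary

def beacon_candidates(summary, min_count=3, max_interval_s=120):
    """Outbound groups repeating at a short, steady interval look like phone-home traffic.
    A genuine System32 path does not clear them: the host process may be hijacked."""
    return sorted(key for key, s in summary.items()
                  if key[0] == "Outgoing" and s["count"] >= min_count
                  and s["median_interval_s"] is not None and s["median_interval_s"] <= max_interval_s)
```

On the sample the svchost.exe group shows four outbound hits at a steady 29-second median gap, which is what to look for before deciding, as the thread did, that the host is not trustworthy.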

USAFRet
"More info ..." = why has this system not been wiped yet?

Sorry, but if a friend or family member brought their system to me like this...full wipe and reinstall.

If you've gone through multiple av and malware tools, and something still reports as a trojan....nuke the system and start over.
 

punkncat
Something I would suggest before wiping is to take a full "snapshot" (as it were) of ALL installed programs and utilities, browser add ons, tool bars. Chances are pretty good IMO that wifey installed some app/program/funny face maker (and such) that is trying to call out. Symantec isn't finding it, because you told it to allow install, but is stopping the phone home.
 
Did you miss the "update Google chrome" pop up and prompt that she clicked ok on? No problems before that. Problems after that. No such popup for a normal Google Chrome browser update which just like Firefox is done silently in the background and the only prompt you'll ever get is whether you want to restart the browser to complete the update. The fact that they got a popup asking to update Chrome is pretty much a dead giveaway.

I understand the reasoning behind taking a snapshot, but bottom line, if the system is compromised, so is any snapshot.
 

punkncat

I did miss that. Sounds like the culprit is in the open.

Perhaps my wording is incorrect so much as a technical term. I literally meant like a screen shot of everything installed/list of everything, not like a ghost image or restore point. But, rather a moot point in light of what I missed.
 

Gemo

Thanks for the great help - I'm throwing up the white flag and am now working on upgrading to Win 10 (long overdue anyways), with a clean install (and some "strong" advice to my better half)...

Stay well, Glen
 

Dean0919
One more thing I would add: I would advise everyone to not click on any popup that says "update your app" or "there's an update available, click to update", unless you're 100% sure it's your app's updater telling you (which you can recognize by its interface and placement on screen). So, when such pop ups appear, it's always better to simply ignore it, then go in your app's "help" menu and click "about". This is the place for most applications where you can check for updates. If your app really has a new update, it will tell you there and you can update it; if not, it seems like that pop up telling you to update your app was a popup bringing a virus.
 