Mischel Internet Security Forum > Malware > Trojans
(Moderators: Helena, Gavin_Coe, Magnus)

Topic: netdde.exe false positive (Read 494 times)
glt (Newbie, Posts: 4)
netdde.exe false positive
« on: Aug 20th, 2007, 11:13am »

Hi all,
 
My first post :)
We've been using TrojanHunter for a couple of years now.
This looks like our first false positive (good going guys!).
After downloading the latest ruleset today, TH said:
 
File scan
Found trojan file: C:\WINDOWS\system32\netdde\netdde.exe (Generic.TrojanDownloader.A)
1 files identified
 
1) This is a standard Windows OS file
2) The file hasn't changed since July 30, 2006.
 
So, I think this is a false positive. Can you confirm this?
 
The system is:
Windows Server 2003 Standard Ed. SP1.
 
Cheers,
Geoff
siliconman01 (Global Moderator, Gender: male, Posts: 5671)
Trojans! Chew 'em Up, Spit 'em Out...
Re: netdde.exe false positive
« Reply #1 on: Aug 20th, 2007, 1:21pm »

I'm pretty confident, like you, that this is a false positive. Would you please submit the file netdde.exe to Mischel Internet Security for analysis by Gavin or Magnus, just to make sure? The link below describes how to submit.
 
I will email Gavin as well to check your forum post.
 
 
http://www.misec.net/forum/board/FAQ/1139308293
 
And welcome to the forum :D
« Last Edit: Aug 20th, 2007, 1:22pm by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
siliconman01 (Global Moderator, Posts: 5671)
Re: netdde.exe false positive
« Reply #2 on: Aug 20th, 2007, 3:12pm »

Got an email back from Gavin that this is NOT a False Positive.
 
I recommend that you look deeper into your system to ensure that other infections are not present.  It would be good to follow the procedure in the link below to thoroughly test your system.  Please post the requested logs at the end of the procedure so that we can assist further.
 
http://www.misec.net/forum/board/FAQ/1170863449
glt (Newbie, Posts: 4)
Re: netdde.exe false positive
« Reply #3 on: Aug 20th, 2007, 3:46pm »

Hi,

OK. I was fooled by the netdde folder. The service in services.msc had a truly plausible description. Man, these guys are good sometimes.

Anyway, the server is remotely managed so I am somewhat limited in the actions I can perform, but here is the HijackThis log, after removal of the HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netdde service entry.

Thanks for the help!
Cheers,
Geoff
PS: edited to remove IP addresses
 
Logfile of HijackThis v1.99.1
Scan saved at 4:41:37 PM, on 8/20/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
e:\SQL2000\MSSQL\binn\sqlservr.exe
E:\mysql\bin\mysqld.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\VisNetic\Smtp.exe
C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\WINDOWS\System32\svchost.exe
e:\SQL2000\MSSQL\binn\sqlagent.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\AspQMail\Aspqmail.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
c:\windows\system32\inetsrv\w3wp.exe
D:\WebSite\Originlab\glt\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://xxx.xxx.xxx.xxx/index.aspx?s=8&lm=214&pid=1018
O4 - HKLM\..\Run: [ShutdownEventCheck] %systemroot%\system32\dumprep 0 -s
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184261677092
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89616D4E-9555-447B-B285-738DDFE8A101} : NameServer = xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA1F86F0-45C7-4792-B095-0D7B6044E688} : NameServer = xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AspQmail - ServerObjects Inc. - C:\AspQMail\Aspqmail.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
O23 - Service: MySql - Unknown owner - E:\mysql\bin\mysqld (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: VisNetic Control Service (VisNeticControl) - Deerfield Communications Inc. - C:\VisNetic\Control.exe
O23 - Service: VisNetic IM Service (VisNeticIM) - Deerfield Communications Inc. - C:\VisNetic\IM.exe
O23 - Service: VisNetic POP3/IMAP Service (VisNeticPOP3) - Deerfield Communications Inc. - C:\VisNetic\Pop3.exe
O23 - Service: VisNetic SMTP Service (VisNeticSMTP) - Deerfield Communications Inc. - C:\VisNetic\Smtp.exe
O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
 
« Last Edit: Aug 20th, 2007, 3:54pm by glt »
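The log above is the kind of artefact a responder triages by hand; the script below is an added example of doing the first pass mechanically. It is not a tool from this thread, from HijackThis or from TrojanHunter. It parses the "Running processes" block and the O23 service lines in HijackThis format and flags three defender-relevant signals: a service with no owner/company string, a registered service binary that is missing on disk, and a well-known System32 binary name running from some other directory, which is the C:\WINDOWS\system32\netdde\netdde.exe pattern Geoff describes (a subfolder named after the legitimate file, holding a look-alike executable). The sample input is constructed: the process and service lines are modelled on the posted log, and the "Network DDE (netdde)" service entry is a hypothetical reconstruction of the entry Geoff removed, which the thread never shows.

```python
"""Triage helper for HijackThis-style logs (added example, not a tool from the thread)."""
import ntpath
import re
from dataclasses import dataclass

# Binaries whose legitimate home on Windows 2003 is %SystemRoot%\System32 (general
# knowledge, not taken from the thread). The same file name living anywhere else,
# such as the System32\netdde\ subfolder in the thread, deserves a second look.
SYSTEM32_BINARIES = {"netdde.exe", "svchost.exe", "lsass.exe", "services.exe",
                     "winlogon.exe", "smss.exe", "csrss.exe"}
SYSTEM32_DIRS = {r"c:\windows\system32"}   # assumes %SystemRoot% = C:\WINDOWS, as in the log

# O23 lines look like: "O23 - Service: <name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Constructed sample modelled on the posted log. The "Network DDE (netdde)" entry is a
# hypothetical reconstruction of the service Geoff removed; its display name is assumed.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\netdde\netdde.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe

O23 - Service: MySql - Unknown owner - E:\mysql\bin\mysqld (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Network DDE (netdde) - Unknown owner - C:\WINDOWS\system32\netdde\netdde.exe
"""


@dataclass
class Service:
    name: str
    owner: str
    path: str   # raw path field; may carry HijackThis's "(file missing)" suffix
    raw: str


@dataclass
class Finding:
    kind: str   # "process" or "service"
    reason: str
    line: str


def parse_hjt(text):
    """Return (running process paths, O23 service entries) from an HJT log."""
    processes, services, in_procs = [], [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if stripped:
                processes.append(stripped)
                continue
            in_procs = False          # blank line ends the process block
        m = O23_RE.match(stripped)
        if m:
            services.append(Service(m["name"], m["owner"], m["path"], stripped))
    return processes, services


def _normalise(path):
    """Lower-case, drop quotes and the '(file missing)' suffix; return (dir, basename)."""
    p = path.strip().strip('"')
    p = re.sub(r"\s*\(file missing\)$", "", p, flags=re.I).lower()
    return ntpath.dirname(p), ntpath.basename(p)   # ntpath handles backslashes on any host


def misplaced_system_binary(path):
    """True when a System32 binary name is found outside System32."""
    directory, base = _normalise(path)
    return base in SYSTEM32_BINARIES and directory not in SYSTEM32_DIRS


def find_suspicious(text):
    """Return a worklist of entries that need manual verification."""
    processes, services = parse_hjt(text)
    findings = []
    for p in processes:
        if misplaced_system_binary(p):
            findings.append(Finding("process", "system binary name outside System32", p))
    for s in services:
        if s.owner.lower() == "unknown owner":
            findings.append(Finding("service", "no owner/company string", s.raw))
        if s.path.lower().endswith("(file missing)"):
            findings.append(Finding("service", "registered binary missing on disk", s.raw))
        if misplaced_system_binary(s.path):
            findings.append(Finding("service", "system binary name outside System32", s.raw))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}: {f.line}")
```

The output is a worklist, not a verdict: "Unknown owner" also fires on benign entries such as mr2kserv and the orphaned MySql service in the posted log, so each hit still needs the file's publisher signature or hash checked against a known-good copy before anything is removed. The misplaced-binary rule is the one that would have caught this thread's case without a signature update.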
siliconman01 (Global Moderator, Posts: 5671)
Re: netdde.exe false positive
« Reply #4 on: Aug 21st, 2007, 1:53am »

Thanks for the HJT log. It is missing some elements, which is typically caused by one of the infections that impact HJT itself.
 
Please rename HiJackthis.exe to something like AnalyzeMe.exe and then re-run/post a new HJT log.
 
Also, your version of TH is significantly out-of-date.  The latest version is 4.7.932.  You should update to the latest version.  It can be downloaded from the "Download TrojanHunter Now" link at the top of the forum page.  The link below provides guidance as to how to uninstall and re-install the new version of HJT.
 
http://www.misec.net/forum/board/FAQ/1139255716
glt (Newbie, Posts: 4)
Re: netdde.exe false positive
« Reply #5 on: Aug 21st, 2007, 9:15am »

Hi,
 
Changing the file name seemed not to add anything new.
What exactly are you expecting to see that's missing?
Here's the new log. Again, IPs removed.
Will update TH after this.
Cheers,
Geoff
 
Logfile of HijackThis v1.99.1
Scan saved at 10:11:15 AM, on 8/21/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
e:\SQL2000\MSSQL\binn\sqlservr.exe
E:\mysql\bin\mysqld.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\VisNetic\Smtp.exe
C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\WINDOWS\System32\svchost.exe
e:\SQL2000\MSSQL\binn\sqlagent.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\AspQMail\Aspqmail.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
D:\WebSite\Originlab\glt\clever.exe
D:\WebSite\Originlab\glt\check.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://xxx.xxx.xxx.xxx/index.aspx?s=8&lm=214&pid=1018
O4 - HKLM\..\Run: [ShutdownEventCheck] %systemroot%\system32\dumprep 0 -s
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184261677092
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89616D4E-9555-447B-B285-738DDFE8A101} : NameServer = xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA1F86F0-45C7-4792-B095-0D7B6044E688} : NameServer = xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AspQmail - ServerObjects Inc. - C:\AspQMail\Aspqmail.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
O23 - Service: MySql - Unknown owner - E:\mysql\bin\mysqld (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: VisNetic Control Service (VisNeticControl) - Deerfield Communications Inc. - C:\VisNetic\Control.exe
O23 - Service: VisNetic IM Service (VisNeticIM) - Deerfield Communications Inc. - C:\VisNetic\IM.exe
O23 - Service: VisNetic POP3/IMAP Service (VisNeticPOP3) - Deerfield Communications Inc. - C:\VisNetic\Pop3.exe
O23 - Service: VisNetic SMTP Service (VisNeticSMTP) - Deerfield Communications Inc. - C:\VisNetic\Smtp.exe
O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
 
siliconman01 (Global Moderator, Posts: 5671)
Re: netdde.exe false positive
« Reply #6 on: Aug 21st, 2007, 10:40am »

Hmmmm, I was expecting to see some O2 and O3 entries for BHOs and Toolbars in IE6. However you probably do not have any in the Server, eh?
 
I'm not seeing anything that looks suspicious in your HJT log.  I recommend that you upgrade TrojanHunter to the latest version, update its rulesets to the latest, and run a full scan to see if anything else is detected.  
 
Also, if you can, run a remote scan on it per Kaspersky.  The online remote scanner is found here.
 
http://www.kaspersky.com/virusscanner
 
 
 
glt (Newbie, Posts: 4)
Re: netdde.exe false positive
« Reply #7 on: Aug 21st, 2007, 10:55am »

Hi siliconman01,

Absolutely correct. No one uses this server to do e-mail, browsing (except me for Windows updates) etc. And I would immediately remove any BHOs or ActiveX objects that appeared. Another reason why it's unclear how they got in.

TH+ruleset is up to date and scanning now. It found the netdde Trojan nicely this time BTW. I kept a copy for analysis later.

We do have Symantec-AV Corp Ed. on the server, but will do the Kaspersky scan too as you suggest: defense in depth etc, etc.

Thanks for the help.
Cheers,
Geoff