TDS3 log?


sard
July 17th, 2004, 05:22 AM
Last night TDS3 found a trojan. I deleted it, thinking I could later find out what it was called from the TDS log file, but it doesn't have its name.

The log file for that day just has

20:07:38 [Mutex Memory Scan] Started...
20:07:50 [Mutex Memory Scan] Trojan mutex(es) found:

but not its actual name. The file was called symantec32.exe but I'm guessing the file name doesn't really help identify what it was.

Is there a way to find out what Trojans TDS3 has recently found?

Thanks.

Jooske
July 17th, 2004, 05:43 AM
Hi Sard,
welcome to the forum!
If there is a mutex found, it would display its name and the file where it is.
This you'll see in the main console.
Normally it starts scanning for mutexes and there is either "no mutex found" or, like you show, "Mutexes found" with nothing behind it if there is none, or the name of the find if there is one.
What makes you think it was the symantec32.exe file? How was it displayed?

In TDS > View Logfile you can find the logs from the console and find back that alert to paste here.
Other alerts are in the bottom window after a scan, and those you can save to Scandump.txt by right-clicking one of the alerts and saving to text.
Also that text you can paste in a posting here for advice.

sard
July 17th, 2004, 09:30 AM
Looks like I should have right clicked and produced a Scandump.txt file. I assumed the specific info on the lower window would be automatically saved as most other scanners keep a record of what infections they detect.

I know it was the symantec32.exe file because it was displayed in the lower window, and I kept a copy to send to ESET, as NOD32 failed to detect it.

Jooske
July 17th, 2004, 09:39 AM
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.LJ&VSect=T

TDS, SpybotS&D, Ad-aware all should have been able to deal with it.

Think after its deletion to do another scan, eventually also an online scan like at HouseCall, with your other scanners closed completely (TDS you can keep active, but don't have it scanning at the same time).
This worm has nasty possibilities, as you can read.

You might like to post your AutoStartViewer log (with all options chosen) from the DiamondCS free products site or send it to support@diamondcs.com.au, and/or a HijackThis log, to see if you're really clean from everything.

sard
July 17th, 2004, 10:27 AM
Here are the results from AutoStart Viewer

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Admin@FRED, 07-17-2004
c:\winnt\system32\autoexec.nt
C:\WINNT\system32\mscdexnt.exe
C:\WINNT\system32\redir.exe
C:\WINNT\system32\dosx.exe
c:\winnt\system32\config.nt
C:\WINNT\system32\himem.sys
c:\winnt\system.ini [drivers]
timer=timer.drv
c:\winnt\system.ini [boot]\shell
C:\WINNT\Explorer.exe
c:\winnt\system.ini [boot]\scrnsave.exe
(NONE)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINNT\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
(NONE)
HKCR\vbsfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
mobsync.exe /logon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SoundFusion
RunDll32 hercplgs.cpl,BootEntryPoint
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Logitech Utility
C:\WINNT\Logi_MwX.Exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HGTXPEI
C:\WINNT\system32\FirstReboot.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nod32kui
C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Ad Muncher
C:\Program Files\Ad Muncher\AdMunch.exe /bt
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe
C:\WINNT\system32\internat.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINNT\system32\NETSHELL.dll
C:\WINNT\System32\webcheck.dll
C:\WINNT\system32\stobject.dll
C:\WINNT\Tasks\At5.job
symantec32.exe
C:\WINNT\Tasks\At7.job
symantec32.exe
C:\WINNT\Tasks\At8.job
symantec32.exe
C:\Documents and Settings\Admin\Start Menu\Programs\Startup\MemTurbo.lnk
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
C:\WINNT\system32\PDBoot.exe
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINNT\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINNT\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINNT\system32\imon.dll
C:\WINNT\system32\msafd.dll
C:\WINNT\system32\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINNT\system32\JAVASUP.VXD


And this is from HijackThis

Logfile of HijackThis v1.97.7
Scan saved at 15:18:32, on 17/07/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\FastCheck.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
D:\temp\Rar$EX00.157\asviewer.exe
C:\WINNT\system32\notepad.exe
D:\refreshrate\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINNT\system32\FirstReboot.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - D:\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/en/wowbeta/Si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38151.5369675926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash5/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56F3E848-4BC6-4595-9B0F-C656195CCD26}: NameServer = 10.0.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{56F3E848-4BC6-4595-9B0F-C656195CCD26}: NameServer = 10.0.0.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{56F3E848-4BC6-4595-9B0F-C656195CCD26}: NameServer = 10.0.0.2

Trend Micro online scan is still running. Have already run KAV trial and it found nothing.


I ran TDS3 after NOD32 found the following things

(image: http://uberish.fastmail.fm/1.jpg)

and I suspected it might be missing some. I have no idea why suddenly all these trojans and worms were appearing. I've just finished testing with ShieldsUP at http://www.grc.com/ and it turns out I had my NetBIOS ports open to the world, which I have now closed. Maybe that had something to do with it.

Jooske
July 20th, 2004, 04:11 AM
Hi again, waiting for the TDS scandump.txt in your next posting?

Guess the mutex was for Worm.Spybot.LJ?
Did you fix this one somehow?
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
Can NOD32 support tell you how to?

That symantec32.exe thing is still in the autostart here:
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINNT\system32\NETSHELL.dll
C:\WINNT\System32\webcheck.dll
C:\WINNT\system32\stobject.dll
C:\WINNT\Tasks\At5.job
symantec32.exe
C:\WINNT\Tasks\At7.job
symantec32.exe
C:\WINNT\Tasks\At8.job
symantec32.exe

I expected these hkeys as well, but maybe you deleted those already?
It creates the following registry entry so that it executes at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Symantec Security = "symantec32.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
Symantec Security = "symantec32.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Symantec Security = "symantec32.exe"

Is it also visible in msconfig? In the Task Manager? You'll have to stop them to be able to delete them completely. Did you do another search on the system for the file?
Make sure you have set folder options to show everything.
If TDS doesn't find any infections anymore, run SpybotS&D with a fresh update and let it look for everything suspicious, including the registry. If any keys are still not OK, Spybot will see them for you.
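The Autostart Viewer report sard posted and the registry entries quoted from the worm description can be checked mechanically. The following is an added example, not code from the thread or from DiamondCS: it parses the report's location/value layout and flags every autostart entry that launches a watched file name or sits under a watched Run value name. The location heuristic and the sample excerpt are assumptions constructed for this example.

```python
import re
# Constructed excerpt (not sard's full log) in the layout of the Autostart
# Viewer report above: a location line, then one or more lines holding what
# it launches. "Symantec Security" is the Run value the quoted write-up names.
SAMPLE_REPORT = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nod32kui
C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINNT\system32\NETSHELL.dll
C:\WINNT\System32\webcheck.dll
C:\WINNT\Tasks\At5.job
symantec32.exe
C:\WINNT\Tasks\At7.job
symantec32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Symantec Security
symantec32.exe
"""
# Heuristic for this layout: registry hives, .job tasks, Startup .lnk files,
# DOS .nt config files and .ini sections are locations; other lines are values.
LOCATION_RE = re.compile(r"^(HK(LM|CU|CR|U)\\|.*\.(job|lnk|nt)$|.*\.ini \[)", re.I)
# First path with an executable-ish extension; keeps unquoted paths with spaces whole.
FILE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|cpl|ocx|vxd|sys|drv))(?:"|\s|,|$)', re.I)

def parse_report(text):
    """Pair every launched value with the autostart location listed above it."""
    pairs, location = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if LOCATION_RE.match(line):
            location = line
        elif location is not None:
            pairs.append((location, line))
    return pairs

def launched_file(command):
    """Lower-cased file name (no directory) that a launch command runs."""
    m = FILE_RE.match(command.strip())
    path = m.group(1) if m else command.split()[0]
    return path.rsplit("\\", 1)[-1].lower()

def find_suspect_entries(text, watched_files=("symantec32.exe",),
                         watched_value_names=("symantec security",)):
    """Entries launching a watched file, or under a registry value name tied to it."""
    hits = []
    for location, value in parse_report(text):
        value_name = location.rstrip("\\").rsplit("\\", 1)[-1].lower()
        if launched_file(value) in watched_files or value_name in watched_value_names:
            hits.append((location, value))
    return hits
```

Run against sard's full report the same function would flag the three At*.job tasks; the Run/RunServices values would only show up if they had not already been deleted.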

Gavin - DiamondCS
July 20th, 2004, 05:15 AM
Definitely, nice spotting Jooske :)

NetBIOS closed - good. What about your user accounts? Make sure ALL user accounts have a strong password. This might require you to log off, then try to log on as Administrator with no password. If you can, that's terrible and you need to set a good strong password on that account too.

Jooske
July 20th, 2004, 07:20 AM
Was just pointed to this thread about the HJT - NOD32 thing: nothing wrong with that O10 line, so nothing to fix there.
http://www.wilderssecurity.com/showthread.php?p=160317


You don't run Port Explorer yet, to keep an eye on what is connecting? Do your firewall logs show many port scans, for instance on port 17300, to name one used a lot by spybots? There will be more ports commonly used by the spybots.
With Port Explorer you can put incoming data packets under Socket Spy and look in the log at what it was, which application is doing it, and from where, etc., so it is easier to locate and kill such applications/servers immediately.