Hi, I got this alarm from my TDS-3:
Scan Control Dumped @ 13:58:45 09-11-04
RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Windows Compliant=blyfcl.exe]
RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\RunServices [Windows Compliant=blyfcl.exe]
I just want to know, is this bad? Because I never got any alarm from my AV. Thanks in advance.
Regards, micaelis
Hi micaelis,
Just to make sure: are you running TDS-3 as admin? Please have a look at the following thread from Gavin: "RUN AS for TDS-3 - TRACE scan, multiple user problems". I am not saying that this must be the reason for your alert, but please have a look at that thread and, if needed, follow the guidelines from Gavin in that thread. Does that solve your problem? Please let us know!
Cheers, Jan.
Hi FanJ,
I'm pretty sure that I was running as admin, but I'll try those guidelines and see if it fixes the problem. Thanks, FanJ. (I'll let you know tomorrow what happens when I get back to work.) Thanks again!
Regards, micaelis
Hi FanJ,
The alarm is still there:
Scan Control Dumped @ 14:37:35 10-11-04
RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\RunServices [Windows Compliant=blyfcl.exe]
Suspicious Filename: Dual extensions
File: c:\documents and settings\irving\local settings\temp\hp psc 900 series\cdimage\setup\motive\install.wse.exe
Positive identification: Demo.Leaktest 1.1 (Not a trojan)
File: c:\documents and settings\irving\my documents\leaktest.exe
Positive identification: DDoS.RAT.SDBot.jg2
File: c:\windows\system32\tftp2628 <------ this one is new (I don't know where it came from. I tried scanning it with my AV and another AT program but did not get anything.)
Regards, micaelis
Hi micaelis,
Sorry to hear that! First the two easier ones:
1. Suspicious Filename: Dual extensions
File: c:\documents and settings\irving\local settings\temp\hp psc 900 series\cdimage\setup\motive\install.wse.exe
By default TDS-3 warns you about such files with dual extensions. Sometimes they are harmless, sometimes not... What if you clear your temporary files/folders?
2. Positive identification: Demo.Leaktest 1.1 (Not a trojan)
File: c:\documents and settings\irving\my documents\leaktest.exe
Nothing wrong here. It is only a demo. Up to you whether to delete it or not.
Hi FanJ,
I actually knew about the double extension and LeakTest, but the one thing that really bothers me is the DDoS.RAT warning. I just want to know if it's all right to just ignore this warning. Thanks, FanJ.
Regards, micaelis
P.S. I wonder what advice the DCS crew can give me.
Now about the other two:
Scan Control Dumped @ 14:37:35 10-11-04
RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\RunServices [Windows Compliant=blyfcl.exe]
Positive identification: DDoS.RAT.SDBot.jg2
File: c:\windows\system32\tftp2628 <------ this one is new (I don't know where it came from. I tried scanning it with my AV and another AT program but did not get anything.)
Did you let TDS-3 do a full system scan while your other scanners (AV for example) were temporarily disabled? Could you give more info about your Windows version and anti-virus program?
About this file: c:\windows\system32\tftp2628
Could you please send it to Gavin: submit at diamondcs.com.au, if possible zipped. What is the extension of that file?
Maybe we need expert help here from Gavin and/or HJT experts.
Hi FanJ,
I did a TDS-3 full scan with my AV on, but let me give it a try with my AV off (hopefully I can do it today, because I'm about to leave the office). The file type for "c:\windows\system32\tftp2628" is unknown. BTW, I'm using NOD32 (everything is up to date). Thanks again, FanJ.
Regards, micaelis
Definitely remove both the EXE file and that TFTP file! Make sure you are updated with Windows Update; you were exploited, that's why you have a TFTP file! Here's what to do:
1. First update with Windows Update.
2. While you wait, run TDS and go to the Autostart Explorer (press CTRL-A). In there, find the two "Windows Compliant = blyfcl.exe" entries, right-click and delete both. Kill blyfcl.exe with the Task Manager too, and email the file blyfcl.exe to submit@diamondcs.com.au. Then delete it.
3. Also delete c:\windows\system32\tftp2628, either manually or by right-clicking the alarm and deleting it with TDS.
4. After Windows Update completes, allow it to reboot or reboot manually. You should be clean now.
But please email support a log from ASViewer: http://www.diamondcs.com.au/index.php?page=asviewer
Not surprised your AV missed these; things are getting worse with these open source trojans.
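A small triage helper for this kind of TDS-3 alarm text, added here as an example; it is not DiamondCS code and not from anyone in the thread. It parses the three finding shapes quoted above (a RegVal Trace, a Suspicious Filename and a Positive identification, each followed by a File: line) from a constructed sample with one item per line, and turns the advice given in the thread into rules: an autostart value under Run/RunServices flagged by a trojan signature is to be removed, a hit marked "Not a trojan" is ignored, a dual-extension file in a temp folder is for review, and an extension-less tftp* file in system32 is removed. The rule set and the names parse_dump, triage and triage_dump are this example's own assumptions.

```python
"""Triage of a TDS-3 'Scan Control Dumped' alarm text (added example, not DiamondCS code).

The triage rules are this example's own heuristics, written from the advice in the thread.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the findings quoted in the thread, one item per line.
SAMPLE_DUMP = r"""Scan Control Dumped @ 14:37:35 10-11-04
RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\RunServices [Windows Compliant=blyfcl.exe]
Suspicious Filename: Dual extensions
File: c:\documents and settings\irving\local settings\temp\hp psc 900 series\cdimage\setup\motive\install.wse.exe
Positive identification: Demo.Leaktest 1.1 (Not a trojan)
File: c:\documents and settings\irving\my documents\leaktest.exe
Positive identification: DDoS.RAT.SDBot.jg2
File: c:\windows\system32\tftp2628
"""

# Per-machine autostart keys under HKLM\Software\Microsoft\Windows\CurrentVersion
AUTOSTART_KEYS = ("\\run", "\\runonce", "\\runservices", "\\runservicesonce")
DUAL_EXT = re.compile(r"\.[a-z0-9]{1,4}\.(exe|com|scr|pif|bat|cmd)$", re.I)
REGVAL_LINE = re.compile(r"^File:\s*(?P<key>.+?)\s*\[(?P<name>[^=\]]+)=(?P<data>[^\]]*)\]$")


@dataclass
class Finding:
    kind: str                         # "regval", "filename" or "ident"
    detail: str                       # signature name or TDS-3 reason text
    path: str                         # full registry key path or file path
    value_name: Optional[str] = None  # registry value name (regval only)
    value_data: Optional[str] = None  # registry value data, i.e. what gets launched


def parse_dump(text: str) -> list[Finding]:
    """Pair each finding header with the File: line that follows it."""
    findings, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Scan Control Dumped"):
            continue
        if line.startswith("RegVal Trace:"):
            sig, _, hive = line.split(":", 1)[1].rpartition(":")
            header = ("regval", sig.strip(), hive.strip())
        elif line.startswith("Suspicious Filename:"):
            header = ("filename", line.split(":", 1)[1].strip(), None)
        elif line.startswith("Positive identification:"):
            header = ("ident", line.split(":", 1)[1].strip(), None)
        elif line.startswith("File:") and header:
            kind, detail, hive = header
            m = REGVAL_LINE.match(line) if kind == "regval" else None
            if m:
                findings.append(Finding(kind, detail, f"{hive}\\{m['key']}", m["name"], m["data"]))
            else:
                findings.append(Finding(kind, detail, line[len("File:"):].strip()))
            header = None
    return findings


def triage(f: Finding) -> tuple[str, str]:
    """Return (action, reason); actions are remove, review or ignore."""
    low = f.path.lower()
    if f.kind == "regval":
        if low.endswith(AUTOSTART_KEYS):
            note = "" if "\\" in (f.value_data or "") else ", bare filename resolved via the search path"
            return "remove", f"{f.detail}: autostart value {f.value_name!r} launches {f.value_data!r}{note}"
        return "review", f"{f.detail}: registry hit outside the autostart keys"
    if f.kind == "ident":
        if "not a trojan" in f.detail.lower():
            return "ignore", "identified as a demo/test tool, not malware"
        if re.search(r"\\system32\\tftp\d*$", low):
            return "remove", f"{f.detail}: extension-less tftp* drop in system32, payload fetched after an exploit"
        return "remove", f"positive identification {f.detail}"
    if DUAL_EXT.search(low):
        hint = "lives in a temp folder, clear temp and rescan" if "\\temp\\" in low else "inspect before trusting"
        return "review", f"dual extension, {hint}"
    return "review", f.detail


def triage_dump(text: str) -> list[tuple[str, str, str]]:
    """Return (action, location, reason) for every finding in the dump."""
    rows = []
    for f in parse_dump(text):
        action, reason = triage(f)
        where = f"{f.path} [{f.value_name}={f.value_data}]" if f.kind == "regval" else f.path
        rows.append((action, where, reason))
    return rows


if __name__ == "__main__":
    for action, where, reason in triage_dump(SAMPLE_DUMP):
        print(f"{action:6}  {where}\n        {reason}")
```

The parser keys on the Run-type key names rather than on the value name, because "Windows Compliant" is only the label the bot chose; what matters is that a trojan-signature hit points at something launched at logon, and that blyfcl.exe is given as a bare filename, so the entry alone does not tell you where on disk the file sits.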
Hi FanJ & Gavin,
Sorry for the late reply. I did some updates and deleted those files. I made a backup of the file to send it to you, Gavin. Thank you so much, FanJ and Gavin.
Regards, micaelis (kinda disappointed with my NOD32, but good thing I have TDS-3)