Need Help :(

Discussion in 'Trojan Defence Suite' started by micaelis, Nov 9, 2004.

Thread Status:
Not open for further replies.
  1. micaelis

    micaelis Guest

    hi i got this alarm from my tds-3:

    Scan Control Dumped @ 13:58:45 09-11-04
    RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Windows Compliant=blyfcl.exe]

    RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\RunServices [Windows Compliant=blyfcl.exe]

    just wanna know, is this bad? because i never got any alarm with my AV.

    thanks in advance.

    regards,
    micaelis
     
  2. FanJ

    FanJ Guest

    Hi micaelis,

    Just to make sure:
    Are you running TDS-3 as admin ?

    Please have a look at the following thread from Gavin:
    RUN AS for TDS-3 - TRACE scan, multiple user problems

    I am not saying that this must be the reason of your alert, but please have a look at that thread, and -if needed- follow the guidelines from Gavin in that thread.

    Does that solve your problem ?
    Please let us know !

    Cheers, Jan.
     
  3. micaelis

    micaelis Guest

    hi fanJ,

    im pretty much sure that i was running as admin but ill try those guidelines and see if it fixes the problem. thanks fanJ ( ill let you know tomorrow what happens
    when i get back to work :) )

    thanks again!

    regards,
    micaelis
     
  4. micaelis

    micaelis Guest

    hi fanj,

    the alarm is still there:

    Scan Control Dumped @ 14:37:35 10-11-04
    RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\RunServices [Windows Compliant=blyfcl.exe]

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\irving\local settings\temp\hp psc 900 series\cdimage\setup\motive\install.wse.exe

    Positive identification: Demo.Leaktest 1.1 (Not a trojan)
    File: c:\documents and settings\irving\my documents\leaktest.exe

    Positive identification: DDoS.RAT.SDBot.jg2
    File: c:\windows\system32\tftp2628 <------ this one is new :( ( i dont know where it came from. I tried scanning it with my AV and other AT program but did not get anything. )


    regards,
    micaelis
     
  5. FanJ

    FanJ Guest

    Hi micaelis,

    Sorry to hear that !

    First the two easier ones:

    1.
    Suspicious Filename: Dual extensions
    File: c:\documents and settings\irving\local settings\temp\hp psc 900 series\cdimage\setup\motive\install.wse.exe

    By default TDS-3 warns you for such files with dual extensions.
    Sometimes they are harmless, sometimes not...

    What if you clear your temporary file/folders ?


    2.
    Positive identification: Demo.Leaktest 1.1 (Not a trojan)
    File: c:\documents and settings\irving\my documents\leaktest.exe

    Nothing wrong here.
    It is only a demo.
    Up to you whether to delete it or not.
     
  6. micaelis

    micaelis Guest

    hi fanj,

    i actually knew about the double extension and leaktest :) but the one thing that really bothers me is ddos.rat warning. i just wanna know if its alright just to ignore this warning. :(

    thanks fanj

    regards,
    micaelis

    p.s. i wonder what advice the dcs crew can give me.
     
  7. FanJ

    FanJ Guest

    Now about the other two ones:

    Scan Control Dumped @ 14:37:35 10-11-04
    RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\RunServices [Windows Compliant=blyfcl.exe]

    Positive identification: DDoS.RAT.SDBot.jg2
    File: c:\windows\system32\tftp2628 <------ this one is new ( i dont know where it came from. I tried scanning it with my AV and other AT program but did not get anything. )

    Did you let TDS-3 do a full system scan while your other scanners (AV for example) were temporarily disabled?

    Could you give more info about your Windows version and Anti-virus program?

    About this file:
    c:\windows\system32\tftp2628
    Could you please send it to Gavin: submit at diamondcs.com.au
    if possible zipped
    What is the extension of that file?

    Maybe we need expert help here from Gavin and/or HJT-experts.
     
  8. micaelis

    micaelis Guest

    hi fanj,

    i did a tds-3 full scan with my AV on but let me give it a try with my AV off (Hopefully i can do it today 'coz im about to leave here in the office :) ). the file type for "c:\windows\system32\tftp2628" is unknown. btw im using nod32 ( everything is up to date ). thanks again fanj

    regards,
    micaelis
     
  9. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined: Feb 10, 2002 | Posts: 2,080 | Location: Perth, Western Australia

    Definitely remove both the EXE file and that TFTP file ! make sure you are updated with Windows Update, you were exploited, that's why you have a TFTP file !

    Here's what to do.. first update with Windows Update
    While you wait, run TDS and go to the Autostart Explorer (press CTRL-A)
    In there, find this

    Windows Compliant = blyfcl.exe

    2 entries, right click and delete both, kill blyfcl.exe with the Task Manager too - and email the file blyfcl.exe to submit@diamondcs.com.au. Then delete it

    Also delete c:\windows\system32\tftp2628, either manually or by right-clicking the alarm and delete it with TDS

    After Windows Update completes, allow it to reboot or reboot manually, you should be clean now. But email support a log from ASViewer please
    http://www.diamondcs.com.au/index.php?page=asviewer

    Not surprised your AV missed these, things are getting worse with these open source trojans.
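    Gavin's cleanup steps hinge on reading the TDS-3 alarm text correctly (which autostart value to delete, which dropped file to remove). The parser below is an added example, not code from the thread or from DiamondCS: it turns the dump format quoted in this thread into triage records, and the severity rules (info / review / action) are my own assumption.

```python
"""Triage TDS-3 'Scan Control Dumped' alarms (added example, not TDS-3 code).
Layout follows the dumps quoted in the thread; severity rules are my assumption:
'(Not a trojan)' is info, filename heuristics need review, the rest need cleanup."""
import re
ALARM_RE = re.compile(r"^(RegVal Trace|Positive identification|Suspicious Filename): (.+)$")
RUNKEY_RE = re.compile(r"^(.*?)\s*\[(.+?)=(.+?)\]$")  # "Software\...\Run [Name=prog.exe]"

# Alarm text as posted in the thread (dump of 10-11-04), used as sample input
SAMPLE = r"""Scan Control Dumped @ 14:37:35 10-11-04
RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\RunServices [Windows Compliant=blyfcl.exe]
Suspicious Filename: Dual extensions
File: c:\documents and settings\irving\local settings\temp\hp psc 900 series\cdimage\setup\motive\install.wse.exe
Positive identification: Demo.Leaktest 1.1 (Not a trojan)
File: c:\documents and settings\irving\my documents\leaktest.exe
Positive identification: DDoS.RAT.SDBot.jg2
File: c:\windows\system32\tftp2628 <------ this one is new
"""

def classify(kind, detection):
    if "(Not a trojan)" in detection:
        return "info"      # Demo.Leaktest: harmless, delete or keep
    if kind == "Suspicious Filename":
        return "review"    # dual-extension heuristic, may be harmless
    return "action"        # rBot/SDBot: remove autostart value and file

def parse_tds3_dump(text):
    """One dict per alarm: kind, detection, location, value_name, program, severity."""
    findings, pending = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        m = ALARM_RE.match(line)
        if m:
            pending = m.groups()
            continue
        if pending and line.startswith("File: "):
            kind, detection = pending
            # "<------ ..." after the path is the poster's note, not part of the alarm
            location = line[6:].split(" <")[0].strip()
            value_name = program = ""
            if kind == "RegVal Trace":                   # "DDoS.RAT.rBot: HKEY_LOCAL_MACHINE"
                detection, hive = detection.rsplit(": ", 1)
                key, value_name, program = RUNKEY_RE.match(location).groups()
                location = hive + "\\" + key
            findings.append(dict(kind=kind, detection=detection, location=location,
                                 value_name=value_name, program=program,
                                 severity=classify(kind, detection)))
            pending = None
    return findings

def cleanup_targets(findings):
    """Locations Gavin says to remove: the autostart value(s) and the dropped file."""
    return [f["location"] for f in findings if f["severity"] == "action"]
```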
     
  10. FanJ

    FanJ Guest

    Thanks Gavin for jumping in !!! :D

    Warm regards, Jan.
     
  11. micaelis

    micaelis Guest

    hi fanj & gavin,

    Sorry for the late reply, i did some updates and deleted those files. i made a backup of the file to send it to you gavin. thank you so much fanj and gavin..

    regards,
    micaelis

    (kinda disappointed with my nod32 :( but good thing i have tds3 :p )
     