Scan Result

Discussion in 'Trojan Defence Suite' started by Vietnam Vet, Nov 30, 2003.

Thread Status:
Not open for further replies.
  1. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Hi,

    Got this result running a scan.

    Scan Control Dumped @ 14:47:20 29-11-03
    Generic Detection (in archive): Possible trojan with password-stealing capability
    File: passdump.exe (In c:\my documents\my downloads\new apps\passlock.zip)

    I am sure you will recognize this, since it is a DiamondCS patch for the WNetEnumCachedPasswords function. :) Had not run a full scan in a while since I was offline for the most part, for close to a month, and reformatted the computer during this time frame. Consequently, I am not sure when this detection first showed up.

    While I have the generic sensitivity at its highest setting, this has pretty much always been the case.

    Just thought you should know so you could take appropriate action (if any is required at all). Thanks.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks a lot! With so many new references added they can come close to other existing codes. Thanks for the heads-up, sure Gavin will refine the databases once extra! At least it detects it for its proper function relating to password stealing.
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Well, it's a safe file, so I'll say that first - don't worry about it :)

    Actually we could have made TDS not detect some things like this, but heuristic/generic detections are like that, they pick up things that they shouldn't :) The alarm is correct in a way, this does have cached password capabilities, a favourite for RATs and PSW trojans for over 10 years.

    Possibly have a folder of known safe tools in your exclude list if you worry about such alarms :)
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    OK Gavin, hoped it would be possible to change the alert description like you did for other files in the past, like leaktest and such, to spare confusion. Was not meaning to sit on your chair! (wouldn't be able to, never!)
     
  5. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Hi,

    Gavin, no worries here. Just posted in case you wanted to change anything. Fine with me just the way it is. :)


    Jooske, don't think you need to apologize. Everyone knows how helpful you always are. :D Your thoughts were the same as mine were when I originally posted. Besides, as busy as the folks down under are, I'm sure they wouldn't mind a few extra helping hands. ;)
     
  6. stumped

    stumped Guest

    Help please.
    I have just learned a few more things about TDS-3. Upon a full system scan I'm apparently missing some major system files?
    Before a re-install, please can someone tell me what this all means, e.g. CRC32 etc. I mean it says no regedit.exe (works fine?).
    Are the files related to a network? Damn, I'm dumb lol. At least I didn't start the thread, lol. Anyway, here is the scan result.
    I appreciate any help. Thanks Jooske for your advice or I would have lost this.

    19:01:40 [Init] Started 30-11-03 19:01:40 New Zealand Standard Time (UTC: -12), Internet Time @292.82
    19:01:40 [Init] Loading TDS-3 Systems ...
    19:01:40 [Init] Token successfully adjusted.
    19:01:40 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
    19:01:41 [Init] • Plugins : OK. Loaded 13
    19:01:41 [Init] • Exec Protection : OK. Installed
    19:01:43 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    19:01:53 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    19:01:54 [Init] • Systems Initialised [25490 references - 8347 primaries/6891 traces/10252 variants/other]
    19:01:54 [Init] Radius Systems loaded. <Databases updated 12-06-2003>
    19:01:54 [Init] TDS-3 Ready. <P c@0.0.0.0, 127.0.0.1 - new zealand>
    19:01:54 [Tip Of The Day] When in doubt, email support@diamondcs.com.au - we're standing by for you, and you should receive a swift response. Support hours are Monday - Friday, 9-5 Western Standard Time
    19:01:54 [TDS] Good evening P c.
    19:02:40 [CRC32] Started - verifying 29 files ...
    19:02:41 [CRC32] File doesn't exist: C:\WINDOWS\System\cmd.exe
    19:02:41 [CRC32] File doesn't exist: C:\WINDOWS\System\netstat.exe
    19:02:42 [CRC32] File doesn't exist: C:\WINDOWS\System\drwatson.exe
    19:02:43 [CRC32] File doesn't exist: C:\WINDOWS\System\drwtsn32.exe
    19:02:44 [CRC32] File doesn't exist: C:\WINDOWS\System\rundll32.exe
    19:02:44 [CRC32] File doesn't exist: C:\WINDOWS\System\taskman.exe
    19:02:45 [CRC32] File doesn't exist: C:\WINDOWS\System\taskmgr.exe
    19:02:47 [CRC32] File doesn't exist: C:\WINDOWS\System\winlogon.exe
    19:02:49 [CRC32] File doesn't exist: C:\WINDOWS\System\regedt32.exe
    19:02:52 [CRC32] File doesn't exist: C:\WINDOWS\System\netmsg.dll
    19:02:52 [CRC32] File doesn't exist: C:\WINDOWS\System\winsock.dll
    19:02:54 [CRC32] Test finished.
    19:06:02 [Memory Scan] Memory scan started, please wait a moment ...
    19:06:05 [Memory Scan] Memory scan complete.
    19:06:05 [Mutex Memory Scan] Started...
    19:06:07 [Mutex Memory Scan] Finished (no trojan mutexes found).
    19:06:07 [Trace Scan] Started...
    19:06:17 [Trace Scan] Finished.
    19:06:17 [ServiceScan] Scanning for services and drivers ...
    19:06:18 [ServiceScan] Scanned 18 services and drivers.
    19:06:18 [File Scan] Scanning in A:\ ...
    19:06:20 [File Scan] Scanned 0 files: 0 alarms in 2.195313 seconds (Avg 1. files/sec)
    19:06:20 [File Scan] Scanning in C:\ ...
    19:19:37 [File Scan] Scanned 15921 files: 0 alarms in 796.8594 seconds (Avg 20.98 files/sec)
    19:19:37 [File Scan] Scanning in D:\ ...
    19:29:35 [File Scan] Scanned 352 files: 0 alarms in 597.4766 seconds (Avg 1.59 files/sec)
    19:29:35 [File Scan] Scanning in E:\ ...
    19:29:35 [File Scan] Scanned 0 files: 0 alarms in 0.0625 seconds (Avg 1. files/sec)
    19:29:35 [Scan] Finished.
    19:31:34 [Memory Scan] Memory scan started, please wait a moment ...
    19:31:39 [Memory Scan] Memory scan complete.
    19:31:39 [Mutex Memory Scan] Started...
    19:31:41 [Mutex Memory Scan] Finished (no trojan mutexes found).
    19:31:41 [Trace Scan] Started...
    19:31:50 [Trace Scan] Finished.
    19:31:51 [CRC32] Started - verifying 29 files ...
    19:31:52 [CRC32] File doesn't exist: C:\WINDOWS\System\cmd.exe
    19:31:53 [CRC32] File doesn't exist: C:\WINDOWS\System\netstat.exe
    19:31:53 [CRC32] File doesn't exist: C:\WINDOWS\System\drwatson.exe
    19:31:54 [CRC32] File doesn't exist: C:\WINDOWS\System\drwtsn32.exe
    19:31:54 [CRC32] File doesn't exist: C:\WINDOWS\System\rundll32.exe
    19:31:55 [CRC32] File doesn't exist: C:\WINDOWS\System\taskman.exe
    19:31:55 [CRC32] File doesn't exist: C:\WINDOWS\System\taskmgr.exe
    19:31:56 [CRC32] File doesn't exist: C:\WINDOWS\System\winlogon.exe
    19:31:56 [CRC32] File doesn't exist: C:\WINDOWS\System\regedt32.exe
    19:31:57 [CRC32] File doesn't exist: C:\WINDOWS\System\netmsg.dll
    19:31:58 [CRC32] File doesn't exist: C:\WINDOWS\System\winsock.dll
    19:31:59 [CRC32] Test finished.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In TDS > Edit Files > CRCscan.txt
    Open that one and hunt for the files in your system; you'll maybe have to change the Windows directory name and the location of the files, and some you won't have (is there an autoexec.bat on an XP system? thought not!)
    In the sticky threads in this forum is a very nice explanation and recommendation how to work with the CRC scan and what to add to it.
    Do you have TDS speaking? Do you like the system to call "Good morning Pee, why don't you ever take me out for lunch?!" In configuration you can make of it what you want TDS to call you, including Panazu if you like.


    Now I see you come from down under! Wow! That's really the other side of the planet, in summer time while we are nearing winter time!
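One way to implement the kind of baseline check Jooske points at, as an added example that is not TDS-3's code: the "path hex-crc32" line layout is an assumed format (the real CRCscan.txt layout is not shown in this thread), and the file names and baseline values in demo() are constructed. It reports missing files and changed files in the style of the [CRC32] log lines above.

```python
import tempfile
import zlib
from pathlib import Path
from typing import Dict, List


def crc32_of_file(path: str) -> int:
    """Stream the file through zlib.crc32 so large binaries are not loaded whole."""
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def parse_baseline(text: str) -> Dict[str, int]:
    """Parse 'path <hex crc32>' lines (assumed layout; '#' starts a comment); rsplit keeps spaces in paths."""
    baseline: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        path, crc_hex = line.rsplit(None, 1)
        baseline[path] = int(crc_hex, 16)
    return baseline


def verify(baseline: Dict[str, int]) -> List[str]:
    """Report missing files and CRC mismatches in the style of the TDS-3 log lines above."""
    report = []
    for path, expected in baseline.items():
        if not Path(path).is_file():
            report.append(f"[CRC32] File doesn't exist: {path}")
            continue
        actual = crc32_of_file(path)
        if actual != expected:
            report.append(f"[CRC32] CRC mismatch: {path} "
                          f"(expected {expected:08X}, got {actual:08X})")
    return report


def demo() -> List[str]:
    """Constructed scenario: one intact file, one changed after baselining, one missing."""
    d = Path(tempfile.mkdtemp())
    intact, tampered, missing = d / "netstat.exe", d / "regedit.exe", d / "cmd.exe"
    intact.write_bytes(b"constructed netstat bytes")
    tampered.write_bytes(b"constructed regedit bytes")
    baseline_text = "\n".join([
        "# constructed baseline list, not the real CRCscan.txt",
        f"{intact} {crc32_of_file(str(intact)):08X}",
        f"{tampered} {crc32_of_file(str(tampered)):08X}",
        f"{missing} DEADBEEF",  # placeholder CRC for a file that is never created
    ])
    tampered.write_bytes(b"constructed regedit bytes plus a later change")  # file altered after baselining
    return verify(parse_baseline(baseline_text))
```

A path that is merely missing (as in stumped's log, where the entries point at C:\WINDOWS\System on a system that keeps them elsewhere) is reported separately from a file whose contents changed, which is the case that actually matters for tamper detection.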
     