Setup and Config

Discussion in 'Trojan Defence Suite' started by Blackspear, Dec 13, 2002.

Thread Status:
Not open for further replies.
  1. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Question: I've just setup TDS as per Fanj's advice, upon rescan of my system the following files came up as being detected:

    C:\windows\system32\smss.exe
    C:\windows\system32
    srss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\windows\system32\explorer.exe
    C:\program files
    ommon files\microsoft shared\vs7debug\mdm.exe
    C:\windows\system32\nod32cc.exe
    C:\windows\soundman.exe
    C:\program files\eset\amon.exe
    C:\program files\eset\pop3scan.exe
    C:\program files\winamp3\winampa.exe
    C:\windows\system32
    tfmon.exe
    C:\program files\ostat\ostat.exe
    C:\ program files\zone labs\zonealarm.exe
    C:\ program files\file-ex 3\fileex.exe
    C:\ program files\replicator\ptreplicator.exe
    C:\windows\system32\nod32m2.exe
    C:\windows\system32\nvsvc32.exe
    C:\windows\system32\zonelabs\vsmon.exe
    C:\ prog~1\greatis\regrun~1\watchdog.exe
    C:\ program files\icqlite\icqlite.exe
    C:\documents and settings
    raig\desktop\bigpond.exe
    C:\ program files\internet explorer\iexplore.exe
    C:\windows\msagent\agentsvr.exe

    I have added these to my "Exclude" list after looking at each file.

    Does this only exclude the particular file or the entire folder, as in the entire "System32" folder instead of just "System32\smss.exe" o_O I wouldn't have thought so, but worth the ask :D

    2nd Question is:
    C:\windows\system32\svchost.exe constantly tries to act as a server, I have blocked this with ZoneAlarm, without any negative affects being noticeable. Any ideas as to why this is trying to be a server and for what purpose? o_O

    I have always had the understanding that next to nothing should be a server. The only things I have are my ISP - Bigpond, ICQ, Messenger and Pop3 Scanner.

    Cheers.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    I'll leave the rest up to the TDS people but you can read this about svchost:
    %SystemRoot%\System32\Svchost.exe is a generic process name for services that run from dynamic-link libraries (DLLs). When you start Windows XP, Svchost,exe constructs multiple lists of service groupings that need to be loaded.

    Source

    Regards,

    Pieter
     
  3. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    I suppose, what you see is the memory scan, they shouldn’t be excluded (if possible), because those programs can be corrupted.
    Dolf
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    LOL :D thanks Pieter, that is way over my head :D

    I would see this try to act as a server only every now and then, so I wondered why it would try to access the internet. Just thought it shouldn't need to, and have blocked it, unless someone can advise me otherwise :D

    Cheers.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Here is something that might help you decide on that one:
    Q :Why does SVChost.exe try to access ports 80, 1900
    A :SVChost.exe is the service loader used by services that are embodied in a DLL instead of an .exe file (and by some with .exe files). From what I've been able to piece together, ports 80 and 1900 are used by Windows XP's AutoUpdate feature. *If* you're running XP *and* this feature is enabled on your machine, let them through. Otherwise, block them.

    Source

    Regards,

    Pieter
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Many thanks, now i understand :D

    Cheers.
     
  7. FanJ

    FanJ Guest

    Hi Blackspear,

    Quote:
    [hr]
    Question: I've just setup TDS as per Fanj's advice, upon rescan of my system the following files came up as being detected:

    C:\windows\system32\smss.exe
    etc.etc.
    [hr]

    Could you please give some more info about this.
    Maybe post a screenshot; or copy/paste those lines from the TDS-3 window?
    In that way we might get perhaps a better understanding of what option in TDS-3 is giving you those detections.
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I have just removed all the files in question from my exclusion list, rescaned and they haven't appeared again...

    Not sure what the story was...

    Thanks for your help anyway.

    Cheers :D
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Blackspear,
    i was shocked seeing that list, as those i recognize seem normal legal files, so my first impression was a bad install or in the worst case a bad infection. But now you don't have these alerts anymore i feel much better for you.
    Was this before or after your most recent radius update?
    Please keep an eye on next alerts.
    You might know aftrer scanning you can rightclick a file for deeper examination or the last option to save it as a textfile in the scandump.txt file in the TDS-3 directory.
    That way it's far more easy to paste such a scanlist in your posting (and remove sensitive info like pathnames if necessary) and ask people's opinion.
    Looking forward to your next experience.
    You might like to play with the several scan options checked and sensitivity slider on highest, etc.
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks Jooste, this was before the update. I then removed everything back out of my exclude list, and rescanned, it came up fine. Then saw the update warning, did that and rescanned.

    Thanks for your help :D

    Cheers.
     
  11. FanJ

    FanJ Guest

    Hi Blackspear,

    In case you have enabled the option to log, you can have a look at your log-file of TDS-3.
    You can find it here:

    C:\[your-TDS-3-folder]\Logs\dec\13-12-02 vr.txt

    Of course you might have installed TDS-3 on another partition/drive than C.
    As you can see in that full path, I have changed there -before my posting here- the name of the folder in which TDS-3 is installed on my system, into [your-TDS-3-folder].

    "dec" means the month.
    "13-12-02 vr" means of course the day (remember: I have the Dutch version of Windows, so in English versions this might have another look; "vr" means in Dutch "vrijdag" which is in English "Friday").

    Well, I hope you get the picture where to look for the log-file.

    Now, if you have logging enabled, you can see there what was mentioned in the TDS-3 console-window at the time that you got those warnings which you mentioned in your first posting in this thread.
    So, if you would like, you could copy/paste a part of that log here.
     
  12. FanJ

    FanJ Guest

    This is where the console-logging is enabled:
    the first option in "Misc Options".

    [​IMG]
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    This is the log:

    21:21:13 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
    21:21:13 [Init] Started 13-12-02 21:21:13 E. Australia Standard Time (UTC: -10), Internet Time @514.73
    21:21:13 [Init] Loading TDS-3 Systems ...
    21:21:13 [Init] • Priority : OK.
    21:21:13 [Init] Token successfully adjusted.
    21:21:13 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
    21:21:13 [Init] • Plugins : OK. Loaded 13
    21:21:13 [Init] • Exec Protection : Not Installed
    21:21:13 [Init] WARNING: Your Radius.TD3 database needs to be updated!
    21:21:13 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
    21:21:13 [Init] Licensed users can use the Update facility from the TDS menu
    21:21:13 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    21:21:16 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    21:21:16 [Init] • Systems Initialised [20548 references - 6445 primaries/5122 traces/8981 variants/other]
    21:21:16 [Init] Radius Systems loaded. <Databases updated 13-12-2002>
    21:21:16 [Init] TDS-3 Ready. <Craig@xxx.xx.xxx.xxx, 127.0.0.1 - Australia>
    21:21:16 [TDS] Good evening Craig. Go home! The weekend is here at last!
    21:21:23 [Memory Scan] Memory scan started, please wait a moment ...
    21:22:50 [Memory Scan] Memory scan complete.
    21:22:52 [Mutex Memory Scan] Started...
    21:23:08 [Mutex Memory Scan] Trojan mutex(es) found:
    21:23:08 [Trace Scan] Started...
    21:23:20 [Trace Scan] Finished.
    21:23:27 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
    21:23:27 [CRC32] Started - verifying 31 files ...
    21:23:28 [CRC32] Test finished.

    and yet the only files found were those posted above...

    Cheers :D
     
  14. FanJ

    FanJ Guest

    Oops, I have to admit that I too am now a little bit in the dark.
    I was hoping for a bit more info from the log....

    What I did noticed, was this:
    21:22:52 [Mutex Memory Scan] Started...
    21:23:08 [Mutex Memory Scan] Trojan mutex(es) found:


    I myself (W98SE) get this:
    23:51:01 [Mutex Memory Scan] Started...
    23:51:02 [Mutex Memory Scan] Finished (no trojan mutexes found).

    I hope Wayne, Gavin, Jooske, and/or Pilli have a better idea about what was going on!
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Excuse , now i'm completely confused.
    Blackspear, from your earlier posting i understood nothing more was found.
    I was talking alerts after a full system scan which allerts appear in the little extra window down at the console after a full system scan.
    So this is why i was reallly concerned about alarms on those legit files.

    Now after Jan's posting and your reaction i think to understand you are talking about the CRC check, as that is last from your logfile and you point about those files above.
    About CRC ecks Jan knows a lot, how to check and what to check and all that and there is a thread about how to add files to the CRC check list, to Jan the honor to go into that.

    On my system i get there a message certain files are not found, as it is looking in system32 while i have system on a win98 and i know they are checked there too as i added them to that place in the CRC scan txt file in the menu TDS > Edit Config Text files > CRCfiles.txt

    I got almost the impression from your first message you were displaying the running processes from the System Analysis > Process List

    In any case it is strange for me, that after excluding and no longer excluding them from scanning, updating (did you make more other changes in settings??) you would not get those same alerts any more.

    The alerts, like said, come in the little extra window, which you also see appear during the initial startup scans before TDS tells you all scannign and CRC scans have finished, for instance after a full system scan (System testing > Full system scan)
    The results from that alerts window with a right click on any of the files you can save to the scandump.txt file which you find back in your TDS-3 directory.
    It was all time this alert result i was talking about and which we would like to see here.
    You might find in your console log something like

    [File Scan] Scanning in A:\ ...
    [File Scan] Scanned 0 files: 0 alarms in 2,472656 seconds (Avg 1, files/sec)
    [File Scan] Scanning in C:\ ...
    [File Scan] Scanned 89930 files: 78 alarms in 11180,69 seconds (Avg 9,04 files/sec)
    [File Scan] Scanning in D:\ ...
    [File Scan] Scanned 40133 files: 80 alarms in 3947,664 seconds (Avg 11,17 files/sec)
    [File Scan] Scanning in E:\ ...
    [File Scan] Scanned 730 files: 80 alarms in 478,2266 seconds (Avg 2,53 files/sec)
    [File Scan] Scanning in F:\ ...
    [File Scan] Scanned 12 files: 80 alarms in 0,21875 seconds (Avg 55,86 files/sec)
    [File Scan] Scanning in G:\ ...
    [File Scan] Scanned 0 files: 80 alarms in 45,53906 seconds (Avg 1, files/sec)
    [File Scan] Scanning in H:\ ...
    [File Scan] Scanned 0 files: 80 alarms in 0 seconds (Avg -1,#IND files/sec)
    [File Scan] Scanning in I:\ ...
    [File Scan] Scanned 0 files: 80 alarms in 0 seconds (Avg -1,#IND files/sec)
    [File Scan] Scanning in J:\ ...
    [File Scan] Scanned 0 files: 80 alarms in 0 seconds (Avg -1,#IND files/sec)
    [File Scan] Scanning in K:\ ...
    [File Scan] Scanned 0 files: 80 alarms in 0 seconds (Avg -1,#IND files/sec)
    [Scan] Finished.
    [Text Dump] Saved to x:\xxxxxxxxxx\xxxxxxxx\TDS-3\scandump.txt

    The textdump i did manually and i edited away date and time and pathnames.
    Don't let the amount of alarms on my system confuse you, as i know my test zoo.
    The scandump.txt from that would contain each file and kind of alert, etc. BTW: that file is overwritten with each dump to keep it small, so either let that happen or copy the interes
    ting parts away if you really think you would need them.
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I was getting the same as you - no trojan mutexes found.
    After setting up config as per your post, and then rerunning, up popped the above (apparant problems), from which I then tried placement into exclusion... and then removal from exclusion...

    Cheers.
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Jooske, no, you were correct in the first place, the alerts were after a full system scan, and the alerts were in the little extra window down at the bottom of the console, after the full system scan had been completed.

    I made NO other changes, other than removing from the exclusion list... and then re-scanning.

    I didn't save them to the scandump.txt, the option was there, but chose not to...

    Not sure what was going on, but it is no longer there now :D

    Cheers.
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    ... and leading me in even more confusion..

    I must admit i have my config a bit different as i have all checked which is possible in startup and scan options, and the slider on highest sensitivity all time and even client/edit scans and the whole lot, except NTFS ADS which are not possible on Win98Se unfortunately (or maybe i'm lucky with that). I did not exclude nothing, all other bits and bytes are looked at. So scanning my system does take several hours; i unmapped part of the network (as you can see in my former posting) to have it finished quicker to add that logpart for you from the console.

    The alerts scandump could contain lines like
    Scan Control Dumped @ 21:43:33 13-12-02
    Suspicious Filename: Dual extensions
    File: x:\windows\desktop\test.vbs.vbs
    Generic Detection: Possible trojan with password-stealing capability
    File: x:\program files\xxxxxxxxxx\xxxx\scanalerts\pwledit.exe
    (wehich is an original MS Wins install file, i love to tell this all time!!)
    Positive identification: Demo.Leaktest (Not a trojan)
    File: x:\program files\xxxxxx\temp\ldn9385.tmp
    Positive identification <Adv>: Executable contains a mIRC Script
    File: x:\xxxxx\mirc\clean\test.exe
    (which is the testfile from DCS in their free tool Mirclean)
    etc etc etc

    So such a scandump log i thought you were talking about in first instance!
    I'm sure you can imagine my confusion now :)
     
  19. FanJ

    FanJ Guest

    Hi Jooske,
    All the time during this thread the CRC-checking was going through my head; just like you mentioned.
    That was one of the reasons I wanted to see the full console-log at the time those things happened.
    But it seems that it is not related to the CRC-checking:

    So those alerts were in that bottom window of the console, and that is not the place were alerts from the CRC-checking appear.
    So we can conclude the CRC-checking has nothing to do with it.

    It is a pity that it seems that there is no more evidence about what happened; so there is hardly any way left to come to conclusions, I'm afraid at this moment....
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Great Craig, we were posting at the same time twice so i did not see your reaction and i think the confusion is solved this moment.
    The saving to scandump is just to have something to look at any deeper and the kind of specific alerts given, or in case DCS likes that for looking deeper for you --or we here in the forum--
    It will not grow extensely as it's overwritten each time, like said and my file is now 10kb so i can live with that (the computer too).
    I see you start discovering TDS more by the moment and seem to like it :) Did not realise you're from down yunder as displayed in your console log? Nice, many Oz people here.

    Keep an eye on those alerts, hope of course it will stay all blank but that's almost impossible these days, and depending on the alerts it's nothing till high alarm.
    Positive identifications <Adv> need more attention, and you might like to ask Gavin about such finds, just in case, and submit them (zipped if possible).
    Positive identification with a name what it is no need to submit as Gavin added the code already to the Radius and you might like to check wityour other av/at software another time and decide to aks Gavin or whatever you want to do with it. Etc. Time will tell you.
    You might like to read the 16 ways to smell a rat (at least 20 ways by now), and in the Helpfile the hunting for a trojan or what to do in case of a find, etc. Nice reading and you feel the drivers seat more and the steering more in your hands with all that and decide your time for Action!
    (and here comes MrBlaze for sure with some activity report)
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I once had the most terrible results from the following:
    On another computer i had a trial TDS for testing and started it via the network from the main computer. You don't want to see the alerts from that and the CRC check and autostart warnings, as the system is completely different, other windows version, etc.
    Very nice when i closed it and started it again from the other computer itself, as of course it alerted again for all kinds of changed files etc etc.
    I tried such a thing with PE too with the eval on the one and the full version on the other computer and changed console colors and language settings to be able to see what was exactly started in such circumstances.
    Give it a try if you have the possibility to know what happens exactly.

    With this, in case of doubt: yes it is possible to scan your whole network from one computer and to use the broadcast functions to chat with a person on the other computer via the network if all is set up correctly in the network.
    So Tassie_Devils might send messaged to the kids if he likes, etc.
     
  22. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Many thanks Jooske, I appreciate yours and Fanj's help (and others). I wouldn't have persisted with the program (with it appearing to hang my system) had it not been for this forum. I have a powerful system (P4 2.0GHz, 512MB DDR RAM, GF4 MX440 64MB DDR V/card etc) and wouldn't have suspected the program was still running and my system not being able to handle other functions at the same time.

    This is why, to me there should be something that shows the program is doing things and to be patient :D

    Cheers.
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Heard your teeth grinding so had to help you out as quick as possible to keep them complete.
    But i'm surprised it is hanging such a powerful system. Hmm wonder if Wayne/Gavin/Jason has a good response to that, being familiar wit XP. Maybe something in a setup config somewhere........


    Edited:
    Glad to be of help, you're welcome, always a joy seeing people discovering their system even more and TDS with that making security a joyous task (new hobby?)
     
  24. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Yeah it turns my system into a PIG when it's running, and it remains a little piggish until I turn it completely off.

    So not sure what's going on, would like to know o_O

    Cheers :D
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Like this elephant?
     

    Attached Files:

Thread Status:
Not open for further replies.