Strange Problem

Discussion in 'Trojan Defence Suite' started by Loki, Sep 8, 2002.

Thread Status:
Not open for further replies.
  1. Loki

    Loki Registered Member

    Joined:
    May 26, 2002
    Posts:
    193
    Location:
    Lake Worth, Florida, USA
    Hello,

    Hi, I've just re-installed Win XP Pro on my second computer. I made one account a limited user and then installed some programs; I only went online for Windows Update. OK, I've installed TDS3 and ran a check of my system under the limited user and TDS3 goes nuts! So now I log off and log on as Admin and run TDS3 again and everything is OK. So I log back on as the limited user and TDS3 finds the same things as the first time. So here's what TDS3 found:

    Scan Control Dumped @ 17:07:54 08-09-02
    File Trace: Default trojan filename: Sokets de Troie
    File: C:\XPPRO\Temp\Tcv.exe

    File Trace: Default trojan filename: Sokets de Troie
    File: C:\XPPRO\Temp\winstart.bat

    File Trace: Default trojan filename: Sokets de Troie
    File: C:\XPPRO\Temp\Tmp_.exe

    File Trace: Default trojan filename: Suspicious
    File: C:\XPPRO\temp\winstat.exe

    File Trace: Default trojan filename: Worm.VBS.Calendarios
    File: C:\XPPRO\temp\winsys.vbs

    File Trace: Default trojan filename: RAT.Phoenix II
    File: C:\XPPRO\TEMP\ .exe

    File Trace: Default trojan filename: RAT.Phoenix II
    File: C:\XPPRO\TEMP\ FMXZFMR.exe

    File Trace: Default trojan filename: RAT.Phoenix II
    File: C:\XPPRO\TEMP\ GAXGMEL.exe

    File Trace: Default trojan filename: RAT.Glacier (log)
    File: C:\XPPRO\temp\Psw.tmp

    File Trace: Default trojan filename: RAT.Acid Reign
    File: C:\XPPRO\temp\acid.exe

    File Trace: Default trojan filename: RAT.GirlBoy
    File: C:\XPPRO\TEMP\RunDll.exe

    File Trace: Default trojan filename: FTP.CyberSpy FTP
    File: C:\XPPRO\temp\GFTP.exe

    File Trace: Default trojan filename: Worm.Roach
    File: C:\XPPRO\temp\DCCOM32.EXE

    File Trace: Default trojan filename: RAT.Phoenix II
    File: C:\XPPRO\Temp\~P2.exe

    File Trace: Default trojan filename: Worm.Alal
    File: C:\XPPRO\Temp\Blabla.vbs

    File Trace: Default trojan filename: RAT.CHCB
    File: C:\XPPRO\Temp\WinPad.exe

    File Trace: Default trojan filename: Worm.Floodnet
    File: C:\XPPRO\Temp\cute.exe

    File Trace: Default trojan filename: RAT.Phoenix II
    File: C:\XPPRO\Temp\ PBHTDOF.exe

    File Trace: Default trojan filename: Suspicious
    File: C:\XPPRO\Temp\server.exe

    As the limited user I can't open the Temp folder, so I logged on as the admin and there are only 2 files of 0 KB there. So what's going on?
    I've installed NOD32 but need to update it, but I don't want to reconnect to the Internet with that computer. Well, I'm thinking I'll be safe and re-install. I just posted because I've never seen TDS3 do this: find something under one user and not as another. I might have understood if it had found them while logged on as admin and not found them as the limited user. Thanks and sorry for the long post; any ideas about what happened would be nice. Boy, do I ramble...

    Loki
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello Loki!
    Don't bite your nails yet!
    Another user solved this kind of problem by installing TDS both as an administrator and as a user.
    Could this help in your situation too?
    For security reasons you might like to limit the user a little less and do most what you want to do on that account and only use the admin account if you really have to, as little time connected to internet as possible.
    So this explains the value, at this moment, of installing TDS on both accounts. Not sure how this will be in the coming version 4.
    You will be able to scan all partitions and the whole system with both versions though, so you don't start TDS at both levels at a time.
    Please keep us updated how it goes with this!
     
  3. Loki

    Loki Registered Member

    Joined:
    May 26, 2002
    Posts:
    193
    Location:
    Lake Worth, Florida, USA
    Hi Jooske,

    Well, I posted and then checked to see who was logged in here and saw you, so I knew I would get a fast answer. I set that computer up with the limited account to do as you suggested, by using it and not an admin account. I don't know if I installed TDS3 with the Run As command, but I will try to re-install as the limited user. Thanks and I'll let you know what happens.

    loki
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks for so much trust!
    Fingers crossed! Expecting those two accounts on XP. You also did install it on the system itself, didn't you, and not from the other computer via the network? That might sometimes give unexpected results too, most certainly if you start the version on the remote computer from the local computer and you have TDS already running on the local one. It is very well possible, but needs some configuration to do so.
     
  5. Loki

    Loki Registered Member

    Joined:
    May 26, 2002
    Posts:
    193
    Location:
    Lake Worth, Florida, USA
    Hello,

    Well, I un-installed TDS3 and tried to re-install as a limited user, but no go on that. So I did a Run As admin install and then reran the scan and it still came up with the trojans. So I logged off the limited account and logged on as admin and scanned again; it came up clean. So I upped the limited user to power user, then logged onto that account and re-scanned; it came up clean. Seems to be a problem only with limited user rights. Power user works OK. Leave it to MS to make life difficult. So with the limited account upped to a power user, the system scanned clean.

    Oh I installed from the download and added my key file and updated the radius file to current. Almost time to un-install TDS3 from my other system and practice using TDS3 over the network.

    Everything looks good now.

    Thanks Jooske
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Sounds good! Glad that worked for you.

    Why would you uninstall from the other computer to run it over the network? You can scan the logical drives/partitions of the whole network remotely, but for the memory you need the local install.
    You might like to practise communicating with your other system and see what that looks like (the network functions).
     
  7. Loki

    Loki Registered Member

    Joined:
    May 26, 2002
    Posts:
    193
    Location:
    Lake Worth, Florida, USA
    Hi,

    well here my current scan with TDS3:

    17:54:05 [Radius] Radius Systems loaded. <Databases updated 08-09-2002>
    17:54:05 [Radius Update] Update complete.
    17:56:01 [CRC32] Started - verifying 31 files ...
    17:56:47 [Memory Scan] Memory scan started, please wait a moment ...
    17:56:47 [CRC32] Test finished.
    17:56:48 [Memory Scan] Memory scan complete.
    17:56:48 [Mutex Memory Scan] Started...
    17:56:49 [Mutex Memory Scan] Finished (no trojan mutexes found).
    17:56:49 [Trace Scan] Started...
    17:57:01 [Trace Scan] Finished.
    17:57:01 [Service\Driver Scan] Scanning for services and drivers ...
    17:57:01 [Service\Driver Scan] Scanned 279 services and drivers.
    17:57:01 [File Scan] Scanning in A:\ ...
    17:57:26 [File Scan] Scanned 1 files: 0 alarms in 25 seconds (Avg 1.04 files/sec)
    17:57:26 [File Scan] Scanning in C:\ ...
    18:04:28 [File Scan] Scanned 7366 files: 0 alarms in 421.4844 seconds (Avg 18.48 files/sec)
    18:04:28 [File Scan] Scanning in D:\ ...
    18:05:11 [File Scan] Scanned 986 files: 0 alarms in 43.40234 seconds (Avg 23.72 files/sec)
    18:05:11 [File Scan] Scanning in E:\ ...
    18:05:11 [File Scan] Scanned 0 files: 0 alarms in 0.015625 seconds (Avg 1. files/sec)
    18:05:11 [File Scan] Scanning in F:\ ...
    18:06:36 [File Scan] Scanned 225 files: 0 alarms in 85.23828 seconds (Avg 3.64 files/sec)
    18:06:36 [Scan] Finished.
    18:16:53 [Infection Test] File infection test started. Please wait a moment while baits are deployed and tested.
    18:16:53 [Infection Test] EXE infection testing started ...
    18:16:54 [Infection Test] WARNING!Possible viral infection - test .exe file changed after execution.File datestamp has changed.
    18:16:54 [Infection Test] D:\TDS3\result.exe is possibly infected.
    18:16:54 [Infection Test] COM infection testing started ...
    18:16:55 [Infection Test] WARNING!Possible viral infection - test .com file changed after execution. File datestamp has changed.
    18:16:55 [Infection Test] D:\TDS3\result.com is possibly infected.

    As you can see, the virus test is giving me warnings, but only when run as the upgraded power user account. When I run the same test as admin the system is clean. I ran a NOD32 scan on this computer with the latest database and that scan is clean.

    Loki
     
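    The "File infection test" lines in the log above show that TDS3 deploys bait files, runs them, and then warns when a bait's datestamp has changed. As an added illustration, not TDS3's own code, here is a small bait-file test that records both a SHA-256 digest and the modification time before and after the bait is handed to a runner, so that a content change (the real infection signal) is reported separately from a timestamp-only change. The three "execution" behaviours, the bait bodies and the verdict names are constructed for this example; whether a timestamp-only change is what produced the warning in the thread is an assumption, not something the posts confirm.

```python
"""Added example: a bait-file infection test that separates a content
change from a timestamp-only change.  Illustrative code written for this
thread, not TDS3's own test."""
import hashlib
import os
import tempfile
from enum import Enum


class Verdict(Enum):
    UNCHANGED = "unchanged"
    TIMESTAMP_ONLY = "timestamp changed, content identical"
    CONTENT_CHANGED = "content changed: possible infection"


# Constructed bait bodies: tiny, inert byte strings that are only hashed,
# named after the two baits in the log (result.exe, result.com).
BAITS = {
    "result.exe": b"MZ" + b"\x00" * 62 + b"BAIT-EXE",
    "result.com": b"\xc3" + b"BAIT-COM",
}


def fingerprint(path):
    """Return (sha256 hex digest, mtime in ns) for one file."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return digest, os.stat(path).st_mtime_ns


def run_infection_test(directory, execute):
    """Deploy the baits into `directory`, hand each to `execute` (a stand-in
    for actually running the bait), re-fingerprint and classify."""
    verdicts = {}
    for name, body in BAITS.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(body)
        before_hash, before_mtime = fingerprint(path)
        execute(path)
        after_hash, after_mtime = fingerprint(path)
        # Content comparison comes first: an appended body also bumps the
        # mtime, and it must not be downgraded to "timestamp only".
        if after_hash != before_hash:
            verdicts[name] = Verdict.CONTENT_CHANGED
        elif after_mtime != before_mtime:
            verdicts[name] = Verdict.TIMESTAMP_ONLY
        else:
            verdicts[name] = Verdict.UNCHANGED
    return verdicts


# Three constructed behaviours standing in for what running a bait may do.
def behaves(path):
    """Clean system: nothing touches the bait."""


def touches(path):
    """Something rewrites metadata only: the datestamp moves, bytes do not."""
    st = os.stat(path)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns + 2_000_000_000))


def appends(path):
    """A simulated file infector appending a stub body to the bait."""
    with open(path, "ab") as fh:
        fh.write(b"INFECTOR-STUB")


def demo(behaviour):
    """Run the test in a throwaway directory and return the verdicts."""
    with tempfile.TemporaryDirectory() as d:
        return run_infection_test(d, behaviour)


if __name__ == "__main__":
    for b in (behaves, touches, appends):
        print(b.__name__, {k: v.value for k, v in demo(b).items()})
```

    Reporting the two cases differently is what lets a user separate "something rewrote the bait" from "something touched the bait's timestamp", which matters when the same test passes under one account and warns under another.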
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi Loki,

    We are testing and have replicated your initial results; we are aware of the trace problem. This will be resolved for TDS-4.

    We are not able to reproduce the problem with the file infection test, please zip and email the COM and EXE files which are showing up as infected, we will check them just in case. The test is most likely producing a false reading as well but just to be sure I will take a look at the files when we receive them :)
     
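    Loki's first post puts all the trace hits inside a Temp folder the limited user cannot open, and Gavin confirms a trace problem. One way a trace scan can go wrong in exactly that way is to treat "access denied" on a probed path the same as "file present". As an added example, not TDS3 code and not a confirmed explanation of TDS3's behaviour, the block below probes a list of default trojan filenames (taken from the scan dump above) against two constructed stand-ins for the filesystem, one as a limited user with the Temp folder locked and one as admin, and compares a naive check with one that reports inaccessible paths as unverified rather than as alarms. The `fake_stat_*` functions and the `Trace` names are constructed for this example.

```python
"""Added example: classify file-trace results instead of treating
'access denied' as 'file present'.  Illustrative code written for this
thread, not TDS3 code; that the scanner conflates the two outcomes is an
assumption about the behaviour described above, not a confirmed cause."""
import errno
import os
from enum import Enum


class Trace(Enum):
    PRESENT = "present"          # stat() succeeded: the file really exists
    ABSENT = "absent"            # ENOENT: nothing there
    UNVERIFIED = "unverified"    # EACCES/EPERM: could not look, so no alarm


def check_trace(path, stat=os.stat):
    """Probe one path and report what was actually learned about it."""
    try:
        stat(path)
    except FileNotFoundError:
        return Trace.ABSENT
    except PermissionError:
        return Trace.UNVERIFIED
    except OSError as exc:
        # Some platforms surface access problems as a generic OSError.
        if exc.errno in (errno.EACCES, errno.EPERM):
            return Trace.UNVERIFIED
        raise
    return Trace.PRESENT


def naive_trace_hit(path, stat=os.stat):
    """The faulty pattern: anything other than 'not found' counts as a hit."""
    try:
        stat(path)
    except FileNotFoundError:
        return False
    except OSError:
        return True
    return True


def scan_traces(paths, stat=os.stat):
    """Run both checks over the trace list and summarise: what the naive
    check would alarm on versus what can actually be confirmed."""
    careful = {p: check_trace(p, stat) for p in paths}
    return {
        "naive_hits": [p for p in paths if naive_trace_hit(p, stat)],
        "confirmed": [p for p, r in careful.items() if r is Trace.PRESENT],
        "unverified": [p for p, r in careful.items() if r is Trace.UNVERIFIED],
    }


# Constructed stand-ins for the filesystem as seen by each account.
LOCKED_DIR = "C:\\XPPRO\\Temp"   # the folder the limited user cannot open


def fake_stat_limited_user(path):
    """Everything under Temp is access denied; nothing else exists."""
    if path.lower().startswith(LOCKED_DIR.lower()):
        raise PermissionError(errno.EACCES, "Access is denied", path)
    raise FileNotFoundError(errno.ENOENT, "No such file", path)


def fake_stat_admin(path):
    """Admin can read Temp and finds none of the probed filenames there."""
    raise FileNotFoundError(errno.ENOENT, "No such file", path)


# Default trojan filenames copied from the scan dump in the first post.
TRACE_PATHS = [
    "C:\\XPPRO\\Temp\\Tcv.exe",
    "C:\\XPPRO\\Temp\\winstart.bat",
    "C:\\XPPRO\\temp\\acid.exe",
    "C:\\XPPRO\\TEMP\\RunDll.exe",
    "C:\\XPPRO\\Temp\\server.exe",
]

if __name__ == "__main__":
    for label, st in (("limited user", fake_stat_limited_user),
                      ("admin", fake_stat_admin)):
        r = scan_traces(TRACE_PATHS, st)
        print(f"{label}: naive hits={len(r['naive_hits'])} "
              f"confirmed={len(r['confirmed'])} unverified={len(r['unverified'])}")
```

    Under the limited-user stand-in the naive check alarms on every probed path while the careful check confirms none of them and lists all of them as unverified; under the admin stand-in both report nothing. Surfacing "unverified" as its own result, rather than as an alarm or as silence, is what tells the user to rerun the scan with sufficient rights instead of reinstalling.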
  9. Loki

    Loki Registered Member

    Joined:
    May 26, 2002
    Posts:
    193
    Location:
    Lake Worth, Florida, USA
    Hi Gavin and Jooske,

    Well, I had decided to re-install Win XP before I saw your post, so it's too late to zip those files. I would have gladly done so. Re-installing Win XP in no way reflects on TDS3; I believe that the NTFS file system got corrupted while installing. So I'm almost up and running on that system and hope things work better this time. By the way, the files test.com and test.exe, are they in the TDS folder InfTest? This way, if I ever need to zip them, I'll know where they are.

    Thanks for your time and Help.
    Loki
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Did you try in the meantime, and did you get a better or the same result? Must be the two you mention.
     