Last night TDS3 found a trojan. I deleted it thinking I could later find out what it was called from the TDS log file but it doesn't have its name. The log file for that day just has 20:07:38 [Mutex Memory Scan] Started... 20:07:50 [Mutex Memory Scan] Trojan mutex(es) found: but not its actual name. The file was called symantec32.exe but I'm guessing the file name doesn't really help identify what it was. Is there a way to find out what Trojans TDS3 has recently found? Thanks.
Hi Sard, welcome to the forum! If there is a mutex found, it would display its name and the file where it is. This you'll see in the main console. Normally it starts scanning for mutexes and there is either "no mutex found" or, like you display, "Mutexes found" with nothing behind it if there is none, or the name of the find if there is some. What makes you think it was the symantec32.exe file? How was it displayed? In TDS > View Logfile you can find the logs from the console and find back that alert to paste here. Other alerts are in the bottom window after a scan and those you can save to the Scandump.txt by right-clicking one of the alerts and saving to text. Also that text you can paste in a posting here for advice.
Looks like I should have right-clicked and produced a Scandump.txt file. I assumed the specific info on the lower window would be automatically saved, as most other scanners keep a record of what infections they detect. I know it was the symantec32.exe file because it was displayed in the lower window and I kept a copy to send to ESET as NOD32 failed to detect it.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.LJ&VSect=T TDS, SpybotS&D, Ad-aware all should have been able to deal with it. Think after its deletion do another scan, eventually also an online scan like at housecall, with your other scanners closed completely (TDS you can keep active, but don't have it scanning at the same time). This worm has nasty possibilities as you can read. You might like to post your AutoStartViewer log (with all options chosen) from the DiamondCS free products site or send it to support@diamondcs.com.au, and/or HijackThis log [thread]15913[/thread] to see if you're really clean from everything.
Here's the results from AutoStart Viewer:

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Admin@FRED, 07-17-2004
c:\winnt\system32\autoexec.nt C:\WINNT\system32\mscdexnt.exe C:\WINNT\system32\redir.exe C:\WINNT\system32\dosx.exe
c:\winnt\system32\config.nt C:\WINNT\system32\himem.sys
c:\winnt\system.ini [drivers] timer=timer.drv
c:\winnt\system.ini [boot]\shell C:\WINNT\Explorer.exe
c:\winnt\system.ini [boot]\scrnsave.exe (NONE)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell C:\WINNT\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe (NONE)
HKCR\vbsfile\shell\open\command\ C:\WINNT\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\ C:\WINNT\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\ C:\WINNT\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\ C:\WINNT\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\ C:\WINNT\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\ C:\WINNT\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager mobsync.exe /logon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SoundFusion RunDll32 hercplgs.cpl,BootEntryPoint
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Logitech Utility C:\WINNT\Logi_MwX.Exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HGTXPEI C:\WINNT\system32\FirstReboot.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nod32kui C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Ad Muncher C:\Program Files\Ad Muncher\AdMunch.exe /bt
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe C:\WINNT\system32\internat.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ C:\WINNT\system32\NETSHELL.dll C:\WINNT\System32\webcheck.dll C:\WINNT\system32\stobject.dll
C:\WINNT\Tasks\At5.job symantec32.exe
C:\WINNT\Tasks\At7.job symantec32.exe
C:\WINNT\Tasks\At8.job symantec32.exe
C:\Documents and Settings\Admin\Start Menu\Programs\Startup\MemTurbo.lnk C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute C:\WINNT\system32\PDBoot.exe autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit C:\WINNT\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline C:\WINNT\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ C:\WINNT\system32\imon.dll C:\WINNT\system32\msafd.dll C:\WINNT\system32\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\ C:\WINNT\system32\JAVASUP.VXD

And this is from HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 15:18:32, on 17/07/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\FastCheck.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
D:\temp\Rar$EX00.157\asviewer.exe
C:\WINNT\system32\notepad.exe
D:\refreshrate\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINNT\system32\FirstReboot.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - D:\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/en/wowbeta/Si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38151.5369675926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash5/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56F3E848-4BC6-4595-9B0F-C656195CCD26}: NameServer = 10.0.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{56F3E848-4BC6-4595-9B0F-C656195CCD26}: NameServer = 10.0.0.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{56F3E848-4BC6-4595-9B0F-C656195CCD26}: NameServer = 10.0.0.2

Trend Micro online scan is still running. Have already run KAV trial and it found nothing. I ran TDS3 after NOD32 found the following things http://uberish.fastmail.fm/1.jpg and I suspected it might be missing some. I have no idea why suddenly all these trojans and worms were appearing. I've just finished testing with Shields Up at http://www.grc.com/ and it turns out I had my NetBIOS ports open to the world, which I have now closed. Maybe that had something to do with it.
Hi again, waiting for the TDS scandump.txt in your next posting? Guess the mutex was for Worm.Spybot.LJ? Did you fix this one somehow?
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
Can NOD32 support tell you how to? That symantec32.exe thing is still in the autostart here:
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ C:\WINNT\system32\NETSHELL.dll C:\WINNT\System32\webcheck.dll C:\WINNT\system32\stobject.dll
C:\WINNT\Tasks\At5.job symantec32.exe
C:\WINNT\Tasks\At7.job symantec32.exe
C:\WINNT\Tasks\At8.job symantec32.exe
I expected these HKEYs as well, but maybe you deleted those already?
It creates the following registry entry so that it executes at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Symantec Security = "symantec32.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Symantec Security = "symantec32.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Symantec Security = "symantec32.exe"
Is it also visible in msconfig? In the Task Manager? You'll have to stop them to be able to delete them completely. Did you do another search on the system for the file? Make sure you have set folder options to show everything. If TDS doesn't find any infections anymore, run SpybotS&D with a fresh update and let it look for everything suspicious, including the registry. If any keys are still not OK, Spybot will see them for you.
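An added example, not from the thread and not DiamondCS or HijackThis code, that does mechanically what the reply above does by eye: given pasted AutoStart Viewer lines and HijackThis O4 lines, it lists every autostart entry whose command invokes a named file, grouped by persistence mechanism, and flags entries that give no directory, so the file still has to be located on disk before it can be stopped and deleted. The sample lines are constructed from this thread's own output; the two simplified line shapes it parses are an assumption about those tools' formats.

```python
import re
from collections import defaultdict

# Constructed sample (a subset modelled on the AutoStart Viewer and
# HijackThis output pasted in this thread), not the full logs.
SAMPLE_LOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nod32kui C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell C:\WINNT\Explorer.exe
C:\WINNT\Tasks\At5.job symantec32.exe
C:\WINNT\Tasks\At7.job symantec32.exe
C:\WINNT\Tasks\At8.job symantec32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec Security] symantec32.exe
"""

# HijackThis O4 line: "O4 - HKLM\..\Run: [Name] command args"
HJT_O4 = re.compile(r"^O4 - (?P<loc>\S+): \[[^\]]*\] (?P<cmd>.+)$")
# AutoStart Viewer line (assumed shape): location, one space, then a command
# that starts with a drive path, a bare *.exe/*.dll, or a RunDll32 call.
ASV = re.compile(r"^(?P<loc>.+?) (?P<cmd>(?:[A-Za-z]:\\|\S+\.(?:exe|dll)\b|RunDll32\b).*)$", re.I)

def mechanism(loc):
    """Group the autostart location the way a triage note would."""
    l = loc.lower()
    if "\\tasks\\" in l and l.endswith(".job"):
        return "scheduled task"
    if "\\run" in l:            # Run, RunOnce, RunServices
        return "run key"
    if "winlogon" in l:
        return "winlogon"
    return "other"

def find_persistence(log_text, filename):
    """{mechanism: [(location, bare_name)]} for every entry invoking `filename`;
    bare_name is True when the command gives no directory for the image."""
    pat = re.compile(r"(?:^|[\\\s\"])" + re.escape(filename) + r"(?=$|[\s\"])", re.I)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = HJT_O4.match(line.strip()) or ASV.match(line.strip())
        if not m or not pat.search(m.group("cmd")):
            continue
        bare = "\\" not in m.group("cmd").split()[0]
        hits[mechanism(m.group("loc"))].append((m.group("loc"), bare))
    return dict(hits)

if __name__ == "__main__":
    for mech, entries in find_persistence(SAMPLE_LOG, "symantec32.exe").items():
        for loc, bare in entries:
            print(f"{mech:15} {loc}{'  (no path given: search the disk for it)' if bare else ''}")
```

Run against the real pasted logs, the same call shows at a glance which Run keys, tasks and other locations still reference a file after a scanner has deleted only the file itself.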
Definitely, nice spotting Jooske. NetBIOS closed - good. What about your user accounts? Make sure ALL user accounts have a strong password. This might require you to Log Off, then try to Logon as Administrator with no password. If you can, that's terrible and you need to set a good strong password on that account too.
Was just pointed to this thread about the HJT - NOD32 thing, nothing wrong with that O10 line, so nothing to fix there. https://www.wilderssecurity.com/showthread.php?p=160317 You don't run Port Explorer yet, to keep an eye on what is connecting? Do your firewall logs show many portscans for instance on port 17300 to name one used a lot by spybots, and there will be more common ports for the spybots? With Port Explorer you can put incoming data packets under socket spy and look in the log what it was, which application is doing it, and where, etc, so easier to locate and kill such applications/servers immediately.