tds3 support

Discussion in 'Trojan Defence Suite' started by zak_dashiell, Sep 6, 2002.

Thread Status:
Not open for further replies.
  1. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    hello,

    this seems to be a predictable thing for me. every time i log in to the wilders forum, i've got a support annoyance that bugs me. last time was nod32, this time it is tds3. for the first time since being a licensed tds operator, i had the trojan. it was the rat.k0wbot. just like a father whose first baby had his first colds, i didn't know what to do.

    nod32 identified it and deleted the worm (so i thought). to be sure, i started tds3 and with trace scan on identified 2 regvals. i right-clicked each on the alarm window and deleted each. rebooted, amon didn't say anything and restarted tds3. trace scan indicates that the 2 regvals (explorer32.exe) are still there. shouldn't they already have been deleted?

    i panicked and emailed support@diamondcs.com.au. the diamondcs team (whoever they are) answered within 12 hours (that's very good) asking me to send them scandump.txt and then delete kernel32.dll(space) using autoexplorer. i searched my hdds where the scandump is but can't locate it. searched kernel32.dll(space), not found. my concern grew from 10% to 100% and relayed back to support@diamondcs.com.au. as i was waiting for their reply i went to the bitdefenders' website and search k0wbot. i found out about explorer32.exe and blah...blah...blah, deleted it using autoexplorer, rebooted, rescanned with tds3 and trace scan came back negative. all's well that ends well.

    then the big annoyance came in. the reply from support@diamondcs.com.au simply and bluntly told me to "send us the exe file but if tds can detect it, WE DON'T WANT IT". so i replied, "it is not what you want but what i need as a licensed tds operator". i am getting pissed off now. imagine, the diamondcs team is asking me for a copy of the file already but hasn't touched anything on how i am going to get rid of the trojan using the "by far, the best trojan defense around". i am not an expert. i do not even know what a scandump.txt or kernel32.dll(space) are. what i ONLY want is to get rid of the trojan. is there anything simpler than that?

    support...support...support...
     
  2. grey_ghost

    grey_ghost Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    60
    Hi

    I know the first time you are alerted to a virus or Trojan it can be a very nerve-racking situation.

    You have NOD32 and TDS so you have good protection. :)

    The location of scandump.txt is in your TDS directory(folder).

    You did a search and deleted the exe files.
    The files are written to auto start from the registry; that's why they kept coming back.

    NOD32 didn't remove them when it deleted the rat.

    A dll (dynamic link library) is a set of instructions. Usually instructions that are used frequently. They are used so the programmers don't have to keep writing them over and over.

    TDS tech support has been very good with my problems.
    I think that they meant if TDS has detected it they already have it and know all about it so they don't need it.

    You followed all the necessary steps and successfully removed it. :)

    As you said "all's well that ends well"

    Regards
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    There are a few things in your story.
    As you talked about support annoyance i held back, if you don't mind. First of course: which windows version are you using? One with system restore like ME or XP?
    In that case an autostart file comes back unless you disable restore, delete the thing and reboot.
    Indeed, if TDS detects a file they don't need it, the scandump indicates more.

    In the Helpfile is a good instruction what to do when some infection is located, steps to take, in "Disinfection - Removing trojans" and "Hunting Unknown trojans"
    complete with clear screen shots.

    Is your system ok after the cleansing? Kernel32.dll is a systemfile, which you probably got back from your install cd-rom or a backup?
    A good description is also here at bitdefender
    http://www.bitdefender.com/virusi/virusi_descrieri.php?virus_id=87 and a free removal tool at http://www.bitdefender.com/html/free_tools.php .
    With scanning, nothing more found, no copies of the nasty as it has the habit of copying itself a lot?
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi zak_dashiell,

    Firstly, if the file was removed then you have nothing to worry about. I do not remember for sure if you said whether you had the trojan still on your system or had deleted it, in which case it would be important to identify this trojan with a file scan in TDS. This file identification would have been happening however, as we already identify both main variants of this bot/worm. As for wanting a copy, if this was a new variant it is also a priority to add detection for other users, hence a request for a copy if not already detected.

    If the traces were not deleted then you can delete them from Autostart Explorer. A scandump would be helpful to see the trace value reported, but from memory (sorry, not at work right now ;)) this was indeed a very long string and TDS could have had a problem with that. One thing to remember: traces are far from critical when it comes to disinfection. They can be very useful to show up an infection if the file was not detected, but a trace which attempts to run a non-existent file will not do anything; it will just be ignored by Windows.

    I apologise for your frustration in this matter, if in the future TDS or your antivirus has indeed deleted the trojan FILE, do not worry too much :)
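    As an added illustration of the point above (not code from the thread, DiamondCS or TDS-3), this script lists the Run/RunOnce autostart values in the registry and flags the ones whose target executable is no longer on disk, i.e. the orphaned "traces" that remain after the trojan file itself has been deleted. It only reports; the key paths are the standard Windows ones and the parsing of the command line is a simple heuristic.

    ```powershell
    # Added example: report autostart registry values whose target file is missing.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    function Get-AutostartTarget {
        param([string]$Command)
        # Expand %SystemRoot% etc., then take the executable part of the command line:
        # a quoted path, or everything up to the first space when unquoted.
        $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
        if ($cmd.StartsWith('"')) {
            $end = $cmd.IndexOf('"', 1)
            if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
            return $cmd.Trim('"')
        }
        return ($cmd -split '\s+')[0]
    }

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $value  = [string]$item.GetValue($name)
            $target = Get-AutostartTarget $value
            # A bare file name (no directory) is resolved through PATH, so check that too.
            $exists = (Test-Path -LiteralPath $target) -or
                      ($null -ne (Get-Command $target -ErrorAction SilentlyContinue))
            $status = if ($exists) { 'present' } else { 'ORPHANED - target missing' }
            [pscustomobject]@{
                Key    = $key
                Name   = $name
                Target = $target
                Status = $status
            }
        }
    }
    ```

    An orphaned entry is harmless on its own, as the post explains, but it is still worth removing so it stops showing up in every trace scan; a present entry pointing at an unfamiliar file is the one to investigate.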
     
  5. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    grey_ghost,

    thank you for the encouragement... i really don't have any doubts about the capabilities of tds3 and nod32 and you confirm them for me. but i couldn't find the scandump.txt in the tds folder either. i even used powerdesk file finder to locate it... no luck...

    jooske,

    i use winxp pro with system restore disabled (i prefer to use drive image if i have problems). i have also used the helpfile to initially solve the problem. i used the instructions from the bitdefender site to clean the system (that's where the irony is, i use their "support" even if i don't use their software). i am sure that it is clean now since i scanned my system 2x each with nod32 and tds3 after each reboot. otherwise, i would just have to reformat my hdd and put in the drive image and just forget about nod32 and tds3.

    gavin,

    "One thing to remember: traces are far from critical when it comes to disinfection. They can be very useful to show up an infection if the file was not detected, but a trace which attempts to run a non-existent file will not do anything; it will just be ignored by Windows."

    now i understand that it is not really critical as long as the exe is not there anymore, but a trace is still a trace and bothersome, especially if every time i start tds3 they show in the alarm window.

    my sincerest apologies for my ignorance and sentiments to your support. i am no expert and didn't know what to do. it was really my first time to have tds3 do its job.

    regards,

    zak
     
  6. grey_ghost

    grey_ghost Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    60
    Hi

    Just a quick reminder if needed.
    If you have made a backup since you got the rat and before you removed it, it will be in your backup image.

    If it is backed up to a partition, separate drive, or removable media that you haven't scanned.

    Regards
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Very good point !

    Another is that, as far as I know, scanners will not scan inside a proprietary image format like .GHO (Norton Ghost); we don't have the specs to do so. It is useful if you are a Ghost user, however, that Ghost Explorer will allow you to delete a file from within the image.
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Saw your remark about the scandump.txt still open. If not made automatically, after the scanning process, in the alerts window, rightclick on one of the finds, and choose the option to save as text. The whole list will then be copied to the scandump.txt file, which you'll find in the TDS-3 directory. And that's the file which will be overwritten with next time scan results, so you won't get a many mb long scan results reportage.

    Hope you find your system clean in the backups and images too. This is what i meant with the restore remark.
     
  9. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    i believe that the images are clean. i made them before nod32 warned me about the rat. and i scan all drives with tds3 and nod32 every time there are updates. thanks for reminding me anyway but i may not be needing the images this time since i believe that i have deleted the rat already or am i wrong again? :eek:

    jooske,

    thanks for showing me how to create a scandump.txt
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You're welcome!

    Is there any way to make sure the images are clean too? Imagine: it would rarely happen that an infection exists more than a couple of hours before one of the developers would notice and find a cure for it, and very soon all about have them added to their signatures. Say you are infected, in the few hours before NOD32 or another one alarms, etc.
    But this K0wbot is not really new, have seen its name changing from virus to trojan and worm to a backdoor, a rat version could be new, but the signatures are known.
    If you are able to make sure for the images, do by all means, and you know now what to look for and to get rid of them if not.
     