Can someone please view my dump and advise action

Discussion in 'Trojan Defence Suite' started by pcpcpc, May 24, 2004.

Thread Status:
Not open for further replies.
  1. pcpcpc

    pcpcpc Registered Member

    Joined:
    May 24, 2004
    Posts:
    3
    Hi, I've been trying to get rid of a virus for about a week.
    AVG finds 14 every time I run it.
    Here is my latest TDS scan dump.
    Can anyone help vaccinate my system?



    Scan Control Dumped @ 17:26:25 24-05-04
    Live trojan found (in process memory): DDoS.RAT.SDBot
    File: C:\WINNT\system32\mssee.exe

    RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Configuration Loaded=mssee.exe

    RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\RunServices [Configuration Loaded=mssee.exe
    Scan Control Dumped @ 17:26:38 24-05-04
    Live trojan found (in process memory): DDoS.RAT.SDBot
    File: C:\WINNT\system32\mssee.exe

    RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Configuration Loaded=mssee.exe

    RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\RunServices [Configuration Loaded=mssee.exe
    Scan Control Dumped @ 17:26:42 24-05-04
    Live trojan found (in process memory): DDoS.RAT.SDBot
    File: C:\WINNT\system32\mssee.exe

    RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Configuration Loaded=mssee.exe

    RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\RunServices [Configuration Loaded=mssee.exe
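As an added example (not part of the thread), a small Python parser for the TDS dump format above: it de-duplicates the repeated "Scan Control Dumped" blocks and links the Run/RunServices values to the image seen live in memory, which is exactly the set of artefacts a cleanup has to cover. The sample text is a constructed excerpt of the dump.

```python
import re
# Constructed sample: an excerpt of the TDS scan dump posted above. The scanner
# re-dumped the same finding several times, so the parser de-duplicates.
TDS_DUMP = """\
Scan Control Dumped @ 17:26:25 24-05-04
Live trojan found (in process memory): DDoS.RAT.SDBot
File: C:\\WINNT\\system32\\mssee.exe

RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
File: Software\\Microsoft\\Windows\\CurrentVersion\\Run [Configuration Loaded=mssee.exe

RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
File: Software\\Microsoft\\Windows\\CurrentVersion\\RunServices [Configuration Loaded=mssee.exe
Scan Control Dumped @ 17:26:38 24-05-04
Live trojan found (in process memory): DDoS.RAT.SDBot
File: C:\\WINNT\\system32\\mssee.exe
"""

RE_MEM = re.compile(r"^Live trojan found \(in process memory\): (.+)$")
RE_REG = re.compile(r"^RegVal Trace: (.+?): (HKEY_[A-Z_]+)$")
RE_FILE = re.compile(r"^File: (.+)$")
RE_VAL = re.compile(r"^(?P<key>.+?) \[(?P<name>[^=]+)=(?P<data>.*)$")  # "Key [Name=Data"

def parse_tds_dump(text):
    """Unique findings: ("process", detection, image_path) or
    ("autorun", detection, hive\\key, value_name, data)."""
    findings, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_MEM.match(line):
            pending = ("process", m.group(1))
        elif m := RE_REG.match(line):
            pending = ("autorun", m.group(1), m.group(2))
        elif (m := RE_FILE.match(line)) and pending:
            if pending[0] == "process":
                item = ("process", pending[1], m.group(1))
            else:
                v = RE_VAL.match(m.group(1))
                item = ("autorun", pending[1], pending[2] + "\\" + v["key"],
                        v["name"], v["data"])
            if item not in findings:       # drop the repeated dump blocks
                findings.append(item)
            pending = None
    return findings

def linked_persistence(findings):
    """Autorun values whose data names the binary seen live in memory: these are
    the registry entries to clean once the process is stopped and the file gone."""
    images = {f[2].rsplit("\\", 1)[-1].lower() for f in findings if f[0] == "process"}
    return [f for f in findings if f[0] == "autorun" and f[4].lower() in images]
```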
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello and welcome!
    Googling for the filename, I am not seeing any valid info about it, whether it belongs on XP Pro or Win2000 or not.
    Can you please submit a copy of it to submit@diamondcs.com.au, either from the console or attached to an email (zipped if possible)?
    You were scanning with TDS with AVG and all else closed, I hope?
    Is it also running if you look in the process list? Exec Protection should block it from running!
    You can stop it and change the extension to block it from running till you get Gavin's answer after the submission.
    You might get error messages about the Configuration not being able to run, as I see it in your dump in Run and RunServices, so you are prepared, but I don't dare to let you change the registry if I'm not 300% certain yet.

    What else does AVG find? Might give some more indications.

    I see it only in one HijackThis log on a German forum and people not touching it, but I don't trust it yet.
    I see we dealt with it recently in another thread, https://www.wilderssecurity.com/showthread.php?t=29265, but the file there had another name.
    The advice in the last post in that thread is very recommendable for your situation too, so please do. Gavin probably prefers the AutoStartViewer log too (from the DiamondCS products page in the free tools).
    In both cases, for HijackThis and AutoStartViewer, please check all search options and save the logs to post them.
     
  3. pcpcpc

    pcpcpc Registered Member

    Joined:
    May 24, 2004
    Posts:
    3
    Hey mate,
    thanks for your quick reply.
    Not sure what you mean by submitting my googling to that email addy though, sorry.
    Here is an AVG scan dump:
    Results of Complete Test, date and time 24/05/2004 18:53:54 :

    Testing C:\ serial B0EA-02AE
    C:\DKU\1000 Sex and more.rtf.scr repaired
    C:\DKU\Book Archive.rtf.exe repaired
    C:\DKU\France.doc.exe repaired
    C:\DKU\Full album.mp3.scr repaired
    C:\DKU\How to hack.doc.scr repaired
    C:\DKU\Learn Programming.doc.scr repaired
    C:\DKU\RFC Basics Full Edition.doc.scr repaired
    C:\DKU\Serials.txt.exe repaired
    C:\DKU\Serials.txt.scr repaired
    C:\DKU\Smashing the stack.rtf.scr repaired
    C:\DKU\Windows Sourcecode update.doc.scr repaired
    C:\DKU\Windows Sourcecode.doc.exe repaired
    C:\DKU\WinXP eBook.doc.scr repaired
    C:\DKU\XXX hardcore pic.jpg.exe repaired
    C:\Documents and Settings\Administrator\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\Administrator\ntuser.dat.LOG Cannot open; not checked!

    Test aborted
    215 objects tested, 14 found infected
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi again.
    I meant I was googling around myself (searching with google.com) for your filename and saw it only mentioned on two occasions, and those were not helpful for your situation.

    Now first that infection: did you send that mssee.exe to submit@diamondcs.com.au already and change its name into something like mssee.tmp so it can't run at the moment? As it might be one of the thousands of variants.

    Did AVG also tell what it found in the other files if it was able to repair them?

    Would like to see your HijackThis log as well: please follow the instructions in this thread (step 2) for the HijackThis download and log and how to post it.
    https://www.wilderssecurity.com/showthread.php?t=15913
     
  5. pcpcpc

    pcpcpc Registered Member

    Joined:
    May 24, 2004
    Posts:
    3
    Please excuse my ignorance...
    How do you want me to send that .exe?
    Actually send the .exe file from my PC? Or just the log?
    Again, sorry.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    There are two ways:
    either from the TDS console where you saw the alert: right-click on the filename and choose "submit".
    This is only possible if you put your email address and outbox in the Configuration in TDS (upper left).
    The other way is to zip your mssee.exe file and attach it to an email to the address I gave you; Gavin is aboard, so you could hope for a quick reply on your file.
    He needs the original to help you with that; avoiding damage to your "sample" is why it is best zipped.


    EDIT: I searched the whole internet and asked expert advice; the mssee.exe is no normal Win2000 (is that what you're running?) system file, so it appears you can just delete it (but please send a copy first to submit@diamondcs.com.au if you haven't done so).
    The part about possibly having to kill the running process is still valid.
    This is why I think you will like to make that HijackThis log, so we have an overview and can help you delete the registry keys which belong to it, so it can't give error messages, nor be installed back, etc.

    Looking forward to your next postings!
     
    Last edited: May 24, 2004