DLL and services.exe detected as trojans.

Discussion in 'Trojan Defence Suite' started by Alu, Jul 7, 2004.

Thread Status:
Not open for further replies.
  1. Alu

    Alu Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    9
    wininv.dll and services.exe were detected as the Prorat trojan. Is it safe to delete these files?
     
  2. FanJ

    FanJ Guest

    Hi Alu,

    Which program detected them as that Trojan?
    Was it TDS-3 ?

    If yes, please give a scandump from a full system scan by TDS-3 (scanning while no other AV/AT/etc. was running).
     
  3. Alu

    Alu Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    9
    It was TDS-3. Prorat copies itself onto these two (and more) files, but I know my system uses these files. Oh, and I'm so computer illiterate, I don't know what exactly you're referring to (the scan dump) :D

    Oh and no AV items were running.
     
  4. FanJ

    FanJ Guest


    Hi Alu,

    No problem ;)

    Am I right that you have let TDS-3 do a full system scan?
    In the bottom half of its console you will find those warnings.
    Right click on them to save them.

    You might also have a look at the log files of TDS-3.
    Assuming here that you have set up TDS-3 to create log files.
    You can find the logfiles here:
    in your TDS-3 directory, go to the Log sub-directory; there you will find, for every month and every day of the last year (counting back from this moment), your log files.
    In the log file of the day (assuming TDS-3 detected it now) you will also find your scandump. In that case, just go to the sub-directory July (maybe named jul) and the corresponding day.
    The log file is a text file, so you can copy and paste the important parts of it.

    I hope this might help you a little bit.
    Please feel free to ask more questions about it, anytime !
     
  5. Alu

    Alu Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    9
    11:54:29 [Init] Started 07-07-04 11:54:29 Central Standard Time (UTC: 6), Internet Time @746.17
    11:54:29 [Init] Loading TDS-3 Systems ...
    11:54:29 [Init] Token successfully adjusted.
    11:54:29 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
    11:54:29 [Init] • Plugins : OK. Loaded 13
    11:54:29 [Init] • Exec Protection : Not Installed
    11:54:29 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
    11:54:29 [Init] Licensed users can use the Update facility from the TDS menu
    11:54:29 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    13:58:33 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
    13:58:33 [Init] Started 07-07-04 13:58:33 Central Standard Time (UTC: 6), Internet Time @832.33
    13:58:35 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
    13:58:35 [Init] Started 07-07-04 13:58:35 Central Standard Time (UTC: 6), Internet Time @832.35
    13:58:35 [Init] Loading TDS-3 Systems ...
    13:58:35 [Init] Token successfully adjusted.
    13:58:39 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
    13:58:39 [Init] Started 07-07-04 13:58:39 Central Standard Time (UTC: 6), Internet Time @832.40
    13:58:39 [Init] Loading TDS-3 Systems ...
    13:58:39 [Init] Token successfully adjusted.
    13:58:43 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
    13:58:43 [Init] Started 07-07-04 13:58:43 Central Standard Time (UTC: 6), Internet Time @832.44
    19:34:21 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
    19:34:21 [Init] Started 07-07-04 19:34:21 Central Standard Time (UTC: 6), Internet Time @1065.52
    19:34:21 [Init] Loading TDS-3 Systems ...
    19:34:21 [Init] Token successfully adjusted.
    19:34:21 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
    19:34:21 [Init] • Plugins : OK. Loaded 13
    19:34:21 [Init] • Exec Protection : Not Installed
    19:34:21 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
    19:34:21 [Init] Licensed users can use the Update facility from the TDS menu
    19:34:21 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    19:34:26 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    19:34:26 [Init] • Systems Initialised [31397 references - 11211 primaries/8986 traces/11200 variants/other]
    19:34:26 [Init] Radius Systems loaded. <Databases updated 27-01-2004>
    19:34:26 [Init] TDS-3 Ready. <Joe@67.97.60.231, 192.168.0.1, 127.0.0.1 - United States>
    19:34:26 [Tip Of The Day] TDS-3 has the unique ability to enumerate 16-bit processes in Windows NT/2K - just go to System Analysis | Process List, and select 16-bit Process List.
    19:34:26 [TDS] Good evening Joe.
    19:34:29 [Mutex Memory Scan] Started...
    19:34:31 [Mutex Memory Scan] Finished (no trojan mutexes found).
    19:34:31 [Trace Scan] Started...
    19:34:45 [Trace Scan] Finished.
    19:34:45 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
    19:40:20 [Quit] Unloading ...
    19:41:14 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
    19:41:14 [Init] Started 07-07-04 19:41:14 Central Standard Time (UTC: 6), Internet Time @1070.30
    19:41:14 [Init] Loading TDS-3 Systems ...
    19:41:14 [Init] Token successfully adjusted.
    19:41:14 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
    19:41:14 [Init] • Plugins : OK. Loaded 13
    19:41:14 [Init] • Exec Protection : Not Installed
    19:41:14 [Init] WARNING: Your Radius.TD3 database needs to be updated!
    19:41:14 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
    19:41:14 [Init] Licensed users can use the Update facility from the TDS menu
    19:41:14 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    19:41:19 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    19:41:19 [Init] • Systems Initialised [35654 references - 13916 primaries/9967 traces/11771 variants/other]
    19:41:19 [Init] Radius Systems loaded. <Databases updated 07-07-2004>
    19:41:19 [Init] TDS-3 Ready. <Joe@67.97.60.231, 192.168.0.1, 127.0.0.1 - United States>
    19:41:19 [Tip Of The Day] If your machine has minimal resources, run minimal sockets! Sockets can be relatively expensive in terms of resources.
    19:41:20 [TDS] Good evening Joe.
    19:41:22 [Mutex Memory Scan] Started...
    19:41:24 [Mutex Memory Scan] Finished (no trojan mutexes found).
    19:41:24 [Trace Scan] Started...
    19:41:39 [Trace Scan] Finished.
    19:41:39 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
    19:42:18 [CRC32] Started - verifying 29 files ...
    19:42:22 [CRC32] File doesn't exist: C:\Program Files\TDS3\tds-3.exe
    19:42:27 [CRC32] Test finished.
    19:43:08 [Memory Scan] Memory scan started, please wait a moment ...
    19:43:09 [Memory Scan] Memory scan complete.
    19:43:09 [Mutex Memory Scan] Started...
    19:43:11 [Mutex Memory Scan] Finished (no trojan mutexes found).
    19:43:11 [Trace Scan] Started...
    19:43:26 [Trace Scan] Finished.
    19:43:26 [Service\Driver Scan] Scanning for services and drivers ...
    19:43:29 [Service\Driver Scan] Scanned 313 services and drivers.
    19:43:29 [File Scan] Scanning in A:\ ...
    19:43:30 [File Scan] Scanned 0 files: 0 alarms in 1.0625 seconds (Avg 1. files/sec)
    19:43:30 [File Scan] Scanning in C:\ ...
    20:13:28 [ICMP] Ping reply from 127.0.0.1: size=32 status=0 time=0ms ttl=250
    20:21:24 [File Scan] Scanned 65122 files: 15 alarms in 2274.188 seconds (Avg 29.64 files/sec)
    20:21:24 [File Scan] Scanning in D:\ ...
    20:21:24 [File Scan] Scanned 0 files: 15 alarms in 0 seconds (Avg -1.#IND files/sec)
    20:21:24 [File Scan] Scanning in E:\ ...
    20:21:24 [File Scan] Scanned 0 files: 15 alarms in 0 seconds (Avg -1.#IND files/sec)
    20:21:24 [File Scan] Scanning in F:\ ...
    20:21:24 [File Scan] Scanned 0 files: 15 alarms in 0 seconds (Avg -1.#IND files/sec)
    20:21:24 [Scan] Finished.
    20:23:42 [Trace Scan] Started...
    20:23:59 [Trace Scan] Finished.


    Yes you are correct. Any verdict?
     
    Last edited: Jul 7, 2004
  6. FanJ

    FanJ Guest

    Hi Alu !

    I see you have the trial version of TDS-3.
    But not the latest definitions ;)
    Please have a look at this site:
    http://tds.diamondcs.com.au/index.php?page=update
    Users of the trial (evaluation) version have to download the latest Radius file (the Trojan definitions for TDS-3) manually.

    Quote:
    Keeping the databases up-to-date is the single most important responsibility of any anti-virus or anti-trojan scanner user, and TDS makes this easy and provides both automatic and manual means of updating. TDS3 users can easily update to the latest database manually by following these simple instructions.

    MANUAL UPDATE

    1. Close TDS if it is running.

    2. Download the latest RADIUS database: Latest Radius.td3 (Important: Right-click and choose Save Target As)

    3. Save the downloaded radius.td3 file to your TDS directory, over-writing the existing radius.td3

    You can then start TDS and it will load the new database.

    - end quote -


    I also seem to see that there were not any files scanned (please take my bad eyes in mind, I might make a mistake here).

    You might have a look at this thread:
    Basic configuration of TDS-3
    It gives new users an idea of the basic configuration of TDS-3, although the default settings might well be OK :)


    So if I might give a little advice: please have a look at those two above mentioned sites.

    PS: your scandump didn't give a sight of what malware was detected by TDS-3 on which files.
     
  7. Alu

    Alu Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    9
    I'm following your directions as I type, but I should say I have a problem with these two files and Prorat, in case I've misled you in some way. The configuration help has helped me a ton, ty. I'm just trying to clean these files and I don't know what I should do with them. :eek: The removal instructions on Symantec do not work :(


    PS: I forgot, it's Backdoor.Prorat 1.8. I made a post on antitrojan and I was told to change the exe name of TDS so it would run. If you'd still like the log, I'll have it posted tomorrow. It's late :p

    Goodnight :)
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Alu, sounds like they are still running and therefore cannot be deleted.
    You could try removing the files in "Safe Mode". Restart your PC and, after the system diagnostics but before Windows starts, press F8 several times; you should see a start-up screen with several options. Select Safe Mode. After Windows starts, navigate to the files, zip them up and then submit them to submit@diamondcs.com.au for analysis.

    HTH Pilli
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there, I jump in on Jan's remark about the logs:
    indeed, the console log you just posted could give all kinds of info on other finds.
    But the scanned files from the bottom console should be saved separately:
    as said, right-click on one of the alerts and choose "save to text";
    this will save all those alerts from that window to a file named Scandump.txt, which shows up immediately if you let it, or can be found in the TDS directory.
    We would like to see the contents of that Scandump.txt file in your posting.
    Thanks in advance!


    Services.exe and that win..dll I have seen declared nasties in several HJT logs, but it depends on what and where they are and what more is the matter on your system. Maybe they're just innocent files in your case, unfortunately with the same name or code parts, so indeed submitting them to Gavin at submit@diamondcs.com.au or the support@ address will give you a good analysis of the situation.
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
  11. Alu

    Alu Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    9
    Scan Control Dumped @ 15:24:21 08-07-04
    Suspicious Filename: Dual extensions
    File: c:\program files\tds3\firefoxsetup-0.9.1.exe

    Positive identification: RAT.ProRat 1.8 (UPX)
    File: c:\windows.1\services.exe.tcf

    Positive identification (DLL): RAT.ProRat 1.1 (dll)
    File: c:\windows.1\system32\wininv.dll

    I had another program rename it (services.exe), though it's still detected as a trojan.

    It also removed winkey.dll, which had been on my computer too. I'd pay no mind to the suspicious file name; I downloaded that from Mozilla in the hope of preventing such a bad infestation as I've had for a week from ever happening again.

    fservice.exe and sservice.exe, which were also problems, were deleted, but I suspect they will be back at my next restart. I have read that ProRat alters the wininv.dll file to reinstall itself and run at startup, and such has been happening.
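    The console log in post #5 and the Scandump.txt in post #11 carry different information, and the thread turns on the gap between them (15 alarms counted by the file scan, three alerts in the dump). As an added example, not part of this thread and not TDS-3 or DiamondCS code, the script below parses constructed excerpts modelled on both files and ranks what they say. The day-first date format is taken from the posted log; the seven-day staleness threshold and the 20xx century for the dump's two-digit year are assumptions.

```python
"""Triage a TDS-3 console log together with its Scandump.txt (added example, not TDS-3 code).
The sample inputs are constructed excerpts modelled on the lines posted in this thread."""
import re
from datetime import date

SAMPLE_CONSOLE_LOG = """\
19:41:14 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
19:41:14 [Init] WARNING: Your Radius.TD3 database needs to be updated!
19:41:19 [Init] Radius Systems loaded. <Databases updated 07-07-2004>
19:43:30 [File Scan] Scanning in C:\\ ...
20:21:24 [File Scan] Scanned 65122 files: 15 alarms in 2274.188 seconds (Avg 29.64 files/sec)
20:21:24 [File Scan] Scanning in D:\\ ...
20:21:24 [File Scan] Scanned 0 files: 15 alarms in 0 seconds (Avg -1.#IND files/sec)
"""
SAMPLE_SCANDUMP = """\
Scan Control Dumped @ 15:24:21 08-07-04
Suspicious Filename: Dual extensions
File: c:\\program files\\tds3\\firefoxsetup-0.9.1.exe

Positive identification: RAT.ProRat 1.8 (UPX)
File: c:\\windows.1\\services.exe.tcf

Positive identification (DLL): RAT.ProRat 1.1 (dll)
File: c:\\windows.1\\system32\\wininv.dll
"""

# TDS-3 writes dates day-first (compare "27-01-2004" and "07-07-2004" in the posted log).
DB_RE = re.compile(r"<Databases updated (\d{2})-(\d{2})-(\d{4})>")
DRIVE_RE = re.compile(r"\[File Scan\] Scanning in ([A-Za-z]:\\)")
SCANNED_RE = re.compile(r"\[File Scan\] Scanned (\d+) files: (\d+) alarms")
DUMP_HDR_RE = re.compile(r"^Scan Control Dumped @ \d{2}:\d{2}:\d{2} (\d{2})-(\d{2})-(\d{2})$")
VERDICT_RE = re.compile(r"^(Positive identification(?: \(DLL\))?|Suspicious Filename): (.+)$")
STALE_DAYS = 7  # assumption: definitions older than a week are treated as stale


def parse_console_log(text):
    """Pull licence state, definition date and per-drive scan counts out of the console log."""
    info = {"licensed": True, "db_updated": None, "db_update_warning": False,
            "drives": [], "files_scanned": 0, "alarms": 0}
    current, running = None, 0
    for line in text.splitlines():
        if "(UNLICENSED)" in line:
            info["licensed"] = False
        if "database needs to be updated" in line:
            info["db_update_warning"] = True
        if m := DB_RE.search(line):
            d, mo, y = map(int, m.groups())
            info["db_updated"] = date(y, mo, d)
        if m := DRIVE_RE.search(line):
            current = m.group(1)
        if (m := SCANNED_RE.search(line)) and current:
            files, cumulative = int(m.group(1)), int(m.group(2))
            # The alarm counter is cumulative across drives ("0 files: 15 alarms" on D:),
            # so the per-drive figure is the difference from the previous drive's total.
            info["drives"].append((current, files, cumulative - running))
            running, current = cumulative, None
            info["files_scanned"] += files
            info["alarms"] = cumulative
    return info


def parse_scandump(text):
    """Turn Scandump.txt into the dump date plus a list of verdict/file alerts."""
    dumped, alerts, pending = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DUMP_HDR_RE.match(line):
            d, mo, yy = map(int, m.groups())
            dumped = date(2000 + yy, mo, d)  # assumption: the two-digit year is 20xx
        elif m := VERDICT_RE.match(line):
            pending = {"detail": m.group(2), "positive": m.group(1).startswith("Positive")}
        elif line.startswith("File: ") and pending is not None:
            pending["file"] = line[len("File: "):]
            alerts.append(pending)
            pending = None
    return {"dumped": dumped, "alerts": alerts}


def triage(info, dump):
    """Rank what the two files say; the console/dump mismatch is the thread's own problem."""
    findings = []
    stale = not (dump["dumped"] and info["db_updated"]) \
        or (dump["dumped"] - info["db_updated"]).days > STALE_DAYS
    if stale or info["db_update_warning"]:
        findings.append(("warn", "definitions not current: update radius.td3 and rescan before trusting verdicts"))
    if not info["licensed"]:
        findings.append(("info", "evaluation copy: the Radius database has to be updated by hand"))
    if info["alarms"] > len(dump["alerts"]):
        findings.append(("info", f"console counted {info['alarms']} alarms but the dump lists "
                                 f"{len(dump['alerts'])}: save and post the complete Scandump.txt"))
    for a in dump["alerts"]:
        findings.append(("high" if a["positive"] else "low", f"{a['detail']}: {a['file']}"))
    return findings


if __name__ == "__main__":
    for sev, msg in triage(parse_console_log(SAMPLE_CONSOLE_LOG), parse_scandump(SAMPLE_SCANDUMP)):
        print(f"[{sev}] {msg}")
```

    The "Suspicious Filename" entry is reported as low severity on purpose: it is a name heuristic, not a code match, which is exactly the distinction the replies below draw for the Firefox installer.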
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Now your determination of the Prorat fits completely, eh?
    TDS is not looking especially for filenames but for the code pieces in them, so you should be able to name them anything and you would still get the detections.
    Are these really the only alerts left from TDS? Even with all scan options checked? I would have expected a few more, but since you deleted some already...........
    I think it would be a good plan to post a HiJackThis log in the HJT forum; see in thread [thread]15913[/thread] how to, as there might show up more nasty things.
    If posting there, you might like to add this URL so people can see this part of it.

    The dual-extension alert is no problem, since I expect you to know that file as part of your Firefox browser. The only thing is, it is in such a strange place! In your TDS3 directory? How is that possible?
    Or is it a file of 0 bytes in size? Then you can delete it.

    Keep us informed how it goes!


    Wait a moment, your former scan said there were 15 alarms; did you delete all of those, or where are they now?
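    Jooske's point that TDS looks for code pieces rather than filenames, shown as an added example that is not code from the post or from TDS-3: a small content-signature scanner, with constructed marker bytes standing in for real signatures (they are not ProRat's) and constructed file contents, run over the paths from the scandump above plus a clean stand-in for services.exe in the normal system32 location. The dual-extension rule is my assumption of what such a name heuristic keys on.

```python
"""Why renaming a detected file does not help: verdicts come from content, not names.
Added example, not TDS-3 or DiamondCS code. The signature bytes and file contents below
are constructed stand-ins; they are not real ProRat signatures or real binaries."""
import re

SIGNATURES = {  # label -> byte patterns that must all be present in the file
    "RAT.Example 1.8 (UPX)": (b"UPX0", b"RAT-EXE-MARKER"),
    "RAT.Example 1.1 (dll)": (b"RAT-DLL-MARKER",),
}
EXEC_EXT_RE = re.compile(r"\.(exe|dll|scr|com|pif|bat)$", re.I)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def content_verdicts(data):
    """Signature hits depend only on the bytes, never on the path or the extension."""
    return [label for label, pats in SIGNATURES.items() if all(p in data for p in pats)]


def filename_heuristics(path):
    """Name-only checks, kept separate because a name proves nothing about content."""
    base = basename(path)
    # Assumed rule for a "Dual extensions" alert: more than one dot plus an executable suffix.
    return ["Dual extensions"] if base.count(".") > 1 and EXEC_EXT_RE.search(base) else []


def scan(files):
    """files maps path -> bytes; returns per-path positive (content) and suspicious (name) hits."""
    return {path: {"positive": content_verdicts(data), "suspicious": filename_heuristics(path)}
            for path, data in files.items()}


# Constructed contents: a packed RAT stub, its DLL, a renamed copy of the stub, two clean files.
RAT_EXE = b"MZ\x90\x00" + b"UPX0" + b"\x00" * 16 + b"RAT-EXE-MARKER"
RAT_DLL = b"MZ\x90\x00" + b"\x00" * 8 + b"RAT-DLL-MARKER"
SAMPLE_FILES = {
    r"c:\windows.1\services.exe": RAT_EXE,
    r"c:\windows.1\services.exe.tcf": RAT_EXE,  # same bytes, renamed by another tool
    r"c:\windows.1\system32\wininv.dll": RAT_DLL,
    r"c:\windows\system32\services.exe": b"MZ\x90\x00" + b"legitimate SCM binary (stand-in)",
    r"c:\program files\tds3\firefoxsetup-0.9.1.exe": b"MZ\x90\x00" + b"installer payload (stand-in)",
}

if __name__ == "__main__":
    for path, result in scan(SAMPLE_FILES).items():
        print(f"{path}: {result}")
```

    The renamed services.exe.tcf gets the same positive verdict as the original because its bytes are unchanged, the clean services.exe in system32 gets none despite sharing the name, and the Firefox installer only trips the name heuristic, which is why a submitted sample rather than a filename decides the case.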
     
  13. Alu

    Alu Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    9
    I used another trojan remover called "Trojan Hunter" and it seems to have helped remove a lot of the nasties, which is why you see the oddities in my post. I will look into HJT, thanks.
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hmmmmmmmm, I see you were in the middle of a cleaning session of a browser hijack (?) in the HJT forum; now I wonder if these new events you're posting here are related to that other one, or is this a new infection?



    TH is no problem, as it runs smoothly alongside TDS. But close its resident protection, or better, close it completely, during a scan with TDS.
    TDS can clean the alarms for you too: right-click on an alarm and choose "delete" if you like and are sure it should go.
     