My First Encounter - Nasty.exe

Just had my first encounter with a Trojan (I think). All of a sudden, during a file trace scan, TDS is detecting three filename traces. I've submitted them to DCS, as requested, and then deleted the files using the TDS menu. However, when doing another trace scan, they still show to be there (see image). Why is it still being detected? Also, something else really strange - I can't seem to get access to the directory the files are supposedly in. XP says "Access is Denied", even though I have administrative rights. Also, when I look at the properties of the folder supposedly containing the traces, it shows 0 files and folders within that folder. Any ideas anyone??

 

System restore could be an issue?

 

Have restarted PC and TDS, and still detecting files. Here is a look at scandump file.

Scan Control Dumped @ 10:40:44 25-04-04
File Trace: Default trojan filename: Trojan.Obsorb please submit
File: C:\Documents and Settings\All Users\Documents\Nasty.exe
File Trace: Default trojan filename: Trojan.Obsorb please submit
File: C:\Documents and Settings\All Users\Documents\Ezy.exe
File Trace: Default trojan filename: Trojan.Obsorb please submit
File: C:\Documents and Settings\All Users\Documents\Obsorb.exe

Not sure what you mean - how do you suggest I proceed? A scan of the ...\Documents subdirectory by NOD32 shows: ""Directory path C:\Documents and Settings\All Users\Documents\ is invalid.". Strange...

 

If you are running XP you will also have to delete your Restore points as the Trojan will be in there too. Your AV may not scan in System Volume information such as AVG does therefore this may not be showing in the NOD scan.

Access System Restore and 'turn off' monitoring - reboot your computer - scan again with TDS and your AV and when you are sure everything is clean you can enable SR again.
Right click 'My Computer' - select properties - System Restore you will then see how to delete restore points (stop monitoring) and this is where you go back to enable again.

Please wait for advice on your access denied but this will help you with the System Restore clean afterwards. HTH

 

After you submitted the files or the whole folder if otherways was not possible -- you really will have to close your other anti-virus / anti-trojan scanners to be able to have access to that folder and to be able to submit it --
and afterwards you can clean out what there is is necessary.

If you have cleaned out, deleted the files and reboot, you will most probably find them back thanks to system restore if you're using windows XP or ME.
This is why i said after deleting files finding them back in a next scan could be after a system restore, for example.
It can also be your other scanner moved the original files to a quarantined area, from which they are not accessable with other scanners or maybe only for determination via that own scanner.
Do you know that folder the files were in?
Was it really empty? Do you have your system configured to show all files and all extensions and nothing should be hidden?
Did you also configure the TDS scan for NTFS ADS streams to be detected, for which you can ignore them smaller then 88 bytes or maybe a bit larger too (others can tell exactly which to ignore)
A file 0 bytes might not be really empty but contain those NTFS ads streams for instance, and so there are more things to think about.

Anyway, after cleansing please follow Robyn's nice explanation (thanks Robyn!) about disabling and enabling system restore after cleansing and not forgetting to create manually a new system restore point after that!

If you do a next scan the files should really be gone if you really have the other scanner closed during that scan. You can also hunt for the files and go to www.kaspersky.com/remoteviruschk.html to have in a few seconds online there an opinion with the KAV database.

 

Could it be that this has something to do with what Gavin described in this thread:
RUN AS for TDS-3 - TRACE scan, multiple user problems

D&C, please have a look at that thread.


And:
The TDS-3 Trace-scanner can also have problems if TDS has no access to read files.

 

Turned off System Restore (see below), but could not find how to delete old restore points. Rebooted PC and restarted TDS. Still detecting the three files.

Read it - thanks. There is only one user account on my PC - mine. And I have administrative rights.

The name of the folder is detailed in post above. And I can see it in Windows Explorer, but cannot gain access to it. System is configured to see all hidden / system files. Folder is empty (no files contained within, according to it's properties).

 

I always thought that when you turn "system restore" off , all your restorepoints are gone also. So you don't still need to delete them.

 

By turning off System Restore your restore points will have been deleted. Confirm this by looking to see if you can restore to a date a few days ago - if not then they are all gone and you can create a new one with everything is clean.

Nothing to do with the Trojan but the 12% given to SR could be tuned right down as this is using quite a bit of your HD. I have mine set to 4% but you can choose just how much you want to use of your drive.

I would also clean my temporary Internet files both on and offline.

 

Back to the problem of D&C.

What are file-traces in TDS-3?
Quotes from the Help-file:

What traces are, are physically that, a trace that proves a trojans existence, or has existed on the system previously. Traces are commonly known as footprints. trojans usually copy themselves, or copy components to preset locations on the system. If this is unique to that particular trojan only, then we can add it as a trace, and thus can check if that particular trace exists.

An example of a Netbus Trace is c:\windows\keyhook.dll

This is the default location that Netbus will copy its keylogger component. Simply because this filename exists, is good enough for TDS-3 to show an alarm.

- end quote -

I tend to think that D&C has no Trojan.
What the scan dump shows, is an false alert that can jump up if TDS-3 has no admin rights or if TDS-3 has no access to read a file/folder.

I see these things in the postings by D&C:

1.
Also, something else really strange - I can't seem to get access to the directory the files are supposedly in. XP says "Access is Denied", even though I have administrative rights.
2.
A scan of the ...\Documents subdirectory by NOD32 shows: ""Directory path C:\Documents and Settings\All Users\Documents\ is invalid.".

I don't know whether this is normal on a XP-system (I don't have XP).
But it looks to me that if NOD32 has a problem with that directory, TDS-3 also might have a problem with that directory, so TDS-3 might not be able to read that directory and then TDS-3 could give a false alarm about file-traces.

So the question is:
Why is there a problem with that directory (as both NOD32 and TDS-3 seem to have a problem with it)?

Is there perhaps a corruption on the disk (wild guess)?
D&C, could you do a scandisk and see whether there is a problem?

Which version of XP are you using: XP home or Pro?

 

XP Home. I agree with your assessment above. I believe there is a problem with that directory. Will try a scan of disk. Thanks!

 

Do i understand you understood FanJ asked a windows scandisk first of all, which would repais eventual corruptions if there are.

Delete that whole folder. And make sure every anti-virus also resident scanners parts are closed completely to be able to do so. TDS never blocks access, so you know it is the other scanner not completely closed.
Close that thing completely before doing all this. Something is blocking your access to the files/folder so close those blockers.
After disabling system restore, reboot all restore points are wiped out with that action automatically, which is why you need to make manually a new restore point after enabling it again.
That reboot is imperative in this part.
After you do another scan with either TDS OR NOD32
If you still find the files you post a hijackthis log for the experts to look for you.

Have another time a step by step look through this "Obsorb trojan" page
http://securityresponse.symantec.com/avcenter/venc/data/trojan.obsorb.html
Did you ever see the image displayed on that descriptive page? If not, the trojan might not have been running to do it's job, but it's still good to do the steps described properly, so this is why it is important to post your hijackthis log and maybe also an autostartviewer log.
Has ever one of your scanners ever detected and cleansed anything at all?

 

Jooske,

I believe FanJ has the answer. I don't think I ever had the Obsorb trojan. I read about Obsorb at that link. I never saw that message displayed, and do not have those registry entries. I also never had any unusual occur that would indicate I was infected.

I think something happened to that directory (.../Documents) and that TDS is displaying false warnings because it could gain access to the directory, as FanJ stated.

Not sure what's wrong with the directory. NOD32 does not have any record of coming across any type of malware since I installed it. However, I shut it down, and could still not access OR delete the folder. It's apparently a system folder, or so Windows tells me. I also ran a throrough disk scan - found no problems.

I'm going to try to post the problem on a Windows XP forum and see if I can get any possible solutions. Thanks!

 

Hi D&C,

May I do another wild guess....

I saw that you use ABI-CODER .
I don't know anything about it.
So I had a quick look at their site http://www.abisoft.net/bd.html
It seems to be an encryption-tool by which you can encrypt files.

Could your problem maybe have been caused by somehow encrypting that directory or files in it?

Sorry, it's only a wild guess.....

 

Finally! I've fixed the problem. Using an MS Knowledge Base Article I was able to take control of the folder after restarting PC in Safe Mode. Not sure what caused the problem, but TDS is no longer detecting a problem or the traces of Obsorb. So, in retrospect, I'm not sure that I ever crossed paths with the trojan that TDS found traces of, but I do thank TDS for bringing the folder problem to my attention.

Now that I've spent 25% of my weekend fixing this problem, I'm going to have a drink before starting another week of work. And I'll have an extra one for each of you that assisted in the debugging efforts. Thanks again!!

 

I'm very happy that you could fix it, D&C !

 

I was not 100% certain if you would have been infected before, and now you stepped through the description and registry checking to make sure this is one thing to make it extra certain.
We spent some time digging over internet, reading and searching and on the phone discussing several options.
The folder could be one the system needs or blocked somehow (the corruption with a deep scandisk could repair a possible corrupt folder/directory) and if not it could be deleted in safe mode.
I do hope XP is protected so well if a folder is needed it recreates it after deletion.

Can you be so kind as to post the link to the MS knowledgebase article for our education please? Thanks.

BTW: if you are looking for encryption software you will really love CryptoSuite; have a look at www.diamondcs.com.au/cryptosuite ; read more in the cryptosuite forum here.

 

I came across this thread while looking for a solution. I did find one so I'll post the details of where to look and what to do that dazed_and_confused left out.

Microsoft Knowledge Base Article - 810142 - the cause
Microsoft Knowledge Base Article - 318754 - details about using the solution

It took several attempts to find the right parameters to get things to work. Here's what I ran in console. Adjust path and username as needed.

C:\Documents and Settings\All Users>"c:\program files\resource kit\xcacls" "c:\documents and settings\all users\documents" /T /G usernameRWD;PRWD