Need help deciphering what TDS-3 found

We started having problems (started slowing down and IE wasn't working properly) with our computer last friday.

Since then I have done the following:
Ran Adaware, Spybot S&D, ran three separate anti-virus scans (two online (Trend and CA), one on the computer (NAV)). Microsoft updates, NAV virus updates, AdAware updates and Spybot S&D updates were all current before doing any scans.

AdAware and Spybot both found a few things but were cleaned first time through and haven't shown up since running those two a few more times. If it helps I can paste what they found. The Trend AV scan was done first and showed nothing, so did both of the other AV scans.

Since we then started having problems with another program (Window Washer) I downloaded TDS-3 after the tech help from Window Washer didn't solve that problem. (They suggested the freeze problem with Window Washer was a corrupted cookie)

TDS-3 gave me the following:
Alarm:
File Trace: Default trojan filename
Name:
RAT.Fraggle Rock Lite [Keylog}
File:
C:/system.dll

I found one reference on this forum about RAT.Fraggle Rock Lite and then made double sure I was running TDS-3 from Administrator. I got the same alarm from TDS-3.

Is this a false alarm? If so, how can I be sure? If not how do I correct the problem?

If someone needs a Hijackthis log I can provide that as soon as I can get back to the computer in question and run HJT.

Thank you for any help!

 

Hello Delias, Quite a story, can you please post your operating sytem details.
I am pretty sure that that C:\system.dll is the culprit as there should be no such .dll in the root directory if you are running XP.

Please ZIP a copy of it and email to submit@diamondcs.com.au - Once you have done that please try and rename system.dll to system.bak, if you cannot do it in normal windows please try to do so in Safe mode.

If you have TDS3 with the latest radius file do a full scan with all of the Scan options selected in the Configuration window.

If the alert comes up again and you can choose to delete the file but please do not delete it until you have sent a copy to DCS.

HTH Pilli

 

Thanks Pilli,

I guess I did leave out a few things.

OS is Windows XP Home Edition, current on all critical updates per Microsoft site.

As soon as I can I will zip up the file and send it your way and afterwards attempt your suggestions.

Thanks for your help!

Delias

 

dvk01 -
Porn phone dialer...huh, interesting...

A few questions as Windows is doing a full scan at start up and seems to be taking its sweet time (ie. sending the hijackthis log and system.dll will take longer then I expected)

Should the hijackthis log be run only in normal bootup or is safe mode okay? I plan on attempting to zip the suspect file in safe mode.

I'm assuming I should disable the system restore function in XP before renaming or deleting the suspect system.dll file?

Thanks!

 

Hi Delias, The full scan does take a time and is best done with your AV disabled. The full scan is a very deep scan and uses a lot of resources, usually one would do it maybe once a week when you are away from your PC.

HJT should be done in normal mode when all the normal services are running

If the file is found to be suspect then disabling system restore rebooting then re-enabling would be a good idea

Cheers Pilli

 

Here is the requested HJT log after using TDS-3 to whack 7 suspect files (double extensions) and 4 copies(my assumption) of the same porndial.a

Big Thanks to all that are helping!

Logfile of HijackThis v1.97.7
Scan saved at 9:22:49 PM, on 4/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\HJT\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Gronk"
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Gronk"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38030.6707986111
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Well that is good news - Thanks dvk01

 

dvk01- Thank you for looking. That was much welcomed news!

Pilli- Is there anyway to keep updated on the file I sent to the address you suggested?

I can't say it enough, Thank you both for all your help!

Delias

 

Gavin will probably email you with his analysis or post here

Glad to have been of assistance.