Need help deciphering what TDS-3 found

Discussion in 'Trojan Defence Suite' started by Delias, Apr 28, 2004.

Thread Status:
Not open for further replies.
  1. Delias

    Delias Guest

    We started having problems (started slowing down and IE wasn't working properly) with our computer last Friday.

    Since then I have done the following:
    Ran Adaware, Spybot S&D, ran three separate anti-virus scans (two online (Trend and CA), one on the computer (NAV)). Microsoft updates, NAV virus updates, AdAware updates and Spybot S&D updates were all current before doing any scans.

    AdAware and Spybot both found a few things but were cleaned first time through and haven't shown up since running those two a few more times. If it helps I can paste what they found. The Trend AV scan was done first and showed nothing, so did both of the other AV scans.

    Since we then started having problems with another program (Window Washer) I downloaded TDS-3 after the tech help from Window Washer didn't solve that problem. (They suggested the freeze problem with Window Washer was a corrupted cookie)

    TDS-3 gave me the following:
    Alarm:
    File Trace: Default trojan filename
    Name:
    RAT.Fraggle Rock Lite [Keylog]
    File:
    C:/system.dll

    I found one reference on this forum about RAT.Fraggle Rock Lite and then made double sure I was running TDS-3 from Administrator. I got the same alarm from TDS-3.

    Is this a false alarm? If so, how can I be sure? If not how do I correct the problem?

    If someone needs a Hijackthis log I can provide that as soon as I can get back to the computer in question and run HJT.

    Thank you for any help!
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hello Delias. Quite a story; can you please post your operating system details?
    I am pretty sure that C:\system.dll is the culprit, as there should be no such .dll in the root directory if you are running XP.

    Please ZIP a copy of it and email to submit@diamondcs.com.au - Once you have done that please try and rename system.dll to system.bak, if you cannot do it in normal windows please try to do so in Safe mode.

    If you have TDS3 with the latest radius file do a full scan with all of the Scan options selected in the Configuration window.

    If the alert comes up again you can choose to delete the file, but please do not delete it until you have sent a copy to DCS.

    HTH Pilli
     
  3. Delias

    Delias Guest

    Thanks Pilli,

    I guess I did leave out a few things.

    OS is Windows XP Home Edition, current on all critical updates per Microsoft site.

    As soon as I can I will zip up the file and send it your way and afterwards attempt your suggestions.

    Thanks for your help!

    Delias
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    C:/system.dll is frequently the dropper for a high-rate phone dialler for porn sites.

    To remove the rest of the files it drops, if Ad-Aware hasn't already, and to see what else is there, please do this:

    Go to https://www.wilderssecurity.com/showthread.php?t=12516 and download 'Hijack This!'.
    Make sure it is placed into its own folder, not a temporary folder. Then double-click the Hijackthis.exe.
    Click the "Scan" button. When the scan is finished the Scan button will become "Save Log"; click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  5. Delias

    Delias Guest

    dvk01 -
    Porn phone dialer...huh, interesting...

    A few questions, as Windows is doing a full scan at start up and seems to be taking its sweet time (i.e. sending the HijackThis log and system.dll will take longer than I expected).

    Should the hijackthis log be run only in normal bootup or is safe mode okay? I plan on attempting to zip the suspect file in safe mode.

    I'm assuming I should disable the system restore function in XP before renaming or deleting the suspect system.dll file?

    Thanks!
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    You need to run HJT in normal mode, as we need to see what is starting and running; in safe mode it will only show what runs in safe mode, and most baddies don't run when in safe mode.

    Don't worry about system restore until you have fixed everything that needs fixing.

    If you disable system restore now with any baddie still on there and re-enable it, they will be put straight back into the restore folder.
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Delias. The full scan does take time and is best done with your AV disabled. The full scan is a very deep scan and uses a lot of resources; usually one would do it maybe once a week when you are away from your PC.

    HJT should be done in normal mode, when all the normal services are running.

    If the file is found to be suspect then disabling system restore, rebooting, then re-enabling would be a good idea :)

    Cheers Pilli
     
  8. Delias

    Delias Guest

    Here is the requested HJT log after using TDS-3 to whack 7 suspect files (double extensions) and 4 copies (my assumption) of the same porndial.a.

    Big Thanks to all that are helping!

    Logfile of HijackThis v1.97.7
    Scan saved at 9:22:49 PM, on 4/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\HJT\HijackThis.exe

    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Gronk"
    O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Gronk"
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38030.6707986111
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
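    To make a log like the one above easier to review, here is an added parser for the HijackThis 1.97 line format (example code written for this page, not HijackThis's own or the poster's); it assumes the line shapes seen in the posted log, and the sample embedded in it is a constructed subset of those lines.

```python
import re
# Line shapes of a HijackThis 1.97 log as posted in this thread (format inferred from those lines).
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[([^\]]*)\] (.*)$")
# Executable part of a Run command: a quoted path, else the text up to the first .exe token.
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)(?=\s|$)', re.IGNORECASE)

# Constructed sample: a subset of the lines from the log in post 8.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Webroot\Washer\wwDisp.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
"""

def parse_log(text):
    """Split a log into the running-process list and (section, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            processes.append(line)
        elif (m := ENTRY_RE.match(line)):
            entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}

def autostarts(parsed):
    """O4 registry Run/RunOnce entries, with the executable split out of the command."""
    out = []
    for code, body in parsed["entries"]:
        m = RUN_RE.match(body) if code == "O4" else None
        if m:
            hive, key, name, cmd = m.groups()
            e = EXE_RE.match(cmd)
            out.append({"hive": hive, "key": key, "name": name,
                        "exe": (e.group(1) or e.group(2)) if e else cmd})
    return out

def bare_filenames(parsed):
    """Autostart names whose executable has no directory; locate them on disk before judging."""
    return [a["name"] for a in autostarts(parsed) if "\\" not in a["exe"]]
```

    Entries whose executable is given as a bare filename (here SoundMan and NvCplDaemon) are the ones a reviewer has to resolve against the running-process list before deciding whether they are harmless.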
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    That log looks clear; TDS should have got them all.
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Well that is good news - Thanks dvk01 :)
     
  11. Delias

    Delias Guest

    dvk01- Thank you for looking. That was much welcomed news!

    Pilli- Is there any way to keep updated on the file I sent to the address you suggested?

    I can't say it enough, Thank you both for all your help!

    Delias
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Gavin will probably email you with his analysis or post here :)

    Glad to have been of assistance.
     