Need help with TDS Alarm

Discussion in 'Trojan Defence Suite' started by richrf, Dec 24, 2003.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    I am evaluating TDS Professional and ran a scan. It came back with an Alarm that read:

    File trace: Default trojan filename
    Trojan.Obsorb please submit
    Documents and Settings/All Users/Documents/Nasty.exe, Ezy.exe, Obsorb.exe

    I marked these files deleted and it came back that the files are deleted but when I reran the scan the same messages were reported.

    In addition, I tried to open up the folder but XP disallowed access and reported no files in this folder.

    I would appreciate it, if someone can explain to me what is going on. Thank you very much for any assistance that you can provide me.

    Sincerely,
    Rich
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Rich,
    after deletion and the new scan, were they in the same location or in system restore or other place?
    You did not submit them as the indication was?
    submit@diamondcs.com.au and submitviruses@yahoo.com.au

    Hope XP users can tell if there should be any files in that folder (which sounds like a normal common folder).
    See a description here which says it can only run on Win9x systems, so your XP should be safe; it tells you to get to the files in safe mode to remove them, and lists step by step the registry keys and locations which might be there to be removed -- I guess they should not be there, as it can never have run at all on your XP system, fortunately.

    After the system is clean, put back the system restore function (all possible infected former restore points have gone with disabling it) and don't forget to manually make a new restore point, so you have a clean one to restore to.


    I hope it helps; please keep us posted how it goes.
     
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Jooske,

    Thanks much for offering your assistance.

    1) Yes, the files still appeared in the same folder - the folder is inaccessible.

    2) Norton does not find any virus after I run a complete system scan.

    3) I tried submitting but I cannot get the email to work. I think I need a password and there doesn't seem to be a way to enter a password in TDS.

    4) I followed the instructions on the sheet that you directed me to. I don't think there was anything to delete in the registry. The directions are a bit ambiguous (lousy).

    5) The TDS scan reports 0 files read yet it reports this Alarm in the File scan. I can't figure out what it is reading to report this Alarm.

    6) I ran RAV online virus detection on this folder and it also reported no viruses detected.

    Do you have any idea why TDS is reporting a virus and in a folder which seems to have no files?

    Thanks for all of your help.

    Sincerely,
    Rich
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Is your system set to show all files, including hidden ones?
     
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    I changed the settings to show all hidden and system files. The results, after running TDS, appear to be the same. I tried to delete the files, TDS reports that they are deleted, but when I re-run, the files are still reported as being there. I still cannot access this directory. It is marked as read-only, and the system does not allow me to change its attribute. Norton does not report any files in this folder nor does it report any viruses.

    Thanks for your help.

    Rich
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Rich,

    Give this a go: disable system restore, reboot, perform another full scan - if necessary in the Safe Mode.

    Keep us posted.

    regards.

    paul
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Paul, I would if possible like the files --if there are any-- to be forwarded to Gavin.
    Either there is something in the coverage of trojans which might be able to be refined, but then there need to be files, so indeed a reboot in safe mode would be a next option to try to get to the files, or via MS-DOS (is that still possible in XP?).
    The disable / enable system restore / make a manual new restore point after that would be a next step, yes, for sure!

    Rich, did you install any software recently, or did you receive and maybe open a possibly suspicious email?
     
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi everyone,

    I turned off system restore and went into safe mode. I attempted to get into the directory through the cmd prompt ... but access was denied. It has a Read-only attribute that cannot be changed.

    McAfee could not find any virus ... but I am not sure it is checking this directory since it appears all access is denied. Which begs the question ... how does TDS access it?

    I re-ran TDS and got the same results. While it says that the files are deleted, they are still there.

    Thanks for all of your help.

    Wishing you a happy holiday season! :)

    Rich
     
  9. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi again,

    I have loaded new programs lately, but all came from good sources.

    I do not download email. I use the yahoo online web service.

    How do I do a manual restore? It seems like I can only turn on system restore again.

    Thanks

    Rich
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Rich,
    it could be interesting to know when you first got this alarm and if you can find out exactly which programs you installed.
    It could be there exists some trojan code close to what is checked on your system, so if there would be files and if the TDS lab can get a hand on your files they might be able to refine detection so you're not bothered any longer :)

    You did not have the specific registry keys, and the trojan --if it is there at all-- can't run on an XP system at all, so you're still on the safe side of it.

    Once you went to the same area to enable system restore again, you have options to create a new system restore point from there.
    It's important you create a new restore point as with the disable system restore and reboot all former restore points have disappeared and you need a point to be able to turn back to just in case.
    Maybe a XP user can walk you step by step through that part.
     
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Jooske,

    First, I wanted to wish you a very happy holiday! :)

    I first detected the virus yesterday, but I have no idea when it may have first been installed in the directory, since I am primarily using Norton at this time for protection. I am in the process of evaluating TDS-3.

    I have tried all kinds of ways of getting into the folder and looking to see whether the files are already there, but the folder seems to be completely inaccessible. If you have any ideas - I am all ears. Otherwise, I have no idea of how to verify the existence of these files - or how to delete them.

    Any ideas of how I can get them over to you?

    Regards,
    Rich
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Let's take this one from a different angle. Have a look at this thread, and post your HJT log please - don't do anything else other than posting ;)
     
  13. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Here it is!

    Logfile of HijackThis v1.97.7
    Scan saved at 3:41:02 AM, on 12/25/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\JGsoft\EditPadLite\EditPad.exe
    C:\Program Files\TrojanHunter 3.7\TrojanHunter.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Rich F\My Documents\Downloads\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Rich F\Application Data\Mozilla\Profiles\default\2dytn477.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Rich F\Application Data\Mozilla\Profiles\default\2dytn477.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4310/mcfscan.cab

    :) :) :)
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In the meantime thinking of a nice file, from the DiamondCS sites in the free tools
    dellater:
    Put DelLater in the root, C:, for easy path access.
    All you have to do is get a command prompt at C:\ > and type in dellater.exe<space>Driveletter\Folderpath\fullfilenamewithextension, and hit Enter, to get the popup confirmation.
    Then reboot.
    Maybe it works for your hidden files as well, fingers crossed. The popup should at least tell if the file has not been found. If it works no samples for the lab, but at least your system is cleaned from them.

    I'm not familiar enough to check all in the hijackthis posting, sure you will get good comments soon.
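
    As an added example (not from the thread, and not DelLater's own code, whose internals the post does not describe): the standard Windows mechanism for deleting a file that cannot be opened now is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the request under PendingFileRenameOperations so Session Manager deletes the file early in the next boot, before user-mode programs can hold it open. The script below queues one file that way and then shows the pending entry. It assumes a PowerShell-capable Windows session run as an administrator (writing the request needs rights on HKLM); the file path is a hypothetical placeholder.

```powershell
# Added example, not the original post's code. Queues a file for deletion at next boot via
# MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), then shows the pending entry Session Manager
# will process during boot. Run from an elevated prompt.
param(
    # Hypothetical placeholder; pass the full path of the file the scanner named.
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$signature = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$Kernel32 = Add-Type -MemberDefinition $signature -Name 'NativeMethods' -Namespace 'DelLaterDemo' -PassThru

$MOVEFILE_DELAY_UNTIL_REBOOT = 4           # value from winbase.h
$full = [System.IO.Path]::GetFullPath($Path)

# A null destination combined with the delay flag means "delete at reboot". The file does not
# have to be openable now: the request is only recorded in the registry at this point.
if (-not $Kernel32::MoveFileEx($full, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "MoveFileEx failed for '$full' (Win32 error $err)"
}
Write-Host "Queued for deletion at next boot: $full"

# Verify: requests are stored as source/destination pairs; an empty destination means delete.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
(Get-ItemProperty -Path $key -Name PendingFileRenameOperations).PendingFileRenameOperations
```

    The last line lists every pending rename/delete, so you can confirm the entry is present before rebooting. If the scanner still reports the same file after the reboot, either something re-created it or it was never on disk at the path reported, which is the distinction this thread is trying to settle.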
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi richrf,

    There is nothing wrong with your log.
    The reason you can't delete those files is because that folder is Read Only for every account (even Administrator)

    To change that:

    XP-Home

    However, you can set XP Home permissions in safe mode. Note, Windows may ask for the administrator's password. This is not the one for your administrator account, rather it is the machine's administrator account for which users are asked to create a password during setup.

    If you created no such password, when requested, leave blank and press enter.

    Open Explorer, go to Tools and Folder Options, on the view tab, scroll to the bottom of the list, if it shows "Enable Simple File Sharing" deselect it
    and click apply and ok. If it shows nothing or won't let you make a change, move on to the next step.

    Navigate to the files, right click, select properties, go to the Security tab, click advanced, go to the Owner tab and select the user that was logged on when you were refused permission to access the files. Click apply and
    ok. Close the properties box, reopen it, click add and type in the name of the user you just enabled. If you wish to set ownership for everything in the folder, at the bottom of the Owner tab is the following selection:
    "Replace owner on subcontainers and objects," select it as well.

    Once complete, you should be able to do what you wish with these files when you log back on as that user.


    XP-Pro

    If you have XP Pro, temporarily change the limited account to administrative. First, go to Windows Explorer, go to Tools, select Folder Options, go to the View tab and be sure "Use Simple File Sharing" is not selected. If it is, deselect it and click apply and ok.

    If you wish everything in a specific folder to be accessible to a user, right click the folder, select properties, go to the Security tab, click Advanced, go to the Owner tab,
    select the user you wish to have access, at the bottom of the box, you should see a check box for "Replace owner on subcontainers and objects," place a check in the box and click apply and ok.

    The user should now be able to perform necessary functions on files in the folder even as a limited account. If not, make it an admin account again, right click the folder, select Properties, go to the Security tab and be
    sure the user is listed in the user list. If not, click add and type the user name in the appropriate box, be sure the user has all the necessary permissions checked in the permission list below the user list, click apply and ok.

    That should do it and allow whatever access you desire for that folder even in a limited account.

    HTH,

    Pieter
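
    The Explorer steps above, scripted, as an added example that is not from the post or the thread. It shows the folder's attributes (the Hidden check Jooske asked about in post 4), its owner and DACL, lists the contents including hidden and system files, and with -TakeOwnership performs the owner change and grants the current user Full Control, inherited by subfolders and files. It assumes a PowerShell-capable Windows session run as an administrator; the default path is a placeholder matching the folder named in the thread. One caveat worth knowing: the Read-only attribute on a folder does not deny access (Windows uses it to mark folders with customised views), so an "access denied" on a folder comes from its owner and DACL, which is what this script inspects and fixes.

```powershell
# Added example, not the original post's code: scripted equivalent of the Explorer
# Security / Owner steps. Inspect first; pass -TakeOwnership to change the owner and
# add a Full Control ACE for the current user. Run from an elevated PowerShell session.
param(
    # Placeholder default; the folder the thread names.
    [string]$Target = 'C:\Documents and Settings\All Users\Documents',
    [switch]$TakeOwnership
)

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host "Running as: $($me.Name)"

# 1. Attributes. Hidden/System folders are not shown by default; ReadOnly on a folder is
#    only a hint to Explorer, not an access-control restriction.
$item = Get-Item -LiteralPath $Target -Force          # -Force includes hidden/system items
Write-Host "Attributes: $($item.Attributes)"

# 2. Owner and DACL. This is where "access denied" actually comes from.
$acl = Get-Acl -LiteralPath $Target
Write-Host "Owner: $($acl.Owner)"
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# 3. Contents as visible with the current rights, hidden and system files included.
try {
    Get-ChildItem -LiteralPath $Target -Force -ErrorAction Stop |
        Format-Table Name, Length, Attributes, LastWriteTime -AutoSize
} catch {
    Write-Warning "Cannot list $Target : $($_.Exception.Message)"
}

if ($TakeOwnership) {
    # Taking ownership needs SeTakeOwnershipPrivilege, i.e. an elevated administrator.
    $acl.SetOwner($me.User)
    Set-Acl -LiteralPath $Target -AclObject $acl

    # Now that we own it, add Full Control for ourselves, inherited by subfolders and files
    # (the "Replace owner on subcontainers and objects" effect from the post).
    $acl  = Get-Acl -LiteralPath $Target
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $me.Name, 'FullControl',
        'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Target -AclObject $acl

    Write-Host "Owner is now: $((Get-Acl -LiteralPath $Target).Owner)"
}
```

    Run it once without -TakeOwnership to see who owns the folder and which ACEs deny or omit your account; that output tells you whether the folder really is empty or whether you simply could not read it, which is the question left open in this thread.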
     
  16. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    There are a couple more possibilities,
    Check your TDS3 folder for any 0 Byte files and delete them, these can sometimes lead to erroneous results
    Re-install TDS3 with no other programs running as there may have been some corruption during the install.

    Enjoy your Christmas and hope that we can soon resolve your problem.

    Our turkey is nearly cooked! :D
     
  17. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Peter,

    Thank you very much for your help ... and wishing you a very happy holiday season. :)

    The strangest thing ....

    I went through the process that you suggested, which enabled me to access the "Documents" folder. But when I accessed this folder, the "All Users" folder had vanished. Then I re-ran TDS-3 and it no longer reported the viruses being there. What a strange, strange situation. Any ideas about what may have happened? o_O

    Thanks to all who have helped me out.

    Regards,
    Rich
     
  18. marie

    marie Registered Member

    Joined:
    Jan 12, 2004
    Posts:
    3
    The exact same thing is happening to me - same alert, file names, location, can't open Documents folder, TDS can't delete. Has additional information come to light? I'm really uncertain how things turned out for richrf. After he gained access to the Documents folder, did he then lose his entire All Users folder? I don't want that to happen!

    Was there anything in the Documents folder after all? or was it really empty? Did TDS3 alert to the files and then allow deletion, or were the files just not there? I don't really understand what happened.
    And I'm not confident in my ability to do things like this.

    I'd like to send the files to TDS, but can't figure out how to do the email configuration settings.
     
  19. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Marie, You can ZIP them up & send them using your normal email programme to support@diamondcs.com.au
     
  20. marie

    marie Registered Member

    Joined:
    Jan 12, 2004
    Posts:
    3
    Except, I can't open the All Users\Documents folder to do that. TDS is the only one claiming they exist (computer search with all files unhidden finds nothing). The folder's Properties says it is empty but TDS keeps finding them there. I thought the email feature in the TDS console could get at them - somehow! - to mail them. (Can it?)
     
  21. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Please will you right click on the "All Users" folder then select Properties; this should open a box called "All Users Properties". Now look at the Attributes section and make sure that "Hidden" is not ticked. If it is ticked then this could be the reason you are not seeing the files within.
    For instance, this is the path to a backup catalogue under All Users.

    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\NTBackup\catalogs51\2F8470CF.V01
     
  22. marie

    marie Registered Member

    Joined:
    Jan 12, 2004
    Posts:
    3
    It looks like things are okay now. The Documents folder itself wasn't hidden, nor was All Users. I went to the Security tab, and then I could open the folder. The files weren't there. Ran the scan again and it came up clean, so it looks like I'm in good shape. I didn't lose the All Users folder, or whatever it was that richrf said happened to him. I appreciate your help.
     