Need Help :(

Discussion in 'Trojan Defence Suite' started by micaelis, Nov 9, 2004.

Thread Status:
Not open for further replies.
  1. micaelis

    micaelis Guest

    Hi, I got this alarm from my TDS-3:

    Scan Control Dumped @ 13:58:45 09-11-04
    RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Windows Compliant=blyfcl.exe]

    RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\RunServices [Windows Compliant=blyfcl.exe]

    Just want to know, is this bad? Because I never got any alarm with my AV.

    thanks in advance.

    regards,
    micaelis
     
  2. FanJ

    FanJ Guest

    Hi micaelis,

    Just to make sure:
    Are you running TDS-3 as admin ?

    Please have a look at the following thread from Gavin:
    RUN AS for TDS-3 - TRACE scan, multiple user problems

    I am not saying that this must be the reason of your alert, but please have a look at that thread, and -if needed- follow the guidelines from Gavin in that thread.

    Does that solve your problem ?
    Please let us know !

    Cheers, Jan.
     
  3. micaelis

    micaelis Guest

    Hi FanJ,

    I'm pretty sure I was running as admin, but I'll try those guidelines and see if it fixes the problem. Thanks FanJ (I'll let you know tomorrow what happens
    when I get back to work :) )

    thanks again!

    regards,
    micaelis
     
  4. micaelis

    micaelis Guest

    Hi FanJ,

    The alarm is still there:

    Scan Control Dumped @ 14:37:35 10-11-04
    RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\RunServices [Windows Compliant=blyfcl.exe]

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\irving\local settings\temp\hp psc 900 series\cdimage\setup\motive\install.wse.exe

    Positive identification: Demo.Leaktest 1.1 (Not a trojan)
    File: c:\documents and settings\irving\my documents\leaktest.exe

    Positive identification: DDoS.RAT.SDBot.jg2
    File: c:\windows\system32\tftp2628 <------ this one is new :( ( I don't know where it came from. I tried scanning it with my AV and another AT program but did not get anything. )


    regards,
    micaelis
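The TDS-3 alarm lines quoted above follow a fixed two-line shape: a header naming the alert kind and signature, then a `File:` line holding either a path or a registry key with `[name=data]` appended. As an added example (not TDS-3 code, and not from anyone in the thread), the Python below parses such a dump into records and separates autostart persistence entries, which need the Run/RunServices cleanup, from informational hits like the leaktest demo; the sample dump is constructed from the alerts in this post, and the `Alert` fields and helper names are my own.

```python
import re
from dataclasses import dataclass
# Constructed sample in the two-line "Scan Control" dump format quoted in the thread.
SAMPLE_DUMP = """Scan Control Dumped @ 14:37:35 10-11-04
RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
File: Software\\Microsoft\\Windows\\CurrentVersion\\RunServices [Windows Compliant=blyfcl.exe]

Positive identification: Demo.Leaktest 1.1 (Not a trojan)
File: c:\\documents and settings\\irving\\my documents\\leaktest.exe

Positive identification: DDoS.RAT.SDBot.jg2
File: c:\\windows\\system32\\tftp2628
"""
# Leaf names of CurrentVersion keys that launch programs at logon: a hit here is persistence.
AUTOSTART_KEYS = {"run", "runonce", "runservices", "runservicesonce"}
REGVAL_RE = re.compile(r"^(?P<key>.+?) \[(?P<name>[^=\]]+)=(?P<data>[^\]]*)\]$")

@dataclass
class Alert:
    kind: str          # "RegVal Trace", "Positive identification", "Suspicious Filename"
    detail: str        # signature name or description
    target: str        # registry key or file path from the "File:" line
    severity: str      # "high", "low" or "info"
    hive: str = ""     # the next three are filled for registry alerts only
    value_name: str = ""
    value_data: str = ""

def parse_dump(text: str) -> list[Alert]:
    # Pair each alert header with the "File:" line that follows it.
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    alerts = []
    for head, body in zip(lines, lines[1:]):
        if ": " not in head or not body.startswith("File: "):
            continue                       # e.g. the "Scan Control Dumped @" banner
        kind, detail = head.split(": ", 1)
        alert = Alert(kind, detail, body[len("File: "):], "low")
        if kind == "RegVal Trace":         # detail is "<signature>: <hive>"
            alert.detail, alert.hive = detail.rsplit(": ", 1)
            if m := REGVAL_RE.match(alert.target):
                alert.target, alert.value_name, alert.value_data = m.group("key", "name", "data")
            leaf = alert.target.rsplit("\\", 1)[-1].lower()
            alert.severity = "high" if leaf in AUTOSTART_KEYS else "low"
        elif kind == "Positive identification":
            alert.severity = "info" if "(not a trojan)" in detail.lower() else "high"
        alerts.append(alert)
    return alerts

def autostart_removals(alerts: list[Alert]) -> list[tuple[str, str, str]]:
    # (hive, key, value name) triples to delete, i.e. the Autostart Explorer cleanup step.
    return [(a.hive, a.target, a.value_name) for a in alerts
            if a.kind == "RegVal Trace" and a.severity == "high"]
```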
     
  5. FanJ

    FanJ Guest

    Hi micaelis,

    Sorry to hear that !

    First the two easier ones:

    1.
    Suspicious Filename: Dual extensions
    File: c:\documents and settings\irving\local settings\temp\hp psc 900 series\cdimage\setup\motive\install.wse.exe

    By default TDS-3 warns you for such files with dual extensions.
    Sometimes they are harmless, sometimes not...

    What if you clear your temporary file/folders ?


    2.
    Positive identification: Demo.Leaktest 1.1 (Not a trojan)
    File: c:\documents and settings\irving\my documents\leaktest.exe

    Nothing wrong here.
    It is only a demo.
    Up to you whether to delete it or not.
     
  6. micaelis

    micaelis Guest

    Hi FanJ,

    I actually knew about the double extension and leaktest :) but the one thing that really bothers me is the DDoS.RAT warning. I just want to know if it's alright to ignore this warning. :(

    Thanks FanJ

    regards,
    micaelis

    P.S. I wonder what advice the DCS crew can give me.
     
  7. FanJ

    FanJ Guest

    Now about the other two ones:

    Scan Control Dumped @ 14:37:35 10-11-04
    RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\RunServices [Windows Compliant=blyfcl.exe]

    Positive identification: DDoS.RAT.SDBot.jg2
    File: c:\windows\system32\tftp2628 <------ this one is new ( I don't know where it came from. I tried scanning it with my AV and another AT program but did not get anything. )

    Did you let TDS-3 do a full system scan while your other scanners (AV for example) were temporarily disabled?

    Could you give more info about your Windows version and anti-virus program?

    About this file:
    c:\windows\system32\tftp2628
    Could you please send it to Gavin: submit at diamondcs.com.au, zipped if possible.
    What is the extension of that file?

    Maybe we need expert help here from Gavin and/or HJT-experts.
     
  8. micaelis

    micaelis Guest

    Hi FanJ,

    I did a TDS-3 full scan with my AV on, but let me give it a try with my AV off (hopefully I can do it today, 'cause I'm about to leave the office :) ). The file type for "c:\windows\system32\tftp2628" is unknown. BTW, I'm using NOD32 (everything is up to date). Thanks again, FanJ.

    regards,
    micaelis
     
  9. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined: Feb 10, 2002 | Posts: 2,080 | Location: Perth, Western Australia
    Definitely remove both the EXE file and that TFTP file! Make sure you are updated with Windows Update; you were exploited, that's why you have a TFTP file!

    Here's what to do. First, update with Windows Update.
    While you wait, run TDS and go to the Autostart Explorer (press CTRL-A).
    In there, find this:

    Windows Compliant = blyfcl.exe

    There are 2 entries; right-click and delete both. Kill blyfcl.exe with the Task Manager too, and email the file blyfcl.exe to submit@diamondcs.com.au. Then delete it.

    Also delete c:\windows\system32\tftp2628, either manually or by right-clicking the alarm and deleting it with TDS.

    After Windows Update completes, allow it to reboot or reboot manually; you should be clean now. But please email support a log from ASViewer:
    http://www.diamondcs.com.au/index.php?page=asviewer

    Not surprised your AV missed these, things are getting worse with these open source trojans.
     
  10. FanJ

    FanJ Guest

    Thanks Gavin for jumping in !!! :D

    Warm regards, Jan.
     
  11. micaelis

    micaelis Guest

    Hi FanJ & Gavin,

    Sorry for the late reply. I did some updates and deleted those files. I made a backup of the file to send it to you, Gavin. Thank you so much, FanJ and Gavin.

    regards,
    micaelis

    (Kinda disappointed with my NOD32 :( but good thing I have TDS-3 :p )
     