Newbie: Help with positive identification

Discussion in 'Trojan Defence Suite' started by roadrunner191, Mar 13, 2005.

Thread Status:
Not open for further replies.
  1. roadrunner191

    roadrunner191 Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    6
    I just recently installed this software and got the following alarm:

    Positive identification (DLL): TrojanSpy.Win32.SCKeyLog.j (dll)
    File: c:\winnt\system32\sysdll.dll

    When I right-click on the file, it does not allow me to delete it. Is this some form of spyware, and how can I get rid of it?

    Thx.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello there.
    That is a keylogger, and as long as it's running it will not be killed.
    You can look in the task manager for this process, trojanspy.win32.sckeylog.j_(5).exe, and kill that.
    Then delete it in the TDS alert window.
    Now do another search with Windows Explorer for the file trojanspy.win32.sckeylog.j_(5).exe.
    Delete it.
    If you're not 100% sure of the sysdll.dll, rename it by adding .tmp behind it, or save a zipped copy, till you're sure about it.
    Now disable your system restore, reboot and enable system restore again, and manually create a new restore point. Now all the older restore points have gone, and you have a clean one to go back to in future if necessary.


    I'll tell you why I'm careful about not deleting the sysdll.dll completely yet. There are more trojans using that filename, but in other locations, and then more other files are involved (like AIM thief etc.).
    In the descriptions for this keylogger I did not see this filename mentioned yet (still searching for you), so I am looking at whether there could be more files that need to be deleted.
     
    Last edited: Mar 13, 2005
  3. roadrunner191

    Hi,

    Thanks for your post. I looked in the task manager for the process trojanspy.win32.sckeylog.j_(5).exe... nothing there. I also did a file search using Explorer for the file trojanspy.win32.sckeylog.j_(5).exe... no file found.

    Any comments on how I should proceed now? I haven't renamed the sysdll.dll file yet. How do I disable my system restore?

    Thx again for your assistance.
     
  4. roadrunner191

    I'm running Windows 2000 Pro... I don't think there is a system restore option.
     
  5. Jooske

    You're right, I forgot WINNT is Win2000 in many cases.
    No system restore is in this case very helpful, so you can't get re-infected after removing nasties :)
    Now I wonder which process you do have running.

    Was this the only infection mentioned or was there more?

    I would most certainly zip the file and submit it to submit@diamondcs.com.au to make sure it is really this infection.
    The files mentioned could be without that (5) part maybe, but I'm sure you searched everything (hidden files and extensions set to show up).
    You might be lucky that it has not been running and did not do any harm, maybe, which could explain why the other files are not there.

    If you want to be all sure, you can do some more security testing with this thread (thread 50662). Especially the Spybot S&D could be helpful there. And clean out the browser caches.
     
  6. roadrunner191

    This was the only file found. I do run Spybot on a regular basis, although it doesn't pick up anything resembling this file... mostly just tracking cookies.

    I have submitted the file for analysis.
     
  7. Jooske

    Please keep us informed. If the file is renamed or zipped it can't run. Gavin might have more ideas about which filenames and processes to look for.
    The files I mentioned belong to this infection, and the file you found should not belong to it, so maybe there is something else the matter. I can't find any info telling it could be a normal valid system file, so keep it disabled for now. If a program needs it, it will ask for it soon enough.
     
  8. roadrunner191

    Hi again,

    Thanks for your prompt posts. I just scanned Registry & File Traces and got the following:

    RegVal Trace: DDoS.RAT.Crezy: HKEY_LOCAL_MACHINE
    File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [sysdll=C:\WINNT\system32\sysdll.exe]

    I right-clicked and deleted the file... rebooted... and ran the scan again. The exact same alert appeared again. Wondering why it reappears after being deleted?

    I notice this is again targeting that sysdll file... although this time it's sysdll.exe.

    Any comments?

    Thanks.
     
  9. Jooske

    Glad that I didn't trust it in the first place, as it doesn't fit.
    I'm looking at several trojans and worms using the sysdll.exe, and none is nice.
    I can't find info about that Crezy thing, but under other names. Those can be the same thing with another name; it can be very different things too.
    If you still find it somewhere in your recycle bin, submit a zipped copy too.

    I can only advise taking the long way with the many steps from the instructions, as it looks like there is some nasty in your autostart adding itself again after deletion and reboot.
    Deleting just the sysdll.exe and sysdll.dll is not sufficient, as we see now.
    It will really mean producing a HijackThis log and an Autostart Viewer log, and using Ad-Aware and Spybot S&D etc.
     
  10. roadrunner191

    Since I have another system that has recently had a fresh clean install of Windows 2000 Pro, I went searching for a sysdll.dll file and a reference in the registry to sysdll.exe. No file and no registry reference existed on that system.

    I have since deleted both the file and registry reference in this system and ran another scan of Registry & File Traces, and C:\Winnt.

    This time scan gave no alarms.

    Does this mean that my system is cleaned or do you think these files and registry references will return?

    Thx.
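What roadrunner191 did by hand here, and what Jooske was asking for with the HijackThis and Autostart Viewer logs, is an autostart diff: compare the Run key on the suspect box against one on a clean install of the same Windows version, and look hard at any entry the clean box does not have. The script below is an added example written for this thread; it is not TDS code and not anything DiamondCS published. The registry export it parses is a constructed sample that reproduces the `sysdll` value TDS reported, padded with two made-up stand-ins for legitimate entries; the "clean install" baselines are likewise constructed and far shorter than a real one would be.

```python
"""Triage Run-key autostarts against a clean-install baseline.

Added example for this thread, not DiamondCS/TDS code. The .reg text and
the baselines are constructed for the demonstration.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample of what a `regedit /e` export of the Run key might
# contain on the suspect box. The "sysdll" value reproduces the trace TDS
# reported in the thread; the other two entries are made-up stand-ins.
SUSPECT_RUN_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"sysdll"="C:\\WINNT\\system32\\sysdll.exe"
"TDS-3"="\"C:\\Program Files\\TDS3\\TDS-3.exe\" /autostart"
'''

# Constructed baseline: Run value names present on the clean reference install.
CLEAN_RUN_NAMES = {"Synchronization Manager"}

# Constructed baseline: files present in system32 on the clean install
# (drastically shortened; a real baseline would be the full directory listing).
CLEAN_SYSTEM32 = {"mobsync.exe", "kernel32.dll", "ntdll.dll"}

_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_export(text):
    """Return {value_name: command_line} from a .reg text export.

    Only REG_SZ values are handled, which is all the Run key normally holds.
    .reg files escape backslashes and embedded quotes, so those are undone.
    """
    entries = {}
    for line in text.splitlines():
        m = _REG_VALUE.match(line.strip())
        if m:
            name, raw = m.groups()
            entries[name] = raw.replace('\\"', '"').replace("\\\\", "\\")
    return entries


def image_path(command_line):
    """Extract the executable path from a Run command line (quoted or bare)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(entries, clean_names, clean_system32):
    """Flag Run entries a clean install does not have, with the reasons.

    A software package you installed yourself (TDS here) will be flagged too;
    the analyst dismisses those, which is still far less work than reading
    every entry cold.
    """
    findings = []
    for name, cmd in entries.items():
        path = PureWindowsPath(image_path(cmd))
        reasons = []
        if name not in clean_names:
            reasons.append("value not present on clean install")
        in_system32 = "system32" in (p.lower() for p in path.parts)
        if in_system32 and path.name.lower() not in clean_system32:
            reasons.append("system32 image absent from clean install")
        if "dll" in path.stem.lower() and path.suffix.lower() == ".exe":
            reasons.append("'dll' in the name of an .exe (masquerading)")
        if reasons:
            findings.append((name, str(path), reasons))
    return findings


if __name__ == "__main__":
    entries = parse_run_export(SUSPECT_RUN_EXPORT)
    for name, path, reasons in triage(entries, CLEAN_RUN_NAMES, CLEAN_SYSTEM32):
        print(f"{name}: {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

The check is deliberately a diff rather than a blacklist: the thread shows why, since neither "SCKeyLog" nor "Crezy" told anyone what the file actually was, but "not on the clean box and named like a DLL while being an .exe" did. The same script run against the Run keys under HKEY_CURRENT_USER and the RunOnce keys would catch the other common places such a value hides.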
     
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Its gone, good job :)

    As this was a keylogger, you should assume that someone has been seeing all your keystrokes for SOME period. Change any and all passwords and be very wary of what might have been captured. Run updated scans with your AV, and make sure TDS was updated too; if not, update and scan again.
     
  12. Jooske

    Sounds like a very good job.
    Did you look at the properties and modification date of that file on your system? It would give some indication of when it came to your system.
    In Windows Explorer it could be possible to see which other files were new on that date.

    Both sysdll.dll and sysdll.exe I see in Google only in relation to several very bad trojans/keyloggers/RATs, so they can never be system files, and you can now delete the copy you had.
    I hope you still tried at least the scans with HijackThis from the posting I mentioned above to look at your startups.
     
  13. JustBob

    JustBob Guest

    I too have just recently seen SYSDLL.EXE running from \windows\system32. On closer inspection of the file, I've noticed the words SNAPKEY.COM inside the program that I have. My auto-run registry key is named "System DLL Resources".

    I've recently been looking into monitoring software for the kids' computers. So I had tried a trial program called SnapKey. I have since uninstalled it, but it seems to have "missed" the removal of the monitoring program. This particular program has a JPEG library built in, because it can take screen snapshots, and also seems to have a web POST functionality so it can send anything to snapkey.com. I'm not sure yet if the POST function is only used for feedback or for bad intentions like sending screenshots to their web site.

    My SYSDLL.EXE program seems to use SYSDLL.USR, SYSDLL.TID, SYSDLL.ADV, SYSDLL.TMP, & SYSDLL.BIN. But after uninstall, it left .BIN, .EXE, .TID, & a .ST file, all in the \system32 directory. The beginning of the .BIN file, which seems to be modified at boot, contains "System DLL Resource Cache, DO NOT DELETE".

    If you have these .EXE or .BIN files, you can open them up in WordPad and search for the phrase above, or search for the word "snapkey" to see if you have this particular monitoring program.
     
  14. JustBob


    Never mind about most of the previous post. I didn't realize that you have to use the same installer to uninstall it. But it did leave the .bin file behind, which is the encrypted log file. And I still never found an actual use in the program for their embedded POST feature. Unless it's perhaps for their SnapVue feature, which is some sort of remote monitoring program.
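JustBob identified his copy by opening sysdll.exe in WordPad and searching for "snapkey". The script below does the same mechanically, in the manner of the Unix `strings` tool, so the same search can be repeated over every sysdll.* file in one go. It is an added example written for this thread, not something from the original posts, from DiamondCS or from SnapKey. The byte blob is a constructed stand-in that embeds the text JustBob reported ("System DLL Resource Cache, DO NOT DELETE", the vendor hostname, a JPEG marker, an HTTP POST) among binary noise; none of it is copied from the real program. The caveat JustBob's second post makes applies to the output too: a vendor name and a POST string prove the file belongs to that product, not what the product does with the data.

```python
"""Extract printable strings from a binary and match them against indicators.

Added example for this thread, not part of the original posts or of any
product named in it. SAMPLE_BINARY is constructed, not a real sysdll.exe.
"""
import re

# Constructed sample: a fragment shaped like the start of a Win32 PE image,
# with the text JustBob described embedded among non-printable bytes.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00PE\x00\x00"
    b"\x01\x02System DLL Resource Cache, DO NOT DELETE\x00\x00\x00"
    b"\x17\x8a\x00POST /upload HTTP/1.1\x00\x00Host: www.snapkey.com\x00"
    b"\xde\xad\xbe\xefJFIF\x00\x01\x01\x00\x00H\x00H\x00\x00\x00"
    b"\x00\x00SYSDLL.BIN\x00SYSDLL.TID\x00\x00\x00\x00\x00"
)

# Indicators taken from the thread. Matching is case-insensitive substring.
# "JFIF" is the JPEG file-interchange marker (screenshot capability);
# "POST " is the HTTP verb JustBob saw (exfiltration capability).
INDICATORS = ("snapkey", "System DLL Resource Cache", "SYSDLL.", "JFIF", "POST ")


def extract_strings(blob, min_len=4):
    """Return runs of at least min_len printable ASCII bytes, like `strings`.

    Only plain ASCII runs are found; UTF-16 strings, which Windows binaries
    also carry, would need a second pass with a "\\x00"-interleaved pattern.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def match_indicators(strings, indicators=INDICATORS):
    """Map each indicator to the extracted strings that contain it."""
    hits = {}
    for indicator in indicators:
        found = [s for s in strings if indicator.lower() in s.lower()]
        if found:
            hits[indicator] = found
    return hits


def classify(blob):
    """Summarise one file: which indicators it carries, and the SnapKey verdict.

    'snapkey' True means the vendor name is present, nothing more; whether
    the POST code path is ever reached is not something strings can tell you.
    """
    hits = match_indicators(extract_strings(blob))
    return {"indicators": sorted(hits), "snapkey": "snapkey" in hits}


def scan_file(path):
    """Classify a file on disk, e.g. each sysdll.* left in system32."""
    with open(path, "rb") as fh:
        return classify(fh.read())


if __name__ == "__main__":
    for indicator, found in match_indicators(extract_strings(SAMPLE_BINARY)).items():
        print(f"{indicator!r}: {found}")
    print(classify(SAMPLE_BINARY))
```

Run `scan_file()` over sysdll.exe and sysdll.bin as they sit on disk (rename them first, as Jooske suggested, so nothing can execute them); a hit on the vendor string settles whose program it is, and the zipped copy still goes to the vendor or to submit@diamondcs.com.au for the actual analysis.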
     