rat aforce.gen trojan

Discussion in 'Trojan Defence Suite' started by mooseboy84, Jun 27, 2004.

Thread Status:
Not open for further replies.
  1. mooseboy84

    mooseboy84 Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    5
    OK, I guess I'll start like this.

    Last week I got an email from Comcast saying my computer was in violation for spamming. At that point I ran Norton's virus scan, Ad-Aware, Spybot, Spy Cleaner, etc. They found some things, but nothing too special.

    Then I found out about TDS-3 and ran it. Since I've run it, it's found a RatForce trojan.
    - replaced link to image with attachment - snap

    The problem I have now is I don't know how to delete it. TDS can't, and when I go into the folder and try to Ctrl+Delete it, that doesn't work either.

    What is also strange is that I can change the file name. I changed it to .txt and opened it up, and it had some strange things inside it.

    URL Removed for review - Pilli

    I can change the file name, but cannot delete the things inside and save it. Basically I can't do anything about the access to the file to destroy it. Now I really want to get rid of this. Does anyone have a way to get rid of this?

    In my system folder I have a netsfell.dat and the .dll file. The .dat file doesn't have a worm/trojan, but I think I might want to delete that as well. I need help! :'(

    Thanks
     


    Last edited by a moderator: Jun 27, 2004
  2. mooseboy84

    mooseboy84 Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    5
    I also must add that I ran the scan and port 5000 is open. :(
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    It is almost certainly running from startup and therefore cannot be deleted unless you stop the process.
    You could try deleting the files in Safe Mode; press F8 continuously just before Windows boots.
    If you do manage to locate the files, please zip them and send them to submit@diamondcs.com.au for further analysis before you delete them.

    Try this link for other removal instructions: https://www.wilderssecurity.com/showthread.php?t=37936

    If that does not succeed go here: https://www.wilderssecurity.com/showthread.php?t=15913 and follow the instructions.

    HTH Pilli
     
    Last edited: Jun 27, 2004
  4. mooseboy84

    mooseboy84 Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    5
    Well, I booted into Safe Mode and tried deleting, and I couldn't. The file was being accessed.

    I tried the uninstall method using rundll32, and that didn't work. I ran HijackThis and it showed no worms or bots trying to access IE. I'm at a loss as to what to do now.

    I believe somehow this DLL is using svchost.exe. Tiny's firewall shows svchost using port 5000. When I boot in Safe Mode and try to delete the file I can't, because it says it's being used. o_O
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If it is running and connecting to the outside world, Port Explorer would show it being in use, and it is possible to kill it (the connection) with that. At least you can then see which application is using it.

    But your screenshot with the TDS alert shows its location as well?

    Did you also post the HJT log for the HijackThis experts to help you with cleaning, as they might know additional ways?
     
  6. mooseboy84

    mooseboy84 Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    5
    OK, I WAS able to delete the file, but it was kind of tricky.

    I booted AGAIN into Safe Mode under Administrator. This time I went to the properties of the DLL, clicked on the Security tab and changed all the permissions for the "owner". I checked all the file access for the .dll and .dat to the "owner" and closed the properties. I tried to go back and check, and all the boxes were shaded, meaning I couldn't change the security access. This really scared me at first, but I just restarted in normal mode...

    Once I was in normal mode, I was able to delete the files. I tried to zip them, but it wouldn't allow me. I just deleted them and was glad I was able to. I have now sent the .dll file using the submit feature inside TDS. In fact, I think I sent it 3 times by mistake. :D I'm not positive I was able to submit the .dat file, however.

    The files are deleted now.
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Phew! Sounds like a real strange one, that. Anyway, glad that it appears to have been deleted. Make sure that you disable System Restore to clear existing points, then reboot. Re-enable System Restore and create a new restore point. This is just in case you need to restore and the nasty is still in an old restore point.

    Pilli :)
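The sequence the thread works through (port 5000 held by svchost.exe, a DLL that cannot be deleted because a running process has it loaded, changing the file's owner and permissions so it can be removed, submitting a sample, then flushing System Restore) maps onto a short script on a current Windows host. The block below is an added example written for this page; it is not code from any of the posters, from TDS or from DiamondCS. It assumes an elevated PowerShell prompt on Windows 8 or later (Get-NetTCPConnection did not exist in 2004; on XP the equivalent was netstat -ano), an English-language Administrators group name, and a hypothetical DLL path, since the real file name was removed by the moderators; only netsfell.dat is named in the thread.

```powershell
# Added example, not from the thread or from the TDS/DiamondCS tools. Run elevated.
# $SuspectDll is a HYPOTHETICAL path; the thread's actual DLL name was removed.
param(
    [int]    $Port       = 5000,
    [string] $SuspectDll = "$env:SystemRoot\System32\suspect.dll",   # hypothetical name
    [string] $SuspectDat = "$env:SystemRoot\System32\netsfell.dat",  # named in the thread
    [string] $Quarantine = 'C:\Quarantine'                           # assumed location
)

# 1. Which process holds the port? (the poster's firewall showed svchost.exe on 5000)
$conn = Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue | Select-Object -First 1
if ($conn) {
    $proc = Get-Process -Id $conn.OwningProcess
    "Port $Port is held by PID $($proc.Id) ($($proc.ProcessName))"
    # svchost hosts several services at once; list them to see which one loaded the DLL
    if ($proc.ProcessName -eq 'svchost') { tasklist /svc /fi "PID eq $($proc.Id)" }

    # 2. A DLL mapped into a running process is locked: that is the "file in use" error
    #    the poster hit even in Safe Mode, where the hosting service still started.
    if ($proc.Modules | Where-Object { $_.FileName -ieq $SuspectDll }) {
        "$SuspectDll is loaded in PID $($proc.Id); Remove-Item will fail until it is unloaded."
    }
}

# 3. Preserve evidence before touching anything (Pilli asked for a zipped sample first).
#    A loaded DLL is locked against delete/write, but it can still be read and copied.
$samples = Join-Path $Quarantine 'samples'
New-Item -ItemType Directory -Force -Path $samples | Out-Null
foreach ($f in @($SuspectDll, $SuspectDat) | Where-Object { Test-Path $_ }) {
    Get-FileHash -Algorithm SHA256 -Path $f | Format-List Path, Hash
    Copy-Item -Path $f -Destination $samples -Force
}
Compress-Archive -Path $samples -DestinationPath (Join-Path $Quarantine 'samples.zip') -Force

# 4. Take ownership and grant Administrators full control (the Security-tab change the
#    poster made in Safe Mode), then delete. If the file is still locked, queue the delete
#    in PendingFileRenameOperations: Session Manager performs it at the next boot, before
#    any service can load the DLL again.
function Remove-LockedFile {
    param([string] $Path)
    takeown /F $Path | Out-Null
    icacls $Path /grant 'Administrators:F' | Out-Null
    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        "Deleted $Path"
    } catch {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
        $pending = @()
        $old = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
        if ($old) { $pending += $old }
        $pending += "\??\$Path"   # source, in NT object-namespace form
        $pending += ''            # empty destination means "delete"
        Set-ItemProperty -Path $key -Name PendingFileRenameOperations -Value ([string[]]$pending) -Type MultiString
        "Locked; $Path queued for deletion at next reboot"
    }
}
foreach ($f in @($SuspectDll, $SuspectDat) | Where-Object { Test-Path $_ }) { Remove-LockedFile $f }

# 5. Restore points can hold a copy of the infected file, so drop them and start fresh.
Disable-ComputerRestore -Drive "$env:SystemDrive\"
Enable-ComputerRestore  -Drive "$env:SystemDrive\"
Checkpoint-Computer -Description 'After trojan cleanup' -RestorePointType 'MODIFY_SETTINGS'
```

The reboot-time delete in step 4 is what separates this from the poster's trial and error: once ownership is fixed, a file that is still mapped into svchost.exe can be scheduled for removal without having to work out which service to stop, and the operation runs before services start. Submit the hashed, zipped sample before deleting, as Pilli asks, because the copy is the only thing left to analyse afterwards.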
     