scandump

Discussion in 'Trojan Defence Suite' started by Defender, Sep 23, 2003.

Thread Status:
Not open for further replies.
  1. Defender

    Defender Registered Member

    Joined:
    Sep 23, 2003
    Posts:
    2
    Hi there

    I just downloaded the demo version of TDS3.
    I did the full system scan and received a number of alarms,
    but I don't know what they mean or how to proceed.

    This is my scan dump file

    Scan Control Dumped @ 01:39:35 24-09-03
    Positive identification <Adv>: Possible KeyLogger
    File: c:\windows\system32\aksrvnt.exe

    Positive identification <Adv>: Possible KeyLogger
    File: c:\windows\system32\aksrvnt.exe

    Positive identification <Adv>: Possible KeyLogger
    File: c:\windows\system32\aksrvnt.exe

    Suspicious Filename: Excessive space characters
    File: c:\documents and settings\key\favorieten\welkom op goodfeeling.nl                                                                                                       .url

    Suspicious Filename: HTA file in suspicious location
    File: d:\system volume information\_restore{512e56cb-609c-47fc-82b9-3350691436c9}\rp7\a0003370.hta

    Suspicious Filename: HTA file in suspicious location
    File: d:\system volume information\_restore{affa3f49-b213-46d5-b502-de394bb304b8}\rp5\a0003351.hta

    thx
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello Defender and welcome to the forum!
    Did you also update the radius to the most recent one via the web site after installing TDS?

    It is possible aksrvnt.exe is part of an anti-keylogger, if you installed one, but it's best to send that file zipped to submit@diamondcs.com.au to be sure; you'll get information on what to do with it next.


    That goodfeelings URL has so many spaces that anything could be wrong with it; in general that is a way of hiding a double file name. If you don't need it, get rid of it, or you might like to change the name of that entry manually so you won't get the alarm anymore.

    The HTA files have probably gone from the installed area of your system, as there are no alarms there, so you had best delete them. I think it's difficult to delete system restore files, so if you can't delete them, and if you know your system is clean and the way you want it, you might like to disable system restore, reboot, enable system restore and manually create a new system restore point; then they're gone.

    Hope this helps. Please check back here also with DCS advice in relation to the aksrvnt.exe.
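
The two "Suspicious Filename" alarms in the scan dump, and Jooske's point above about a long run of spaces hiding a double file name, are simple path heuristics that can be reproduced. The Python below is an added example, not TDS-3 code or DiamondCS's detection logic: the space threshold, the restore-point path pattern and the list of executable extensions are assumptions, and the sample paths are constructed (the goodfeeling.nl entry with its run of spaces shortened). The "Possible KeyLogger" alarm on aksrvnt.exe is a content detection and is deliberately out of scope here.

```python
"""Filename heuristics of the kind TDS-3 reports in the scan dump above.

Added example, not DiamondCS/TDS-3 code. The thresholds and patterns are
assumptions chosen to reproduce the two 'Suspicious Filename' alarms in
the thread; the sample paths are constructed (the goodfeeling.nl entry
has its run of spaces shortened).
"""
import ntpath
import re
from typing import List, Tuple

# Assumption: a run of 8 or more spaces in a file name counts as "excessive".
EXCESSIVE_SPACE_RE = re.compile(r" {8,}")

# Assumption: any .hta inside a System Restore point folder is a suspicious
# location (d:\system volume information\_restore{GUID}\rpN\...).
RESTORE_POINT_RE = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]{36}\}\\rp\d+\\",
    re.IGNORECASE,
)

# Extensions Windows executes on double-click; the thing a padded name hides.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf"}


def check_filename(path: str) -> List[str]:
    """Return the alarm names that fire for one full Windows path."""
    alarms: List[str] = []
    name = ntpath.basename(path)
    stem, ext = ntpath.splitext(name)   # ext is the LAST extension

    if EXCESSIVE_SPACE_RE.search(name):
        alarms.append("Excessive space characters")
        # The padding trick: "invoice.pdf<many spaces>.exe" displays as
        # invoice.pdf in a narrow Explorer column, but Windows runs the
        # last extension. Flag it when an inner extension hides behind
        # an executable one.
        inner_ext = ntpath.splitext(stem.rstrip(" "))[1]
        if ext.lower() in EXECUTABLE_EXTS and inner_ext:
            alarms.append("Hidden double extension")

    if ext.lower() == ".hta" and RESTORE_POINT_RE.match(path):
        alarms.append("HTA file in suspicious location")

    return alarms


def scan(paths: List[str]) -> List[Tuple[str, str]]:
    """Run every heuristic over a list of paths; one (alarm, path) per hit."""
    return [(alarm, p) for p in paths for alarm in check_filename(p)]


# Constructed sample input modelled on the scan dump in the first post.
SAMPLE_PATHS = [
    r"c:\windows\system32\aksrvnt.exe",
    r"c:\documents and settings\key\favorieten\welkom op goodfeeling.nl"
    + " " * 40 + ".url",
    r"d:\system volume information\_restore{512e56cb-609c-47fc-82b9-3350691436c9}\rp7\a0003370.hta",
    r"c:\windows\help\example.hta",              # constructed: ordinary location
    r"c:\temp\invoice.pdf" + " " * 20 + ".exe",  # constructed: double extension
]

if __name__ == "__main__":
    # Print in the same shape as the TDS-3 scan dump quoted in the thread.
    for alarm, path in scan(SAMPLE_PATHS):
        print(f"Suspicious Filename: {alarm}\nFile: {path}\n")
```

The goodfeeling.nl entry trips only the space rule, because `.url` is an Internet shortcut rather than an executable in this example's list; the constructed `invoice.pdf<spaces>.exe` shows what the padding is usually for. Path heuristics like these are triage hints, not verdicts: as Gavin notes later in the thread, the real HTA rule also fired on legitimate Windows XP files, so a hit still needs a look at the file itself.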
     
  3. Defender

    Defender Registered Member

    Joined:
    Sep 23, 2003
    Posts:
    2
    Hi

    I hope you received the zipped file.
    As I don't know what the program does, I didn't remove it.

    The HTA files couldn't be removed; I followed the instructions about making a new system restore point, but it didn't help.
     
  4. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    In this case TDS alerted you to a positive identification. Although not all keyloggers are malware, the system directory is unlikely to be the place where a 'legal' keylogger should be.
    So I think you should remove the file from its current location and see if all programs keep working as they should. If not, you can always put it back.
    Dolf
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Antikeylogger was giving some false alarms and we fixed that... looks like the new version changed something and now it's detected again... we'll fix that as soon as possible, sorry :)

    Otherwise everything looks OK. That suspicious HTA file detection needs reviewing; it triggers on some normal WinXP HTA files... files used by the tour or some of the help files, I think.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    See also here the file mentioned in the last postings.

    Defender, are you sure you disabled system restore and rebooted, and after that reboot enabled system restore and made a new restore point?
    It should remove all older restore points, including the infections and whatever is wrong. If the entries are back in the new system restore, it means the files are still on your system. If they are caused by the aksrvnt.exe (o_O), which it seems has every right to legitimately exist on your system, then the entries have every right to be in system restore too. At the moment I don't see the connection between the two. If they're back in restore and there are no other alarms than those two, this is what it looks like.
     