Strange behaviour

Discussion in 'Trojan Defence Suite' started by Andy B, Jul 21, 2004.

Thread Status:
Not open for further replies.
  1. Andy B

    Andy B Guest

    A couple of PCs in our office are exhibiting some odd behaviour:

    - The task manager has a "flashing" process in it (in both cases explorer.exe).
    - Windows Media Player will not start on one machine
    - All sorts of strange things are happening on the other (files opening randomly, etc).

    I haven't got any idea why this is happening (I'm a security nuff-nuff) but I suspect that it could be a trojan that has injected itself into the explorer process?

    Could anyone shed some light on this for me in terms of what the problem could be and what we should do about it?

    Thanks guys,

    Andrew
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there Andy, that doesn't look good.
    If possible, start with disconnecting the suspicious systems from the network, but a deep scan is needed on every PC anyway.

    Start with one PC: close all scanners completely, install TDS on it (www.diamondcs.com.au), then back on the download page get the Radius update, and reboot if you haven't done so yet (you might have to get this before disconnecting from the network for your internet access).
    Start TDS and after its initial scans go to System Testing > Scan Control, check all scan options and let TDS do its scanning.
    This same action you can of course do on several PCs at a time, certainly if you decided not to disconnect them from the network yet.
    Is it a large network and are the PCs far away from each other?
    Anyway, in the end you'll see the scan alerts in the bottom window, which you can save to text (scandump.txt) to see what is there.
    TDS does not clean it for you; it detects and leaves the decisions about deleting or not to you.
    So you might like to post your scandump so we can help you decide about the next steps.
     
  3. Andy B

    Andy B Guest

    Thanks Jooske,

    I've had a go at that, downloaded TDS-3 and the updated database and tried the program on four PCs. Nothing came up in any scans and the odd behaviour has continued (now one of the users has had three network drives connected and disconnected). I've tried scanning for spyware and Ad-Aware as well - to no avail.

    There don't seem to be any rogue processes on the machine - apart from the processes flashing in the task manager all seems normal. Anything else I could try?

    Andy :)
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The machine with Windows Media Player not starting at all, are there any other things on that one?
    Are you on a network of thin clients - MSI - with the ability to do a whole clean setup just by pressing F12, or is your network setup not that centralised?
    And if so, is it still the same behaviour?
    I'm starting to think of a HW problem in the network itself.

    Was TDS with a full system scan and all scan options checked all clean? Wow, that doesn't happen too often: most of the time there are at least some alerts
    (double extensions, suspicious files, etc.).
    Is the problem on all PCs including the server?

    Which systems are they, Win2003 server and XP Pro workstations?
    All fully patched?
    Did it start after patching, or after any other changes?

    EDIT:
    What exactly do you mean by "flashing"? Do you mean the explorer process is blinking on and off, or something else?
    If you search for explorer.exe, how many instances do you find and in exactly which locations?
    The original one should be in windows\explorer.exe, so if it is in windows\system32\explorer.exe then it is really very suspicious, but TDS would have alarmed on a worm/trojan there.
     
    Last edited: Jul 21, 2004
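Jooske's question above, how many explorer.exe instances are running and where they live, can be answered without hunting through Task Manager. The PowerShell script below is an added example for this thread, not something posted by Jooske or shipped with TDS; it assumes a modern Windows host where the expected image is %WINDIR%\explorer.exe, and it flags any running instance or on-disk copy found elsewhere together with its Authenticode signature status.

```powershell
# Added triage example (not from the thread): list running explorer.exe instances,
# flag any whose image path is not %WINDIR%\explorer.exe, and find stray copies on disk.
# Assumes a modern Windows host; run from an elevated prompt to see every process's path.
$expected = Join-Path $env:WINDIR 'explorer.exe'

Write-Host "Running explorer.exe instances:"
Get-CimInstance Win32_Process -Filter "Name='explorer.exe'" | ForEach-Object {
    $path = $_.ExecutablePath   # null when the caller cannot read the process's image path
    $status = if ($path -and ($path -ieq $expected)) { 'expected location' } else { 'UNEXPECTED location' }
    $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
    [pscustomobject]@{
        PID       = $_.ProcessId
        ParentPID = $_.ParentProcessId
        Path      = $path
        Signature = $sig
        Status    = $status
    }
} | Format-Table -AutoSize

Write-Host "Copies of explorer.exe under $env:WINDIR other than the expected one:"
Get-ChildItem -Path $env:WINDIR -Filter 'explorer.exe' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ine $expected } |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            Size      = $_.Length
            Modified  = $_.LastWriteTime
            Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
    } | Format-Table -AutoSize
```

Copies under WinSxS and more than one running instance (one per interactive user, or with "Launch folder windows in a separate process" enabled) are normal; what matters is an image outside %WINDIR% or one whose signature status is not Valid.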
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Please email support with a log from ASViewer:

    http://www.diamondcs.com.au/index.php?page=asviewer
    Run ASViewer, then turn on the options to show all autostarts by going to the menu and ticking the 3 top options (or press F2, F3 and F4 once each).
    Then SAVE and email the text file; we will look for suspicious startups.
    Do not make any changes with ASViewer until advised - just in case.
     