TDS-specific adwares found

Discussion in 'Trojan Defence Suite' started by Gswiss, Dec 17, 2004.

Thread Status:
Not open for further replies.
  1. Gswiss

    Gswiss Registered Member

    Joined:
    Dec 16, 2004
    Posts:
    17
    I ran TDS-3. The resulting log is shown below. Apparently there is some spyware located in valid Windows programs such as crsss.exe and lssas.exe. Furthermore, I found no references to DDoS.RAT.rBot.dy, DDoS.RAT.SDBot and Adware.PurityScan.u (other Puritys, but not .u) elsewhere than with your program.

    Wouldn't one way of fixing crsss.exe and lssas.exe be to copy those files from an original XP CD-ROM? The infected PC is running under XP Pro.

    Scan Control Dumped @ 17:36:05 15-12-04
    Positive identification: DDoS.RAT.rBot.dy
    File: c:\windows\system32\crsss.exe

    Live trojan found (in process memory): DCOM RPC Exploit
    File: C:\WINDOWS\System32\lssas.exe

    Live trojan found: DCOM RPC Exploit
    File: C:\WINDOWS\System32\crsss.exe

    RegVal Trace: Trojan please submit: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [taskmgr.exe=C:\WINDOWS\paintms.exe

    RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Windows media service=crsss.exe]

    RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\RunServices [Windows media service=crsss.exe]

    RegVal Trace: DDoS.RAT.rBot: HKEY_CURRENT_USER
    File: Software\Microsoft\Windows\CurrentVersion\Run [Windows Compliant=gytuil.exe]

    RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Windows Compliant=gytuil.exe]

    RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\RunServices [Windows Compliant=gytuil.exe]

    Positive identification: DDoS.RAT.rBot.dy
    File: c:\windows\system32\crsss.exe

    Positive identification (embedded in file): Adware.PurityScan.u Dropper.a
    File: c:\documents and settings\liz\local settings\temp\installer.exe

    Positive identification: Adware.PurityScan.u Dropper
    File: c:\documents and settings\liz\local settings\temp\installer.exe
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    If you look carefully you will see TDS is correct in its identifying of the dangerous files, so let it fix them.

    The genuine files are c:\windows\system32\crss.exe NOT CRSSS.EXE, note the extra S,

    and C:\WINDOWS\System32\lsass.exe NOT LSSAS.EXE, note the spelling.

    The safest way to fix the problems is to right click each entry in the TDS bottom window and select delete file or whichever option TDS suggests.
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Oh, and PurityScan has several different versions, but most anti-trojans or adware removers lump them all under one.
     
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Correction: it's c:/windows/system32/csrss.exe
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK

    Oops, I mistyped, thanks for the correction.
     
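As an added defender-side illustration (my own code, not TDS's and not from any of the posts), here is a Python triage of the log posted at the top of the thread: it pulls the launched file out of each File: line, notes Run/RunServices persistence, and flags any name within two edits of a genuine system binary, which is exactly the crsss.exe/csrss.exe and lssas.exe/lsass.exe confusion sorted out in the replies above. The list of genuine names and the two-edit threshold are my assumptions.

```python
import re
# Genuine Windows system binaries that malware impersonates with near-miss spellings
# (this thread's crsss.exe and lssas.exe are typo-squats of csrss.exe and lsass.exe). Assumed list.
GENUINE = ("csrss.exe", "lsass.exe", "smss.exe", "svchost.exe", "winlogon.exe", "services.exe")

# Constructed sample: lines copied from the TDS-3 log posted above (blank lines dropped).
SAMPLE_LOG = """\
Positive identification: DDoS.RAT.rBot.dy
File: c:\\windows\\system32\\crsss.exe
Live trojan found (in process memory): DCOM RPC Exploit
File: C:\\WINDOWS\\System32\\lssas.exe
RegVal Trace: Trojan please submit: HKEY_LOCAL_MACHINE
File: Software\\Microsoft\\Windows\\CurrentVersion\\Run [taskmgr.exe=C:\\WINDOWS\\paintms.exe
RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
File: Software\\Microsoft\\Windows\\CurrentVersion\\RunServices [Windows media service=crsss.exe]
RegVal Trace: DDoS.RAT.rBot: HKEY_CURRENT_USER
File: Software\\Microsoft\\Windows\\CurrentVersion\\Run [Windows Compliant=gytuil.exe]
"""

def edit_distance(a, b):
    """Levenshtein distance: each inserted, dropped or substituted character costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name):
    """Return the genuine binary that a file name impersonates, or None."""
    name = name.lower()
    if name in GENUINE:
        return None
    hits = [g for g in GENUINE if edit_distance(name, g) <= 2]
    return hits[0] if hits else None

def triage(log):
    """Pair each TDS verdict with its File: line; note Run/RunServices persistence and lookalikes."""
    findings = []
    lines = [ln for ln in log.splitlines() if ln.strip()]
    for verdict, target in zip(lines[::2], lines[1::2]):
        target = target.removeprefix("File: ")
        # Registry traces carry the launched file as [value=command]; the bracket is optional
        # because TDS wrote one trace without it. File hits are plain paths.
        m = re.search(r"\[(?P<value>[^=\]]+)=(?P<cmd>[^\]]*)\]?$", target)
        exe = (m.group("cmd") if m else target).replace("/", "\\").rsplit("\\", 1)[-1].lower()
        pm = re.search(r"\\(Run|RunServices)\b", target)
        persistence = pm.group(1) if pm else None
        findings.append({"verdict": verdict, "exe": exe,
                         "persistence": persistence, "lookalike_of": lookalike_of(exe)})
    return findings
```

Run `triage(SAMPLE_LOG)` to get one dict per finding; the two lookalike hits are the ones the thread tells the poster not to restore from the XP CD but to let TDS delete.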
  6. Gswiss

    Gswiss Registered Member

    Joined:
    Dec 16, 2004
    Posts:
    17
    Thank you very much for your comments. I will proceed with the removal operations and come back to you afterwards. This will take place in a few days, as these items are on a friend's PC, not mine.

    Merry Christmas to all.
     
  7. ?shawn

    ?shawn Guest

    I have a problem with windows\system32\lsass.exe... and it shutting my computer down any time I get online. One thing I figured out by accident was if you put your clock time back a few hours, that will keep it from shutting down for however many hours you put it backwards. I'm doing this while I search the web for a fix. I know nothing about comp security and need to get rid of this as fast as possible. Just got a job I need to start in a few days and it's online work. I tried to delete lsass.exe and I can't. I did a complete system recovery and still the same thing happens. Plzzzz help me.

    Thanks, Shawn

    I hate my security ignorance :(
     
  8. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, ?shawn

    You should not be trying to delete lsass.exe from windows\system32, as that is a genuine file of the OS.

    Do you have TDS-3? If not, you can download it here:- TDS-3

    And get the latest TDS-3 Radius file [database] update here:- Radius File

    After you have finished installing TDS-3, put the Radius file in TDS-3's directory.

    Take Care,
    TheQuest :cool:
     
  9. Gswiss

    Gswiss Registered Member

    Joined:
    Dec 16, 2004
    Posts:
    17
    Thanks for your help. I finally managed to lay my hands on that particular pc and all is well now.
     