TDS3 log?

Discussion in 'Trojan Defence Suite' started by sard, Jul 17, 2004.

Thread Status:
Not open for further replies.
  1. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    Last night TDS3 found a trojan. I deleted it thinking I could later find out what it was called from the TDS log file but it doesn't have its name.

    The log file for that day just has

    20:07:38 [Mutex Memory Scan] Started...
    20:07:50 [Mutex Memory Scan] Trojan mutex(es) found:

    but not its actual name. The file was called symantec32.exe but I'm guessing the file name doesn't really help identify what it was.

    Is there a way to find out what Trojans TDS3 has recently found?

    Thanks.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Sard,
    welcome to the forum!
    If there is a mutex found, it would display its name and the file where it is.
    This you'll see in the main console.
    Normally it starts scanning for mutexes and there is either "no mutex found" or, like you display, "Mutexes found" with nothing behind it if there is none, or the name of the find if there is some.
    What makes you think it was the symantec32.exe file? How was it displayed?

    In TDS > View Logfile you can find the logs from the console and find back that alert to paste here.
    Other alerts are in the bottom windows after a scan and those you can save to the Scandump.txt by right-clicking one of the alerts and saving to text.
    Also that text you can paste in a posting here for advice.
     
  3. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    Looks like I should have right clicked and produced a Scandump.txt file. I assumed the specific info on the lower window would be automatically saved as most other scanners keep a record of what infections they detect.

    I know it was the symantec32.exe file because it was displayed in the lower window and I kept a copy to send to ESET as NOD32 failed to detect it.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.LJ&VSect=T

    TDS, SpybotS&D, Ad-aware all should have been able to deal with it.

    Think after its deletion do another scan, eventually also an online scan like at housecall, with your other scanners closed completely (TDS you can keep active, but don't have it scanning at the same time).
    This worm has nasty possibilities as you can read.

    You might like to post your AutoStartViewer log (with all options chosen) from the DiamondCS free products site or send it to support@diamondcs.com.au, and/or HijackThis log [thread]15913[/thread] to see if you're really clean from everything.
     
  5. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    Here are the results from AutoStart Viewer

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Admin@FRED, 07-17-2004
    c:\winnt\system32\autoexec.nt
    C:\WINNT\system32\mscdexnt.exe
    C:\WINNT\system32\redir.exe
    C:\WINNT\system32\dosx.exe
    c:\winnt\system32\config.nt
    C:\WINNT\system32\himem.sys
    c:\winnt\system.ini [drivers]
    timer=timer.drv
    c:\winnt\system.ini [boot]\shell
    C:\WINNT\Explorer.exe
    c:\winnt\system.ini [boot]\scrnsave.exe
    (NONE)
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINNT\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    (NONE)
    HKCR\vbsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
    mobsync.exe /logon
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SoundFusion
    RunDll32 hercplgs.cpl,BootEntryPoint
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Logitech Utility
    C:\WINNT\Logi_MwX.Exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HGTXPEI
    C:\WINNT\system32\FirstReboot.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nod32kui
    C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Ad Muncher
    C:\Program Files\Ad Muncher\AdMunch.exe /bt
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe
    C:\WINNT\system32\internat.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
    C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINNT\system32\NETSHELL.dll
    C:\WINNT\System32\webcheck.dll
    C:\WINNT\system32\stobject.dll
    C:\WINNT\Tasks\At5.job
    symantec32.exe
    C:\WINNT\Tasks\At7.job
    symantec32.exe
    C:\WINNT\Tasks\At8.job
    symantec32.exe
    C:\Documents and Settings\Admin\Start Menu\Programs\Startup\MemTurbo.lnk
    C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    C:\WINNT\system32\PDBoot.exe
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINNT\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINNT\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINNT\system32\imon.dll
    C:\WINNT\system32\msafd.dll
    C:\WINNT\system32\rsvpsp.dll
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINNT\system32\JAVASUP.VXD


    And this is from HijackThis

    Logfile of HijackThis v1.97.7
    Scan saved at 15:18:32, on 17/07/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINNT\system32\RunDll32.exe
    C:\Program Files\Ad Muncher\AdMunch.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\FastCheck.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\WinRAR\WinRAR.exe
    D:\temp\Rar$EX00.157\asviewer.exe
    C:\WINNT\system32\notepad.exe
    D:\refreshrate\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [HGTXPEI] C:\WINNT\system32\FirstReboot.exe
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
    O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
    O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Download with GetRight - D:\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - D:\GetRight\GRbrowse.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/en/wowbeta/Si.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38151.5369675926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash5/cabs/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{56F3E848-4BC6-4595-9B0F-C656195CCD26}: NameServer = 10.0.0.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{56F3E848-4BC6-4595-9B0F-C656195CCD26}: NameServer = 10.0.0.2
    O17 - HKLM\System\CS2\Services\Tcpip\..\{56F3E848-4BC6-4595-9B0F-C656195CCD26}: NameServer = 10.0.0.2

    Trend Micro online scan is still running. Have already run KAV trial and it found nothing.


    I ran TDS3 after NOD32 found the following things

    http://uberish.fastmail.fm/1.jpg

    and I suspected it might be missing some. I have no idea why suddenly all these trojans and worms were appearing. I've just finished testing with Shields Up at http://www.grc.com/ and it turns out I had my Netbios ports open to the world, which I have now closed. Maybe that had something to do with it.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi again, waiting for the TDS scandump.txt in your next posting?

    Guess the mutex was for Worm.Spybot.LJ ?
    Did you fix this one somehow?
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    Can NOD32 support tell you how to?

    That symantec32.exe thing is still in the autostart here:
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINNT\system32\NETSHELL.dll
    C:\WINNT\System32\webcheck.dll
    C:\WINNT\system32\stobject.dll
    C:\WINNT\Tasks\At5.job
    symantec32.exe
    C:\WINNT\Tasks\At7.job
    symantec32.exe
    C:\WINNT\Tasks\At8.job
    symantec32.exe


    I expected these hkeys as well, but maybe you deleted those already?
    It creates the following registry entry so that it executes at every system startup:

    HKEY_CURRENT_USER\Software\Microsoft\
    Windows\CurrentVersion\Run
    Symantec Security = "symantec32.exe"

    HKEY_LOCAL_MACHINE\Software\Microsoft\
    Windows\CurrentVersion\RunServices
    Symantec Security = "symantec32.exe"

    HKEY_LOCAL_MACHINE\Software\Microsoft\
    Windows\CurrentVersion\Run
    Symantec Security = "symantec32.exe"

    Is it also visible in msconfig? In the Task Manager? You'll have to stop them to be able to delete them completely. Did you do another search on the system for the file?
    Make sure you have set folder options to show everything.
    If TDS doesn't find any infections anymore, run SpyBotS&D with a fresh update and let it look for everything suspicious, including the registry. If any keys are still not ok spybot will see them for you.
     
    Last edited: Jul 20, 2004
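    As an added illustration (not code from the thread, from DiamondCS or from any of the posters), a small Python parser for the AutoStart Viewer report layout that Jooske reads by hand above: it groups each autostart location with the command(s) registered there, then reports where a named file appears and which commands are given as a bare file name rather than a full path. The excerpt, the location heuristic and the function names are assumptions constructed from the report posted in this thread.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the posted AutoStart Viewer report: a
# location line (registry key, .ini section or scheduled-task file) followed
# by the command(s) registered there.
SAMPLE_REPORT = """\
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Admin@FRED, 07-17-2004
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Synchronization Manager
mobsync.exe /logon
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\nod32kui
C:\\Program Files\\Eset\\nod32kui.exe /WAITSERVICE
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\
C:\\WINNT\\system32\\NETSHELL.dll
C:\\WINNT\\System32\\webcheck.dll
C:\\WINNT\\Tasks\\At5.job
symantec32.exe
C:\\WINNT\\Tasks\\At7.job
symantec32.exe
C:\\WINNT\\Tasks\\At8.job
symantec32.exe
C:\\Documents and Settings\\Admin\\Start Menu\\Programs\\Startup\\MemTurbo.lnk
C:\\Program Files\\Silicon Prairie Software\\MemTurbo\\memturbo.exe
"""

# Assumed heuristic (not the tool's documented grammar): a line is a location
# if it is a registry key or a file that holds autostart data (.job, .lnk,
# .nt, or an .ini section); everything else is a command under that location.
LOCATION_RE = re.compile(r"(HK|.*\.(job|lnk|nt)$|.*\.ini \[)", re.IGNORECASE)


def parse_autostart(report):
    """Return {location: [command, ...]} from an AutoStart Viewer report."""
    entries = defaultdict(list)
    current = None
    for line in report.splitlines()[1:]:  # skip the report header line
        line = line.strip()
        if not line:
            continue
        if LOCATION_RE.match(line):
            current = line
            entries.setdefault(current, [])
        elif current is not None:
            entries[current].append(line)
    return dict(entries)


def references(entries, exe_name):
    """Locations whose command mentions exe_name (case-insensitive)."""
    needle = exe_name.lower()
    return sorted(loc for loc, cmds in entries.items()
                  for cmd in cmds if needle in cmd.lower())


def pathless_commands(entries):
    """Commands given as a bare file name: the file actually run is whatever
    the PATH search finds, so the entry alone does not pin it down."""
    return sorted((loc, cmd) for loc, cmds in entries.items()
                  for cmd in cmds if "\\" not in cmd.split()[0])
```

    Running references(parse_autostart(SAMPLE_REPORT), "symantec32.exe") returns the three At*.job locations that the post above points at, which is the cross-check a reader would otherwise do by eye.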
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Definitely, nice spotting Jooske :)

    Netbios closed - good. What about your user accounts? Make sure ALL user accounts have a strong password. This might require you to Log Off, then try to Logon as Administrator with no password. If you can, that's terrible and you need to set a good strong password on that account too.
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Was just pointed to this thread about the HJT - NOD32 thing, nothing wrong with that O10 line, so nothing to fix there.
    https://www.wilderssecurity.com/showthread.php?p=160317


    You don't run Port Explorer yet, to keep an eye on what is connecting? Do your firewall logs show many portscans for instance on port 17300 to name one used a lot by spybots, and there will be more common ports for the spybots?
    With Port Explorer you can put incoming data packets under socket spy and look in the log what it was, which application is doing it, and where, etc, so easier to locate and kill such applications/servers immediately.
     
    Last edited: Jul 20, 2004