trojan found using TDS but location is in TDS folder

Discussion in 'Trojan Defence Suite' started by drocket2, Mar 18, 2004.

Thread Status:
Not open for further replies.
  1. drocket2

    drocket2 Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    3
    i origionally did a scan and got a log like this:

    Scan Control Dumped @ 18:15:42 17-03-04
    RegVal Trace: Suspicious: HKEY_LOCAL_MACHINE
    File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [rundll=rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load]

    RegVal Trace: RAT.Netbus 1.70 (Dropper.Memory): HKEY_LOCAL_MACHINE
    File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SYSTRAY=C:\WINDOWS\System32\a.exe]

    Positive identification <Adv>: Possible WebDownloader
    File: c:\documents and settings\derek mcdonnell\local settings\temp\bridge.exe

    Positive identification <Adv>: Suspicious: Microsoft-tagged exe built with Borland compiler
    File: c:\documents and settings\derek mcdonnell\local settings\temp\installer2.exe

    Positive identification <Adv> (in archive): Suspicious: Microsoft-tagged exe built with Borland compiler
    File: installer2.exe (In c:\my shared folder\deadaim.4.5-snd.rar)

    Positive identification <Adv> (in archive): Suspicious: Microsoft-tagged exe built with Borland compiler
    File: unstsa2.exe (In c:\my shared folder\deadaim.4.5-snd.rar)

    Positive identification: RAT.Iroffer 1.2b13a
    File: c:\recycler\s-1-5-21-725345543-688789844-854245398-1004\dc3.exe

    Positive identification <Adv>: Suspicious: Microsoft-tagged exe built with Borland compiler
    File: c:\windows\unstsa2.exe



    I posted it on another website to get their analysis so i opened it again and scaned again to get those files up to delete them and it came up with finding that unstsa2.exe file appearing in a tds-3 folder C:\Program Files\TDS3\xDynamic\unstsa2.exe im afraid to delete since it may be part of tds but im not sure if that is a quarantine folder or what.
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Please submit bridge.dll this could be a trojan or adware DLL

    Then submit a.exe from System32 folder, and remove that startup entry SYSTRAY

    The files in TDS.UNPK are files that have been unzipped, I recommend you submit them all for analysis anyway. Also post your ASViewer results :

    http://www.diamondcs.com.au/index.php?page=asviewer

    Turn on the options to show all autostarts (press F2 F3 F4) then SAVE and email the text file, we will look for suspicious startups

    All to be mailed to support@diamondcs.com.au which is fine :) Send me a PM if you would like me to help you over the weekend
     
  3. drocket2

    drocket2 Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    3
    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Derek McDonnell@DEREK-POO28FF92, 03-19-2004
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\System32\ssflwbox.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\System32\ssflwbox.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
    nwiz.exe /installquiet
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Advanced Tools Check
    C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DeadAIM
    rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RunDLL
    rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\systray
    C:\WINDOWS\System32\a.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\STYLEXP
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Derek McDonnell.job
    C:\PROGRA~1\NORTON~1\NAVW32.EXE
    C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
    C:\PROGRA~1\NORTON~1\Navw32.exe
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Derek - In ASV, when you go to the "Main" button on the interface and click on it, do you have checkmarks in front of "Show Services", "Show Drivers" and "Show Active Setup Components"?

    The only reason I ask is that my output here looks a lot different than yours (it helps to spread the second column out to the right, too). Pete

    *Also, I believe they wanted you to email the results to them.
     
  5. drocket2

    drocket2 Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    3
    ok i forgot to press F2 F3 F4 so here is everything, gavin wanted me to post the asviewer results here and i also emailed it to diamonds support.




    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Derek McDonnell@DEREK-POO28FF92, 03-19-2004
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\System32\ssflwbox.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\System32\ssflwbox.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
    nwiz.exe /installquiet
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Advanced Tools Check
    C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Derek McDonnell.job
    C:\PROGRA~1\NORTON~1\NAVW32.EXE
    C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
    C:\PROGRA~1\NORTON~1\Navw32.exe
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\INF\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}\
    C:\WINDOWS\System32\rundll32.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ccEvtMgr\
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    HKLM\System\CurrentControlSet\Services\ccSetMgr\
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    HKLM\System\CurrentControlSet\Services\Cnxtdiag\
    C:\WINDOWS\System32\DRIVERS\cnxtdiag.sys
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\EPSONStatusAgent2\
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\Fallback\
    C:\WINDOWS\System32\DRIVERS\fallback.sys
    HKLM\System\CurrentControlSet\Services\Fsks\
    C:\WINDOWS\System32\DRIVERS\fsksnt.sys
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\IRoffer\
    C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe -s
    HKLM\System\CurrentControlSet\Services\K56\
    C:\WINDOWS\System32\DRIVERS\k56nt.sys
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\Messenger\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\NProtectService\
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    HKLM\System\CurrentControlSet\Services\NVSvc\
    C:\WINDOWS\System32\nvsvc32.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\SAVScan\
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    HKLM\System\CurrentControlSet\Services\SBService\
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ServU\
    C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe -s
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SoftFax\
    C:\WINDOWS\System32\DRIVERS\faxnt.sys
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\stisvc\
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    HKLM\System\CurrentControlSet\Services\StyleXPService\
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    HKLM\System\CurrentControlSet\Services\Symantec Core LC\
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    HKLM\System\CurrentControlSet\Services\symlcbrd\
    \??\C:\WINDOWS\System32\drivers\symlcbrd.sys
    HKLM\System\CurrentControlSet\Services\SYMTDI\
    \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Tones\
    C:\WINDOWS\System32\DRIVERS\tonesnt.sys
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\V124\
    C:\WINDOWS\System32\DRIVERS\v124nt.sys
    HKLM\System\CurrentControlSet\Services\vsdatant\
    \??\C:\WINDOWS\System32\vsdatant.sys
    HKLM\System\CurrentControlSet\Services\vsmon\
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WmdmPmSp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
     
Thread Status:
Not open for further replies.