trojan found using TDS but location is in TDS folder

i origionally did a scan and got a log like this:

Scan Control Dumped @ 18:15:42 17-03-04
RegVal Trace: Suspicious: HKEY_LOCAL_MACHINE
File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [rundll=rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load]

RegVal Trace: RAT.Netbus 1.70 (Dropper.Memory): HKEY_LOCAL_MACHINE
File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SYSTRAY=C:\WINDOWS\System32\a.exe]

Positive identification <Adv>: Possible WebDownloader
File: c:\documents and settings\derek mcdonnell\local settings\temp\bridge.exe

Positive identification <Adv>: Suspicious: Microsoft-tagged exe built with Borland compiler
File: c:\documents and settings\derek mcdonnell\local settings\temp\installer2.exe

Positive identification <Adv> (in archive): Suspicious: Microsoft-tagged exe built with Borland compiler
File: installer2.exe (In c:\my shared folder\deadaim.4.5-snd.rar)

Positive identification <Adv> (in archive): Suspicious: Microsoft-tagged exe built with Borland compiler
File: unstsa2.exe (In c:\my shared folder\deadaim.4.5-snd.rar)

Positive identification: RAT.Iroffer 1.2b13a
File: c:\recycler\s-1-5-21-725345543-688789844-854245398-1004\dc3.exe

Positive identification <Adv>: Suspicious: Microsoft-tagged exe built with Borland compiler
File: c:\windows\unstsa2.exe



I posted it on another website to get their analysis so i opened it again and scaned again to get those files up to delete them and it came up with finding that unstsa2.exe file appearing in a tds-3 folder C:\Program Files\TDS3\xDynamic\unstsa2.exe im afraid to delete since it may be part of tds but im not sure if that is a quarantine folder or what.

 

Hi,

Please submit bridge.dll this could be a trojan or adware DLL

Then submit a.exe from System32 folder, and remove that startup entry SYSTRAY

The files in TDS.UNPK are files that have been unzipped, I recommend you submit them all for analysis anyway. Also post your ASViewer results :

http://www.diamondcs.com.au/index.php?page=asviewer

Turn on the options to show all autostarts (press F2 F3 F4) then SAVE and email the text file, we will look for suspicious startups

All to be mailed to support@diamondcs.com.au which is fine Send me a PM if you would like me to help you over the weekend

 

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Derek McDonnell@DEREK-POO28FF92, 03-19-2004
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\System32\ssflwbox.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\System32\ssflwbox.scr
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
nwiz.exe /installquiet
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Advanced Tools Check
C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DeadAIM
rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RunDLL
rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\systray
C:\WINDOWS\System32\a.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\STYLEXP
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Derek McDonnell.job
C:\PROGRA~1\NORTON~1\NAVW32.EXE
C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
C:\PROGRA~1\NORTON~1\Navw32.exe
C:\WINDOWS\Tasks\Symantec NetDetect.job
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system32\JAVASUP.VXD

 

Derek - In ASV, when you go to the "Main" button on the interface and click on it, do you have checkmarks in front of "Show Services", "Show Drivers" and "Show Active Setup Components"?

The only reason I ask is that my output here looks a lot different than yours (it helps to spread the second column out to the right, too). Pete

*Also, I believe they wanted you to email the results to them.

 

ok i forgot to press F2 F3 F4 so here is everything, gavin wanted me to post the asviewer results here and i also emailed it to diamonds support.




DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Derek McDonnell@DEREK-POO28FF92, 03-19-2004
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\System32\ssflwbox.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\System32\ssflwbox.scr
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
nwiz.exe /installquiet
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Advanced Tools Check
C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Derek McDonnell.job
C:\PROGRA~1\NORTON~1\NAVW32.EXE
C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
C:\PROGRA~1\NORTON~1\Navw32.exe
C:\WINDOWS\Tasks\Symantec NetDetect.job
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
C:\WINDOWS\INF\unregmp2.exe /ShowWMP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}\
C:\WINDOWS\System32\rundll32.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
regsvr32.exe /s /n /i:U shell32.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
C:\WINDOWS\system32\ie4uinit.exe
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system32\JAVASUP.VXD
HKLM\System\CurrentControlSet\Services\AFD\
C:\WINDOWS\System32\drivers\afd.sys
HKLM\System\CurrentControlSet\Services\AudioSrv\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Browser\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\ccEvtMgr\
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
HKLM\System\CurrentControlSet\Services\ccSetMgr\
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
HKLM\System\CurrentControlSet\Services\Cnxtdiag\
C:\WINDOWS\System32\DRIVERS\cnxtdiag.sys
HKLM\System\CurrentControlSet\Services\CryptSvc\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dhcp\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dnscache\
C:\WINDOWS\System32\svchost.exe -k NetworkService
HKLM\System\CurrentControlSet\Services\EPSONStatusAgent2\
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
HKLM\System\CurrentControlSet\Services\ERSvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Eventlog\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\Fallback\
C:\WINDOWS\System32\DRIVERS\fallback.sys
HKLM\System\CurrentControlSet\Services\Fsks\
C:\WINDOWS\System32\DRIVERS\fsksnt.sys
HKLM\System\CurrentControlSet\Services\helpsvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\IRoffer\
C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe -s
HKLM\System\CurrentControlSet\Services\K56\
C:\WINDOWS\System32\DRIVERS\k56nt.sys
HKLM\System\CurrentControlSet\Services\lanmanserver\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanworkstation\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\LmHosts\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\Messenger\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\NProtectService\
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
HKLM\System\CurrentControlSet\Services\NVSvc\
C:\WINDOWS\System32\nvsvc32.exe
HKLM\System\CurrentControlSet\Services\PlugPlay\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
C:\WINDOWS\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\ProtectedStorage\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\RpcSs\
C:\WINDOWS\system32\svchost -k rpcss
HKLM\System\CurrentControlSet\Services\SamSs\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\SAVScan\
C:\Program Files\Norton AntiVirus\SAVScan.exe
HKLM\System\CurrentControlSet\Services\SBService\
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
HKLM\System\CurrentControlSet\Services\Schedule\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\seclogon\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SENS\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\ServU\
C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe -s
HKLM\System\CurrentControlSet\Services\ShellHWDetection\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SoftFax\
C:\WINDOWS\System32\DRIVERS\faxnt.sys
HKLM\System\CurrentControlSet\Services\Spooler\
C:\WINDOWS\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services\srservice\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\stisvc\
C:\WINDOWS\System32\svchost.exe -k imgsvc
HKLM\System\CurrentControlSet\Services\StyleXPService\
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
HKLM\System\CurrentControlSet\Services\Symantec Core LC\
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
HKLM\System\CurrentControlSet\Services\symlcbrd\
\??\C:\WINDOWS\System32\drivers\symlcbrd.sys
HKLM\System\CurrentControlSet\Services\SYMTDI\
\??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS
HKLM\System\CurrentControlSet\Services\Themes\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Tones\
C:\WINDOWS\System32\DRIVERS\tonesnt.sys
HKLM\System\CurrentControlSet\Services\TrkWks\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\uploadmgr\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\V124\
C:\WINDOWS\System32\DRIVERS\v124nt.sys
HKLM\System\CurrentControlSet\Services\vsdatant\
\??\C:\WINDOWS\System32\vsdatant.sys
HKLM\System\CurrentControlSet\Services\vsmon\
C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
HKLM\System\CurrentControlSet\Services\W32Time\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WebClient\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\winmgmt\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WmdmPmSp\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\wuauserv\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WZCSVC\
C:\WINDOWS\System32\svchost.exe -k netsvcs