Wondering why tds-3 didn't find these?

Discussion in 'Trojan Defence Suite' started by Chloe, Aug 10, 2004.

Thread Status:
Not open for further replies.
  1. Chloe

    Chloe Registered Member

    Joined:
    Feb 15, 2004
    Posts:
    7
    Was just wondering why TDS-3 didn't find these? Is it because they are viruses and not worms, even though one is marked worm?
    I update and run TDS-3 every day. Just ran Stinger and it found:

    McAfee AVERT Stinger Version 2.3.8.0 built on Aug 9 2004

    Copyright (C) 2004 Networks Associates Technology, Inc. All Rights Reserved.
    Virus data file v1000 created on Aug 9 2004.
    Ready to scan for 46 viruses, trojans and variants.
    Scan initiated on Tue Aug 10 19:19:42 2004

    C:\WINNIT\system32\systemc32.exe\systemc32.exe

    Found the W32/Sdbot.worm.gen.g virus !!!

    C:\WINNIT\system32\systemc32.exe\systemc32.exe has been deleted.

    C:\WINNIT\system32\WinFixID.exe\WinFixID.exe

    Found the W32/Sdbot.worm.gen.g virus !!!

    C:\WINNIT\system32\WinFixID.exe\WinFixID.exe has been deleted.

    C:\WINNIT\system32\zonealarm.exe

    Found the W32/Sdbot.gen.r virus !!!

    C:\WINNIT\system32\zonealarm.exe has been deleted.

    Number of clean files: 63795

    Number of infected files: 3

    Number of files deleted: 3

    o_O o_O
     
  2. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Hi there, and welcome to Wilders!

    Have you submitted these files to DCS so that they can take a look and answer your question?
     
  3. Chloe

    Chloe Registered Member

    Joined:
    Feb 15, 2004
    Posts:
    7
    Umm, nope.. if Stinger deleted them, where do I find them?
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there and welcome to the forum!
    Have you thought of the possibility of false positives, so that TDS had no reason to detect innocent code?
    Like the zonealarm.exe for instance, which should normally be a valid part of the ZoneAlarm firewall, but the location is suspicious, as I think by default it should be in c:\program files\zonelabs\zonealarm\zonealarm.exe
    Did you check all the files for possible other instances on your system?

    Wait a moment... aren't these all parts of the Padobot?
    When you used TDS to scan, did you have any of the other scanners or their resident protection up? This would block files so TDS could not access them for scanning properly. Several scanners have the habit of either hiding or locking access to files they found, and more of the kind.
    If you do have the Padobot, or did have, there should be more wrong on your system. Did you get the HijackThis software from thread 15913 to create a HJT log with all options checked? If you make your log, do you see anything suspicious?
    Make sure all hidden files and extensions are showing in the Windows folder options so you can find whatever is there.
     
    Last edited: Aug 10, 2004
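    Jooske's location check, written up as an added Python example (not from this thread, TDS-3 or any other tool named here): it pulls the three Stinger paths from the first post plus a constructed HijackThis-style O4 line, flags an executable nested under a folder that is itself named *.exe, and flags a product binary found in system32 when its expected home is under Program Files. The expected-home table is an assumption for the example.

```python
import re

# Constructed sample: the three Stinger detections from the first post, an
# autostart line in HijackThis O4 style, and ZoneAlarm in its normal location.
SAMPLE_LINES = [
    r"C:\WINNIT\system32\systemc32.exe\systemc32.exe",
    r"C:\WINNIT\system32\WinFixID.exe\WinFixID.exe",
    r"C:\WINNIT\system32\zonealarm.exe has been deleted.",
    r"O4 - HKLM\..\Run: [TDS3] D:\Colostomy\TDS-3.exe",
    r"C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe",
]

# Assumed table: product binaries that belong under Program Files, never in
# the Windows system directory. Build yours from a known-good install.
EXPECTED_HOME = {"zonealarm.exe": r"C:\Program Files\Zone Labs\ZoneAlarm"}

# Drive-letter path ending in .exe; lazy so a trailing "has been deleted." or
# /switch drops off, while "x.exe\y.exe" stays whole (inner .exe precedes "\").
EXE_PATH = re.compile(r'[a-z]:\\[^"]+?\.exe(?=[\s"]|$)', re.IGNORECASE)

NESTED_EXE = "nested-exe-dir"          # file sits inside a folder named *.exe
MISPLACED = "product-exe-in-system32"  # known product binary found in system32

def find_path(line):
    """Return the first .exe path in a scanner or HijackThis line, or None."""
    m = EXE_PATH.search(line)
    return m.group(0) if m else None

def assess(path):
    """Return the heuristic hits for one path (empty list = nothing odd)."""
    parts = path.lower().split("\\")
    hits = []
    # No installer creates a directory named like an executable; the two
    # SDBot files in the Stinger log have exactly this shape.
    if any(p.endswith(".exe") for p in parts[:-1]):
        hits.append(NESTED_EXE)
    # parts[2] is the directory directly under the Windows folder, whatever
    # that folder is called (WINNT, WINDOWS, or WINNIT as in the log).
    if len(parts) >= 4 and parts[2] == "system32" and parts[-1] in EXPECTED_HOME:
        hits.append(MISPLACED)
    return hits

def triage(lines):
    """Map each flagged path to its hits; paths with no hits are omitted."""
    findings = {}
    for line in lines:
        path = find_path(line)
        if path and assess(path):
            findings[path] = assess(path)
    return findings
```

    Running `triage(SAMPLE_LINES)` flags the three paths Stinger reported and leaves the TDS-3 autostart entry and the Program Files copy of zonealarm.exe alone.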
  5. Chloe

    Chloe Registered Member

    Joined:
    Feb 15, 2004
    Posts:
    7
    Thank you for the kind welcomes!!

    I was thinking about innocent files too.
    I don't run ZoneAlarm.. I have a new machine and didn't download, install or transfer any files for ZoneAlarm. But I may have transferred the exe.

    But what about the other files?
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    We crossed postings while I got a clear (clain?) moment of the Padobot possibility. Now you say you never had ZoneAlarm; that confirms it.
    Now we must make sure you're really clean.
    So make sure TDS is fully updated, close all other scanners and their resident parts (some people try to scan with TDS in safe mode, might work) and do a full system scan with all scan options included and the worm slider on highest sensitivity.
    Now looking forward to your scandump.txt. Can take a while, so have a long hot coffee or a cold thing.


    If your Stinger makes backups or quarantines files, they should be somewhere findable there.
    Of course you can have them back if you're running XP and go back to an older system restore point, but I guess you're not really looking forward to that. Once you're cleaned out I hope you don't forget to disable restore, reboot, enable restore again and make a new nice clean restore point from there, to be really rid of them.

    SpyBot S&D and Ad-Aware should find the nasty too, including the registry keys where it might be hiding more.
     
  7. Chloe

    Chloe Registered Member

    Joined:
    Feb 15, 2004
    Posts:
    7
    Here is my HijackThis log... but this is after Stinger found & deleted those files. I don't have any other scanner up ("other scanners or their resident protection up"); I only run TDS-3 and run HouseCall and Stinger on occasion, or HijackThis on occasion.. I've never heard of Padobot.. what is it?
    Logfile of HijackThis v1.97.7
    Scan saved at 8:19:42 PM, on 8/10/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

    Running processes:
    C:\WINNIT\System32\smss.exe
    C:\WINNIT\system32\winlogon.exe
    C:\WINNIT\system32\services.exe
    C:\WINNIT\system32\lsass.exe
    C:\WINNIT\system32\svchost.exe
    C:\WINNIT\system32\spoolsv.exe
    C:\WINNIT\system32\CTsvcCDA.exe
    C:\WINNIT\System32\svchost.exe
    C:\WINNIT\system32\regsvc.exe
    C:\WINNIT\system32\MSTask.exe
    C:\WINNIT\System32\WBEM\WinMgmt.exe
    C:\WINNIT\system32\MsPMSPSv.exe
    C:\WINNIT\system32\svchost.exe
    C:\WINNIT\System32\svchost.exe
    C:\WINNIT\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\WINNIT\system32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINNIT\SOUNDMAN.EXE
    C:\WINNIT\system32\CTHELPER.EXE
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\CManager\CManager.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNIT\system32\wuauclt.exe
    C:\Program Files\Efficient Networks\EnterNet 300\app\EnterNet.exe
    D:\SETI@home.exe
    D:\Colostomy\tds-3.exe
    C:\WINNIT\msagent\AgentSvr.exe
    C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
    D:\Program Files\Opera75\opera.exe
    E:\test\Setups\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNIT\system32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series (Copy 2)] C:\WINNIT\system32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P32 "EPSON Stylus C82 Series (Copy 2)" /O6 "USB001" /M "Stylus C82"
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [TDS3] D:\Colostomy\TDS-3.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINNIT\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [Alcohol.exe Autorun] D:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Connection Manager.lnk = C:\Program Files\CManager\CManager.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
    O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38156.5874652778
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB
     
  8. Chloe

    Chloe Registered Member

    Joined:
    Feb 15, 2004
    Posts:
    7
    Okies.. will do that... keep you "posted" *snicker*
     
  9. FanJ

    FanJ Guest

    Hi,

    I saw this:

    O4 - HKLM\..\Run: [TDS3] D:\Colostomy\TDS-3.exe

    Does that mean that you have TDS-3 installed on your D drive ?

    As far as I know TDS-3 should be installed on the C drive !!!
    However I am not completely 100 % sure of that... :oops:
     
    Last edited by a moderator: Aug 10, 2004
  10. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Hmmm I have my TDS3 on drive F. Nothing but the OS on C.
     
  11. Chloe

    Chloe Registered Member

    Joined:
    Feb 15, 2004
    Posts:
    7
    I renamed TDS-3's folder to Colostomy as recommended so malware writers wouldn't find it easily lol
    And yes, only the OS is on my C:\
    I just did a full system scan with everything loaded.
    It didn't find anything.

    Still wondering about those originally posted files.
     
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi Chloe,

    I think it is simply a case of "nothing can detect everything" :) They do look like newer variants; attackers are constantly modifying SDBot and trying to create new undetected versions. If you don't have a firewall installed, you should have one to protect against self-spreading worms which use new unpatched exploits.

    TDS-3 should detect most in memory if you use the Process Memory Scan (included in a full scan), and it may often find them as suspicious, in which case they should be sent to submit @ diamondcs.com.au for analysis. And no, it's no problem to install to D:\ :)
     
  13. Chloe

    Chloe Registered Member

    Joined:
    Feb 15, 2004
    Posts:
    7
    OK! Thank you. What firewall do you recommend? I tried ZoneAlarm but it was awfully difficult to configure for some reason with the programs I use... but if you like ZoneAlarm I will try it again.

    And thank you for all your help.

    If anyone knows how to retrieve Stinger-deleted files, I will be glad to send them in for an analysis.
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    ZoneAlarm is supposed to be easy to use; I found it not too bad. I've got a lot of time for Kerio, which works very well for me and is rather easy to use. Worth a try, www.kerio.com , trial which becomes a free version after 30 days. Of course there is a firewall forum here at Wilders! :)

    One thing to make sure you do right if you try Kerio - don't choose your dialup/dsl/cable as a TRUSTED connection, since it's not. It's the internet connection and is not safe to trust.. that's why you need to apply firewall rules for that connection.
     