Wondering why tds-3 didn't find these?

was just wondering why tds-3 didn't find these? is it because they are viruses and not worms? even though one is marked worm?
I update and run tds-3 everyday. just ran stinger and it found:
McAfee AVERT Stinger Version 2.3.8.0 built on Aug 9 2004

Copyright (C) 2004 Networks Associates Technology, Inc. All Rights Reserved.
Virus data file v1000 created on Aug 9 2004.
Ready to scan for 46 viruses, trojans and variants.
Scan initiated on Tue Aug 10 19:19:42 2004

C:\WINNIT\system32\systemc32.exe\systemc32.exe

Found the W32/Sdbot.worm.gen.g virus !!!

C:\WINNIT\system32\systemc32.exe\systemc32.exe has been deleted.

C:\WINNIT\system32\WinFixID.exe\WinFixID.exe

Found the W32/Sdbot.worm.gen.g virus !!!

C:\WINNIT\system32\WinFixID.exe\WinFixID.exe has been deleted.

C:\WINNIT\system32\zonealarm.exe

Found the W32/Sdbot.gen.r virus !!!

C:\WINNIT\system32\zonealarm.exe has been deleted.

Number of clean files: 63795

Number of infected files: 3

Number of files deleted: 3

 

Hi there, and welcome to Wilders!

Have you submitted these files to DCS so that they can take a look and answer your question?

 

umm nope.. if stinger deleted them where do i find them?

 

Hi there and welcome to the forum!
Have you thought of the possibility of false positives so TDS had not any reason to detect innocent code?
Like the zonealarm.exe for instance, which should normally be a normal valid part of the ZoneAlarm firewall, but the location is suspicious, as i think it should be default in c:\program files\zonelabs\zonealarm\zonealarm.exe
Did you for all files check for possible other instances on your system?

Wait a moment...... aren't these all parts of the padobot?
When you used TDS to scan, did you have any of the other scanners or their resident protection up? This would block files for TDS to access them for scanning properly. Several scanners have the habit to either hide or lock any access to files they found and more of the kind.
If you do have the padobot or did have, there should be more wrong on your system. Did you get in [thread]15913[/thread] the HijackThis software to create a HJT log with all uptions checked? If you make your log, do you see anything suspicious?
Make sure all hidden files and extensions are showing in the windows folder options so you can find whatever is there.

 

thank you for the kind welcomes !!

i was thinking about innocent files too
i don't run zone alarm.. I have a new machine and didn't download, install or transfer any files for zonealarm. but I may have transferred the exe.

but what about the other files?

 

We crossed postings while i got a clear (clain?) moment of the padobot possibility. Now you say you never had zonealarm that confirms it.
Now we must make sure you're really clean.
So make sure TDS is fully updated, close all other scanners and their resident parts (some people try to scan with TDS in safe mode, might work) and do a full system scan with all scan options included and worm slider on highest sensitivity.
Now looking forward to your scandump.txt. Can take a while, so have a long hot coffee or a cold thing.


If your stinger would make backups or quarantine files they should be somewhere findable there.
Of course you can have them back if you're running XP and get back to an older system restore point, but i guess you're not really looking forward to that. Once you're cleansed out i hope you don't forget to disable restore and reboot and enable restore again and make a new nice clean restore point from there to be really rid of them.

SpyBotS&D and Ad-Aware should find the nasty yoo, including the registry keys where it might be hiding more.

 

here is my hijackthis log...but this is after stinger found & deleted those files, I don't have any other scanner up "other scanners or their resident protection up" I only run tds-3 and run housecall and stinger on occasion or hijack this on occasion.. i've never heard of padobot.. what is it?
Logfile of HijackThis v1.97.7
Scan saved at 8:19:42 PM, on 8/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNIT\System32\smss.exe
C:\WINNIT\system32\winlogon.exe
C:\WINNIT\system32\services.exe
C:\WINNIT\system32\lsass.exe
C:\WINNIT\system32\svchost.exe
C:\WINNIT\system32\spoolsv.exe
C:\WINNIT\system32\CTsvcCDA.exe
C:\WINNIT\System32\svchost.exe
C:\WINNIT\system32\regsvc.exe
C:\WINNIT\system32\MSTask.exe
C:\WINNIT\System32\WBEM\WinMgmt.exe
C:\WINNIT\system32\MsPMSPSv.exe
C:\WINNIT\system32\svchost.exe
C:\WINNIT\System32\svchost.exe
C:\WINNIT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINNIT\system32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNIT\SOUNDMAN.EXE
C:\WINNIT\system32\CTHELPER.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\CManager\CManager.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNIT\system32\wuauclt.exe
C:\Program Files\Efficient Networks\EnterNet 300\app\EnterNet.exe
D:\SETI@home.exe
D:\Colostomy\tds-3.exe
C:\WINNIT\msagent\AgentSvr.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
D:\Program Files\Opera75\opera.exe
E:\test\Setups\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNIT\system32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [EPSON Stylus C82 Series (Copy 2)] C:\WINNIT\system32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P32 "EPSON Stylus C82 Series (Copy 2)" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TDS3] D:\Colostomy\TDS-3.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNIT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Alcohol.exe Autorun] D:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Connection Manager.lnk = C:\Program Files\CManager\CManager.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38156.5874652778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB

 

okies.. will do that... keep you "posted" *snicker*

 

Hi,

I saw this:

O4 - HKLM\..\Run: [TDS3] D:\Colostomy\TDS-3.exe

Does that mean that you have TDS-3 installed on your D drive ?

As far as I know TDS-3 should be installed on the C drive !!!
However I am not completely 100 % sure of that...

 

Hmmm I have my TDS3 on drive F. Nothing but the OS on C.

 

i renamed tds=3's folder to colostomy as recomended so malware writers would'nt find it easily lol
and yes only OS is on my C:\
i just did a full system scan with everything loaded.
it didn't find anything.

still wondering about those originaly posted files.

 

Hi Chloe,

I think it is simply a case of "nothing can detect everything" They do look like newer variants, attackers are constantly modifying SDBot and trying to create new undetected versions. If you dont have a firewall installed, you should have one to protect against self spreading worms which use new unpatched exploits

TDS-3 should detect most in memory if you use the Process Memory Scan (included in a full scan) and it may often find them as suspicious, in which case they should be sent to submit @ diamondcs.com.au for analysis. And no, its no problem to install to D:\

 

ok! thank you. what firewall do you recommend? Itried zonealarm but it was awfully dificult to configure for some reason with the programs I use...but if you like zonealarm i will try it again.

and thank you for all your help.

if anyone knows how to retrieve stinger deleted files i will be glad to send them in for an analysis.

 

ZoneAlarm is supposed to be easy to use, i found it not too bad. I've got a lot of time for Kerio, which works very well for me and is rather easy to use. Worth a try, www.kerio.com , trial which becomes a free version after 30 days. Of course there is a firewall forum here at Wilders !

One thing to make sure you do right if you try Kerio - dont choose your dialup/dsl/cable as a TRUSTED connection, since its not. Its the internet connection and is not safe to trust.. thats why you need to apply firewall rules for that connection