Newbie questions!
spy1
March 17th, 2002, 02:18 PM
Okay, just d/l'ed the trial version of TDS (would have purchased it outright - sight unseen - if it weren't for the fact that I had to make sure it wasn't going to conflict with anything already on this here WinMe computer).
I'm confused about the radius update location. Since it's a trial copy, it won't update itself from the program - it tells me to go to here: http://tds.diamondcs.com.au/ , but when I do, I'm not seeing anything anywhere that tells me where the manual radius update location is (told ya'! newbie! lol!). Where's the manual update? (* Note: never mind, I found it: http://tds.diamondcs.com.au/radius.td3 )
Also, should I allow it to 'Initialise Sockets' in Startup/Configuration? Right now, I have that UN-selected.
Other than that, I've got everything in the world checked that it will accept on the trial copy - does that sound like a good way to have it?
I copied the scandump.exe to notepad and this is what it said:
Scan Control Dumped @ 12:02:56 17-03-02
Live trojan found (in process memory): RAT.Theef
File: C:\WINDOWS\START MENU\PROGRAMS\STARTUP\COOKIEM.EXE
Suspicious Filename: Dual extensions
File: c:\program files\trillian-v0.725.exe
I realize that the cookiem.exe is a false alarm, but what does the trillian entry mean? (Yes, I know it says it's got dual extensions, but what's the significance of that - if any?).
Having quite a bit of fun with this, so far! Pete
Liquid_Fish
March 17th, 2002, 02:53 PM
On the dual extension thing.
Some bad guys try to hide a trojan by disguising it as another file type so that you will run it. For example
Letter.txt.exe
If you have the 'hide extensions' checked in the Explorer options the file will look like this
Letter.txt
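To make the dual-extension trick and the trillian false alarm from the first post concrete, here is an added Python example (not code from the thread, not from TDS, and not its signature data). It parses the scandump listing spy1 pasted, shows what Explorer displays for a name like Letter.txt.exe when extensions are hidden, and separates a real decoy (document-looking name that actually runs as a program) from a harmless name that merely has extra dots, such as a version string. The executable and decoy extension lists are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Watch lists constructed for this example (not TDS's own signature data).
# Extensions Windows runs as a program or script when double-clicked.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
# Extensions a user reads as a harmless document or picture.
DECOY_EXTS = {"txt", "doc", "rtf", "pdf", "jpg", "jpeg", "gif", "htm", "html", "mp3", "zip"}


def base_name(path: str) -> str:
    """Last path component, accepting Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def displayed_name(filename: str, hide_extensions: bool = True) -> str:
    """What Explorer shows for the file. With 'Hide extensions for known file
    types' on, only the final extension is dropped, so the decoy one stays visible."""
    name = base_name(filename)
    if not hide_extensions or "." not in name:
        return name
    return name.rsplit(".", 1)[0]


def classify_filename(path: str) -> str:
    """Three-way verdict on a filename:
      'single extension'        - at most one dot in the name
      'decoy dual extension'    - runs as a program but reads as a document (Letter.txt.exe)
      'multiple dots, no decoy' - extra dots from a version string or similar (trillian-v0.725.exe)
    The last case is the kind of alert the thread calls a false alarm."""
    parts = base_name(path).lower().split(".")
    if len(parts) < 3:
        return "single extension"
    last, before = parts[-1], parts[-2]
    if last in EXECUTABLE_EXTS and before in DECOY_EXTS:
        return "decoy dual extension"
    return "multiple dots, no decoy"


def parse_scan_dump(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse the alert / 'File:' line pairs of a scandump listing into dicts.
    Each alert line is followed by a 'File:' line naming the object."""
    findings: List[Dict[str, Optional[str]]] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        # strip the '*' residue that appears in front of 'File:' in the pasted dumps
        line = raw.strip().lstrip("*").strip()
        if not line or line.startswith("Scan Control Dumped"):
            continue
        if line.lower().startswith("file:"):
            findings.append({"alert": pending, "file": line[5:].strip()})
            pending = None
        else:
            pending = line
    return findings


def triage_dump(text: str) -> List[Dict[str, Optional[str]]]:
    """Attach the dual-extension verdict to every finding in a dump."""
    out = []
    for f in parse_scan_dump(text):
        f = dict(f)
        f["verdict"] = classify_filename(f["file"] or "")
        out.append(f)
    return out


# The scan dump pasted in the first post of the thread, used here as sample input.
SAMPLE_DUMP = r"""Scan Control Dumped @ 12:02:56 17-03-02
Live trojan found (in process memory): RAT.Theef
File: C:\WINDOWS\START MENU\PROGRAMS\STARTUP\COOKIEM.EXE
Suspicious Filename: Dual extensions
File: c:\program files\trillian-v0.725.exe
"""

if __name__ == "__main__":
    print(displayed_name("Letter.txt.exe"))   # Letter.txt
    for f in triage_dump(SAMPLE_DUMP):
        print(f"{f['verdict']:26} {f['alert']}  <- {f['file']}")
```

The point of the three-way verdict is that counting dots (which is all the trial version's alert tells you) is not the same as spotting a decoy: trillian-v0.725.exe has two dots but no document-type extension in front of the .exe, while Letter.txt.exe is exactly the shape Liquid_Fish describes.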
Jooske
March 17th, 2002, 03:59 PM
Hi spy!
Sorry I kept you waiting; just before I was able to send the message away the whole page froze, no movement, no possibility to copy or whatever, so I'm starting all over again with the message. So sorry if I sound a bit less friendly than my original reply (which you don't know now :()
> Okay, just d/l'ed the trial version of TDS (would have purchased it outright - sight unseen - if it weren't for the fact that I had to make sure it wasn't going to conflict with anything already on this here WinMe computer).
I hear about many people using WinME without a problem, as far as TDS is concerned. Other problems with drivers and HDs filling themselves up I hear often, even without using the thing. In v4 all eventual Win-version problems with TDS and WG must be completely over.
> I'm confused about the radius update location. Since it's a trial copy, it won't update itself from the program - it tells me to go to here: http://tds.diamondcs.com.au/ , but when I do, I'm not seeing anything anywhere that tells me where the manual radius update location is (told ya'! newbie! lol!). Where's the manual update? (* Note: never mind, I found it: http://tds.diamondcs.com.au/radius.td3 )
That's right, for the trial version it's the manual update only; reload TDS after that to be really sure that the new update is used. So you have 11773 references now?
> Also, should I allow it to 'Initialise Sockets' in Startup/Configuration? Right now, I have that UN-selected.
> Other than that, I've got everything in the world checked that it will accept on the trial copy - does that sound like a good way to have it?
Sounds very good, for sure! But I have the sockets also on, on automated. It's an extra watchdog for those known trojan ports. With the script function you could do a lot more with the scripted function on the sockets; I did not see people posting scripts for that yet.
> I copied the scandump.exe to notepad and this is what it said:
> Scan Control Dumped @ 12:02:56 17-03-02
> Live trojan found (in process memory): RAT.Theef
> File: C:\WINDOWS\START MENU\PROGRAMS\STARTUP\COOKIEM.EXE
> Suspicious Filename: Dual extensions
> File: c:\program files\trillian-v0.725.exe
> I realize that the cookiem.exe is a false alarm, but what does the trillian entry mean? (Yes, I know it says it's got dual extensions, but what's the significance of that - if any?).
Whether the file is real or a false alert, please be so kind as to send it to the TDS lab with a click of the button, so they can add it to their databases for correction. Every developer is happy to prevent false alarms.
The double extensions I saw explained already.
Today I just got an email with an attachment of a so-called image (forgot the first extension) and .com, so I was alarmed and WG blocked it, even though all virus scanners said it is clean. Such a big question mark I sent on as well for further examination. Of course we always hope to come up with something new! Which is difficult with the people right on top of those things all the time.
> Having quite a bit of fun with this, so far! Pete
I'm sure you're enjoying yourself, and most of all when you can use the scripting function among others; did you see the possibility to shout back at an intruder? And to see packets going in and out of your system and all those nice things; so I discovered months ago the CodeRed attacks all the time, among others.
Lots of fun with it and don't hesitate to ask!
spy1
March 17th, 2002, 04:48 PM
Thanks, Jooske! Between your answer and wizards' PMs I'm starting to get a handle on things.
I'll send the logfile tomorrow - running out of time today. Pete
Jooske
March 18th, 2002, 07:24 AM
Hi Pete,
Not the logfile, but the possible nasty itself: just a right mouse click, choose send the file (after the scan, from the alerts window).
Glad you like TDS.
In time on the private forum you'll like it even more with all the gems and jewels: why do you think it's a Diamond product :)?
If you run into more questions, please ask!
spy1
March 19th, 2002, 05:37 PM
Scan Control Dumped @ 15:45:23 19-03-02
Suspicious Filename: Dual extensions
File: c:\program files\trillian-v0.725.exe
Positive identification <Adv>: Possible keylogger
File: c:\program files\pcihookprotect\hprot32.exe
What's with the HookProtect warning? It's been on my computer the whole time and TDS just picks it up today?
False alert after the last TDS update? Pete
Jooske
March 19th, 2002, 05:43 PM
Hi again,
The dual extension is in this case not to worry about, as it's a known program. In v4 this should be solved.
But the pcihookprotect keylogger alert is better to send to the TDS lab for them to look into. It might indeed be that they have tightened up the detection, which is why this shows up now. And if it's a false alarm, your forwarding of the file enables the lab to update the database even more. It probably has part of a known keylogger's signature included.
spy1
March 19th, 2002, 06:31 PM
Sent. Pete
Jooske
March 19th, 2002, 06:53 PM
Great Pete, thanks in the name of all humanity on this internet part of the planet.
Hope to ever hear about it!
(should there be a comma between Great and Pete? :0)
The full system scans unveiled several legal Windows files with password-stealing capacities, like pwledit.exe.
Of course they were so kind to look into them and tell why this alert. Same reason: it does take passwords.
spy1
March 19th, 2002, 07:00 PM
lol! You're too much, woman! Pete
Jooske
March 19th, 2002, 07:35 PM
Oops! :D
Licenced, certificated, some education, yep. <teeeheee>