TH logfile review-anyone here please? TIA


slammer_JvA
March 7th, 2004, 02:29 PM
Little Mr. Impatient as I tend to be sometimes (... :-[ ;))...
here's a quote from an entry I made on the Mischel Internet Security website.

I am having difficulty seeing the forest for the trees... (and one has to start somewhere)

Can anyone here please be so kind as to give me some pointers/advice on this logfile, and what to do with it?

Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found trojan file: C:\Program Files\Common Files\updater\sui.exe (Adware.Euniv.100)
Warning: Unable to unpack UPX-packed file C:\Program Files\Risk\TRAINER.EXE (Add to ignore list)
Warning: Unable to unpack UPX-packed file C:\System Volume Information\_restore{1209D00C-11FE-4E79-856E-B4B79564FE0A}\RP40\A0003657 .exe (Add to ignore list)
Warning: Unable to unpack UPX-packed file C:\System Volume Information\_restore{1209D00C-11FE-4E79-856E-B4B79564FE0A}\RP42\A0007601 .exe (Add to ignore list)
Found trojan file: C:\System Volume Information\_restore{1209D00C-11FE-4E79-856E-B4B79564FE0A}\RP42\A0007607 .exe (Adware.Euniv.100)
Warning: Unable to unpack UPX-packed file C:\unzipped\file1\EA.Games.Multi.Keygen.exe (Add to ignore list)
Warning: Unable to unpack UPX-packed file F:\GAMES\file1.zip/EA.Games.Multi.Keygen.exe (Add to ignore list)
Found trojan file: F:\SECURITY\leaktest1.2.exe (LeakTest.102)
3 trojan files found


Like to learn!
Thanks in advance,
Grtz,
Slammer

Paul Wilders
March 7th, 2004, 05:09 PM
slammer,

-{ Quote: "File scan
Found trojan file: C:\Program Files\Common Files\updater\sui.exe (Adware.Euniv.100)" }-

This sounds like a positive identification. Submit the file to the software developer for examination.

As for UPX files: TrojanHunter is unable to cope with these - for that reason the software pops up this warning on all UPX files.

-{ Quote: "Found trojan file: C:\System Volume Information\_restore{1209D00C-11FE-4E79-856E-B4B79564FE0A}\RP42\A0007607 .exe (Adware.Euniv.100)" }-

Disable System Restore, if possible reboot in Safe Mode, and perform a new scan (provided the file has been examined and isn't a false positive). Let the software take care of the cleaning. You can enable System Restore after this.


As for the (UPX) Games multi.key generator: on first glance it looks like a cracking tool generating illegal key files for games software. It's very common for those files to come with some sort of "bonus" - a trojan/backdoor infecting a system. If we are talking about such an illegal cracking tool, your system has fairly surely been backdoored. Make sure to get rid of it and change all passwords after doing so - they are out in the open for many to abuse.

regards.

paul
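The log in the first post mixes two very different kinds of lines: "Found trojan file" detections, which name a signature, and "Unable to unpack UPX-packed file" warnings, which (as the replies explain) only mean the scanner could not look inside the file. The following Python script is an added example, not TrojanHunter's code and not anything posted in this thread; it parses the line shapes shown in the log above, keeps detections apart from UPX warnings, cross-checks the parsed count against the scanner's own "N trojan files found" line, and flags detections sitting under System Restore, since those cannot be cleaned in place until System Restore is disabled. The sample log embedded in it is constructed from the lines quoted in this thread.

```python
"""Triage helper for TrojanHunter-style scan logs (constructed example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: reproduces the line shapes of the log quoted in this
# thread so the parser can be exercised offline. It is not a fresh scan.
SAMPLE_LOG = """\
Registry scan
No suspicious entries found
Port scan
No suspicious open ports found
File scan
Found trojan file: C:\\Program Files\\Common Files\\updater\\sui.exe (Adware.Euniv.100)
Warning: Unable to unpack UPX-packed file C:\\Program Files\\Risk\\TRAINER.EXE (Add to ignore list)
Found trojan file: C:\\System Volume Information\\_restore{1209D00C-11FE-4E79-856E-B4B79564FE0A}\\RP42\\A0007607 .exe (Adware.Euniv.100)
Warning: Unable to unpack UPX-packed file F:\\GAMES\\file1.zip/EA.Games.Multi.Keygen.exe (Add to ignore list)
Found trojan file: F:\\SECURITY\\leaktest1.2.exe (LeakTest.102)
3 trojan files found
"""

# Line shapes taken from the log as posted; any other line is passed over.
FOUND_RE = re.compile(r"^Found trojan file: (?P<path>.+?) \((?P<sig>[^()]+)\)\s*$")
UPX_RE = re.compile(r"^Warning: Unable to unpack UPX-packed file (?P<path>.+?) \(Add to ignore list\)\s*$")
TOTAL_RE = re.compile(r"^(?P<n>\d+) trojan files? found\s*$")
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


@dataclass
class LogEntry:
    kind: str                      # "detection" or "upx_warning"
    path: str
    signature: Optional[str] = None  # only set for detections

    @property
    def in_system_restore(self) -> bool:
        # Copies under _restore{...} are System Restore snapshots: the scanner
        # cannot clean them while System Restore is on, hence the advice in
        # the thread to disable it, rescan, then re-enable.
        return RESTORE_RE.search(self.path) is not None

    @property
    def inside_archive(self) -> bool:
        # The log writes archive members as "<archive>.zip/<member>".
        return ".zip/" in self.path.lower()


def parse_trojanhunter_log(text: str) -> List[LogEntry]:
    """Turn the scan log into structured entries, skipping section headers and 'No ... found' lines."""
    entries: List[LogEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FOUND_RE.match(line)
        if m:
            entries.append(LogEntry("detection", m.group("path"), m.group("sig")))
            continue
        m = UPX_RE.match(line)
        if m:
            entries.append(LogEntry("upx_warning", m.group("path")))
    return entries


def reported_total(text: str) -> Optional[int]:
    """The scanner's own 'N trojan files found' count, used as a cross-check on the parser."""
    for raw in text.splitlines():
        m = TOTAL_RE.match(raw.strip())
        if m:
            return int(m.group("n"))
    return None


def triage(text: str) -> Dict[str, object]:
    """Separate real detections from UPX unpack warnings and group what needs action."""
    entries = parse_trojanhunter_log(text)
    detections = [e for e in entries if e.kind == "detection"]
    warnings = [e for e in entries if e.kind == "upx_warning"]
    by_signature: Dict[str, List[str]] = {}
    for e in detections:
        by_signature.setdefault(e.signature or "unknown", []).append(e.path)
    reported = reported_total(text)
    return {
        "detection_count": len(detections),
        "reported_count": reported,
        "counts_match": reported == len(detections),
        "by_signature": by_signature,
        # Detections sitting in restore points cannot be cleaned in place.
        "system_restore_detections": [e.path for e in detections if e.in_system_restore],
        # These are not detections: the scanner simply could not look inside the file.
        "upx_warnings": [e.path for e in warnings],
        "upx_warnings_in_archives": [e.path for e in warnings if e.inside_archive],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it on the sample prints three detections under two signatures, one of them inside a restore point, and two UPX warnings kept in their own bucket; `counts_match` turning False on a real log is the hint that the scanner's output format differs from the shapes assumed here and the regexes need adjusting.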

illukka
March 8th, 2004, 03:05 PM
No, TrojanHunter only reports files it cannot unpack, for example files packed with a modified UPX, or those that are encrypted/protected. For example, I have a private UPX version and TrojanHunter warns on all trojans packed with it.

It does not warn on all UPX files and it can unpack a lot of UPX-packed files.

Paul Wilders
March 8th, 2004, 05:24 PM
-{ Quote (illukka): "No, TrojanHunter only reports files it cannot unpack, for example files packed with a modified UPX, or those that are encrypted/protected. For example, I have a private UPX version and TrojanHunter warns on all trojans packed with it." }-

Seems like we agree in essence here ;)

-{ Quote (illukka): "It does not warn on all UPX files and it can unpack a lot of UPX-packed files." }-

..at the moment, not that many IMHO. That said: I'm convinced v4 will be an improvement in this regard ;)

regards.

paul

slammer_JvA
March 9th, 2004, 05:11 AM
-{ Quote (Paul Wilders): "As for the (UPX) Games multi.key generator: on first glance it looks like a cracking tool generating illegal key files for games software. It's very common for those files to come with some sort of "bonus" - a trojan/backdoor infecting a system. If we are talking about such an illegal cracking tool, your system has fairly surely been backdoored. Make sure to get rid of it and change all passwords after doing so - they are out in the open for many to abuse.

regards.

paul" }-

:o ...busted! :-[ ;) (as said b4: I'm no saint...not proud of it...)

Then again: I already suspected and expected such a thing you describe here...I'm no real nitwit.
Will certainly follow your advice on this. Tnx.
(btw You've got mail :) )
Regards,
slammer

slammer_JvA
March 9th, 2004, 05:17 AM
While we're at it: what about this one? Puzzles me: Is this a real (Trojan) threat?! Because if it is... >:(

-{ Quote (slammer_JvA): "Found trojan file: F:\SECURITY\leaktest1.2.exe (LeakTest.102)" }-

(The only dumb Q is the one never asked, right? ;))
grtz,
slammer

Paul Wilders
March 9th, 2004, 06:23 AM
Hi slammer,

No comment on the keygen - you know our view on this ;)

I will check my inbox soon!


As for your latest question: no real threat - GKweb is the expert on these for sure; he'll drop by to explain no doubt. You can delete the file btw if you feel like it.

regards.

paul

Paul Wilders
March 9th, 2004, 06:26 AM
you might have a look at this thread (http://www.wilderssecurity.com/showthread.php?t=22427;start=0) ;)

regards.

paul