Unknown Trojan Not Picked Up By TDS

About a week ago when running a Pest Patrol search I turned up what is classified by Pest Patrol as an "Unknown Trojan" Key Logger. When I select and remove the lil bugger, I get an error message, [Unable to load function: FT_THUNK {KERNEL32.dll}] But than it goes on to apparently delete the files. It than requires a reboot to be finalized and a rescan shows the files to be removed.

However when I run a specific application they reload. (Warcraft III, sorry.. I'm an avid gamer). So not knowing what more to do... I purchased TDS and bought the license. I have run the program, updated, when they are removed and when pest patrol says they are there and TDS does not find anything.

This is highly annoying as I just spent nearly $50.00 for a pretty trojan program that does not seem to see the trojan. Pest Patrol logs seem to suggest that this particular trojan creation date is 8/9/04. So it seems pretty new.

The files that are picked up are: sintfnt.dll, sintf32.dll, sintf16.dll, cmdlineext02.dll.

Now just so everyone reading this knows. I have spybot s&D, Updated Adaware, Hijack This, Reg Organizer, Pest Patrol, TDS, and I do regular scans with Trend Micro's House Call.

Does anyone have any suggestions on what I should do next? I would appreciate any and all feedback.

Thanks

Bubba HoTep

 

I just re-ran Trend Micro's House Call last night and found one non-cleanable.

BKDR AGENT.CE

Does anyone know what this file does? It is embedded deep in a Documents & Settings folder.

Thanks

Bubba

 

More info here

Hope this helps...

Let us know how you go...

Cheers

 

these links have alot of info on your pest

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=127679

http://www.f-secure.com/v-descs/agent_ce.shtml

 

TDS didnt detect this? Tut tut.

 

I re-updated Trend Micro House Call this morning and have viewed the first 30minutes of the run and found that is not picked up on the insect where it was on last scan..

Thanks for the links on this bug. I have noted that it would need to access the net through a port and given DSL I have no open ports on my firewall. Not to mention my Zone Alarm Pro will I'm sure detect anything trying to access the internet.

Hopefully I will be rid of this tonight. Given that it appears to be a new backdoor variant I can understand why there is so little about it out. I'm sure we'll see more in the weeks and months to come. Still a little peeved that TDS did not pick it up either yet Pest Patrol knew something was wrong and Trend Micro House Call confirmed it.

I'll repost this evening and let people know where I am at.

Bubba

 

But you did submit the file/s to DCS for analyzation, right?

 

Unfortunately I did not. When Trend Micro gave me the option to delete I deleted it. If it comes back I will send in the file.

I have been on this forum now a day or two. My normal course of action for the past 10 years has been to find these and remove them as quickly and easily as possible.

Again, I will be certain to take care of that for future matters but have not as of yet.

Bubba

 

Please keep us informed how it goes.
And submit your finds please.
What is also very helpful and necessary is to close other scanners completely (including their resident protection) when using another scanner.
TDS does not need to be closed, only don't have it actively scanning with TDS at the same time of using any other scanner.
This is to give full access to all files by the other scanners.
If i'm not sure i zip a file and submit it and/or get an extra scan of that file with my other scanners and online at kaspersky's for instance.

 

Ok, after yet another Trend Micro complete scan I have turned up nothing. So it appears to have deleted the BKDR_AGENT.CE

However, the other "Unknown Trojans" detected by Pest Patrol continue to show up. The 4 files mentioned in my above posts. Should I send these in and have them checked?

If so, what utility do people use to zip them? I don't have Winzip and when I looked it only has a 20 or so day trial before you have to purchase a license. Is there a utility built into XP already?

Feedback appreciated, as it currently stands I'm well on my way to Hari Kari. Get obsessed with these irritations. I appreciate everyone's assistance.

Bubba

 

You can have the files checked here, as well you can send them to submit@diamondcs.com.au and samples@nod32.com and there is more information on submitting samples here

Let us know how you go...

Cheers

 

Thanks for the info.... but does XP have a zip utility or will I need to go out and buy one?

Bubba

 

XP has it's own, however you can also download Ultimate Zip from here

Hope this helps...

Cheers

 

I thought I would share this information with everyone, note where it came from. There is also something else I found out on another forum and I will be posting that in the near future and it is highly interesting.

"Hello,


In regards to the files SintfNT.dll, Sintf16.dll, Sintf32.dll, these
are used in/for the copy protection for Diablo II and Warcraft III. I am
unsure if these are normally native Windows files or something the copy
protetion generates if they are not there. In testing something I
deleted them, reinstalled Diablo II and the files came back. In all I would
tend to say you are getting a false positive from Pest Patrol and you
might want to check with the makers of it as to why or at least let them
know and send the files in to them so they can look at them. As for
the fourth file you mention I could not find it on my system(s). Here
again I would send this one in to Pest Patrol and have them look at it to
see why it keeps getting reported.

I know you said you have checked your system multiple times however
from the list of software you use like TDS, Zone Alarm, etc. I am not
seeing an actual anti-virus program listed there. Do you have an actual
anti-virus program like Norton, Panda, Kaspersky, Fprot, etc.? If you
don't you may seriously want to look in to getting one as anti
Trojan/spyware software isn't ment for detecting viruses, just as AV software isn't
ment for detecting trojans/spyware even though each can at times detect
some of the more popular trojans/viruses respectively.

Regards,
Norm H.
Anti-Piracy Team
Blizzard Entertainment"

More to follow.

Bubba

 

So it appears the "Unknown Trojans" detected by Pest Patrol are false positives, have you sent these off to Pest Patrol for analysis?

Now that your system is clean you may want to take a look here for further discussion on security and how to make your system that much stronger, and here for more discussions.

Hope this helps…

Let us know how you go…

Cheers

 

The following was taken from Security Forums regarding this same issue. I hope the links come through with this as they are super and anyone who is dealing with these files would find them very interesting. If they don't come through see this link to the forums.

http://www.security-forums.com/forum/viewtopic.php?t=20775&highlight=

These files are part of some incidious "copy protection" schemes devised by software/music lobbies to basically cripple your system into being unable to copy their products - a well known such "protection" used by a certain "reputable" record company works by secretly installing a driver on your computer that cripples your CD-ROM drive's ability to digitally extract audio, thus making it impossible for you to copy an audio CD without heavy distortion. Way to go, we're all thiefs now, we buy their junk and they cripple our machines in return.

Quick Google on the subject revealed some interesting results, this one for example.

These files were placed in your system either by one of Blizzard's products, or some other game you have installed, or even by some music CD you inserted in your computer (yes, they are actually at a stage where they secretly installing things in your computer without your knowledge just by inserting a legally bought music CD on the drive).

This is yet another reason why I strongly recommend people disable autorun notification on their drives. At least that way you can be sure that when you put a CD on, it'll only run if you want it to run - which in case of a music CD will help you be sure you're not running anything other than you opening your favorite CD Player application and hitting play.

 

Very interesting, I know the RIAA etc have been messin with P2P music files for a while now but this is new, if what you said is true then it breaches the Digital Millennium Copyright Act sighed by bill clintonin 1996.

 

Not to beat the proverbial horse senseless but, this was from an update. Meaning, everytime you connect to say "Battlenet" through Blizzard to play online, the program checks for the most current updates. This did not start occurring until the very latest update towards the middle to end of September.

I've been reading more and more about this on multiple forums. What's more, it's not just Blizzard but on a google search these were found as part of a piece of music cd.

It's all been done very very quietly. So whose worse? People who pirate software, music or movies or the companies who are placing items on peoples pc's unbeknownst to the owner. Nobodies clean anymore.

Think I'll go shower.

Bubba

 

I have encountered the same, exactly same problem wit Pest Patrol detecting "sintfnt.dll" and "sintfnt32.dll", and having them back after deletion. I am an hardcore gamer, and I can assure you that those "pests" come back when running many games. Actually, I am playing Archangel (jowood), and it keeps reinstalling those dlls every time I launch the game.

I am not sure what those files really are. But it seems to me, from what informations I gathered, that it is assiociated to a "Securom V2"... Whatever it is.