Regval trace: please submit


xBeanx
February 2nd, 2005, 01:22 PM
This is my first time here so please bear with me. I am running the latest defs of TDS-3 and this is what I got back:
Scan Control Dumped @ 10:09:55 02-02-05
RegVal Trace: Trojan please submit: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft SourceSafe=C:\WINDOWS\system\csrss.exe]

Suspicious Filename: Excessive space characters
File: c:\documents and settings\all users\documents\my music\paterson filings 2000 to 2003 .vbs

Suspicious Filename: Excessive space characters
File: c:\documents and settings\all users\documents\my pictures\mike desautels palm card draft (2) .vbs

Suspicious Filename: Excessive space characters
File: c:\documents and settings\all users\documents\my videos\dscc finance master a .vbs

Suspicious Filename: Dual extensions
File: d:\temp\trillian-v0.74f.exe
I don't really know what to do now. Any help would be welcome. Also, the 3 VB scripts that are listed are undeletable so far.

Don Pelotas
February 2nd, 2005, 03:36 PM
-{ Quote: "This is my first time here so please bear with me. I am running the latest defs of TDS-3 and this is what I got back:
Scan Control Dumped @ 10:09:55 02-02-05
RegVal Trace: Trojan please submit: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft SourceSafe=C:\WINDOWS\system\csrss.exe]

Suspicious Filename: Excessive space characters
File: c:\documents and settings\all users\documents\my music\paterson filings 2000 to 2003 .vbs

Suspicious Filename: Excessive space characters
File: c:\documents and settings\all users\documents\my pictures\mike desautels palm card draft (2) .vbs

Suspicious Filename: Excessive space characters
File: c:\documents and settings\all users\documents\my videos\dscc finance master a .vbs

Suspicious Filename: Dual extensions
File: d:\temp\trillian-v0.74f.exe
I don't really know what to do now. Any help would be welcome. Also, the 3 VB scripts that are listed are undeletable so far." }-
Hi xBeanx & welcome to the forum

You can always submit the files in question to submit@diamondcs.com.au, the makers of TDS-3; they will check them and get back to you with a verdict. :)

xBeanx
February 2nd, 2005, 06:41 PM
-{ Quote: "Hi xBeanx & welcome to the forum

You can always submit the files in question to submit@diamondcs.com.au, the makers of TDS-3; they will check them and get back to you with a verdict. :)" }-

Thank you for the reply, I have sent that email off. Also, I was wondering if the .vbs files were tied to the exe that I sent. Those things are untouchable: no copy, edit, delete, nothing.

snowbound
February 2nd, 2005, 07:01 PM
Hi xBeanx. :)

Welcome to Wilders.

Since this is a TDS detection issue I'll move this thread over to the Trojan Defense Suite forum. ;)



snowbound

Pilli
February 3rd, 2005, 05:27 AM
-{ Quote: "RegVal Trace: Trojan please submit: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft SourceSafe=C:\WINDOWS\system\csrss.exe]" }- This could well be a Trojan as csrss is usually in the windows\system32 folder. So please submit it.
To be safe, go to the system folder, rename it to csrss.bak and reboot to ensure that your machine still functions correctly.
Zip a copy of the file and send it to submit@diamondcs.com.au for analysis.

Regarding the double extensions, these are normally OK, such as the Trillian entry, which uses a version number before the .exe separated by a dot.
The others are suspicious only if you do not recognise the source; try scanning the files with your AV scanner or an online scanner.

HTH, Pilli.

Bubba
February 3rd, 2005, 09:03 PM
More than likely a member of the Webus family of trojans.

Adds one of the following values:

"ccpApps" = "%System%\csrss.exe"
".WMAudio" = "%System%\csrss.exe"
"Prog" = "%System%\csrss.exe"
"FiendlyType" = "%System%\csrss.exe"
".TEXTCONV" = "%System%\csrss.exe"
"Microsoft SourceSafe" = "%System%\csrss.exe"
"RegDone Ex" = "%System%\csrss.exe"
"BuildLabs" = "%System%\csrss.exe"
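The thread reasons about three things: a Run-key autostart entry pointing at a core-process name (csrss.exe) outside the folder it normally lives in, filenames padded with spaces in front of a .vbs extension, and dual extensions that are benign when the inner token is just a version number (trillian-v0.74f.exe). The script below is an added example written for this thread, not TDS-3 or DiamondCS code; it re-implements those checks over a constructed copy of xBeanx's scan dump, and uses the Run value names from Bubba's post as a lookup list. The core-binary, system-directory and extension lists are assumptions, as is the constructed `invoice.doc.exe` line added to show the document-extension case.

```python
"""Re-implementation of the autostart and filename checks discussed in the thread.
Constructed example, not TDS-3 code; the lists below are assumptions."""
import re

# Core Windows processes that normally live in %SystemRoot%\system32 (assumption: XP-era layout).
CORE_SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe", "services.exe"}
EXPECTED_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}

# Run value names listed in Bubba's post for the Webus family.
WEBUS_RUN_VALUE_NAMES = {"ccpApps", ".WMAudio", "Prog", "FiendlyType", ".TEXTCONV",
                         "Microsoft SourceSafe", "RegDone Ex", "BuildLabs"}

# Extensions that execute on double-click, and document extensions used to mask them (assumption).
EXEC_EXTS = {"exe", "vbs", "js", "scr", "bat", "cmd", "pif", "com"}
DOC_EXTS = {"doc", "xls", "pdf", "txt", "jpg", "gif", "mp3", "avi"}
VERSION_TOKEN = re.compile(r"^v?\d+[a-z]?$", re.IGNORECASE)  # matches "74f" in trillian-v0.74f.exe

# Pulls "Name=Path" out of a TDS-3 line such as "...\Run [Microsoft SourceSafe=C:\WINDOWS\system\csrss.exe]".
RUN_ENTRY = re.compile(r"\\Run \[(?P<name>[^=\]]+)=(?P<path>[^\]]+)\]")

# Constructed dump, copied from the thread plus one extra line to show the document-extension case.
SAMPLE_DUMP = r"""
Scan Control Dumped @ 10:09:55 02-02-05
RegVal Trace: Trojan please submit: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft SourceSafe=C:\WINDOWS\system\csrss.exe]
Suspicious Filename: Excessive space characters
File: c:\documents and settings\all users\documents\my music\paterson filings 2000 to 2003 .vbs
Suspicious Filename: Dual extensions
File: d:\temp\trillian-v0.74f.exe
File: c:\temp\invoice.doc.exe
""".splitlines()


def split_path(path):
    """Return (lowercased directory, lowercased file name) for a Windows path."""
    directory, _, filename = path.lower().rpartition("\\")
    return directory, filename


def check_run_entry(value_name, target):
    """Flag an autostart entry the way Pilli and Bubba reason about it."""
    findings = []
    directory, filename = split_path(target)
    if filename in CORE_SYSTEM_BINARIES and directory not in EXPECTED_SYSTEM_DIRS:
        findings.append(f"core process name {filename} started from unexpected folder {directory}")
    if value_name in WEBUS_RUN_VALUE_NAMES:
        findings.append(f"Run value name '{value_name}' matches a known Webus variant")
    return findings


def check_filename(path):
    """Flag space padding before the extension and dual extensions; a version token is reported as benign."""
    findings = []
    _, filename = split_path(path)
    base, dot, ext = filename.rpartition(".")
    if not dot:
        return findings
    # A trailing space, or a run of three or more spaces, pushes the real extension out of view.
    if base.endswith(" ") or "   " in base:
        findings.append("excessive space characters before extension")
    inner = base.rpartition(".")[2] if "." in base else ""
    if inner and ext in EXEC_EXTS:
        if inner in DOC_EXTS:
            findings.append(f"dual extension: .{inner}.{ext} (document extension masks executable)")
        elif VERSION_TOKEN.match(inner):
            findings.append(f"dual extension: .{inner}.{ext} looks like a version number (likely benign)")
        else:
            findings.append(f"dual extension: .{inner}.{ext} (unclassified)")
    return findings


def triage_dump(lines):
    """Walk a TDS-3 style dump and return {path_or_target: [findings]} for everything flagged."""
    results = {}
    for raw in lines:
        line = raw.strip()
        match = RUN_ENTRY.search(line)
        if match:
            found = check_run_entry(match.group("name"), match.group("path"))
            if found:
                results[match.group("path")] = found
        elif line.lower().startswith("file: ") and "\\" in line:
            path = line[len("file: "):]
            found = check_filename(path)
            if found:
                results[path] = found
    return results


if __name__ == "__main__":
    for item, notes in triage_dump(SAMPLE_DUMP).items():
        print(item)
        for note in notes:
            print("   -", note)
```

Running it on the constructed dump reports the Run entry twice (wrong folder for csrss.exe, and a value name from Bubba's list), the space-padded .vbs once, the Trillian file as a benign version-number dual extension, and the constructed invoice.doc.exe as a masked executable; the heuristics are a triage aid and, as Pilli says, the file itself still goes to the vendor for a verdict.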