TDS Can't Delete Trojan - help
MarkWW
April 23rd, 2003, 02:49 AM
TDS-3 is reporting the following in my alarm section:
File Trace: Default trojan filename
Possibly Worm.Coronex - submit
C:\Downloads
I tried right clicking in my alarm area and deleting...3 times...every time it said it was deleted, but after turning my PC off and then rebooting cold, it keeps coming back.
What is Worm.Coronex? How dangerous is it?
How the heck do I get rid of it???
Thanks! ???
Patrice
April 23rd, 2003, 03:09 AM
Hi MarkWW!
It looks to me as if the Worm.Coronex is installing itself every time back onto your hard disk... Have you checked the autostart? Is something else in the autostart you don't know?
Go to the TDS-3 console and press Ctrl-O. Check all your processes. If you don't know what they are, come back and let us know the names of all the processes.
Best regards!
Patrice
jmiller
April 23rd, 2003, 03:23 AM
i have the same prob... :'(
these are the processes
c:\windows\system32\smss.exe
\winlogon.exe
\services.exe
\lasaa.exe
\svchost.exe
\svchost.exe
\spoolsv.exe
c:\windows\explorer.exe
c:\windows\wanmpsvc.exe
c:\windows\msagent\agentsvr.exe
any help appreciated...
LowWaterMark
April 23rd, 2003, 03:31 AM
For both of you, did this just start with the latest TDS radius update or has it been happening for a while?
jmiller - Your list looks normal except - is "lasaa.exe" a typo? There is a real process called "lsass.exe".
jmiller
April 23rd, 2003, 03:36 AM
the process name is
c:\windows\system32\lsaaa.exe
it has happened since the last update...i am not a registered user but after this, i think i will be....
also...when i update, the update does not seem to be recognized...maybe i am updating from the wrong place...regardless...should i then delete the lsass.exe?
thanks
jmiller
April 23rd, 2003, 03:36 AM
sorry...lsass.exe
Patrice
April 23rd, 2003, 03:39 AM
Hi jmiller!
Are these all processes running on your computer? Which OS do you use? Did you really do it with the TDS-3 console?
All these processes are Windows processes. But there are two processes which aren't necessary.
First wanmpsvc.exe:
WAN MiniPort Service installed by AOL 7.0 and later versions on Windows 2000/XP systems.
Recommendation :
Irrelevant to the VAST majority of AOL users, if not all of them. Some users, however, have reported errors with this service. We advise therefore that you go into "Control Panel \ Administrative Tools \ Services" and set this service to Manual.
Second spoolsv.exe:
Are you using a network printer? If not, disable this service. You find this service in your connection properties (Printer and Sharing).
Regards,
Patrice
LowWaterMark
April 23rd, 2003, 03:40 AM
"lsass.exe" is the real and proper Windows program. I was concerned when I saw a different spelling as that is a common thing real trojans do - they use a name very similar to a real file in hopes of not being noticed.
Typos can be dangerous when trying to figure out what's a real file and what's not. ;)
No, don't delete it. More analysis has to be done by the DCS folks to figure out if this is a false positive or something else.
Pieter_Arntz
April 23rd, 2003, 03:41 AM
Hi jmiller,
To update a trial version you need to download http://tds.diamondcs.com.au/radius.td3 (Direct download link) and replace the one currently in your TDS directory.
Regards,
Pieter
jmiller
April 23rd, 2003, 03:46 AM
all right...thanks for the tip :D
i have windows xp with all relevant upgrades and service packs
the trojan/virus is found by tds3 in
C:\My Downloads\Unreal 2: The Awakening (full).exe
i do not have unreal and when i checked my download folder nothing is there...
very perplexing and annoying...
? :-\
what to do?
Patrice
April 23rd, 2003, 03:49 AM
Hi jmiller!
Can you once start regedit and search for this entry:
The Awakening (full).exe
Regards,
Patrice
jmiller
April 23rd, 2003, 03:54 AM
all right...whew...
searched regedit in local machine and current user in system and software and didn't find anything...i don't know where else to look in regedit as it is a maze of potential screwups for me....yowsers!
what now...
btw...thanks for the time
;D
Jooske
April 23rd, 2003, 03:58 AM
Hi all,
if TDS says "suspicious" or "possible" it had code in it, but it is not 100% guaranteed a trojan, unless the alert is telling so. So I would surely recommend, in the alerts window, right-clicking on the specific file and pressing the submit option.
Of course I would prefer you to find the file in your folders and send it zipped to submit@diamondcs.com.au, but as you have difficulty finding it.......
Please do this in this case before deleting the thing, and wait for further instructions from the TDS lab.
Are you sure you have all files visible?
Patrice
April 23rd, 2003, 04:00 AM
Hi jmiller!
O.K. let's try the next thing. Go and download PowerTools or Regcleaner from this site:
http://www.vtoy.fi/jv16/shtml/software.shtml
If you have installed it, do a registry clean.
Regards,
Patrice
jmiller
April 23rd, 2003, 04:01 AM
yea...no files in my docs folder
and i submitted the file to help all i could...
thanks ;D
Jooske
April 23rd, 2003, 04:06 AM
And are you both sure if you click in TDS > System analysis > Autostart explorer ; there is nothing suspicious in that one?
And if you look at the other options and tabs, nothing there either? system files, startup folders, service drivers?
jmiller
April 23rd, 2003, 04:08 AM
checked registry entries with power tools and only found one i don't know about
author software
C07ft5Y WinXp
does this help? ::)
jmiller
April 23rd, 2003, 04:10 AM
i am unsure of the autostart processes...there is too much there i don't know about...i have scanned with the other tools and found nothing except with the trace scan
Patrice
April 23rd, 2003, 04:15 AM
Hi jmiller!
Have you used TDS-3 Process List (Ctrl-O). If not, please do so and tell us all the processes you have there!
Best regards,
Patrice
P.S. You can delete all the registry entries which the tool registry cleaner of PowerTools shows you are safe to delete.
WasNotMe
April 23rd, 2003, 04:18 AM
TYPO ? Are You sure ?
Lasaa.exe
Traffic virus marketing warrior
adds permissions to TEMPDB every time computer starts
just mentioning
Jooske
April 23rd, 2003, 04:20 AM
For the Autostart: that's a reason more why i try to keep it as small as possible, so i see changes sooner :)
You might like to get the free AutostartViewer at the DCS site too, to see the startups, as it gives the registry key beside the process so it might give some better indication.
And that one you can save to a txt file for more study.
As you say you see the nasty only as a trace scan: have you been infected and could this be part of a not completely removed infection? Then it can be really hard to find it, so wait for the lab results and possible recommendations on what to do next.
If you could be clean after deleting, disable the system restore or it comes back with the next reboot; afterwards enable the system restore again and manually make a new restore point if you know you are clean.
Might help here too!
jmiller
April 23rd, 2003, 04:25 AM
all right...here are the running processes:
c:\windows\system32\smss.exe
\winlogon.exe
\services.exe
\lsass.exe
\svchost.exe
\svchost.exe
\spoolsv.exe
c:\program files\tools\smc.exe (my firewall)
\alwil software\avast4\aswupdsv.exe
\alwil software\avast4\ashserv.exe
\alwil software\awast4\ashdisp.exe
c:\progra~1\alwils~1\avast4\ashmaisv.exe
c:\windows\explorer.exe
c:\windows\wanmpsvc.exe
c:\program files\internet explorer\iexplore.exe
c:\opfor\tds-3.exe
c:\windows\msagent\agentsvr.exe
all right...thats the lot of em...
:P
Jooske
April 23rd, 2003, 04:30 AM
If that \lsass.exe is the real original one and no typo this time there seems nothing suspicious.
In the meantime looked for the worm.coronex, could not find info in the trojan/worms area, maybe Gavin can explain more.
Patrice
April 23rd, 2003, 04:33 AM
Mhh... nothing suspicious so far... If you are unsure about such processes go here:
http://www.pacs-portal.co.uk/startup_pages/startup_a.php
Or just right click in Windows Explorer on the file and check it (properties).
That's funny in a way. :P Did you already do a whole system scan with your Avast-Software?
Greetings,
Patrice
jmiller
April 23rd, 2003, 04:36 AM
i have not used my avast antivirus since my resident program did not detect the trojan/worm...should I?
Patrice
April 23rd, 2003, 04:38 AM
Well, give it a try. But first update it (if you haven't done that so far).
Greeting,
Patrice
jmiller
April 23rd, 2003, 04:41 AM
all right...i am going to scan my system completely with both tools tds3 and avast...thanks for all the help and support and i will post anything interesting later...gnight all... 8)
Patrice
April 23rd, 2003, 04:42 AM
Hi jmiller!
Just got some thoughts about this issue here:
Quote from jmiller:
C:\My Downloads\Unreal 2: The Awakening (full).exe
Start the regedit again and search for the following strings:
-unreal
-awakening
-Downloads (check what registry entries you have here)
-corona
Best regards!
Patrice
Pieter_Arntz
April 23rd, 2003, 04:45 AM
Maybe this will help in tracking it down:
http://www.sarc.com/avcenter/venc/data/w32.coronex@mm.html
You will have to copy and paste the link because of the @.
Regards,
Pieter
Patrice
April 23rd, 2003, 04:51 AM
Good link Pieter! :D
jmiller, search your whole hard disk for corona.exe
Regards,
Patrice
Jooske
April 23rd, 2003, 05:05 AM
Thanks a lot Pieter, strange that googling just for coronex didn't give any proper results. The list is incomplete, as "the awakening (full)" was not in that list of game names :)
So jmiller, to you the honour of being unique till now.
I'm shocked to see the infected file can grow to 270mb! Hope that will never be the size it's trying to attach for resend (not, as far as i read the description, but imagine!)
Pieter_Arntz
April 23rd, 2003, 05:17 AM
Dumb luck Jooske. :)
I stumbled upon a thread on a Dutch forum posted by Geeske about this worm and put two and two together. (5, right?)
It is on the list though, third from the bottom:
Unreal 2: The Awakening (full).exe
Regards,
Pieter
Gavin - DiamondCS
April 23rd, 2003, 05:46 AM
Glad you haven't been infected with this one..
Does the trace alarm go away when you update the databases and run a trace scan again ? It must be that this is a trace scan bug, there is one other we know of :(
jmiller
April 23rd, 2003, 06:05 AM
all right, back again.
did a complete system scan with tds3 updated
scanned with avast updating is automatic
and still only trace scan from tds3 registers the worm
my documents is still showing nothing in it, even checked properties and show zero kb
checked the symantec site and looked in regedit under the appropriate strings and did not find the keys that were in the internet explorer or the windows boxes...
did a complete search of harddrive "c" for corona.exe: did not find anything....
also...i sent the file trace to tds by right-clicking the worm in the alarm section of tds but i got a message from them saying nothing was sent?
and why doesn't the file show in my documents?
it's like a ghost.... :o
thanks again for all the help :P
Jooske
April 23rd, 2003, 06:17 AM
Now i'm thinking, connecting all the messages and Gavin's explanation....... possibly nothing there and no more alarm after today's update?
Patrice
April 23rd, 2003, 06:22 AM
Yep, now it's up to DCS to help you!
I would deinstall and reinstall TDS-3 to see if it solves the problem. But perhaps this isn't necessary. Let's wait for the answer of DCS.
jmiller
April 23rd, 2003, 06:23 AM
the alarm is still there:
File Trace: Default trojan filename
Possibly Worm.Coronex - submit
C:\My Downloads\Unreal 2: The Awakening (full).exe
i delete it and it comes back...
i submitted it and it hasn't been sent?
maybe it is a ghost.... :o
i will be back tomorrow(later today) with an update of my situation...
thanks
;)
Paul Wilders
April 23rd, 2003, 07:50 AM
Quote: "c:\windows\system32\smss.exe"
IMO this one could - possibly - be the culprit. If my memory serves me right, this .exe can be used as a very nasty devil in disguise, detected approx February 2003. I'll drop DCS an email with specs and where to get it.
regards.
paul
FanJ
April 23rd, 2003, 07:50 AM
Hi,
I just received a warning from Sophos:
http://www.sophos.com/virusinfo/analyses/w32coronexa.html
Description
W32/Coronex-A is an internet worm which emails itself to every contact in the Windows address book.
The email characteristics vary depending upon the current day of the week, as follows:
---snip by FanJ (see that Sophos page !)---
When first run, the worm displays a message box with the text "SARS Virus, corona virus", copies itself to the Windows folder as Corona.exe and creates the following registry entry so that corona.exe is run automatically each time Windows is started:
http://www.wilderssecurity.com/attachments/Corona_worm_2003_04_23.gif
The worm copies itself to the C:\My Downloads folder using 1 of the 24 filenames listed below, depending upon the current hour of the day:
Age Of Mythology.exe
Battlefield 1942 (full).exe
Black Hawk Down (full).exe
Command & Conquer: Generals.exe
Cossacks Full Version.exe
Dark Age of Camelot.exe
Doom 3.exe
Grand Theft Auto 3 (full).exe
Jedi Knight II.exe
Master Of Orion 3.exe
Medel Of Honor: Allied Assault.exe
Oni full.exe
Quake 3 Full Version.exe
Rainbow 6 Full.exe
Return to Castle Wolfenstien (Full).exe
Starcraft full.exe
The Lord of the Rings.exe
The Sims: Unleashed.exe
Tribes 2 (full).exe
Ultima Online.exe
Unreal 2: The Awakening (full).exe
Unreal.exe
Warcraft III Full.exe
White and Black.exe
When run with a -A command line switch (i.e. on startup), the worm runs continuously in the background and emails itself when the time is 1 minute past any hour.
The worm also changes the start page for Microsoft Internet Explorer by setting the registry entry
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
---deleted by FanJ---
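Added example, not code from the thread, from DiamondCS or from Sophos: a small Python triage helper that checks a trace-scan alert against the indicators in the Sophos description quoted above and reports "unverified" when, as in this thread, the flagged file is not on disk and nothing else on the host matches the worm's footprint. The file and registry snapshots, the start-page baseline and the Run key path used in the sample are constructed assumptions (the real autorun entry was only shown as an image).

```python
import ntpath
from dataclasses import dataclass, field

# The 24 drop-file names quoted from the Sophos description (spelling as listed).
CORONEX_DROP_NAMES = {name.casefold() for name in (
    "Age Of Mythology.exe", "Battlefield 1942 (full).exe",
    "Black Hawk Down (full).exe", "Command & Conquer: Generals.exe",
    "Cossacks Full Version.exe", "Dark Age of Camelot.exe", "Doom 3.exe",
    "Grand Theft Auto 3 (full).exe", "Jedi Knight II.exe",
    "Master Of Orion 3.exe", "Medel Of Honor: Allied Assault.exe",
    "Oni full.exe", "Quake 3 Full Version.exe", "Rainbow 6 Full.exe",
    "Return to Castle Wolfenstien (Full).exe", "Starcraft full.exe",
    "The Lord of the Rings.exe", "The Sims: Unleashed.exe",
    "Tribes 2 (full).exe", "Ultima Online.exe",
    "Unreal 2: The Awakening (full).exe", "Unreal.exe",
    "Warcraft III Full.exe", "White and Black.exe",
)}
DROP_DIR = r"C:\My Downloads"
# Start-page value the description says the worm rewrites.
START_PAGE = r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"


@dataclass
class Triage:
    verdict: str                 # "corroborated" or "unverified"
    findings: list = field(default_factory=list)


def triage_alert(alert_path, files, registry, windows_dir=r"C:\Windows",
                 expected_start_page=None):
    """Check one trace-scan alert against the Coronex indicators.

    files    : iterable of full paths present on disk (a snapshot).
    registry : dict mapping 'KEY\\ValueName' -> data (a snapshot).
    'unverified' means the flagged file is not on disk and nothing else
    on the host matches the worm's footprint (what this thread saw).
    """
    present = {p.casefold() for p in files}
    findings = []

    # 1. Does the flagged file exist at all?  In the thread it did not.
    on_disk = alert_path.casefold() in present
    if not on_disk:
        findings.append("flagged path is not present on disk: " + alert_path)

    # 2. Is the flagged name one of the worm's drop names in C:\My Downloads?
    folder, name = ntpath.split(alert_path)
    if folder.casefold() == DROP_DIR.casefold() and name.casefold() in CORONEX_DROP_NAMES:
        findings.append("filename matches a Coronex drop name under " + DROP_DIR)

    # 3. The worm copies itself to the Windows folder as Corona.exe.
    has_corona = ntpath.join(windows_dir, "Corona.exe").casefold() in present
    if has_corona:
        findings.append("Corona.exe present in " + windows_dir)

    # 4. Autorun: the exact key was only shown as an image in the thread, so
    #    flag any registry value whose data references corona.exe instead.
    autorun = [k for k, v in registry.items() if "corona.exe" in str(v).casefold()]
    for key in autorun:
        findings.append("registry value references corona.exe: " + key)

    # 5. Start-page tampering, judged against a baseline the caller supplies
    #    (assumption: the caller knows the legitimate start page).
    start = registry.get(START_PAGE)
    tampered = (expected_start_page is not None and start is not None
                and start != expected_start_page)
    if tampered:
        findings.append("IE start page changed to " + str(start))

    corroborated = on_disk or has_corona or bool(autorun) or tampered
    return Triage("corroborated" if corroborated else "unverified", findings)


def demo():
    """Two constructed snapshots: the thread's 'ghost' alert and a real hit."""
    alert = r"C:\My Downloads\Unreal 2: The Awakening (full).exe"
    clean_files = [r"C:\Windows\system32\smss.exe", r"C:\Windows\explorer.exe",
                   r"C:\opfor\tds-3.exe"]
    clean_reg = {START_PAGE: "about:blank"}
    ghost = triage_alert(alert, clean_files, clean_reg,
                         expected_start_page="about:blank")

    # Constructed infected host: drop file, Corona.exe and an autorun value
    # (the Run key path is a sample; the real one was only shown as an image).
    infected_files = clean_files + [alert, r"C:\Windows\Corona.exe"]
    infected_reg = {
        START_PAGE: "http://changed.example/",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Corona":
            r"C:\Windows\Corona.exe -A",
    }
    hit = triage_alert(alert, infected_files, infected_reg,
                       expected_start_page="about:blank")
    return ghost, hit


if __name__ == "__main__":
    for result in demo():
        print(result.verdict, *result.findings, sep="\n  ")
```

An "unverified" result is the cue to submit the alert to the vendor rather than to start cleaning, which is how this thread ended up being resolved.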
Paul Wilders
April 23rd, 2003, 07:58 AM
Nice catch, Jan!
regards.
paul
Jooske
April 23rd, 2003, 08:22 AM
I notice even though the pages you both posted and newsgroup discussions about this nasty exist loud and clear, pasting the coronex or any complete name in google doesn't give any results any more, while before one just needed to name any nasty, and in some cases adding trojan or worm or virus to that would bring the valid search results.
I noticed in more cases google doesn't give this kind of wanted information so i really hope they're not cutting down their once fabulous service. Will try copernic now even though i don't really like that one.
The sophos info is about identical to the symantec one; on that page it says it was only discovered 21 April and the page written 22 April, so it is a rather new nasty.
Wondering why it keeps coming back, unless you have to deal with cleaning - disable system restore - reboot - enable system restore - make a new restore point manually and it should really be gone.
I'm running a FSS now myself, did one too yesterday with the other update and had no alarms of that one; today with yesterday's and today's updates ran trace scans several times and did not get that alert anywhere. So ............ hmm
Could more people please run the trace scan and see if anything suspicious jumps up?
FanJ
April 23rd, 2003, 08:39 AM
Quote from Paul Wilders (Forum Admin):
Nice catch, Jan!
regards.
paul
Thanks Paul, but:
The honour goes to Pieter !!! ;)
spy1
April 23rd, 2003, 09:19 AM
Yeah, I'm getting it, too (since yesterday).
Still got it after doing this mornings' scan with the latest DB. (See screenshot).
Jooske
April 23rd, 2003, 09:42 AM
Hey Pete, that is surprising!
Thanks for your alert! Yours is at least telling it was submitted, so Gavin has proof now i hope if the file was not empty.
Could it be some systems are affected by this and others not? (like win98se ?)
spy1
April 23rd, 2003, 09:55 AM
Hi, Jooske!
The only reason I tried to send it in again this morning was because I had the same situation as jmiller - DCS never got anything when I sent it to them yesterday.
I went through the same procedure as jmiller (looking for "corona.exe" - nope, not here - looking for the registry key indicated in the Sophos description - don't have it, sorry - homepage was never hi-jacked (three different programs aboard to prevent that anyway! :) ).
I notice also that it's always detected as the "Unreal2: The Awakening (full).exe" - the name doesn't change as indicated by Sophos according to the hour of the day.
I'm pretty much leaning towards this as being a false positive, possibly caused by a plain-text sig that's "hitting" on either "corona.exe" (are there any other programs than the malware one that use that?) or "Unreal2.." itself. Pete
*I guess I need to go into my son's profile on here and scan from there, too, though.
MarkRaa
April 23rd, 2003, 10:17 AM
Yep, it remains on my computer as well...
I've searched my whole hard disk for corona.exe -- comes up with nothing.
Ran a complete scan with TDS-3....continues to identify it being there and all attempts to delete with TDS fail.
I ran a full scan (deep) with the latest NOD-32 - nothing detected and the AMON memory monitor by NOD continues to find nothing as well!
Submitted the file to TDS through the program - can't find it in folders to submit any other way.
MarkRaa
April 23rd, 2003, 10:52 AM
Searched Registry...
Negative
You Wrote to the other fellow:
Just got some thoughts about this issue here:
Quote from: jmiller on Today at 02:46:01am C:\My Downloads\Unreal 2: The Awakening (full).exe
Start the regedit again and search for the following strings:
-unreal
-awakening
-Downloads (check what registry entries you have here)
-corona
Best regards!
Patrice
Jooske
April 23rd, 2003, 10:56 AM
Let's keep it on a false positive bug for the moment as nothing was found on your system and of al the others.
MarkRaa
April 23rd, 2003, 11:18 AM
I'm not so sure...
The other day, someone who received a file from me, a real audio (.ram), stated their anti-virus indicated it had a virus, although it didn't identify it. I thought their antivirus might be simply mis-identifying a real audio .ram file as a virus.
Since I run NOD-32, latest version and it scans ALL incoming & outgoing files, I assumed they were mistaken but now I'm beginning to wonder.
Especially with the information I read at:
http://www.sophos.com/virusinfo/analyses/w32coronexa.html
If this is a false positive, why are there only two of us reporting it?
Jooske
April 23rd, 2003, 11:39 AM
Three by now, SPY1 too.
Did the other person tell which file it was, and did you scan it with TDS with every scan option checked and the worm slider on highest sensitivity?
Do you keep copies of your sent mail? Might be worth doing so if not, and save a few outgoing emails in another folder outside the email client for deep scanning.
I still wonder if maybe only Windows XP could be affected here? I run win98se and no alerts, not yesterday and not today outside my test files.
The database is surely growing, with older files now alerted on with possible new names than before.
FanJ
April 23rd, 2003, 11:47 AM
Did a full system scan with today's Radius on my W 98 SE:
nothing found.
Jooske
April 23rd, 2003, 12:17 PM
Thanks Jan, neither on my win98se; also not with a separate trace scan.
Hope this info helps Gavin to locate what's happening.
MarkRaa
April 23rd, 2003, 12:21 PM
Full system scan with today's Radius on my W XP Pro:
ALERT: Continues to show:
File Trace: Default trojan filename: Possibly Worm.Coronex - submit
File: C:\My Downloads\Unreal 2: The Awakening (full).exe
Deep Scans against individual files continue to show NEGATIVE and can find nothing in the registry whatsoever that's related.
spy1
April 23rd, 2003, 12:36 PM
Well, TDS has to be picking it up from somewhere - doesn't it?
I'm still doing "Searches" on different keywords - so far all I've found is two references to "awakening" in TDS's logs. Pete
Patrice
April 23rd, 2003, 01:08 PM
Hi Paul!
Quote from Paul Wilders (Forum Admin):
Quote: "c:\windows\system32\smss.exe"
IMO this one could - possibly - be the culprit. If my memory serves me right, this .exe can be used as a very nasty devil in disguise, detected approx February 2003. I'll drop DCS an email with specs and where to get it.
regards.
paul
Sorry, but this is a system process:
Process File: smss or smss.exe
Process Name: Session Manager Subsystem
Description: The Session Manager Subsystem initializes system environment variables, MS-DOS devices names such as LPT1 and COM1, loads the kernel for the Win32 subsystem, and starts the Windows Logon Process
Common Errors: N/A
System Process: Yes
I wouldn't delete it, would damage your system.
Best regards!
Patrice
testg
April 23rd, 2003, 02:13 PM
I don't know if anyone has already mentioned it, but have you guys tried scanning for it, or at least searching for the .exe, in safe mode? Or booting off an NTFSDOS disk and searching for it there?
Cheers,
Pieter_Arntz
April 23rd, 2003, 02:26 PM
Hi all,
Just scanned my XP computer. No Worm.Coronex found.
Just one dialer, that was recently added to the definitions, in my Restore folder. ;)
Regards,
Pieter
Jooske
April 23rd, 2003, 02:33 PM
That safe mode sounds interesting for a try.
Was not mentioned yet.
NTFS files...... thought it could explain why it was not on win98se systems, but now i can think it could be Dutch Windows versions are not affected, maybe.
Did you locate them with TDS on your systems?
The Snowman
April 23rd, 2003, 02:34 PM
Greetings....don't usually comment at this forum so feeling out of place....but will offer some info
several months ago I experienced the same behavior as mentioned in this thread...after installing a legal program..
no matter what measures taken a particular listing continued to re-insert itself....(I consider this trojan behavior)
after much researching into the os.....several listings were located (all the same name).....in:
Registry
outlook express DBX folders
ssmenu folder
a "wipe" of the registry entry at first glance appeared to remove the entry....only to have it return again later
the outlook express "entries" ..same results/lack of
ssmenu..appeared as the "main home" of the bug
numerous means of removal proved useless...all listings would show as removed....and just return later.......
tools such as: Regcleaner.....Xcleaner...Spybot....an encryption .....all useless.....the bug would be removed and just return again....oops, should have mentioned that the program that inserted the bug had long been removed from the os when the above results/lack of resulted.....I hit that thing with just about every known means of removal...over and over for three months....failing to remove it each time....finally came time for my routine reformat...which of course did remove it.
my reason for mentioning this is because as has been reported "nothing" is being sent to the TDS people....when users attempt to do so.........and if the bug in question here in this thread is like the one I had..."nothing" will ever be sent to TDS because there is nothing to send.....its just an entry....no actual file..no actual exe....just an entry in the folders/registry........but in spite of not "being there" that darn thing would become active.....made my os un-stable..monitor shimmered (which is how I could tell when the bug re-entered itself) anyone who ever had a monitor overheat would understand
never had I experienced anything of the nature of that bug...in fact I experimented on trying to remove it...did everything....changed D value...edited dbx files..ssmenu(even in safe mode....
make no mistake...in my case the bug was trying to call home (blocked of course) my guess is that the bug was meant to be an automatic update feature of the program that was installed.....best I can offer......good luck (oh, the bug was not listed by the same name as the installed program)
spy1
April 23rd, 2003, 03:33 PM
Quickly: I've right-click scanned everything in "My Downloads" folder with TDS, NOD and SpyCop (individually).
(And this was after thoroughly deleting all excess garbage by first running SBS&D, ADIOS! and the freeware XCleaner and re-starting).
Nada.
Message is still showing in TDS when I fire the program up, though.
Oh, if it helps, I'm running NTFS here, too.
And I'm not using System Restore - haven't been for quite awhile.
Gotta get to work. Haven't had a chance to check out my son's profile yet.
Later. Pete
The Snowman
April 23rd, 2003, 03:49 PM
Spy 1
Pete, my other post must sound weird....don't quite know how to properly explain the exploit I experienced trying.
Check the ssmenu...for what...can't say..you will have to use notepad and just go through the entries looking for something odd/ a real hassle....one thing is certain..if this is anything like what I had TDS will continue to alert......
Wayne, Gavin or Paul may be able to understand by their experience what I am trying to explain here. The bug simply can't be cleaned.......cause the ssmenu is in constant use..(if the bug is located there) even in safe mode the ssmenu is in use by the system...by design changes will be prevented........
hope you find the solution...this is above me so just offering what I can..which may be nothing worth while.....in my case both spybotsd and xcleaner showed the bug in "start-up programs".......msconfig also showed it...gone then re-appearing
snowy
The Snowman
April 23rd, 2003, 03:52 PM
Having mention using notepad to check ssmenu...thing is..even if you locate the bug....it may be a waste of time unless someone here knows how to clean the ssmenu..I don't. LOL
Jooske
April 23rd, 2003, 04:22 PM
Googled for you, but don't find much; could this do the trick?
"Instead of booting to DOS with a bootdisk, in a DOS window use this
command: regsvr32.exe /u ssmenu.dll then reboot and delete the file." Suppose that could be done in the Start > run that command too to unregister it.
I don't know if the thing can be deleted without damaging your system and where it comes from?
The Snowman
April 23rd, 2003, 05:00 PM
Jooske
wasn't sure if your post was intended for me or Pete....in my case I reformatted weeks ago....which resolved the problem.
But you made good suggestions....at first I thought the exploit was a boot virus so installed several boot virus anti-virus programs.........nope, no good........did a scanreg/fix without any good results on the exploit......can't count how many ways I hit that bug......and learned humility in the end and reformatted.........
In the past nothing ever got past my security....nothing has since.......the bug was a first and hopefully last.........I don't think it was meant to be harmful but it was in that it drained resources..(like a DoS) hammering to call home.
Locating the bug was not a problem....getting rid of it was. Perhaps of interest..my guess is that the bug can only enter the os by some install of a program....the bug itself was extremely small...contained a url......which led me to the software vendor.....under another name..further research revealed both companies were one and the same. I won't mention vendor names so as to prevent it from appearing as a flame......the company for all purposes provides good products and may not even be aware of the exploit....(I don't use e mail so didn't contact the vendor)
Hope I haven't intruded here......nothing I said may be even remotely related to the issue at hand but always offer a helping hand when I possibly can.
snowy
The Snowman
April 23rd, 2003, 05:11 PM
one final thought.....just a thought......a person could install script defender......enter "exe" in the intercepts....re-start the computer.....an every "exe" will need user permission to load......possible to "abort" the bug.......that may reveal the registry entry....may even abort the bug......as stated just a thought. Obviously the bug will still need to be cleaned/removed but the info needed to do so may be revealed.
jmiller
April 23rd, 2003, 08:26 PM
just a note to all
i uninstalled tds and then reinstalled and the bug did not show with a complete scan...it is only after i updated the program that the bug showed in the trace scan...as a noobie to comp. security i would like to remove and prevent this from happening again...
i read the previous posts and i will wait to proceed...
thanks for all.... :D
Gavin - DiamondCS
April 23rd, 2003, 11:22 PM
Ok ignore this one, we've found a trace bug with certain traces that can cause this possibility.. won't happen again I hope :)
Jooske
April 24th, 2003, 01:31 AM
Snowy, if you have WormGuard you can use that in the same ways, and you could block that specific file from ever executing at all.
The other command i gave is to unregister the dll so it can't do anything and you can delete it or maybe need a reboot first to be able to.
You must have learned a lot from all this and prevent a complete reformat with your knowledge.
What i found about the thing you mentioned is that it did come with an install so if you remember with which program you'll probably not install that one again!
Anyway, the problem here with the TDS trace scan find has been solved as Gavin just posted, so looking forward to people's experiences with tonight's updated scan.
It must have been in very specific conditions and systems as there were so few reports.
spy1
April 24th, 2003, 09:46 AM
Snowman - Thanks for the input, my friend! Guess it was a "ghost" after all. Pete
The Snowman
April 24th, 2003, 02:24 PM
Spy 1
always most willing to assist you in any way...cause thats what friends do.......how do the kids say it "got your back" LOL
**************
Jooske
The suggestions you made were certainly great....will definitely keep them in mind. But hey, I am just a struggling newbie that knowledge evades....but a country boy can survive LOL
Wormguard is a great product.....so is TDS...in all honesty.. I never planned on using computers...honestly....was just curious...purchased one...an here it is years later...an still not sure if I want to use computers.......hmmmmm, looks like a guy who can't make a decision.......there goes my business.
all kidding aside.....Jooske due to my prolonged illness the past year I put off lots of things...installing software..home maintenance....etc., its been a real struggle Jooske....and with the grace and help of my higher power someday soon perhaps my life will "go back on line"
My compliments to the TDS folks...for resolving that issue so quickly.........
Jooske
April 24th, 2003, 03:57 PM
Time to make sure you're msagent ready, speakers loud and play the InnerPeace script which shipped with TDS.
HA!! Security can be so much fun!
Our security guys from DCS must be celebrating their sacred ANZAC Day by now, being half a day ahead, sooooo let's see into it to keep our systems tiptop! And go celebrate, there's always a reason!
konyntje
April 24th, 2003, 09:24 PM
For what it's worth....After using TDS to scan the C: drive today the exact same message as reported by Spy1 showed up as an alert. Couldn't submit it due to some internet connection problems, so I deleted it. A re-boot and re-scan with TDS gave a clean bill of health. TDS/WormGuard/NOD32 all active on the system (XP-SP1) prior to doing the first scan. Must have been a false positive?
Jooske
April 25th, 2003, 01:37 AM
Hi Konyntje, did you update the radius before the first scan mentioned here or after that? There was a little bug Gavin mentioned, repaired in the later updates.
konyntje
April 26th, 2003, 01:45 AM
Hi Jooske,
I updated after my first scan.
I didn't have any anti-trojan software on my old machine - 133MHz, Windows 95. TDS is the first and only trojan tool I've ever used on my new machine, and this is the first time it's ever raised an alert - false positive or not; scared the livin' *bleep* outta me. LOL
...You guys do a great job here.
Jooske
April 26th, 2003, 03:22 AM
Congratulations with your new machine then! Must be quite a difference! Feeling a bit proud and happy you first give TDS all space to start your security experience. (of course!) May it be a happy road you walk together.
It was a little bug, which was solved in later versions of the radius database, so nothing to worry about anymore.
If that was the only alert i congratulate you with your clean system, and please keep it that clean.
The DCS guys have a whole arsenal for fighting trojans and worms, in which they are the specialists plus registry protection.
In the forums here and at DCS we love to help you with that.
Further we recommend special virus fighting products which are not in the DCS toolkit, spyware detection, firewalls, etc, walk through the forums with growing surprise and the will to get the best for your personal needs.
For TDS i start it manually after reboot --on your XP you can have it in the autostart and delay it a bit to start nicer if you like. I configured it with all possible tests checked and the tests themselves also with every option on and on highest sensitivity. So it does take a little more time but i hope all is found if there were.
new user
April 29th, 2003, 10:45 PM
Hi
Did you try to create another folder on your HD,
let's say called Test, and copy/move all files from the c:\downloads folder, then delete/rename the original folder with that unreal file stuff, then scan again with TDS?
Jooske
April 30th, 2003, 12:38 AM
Hi New User, for what purpose?
Did you do so and experience anything special?
The trace result exception has been solved if you refer to that.
Copyright ©2002 - 2012, Wilders Security Forums