Can't remove Acid Shivers Trojan
Mike Smith
April 30th, 2003, 07:29 PM
Hello,
Running AMD Athlon 1600
Dual Win98/2000
TDS-3 Pro (Eval) no update
Installed on the 2000 machine
I ran TDS it found
Scan Control Dumped @ 17:20:17 30-04-03
(Deleted) RegVal Trace: Acid Shivers/Acid Battery/Acid koR/RAT.RAT: HKEY_LOCAL_MACHINE
File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Explorer=d:\winnt\system\expl32.exe]
Deleted it, but every time I restart my computer it returns :-\ .
Did some work and manually found the tour98.exe and deleted it (it was located on the win98 hdd), that still did not solve the problem ???
Any help would be nice.
Thanks for your time
Mike
Gavin - DiamondCS
April 30th, 2003, 11:58 PM
Hi,
Please send the file, EXPL32.EXE in, this looks like a GT Bot variant.. submit@diamondcs.com.au
Kill the process - TDS Process List (CTRL O) and manually delete the registry entry from Autostart Explorer.. I will email you back quickly with regards to the trojan file
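The Run value Mike quotes (an "Explorer" entry pointing at d:\winnt\system\expl32.exe) comes back on every reboot, which is the usual sign that another autostart or a still-running process re-creates it. A defender's way to confirm that is to export the Run key, delete the entry, reboot, export again and diff. The script below is an added example for this thread, not code from TDS or from anyone in the discussion; the two exports are constructed samples (only the expl32.exe value is taken from Mike's post, the other two values are made up), and the list of impersonated value names is a heuristic chosen here.

```python
"""Diff two `reg export` dumps of the HKLM Run key and flag entries that came back.

Assumed workflow (not described in the thread): export the Run key, delete the
suspicious value, reboot, export again, then run this over both dumps.
"""
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample exports. `reg export` writes REG_SZ data with doubled
# backslashes, which is reproduced here. Only the "Explorer" value is from the
# thread; "SystemTray" and "NvCplDaemon" are illustrative filler.
EXPORT_BEFORE_CLEANUP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="d:\\winnt\\system\\expl32.exe"
"SystemTray"="SysTray.Exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
'''

EXPORT_AFTER_REBOOT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"Explorer"="d:\\winnt\\system\\expl32.exe"
'''

# Value names that borrow the name of a core Windows component. Windows does
# not register these as Run values itself, so a Run entry using one is a
# disguise (heuristic assumed for this example, not an official list).
IMPERSONATED_NAMES = {"explorer", "winlogon", "svchost", "lsass", "csrss", "services"}

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_export(text):
    """Return {value_name: command} for the Run key found in a reg export."""
    entries = {}
    in_run_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line)
        if in_run_key and m:
            # undo the backslash doubling reg export applies to REG_SZ data
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def executable_path(command):
    """First token of an autostart command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious(name, command):
    """Reasons this Run value deserves a look; an empty list means none found."""
    reasons = []
    exe = PureWindowsPath(executable_path(command))
    if name.lower() in IMPERSONATED_NAMES:
        reasons.append(f"value name {name!r} imitates a Windows component")
        # a genuine component would run its own binary, not a look-alike name
        if exe.name.lower() != name.lower() + ".exe":
            reasons.append(f"claims to be {name} but runs {exe.name}")
    return reasons


def reappeared(before, after, deleted_names):
    """Deleted values that are present again after reboot with the same command."""
    return {n: after[n] for n in deleted_names
            if n in after and after[n] == before.get(n)}


def report(before_text, after_text, deleted_names):
    """List of (value_name, command, reasons) for everything worth investigating."""
    before = parse_run_export(before_text)
    after = parse_run_export(after_text)
    findings = []
    for name, cmd in reappeared(before, after, deleted_names).items():
        reasons = ["re-created after deletion and reboot: a running process "
                   "or a second autostart location is restoring it"]
        findings.append((name, cmd, reasons + suspicious(name, cmd)))
    for name, cmd in after.items():
        if name in deleted_names:
            continue
        reasons = suspicious(name, cmd)
        if reasons:
            findings.append((name, cmd, reasons))
    return findings


if __name__ == "__main__":
    for name, cmd, reasons in report(EXPORT_BEFORE_CLEANUP, EXPORT_AFTER_REBOOT, {"Explorer"}):
        print(f'"{name}" = {cmd}')
        for r in reasons:
            print("   -", r)
```

A value that survives the delete-and-reboot test points at whatever is still running (the process TDS lists, or a second autostart such as the win.ini or RunServices entries on the 98 side), which is why Gavin's advice to kill the process first, then remove the entry, matters.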
Jooske
May 1st, 2003, 03:34 AM
Mike, I see in your description TDS-3 eval - no update; you did a manual radius update, I hope, from the website?
Mr.Blaze
May 1st, 2003, 10:12 AM
lol what the hey, I mention that old trojan in my post, what, you read my post and grab it lol
strange part is TDS was supposed to be the first one back in the day to kill this nasty lol
Mike Smith
May 1st, 2003, 05:26 PM
Hello on my 98 box now. Wow quick responses.
First Jooske: when I said TDS-3 no update, what I meant was I did not update the radius file. I simply downloaded TDS-3 and ran it.
Second Gavin: I can't find expl32.exe ??? I did manage to get rid of the trojan though :) . I had to go into my WINNT/system folder and delete some files I thought/hoped were bad. I found a lot. I did back up my system folder though; if you'd like it all, give me your e-mail and I will zip/tar it up for you and give it to you.
Ohh btw this all started when my ISP told me my box was probing on port 445.
Ohh, one last thing: did a scan on my 98 box (i.e. using win98) and it found this
Scan Control Dumped @ 15:19:27 01-05-03
Positive identification <Adv>: Possible WebDownloader
File: c:\program files\online services\msn50\msnboot.exe
is this a false alarm?
Thanks for all the help
Mike
Jooske
May 1st, 2003, 05:42 PM
Hi again Mike, make sure you go to the TDS site and get the latest radius update there (daily updates!) and put it in the TDS-3 directory, which will overwrite the existing one, (re)start TDS and you have the latest update included.
Please do before your scans.
In a registered version it goes by button click or automated if configured that way.
Could that msnboot.exe be the one from the channels for new IE users? Please scan again with an actual radius update and if it persists, then to make sure you can submit the file to the TDS lab submit@diamondcs.com.au
We had discussions about the file a long time ago and detection was refined, so if it would now be there in a new radius file I wonder........ and better be sure.
Did TDS alarm on the possible bad files? Again, the updated radius....... Please on highest sensitivity and every option checked to be used.
TDS does make a backup of the important system files too, fortunately, and copies them back in case of need.
Trying to remember what port 445 is ... Microsoft-DS
You might like to get a Port Explorer eval too to see your processes mapped to ports and outbound connections, so you might be able to find out what is causing those probes. In the registered full version you can go much deeper into that determination and block them, while with TDS digging deeper and getting rid of the nasties.
Please tell us how it goes on both your systems!
Gavin - DiamondCS
May 2nd, 2003, 03:52 AM
MSNBOOT.EXE is totally legitimate, don't worry! ;D
Visit http://tds.diamondcs.com.au/index.php?page=update
Grab the latest database and run a full scan :)
Copyright ©2002 - 2012, Wilders Security Forums