Can't remove Acid Shivers Trojan

Discussion in 'Trojan Defence Suite' started by Mike Smith, Apr 30, 2003.

Thread Status:
Not open for further replies.
  1. Mike Smith

    Mike Smith Guest

    Hello,

    Running AMD Athlon 1600
    Dual Win98/2000
    TDS-3 Pro (Eval) no update
    Installed on the 2000 machine

    I ran TDS and it found:

    Scan Control Dumped @ 17:20:17 30-04-03
    (Deleted) RegVal Trace: Acid Shivers/Acid Battery/Acid koR/RAT.RAT: HKEY_LOCAL_MACHINE
    File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Explorer=d:\winnt\system\expl32.exe]

    I deleted it, but every time I restart my computer it returns.
    Did some work and manually found the tour98.exe and deleted it (it was located on the Win98 HDD); that still did not solve the problem o_O

    Any help would be nice.
    Thanks for your time
    Mike
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Please send the file EXPL32.EXE in; this looks like a GT Bot variant. submit@diamondcs.com.au

    Kill the process (TDS Process List, Ctrl+O) and manually delete the registry entry from Autostart Explorer. I will email you back quickly regarding the trojan file.
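    The order Gavin gives matters: a running trojan can re-create its Run value, so killing the process before deleting the value is what makes the deletion stick. The following is an added example, not code from this thread or from DiamondCS: it parses TDS-3 "Scan Control" dump lines in the shape Mike posted and flags Run-key entries that deserve a second look, such as a value named "Explorer" that launches expl32.exe out of \winnt\system instead of \winnt\system32. The record layout is inferred from the two dumps quoted above; the third (benign, ctfmon) record and the triage heuristics are constructed here for illustration, and a flag is a prompt to submit the file, not a verdict.

```python
"""Parse TDS-3 "Scan Control" dump lines and triage Run-key autostart entries.

Added example, not code from the thread or from DiamondCS. Dump layout is
inferred from the two dumps quoted in the thread; the third record and the
triage heuristics below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the two dumps quoted in the thread plus one benign
# Run entry (ctfmon.exe) made up here to show a non-suspicious result.
SAMPLE_DUMP = r"""
Scan Control Dumped @ 17:20:17 30-04-03
(Deleted) RegVal Trace: Acid Shivers/Acid Battery/Acid koR/RAT.RAT: HKEY_LOCAL_MACHINE
File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Explorer=d:\winnt\system\expl32.exe]
Scan Control Dumped @ 15:19:27 01-05-03
Positive identification <Adv>: Possible WebDownloader
File: c:\program files\online services\msn50\msnboot.exe
Scan Control Dumped @ 15:20:00 01-05-03
RegVal Trace: Constructed benign entry: HKEY_CURRENT_USER
File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ctfmon=C:\WINNT\system32\ctfmon.exe]
"""

# Where a Run-key image is expected on Win2000. \winnt\system (no "32") holds
# 16-bit leftovers and rarely hosts a legitimate autostart (heuristic).
EXPECTED_IMAGE_DIRS = ("\\system32\\", "\\program files\\")

# Value names that mimic well-known system binaries and the image each implies.
MASQUERADE_NAMES = {"explorer": "explorer.exe", "svchost": "svchost.exe",
                    "lsass": "lsass.exe", "winlogon": "winlogon.exe"}


@dataclass
class Finding:
    timestamp: str
    verdict: str = ""
    deleted: bool = False            # TDS prefixed the verdict with "(Deleted)"
    hive: Optional[str] = None       # HKEY_... named at the end of the verdict
    location: str = ""               # file path, or registry key for RegVal traces
    value_name: Optional[str] = None  # Run value name (RegVal traces only)
    image_path: Optional[str] = None  # executable the Run value launches


def parse_dump(text: str) -> List[Finding]:
    """One record per 'Scan Control Dumped' header: a verdict line, then a
    'File:' line holding either a path or 'key [name=image]'."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"Scan Control Dumped @ (\S+ \S+)$", line)
        if header:
            current = Finding(timestamp=header.group(1))
            findings.append(current)
            continue
        if current is None:
            continue  # text before the first header is ignored
        if line.startswith("File: "):
            location = line[len("File: "):]
            regval = re.match(r"(.*?) \[(.+?)=(.+)\]$", location)
            if regval:
                current.location, current.value_name, current.image_path = regval.groups()
            else:
                current.location = location
        elif not current.verdict:
            if line.startswith("(Deleted) "):
                current.deleted = True
                line = line[len("(Deleted) "):]
            hive = re.search(r":\s*(HKEY_\w+)$", line)
            current.hive = hive.group(1) if hive else None
            current.verdict = line
    return findings


def triage_run_entry(f: Finding) -> List[str]:
    """Reasons a Run-key entry deserves a look; empty list means nothing odd.
    Heuristics only: the analyst still submits the file for a real verdict."""
    reasons: List[str] = []
    if f.image_path is None or "\\currentversion\\run" not in f.location.lower():
        return reasons
    path = f.image_path.lower()
    if not any(d in path for d in EXPECTED_IMAGE_DIRS):
        reasons.append(f"image outside System32/Program Files: {f.image_path}")
    basename = path.rsplit("\\", 1)[-1]
    expected = MASQUERADE_NAMES.get((f.value_name or "").lower())
    if expected and basename != expected:
        reasons.append(f"value '{f.value_name}' mimics {expected} but launches {basename}")
    return reasons


def suspicious_run_entries(text: str) -> List[Tuple[Optional[str], Optional[str], List[str]]]:
    """(value_name, image_path, reasons) for every flagged Run entry in a dump."""
    flagged = []
    for f in parse_dump(text):
        reasons = triage_run_entry(f)
        if reasons:
            flagged.append((f.value_name, f.image_path, reasons))
    return flagged


if __name__ == "__main__":
    for f in parse_dump(SAMPLE_DUMP):
        print(f.timestamp, f.verdict, "(deleted)" if f.deleted else "", sep=" | ")
        for reason in triage_run_entry(f):
            print("   !", reason)
```

    Run it against a pasted dump file to get the same two flags Mike's first dump produces (image outside System32, and a value name that mimics Explorer but launches expl32.exe); the msnboot.exe finding carries no Run entry and is passed through unflagged, consistent with Gavin's later reply.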
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Mike, I see in your description "TDS-3 eval, no update". You did a manual radius update from the website, I hope?
     
  4. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    lol, what the hey, I mention that old trojan in my post; what did you do, read my post and grab it? lol

    Strange part is, TDS was supposed to be the first one back in the day to kill this nasty, lol.
     
  5. Mike Smith

    Mike Smith Guest

    Hello, on my 98 box now. Wow, quick responses.

    First, Jooske: when I said TDS-3 no update, what I meant was I did not update the radius file. I simply downloaded TDS-3 and ran it.

    Second, Gavin: I can't find expl32.exe o_O I did manage to get rid of the trojan though :) . I had to go into my WINNT/system folder and delete some files I thought/hoped were bad. I found a lot. I did back up my system folder though; if you'd like it all, give me your e-mail and I will zip/tar it up for you and give it to you.

    Oh, btw, this all started when my ISP told me my box was probing on port 445.

    Oh, one last thing: I did a scan on my 98 box (i.e. using Win98) and it found this:
    Scan Control Dumped @ 15:19:27 01-05-03
    Positive identification <Adv>: Possible WebDownloader
    File: c:\program files\online services\msn50\msnboot.exe

    is this a false alarm?


    Thanks for all the help
    Mike
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi again Mike, make sure you go to the TDS site and get the latest radius update there (daily updates!) and put it in the TDS-3 directory, which will overwrite the existing one; (re)start TDS and you have the latest update included.
    Please do this before your scans.
    In a registered version it goes by button click or automated if configured that way.


    Could that msnboot.exe be the one from the channels for new IE users? Please scan again with a current radius update, and if it persists, then to make sure, you can submit the file to the TDS lab: submit@diamondcs.com.au
    We had discussions about the file a long time ago and detection was refined, so if it would now be flagged with a new radius file, I wonder... Better be sure.


    Did TDS alarm on the possibly bad files? Again, with the updated radius... Please run on highest sensitivity with every option checked.

    TDS does make a backup of the important system files too, fortunately, and copies them back in case of need.

    Trying to remember what port 445 is ... Microsoft-DS.
    You might like to get a Port Explorer eval too, to see your processes mapped to ports and outbound connections, so you might be able to find out what is causing those probes. In the registered full version you can go much deeper into that determination and block them, while with TDS digging deeper and getting rid of the nasties.

    Please tell us how it goes on both your systems!
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    MSNBOOT.EXE is totally legitimate, don't worry! :D

    Visit http://tds.diamondcs.com.au/index.php?page=update

    Grab the latest database and run a full scan :)
     