Newbie questions! (<g>)

Discussion in 'Trojan Defence Suite' started by spy1, Mar 17, 2002.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Okay, just d/l'ed the trial version of TDS (would have purchased it outright - sight unseen - if it weren't for the fact that I had to make sure it wasn't going to conflict with anything already on this here WinMe computer).

    I'm confused about the radius update location. Since it's a trial copy, it won't update itself from the program - it tells me to go to here: http://tds.diamondcs.com.au/ , but when I do, I'm not seeing anything anywhere that tells me where the manual radius update location is (told ya'! newbie! lol!). Where's the manual update? (* Note: never mind, I found it: http://tds.diamondcs.com.au/radius.td3 )

    Also, should I allow it to 'Initialise Sockets' in Startup/Configuration?  Right now, I have that UN-selected.

    Other than that, I've got everything in the world checked that it will accept on the trial copy - does that sound like a good way to have it?

    I copied the scandump.exe to notepad and this is what it said:

    Scan Control Dumped @ 12:02:56 17-03-02
    Live trojan found (in process memory): RAT.Theef
     File: C:\WINDOWS\START MENU\PROGRAMS\STARTUP\COOKIEM.EXE

    Suspicious Filename: Dual extensions
     File: c:\program files\trillian-v0.725.exe

    I realize that the cookiem.exe is a false alarm, but what does the trillian entry mean? (Yes, I know it says it's got dual extensions, but what's the significance of that - if any?).

    Having quite a bit of fun with this, so far! Pete
     
  2. Liquid_Fish

    Liquid_Fish Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    81
    On the dual extension thing.

    Some bad guys try to hide a trojan by disguising it as another file type so that you will run it. For example:

    Letter.txt.exe

    If you have 'hide extensions' checked in the Explorer options, the file will look like this:

    Letter.txt
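To make the two scan-dump entries above concrete, here is an added example (my own code, not TDS or DiamondCS code) of a dual-extension heuristic: a naive version that flags any executable whose name still contains a dot, which is why `trillian-v0.725.exe` trips it, and a tighter version that only flags executables hiding behind a document-type inner extension. The extension sets are assumptions chosen for the illustration.

```python
"""Dual-extension heuristics and the Explorer 'hide extensions' view.

Added example, not the TDS scanner's own logic. Filenames used are the ones
from the thread plus constructed samples.
"""
import os

# Assumed sets for the example: what Windows runs on a double-click, and
# what a user expects to open harmlessly (the usual disguise).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTS = {".txt", ".doc", ".jpg", ".jpeg", ".gif", ".bmp", ".pdf",
                 ".htm", ".html", ".mp3", ".zip"}


def explorer_display_name(filename: str, hide_extensions: bool = True) -> str:
    """Name as Explorer shows it; with 'hide extensions' on, the last known
    extension disappears, so Letter.txt.exe is displayed as Letter.txt."""
    if not hide_extensions:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS else filename


def naive_dual_extension(filename: str) -> bool:
    """Flag any executable whose stem still contains a dot. This is what
    reports trillian-v0.725.exe: the version number reads as an extension."""
    stem, ext = os.path.splitext(filename)
    return ext.lower() in EXECUTABLE_EXTS and "." in stem


def disguised_executable(filename: str) -> bool:
    """Tighter check: executable whose inner extension is a document type,
    so the displayed name lies about what a double-click will do."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, inner = os.path.splitext(stem)
    return inner.lower() in DOCUMENT_EXTS


def triage(filenames):
    """Map each name to (naive verdict, tighter verdict) for comparison."""
    return {f: (naive_dual_extension(f), disguised_executable(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample set: one real disguise, one versioned installer, one text file.
    for name, verdicts in triage(["Letter.txt.exe", "trillian-v0.725.exe", "readme.txt"]).items():
        print(f"{name:22} shown as {explorer_display_name(name):14} naive={verdicts[0]} tight={verdicts[1]}")
```

The tighter check still misses disguises that use an unusual inner extension, so in practice it is paired with the 'show all extensions' Explorer setting rather than relied on alone.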
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi spy!
    Sorry I kept you waiting; just before I was able to send the message away the whole page froze, no movement, no possibility to copy or whatever, so I'm starting all over again with the message. So sorry if I sound a bit less friendly than in my original reply (which you don't know now :()

    I hear about many people using WinME without a problem, as far as TDS is concerned. Other problems with drivers and HDs filling themselves up I hear often, even without using the thing. In v4 any Win version problems with TDS and WG must be completely over.

    That's right, for the trial version there's only the manual update, and reload TDS after that to be really sure the new update is used. So you have 11773 references now?
    Sounds very good, for sure! But I have the sockets also on, on automated. It's an extra watchdog for those known trojan ports. With the script function you could do a lot more with the scripted function on the sockets; I did not see people posting scripts for that yet.

    Whether the file is real or a false alert, please be so kind as to send it to the TDS lab with a click of the button, so they can add it to their databases for correction. Every developer is happy to prevent false alarms.
    The double extensions I saw explained already.
    Today I just got an email with an attachment of a so-called image. Forgot the first extension, and .com, so I was alarmed and WG blocked it, even though all virus scanners said it is clean. Such a big question mark I sent on as well for further examination. Of course we always hope to come up with something new! Which is difficult with the people right on top of those things all the time.
    I'm sure you're enjoying yourself, and most of all when you can use the scripting function among others; did you see the possibility to shout back at an intruder? And to see packets going in and out of your system and all those nice things; so I discovered months ago the CodeRed attacks all the time, among others.
    Lots of fun with it, and don't hesitate to ask!
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thanks, Jooske!  Between your answer and wizards' PM's I'm starting to get a handle on things.

    I'll send the logfile tomorrow - running out of time today. Pete
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Pete,
    Not the logfile, but the possible nasty itself: just a right mouse click, choose send the file (after the scan, from the alerts window).

    Glad you like TDS.
    In time on the private forum you'll like it even more with all the gems and jewels: why you think it's a Diamond product:)?

    If you run into more questions, please ask!
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Scan Control Dumped @ 15:45:23 19-03-02
    Suspicious Filename: Dual extensions
     File: c:\program files\trillian-v0.725.exe

    Positive identification <Adv>: Possible keylogger
     File: c:\program files\pcihookprotect\hprot32.exe

    What's with the HookProtect warning? It's been on my computer the whole time and TDS just picks it up today?

    False alert after the last TDS update? Pete
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi again,
    the dual extension is in this case not to worry about, as it's a known program. In v4 this should be solved.
    But the pcikeylogger is better to send to the TDS lab for them to look into. It might indeed be that they have tightened up the detection, which is why this shows up now. And if it's a false alarm, your forwarding of the file enables the lab to update the database even more. It probably has part of a known keylogger's signature included.
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Sent. Pete
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Great Pete, thanks in name of all humanity on this internet part of the planet.
    Hope to ever hear about it!

    (should there be a comma between Great and Pete? :0)

    The Full System Scans unveiled several legal Windows files with password stealing capacities, like pwledit.exe.
    Of course they were so kind to look into them and tell why this alert. Same reason: it does take passwords.
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    lol! You're too much, woman! Pete
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Oops! :D
    Licenced, certificated, some education, yep. <teeeheee>
     