possible trojan?

Discussion in 'Trojan Defence Suite' started by hendricus, May 9, 2003.

Thread Status:
Not open for further replies.
  1. hendricus

    hendricus Registered Member

    Joined:
    Mar 5, 2003
    Posts:
    35
    Location:
    Vorden, the Netherlands
    Hi all there
    What action should I take on this message, other than deleting the files? See attachment.
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi hendricus. Firstly, update your radius file, as your file is either corrupt or wildly out of date.
    http://tds.diamondcs.com.au/radius.td3

    This is today's:

    Systems Initialised [24556 references - 7990 primaries/6485 traces/10081 variants/other]

    After you have loaded the radius file directly into your main TDS3 directory (this will overwrite the corrupt file) - Re-scan, after enabling all of the options in the Scan options menu & report back. Also please state your Operating system.

    Thanks Pilli
     
  3. hendricus

    hendricus Registered Member

    Joined:
    Mar 5, 2003
    Posts:
    35
    Location:
    Vorden, the Netherlands
    Hi, Pilli
    Wildly out of date? I installed this prog about 2 months ago. Why is its database dated 28-3-2002 (!)?
    I installed the trial version. My OS is Win XP Pro.
    I tried to update the file but it does not seem to work. I still have a database dated 28-3-2002. I updated exactly as you described it.
    What is going wrong?
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Did you download the file from the link I supplied?
    Did you then place it into the TDS3 main directory, where you should have been asked if you wanted to overwrite the old file?
    Did you then reload TDS3 ?
    The radius database shown in your screenie dated 28-3-02 is over a year old & many thousands of Trojans out of date :eek:
     
  5. hendricus

    hendricus Registered Member

    Joined:
    Mar 5, 2003
    Posts:
    35
    Location:
    Vorden, the Netherlands
    The database in my screen is very out of date, yeah, I understand that!
    Why couldn't I install a trial version with a more recent database?
    By reload TDS-3 you mean start it again, I figure.
    And yes, i used the file from your link.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Hendricus, welcome.
    So several things are not ok.
    First: the evaluation version is for 30 days at most, not 2 months.
    It ships with that older trial database of that date you show 28-03-2002.
    On the site is the explanation: after d/l and installing you go back to the site to get the latest radius update, the URL Pilli just gave you; the file you drop as it is in the TDS-3 directory, nothing to unzip or install, where it overwrites the existing radius, and like Pilli said it should read the current amount. Now it might be that because the evaluation period is over it does not get updated, as an invitation to register the software to have all the functionality, including updating.
    In case of registering you would only need to drop the registration keyfile in the TDS directory in the way described in the registration confirmation, start TDS, enjoy the changes and first of all in TDS > Update TDS databases now! and see the database updated to the current value.
    And with that you even have entrance to the hidden (licensed TDS operators only) areas in the DCS forum at the DCS sites.

    Further your screenshot contains your IP, so a next time please load it for instance in paint and make your IP unreadable: even if it could be dynamic, there might always be jokers online trying it.

    I hope just something went wrong somehow with the radius update, as we would like you to scan the most urgently with an updated radius, all scan options checked and on highest sensitivity.

    What you can do now:
    Manually find those files on your system and please zip them. Send those zipped files most urgently to DCS: submit@diamondcs.com.au.
    If explorer.exe is in that location indeed it can be a nasty you can read all about on the DCS site in the archives.
    You might like to rename both those files on your system with an extra extension, like explorer.exe.txt or .bak.
    Anything to make it possible to run in any way.
    In case you would get system errors of missing files from normal programs you want to run, you know which files you changed and can rename them back, but I don't guess you would want to with these.

    Please report back how it goes.
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks Jooske, I missed the "two months". The IP addy is something that most users on dial-up on dynamic IPs need not worry about much, but obviously Cable/DSL users and those on fixed IPs should :D
    I'm not sure if hendricus was saying that it was two months with the same installation or a new installation into XP?
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Another niggling little detail is - what version of TDS has he/she got?

    My main interface window doesn't look like that (especially the upper left-hand corner).
     

  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Ah well, at least the screenie has gone.
    Spy1, Should be version 3.2.1 but the console shows it as 3.2.0 even in a licensed version - You can tell if it is 3.2.1 by going to add/remove programmes where 3.2.1 should be listed correctly :D
     
  10. hendricus

    hendricus Registered Member

    Joined:
    Mar 5, 2003
    Posts:
    35
    Location:
    Vorden, the Netherlands
    I installed the prog on the 24th of April, so that's two weeks ago (time didn't run that fast :) ).
    I deleted the two files, but searching learned that they were still in my system. Slightly different names though, e.g. MSDOS.EXE-06FDAAB6.pf (indeed in capitals) located in C:/windows/prefetch. Can I still rename them?
    @Jooske: I removed my screenshot, never thought about that IP. And I don't want to register at all, since I am just lurking around in Trojan Hunter possibilities.
    And Spy1, what do you exactly mean? I see a difference in the little icon up left.
    I hope renaming the files will do.
    I didn't manage to get the update, although I followed your instructions.
    I thank all of you for trying to help me out.
    Maybe uninstall the trial version and then reinstall it is an option (?)
    !Thnx!
     
  11. Metallica

    Metallica Guest

    hendricus,

    The files in the prefetch folder should disappear by themselves as soon as Windows notices the files are no longer being loaded. The prefetch is an XP gimmick to start programs that are often used more quickly.
     
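    As an added example (not code from this thread or from DiamondCS), a small Python helper around the point Metallica makes: Windows Prefetch names such as MSDOS.EXE-06FDAAB6.pf are the executable name plus an 8-hex-digit hash of its path, so a listing of C:\Windows\Prefetch records which programs actually ran, which a defender wants to note before deleting the files a scanner flagged. The listing below is constructed sample data; only the MSDOS.EXE entry comes from this thread.

    ```python
    import re
    from typing import Dict, List, Optional, Tuple

    # Prefetch entries look like EXENAME-XXXXXXXX.pf, where the 8 hex digits
    # are a hash of the executable's path. The executable name may itself
    # contain hyphens, so the pattern anchors on the trailing hash.
    _PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")


    def parse_prefetch_name(name: str) -> Optional[Tuple[str, str]]:
        """Return (EXE name, hash), both upper-cased, or None when the file
        is not a prefetch entry (Layout.ini lives in the same folder)."""
        m = _PF_NAME.match(name)
        if not m:
            return None
        return m.group("exe").upper(), m.group("hash").upper()


    def find_execution_traces(listing: List[str],
                              flagged: List[str]) -> Dict[str, List[str]]:
        """Map each flagged executable name to the prefetch entries that show
        it ran. Matching is case-insensitive; two entries for one name mean
        the same file name ran from two different paths (different hashes)."""
        hits: Dict[str, List[str]] = {f.upper(): [] for f in flagged}
        for entry in listing:
            parsed = parse_prefetch_name(entry)
            if parsed and parsed[0] in hits:
                hits[parsed[0]].append(entry)
        return hits


    # Constructed sample listing. MSDOS.EXE-06FDAAB6.pf is the entry hendricus
    # reported; the other names are made up for illustration.
    SAMPLE_LISTING = [
        "Layout.ini",
        "MSDOS.EXE-06FDAAB6.pf",
        "msdos.exe-1A2B3C4D.pf",
        "NOTEPAD.EXE-D8414F97.pf",
        "MY-TOOL.EXE-0F0F0F0F.pf",
    ]

    if __name__ == "__main__":
        # The two file names TDS flagged in this thread.
        report = find_execution_traces(SAMPLE_LISTING, ["msdos.exe", "explorer.exe"])
        for exe, entries in report.items():
            print(exe, "->", entries if entries else "no prefetch trace")
    ```

    A second hash for the same executable name is worth a look: it means a copy ran from a different path than the usual one.
    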
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hendricus, I just tried that link & it is fine? And your trial version should still be valid. You could try uninstall & reinstall; it should be OK as long as you are within the 30 days. Please stop any running programmes before re-installing, such as AV or AT programmes.

    HTH Pilli

    PS stick with TDS - You'll love it once you have tried it properly :D
     
  13. hendricus

    hendricus Registered Member

    Joined:
    Mar 5, 2003
    Posts:
    35
    Location:
    Vorden, the Netherlands
    Thanks again for all your concern, Pilli. The new version of Swat-it will hopefully keep the trojans away while I get busy studying all the possibilities (and difficulties) of TDS3. :D
     
  14. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    hendricus - Don't rely on SwatIt to "keep the trojans away" - it'll (maybe) help you find any trojans already on your computer (if they aren't new, or packed) - but it definitely isn't a resident scanner.

    In my post above, I was merely trying to clarify if you did, indeed, have version 3.2.1 (please check Add/Remove Programs to see if it is).

    I realized after I posted that the screen difference I was seeing was because I was looking at the main interface, not the scan screen. Pete
     
  15. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Lockdown :eek: Shudders!
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    > I installed this prog about 2 months ago
    You wrote above, so you probably meant weeks. It doesn't have a limit of 15 or 30 times running the program with a max of 30 days, I hope? That could explain it too.
    Did you ever install TDS before in the past?

    Trojan Hunter? Is very different, also in detection methods.

    It's always a thing to shop around for good protection for our valuable systems, take your time, till you know to have the right one for you.
    After putting the radius file into the TDS-3 directory, did you start or re-start TDS then? If not you won't see the new references of course, if we speak of the evaluation version.


    Hope you get rid of the trojans, and be protected from new ones and running them. The registered version of TDS enables more features, among which exec protection to block malicious code from running at all. You can see this more or less as a resident part of TDS. WormGuard has such a protection too for worms and scripts etc in the first place.
    Can you give me the exact name of the second alarm again, the RAT.M....alexM... whatever it was so i can search for a description?
     
  17. hendricus

    hendricus Registered Member

    Joined:
    Mar 5, 2003
    Posts:
    35
    Location:
    Vorden, the Netherlands
    Hi Jooske,
    There's no x amount of times running the program, just the 30 days limit.
    It was my first install of TDS3.
    I restarted TDS3 after putting the radius file into the TDS3 directory.
    The alarm doesn't show anymore after i deleted the files.
    alarm:file trace:default trojan filename
    name:RAT.AlexMessoMalex
    file:Msdos.exe
    @Spy1: I did have version 3.2.1. Thnx for the warning about Swat-it not being a resident trojan scanner.
    Thanks to you all for the support so far. Hope to return with some good news!
     
  18. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Ah well hendricus, "All's well that ends well". Shame you could not zip those files up and send them to gavin@diamondcs.com.au

    BTW, can you check your deleted file folder? If they are there please send them to the above address.

    Cheers Pilli
     
  19. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    hendricus - You're quite welcome. Pete
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks, found some info about it; they are in the TDS primaries too btw, so no problem you lost the samples.
    Glad you seem clean now. Did the new updated radius show any other alarms now?
     
  21. hendricus

    hendricus Registered Member

    Joined:
    Mar 5, 2003
    Posts:
    35
    Location:
    Vorden, the Netherlands
    Hi, Jooske
    reading your last post there seems to be some misunderstanding. After all the things that went wrong I completely uninstalled TDS3 from my system. So there were no new attempts at updating the radius. It was meant as my answer to your remark: "After putting the radius file into the TDS-3 directory, did you start or re-start TDS then? If not you won't see the new references of course, if we speak of the evaluation version."
    I remain curious about Alex MessoMalex (nice name for a freak-show act :D).
    Maybe I'll try a new attempt to install TDS3, I'd like to see it at work!
     
  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    >I restarted TDS3 after putting the radius file into the TDS3 directory.
    The alarm doesn't show anymore after i deleted the files.<

    With this I suppose you re-installed after uninstalling completely. How else could an alarm show up after scanning?

    The RAT description is a backdoor kind of thing, the name seems exotic yes. Wonder how it got there in the first place.
    It is in the Radius references, and as your update was from over a year ago, it's been in there longer than that date.
    TDS is most certainly worth a good try and i'd like to know if you get it updated properly this time, of course.
    So, go offline, close firewall, every av/at, install TDS, reboot, so all av/at/firewall protection is up, go back to the DCS site and get that radius update, look here for some configuration advice, put checkmarks in every scan option in TDS and get that full system scan.
    With your replies we hope to be able to help you fine-tune your configuration.
    Which Windows version are you using, btw?
     
  23. hendricus

    hendricus Registered Member

    Joined:
    Mar 5, 2003
    Posts:
    35
    Location:
    Vorden, the Netherlands
    Jooske,
    1. I started this thread with the question: possible trojan. I asked for support and learned among other things that the database was far too old. I followed the suggestion to update the radius. That went wrong.
    Meanwhile I deleted the two files (the possible trojans) and did another scan (with -again- the old database). The files didn't show.
    2. I completely uninstalled TDS3, installed Swat-it and started to read info about TDS3.
    3. Spy1 informed me that Swat-it was not a resident trojan scanner, so I uninstalled it and put TDS3 back on the system. All went well this time and I have an updated radius (10-5-2003)! There are no trojans in my system (XP Pro).
    Happy Sunday to me, happy Sunday to you all. Thanks again for the support.
     
  24. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Great! Hendricus, all's well that ends well. You have an enjoyable Sunday, we will be around if you need any more help :D

    Have fun - Pilli
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hendricus,
    thank you so much for the step by step explanation about your computer's situation!
    Think all is clear now and clean as well it seems! Happy to read so!
    If your whole system is clean now, and those were the only alerts before and nothing showing up anymore now while you put checkmarks in every available scan option, i really must congratulate you with such a clean system! Sounds really nice!

    Many people install beside TDS as a special AT a special AV like NOD32 and/or a second opinion av/at like KAV/AVP or the kind, as each has their own ways of detection.
    But take your time if it is about trojans defence equipment, as DCS has more interesting tools in the build to be betatested soon, and you would not like to miss those for sure.

    Beside TDS I wouldn't do without WormGuard, which is special for scripts, worms and lots more. The new version will be ready for betatesting soon; looking forward to that as it's rebuilt from scratch and has several really nice new features.

    Port Explorer shows us in one blink of the eye eventual suspicious connections, like your RAT could have been making. With that you could block all traffic and/or spy on the packets sent and received, block and delete them, etc.
    We're currently betatesting a new version of that, with a few new features, and not sure if this will be the public release or that there might be even more options added!

    And of course a nice firewall you like to complete it.

    With these necessary specialist top notch products you can always add more to your liking.
    You might like to get the free AutostartViewer from the DCS site too, in which you can see all programs with autostart options; I noticed several which I didn't allow autostarts and auto-updates, but they are there so I can be aware of them and check their legality on my system if I would not know them, for instance, block/delete/whatever I would like, including deleting their registry keys in a safe way.

    We do like to support you as we love the products so much and learned to use them and keep our systems well protected with them, and for TDS I can say it adds so much fun to security! (hence my fun scripts)

    And a happy Mother's Day this Sunday! For you and everybody too!
     