TDS trace scans?????

Discussion in 'Trojan Defence Suite' started by Grasshopper, Apr 19, 2004.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Thanks Frank ! :)

    I have just asked the DiamondCS-guys for some help.
    Given the different time-zones it could take a little while ;)

    Cheers, Jan.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Neither would I; maybe you can try the properties and "run as" anyway to see if that makes any difference.
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    If you only have one account it is Admin by default :)

    I think a HiJackThis listing may be of some help now, so can you post one please Grasshopper.

    As far as I know Process Guard could not cause these errors as it does not scan anything as such.

    It may also be interesting to attach a copy of your PG log if you have not deleted it, may give us another clue :)
     
  4. Grasshopper

    Grasshopper Registered Member

    Joined:
    Sep 30, 2002
    Posts:
    77
    Hello all ,

    I have uninstalled Process Guard again and this time TDS still gives me the trace alerts in C:. Very confusing, but I'm not ruling out PG yet.

    Here is my HijackThis log

    Logfile of HijackThis v1.97.7
    Scan saved at 10:09:30 PM, on 20/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\WINDOWS\system32\spoolsv.exe
    G:\WINDOWS\Explorer.EXE
    G:\Program Files\Eset\nod32krn.exe
    G:\PROGRA~1\Security\Outpost\OUTPOS~1\outpost.exe
    G:\Program Files\Eset\nod32kui.exe
    G:\Program Files\Security\Spyware G\SpywareGuard\sgmain.exe
    G:\Program Files\Security\Spyware G\SpywareGuard\sgbhp.exe
    G:\PROGRA~1\INCRED~1\bin\IMApp.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\Documents and Settings\Frank\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.105.136.160:80
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - G:\Program Files\Security\Spyware G\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - G:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [nod32kui] "G:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [Outpost Firewall] G:\PROGRA~1\Security\Outpost\OUTPOS~1\outpost.exe /waitservice
    O4 - Startup: SpywareGuard.lnk = G:\Program Files\Security\Spyware G\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - G:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Trashcan (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38088.2726388889


    I am definitely not an expert at this but nothing here seems out of the ordinary.

    I'm sure we will come up with something .

    regards
    Frank
     
  5. FanJ

    FanJ Guest

  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi everyone,

    Until recently I wasn't aware of machines having a NON hard drive as C: which is the problem, the TRACE scanner was never designed with this in mind and there are many hard-coded worm names listed.

    I would suggest you avoid using the trace scanner at all - since you have no traces coming up apart from those erroneous ones. If you do run the trace scanner you should be able to save the scandump and just ignore those alarms which refer to C:\ hard coded paths - anything else is a realistic trace alarm and should be investigated as normal. Of course feel free to email me if you have questions on any of the detections :)
     
  7. Grasshopper

    Grasshopper Registered Member

    Joined:
    Sep 30, 2002
    Posts:
    77
    Hi all,

    I'm back up and running after a reformat and putting my hard drive as C: again. I came to the same conclusion as Gavin as far as the HD designation was concerned and reformatted yesterday, not that I understand TDS well enough to realize what exactly it was doing, but because from my point of view it was the only thing that made any sense. I knew my computer was clean and the trace targets were all in C:, so the HD designation was pretty much the only other thing it could be.

    I haven't reinstalled Outpost or Process Guard yet and so far TDS is back to normal; hopefully all will work as they should.

    Thanks everyone for your help and I will let you know how all goes in the next day or so.

    Thanks again,
    Frank
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    You're welcome Grasshopper, I think we have all probably learnt a bit more :)

    Enjoy your weekend - Pilli
     
  9. Grasshopper

    Grasshopper Registered Member

    Joined:
    Sep 30, 2002
    Posts:
    77
    Greetings one and all,

    I reinstalled Process Guard and Outpost yesterday and all programs seem to be playing well with each other so far. :D
    TDS is running fine now with my HD as C: "phew" ;)
    Outpost still has small glitches in it but I think these are small problems with the new 2.1 version and hopefully not related to Process Guard.

    When those of us (the average people) who are not so bright operating computers run into problems, we tend to place blame on the first thing that makes sense to us. In my case it was PG, since I had just installed it; it seemed to me to be the most likely culprit. This was not the case and I apologize to the creators for jumping to that conclusion.

    Thanks again for all your help and patience dealing with us, the average people.

    Frank
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Grasshopper, no problem, that's what these forums are for, we all try to help each other. :D
    Any further problems, please do not be afraid to ask.

    Cheers - Pilli
     
  11. Grasshopper

    Grasshopper Registered Member

    Joined:
    Sep 30, 2002
    Posts:
    77
    Hi all ,

    Just to satisfy my own curiosity, can anyone from Diamond tell me what TDS was giving me trace alerts on o_O Was it a list of nasties TDS has in its own database o_O

    Just wondering ,
    thanks
    Frank
     
  12. FanJ

    FanJ Guest

    (not being an employee of DCS)

    Yep, that's right.
    File traces are far from the only ways TDS-3 is able to detect a Trojan.
    But, according to the TDS-3 Help-file, some Trojans install a nasty file in a "default" location. If it is the only Trojan that always puts a certain file in such a place, then DCS adds such a file-trace for it.

    I hope that helps ;)
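    An added illustration (not TDS-3 code, and not from DiamondCS or anyone in this thread) of the two points made by Gavin in post #6 and FanJ in post #12: a file-trace table lists fixed drop locations for particular trojans, and a table that stores the drive letter literally misbehaves on a machine whose Windows drive is not C:. The trace names, paths, file list and the probe that raises OSError for C: are all constructed placeholders; the thread does not state exactly how the real scanner reacted to the non-hard-drive C:, so the "error" status below is a model of that noise, not a description of TDS internals. The fix shown is to resolve each trace against the actual system drive (SystemDrive, G: on Grasshopper's machine) and to report an unreadable location as skipped rather than as an alarm.

```python
import os
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed trace table: placeholder trojan names and paths, NOT the real
# TDS-3 database. A "file trace" is a fixed location one particular trojan is
# known to drop a file in; older tables stored the drive letter literally.
SAMPLE_TRACES: List[Tuple[str, str]] = [
    ("EXAMPLE-TROJAN-A", r"C:\WINDOWS\System32\example_a.dll"),
    ("EXAMPLE-TROJAN-B", r"C:\example_b.exe"),
    ("EXAMPLE-TROJAN-C", r"%SystemDrive%\Program Files\Common Files\example_c.exe"),
]

# Constructed picture of a machine like Grasshopper's: Windows lives on G:,
# and nothing readable sits behind C:. Only the first path is a genuine hit.
SAMPLE_FILES = {
    r"G:\WINDOWS\System32\example_a.dll",
    r"G:\WINDOWS\System32\smss.exe",
    r"G:\Program Files\Eset\nod32krn.exe",
}


def sample_probe(path: str) -> bool:
    """Stand-in for os.path.exists against the constructed machine above.
    Touching C: raises OSError, modelling a drive that is not a hard disk."""
    if path[:2].upper() == "C:":
        raise OSError("C: is not a readable hard disk (constructed)")
    return path in SAMPLE_FILES


@dataclass
class TraceResult:
    name: str
    path: str
    status: str  # "alert", "clean", "skipped" (drive-aware) or "error" (naive)


def resolve_trace_path(path: str, system_drive: str) -> str:
    """Point a stored trace at the drive Windows actually runs from."""
    drive = system_drive.rstrip("\\")  # "G:" whether given as "G:" or "G:\"
    if path.upper().startswith("%SYSTEMDRIVE%"):
        return drive + path[len("%SystemDrive%"):]
    if len(path) >= 2 and path[1] == ":":
        return drive + path[2:]  # drop the literal drive letter
    return path


def naive_scan(traces, probe: Callable[[str], bool]) -> List[TraceResult]:
    """Check each trace exactly as stored. Every trace on a drive the probe
    cannot read surfaces as noise instead of a real verdict, and a genuine
    drop on the real system drive is never looked at."""
    results = []
    for name, raw in traces:
        try:
            status = "alert" if probe(raw) else "clean"
        except OSError:
            status = "error"
        results.append(TraceResult(name, raw, status))
    return results


def scan_traces(traces, probe: Callable[[str], bool],
                system_drive: str) -> List[TraceResult]:
    """Drive-aware scan: resolve each trace against system_drive first and
    report an unreadable location as 'skipped', never as an alert."""
    results = []
    for name, raw in traces:
        path = resolve_trace_path(raw, system_drive)
        try:
            status = "alert" if probe(path) else "clean"
        except OSError:
            status = "skipped"
        results.append(TraceResult(name, path, status))
    return results


def alerts(results: List[TraceResult]) -> List[str]:
    """Names of traces that actually hit; the list a user should investigate."""
    return [r.name for r in results if r.status == "alert"]


if __name__ == "__main__":
    for r in naive_scan(SAMPLE_TRACES, sample_probe):
        print("naive   ", r.status.ljust(7), r.path)
    for r in scan_traces(SAMPLE_TRACES, sample_probe, "G:"):
        print("resolved", r.status.ljust(7), r.path)
    # A live run on Windows would pass os.path.exists as the probe and the
    # real system drive from the environment instead of the constructed ones.
    print("live scan would use", os.environ.get("SystemDrive", "C:"))
```

    Run as-is, the naive pass reports noise for both C:-rooted traces and misses the one real drop on G:, while the drive-aware pass finds it and stays quiet on the rest; with os.path.exists and the SystemDrive environment variable substituted in, the same function works on a real machine.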
     
  13. Grasshopper

    Grasshopper Registered Member

    Joined:
    Sep 30, 2002
    Posts:
    77
    Yep it does and thank you .
    I hope we never stop learning , it's kind of fun at times.

    Frank
     