All my processes are infected?!?

Discussion in 'Trojan Defence Suite' started by Konyntje, May 10, 2003.

Thread Status:
Not open for further replies.
  1. Konyntje

    Konyntje Registered Member

    Joined:
    Apr 26, 2003
    Posts:
    18
    A very weird thing just happened... I updated my radius, then went directly into Configuration to stopping loading my plugins. I saved and answered 'Yes' to have TDS reload immediately. On re-load, when scanning my processes, each of them got a 'Positive Identification' message; no trojan named just the name of the file. I uploaded the 'Outlook' file to TDS just to be sure, then rebooted. The system came up clean - no messages about anything being infected. Very strange.
     
  2. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Konyntje,

    did you already do a full system scan after that these messages appeared? What was the result of it? And do you know all the processes which are running in the background? Is there an unusual one?

    Regards,

    Patrice
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Konymtje, Do you have TDS3 to start when windows start? I only ask as there may have been a minor corruption during start up. In XP I start TDS3 manually after everything else has loaded.
    What Operating system are you using?
    Have you closed TDS down completely & do you have Exec protection enabled?

    Sorry more questions than answers :)
     
  4. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Pilli,
    Ever thought about using Startup Delayer? I'm using Windows XP Pro as well and this little tool helps me out, that TDS-3 is starting automatically as the last application. ;)

    http://www.webattack.com/get/startdelay.shtml

    Best regards,

    Patrice
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    "All my processes" ?? Do you mean all those in the Process List? but not Outlook file?
    Are you using an evaluation version of TDS or a registered one (because of the possibility to use exec protection or not)

    Is this the first time you ran it?
    At installing TDS, did you close all av/at scanners and maybe even rebooted to make sure nothing was still in use by other programs at all?
    Why would you close the plugins? they don't eat resources till used.
    If you scan with the current Radius database and every scan option checked, do you still get those alerts?

    I would indeed recommend at the moment to start TDS manually after reboot and see if this solves the problems.
    If there are still alerts, you might like to rightclick on one of the alerts in the console, save them to Scandump.txt in the TDS-3 directory and include that in a posting here for us to look with you. (you can edit sensitive info away, but we might like in some cases pathnames)
    Looking ward for your next part to help you further.
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Patrice, XP has it's own scheduler ;) Agreed, not as flexible as some :(
     
  7. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Pilli,

    which one are you talking about? I just know the setting for the memory priority... o_O

    Regards,

    Patrice
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    This one :D
     
  9. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Ahh.. so this is what you call a Startup Delayer!?! LOL :D
    Not bad, actually I never thought about this possibility...

    Greetings,

    Patrice
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Patrice, We must stay on topic so I shall remove my posted gif as it is not really relevant :D
     
  11. Konyntje

    Konyntje Registered Member

    Joined:
    Apr 26, 2003
    Posts:
    18
    Hi all,
    Sorry for the delay in getting back to you, you know how it is....

    Jooske (et al): I'm a registered user and have been using TDS for about 4 months now. All processes listed in Task Manager were the ones flagged. All scan options are marked for checking at startup. This is the way I've been running for quite a while. I've since done several warm and cold restarts (WinXP), and haven't had any problems. Haven't done a full system scan yet but will one just to be sure. I'm sure everything is OK; probably some kind of weird initialization bug. I just thought I should mention it to the group in case others had the same problem.
     
  12. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,284
    Location:
    New England
    Yes, it certainly seems like it was "just one of those things". But, I agree with you, it's better to post about it than not, just in case it ends up being something important. You never know for sure unless you post about it. :)
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks for coming back with your reaction, as you see it caused some puzzling and discussions among us too!
    Now Pilli can put his startup delayer screenshot back (can you please ?) as extra instruction for TDS delayed startup which seems to help lots of XP users.
    Please do your full system scan with every option checked and look if there is any alert.
    Suppose all is well this time when you look at the process list and everything?
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    OK Jooske, Here's the info' again :D

    Notes

    To open Scheduled Tasks, click Start, click All Programs, point to Accessories, point to System Tools, and then click Scheduled Tasks.
    If you want to configure advanced settings for the task, select the Open advanced properties for this task when I click Finish check box on the final page of the wizard.
    Confirm that the system date and time on your computer are accurate, because Scheduled Tasks relies on this information to run scheduled tasks. To verify or change this information, double-click the time indicator on the taskbar.
    You must supply the password for the account on which you want the the scehduled task to run. The password cannot be blank.
     

    Attached Files:

  15. Konyntje

    Konyntje Registered Member

    Joined:
    Apr 26, 2003
    Posts:
    18
    Well I did a full system scan - nothing came up except for those pesky ADS Hidden Data Streams - so I guess it was just some kind of twitch in the software. Thanks to all for your help and concern.

    Just to switch gears slightly.. is it OK to delete the Alternate Data Streams? I had about 25 of 'em; one was 88 bytes, the rest were zero.
     
  16. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Konyntje,

    yeah you can delete them. You find more information about this issue on the homepage of DCS.

    Best regards,

    Patrice
     
  17. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Streams are generally OK, and since they are being used a bit by legitimate software we now recommend you go to Scan Control, ADS Stream Options, and ignore streams smaller than 256 bytes :)
     
  18. Konyntje

    Konyntje Registered Member

    Joined:
    Apr 26, 2003
    Posts:
    18
    Thanks! I'll adjust the size now.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.