I have a Trojan Dropper problem

Discussion in 'Trojan Defence Suite' started by Protean, Jul 12, 2004.

Thread Status:
Not open for further replies.
  1. Protean

    Protean Guest

    TDS-3 has picked up 24000+ infected files, mostly Trojan Dropper but also keylog.god and Rat Cabronator. I shall probably re-format as they are everywhere. Does TDS-3 allow me to delete more than one file at a time?
     
  2. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    Yeah, same problem here. I THINK IT'S THE DEFS. THE LATEST DEFS 7-12-2004 have that problem. The earlier ones do not, so I guess someone screwed up with heuristics. :)
    Boy, you better fix it soon or many inexperienced users will start killing their own processes, rendering their Windows boxes useless. :)
    YOU GET SOMETHING LIKE THIS, RIGHT?


    Scan Control Dumped @ 15:27:08 12-07-04
    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\windows\system32\winlogon.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\windows\system32\winlogon.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\windows\system32\winlogon.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\windows\system32\winlogon.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\windows\system32\services.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\program files\sygate\spf\smc.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\windows\system32\spoolsv.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\windows\explorer.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\windows\explorer.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\program files\intel\intel application accelerator\iaanotif.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\program files\intel\intel application accelerator\iaanotif.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\program files\intel\intel application accelerator\iaanotif.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\windows\system32\tcaudiag.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\program files\processguard free\dcsuserprot.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\program files\intel\intel application accelerator\iaantmon.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\progra~1\symant~1\symant~1\vptray.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\program files\symantec_client_security\symantec antivirus\rtvscan.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\program files\symantec_client_security\symantec antivirus\rtvscan.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\program files\processguard free\pg_msgprot.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\program files\processguard free\pg_msgprot.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\progra~1\nsclean\boclean\boclean.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\program files\spywareguard\sgmain.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\program files\spywareguard\sgmain.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\program files\analog devices\soundmax\smagent.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\program files\apc\apc powerchute personal edition\apcsystray.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\windows\msagent\agentsvr.exe

    Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
    File: c:\windows\msagent\agentsvr.exe

    File Trace: Default trojan filename: Keylog.GOD
    File:

    File Trace: Default trojan filename: RAT.Cabronator
    File:
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello there, no, you have no infections. Today there was a corrupt update, so please grab the update from another mirror till you get the real 35749 references. In your update.cfg list are several; I would like to know which mirror you used. Was that the http://tds.diamondcs.com.au/radius.td3 ?
    http://radius.turvamies.com/radius.td3
    http://www.diamondcs.com.au/tds/radius.td3
    http://diamondcs.fileburst.com/radius.td3

    Please try one of those --- hope you get the right one immediately.
    And no system reformat, not necessary, just a new radius file which is not corrupt and all should be well again.
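
The pattern in the scan dump above, as an added example that is not part of the original thread and not TDS-3 code: a small triage pass that groups detections by signature name before anyone deletes a file. The sample log is constructed in the dump's format, and the names `triage`, `is_garbled` and `mass_threshold`, along with both heuristics, are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the format of the scan dump in the thread.
SAMPLE_LOG = r"""
Scan Control Dumped @ 15:27:08 12-07-04
Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
File: c:\windows\system32\winlogon.exe
Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
File: c:\windows\system32\winlogon.exe
Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
File: c:\windows\system32\services.exe
Positive identification (embedded in file): TrojanDropper.ÿÿÿÿÿÿÿÿÿ
File: c:\windows\explorer.exe
File Trace: Default trojan filename: Keylog.GOD
File:
"""

ENTRY = re.compile(
    r"^\s*(?:Positive identification \([^)]*\)|File Trace: Default trojan filename)"
    r":\s*(?P<name>.+?)\s*\n\s*File:[ \t]*(?P<path>.*)$",
    re.MULTILINE,
)

def is_garbled(name):
    """True if the signature name holds characters outside printable ASCII."""
    return any(not (0x20 <= ord(ch) <= 0x7E) for ch in name)

def triage(log, mass_threshold=3):
    """Group detections by signature name and flag likely definition faults.

    Heuristics (assumptions of this example, not TDS-3 behaviour):
      - a garbled signature name points at a damaged definition record;
      - one name matching many distinct files points at an over-broad pattern.
    """
    files = defaultdict(set)
    for m in ENTRY.finditer(log):
        files[m["name"]].update(filter(None, [m["path"].strip().lower()]))
    report = {}
    for name, paths in files.items():
        if is_garbled(name) or len(paths) >= mass_threshold:
            verdict = "suspect-definitions"
        elif not paths:
            verdict = "no-file-to-check"
        else:
            verdict = "investigate"
        report[name] = (len(paths), verdict)
    return report
```

A `suspect-definitions` verdict is the cue to re-fetch the definition file and rescan before acting on any of the listed files.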
     
  4. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    1st link POOCH SCREWED

    2nd link WORKS GREAT

    3rd link POOCH SCREWED

    4th link haven't tested it



    SO ANYONE WITH THIS PROBLEM USE THE 2nd LINK PROVIDED BY JOOSKE ie.
    http://radius.turvamies.com/radius.td3
     
  5. Whynot

    Whynot Registered Member

    Joined:
    Feb 8, 2004
    Posts:
    50
    Just been screwed. Rather than submit the "infected" file I deleted it - winlogon.exe. Oh well, time to dig around recovery console. Beware of this, folks. TV was crap tonight anyway :rolleyes:
     
  6. cynic

    cynic Guest


    Actually only the last mirror came up clean when I rescanned. Others were chock-full of "positive identifications".
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Turvamies too? Hmmmmmmmm, while that one gives most people the right amount of references, so I would think that should be a right version - that's where I took it and did not get alerts....... hmmm
     
  8. hayc59

    hayc59 Guest

    working very well here also
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Last Friday when the first files appeared, and today again, I see Symantec users involved so often.
    Can't imagine that is the cause. Do all people with problems have NAV, or is that just pure coincidence and do other people without NAV also have problems?

    On the other hand, if it was Symantec related, people would not have right updates from several other mirrors.
    Last Friday the first I saw was from a person scanning with lots of other scanners up at the same time, the same infections as those on top in the lists here; there the problem disappeared with closing the other scanners.
    But there the update was OK.
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Jooske, no Symantec here, so I think it is a radius problem.
     
  11. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    I did manual dl from Turvamies site, no probs.. correct file figures, no alerts.

    TAS
     
  12. larus

    larus Registered Member

    Joined:
    Jul 3, 2004
    Posts:
    1
    Wow, you guys are cool to have figured that one out. I just got victimized by the same thing recently and I ended up reinstalling damn Windows. Anyway, thanks for the help guys!
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If ever anything happens again, please first of all come check the forums if anybody knows anything.
    I hope you did not get to reformat from yesterday's update?
     
  14. Tired

    Tired Registered Member

    Joined:
    Oct 18, 2002
    Posts:
    50
    Location:
    Boston
    I manually downloaded 2x and got different info.
    There are no positives, and here is what I have. Is this correct?
    35777 ref, 14016 prim, 9987 traces, 11774 variants
    Jooske said this is what it is supposed to be.
    "the real 35749 references"

    PLEASE LET ME KNOW. I have been dealing with this all day!!

    Thanks, Tracy
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    [35777 references - 14016 primaries/9987 traces/11774 variants/other]
    Looks rather familiar with your current ones, eh? The other value was yesterday's update; Gavin added several detections as you see.

    Wow, the 14,000 primaries were passed. Imagine, when Gavin started there might have been 4000 or 9000 references, now even a manifold of everything!
     
  16. pruizgarcia

    pruizgarcia Registered Member

    Joined:
    May 25, 2004
    Posts:
    5
    Thank God I stopped by the forum before reformatting. TDS had found over 5400 instances of TrojanDropper before I stopped it and I was ready to kill. Downloaded updates, everything fine now.
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thank you for stopping by and telling us, another system saved from unnecessary reformatting!
    Security can be rather exciting at times.............!
     
  18. Protean

    Protean Guest

    Thanks for your help, no alerts now. (wasn't looking forward to doing a format)
     