Discussion in 'Trojan Defence Suite' started by haggard, Jun 3, 2003.

  haggard

    I purchased TDS-3 last night and, after reading through around 60% of the help files, I can honestly say this trojan scanner is what I have been looking for. I only wish I was advanced enough to use some of its more complex and powerful tools.

    However I have a few questions.

    1. Once I activate the Environment Settings List I receive only 7 values, far from what was shown in the help files. (OS: Win98SE)

    2. Under Scan Control / Advanced Scan Options, regarding the "Scan for EICAR test string" option: I am not clear what TDS-3 does with this. Does it copy an EICAR test string from some location in its files and, after activating it, attempt to find it itself? Or does it activate the file to test your AV scanner to see if it can pick it up? Or does TDS-3 merely note that an EICAR test file exists? Or do you have to manually d/l and install an EICAR test file, which TDS-3 will then attempt to find? In any case, once checked and TDS-3 reloaded, neither TDS nor Norton (AV) picked up an EICAR test string.

    3. Do I have the full version of TDS-3? I received the .kf file and was directed to a page where the evaluation TDS-3 was located, so I d/led it and installed the key as mentioned. Does this activate the full version from the eval version?

    4. The first scan revealed four suspicious files with dual extensions: three with a (tmp.exe) and another which was named quake iii with a dual extension I cannot recall. In any case, I have Quake installed on my system, but when I performed a second scan only the three files were found, so could this quake iii file have been what I believe is called a false positive, or did it change itself? I think it is important to note here that a while back something was installed on my system called qtxxx; the reason for the xxx is that its name changed. The two times I hunted it down it was a different file, but it always had the qt/QT prefix. Anyway, I haven't seen it around for a very long time, so maybe it was a legitimate program. Anyway, I rarely if ever send in unknown files. I will submit known files, but who knows what the unknown files might carry out with them.

    I will post back about other questions about unknown processes to see if they are legitimate.

    5. Someone has been methodically scanning my ports for the last three days now. I believe there are two constant IP addresses. I was wondering if there is a quick start guide to using some of the TDS tools mentioned in the help and the FAQ to discourage this activity. Note it may be my ISP, but I do not know why they would be scanning so many ports.

    6. Using System Analysis / Memory Objects Tree I have found a listing called hiddenwindow in Outlook Express, which I use as a newsreader; it is not configured for email. Is this normal?

    I guess this is the question I will ask the most, or a variant of it: is this normal? Should item xxx be here at this location? What does this program do? etc...
  haggard

    Two more questions.

    1. What is the current build version? Mine is 3.2.0, and yet I have been reading about v3.2.1. Is this for XP? I just purchased TDS as I mentioned, so if it isn't exclusive to WinXP, why do I have v3.2.0?

    2. How many forums/areas do you have to register in? I see that I am a guest here but logged in on the DiamondCS page.
  Gavin - DiamondCS, Former DCS Moderator

    Feb 10, 2002
    Perth, Western Australia
    I'll try to answer a few of the most important ones.. :)

    You should have installed the demo version and added the keyfile to the TDS folder, so you should be registered next time you start TDS.

    EICAR scanning is for detection of an EICAR.COM test file. TDS also detects other TEST files, and we even added LEAKTEST from GRC.COM, which a few users wanted to show up. This is just for showing a positive detection with file scanning; try it if you wish :)

    Suspicious files with dual extensions, excess spaces and other things are just warnings; as long as you understand they CAN be dangerous, you can analyse the file yourself. A file named program.100.exe would not be suspicious to me, but one called mypic.jpg.EXE would be extremely suspicious, and 10 times out of 10 it would be a trojan :)

    If you are ever suspicious of files you can zip and email them to no problems about there being any complications, just send the file in and we will let you know what to do, if anything :)

    Hmm, Environment settings are normal; this is just grabbed from Windows and is definitely correct. You can type SET at the DOS command prompt to see these.

    v3.2.1 is just a repackaged version with newer databases and some very small fixes, so you do have the current version. This is the only version that has been available for some time, and will be the last TDS 3.x version.
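The two filename cues Gavin describes (a decoy extension such as .jpg hiding a real .EXE, and excess spaces padding the true extension) can be turned into a small checker. This is an added example written for this thread, not TDS code; the extension lists are constructed for the example and are not TDS's own database.

```python
import re
from typing import List

# Extensions Windows will run directly (constructed list, not TDS's database).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
# Benign-looking extensions that are often placed in front of the real one.
# "tmp" is included because the thread's tmp.exe dual extensions look odd.
DECOY_EXTS = {"jpg", "jpeg", "gif", "bmp", "png", "txt", "doc", "pdf",
              "mp3", "avi", "zip", "htm", "html", "tmp"}


def assess_filename(name: str) -> List[str]:
    """Return warning reasons for a filename; an empty list means nothing odd.

    Only the cues from the thread are checked: a decoy extension immediately
    before an executable one (mypic.jpg.EXE), and runs of spaces in the stem
    that push the real extension out of view (holiday.jpg          .exe).
    A numeric middle part such as program.100.exe is deliberately not flagged.
    """
    reasons: List[str] = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path
    parts = base.split(".")
    if len(parts) < 2:
        return reasons                                   # no extension at all
    final = parts[-1].strip().lower()
    if final not in EXECUTABLE_EXTS:
        return reasons                                   # not directly runnable
    prev = parts[-2].strip().lower()                     # token before real ext
    if prev in DECOY_EXTS:
        reasons.append(f"decoy extension '.{prev}' before executable '.{final}'")
    stem = base[: base.rfind(".")]
    if re.search(r" {2,}", stem):
        reasons.append("run of excess spaces padding the real extension")
    return reasons


if __name__ == "__main__":
    # Constructed sample names, including the two from Gavin's post.
    for sample in ("program.100.exe", "mypic.jpg.EXE",
                   "holiday.jpg          .exe", "report.txt", "abc.tmp.exe"):
        print(f"{sample!r}: {assess_filename(sample) or 'ok'}")
```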
  Jooske, Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    Hi Haggard,

    For the QTxxx file: QuickTime? MSN Messenger?
    I deleted the key for those from my autostart via TDS > System Analysis > Autostart Explorer.

    Scanning back, in the sense of resolving their IP and doing a whois, would alert them that you are aware of them. You could email their abuse address and ask them to stop.
    Of course you can try the UDP broadcast and the other network tools to let them know you're aware of them, if it helps.
    In case of specific trojan ports you might like to unpack the Screx script in the Scripts area and use it as an emulator. Read its instructions and try it if you like.
    In the TDS Private areas Andreas posted a new beta version of Screx.

    I'm trying to remember what the hiddenwindow in OE is about. Good that you found it, but I am trying to remember if there is a how-to for avoiding it.

    For the registering of the forums:
    there is one for the Wilders forum where you are now, and one separate for the DCS forums on the DCS site, with an extra request for access to the private licensed TDS operators only area over there. The URL is in my signature.
  Pilli, Registered Member

    Feb 13, 2002
    Hampshire UK
    Hello Haggard & welcome!

    Gavin & Jooske have covered most of your queries. I am sure you will enjoy the TDS experience and, as Jooske says, join the private forum, as there are many useful threads of information covering all aspects of TDS3 operation plus many useful tips & scripts.
  Elmvale

    I assume a TDS 4 version is on the way.... :D

    When is its expected release date??

  Dan Perez, Retired Moderator

    May 18, 2003
    Sunny San Diego
    Hey Haggard,

    One thing that may be confusing is that (since the 3.21 version was a minor update) when you start up TDS and info begins to scroll in the main screen you will still see it show the version as 3.20, but if you look in the Add/Remove Programs list you should see it there as 3.21.

    AFAIK, the ExecProt capability only works when the program is properly registered, so you may want to consider that as assurance that you are fully online.

    The dual extension tmp.exe seems a bit odd to me. You may want to use one of my favorite TDS functions, the "String Extractor" in the Utilities menu of TDS. This will list any ASCII (cleartext) strings in the executable you point it to, which should help set your mind at ease about the innocuousness (that CAN'T be a real word) of the file or, alternatively, alarm you enough to send the file to Gavin for him to look at :)

    See ya

    PS, I heartily agree with Jooske's recommendation of SCREX. I don't operate TDS without it! :D
  Pilli, Registered Member

    Feb 13, 2002
    Hampshire UK
    Elmvale, TDS4 & WG4 are "on the way" but no release date has been announced. :D
