Problem

Discussion in 'Trojan Defence Suite' started by dallen, Jan 25, 2004.

Thread Status:
Not open for further replies.
  1. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Dallen, does this happen each time or was this one time, and if so, each time in a specific place? Not a crash on a corrupt rar file, to name an example?
     
  3. dallen

    Jooske,

    Good observation. It occurs every time, and every time at the same location. It happens when it gets to a folder that houses newly downloaded file-sharing files.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Probably a corrupt download or split RAR file Dallen :(
    See if you can scan the rest of your HD without that folder.
     
  5. Jooske

    Or, quoting Pilli in another posting (I was digging for it, so you beat me, Pilli :) ):
    "It may be that TDS is trying to open a compressed file that it cannot handle, such as some split archives. Try disabling Deep search inside of zip/rar files and re-scan."

    Must be possible to locate the culprit that way. You will still be safe, as this way the sleeping giant(s) in those archives keep sleeping, and live nasties will be found anyway and can't harm you, as the exec protection would stop them in their tracks.
    Of course I do hope with you that there is nothing wrong there.
     
  6. dallen

    Thanks for the information and help. I am doing as you suggest. However, I have a few questions. What is a .rar file? My intuition tells me that it is similar to a .zip file. How does one decompress a .rar file if that is what it is?

    I did realize that there was a file in that download folder that would not let me delete it. It kept saying that the file was in use by another application, but I wasn't using it. How do I delete it? Did you say that my computer is safe? I completed a full system scan with Norton Antivirus and found nothing in terms of a virus, but I know that doesn't mean anything in the way of a trojan. Again, thanks for your help.

    Jooske,
    Despite our disagreements on some issues I very much respect you and your abilities. FYI.
     
  7. Pilli

    Dallen, have you tried deleting it from safe mode? It may not get attached to whatever is using it in safe mode.
    Also you could use Advanced Process Manipulation and/or DelLater from here: http://www.diamondcs.com.au/index.php?page=products
    If you get stumped, also download AsViewer from the same site and select Show services & Show drivers. Then save the contents to a text file and copy and paste it into your next post for review.

    HTH Pilli
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    dallen - The first (and probably best) thing to try is to start your computer in "Safe" Mode and see if the file can be deleted then and there normally.

    If it can't (is still "In Use" by something or another) - then you have a couple of freeware options:

    DelLater from DCS: http://www.diamondcs.com.au/index.php?page=dellater

    or

    GiPo@MoveOnBoot v1.9.5 (DIRECT D/L LINK!):

    http://www.gibinsoft.net/gipoutils/bin/moveonb.exe

    Either of those should remove the file at your next boot. Of the two, the GiPo product is easier to fool with - especially since it'll install an entry in your right-click menu that will automatically put in anything you click on to have it removed next time you boot. HTH Pete
     
  9. dallen

    Please explain why fragmented files cause TDS-3 to crash.
     
  10. Pilli

    Dallen, normal fragmented files do not.
    If you mean corrupted files, then TDS has a problem and gets stuck trying to open them; it is a known bug :) and should cause no problem regarding TDS-3's efficacy.
     
  11. dallen

    Is that a problem that is fixable for TDS-4?
     
  12. Pilli

    Yes, it has already been addressed, so we are informed :)
     
  13. dallen

    Pilli,
    I put that folder on my exclusion list and subsequently completed a full system scan, which found nothing. Thank you. When you say that there is a corrupt .rar file, I have some questions. First, what is a .rar file and how do they get corrupted? Does corrupt mean that I have a nasty on my system, or is it something that I simply delete and move on?
     
  14. Jooske

    Hi Dallen, can you tell the name of the file which seems to be in use?
    Normally a d/l folder would contain only files, and nothing installed there, so it does sound suspicious to me if you have a file there which would be in use in any way!
    I'm googling for trojans looking for the d/l folder, but not really successful in that at this moment.
    So a name or program name, if you can remember, could be helpful.

    A rar is indeed another compression extension, like zip.

    It would look like file.rar, and the icon looks like a little pile of books in my opinion.
    They can get corrupted because they were already corrupted at the place where you got it, during the download process, or got corrupted due to o_O on your system.
    TDS can handle rar files if they are not corrupt so that they can't be opened; you would most probably not be able to either if you tried to open and install the file.

    So if you located the one (?) file you might like to submit it to DCS for investigation.

    Like Pilli said, the issue has full attention.

    Looking forward to your next experience with this matter.
     
  15. dallen

    I will be leaving school to go home, so give me a few hours to isolate the problem down to the specific file and I will let you know what I find and submit the file if need be. If a .rar or .zip file is password protected, could that also cause TDS to crash?
     
  16. Jooske

    As far as I remember, not: I have a few p.p. zip files and TDS does find whatever is in them.
     
  17. Pilli

    Scans passworded .doc & .cse encrypted files, no problem.
     
  18. dallen

    OK. Now this is weird. I'm home and suddenly I get a rash of emails that is alarming. I am going to post the contents of the emails in subsequent emails. I will also submit the two files that were attached to the last two of the series of emails. I am convinced now that I either have a worm or something. I have Worm Guard, TDS, and NAV 2004 Pro. All are up to date (except WG, because it doesn't get updates). I've scanned and found nothing.
     
  19. dallen

    The following message contained restricted attachment(s) which have been
    removed:

    From : dallen@purdue.edu
    To : acs@metafile.com
    Subject : Status
    Message-ID: <MDAEMON-F200401261616.AA1609234md50000000283@metafile.com>

    Attachment(s) removed:
    -----------------------------------------
    document.cmd



    The following message contained restricted attachment(s) which have been
    removed:

    From : dallen@purdue.edu
    To : acs@metafile.com
    Subject : Status
    Message-ID: <MDAEMON-F200401261616.AA1609234md50000000283@metafile.com>

    Attachment(s) removed:
    -----------------------------------------
    document.cmd
     
  20. dallen

    From : <postmaster@metafile.com>
    Reply-To : postmaster@metafile.com
    Sent : Monday, January 26, 2004 5:16 PM
    To : dallen@purdue.edu
    Subject : MDaemon Notification -- Attachment Removed


    The following message contained restricted attachment(s) which have been
    removed:

    From : dallen@purdue.edu
    To : ETrap@metafile.com
    Subject : Status
    Message-ID: <MDAEMON-F200401261616.AA1609234md50000000283@metafile.com>

    Attachment(s) removed:
    -----------------------------------------
    document.cmd
     
  21. dallen

    From : <noelprod3@aol.com>
    Sent : Monday, January 26, 2004 5:21 PM
    To : dallen@purdue.edu

    Hotmail has permanently blocked the following potentially unsafe attachment(s): document.pif (30 KB) More Info...
     
  22. dallen

    From : <email@simag.si.edu>
    Sent : Monday, January 26, 2004 5:24 PM
    To : dallen@purdue.edu
    Subject : hi



    Hotmail has permanently blocked the following potentially unsafe attachment(s): text.scr (30 KB) More Info...

    The message cannot be represented in 7-bit ASCII encoding and has been sent as a
    binary attachment.
     
  23. dallen

    From : <alang@bus.wisc.edu>
    Sent : Monday, January 26, 2004 5:24 PM
    To : dallen@purdue.edu
    Subject : Status



    --------------------------------------------------------------------------------

    Attachment : file.zip (30 KB)

    test
     
  24. dallen

    From : Mail Delivery Subsystem <MAILER-DAEMON@aol.com>
    Sent : Monday, January 26, 2004 5:30 PM
    To : <dallen@purdue.edu>
    Subject : Returned mail: User unknown


    --------------------------------------------------------------------------------

    Attachment : attach4 (573 bytes)

    The original message was received at Mon, 26 Jan 2004 17:29:50 -0500 (EST)
    from w-103173.wireless.wisc.edu [128.104.103.173]


    *** ATTENTION ***

    Your e-mail is being returned to you because there was a problem with its
    delivery. The address which was undeliverable is listed in the section
    labeled: "----- The following addresses had permanent fatal errors -----".

    The reason your mail is being returned to you is listed in the section
    labeled: "----- Transcript of Session Follows -----".

    The line beginning with "<<<" describes the specific reason your e-mail could
    not be delivered. The next line contains a second error message which is a
    general translation for other e-mail servers.

    Please direct further questions regarding this message to your e-mail
    administrator.

    --AOL Postmaster



    ----- The following addresses had permanent fatal errors -----
    <dan@aol.com>

    ----- Transcript of session follows -----
    ... while talking to air-xj03.mail.aol.com.:
    >>> RCPT To:<dan@aol.com>
    <<< 550 MAILBOX NOT FOUND
    550 <dan@aol.com>... User unknown
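An added example, not code from this thread or from DiamondCS: a small Python triage helper run over condensed, constructed copies of the notices quoted in the posts above. It pulls the attachment names and the submitting host out of each notice and flags what a defender checks in this situation: executable attachment types (.cmd, .pif, .scr), and bounce or removal notices for mail that claims to come from the user's own address or that was submitted from a host outside the user's domain, the usual sign that another machine is sending mail with a forged From address. The addresses come from the page; the regular expressions, flag names and verdict labels are this example's own choices.

```python
import re

# Constructed samples, condensed from the notices quoted in the posts above.
MDAEMON = """From : <postmaster@metafile.com>
Subject : MDaemon Notification -- Attachment Removed
The following message contained restricted attachment(s) which have been removed:
From : dallen@purdue.edu
To : ETrap@metafile.com
Attachment(s) removed:
document.cmd"""
HOTMAIL = """From : <email@simag.si.edu>
To : dallen@purdue.edu
Subject : hi
Hotmail has permanently blocked the following potentially unsafe attachment(s): text.scr (30 KB)"""
AOL_BOUNCE = """From : Mail Delivery Subsystem <MAILER-DAEMON@aol.com>
To : <dallen@purdue.edu>
Subject : Returned mail: User unknown
from w-103173.wireless.wisc.edu [128.104.103.173]
----- The following addresses had permanent fatal errors -----
<dan@aol.com>"""

RISKY_EXT = ("cmd", "pif", "scr", "exe", "bat", "vbs")
# The lookbehind keeps hostnames and addresses (e.g. metafile.com) from matching.
ATTACH_RE = re.compile(r"(?<![\w.@-])([\w-]+\.(?:%s))\b" % "|".join(RISKY_EXT), re.I)
# 'from host [ip]' is how a sendmail-style bounce names the submitting machine.
ORIGIN_RE = re.compile(r"^from\s+([\w.-]+)\s+\[([\d.]+)\]", re.M | re.I)
NOTICE_RE = re.compile(r"returned mail|attachment removed|blocked the following|permanent fatal errors", re.I)
SENDER_RE = re.compile(r"^From\s*:\s*<?([^\s<>]+@[^\s<>]+)>?", re.M)

def triage(text, my_address, my_domain):
    """Extract the facts from one notice and list the reasons a defender would flag it."""
    attachments = [a.lower() for a in ATTACH_RE.findall(text)]
    origin = ORIGIN_RE.search(text)
    claimed_senders = [s.lower() for s in SENDER_RE.findall(text)]
    is_notice = bool(NOTICE_RE.search(text))
    flags = []
    if attachments:
        flags.append("executable_attachment")
    if is_notice and my_address.lower() in claimed_senders:
        flags.append("bounce_for_mail_claiming_to_be_from_me")
    if origin and not origin.group(1).lower().endswith(my_domain.lower()):
        flags.append("originated_outside_my_domain")
    # Forged sender: a notice about mail "from me" that left from a machine that is not mine.
    forged = is_notice and any(f.startswith(("bounce_", "originated_")) for f in flags)
    verdict = "forged_sender_suspected" if forged else ("inbound_risky_attachment" if attachments else "informational")
    return {"attachments": attachments, "origin_host": origin.group(1) if origin else None,
            "flags": flags, "verdict": verdict}

if __name__ == "__main__":
    for sample in (MDAEMON, HOTMAIL, AOL_BOUNCE):
        print(triage(sample, "dallen@purdue.edu", "purdue.edu"))
```

The Hotmail notice is classified differently from the other two: it is an inbound message addressed to the user, with the attachment stripped by the provider, whereas the MDaemon and AOL notices concern mail the user's address supposedly sent.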
     
  25. dallen

    I guess I have to submit the files some other way.
     