Real Weird Question

Discussion in 'Trojan Defence Suite' started by WilliamP, May 12, 2004.

Thread Status:
Not open for further replies.
  1. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I just ran a HijackThis scan and my TDS3 doesn't show up as a running process. It is there and is in task manager. What's up?
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Haven't seen that before... might just be a bug with HijackThis?
    Will see if it's on my machine - yep it is :) Check carefully again?
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi WilliamP, it works fine here and if you look through those people sending in HJT logs that run TDS3 you will see that it is shown.

    HTH Pilli
     
  4. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I just ran HJT log and TDS3 doesn't show up. Ran Asviewer and it doesn't show up. Open Task Manager and it shows TDS3 exe at 10,236 Mem usage. I download updates and everything seems normal. What is going on? :rolleyes: Could it be that I don't have it load with Windows and run it after the desktop comes up?
     
    Last edited: May 13, 2004
  5. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Come on guys, someone please give me some help here. I just want to be sure my TDS3 is OK. :doubt:
     
  6. FanJ

    FanJ Guest

    Hi William,

    First some screenshots.

    This one is from WinTasks Pro (TDS-3 was started manually).
    Full path to my TDS-3 directory "edited out".
     


  7. FanJ

    FanJ Guest

    This one is from TaskInfo :
     


  8. FanJ

    FanJ Guest

    Now DiamondCS AutostartViewer:

    Please take notice that I could make a mistake here (no excuse, but for example: my bad eyes could well fool me here; and I could of course make another error!!).

    I don't start TDS-3 automatically.
    I only start it manually (my choice, others might well choose a completely different set-up).

    I don't see TDS-3 mentioned at the AutostartViewer-log (all three options in the Main-tab of ASViewer enabled: Show Services, Show Drivers, Show Active Setup Components).
     
  9. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I run a HijackThis scan from time to time and compare them just to see if and what may have been added. I had an older scan that showed TDS and now it doesn't show. I can tell from my PG logs that Execution Protector is working. It shows in Task Manager. I just can't understand it not showing up as a running process in HJT.
     
  10. FanJ

    FanJ Guest

    OK William,

    Now I would like you to have a look in TDS-3 at the Configuration-menu.

    I will show you my set-up but I would like to emphasize my own set-up:
    1.
    I run Windows 98 SE so I don't have to use:
    Boost TDS Process Priority (NT)
    Boost TDS Token Privileges

    2.
    I have an old system (P3-600MHZ).
    I have chosen not to do the Process Memory Space Scan at the start-up of TDS-3.
    It is a very important part of TDS-3. I run it manually.

    3.
    Minimise TDS to:
    Not very important: just your own choice.

    4.
    And now we might come to the culprit:
    How are you starting TDS-3?
    As you can see: I myself have chosen to not "Run at Windows Startup".
    As I said: I run TDS-3 manually. That is my own personal choice, everyone should choose what he/she would like.
    Would you please check and check again which option you have set up there?
    You also have to keep in mind that the "real-time" part of TDS-3 (Execution Protection) will only work if
    4-a: TDS-3 has been started and
    4-b: it has been installed (in TDS-3: TDS > Execution Protection > Install)


    Well, I hope that this might help you a little bit.
    Please feel free to ask questions about it :)

    Regards, Jan.
     


  11. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I always start TDS after getting to the desktop. I know the Ex.Protection is on and working. TDS3 .exe shows up in Task Manager. I really don't see how I can have a problem with TDS. Everything works. It just doesn't show up in HJT scan. I deleted HJT and redownloaded. Same results. Jan, the only differences in our configs are I have checked the boosts, don't check initialize sockets or greet with speech.
     
  12. FanJ

    FanJ Guest

    Hi William,

    At the moment I don't have the latest version of HijackThis.
    I will later download it and have a look.

    Maybe an expert on HJT would jump in here ;)

    But, at least for the moment, it seems to me that you don't have a problem:
    You don't start TDS-3 automatically; maybe that could explain why TDS-3 doesn't show up in HJT. But, as said, I haven't at the moment the latest HJT and I need an HJT-expert here ;)
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Maybe HJT changed?
    Did you create the startup list from HJT too?
    In mine it shows fine there, it did not in the HJT log this time.
     
  14. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
  15. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Yes I have PG protecting TDS, but I also have it protecting NOD and NOD shows up. I am 99% sure there is no problem.
     
  16. FanJ

    FanJ Guest

    Hi William,

    I think you are right ;)
    Or I must make a bad mistake...

    Reason: you don't start TDS-3 automatically but manually!

    1. AutostartViewer:

    The name says it ;)
    TDS-3 does not start automatically on your system.


    2. HijackThis:

    Again: TDS-3 does not start automatically on your system.

    There are two different occasions in your case:
    2-a:
    You run HijackThis while TDS-3 has not been started:
    You will not see TDS-3 in the HijackThis-log.
    2-b:
    You run HijackThis while TDS-3 has been started:
    You will see TDS-3 in the "Running processes" list of the HijackThis-log:
    C:\...\TDS-3.EXE
    (Note: I have deleted the full path to my TDS-3 directory).


    Some remarks:
    Please note that this was tested on Windows 98 SE.
    And, of course, I could make a mistake...
    But I too think that there is no problem on your system with regard to this issue ;)

    Cheers, Jan.
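
Added example, not part of the original posts: WilliamP compares HijackThis logs over time, and the post above explains that a manually started program appears under "Running processes" only if it is running when the scan is taken. The sketch below diffs two logs and separates processes with no Run-key (O4) entry from ones that do have one; the sample logs are constructed, the function names are hypothetical, and only `O4 - <key>: [name] command` entries are handled.

```python
import re

# Constructed sample logs (not from the thread). OLD was saved while TDS-3 was
# running; NEW was saved before TDS-3 had been started by hand.
OLD = r"""Logfile of HijackThis (constructed sample)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\TDS3\TDS-3.EXE

O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
"""
NEW = OLD.replace("C:\\TDS3\\TDS-3.EXE\n", "")  # same scan without TDS-3 running

# Run-key autostart entry: "O4 - <key>: [<name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_hjt(text):
    """Return (running process paths, {O4 name: command}), lower-cased."""
    running, autostart, in_procs = set(), {}, False
    for line in map(str.strip, text.splitlines()):
        if line.lower() == "running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False           # a blank line ends the process section
        elif in_procs:
            running.add(line.lower())  # Windows paths are case-insensitive
        elif (m := O4_RE.match(line)):
            autostart[m["name"].lower()] = m["cmd"].lower()
    return running, autostart


def compare(old, new):
    """Split processes that differ between two scans by how they are started."""
    (old_run, old_auto), (new_run, new_auto) = parse_hjt(old), parse_hjt(new)
    cmds = [*old_auto.values(), *new_auto.values()]

    def autostarted(path):             # does any Run-key command launch it?
        return any(c.lstrip('"').startswith(path) for c in cmds)

    gone = sorted(old_run - new_run)
    return {
        "added": sorted(new_run - old_run),
        "gone_manual": [p for p in gone if not autostarted(p)],
        "gone_autostart": [p for p in gone if autostarted(p)],
    }
```

A path under `gone_manual` has no Run-key entry, so its absence only means it was not running when the scan was saved; a path under `gone_autostart` should have been started by Windows and is the case worth checking further.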
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yep, this 2-b situation is how I see it in my HJT log.
     
  18. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    As soon as everything loads and my desktop is up, I double click the TDS3 icon. I then will check for updates. When that is finished I minimize it to the task bar. Execution Protection is on and shows in the PG log. But it doesn't show in HJT.
     
  19. FanJ

    FanJ Guest

    Execution Protection isn't an exe but a hook (dll).
     
  20. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    722
    Location:
    Toronto
    Hi William
    Did you try DCS APM? It shows TDS-3 running, same with HJT.

    Just to test the 'manual start' theory, I stopped TDS-3, checked that it wasn't running using APM and then started it.

    I then ran APM and it shows that TDS-3 is running.

    Next I ran the HJT Startup list, which contains Running Processes, and there was TDS-3 again, as it should be.

    Is this what you're having a problem with?

    EDIT: Possibly the key thing here is where you're looking. The main list is just the Startup stuff. You need to click on the Config button in the lower right corner, and then on the new window, click on Misc. Tools and finally click on the Generate startuplist log button. You will see the running processes and if you had TDS-3 running before you did this, it will show up.
    :)

    Jim
     
    Last edited: May 16, 2004
  21. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    FanJ you said that exPro is a dll. What is execprot.exe?
     
  22. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi William, Execprot.exe is the executable which is launched when execprot.dll hooks another .exe starting.

    Process Guard will then show an entry similar to this in its log:

    16 May 22:54:06 - [EXECUTION] c:\tds3\ext.sys\execprot.exe with commandline c:\tds3\ext.sys\execprot.exe tds|tdsdll-test:c:\winnt\system32\freecell.exe was ALLOWED to run
     
  23. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Well, as far as I am concerned, that means that TDS3 must be running. Every time something is executed I get a log in PC. You have to love it!
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea