Regval trace:please submit

Discussion in 'Trojan Defence Suite' started by xBeanx, Feb 2, 2005.

Thread Status:
Not open for further replies.
  1. xBeanx

    xBeanx Registered Member

    Joined:
    Feb 2, 2005
    Posts:
    2
    This is my first time here so please bear with me. I am running the latest defs of TDS-3 and this is what I got back:
    Scan Control Dumped @ 10:09:55 02-02-05
    RegVal Trace: Trojan please submit: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft SourceSafe=C:\WINDOWS\system\csrss.exe]

    Suspicious Filename: Excessive space characters
    File: c:\documents and settings\all users\documents\my music\paterson filings 2000 to 2003 .vbs

    Suspicious Filename: Excessive space characters
    File: c:\documents and settings\all users\documents\my pictures\mike desautels palm card draft (2) .vbs

    Suspicious Filename: Excessive space characters
    File: c:\documents and settings\all users\documents\my videos\dscc finance master a .vbs

    Suspicious Filename: Dual extensions
    File: d:\temp\trillian-v0.74f.exe
    I don't really know what to do now. Any help would be welcome. Also, the 3 VB scripts that are listed are undeletable so far.
     
  2. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Hi xBeanx & welcome to the forum

    You can always submit the files in question to submit@diamondcs.com.au, the makers of TDS-3; they will check them and get back to you with a verdict. :)
     
  3. xBeanx

    xBeanx Registered Member

    Joined:
    Feb 2, 2005
    Posts:
    2
    Thank you for the reply, I have sent that email off. Also, I was wondering if the .vbs files were tied to the exe that I sent. Those things are untouchable: no copy, edit, delete, nothing.
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi xBeanx. :)

    Welcome to Wilders.

    Since this is a TDS detection issue I'll move this thread over to the Trojan Defence Suite forum. ;)

    snowbound
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    This could well be a Trojan as csrss is usually in the windows\system32 folder. So please submit it.
    To be safe, go to the system folder and rename it to csrss.bak, then reboot to ensure that your machine still functions correctly.
    Zip a copy of the file and send it to submit@diamondcs.com.au for analysis.

    Regarding the double extensions, these are normally OK, such as the trillian entry, which uses a version number before the .exe separated by a dot.
    The others are suspicious only if you do not recognise the source; try scanning the files with your AV scanner or an online scanner.

    HTH, Pilli.
     
  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    More than likely a member of the Webus family of trojans.

    Adds one of the following values:

    "ccpApps" = "%System%\csrss.exe"
    ".WMAudio" = "%System%\csrss.exe"
    "Prog" = "%System%\csrss.exe"
    "FiendlyType" = "%System%\csrss.exe"
    ".TEXTCONV" = "%System%\csrss.exe"
    "Microsoft SourceSafe" = "%System%\csrss.exe"
    "RegDone Ex" = "%System%\csrss.exe"
    "BuildLabs" = "%System%\csrss.exe"
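A small triage script for the TDS-3 findings quoted in this thread, added here as an illustration (it is not TDS-3 or DiamondCS code). It pairs each finding line with its "File:" line and applies the checks the replies above describe: csrss.exe loaded from outside system32, the Webus Run value names Bubba lists, a space placed just before the extension, and a version number before .exe (Pilli's trillian case). The sample dump is constructed from the first post; the verdict strings are my own labels.

```python
import re

# Run value names used by the Webus family, as listed in the thread.
WEBUS_RUN_VALUES = {"ccpApps", ".WMAudio", "Prog", "FiendlyType", ".TEXTCONV",
                    "Microsoft SourceSafe", "RegDone Ex", "BuildLabs"}
RUN_ENTRY = re.compile(r"\[(?P<name>[^=\]]+)=(?P<path>[^\]]+)\]")

# Constructed sample: the TDS-3 dump lines from the first post.
SCAN_DUMP = r"""Scan Control Dumped @ 10:09:55 02-02-05
RegVal Trace: Trojan please submit: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft SourceSafe=C:\WINDOWS\system\csrss.exe]
Suspicious Filename: Excessive space characters
File: c:\documents and settings\all users\documents\my music\paterson filings 2000 to 2003 .vbs
Suspicious Filename: Dual extensions
File: d:\temp\trillian-v0.74f.exe
"""

def classify_run_value(name, path):
    """The real csrss.exe lives in %SystemRoot%\\system32; anything else is suspect."""
    folder, _, exe = path.lower().rpartition("\\")
    if exe == "csrss.exe" and not folder.endswith("\\system32"):
        return "suspicious: csrss.exe outside system32"
    if name in WEBUS_RUN_VALUES:
        return "suspicious: Run value name used by Webus"
    return "review"

def classify_spaces(path):
    """A space directly before the extension pushes it out of view in Explorer."""
    return "suspicious: space before extension" if re.search(r" \.[a-z0-9]+$", path.lower()) else "review"

def classify_dual_ext(path):
    """'trillian-v0.74f.exe' has a version number before .exe; 'photo.jpg.exe' does not."""
    parts = path.lower().rsplit("\\", 1)[-1].split(".")
    inner = parts[-2] if len(parts) >= 3 else ""
    if inner and not any(ch.isdigit() for ch in inner):
        return "suspicious: double extension"
    return "probably benign: version number before extension"

def triage(dump):
    """Pair each TDS finding header with its 'File:' line; return (finding, file, verdict)."""
    results, finding = [], ""
    for line in dump.splitlines():
        if line.startswith("File:"):
            target = line[5:].strip()
            if finding.startswith("RegVal Trace"):
                m = RUN_ENTRY.search(target)
                verdict = classify_run_value(m["name"], m["path"]) if m else "review"
            elif "Excessive space" in finding:
                verdict = classify_spaces(target)
            elif "Dual extensions" in finding:
                verdict = classify_dual_ext(target)
            else:
                verdict = "review"
            results.append((finding, target, verdict))
        elif ":" in line:
            finding = line.strip()
    return results
```

Running `triage(SCAN_DUMP)` flags the Run entry and the .vbs file and rates the trillian installer as probably benign, matching the replies; the same checks can be run over a full dump to decide which files to zip and submit.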
     