Suspicious Filenames

Discussion in 'Trojan Defence Suite' started by njustice, Nov 16, 2003.

Thread Status:
Not open for further replies.
  1. njustice

    njustice Registered Member

    Joined:
    Nov 16, 2003
    Posts:
    14
    TDS-3 found three suspect files. Are these files trojans?

    c:\hp\bin\python-2.2.1.exe
    c:\program files\hewlett-packard\digital imaging\hpisinst
    and a system restore point.

    thanks in advance, Ken
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi njustice, here is the info on Python: http://python.org/doc/Summary.html It appears to be a programming language. This may be being used for some other purpose?

    The next one does concern me: http://www.computing.net/security/wwwboard/forum/6011.html

    Please copy the two files send to: submit@diamondcs.com.au for further analysis.

    Zipping the files where they are will render them unusable for the time being and should be OK providing you notice no detrimental effects.

    Thank You. Pilli

    Windows XP creates Restore points on major system changes or when requested: it is possible that TDS is detecting a Trojan trace that has been saved when a restore point was created.

    QUOTE from XP's help file:

    To change System Restore settings
    You can change System Restore settings by:
    Excluding a non-system drive so System Restore does not monitor or restore it
    Resuming System Restore monitoring
    Allocating more disk space to System Restore
    Turning off System Restore
    Turning on System Restore

    Notes

    System Restore is enabled on all drives when you first start your new computer or when the operating system is installed, unless you have less than 200 MB of available space on the hard disk (or the partition that contains your operating system folder).

    If you do not have enough disk space available when your operating system is installed, then you must turn on System Restore, using the preceding steps, after you have made sufficient disk space available.

    If you run out of disk space, System Restore becomes inactive. When you have made sufficient disk space available, System Restore is automatically activated, but all previous restore points are lost.

    When System Restore is turned off on a partition or drive, all restore points stored on that partition or drive are deleted. Changes that are made on an excluded partition or drive are not reverted during a System Restore.
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I almost forgot :) if you have the TDS3 trial copy please ensure that you have the latest radius file from here: http://tds.diamondcs.com.au/index.php?page=update Please follow the instructions for a Manual update.
    Do a full system scan; in Scan Control, tick all the boxes except for "Scan for clients & edit servers".

    HTH Pilli
     
  4. njustice

    njustice Registered Member

    Joined:
    Nov 16, 2003
    Posts:
    14
    Sent files for analysis..... these programs are in the Add/Remove panel. Could they be removed from there as I don't use them?

    Python 2.2.1
    Python 2.2 combined Win32 extensions
    HP Photo and Imaging 1.1-PhotoSmart Cameras <----don't use
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You could leave them there (I suppose you zipped the exe files by now to make sure as Pilli advised above!) till you get answers from DCS. They might be ok if you installed them yourself as part of a program. If not, then it's another case.
    The link Pilli posted indeed looks rather suspicious.
    In case it's innocent then there is some code resembling other so with your submissions the database can be refined even more.
    Just make sure you update each day mo-fr for a new scan.
    Waiting for the DCS test results.

    Is there any strange program started in the Process list or Autostart which you don't know?
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    If you do not use them, remove them :) as until analysed they could be malicious or legitimate files. As TDS is showing an alert it is always best to be on the safe side.

    BTW did you scan with the latest radius file installed?

    Pilli
     
  7. njustice

    njustice Registered Member

    Joined:
    Nov 16, 2003
    Posts:
    14
    Yes, I scanned with the latest radius file.

    When I tried to uninstall Python 2.2.1 I received a warning from Norton's AV.

    Alert: Malicious Script Detected
    Object: Filesystem Object
    Activity: GetSpecial Folder

    Your computer is halted and needs to do something about this script:
    C:\PROGRA~1\HPINST~\uninstallclient.js Acme....Norton's gave me three choices, I chose to leave it for now.

    How do I Zip the exe file?
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Right click on them & select Send To: Compressed (zipped) Folder. The file name.zip will be created, then delete the original if you can.
     
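    The zip-and-delete quarantine Pilli describes above, written out as an added PowerShell example (not from the thread or from DiamondCS): it records the file's SHA-256 and size before touching it, compresses it, verifies the archive really holds the file, and only then removes the original. The quarantine folder path and the log name are assumptions.

```powershell
# Added example: quarantine a suspect file by zipping it, keeping a hash record so the
# analysts' verdict can later be matched to exactly the file that was submitted.
# $QuarantineDir is a constructed placeholder; $Path is the file the scanner flagged.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$QuarantineDir = 'C:\Quarantine'
)

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    throw "File not found: $Path"
}
New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null

# Record identity (SHA-256, size) before the file is moved or deleted.
$item = Get-Item -LiteralPath $Path
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
$zip  = Join-Path $QuarantineDir ($item.Name + '.zip')

# Compress-Archive leaves the original in place; it is removed only after verification.
Compress-Archive -LiteralPath $Path -DestinationPath $zip -Force

# Verify the archive actually contains the file with the expected size before deleting.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$archive = [System.IO.Compression.ZipFile]::OpenRead($zip)
try {
    $entry = $archive.Entries | Where-Object { $_.Name -eq $item.Name }
    if (-not $entry -or $entry.Length -ne $item.Length) {
        throw "Archive verification failed for $zip; original left in place."
    }
} finally {
    $archive.Dispose()
}

# Append a log line (hash, original path, size, timestamp), then remove the original.
"$hash  $($item.FullName)  $($item.Length) bytes  $(Get-Date -Format o)" |
    Add-Content -LiteralPath (Join-Path $QuarantineDir 'quarantine.log')
Remove-Item -LiteralPath $Path -Force
Write-Host "Quarantined $($item.FullName) -> $zip (SHA256 $hash)"
```

    If the file turns out to be harmless, restoring it is just Expand-Archive on the zip, and the logged hash lets you confirm the restored copy is byte-identical to what was submitted.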
  9. njustice

    njustice Registered Member

    Joined:
    Nov 16, 2003
    Posts:
    14
    Ok zipped up the exe. Can I just delete the python 2.2.1 exe within the folder?
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes you can & if it is harmless once analysed then you can extract back again from the .zip file :)
     
  11. njustice

    njustice Registered Member

    Joined:
    Nov 16, 2003
    Posts:
    14
    Okay Pilli.... thank you for your time and patience.
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Glad we could help. Can you post the results of the file analysis when completed please? This may assist others in the future.

    Thanks Pilli
     