TDS Can't Delete Trojan - help

Discussion in 'Trojan Defence Suite' started by MarkWW, Apr 23, 2003.

Thread Status:
Not open for further replies.
  1. MarkWW

    MarkWW Guest

    TDS-3 is reporting the following in my alarm section:

    File Trace: Default trojan filename
    Possibly Worm.Coronex - submit
    C:\Downloads

    I tried right clicking in my alarm area and deleting...3 times...every time it said it was deleted, but after turning my PC off and then rebooting cold, it keeps coming back.

    What is Worm.Coronex? How dangerous is it?

    How the heck do I get rid of it? o_O


    Thanks! o_O
     
  2. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi MarkWW!

    It looks to me as if the Worm.Coronex is installing itself every time back onto your hard disk... Have you checked the autostart? Is something else in the autostart you don't know?

    Go to the TDS-3 console and press Ctrl-O. Check all your processes. If you don't know what they are, come back and let us know the names of all the processes.

    Best regards!

    Patrice
     
  3. jmiller

    jmiller Guest

    i have the same prob... :'(

    these are the processes

    c:\windows\system32\smss.exe
    \winlogon.exe
    \services.exe
    \lasaa.exe
    \svchost.exe
    \svchost.exe
    \spoolsv.exe
    c:\windows\explorer.exe
    c:\windows\wanmpsvc.exe
    c:\windows\msagent\agentsvr.exe

    any help appreciated...
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    For both of you, did this just start with the latest TDS radius update or has it been happening for a while?

    jmiller - Your list looks normal except - is "lasaa.exe" a typo? There is a real process called "lsass.exe".
     
  5. jmiller

    jmiller Guest

    the process name is

    c:\windows\system32\lsaaa.exe

    it has happened since the last update...i am not a registered user but after this, i think i will be....
    also...when i update, the update does not seem to be recognized...maybe i am updating from the wrong place...regardless...should i then delete the lsass.exe?

    thanks
     
  6. jmiller

    jmiller Guest

    sorry...lsass.exe
     
  7. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi jmiller!

    Are these all processes running on your computer? Which OS do you use? Did you really do it with the TDS-3 console?

    All these processes are Windows processes. But there are two processes which aren't necessary.

    First wanmpsvc.exe:

    WAN MiniPort Service installed by AOL 7.0 and later versions on Windows 2000/XP systems.
    Recommendation :
    Irrelevant to the VAST majority of AOL users, if not all of them. Some users, however, have reported errors with this service. We advise therefore that you go into "Control Panel \ Administrative Tools \ Services" and set this service to Manual.

    Second spoolsv.exe:

    Are you using a network printer? If not, disable this service. You find this service in your connection properties (Printer and Sharing).

    Regards,

    Patrice
     
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    "lsass.exe" is the real and proper Windows program. I was concerned when I saw a different spelling as that is a common thing real trojans do - they use a name very similar to a real file in hopes of not being noticed.

    Typos can be dangerous when trying to figure out what's a real file and what's not. ;)

    No, don't delete it. More analysis has to be done by the DCS folks to figure out if this is a false positive or something else.
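As an added example (not code from the thread, from TDS or from DiamondCS), the check LowWaterMark describes can be automated: compare every running image name against a known-good list of Windows binaries and flag names that are only a character or two away from a real one, or real names running from the wrong directory. The known-good table and the sample process list below are constructed for the example (the list is modelled on jmiller's posts, including the "lsaaa.exe" spelling); the edit-distance threshold of 2 is an assumption to tune against your own host inventory.

```python
"""Flag process names that imitate Windows system binaries.

Added example; the known-good table and the sample process list are
constructed for illustration and are not part of the original thread.
"""
from __future__ import annotations

import ntpath

# Known system binaries and the directory they normally run from.
# Constructed for the example; build the real table from a clean host.
KNOWN_SYSTEM = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def expand_paths(lines) -> list[str]:
    """Expand the shorthand used in the thread: a line beginning with '\\'
    reuses the directory of the previous full path."""
    out, last_dir = [], ""
    for line in lines:
        line = line.strip().lower()
        if not line:
            continue
        if line.startswith("\\"):
            path = last_dir + line
        else:
            path = line
            last_dir = ntpath.dirname(path)
        out.append(path)
    return out


def assess(path: str, max_distance: int = 2) -> tuple[str, str] | None:
    """Return (path, reason) for a suspicious process, or None if it looks normal.

    A name that exactly matches a known binary is checked only for its
    directory; this short-circuit matters because genuine names (e.g. smss.exe
    and lsass.exe) are themselves within a small edit distance of each other.
    """
    name = ntpath.basename(path)
    directory = ntpath.dirname(path)
    if name in KNOWN_SYSTEM:
        if directory != KNOWN_SYSTEM[name]:
            return (path, "system name running from unexpected directory")
        return None
    close = sorted(k for k in KNOWN_SYSTEM if 0 < levenshtein(name, k) <= max_distance)
    if close:
        return (path, "lookalike of " + ", ".join(close))
    return None


def scan(lines) -> list[tuple[str, str]]:
    """Run assess() over a process list and keep only the findings."""
    return [f for f in (assess(p) for p in expand_paths(lines)) if f]


# Constructed sample: jmiller's list with the misspelt lsass, plus a genuine
# name running from a temp directory to show the second kind of finding.
SAMPLE = """
c:\\windows\\system32\\smss.exe
\\winlogon.exe
\\services.exe
\\lsaaa.exe
\\svchost.exe
\\spoolsv.exe
c:\\windows\\explorer.exe
c:\\windows\\wanmpsvc.exe
c:\\windows\\temp\\svchost.exe
c:\\windows\\msagent\\agentsvr.exe
""".splitlines()

if __name__ == "__main__":
    for path, reason in scan(SAMPLE):
        print(f"{path}: {reason}")
```

Names that are neither known nor close to a known name (wanmpsvc.exe, agentsvr.exe here) produce no finding; they still need the manual lookup the later posts describe, this check only removes the guesswork about near-misses and misplaced copies.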
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi jmiller,

    To update a trial version you need to download http://tds.diamondcs.com.au/radius.td3 (Direct download link) and replace the one currently in your TDS directory.

    Regards,

    Pieter
     
  10. jmiller

    jmiller Guest

    all right...thanks for the tip :D

    i have windows xp with all relevant upgrades and service packs

    the trojan/virus is found by tds3 in

    C:\My Downloads\Unreal 2: The Awakening (full).exe

    i do not have unreal and when i checked my download folder nothing is there...

    very perplexing and annoying...

    ? :doubt:

    what to do?
     
  11. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi jmiller!

    Can you once start regedit and search for this entry:

    The Awakening (full).exe

    Regards,

    Patrice
     
  12. jmiller

    jmiller Guest

    all right...whew...
    searched regedit in local machine and current user in system and software and didn't find anything...i don't know where else to look in regedit as it is a maze of potential screwups for me....yowsers!
    what now...
    btw...thanks for the time

    :D
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi all,
    if TDS says "suspicious" or "possible" it had code in it, but it is not 100% guaranteed a trojan, unless the alert is telling so. So i would surely recommend in the alerts window, right-click on the specific file and press the submit option.
    Of course I would prefer you to find the file in your folders, and send it zipped to submit@diamondcs.com.au but as you have difficulty finding it.......
    Please do this in this case before deleting the thing, and wait for further instructions from the TDS lab.

    Are you sure you have all files visible?
     
  14. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
  15. jmiller

    jmiller Guest

    yea...no files in my docs folder
    and i submitted the file to help all i could...
    thanks :D
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    And are you both sure if you click in TDS > System analysis > Autostart explorer ; there is nothing suspicious in that one?
    And if you look at the other options and tabs, nothing there either? system files, startup folders, service drivers?
     
  17. jmiller

    jmiller Guest

    checked registry entries with power tools and only found one i don't know about
    author software
    C07ft5Y WinXp

    does this help? :rolleyes:
     
  18. jmiller

    jmiller Guest

    i am unsure of the autostart processes...there is too much there i don't know about...i have scanned with the other tools and found nothing except with the trace scan
     
  19. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi jmiller!

    Have you used TDS-3 Process List (Ctrl-O). If not, please do so and tell us all the processes you have there!

    Best regards,

    Patrice

    P.S. You can delete all the registry entries which the tool registry cleaner of PowerTools shows you are safe to delete.
     
  20. WasNotMe

    WasNotMe Guest

    TYPO ? Are You sure ?

    Lasaa.exe

    Traffic virus marketing warrior

    adds permissions to TEMPDB every time computer starts


    just mentioning
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    For the Autostart: that's a reason more why i try to keep it as small as possible, so i see changes sooner :)

    You might like to get the free AutostartViewer at the DCS site too, to see the startups, as it gives the registry key beside the process so it might give some better indication.
    And that one you can save to a txt file for more study.


    As you say you see the nasty only as a trace scan: have you been infected and could this be part of a not completely removed infection? Then it can be really hard to find it, so wait for the lab results and possible recommendations what's next to do.

    If you could be clean after deleting, disable the system restore or it comes back with the next reboot; afterwards enable the system restore again and manually make a new restore point if you know you are clean.
    Might help here too!
     
  22. jmiller

    jmiller Guest

    all right...here are the running processes:

    c:\windows\system32\smss.exe
    \winlogon.exe
    \services.exe
    \lsass.exe
    \svchost.exe
    \svchost.exe
    \spoolsv.exe
    c:\program files\tools\smc.exe (my firewall)
    \alwil software\avast4\aswupdsv.exe
    \alwil software\avast4\ashserv.exe
    \alwil software\awast4\ashdisp.exe
    c:\progra~1\alwils~1\avast4\ashmaisv.exe
    c:\windows\explorer.exe
    c:\windows\wanmpsvc.exe
    c:\program files\internet explorer\iexplore.exe
    c:\opfor\tds-3.exe
    c:\windows\msagent\agentsvr.exe

    all right...that's the lot of em...

    :p
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If that \lsass.exe is the real original one and no typo this time there seems nothing suspicious.


    In the meantime looked for the worm.coronex, could not find info in the trojan/worms area, maybe Gavin can explain more.
     
  24. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Mhh... nothing suspicious so far... If you are unsure about such processes go here:

    http://www.pacs-portal.co.uk/startup_pages/startup_a.php

    Or just right click in Windows Explorer on the file and check it (properties).

    That's funny in a way. :p Did you already do a whole system scan with your Avast-Software?

    Greetings,

    Patrice
     
  25. jmiller

    jmiller Guest

    i have not used my avast antivirus since my resident program did not detect the trojan/worm...should I?
     