TDS Can't Delete Trojan - help

Discussion in 'Trojan Defence Suite' started by MarkWW, Apr 23, 2003.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Did a full system scan with today's Radius on my W 98 SE:
    nothing found.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks Jan, neither on my win98se; also not with a separate trace scan.
    Hope this info helps Gavin to locate what's happening.
     
  3. MarkRaa

    MarkRaa Guest

    Full system scan with today's Radius on my W XP Pro:

    ALERT: Continues to show:

    File Trace: Default trojan filename: Possibly Worm.Coronex - submit
    File: C:\My Downloads\Unreal 2: The Awakening (full).exe

    Deep Scans against individual files continue to show NEGATIVE, and I can find nothing in the registry whatsoever that's related.
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Well, TDS has to be picking it up from somewhere - doesn't it?

    I'm still doing "Searches" on different keywords - so far all I've found is two references to "awakening" in TDS's logs. Pete
     
  5. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Paul!

    Sorry, but this is a system process:

    Process File: smss or smss.exe
    Process Name: Session Manager Subsystem
    Description: The Session Manager Subsystem initializes system environment variables, MS-DOS devices names such as LPT1 and COM1, loads the kernel for the Win32 subsystem, and starts the Windows Logon Process
    Common Errors: N/A
    System Process: Yes

    I wouldn't delete it; it would damage your system.

    Best regards!

    Patrice
     
  6. testg

    testg Guest

    I don't know if anyone has already mentioned it, but have you guys tried scanning for it, or at least searching for the .exe, in safe mode? Or booting off an NTFSDOS disk and searching for it there?

    Cheers,
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi all,

    Just scanned my XP computer. No Worm.Coronex found.
    Just one dialer, that was recently added to the definitions, in my Restore folder. ;)

    Regards,

    Pieter
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That safe mode sounds interesting for a try.
    Was not mentioned yet.
    NTFS files... I thought that could explain why it was not on win98se systems, but now I think it could be that Dutch Windows versions are not affected, maybe.

    Did you locate them with TDS on your systems?
     
  9. The Snowman

    The Snowman Guest

    Greetings... don't usually comment at this forum so feeling out of place... but will offer some info.

    Several months ago I experienced the same behavior as mentioned in this thread... after installing a legal program.
    No matter what measures were taken, a particular listing continued to re-insert itself... (I consider this trojan behavior.)
    After much researching into the OS... several listings were located (all the same name)... in:
    Registry
    outlook express DBX folders
    ssmenu folder

    A "wipe" of the registry entry at first glance appeared to remove the entry... only to have it return again later.

    The outlook express "entries"... same results/lack of.

    ssmenu... appeared as the "main home" of the bug.

    Numerous means of removal proved useless... all listings would show as removed... and just return later...
    Tools such as Regcleaner... Xcleaner... Spybot... an encryption... all useless... the bug would be removed and just return again. Oops, I should have mentioned that the program that inserted the bug had long been removed from the OS when the above results/lack of resulted... I hit that thing with just about every known means of removal... over and over for three months... failing to remove it each time... finally came time for my routine reformat... which of course did remove it.
    My reason for mentioning this is because, as has been reported, "nothing" is being sent to the TDS people... when users attempt to do so... and if the bug in question here in this thread is like the one I had, "nothing" will ever be sent to TDS because there is nothing to send... it's just an entry... no actual file... no actual exe... just an entry in the folders/registry... but in spite of not "being there" that darn thing would become active... made my OS unstable... monitor shimmered (which is how I could tell when the bug re-entered itself); anyone who ever had a monitor overheat would understand.
    Never had I experienced anything of the nature of that bug... in fact I experimented on trying to remove it... did everything... changed D value... edited dbx files... ssmenu (even in safe mode)...
    Make no mistake... in my case the bug was trying to call home (blocked of course). My guess is that the bug was meant to be an automatic update feature of the program that was installed... best I can offer... good luck. (Oh, the bug was not listed by the same name as the installed program.)
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Quickly: I've right-click scanned everything in "My Downloads" folder with TDS, NOD and SpyCop (individually).

    (And this was after thoroughly deleting all excess garbage by first running SBS&D, ADIOS! and the freeware XCleaner and re-starting).

    Nada.

    Message is still showing in TDS when I fire the program up, though.

    Oh, if it helps, I'm running NTFS here, too.

    And I'm not using System Restore - haven't been for quite awhile.

    Gotta get to work. Haven't had a chance to check out my son's profile yet.

    Later. Pete
     
  11. The Snowman

    The Snowman Guest

    Spy 1

    Pete, my other post must sound weird... don't quite know how to properly explain the exploit I experienced trying.

    Check the ssmenu... for what... can't say... you will have to use notepad and just go through the entries looking for something odd; a real hassle... one thing is certain... if this is anything like what I had, TDS will continue to alert...
    Wayne, Gavin or Paul may be able to understand by their experience what I am trying to explain here. The bug simply can't be cleaned... because the ssmenu is in constant use (if the bug is located there); even in safe mode the ssmenu is in use by the system... by design changes will be prevented...

    Hope you find the solution... this is above me so just offering what I can... which may be nothing worthwhile... in my case both spybotsd and xcleaner showed the bug in "start-up programs"... msconfig also showed it... gone then re-appearing.

    snowy
     
  12. The Snowman

    The Snowman Guest

    Having mentioned using notepad to check ssmenu... thing is... even if you locate the bug... it may be a waste of time unless someone here knows how to clean the ssmenu. I don't. LOL
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Googled for you, but don't find much; could this do the trick?
    "Instead of booting to DOS with a bootdisk, in a DOS window use this
    command: regsvr32.exe /u ssmenu.dll then reboot and delete the file." I suppose that command could also be run from Start > Run to unregister it.
    I don't know if the thing can be deleted without damaging your system, and where does it come from?
     
  14. The Snowman

    The Snowman Guest

    Jooske

    Wasn't sure if your post was intended for me or Pete... in my case I reformatted weeks ago... which resolved the problem.
    But you made good suggestions... at first I thought the exploit was a boot virus so installed several boot virus anti-virus programs... nope, no good... did a scanreg /fix without any good results on the exploit... can't count how many ways I hit that bug... and learned humility in the end and reformatted...
    In the past nothing ever got past my security... nothing has since... the bug was a first and hopefully last... I don't think it was meant to be harmful, but it was in that it drained resources (like a DoS) hammering to call home.
    Locating the bug was not a problem... getting rid of it was. Perhaps of interest... my guess is that the bug can only enter the OS by some install of a program... the bug itself was extremely small... contained a URL... which led me to the software vendor... under another name; further research revealed both companies were one and the same. I won't mention vendor names so as to prevent it from appearing as a flame... the company for all purposes provides good products and may not even be aware of the exploit... (I don't use e-mail so didn't contact the vendor.)
    Hope I haven't intruded here... nothing I said may be even remotely related to the issue at hand, but I always offer a helping hand when I possibly can.

    snowy
     
  15. The Snowman

    The Snowman Guest

    One final thought... just a thought... a person could install Script Defender... enter "exe" in the intercepts... re-start the computer... and every "exe" will need user permission to load... possible to "abort" the bug... that may reveal the registry entry... may even abort the bug... as stated, just a thought. Obviously the bug will still need to be cleaned/removed, but the info needed to do so may be revealed.
     
  16. jmiller

    jmiller Guest

    Just a note to all.

    I uninstalled TDS and then reinstalled, and the bug did not show with a complete scan... it is only after I updated the program that the bug showed in the trace scan... as a noobie to comp. security I would like to remove and prevent this from happening again...

    I read the previous posts and I will wait to proceed...
    Thanks for all... :D
     
  17. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    OK, ignore this one; we've found a trace bug with certain traces that can cause this possibility... won't happen again I hope :)
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Snowy, if you have WormGuard you can use that in the same ways, and you could block that specific file from ever executing at all.
    The other command I gave is to unregister the dll so it can't do anything, and then you can delete it, or maybe you need a reboot first to be able to.
    You must have learned a lot from all this, and with your knowledge you can prevent a complete reformat.
    What I found about the thing you mentioned is that it did come with an install, so if you remember with which program, you'll probably not install that one again!

    Anyway, the problem here with the TDS trace scan find has been solved, as Gavin just posted, so looking forward to people's experiences with tonight's updated scan.
    It must have been in very specific conditions and systems, as there were so few reports.
     
  19. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Snowman - Thanks for the input, my friend! Guess it was a "ghost" after all. Pete
     
  20. The Snowman

    The Snowman Guest

    Spy 1

    Always most willing to assist you in any way... 'cause that's what friends do... how do the kids say it, "got your back" LOL

    **************

    Jooske

    The suggestions you made were certainly great... will definitely keep them in mind. But hey, I am just a struggling newbie that knowledge evades... but a country boy can survive LOL
    WormGuard is a great product... so is TDS... in all honesty... I never planned on using computers... honestly... was just curious... purchased one... and here it is years later... and still not sure if I want to use computers... hmmmmm, looks like a guy who can't make a decision... there goes my business.
    All kidding aside... Jooske, due to my prolonged illness the past year I put off lots of things... installing software... home maintenance... etc.; it's been a real struggle, Jooske... and with the grace and help of my higher power someday soon perhaps my life will "go back on line".

    My compliments to the TDS folks... for resolving that issue so quickly...
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Time to make sure you're msagent ready, speakers loud and play the InnerPeace script which shipped with TDS.
    HA!! Security can be so much fun!
    Our security guys from DCS must be celebrating their sacred ANZAC Day by now, being half a day ahead, sooooo let's see into it to keep our systems tiptop! And go celebrate, there's always a reason!
     
  22. konyntje

    konyntje Guest

    For what it's worth... After using TDS to scan the C: drive today, the exact same message as reported by Spy1 showed up as an alert. Couldn't submit it due to some internet connection problems, so I deleted it. A re-boot and re-scan with TDS gave a clean bill of health. TDS/WormGuard/NOD32 were all active on the system (XP-SP1) prior to doing the first scan. Must have been a false positive?
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Konyntje, did you update the radius before the first scan mentioned here or after that? There was a little bug Gavin mentioned, repaired in the later updates.
     
  24. konyntje

    konyntje Guest

    Hi Jooske,
    I updated after my first scan.

    I didn't have any anti-trojan software on my old machine - 133MHz, Windows 95. TDS is the first and only trojan tool I've ever used on my new machine, and this is the first time it's ever raised an alert - false positive or not; scared the livin' *bleep* outta me. LOL

    ...You guys do a great job here.
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Congratulations on your new machine then! Must be quite a difference! Feeling a bit proud and happy you first give TDS all space to start your security experience. (Of course!) May it be a happy road you walk together.

    It was a little bug, which was solved in later versions of the radius database, so nothing to worry about anymore.
    If that was the only alert, I congratulate you on your clean system, and please keep it that clean.
    The DCS guys have a whole arsenal for fighting trojans and worms, in which they are the specialists, plus registry protection.
    In the forums here and at DCS we love to help you with that.

    Further, we recommend special virus fighting products which are not in the DCS toolkit, spyware detection, firewalls, etc.; walk through the forums with growing surprise and the will to get the best for your personal needs.

    For TDS I start it manually after reboot; on your XP you can have it in the autostart and delay it a bit to start nicer if you like. I configured it with all possible tests checked, and the tests themselves also with every option on and on highest sensitivity. So it does take a little more time, but I hope all is found if there were anything.
     