Virus found in TDS.Unpk

Discussion in 'Trojan Defence Suite' started by mfreemanhcp7, Jan 14, 2004.

Thread Status:
Not open for further replies.
  1. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    Probably nothing to worry about, but after downloading the latest Radius update the resident shield of my AVG warned of a virus located in the TDS.Unpk folder - 00000275.com

    I assume that this folder (TDS.Unpk) contains the latest trojan updates and that AVG has picked up on the file name (o_O??), so I should ignore the alarm.

    Is my assumption correct, or is the folder integrity corrupted?

    Thanks
     
  2. FanJ

    FanJ Guest

    Hi,

    I have the feeling that there was more going on, but I'd better leave that to the DCS-guys.

    Some remarks however:

    The radius file is not in your TDS.Unpk dir.
    In TDS.Unpk you might find files that were unpacked by TDS-3 during a scan by TDS-3. On my W 98 SE box that almost only happens if I do a right-click-scan and not after a full system scan with TDS-3.

    Simply the fact that you downloaded the latest Radius file cannot have triggered your AV to its alert. You must have done something else too in the meanwhile. At least in my humble opinion ;)
     
  3. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    I get that warning a lot, so I think I know what it is.

    When TDS unpacks files it does that to that folder.
    Some AVs don't recognize the files packed, but catch them in the unpacked state.

    Sorry FanJ. Now I notice you practically said the same thing. Back to lurking mode.
     
  4. FanJ

    FanJ Guest

    I understand StAnger, thanks !!!

    But then, after having downloaded the latest Radius-file, something else must have been done on his system.
    Simply downloading/installing the Radius-file cannot suddenly trigger your AV on a file in TDS.Unpk.

    At least one of the following must also have happened after downloading the Radius-file:
    - some kind of scan with TDS-3 that put a new file in TDS.Unpk.
    - an update of the AV that made it trigger on that file.
    - some kind of new scan with the AV that made it trigger on that file.
     
  5. FanJ

    FanJ Guest

    Heya StAnger :)

    Oops, our postings crossed; I didn't see your editing ;)

    No problem, of course not !!!
    Everybody's input is always most welcome !
    No need to go back to lurking state.
    And, as always, I might well be wrong !

    Cheers, Jan.
     
  6. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    Lurking state is not bad. It is like resting. Taking an afternoon nap, so to speak. :)
    I would also like to know if he was scanning with any of the programs at the time. I only get those warnings when I am scanning with TDS and forget to disable the resident scanner of the AV.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi, The Unpk folder is where TDS unpacks and scans a copy of an original file, after which it normally is deleted.
    If not this time, most probably next time, or you can do it manually.
    So there is a real nasty on your system, unless the AV/AT scanner is alarming on something it should not alarm on at all (a false positive), or it is indeed a virus or other nasty which TDS doesn't scan for.
    Which infection are you being warned about?
    As it is a copy of something which is or was elsewhere on your system, you might like to send it to TDS lab, submit@diamondcs.com.au
     
  8. Jack S

    Jack S Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    3
    Location:
    USA
    I submitted this problem about a month ago...haven't heard anything back... o_O

    Same exact thing happens to me. I think it may be an issue with AVG 7
     
  9. FanJ

    FanJ Guest

    Hi,

    With all due respect, I don't understand it.

    What I read in the first posting, is this:
    "after downloading the latest radius update my resident shield of AVG warned of a virus located in the TDS.Unpk folder".

    As I tried to say earlier, I think that simply only downloading the Radius-file cannot cause this.

    What happens if you download/install the Radius-file?
    Then this file is changed: Radius.TD3
    And that file is NOT in ...xDynamic\TDS.Unpk
    The Radius-file is located in your TDS-3 directory.
    Also might be changed: radius.bak
    And sometimes there is a change in those files:
    advscan.dll and/or DCSMUTEX.DLL
    Both these two files are also in your TDS-3 directory.

    If you don't believe me:
    1. use a good "file-integrity-checker",
    2. put all your files from your TDS-3 directory and all its sub-dirs in it,
    3. run that "file-integrity-checker" before and after you download the Radius-file,
    4. see which files are changed.


    The only things I can think of are the following possibilities:
    1. During an update of the Radius-file (not manually but by TDS-3), TDS-3 temporarily puts a file in ...xDynamic\TDS.Unpk and then deletes it.
    I really don't know whether that happens!
    I doubt it, but who knows...
    I hope the DCS-guys could inform us about that.
    Maybe also some kind of program that monitors in real time exactly which files are newly added/changed/deleted during the installation of the Radius-file could help here.
    2. It was NOT only the download/install of the Radius-file that triggered your AV.
    There was also some other thing happening.

    Now about xDynamic\TDS.Unpk
    That's indeed, like Jooske wrote, the place where TDS-3 unpacks some files for scanning them.
    Downloading the Radius-file doesn't mean scanning.

    May I please ask you to tell us exactly what happened?
    Did you do, besides downloading the Radius-file, also another thing, and what was that?


    PS:
    This posting was really not meant to be offensive in any way, just for my understanding.
    Of course I can be wrong in what I described above !

    Cheers, Jan.
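FanJ's before-and-after file-integrity check (steps 1 to 4 above), worked through as an added example that is not part of the thread: it hashes every file under a directory tree twice and reports what was added, changed or deleted between the two snapshots. The directory, the file contents and the simulated update are constructed here; the file names are taken from the thread, but real TDS-3 paths and update behaviour are not verified.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (recursively) to its SHA-256 digest.
    Keys are paths relative to root, so snapshots of the same tree
    taken at different times can be compared directly."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare(before, after):
    """Return (added, changed, deleted) relative paths between two snapshots."""
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    changed = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, changed, deleted


def demo():
    """Constructed scenario (not a real TDS-3 install): a tree with the file
    names mentioned in the thread, snapshotted before and after a simulated
    Radius update that rewrites Radius.TD3 and writes radius.bak. The file
    contents are made up; nothing in TDS.Unpk is touched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "TDS.Unpk").mkdir()
        (root / "Radius.TD3").write_bytes(b"old signature database")
        (root / "advscan.dll").write_bytes(b"scan engine, unchanged")
        (root / "TDS.Unpk" / "A0000005.com").write_bytes(b"unpacked copy")
        before = snapshot(root)
        (root / "Radius.TD3").write_bytes(b"new signature database")
        (root / "radius.bak").write_bytes(b"old signature database")
        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    added, changed, deleted = demo()
    print("added:", added, "changed:", changed, "deleted:", deleted)
```

Pointed at a real install directory, the same two calls to snapshot() and one compare() show exactly which files an update touched, which is the evidence FanJ asks for.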
     
  10. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    Hi,

    Thanks for the replies to my original posting. Sorry it's taken some time to get back but I have been away and not able to get near a computer in that time.

    This is what happened:

    I tried to install Kazaa (foolish, I now know, but anyway....), the install attempt failed but of course still left the nasties (spyware etc..) lurking on my system, which I thought Adaware and Spybot had got rid of. Whilst online (because I'm only a measly dial-up boy) I downloaded the latest Radius update and immediately ran a scan as I always do after an update. TDS thus found some nasties which I assume must have been left behind by Kazaa. I subsequently left TDS to clean the files. Following this (not immediately) the Resident Scanner of AVG reported trojan files located in the TDS.Unpk folder - the trojan was referred to as 'Trojan Horse Dropper.dnetA' (I think) and the file names are:

    A0000005.com
    A0000029.com and
    A0000050.com

    Although there are lots of files in this folder, incl. bulldownload, which I know to be associated with Sharman Networks!!

    Unfortunately, AVG is unable to open the folder or files for cleaning.

    After reading Jooske's reply, I guess that TDS found the nasty originally and cleaned the files after unpacking them in the .Unpk folder. AVG could not detect the infection/intrusion until TDS had done this.

    Now I just need to know how to get rid of the files from the TDS.Unpk folder - can I just delete them? This doesn't seem good enough to me??

    BTW I have since run further scans but the files still remain.

    Does anybody want me to zip and submit - if so, through which route (support@dia... or TDS/Help/Submit file...)?

    Alternatively, just tell me it's my own stupid fault for playing around with Kazaa, (Ooops)

    Many thanks

    :oops:
     
  11. FanJ

    FanJ Guest

    Hi,

    Thanks ! :)

    When TDS-3 found the Trojan(s), did you then tell TDS-3 to delete it?
    If TDS-3 gives an alarm, then the user must tell TDS-3 what to do with it by right-clicking on that alarm.

    Does TDS-3 keep giving that alert after a second scan with TDS-3?

    Do I understand you right that the following 3 files are in TDS.Unpk

    A0000005.com
    A0000029.com and
    A0000050.com

    If so, I would suggest sending them to:
    submit@diamondcs.com.au
    So Gavin can have a look at them.
    And then you can delete them from your directory TDS.Unpk.

    Looking at the names of those 3 files, it could be possible that they are related to a system restore.
    But I am not sure about that because I myself have only Windows 98 SE.
    I hope someone else will jump in here.
     
  12. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    Hi FanJ

    Yes, I told TDS to delete the files - not sure if that was the correct option since it's the first time TDS has found any suspicious files on my machine.

    TDS did not repeat the alarm.

    The files A000...etc were located in the TDS.Unpk folder - Yes

    I have shut down and re-opened/scanned several folders/files since and the files in question have disappeared from the folder (as Jooske had suggested). If they reappear again (maybe from system restore) I shall submit to Gavin for info. Meanwhile I will look in my virus vaults for copies.

    Thanks again you guys, it's really great to have such an excellent product with unrivalled support forums!!! :D
     
  13. FanJ

    FanJ Guest

    Hi user formerly known as mfreemanhcp17,

    I'm glad it's solved and your system is clean :)

    Cheers, Jan.
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Noticed Gavin is asking more frequently for files to be submitted to him anyway.
    If there is a positive identification by TDS with the nasty's name, in most cases it will not be necessary, also not for the suspicious file names with double extensions, but it is about those "positive id <adv>" or "possible trojan/worm" alerts, or where another scanner says something is wrong where TDS doesn't alarm, or in some cases where TDS alarms where another AT scanner doesn't beep at all.
    Had the impression such... names like you had could be system restore files.

    TDS scans in that Unpk area a COPY of the original file, which should disappear after that, with the results in the alerts console, from where you (with a right-click on a selected alert) can examine the file deeper, submit or delete it, or save the output to the scandump.txt file.

    If there is that copy in your Unpk folder, there must be or have been somewhere an original of the file too, which is listed with its full pathname in the alerts window. But if TDS with a deep scan does not locate them anymore, they must have disappeared or been blocked by another scanner; maybe you did a disable system restore - reboot - enable system restore - manually new restore point action and the files should no longer be there, except for the copies in the Unpk which in this case for reasons unknown were not deleted as they should have been.

    It's always nice to know which nasties you were involved with, to do some googling about what they do and what more to look for, and to know you are really OK if the other issues are not there.
    It's a strange and complicated world, but the good part is that we learn a lot from it and about our systems!
     
  15. jay111

    jay111 Registered Member

    Joined:
    Jan 12, 2004
    Posts:
    14
    :D
    Hi there!
    I use Kazaa Lite++
    no spyware whatsoever, just plenty of freebies.
    regards
    jay111 :D
     
  16. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Kazaa Lite is in fact illegal ;)

    regards.

    paul
     
  17. SteveS

    SteveS Guest

    I am new to TDS3 and after reading some of the threads on this forum, I checked my TDS.Unpk subdirectory. I found several files that appear to multiply with each full system scan. I am now up to 6097 total files. Currently, TDS does not report any warnings during a full system scan and Nod32 does not report any virus during a scan of this subdirectory. I have deleted these files numerous times, but after each scan they reappear in increasing numbers. I have sent a small sample of the files to DCS for their review. I would appreciate any insights or suggestions that may help me resolve this situation. Thanks

    Steve :p
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Steve and welcome!
    So if you miss a file you first look if there might be a copy over there, don't you?
    Have not the slightest idea why in some cases the files stay there; I just checked again, empty here.
    Suppose those are specific files, archives maybe, on your system?
    Is this since the beginning? Does TDS scan well, I mean does it ever find anything of which you know it is either a testfile or suspicious? An easy test is to make a test file you put on your desktop with a name like test.vbs.txt, for which TDS should give a suspicious file name (double extensions) alert, and you have the CRC32 file scan, etc.
    I'm not recommending to intentionally get a nasty file to see if TDS alarms on it. Which reminds me, the Mirclean program on the DCS free tools page has a testfile included, which is completely harmless and TDS alarms on it as test.worm.
    So with such tests you know for sure if TDS is doing its tasks properly and is properly installed.
    If not, uninstall, get a fresh download and reinstall (closing first all AV/AT and resident protection, registry protection and all that kind of programs, maybe even reboot before installing).
     
  19. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi SteveS, they are where TDS has unpacked files for scanning and are usually deleted after scanning, so you can probably safely delete them :) + You may have a corrupt install as Jooske says, so that might be your best first move.
     
  20. SteveS

    SteveS Guest

    I sincerely appreciate your quick response to my inquiry. As suggested, I did a fresh re-install of TDS3, which included the following: complete uninstall of the program; deleted all remaining registry entries and removed all remaining file folders associated with the program; rebooted the machine; downloaded TDS3 and installed. On the first full system scan, the previously reported files reappeared in the TDS3.Unpk subdirectory. The files are listed as a0134820.rse. When I view the properties of the file, most of the files list "rse" under the name and company. With the exception of files listed under Wormguard, all files are assigned file names similar to the one described above with various number variations listed after the "a". Am I missing something, or do I have a nasty infection? Neither TDS3 nor Nod32 is reporting any viruses. Thanks

    Steve :oops:
     
  21. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I found this out about .RSE http://www.rsempire.org/ Not a Trekkie by any chance? :)
    Sorry for the frivolous answer :eek: Hopefully DCS will answer properly in the morning.
     
  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Are those files from system restore, or small NTFS ADS streams smaller than 88 bytes?
    Then still they should have no reason to remain in the folder and should be deleted with a next scan.
    If those are system restore files, you can safely delete them; in the scan options for the NTFS streams you can ignore those smaller than 88 bytes. Those can be added by software like scanners to add some information about files -- TDS does not do so btw.
     
  23. SteveS

    SteveS Guest

    How can you tell if they are system restore files?
     
  24. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    About the system restore file I don't know, I don't use it :)

    But I just wanted to say that I have only 2 files in this folder, so maybe, as suggested by Jooske, you have a broken installation?
     
  25. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Yes, but not to use it.... ;)
     