What is this?

Discussion in 'Trojan Defence Suite' started by subzerox, May 5, 2005.

Thread Status:
Not open for further replies.
  1. subzerox

    subzerox Registered Member

    Joined:
    May 5, 2005
    Posts:
    35
    Hello guys, I have recently used the trial version of TDS-3 and uninstalled it, and wiped the remaining files that were still present, but there is one file from TDS-3 I can't seem to remove, namely the update.exe file.

    I have made several attempts with CyberScrub, but when starting with the deleting option "erase beyond recovery" the system automatically shuts down.

    When doing the Jotti malware scan I submitted this file and it gave the message that it could be a piece of firewall or that it could be malware preventing it from being submitted to the scan.

    I have tried to delete this file several times with no success, and now I discover it is apparently erased, because now the TDS folder is completely gone. So why did this happen in such a manner, why couldn't I erase this before? What if this was a piece of malware, could it transfer itself to another folder and give up on the TDS-3 update file to make it appear that it is gone when it actually is not?

    Could somebody actively be watching what I am doing, and because I am now asking on this forum for the solution to erase the update file from TDS-3 that I couldn't erase before and that possibly contained the trojan or whatever, have quickly decided to transfer it to another folder to try to make me think everything is all right?

    Is it a strange event that at first I couldn't erase the file, which was very persistent and could not be erased, and now it is erased?
    Can somebody give up on the update.exe file from TDS-3 and switch the malware to another file or folder?
     
  2. subzerox

    subzerox Registered Member

    Joined:
    May 5, 2005
    Posts:
    35
    I have read an article about "rootkits" today; could this have been a rootkit?

    That the update file was the place where it was hidden?
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there and welcome to the forum!
    First, tell us which program told you it was malware?
    Are you using any kind of resident protection, Trend spyware suite, whatever?
    Some of those scanners say all auto-update kinds of programs for any scanners and programs are riskware, blocking any access to them, hiding them, deleting them, etc., and some don't give users options to decide.
    It is called riskware because there are possibilities in the program to auto-update, or to do some other tests when you use it.

    Any time you (un)install a program, make sure all scanners and resident protection are completely disabled during the action; with TDS, after that it's advisable to reboot.
    update.exe is most certainly no riskware/malware/spyware/rootkit or whatever, if we talk about the original.
    I presume your file was located in the TDS directory where you installed it. With all the other programs temporarily disabled it should uninstall fine.

    If it was located anywhere else, I hope you have a copy somewhere (in a system restore?) and can submit it to the address in my signature to be checked.

    But why did you uninstall TDS, did you like to use it?


    EDIT:
    Since I couldn't access Jotti's scanner atm (maybe the URL changed, does somebody have the right URL please?) I used the www.virustotal.com scanner with this result:
    Code:
    This is a report processed by VirusTotal on 05/07/2005 at 11:58:16 (CET)
     after scanning the file "update.exe" file.
    Antivirus Version Update Result 
    AntiVir 6.30.0.12 05.06.2005 no virus found 
    AVG 718 05.06.2005 no virus found 
    BitDefender 7.0 05.07.2005 no virus found 
    ClamAV devel-20050501 05.05.2005 no virus found 
    DrWeb 4.32b 05.06.2005 no virus found 
    eTrust-Iris 7.1.194.0 05.06.2005 no virus found 
    eTrust-Vet 11.9.1.0 05.06.2005 no virus found 
    Fortinet 2.51 05.07.2005 no virus found 
    Ikarus 2.32 05.06.2005 no virus found 
    Kaspersky 4.0.2.24 05.07.2005 no virus found 
    McAfee 4486 05.06.2005 no virus found 
    NOD32v2 1.1089 05.05.2005 no virus found 
    Norman 5.70.10 05.03.2005 no virus found 
    Panda 8.02.00 05.06.2005 no virus found 
    Sybari 7.5.1314 05.07.2005 no virus found 
    Symantec 8.0 05.06.2005 no virus found 
    VBA32 3.10.3 05.07.2005 no virus found 
    
    
    
    VirusTotal is a free service offered by Hispasec Sistemas. 
    There are no guarantees about the availability and continuity 
    of this service. Although the detection rate afforded by the 
    use of multiple antivirus engines is far superior to that offered 
    by just one product, these results DO NOT guarantee the 
    harmlessness of a file. Currently, there is not any solution that 
    offers a 100% effectiveness rate for detecting viruses and malware.
    
     
    Last edited: May 7, 2005
  4. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    The URL to Jotti's Malware Scan is http://virusscan.jotti.org/

    Here is the virus report after uploading UPDATE.EXE there:

    File: update.exe

    Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)

    MD5 e5977b5549eb8bac514a3ea64f8b3175

    Packers detected: PECOMPACT

    Scanner results
    AntiVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    mks_vir Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    VBA32 Found nothing
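    As an added example (not code from this thread, from Jotti, or from TDS-3), a Python triage script that does locally what the two reports above do remotely: it hashes the file for lookup on a multi-engine scanner and walks the PE section table to flag high-entropy sections, the kind of runtime-packer signal that made Jotti's sandbox mark the file as suspicious even though no engine alerted. The minimal PE image, its section names and the 7.0-bit threshold are constructed assumptions for the demonstration.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; compressed or packed data sits close to the 8.0 maximum."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def parse_sections(data: bytes):
    """Walk the PE section table; yields (name, raw_size, entropy) for each section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # first IMAGE_SECTION_HEADER follows the optional header
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        yield name, raw_size, shannon_entropy(data[raw_ptr:raw_ptr + raw_size])

def triage_pe(data: bytes, threshold: float = 7.0) -> dict:
    """Hashes for lookup on a multi-engine scanner plus a packed-section heuristic."""
    sections = [{"name": n, "raw_size": s, "entropy": round(e, 3)} for n, s, e in parse_sections(data)]
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": sections,
        "likely_packed": any(s["entropy"] > threshold for s in sections),
    }

def build_sample_pe() -> bytes:
    """Constructed minimal PE (not a real binary): a plain .text section and a high-entropy .packed one."""
    def sec(name, raw_ptr, raw_size, flags):  # one 40-byte IMAGE_SECTION_HEADER
        return struct.pack("<8sIIIIIIHHI", name, raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, flags)
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # DOS stub, e_lfanew = 0x40
           + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # COFF header, 2 sections
           + sec(b".text", 0x100, 0x100, 0x60000020) + sec(b".packed", 0x200, 0x100, 0xE0000040))
    hdr += b"\0" * (0x100 - len(hdr))
    return hdr + b"A" * 0x100 + bytes(range(256))  # zero-entropy text, then 8-bit-entropy "packed" data

if __name__ == "__main__":
    print(triage_pe(build_sample_pe()))
```

    A high-entropy section only says the file is packed or encrypted, which legitimate installers and updaters often are; the hashes are what you submit to a multi-engine scanner for a verdict.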
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks for the URL, I used the same but did not get access, so maybe it was in maintenance at that moment.

    For the update.exe you can imagine it has some functionality, as explained recently in another thread here.
     
  6. subzerox

    subzerox Registered Member

    Joined:
    May 5, 2005
    Posts:
    35
    Hi guys, thank you for receiving me in the forum. I thought I wasn't welcome or something because it took so long for anyone to reply to the post I made, but evidently I thought wrong.

    I got the message from the Jotti malware scan and it said possible malware preventing access, or it is a piece of firewall preventing access.
    Since I know it belongs to TDS, namely the update file, I immediately tried to remove it with CyberScrub; easy to use, only right click and gone beyond recovery.

    Well, actually I tried this before because I uninstalled TDS-3 (I did like it, only the trial period was expired :'( ) and there were some files I had to remove manually, and the update file didn't let itself be removed or erased; even better, when I tried to remove it my whole computer shut down and restarted.

    I had tried this a couple of times but noticed it was quite persistent and I couldn't get rid of it, then I came to this forum to gain some more information about this. While typing the first post I tried to erase it again and, what do you know, now I could get rid of it.

    Of course I know the TDS-3 update file itself is no malware, but could there be a possibility that the file was corrupted and infected at a later stage?
    I find it very odd that when visiting this forum, and when making a post about the persistence of this file, and trying to erase this file for the last time, it allowed itself to get erased, like someone is watching every move and out of precaution switched the file to somewhere else. It sounds a bit paranoid, I know, but this itself is quite strange: why at first I couldn't get it erased and then suddenly I could.

    Because I read an article about rootkits I thought this was a possibility; could someone switch the malware to another file because the person has foreseen that the update file was going to be deleted with the assistance of people on this forum?

    What is, by the way, the closest to the best way of detecting these rootkits and removing them?

    Hope to hear from you guys.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Was that the only file you had problems with when you scanned your system?
    Now we would really like to have your copy of course, to see if it was the original! :)
    If there is anything spying on your system, Port Explorer would show the hidden connections!
    And of course, you should make really really sure your system is absolutely clean, for instance using this thread https://www.wilderssecurity.com/showthread.php?t=50662
    TDS is not spying on you and moving away its files, which would have been extremely difficult since you uninstalled it already.
    Once really really clean, you could prevent rootkits from installing on your system, for example with ProcessGuard, scan with TDS, keep an eye on all connections with Port Explorer, etc.
     
  8. subzerox

    subzerox Registered Member

    Joined:
    May 5, 2005
    Posts:
    35
    Yes, the update file from TDS-3 was the only file that gave me concerns regarding the message displayed in Jotti's malware scan.

    And it was a trial version downloaded from the official DiamondCS website.

    To make sure I am working with a clean system I will format my HD and reinstall Windows XP again; that will hopefully result in a clean system.

    Could any malware survive a format? Just curious.

    Thanks Jooske for your help (I just saw in the right-hand corner that you are from the Netherlands too) :D
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    >Thanks Jooske for your help (I just saw in the right-hand corner that you are from the Netherlands too)
    Transl: Jooske thanks for your help. Saw suddenly in the upper right corner you are from the Netherlands too.

    Ah, did not see that in your profile! :cool:

    Anyway: yes, there are certain kinds of malware which survive a reformat, so it's not advised in all cases to do it unnecessarily.
    I would suggest first going through the cleaning steps as advised in the cleaning thread, so you know what the situation on your system is.
    After cleansing possible malware, disable system restore, reboot, enable system restore and all the deleted nasties are gone; create a new system restore point from this clean situation and test it.
    If the TDS update.exe was the only alert I would most certainly not reformat, as that file is very OK.

    Now get ProcessGuard as prevention, TDS as a nice scanner and addition to that (among others), Port Explorer as explained before and WormGuard if you like to add to all that. From there start rebuilding your system and security.
    Don't forget the firewall and the anti-spyware scanners like Spybot S&D and a few more as advised in the forums here, etc. Not to forget all the JavaCool tools! And a good antivirus to work besides TDS, which is an anti-trojan in the first place.
     