View previous topic :: View next topic |
Author |
Message |
jaykay
Cadet
Joined: Jan 24, 2004
Posts: 1
Location: USA
|
Posted: Wed Jan 28, 2004 10:07 am Post subject: Help with Trojan hunter |
|
|
Help
How do I delete a UPX unpacked file as detected by Trojan Hunter..
Thanks
edit ** I should mention I was only given the option to ignore UPX unpacked files and couldn't seem to find a way to delete them... as opposed to ignoring them. |
|
Back to top |
|
|
Magnus
TrojanHunter
Joined: Sep 02, 2003
Posts: 46
Location: Sweden
|
Posted: Thu Jan 29, 2004 4:59 am Post subject: |
|
|
It's not necessarily a malware file since it's only detected as being suspicous, but if you want to delete it you can do it using Windows Explorer like with any other file. |
|
Back to top |
|
|
jaykay
Guest
|
Posted: Thu Jan 29, 2004 7:06 am Post subject: |
|
|
Thanks for replying.
The one I'm after definately looks like malware and I would like to delete it, though I can't find it using windows explorer... seems to be embedded in downloaded program files in windows. |
|
Back to top |
|
|
Guest
|
Posted: Thu Jan 29, 2004 7:10 am Post subject: |
|
|
Try clearing out your temporary internet files in Internet Explorer. |
|
Back to top |
|
|
jaykay
Guest
|
Posted: Thu Jan 29, 2004 7:15 am Post subject: |
|
|
Ive tried that one too. |
|
Back to top |
|
|
jaykay
Guest
|
Posted: Fri Jan 30, 2004 9:16 am Post subject: |
|
|
Anyone have any advice on how to delete a UPX unpacked file as detected by Trojan Hunter... Thanks. |
|
Back to top |
|
|
Mariner
Site Moderator
Premium Member
Joined: Aug 25, 2003
Posts: 1904
|
Posted: Fri Jan 30, 2004 10:14 am Post subject: |
|
|
Don't know if this is of any use but, have you revealed hidden files then searched for the offending item? |
|
Back to top |
|
|
jaykay
Guest
|
Posted: Sun Feb 01, 2004 9:59 am Post subject: |
|
|
Fraid not I have tried that but it must be embedded or hidden quite deep because I can't find it using conventional search means. |
|
Back to top |
|
|
Mariner
Site Moderator
Premium Member
Joined: Aug 25, 2003
Posts: 1904
|
Posted: Sun Feb 01, 2004 10:16 am Post subject: |
|
|
Did you run Trojan Hunter again after making hidden files visible?
Run your AV as well with hidden files visible, see if that reveals anything. |
|
Back to top |
|
|
LookBak
Cadet
Joined: Feb 03, 2004
Posts: 3
Location: Australia
|
Posted: Tue Feb 03, 2004 8:39 pm Post subject: |
|
|
jaykay wrote: |
The one I'm after definately looks like malware and I would like to delete it, though I can't find it using windows explorer... seems to be embedded in downloaded program files in windows. |
In downloaded program files directory right click all files indicated there and choose 'properties' Then select 'dependency' tab and note files associated with the DPF file that are loacted elsewhere on your computer, usually windows\system directory (win98) or system32 (Win NT 2000 XP)
You may then delete the DPF if you suspect it of being suspicious and then navigate to the directories of the files listed as 'dependant' and delete the dependant files also. As with any file deletion be careful. It is a good idea to view the properties of any file you wish to delete to ensure some indication of the file description. For example. I have only one DPF on my system. It is update active x control for windows update. Its has 3 dependant files , two of which are in my system32 directory. I checked them out and see that both are dll files and their description indicates they are both connected with windows update. So if I want to get rid of the update control I delete the update class in DPF directory and also the dlls in sytem32 directory.
Hopefilly of some use to you in
cheers
|
|
Back to top |
|
|
jaykay
Guest
|
Posted: Thu Feb 05, 2004 9:12 am Post subject: |
|
|
Mariner wrote: |
Did you run Trojan Hunter again after making hidden files visible?
Run your AV as well with hidden files visible, see if that reveals anything. |
I'm not too sure how to make Hidden Files visible but I'm not too sure if this will solve the problem as Trojan Hunter is detecting a file - this UPX upacked file... the problem is that it can't unpack the file and hence won't allow me to clear it.
Sorry to be dense but what is the 'AV'.
Thanks to Lookback as well. I went in to downloaded program files and viewed the dependencies but there is nothing suspicios there. As far as Windows is concerned the rogue program doesn't seem to exist yet
|
|
Back to top |
|
|
claire
Site Moderator
Premium Member
Joined: Apr 21, 2002
Posts: 4866
Location: Belgium
|
Posted: Thu Feb 05, 2004 11:14 am Post subject: |
|
|
Hi Jaykay,
AV means Anti Virus software(like NOD,AVG,NAV etc)
_________________
Carpe Diem |
|
Back to top |
|
|
jaykay
Guest
|
Posted: Thu Feb 05, 2004 1:47 pm Post subject: |
|
|
Thanks Claire (im using AVG btw)
Okay so interesting development. Used Winzip to try and get in there and Winzip actually detected the rogue file. However, when I tried to delete it reappears and has actually (after x amount of attempts at getting rid of the bastard) quadrupled itself!
I can only find the file by using winzip in Windows Explorer by right clicking on the donwloaded program files folder and using the Winzip (add to winzip file option). However by using the winzip wizard or manually it doesn't let me find it. |
|
Back to top |
|
|
LookBak
Cadet
Joined: Feb 03, 2004
Posts: 3
Location: Australia
|
Posted: Thu Feb 05, 2004 9:47 pm Post subject: |
|
|
Jay Kay if you received the message from TrojanHunter "Unable to unpack upx-packed file" the following may be of some use that was posted on A TrojanHunter forum at http://forum.misec.net/board/Trojans/1052172376
Part of the posting is as follows:
When TH goes to scan a compressed file, like a ZIP or an RAR or these UPX things, it needs to un-compress the file or extract it, in order to look at the actual files that are inside it. It has to put these un-compressed files somewhere while it is scanning them, so it asks Windows where to put temporary files. That is where it is getting that long directory string from. The one with the ~1 stuff in it.
The reason you can't usually find the file by the part just at the end is that when Windows looks for files, it doesn't try to un-compress and extract them all to see what it inside them, so it isn't seeing the individual file(s) that TH is complaining about.
Now, all TH is saying is that it can't figure out how to unpack that particular file. It isn't actually saying that there is anything bad with the file, because it can't even get far enough to see what the file really says.
If you had a trojan running, it would need to be sitting in memory while it is running, and TH scans your memory for nasties, and it isn't finding anything nasty running. So while you still need to try to figure out what the source of this file that can't be unpacked is, and send it in to Magnus so he can take a look at it, in case it is a new trojan, you don't have exidence of anything running in memory that TH is aware of at this time.
You can use a UPX124W.ZIP (upx stands for Ultimate Packer of Executables) at http://upx.sourceforge.net/#download
Download and extcract file upx.exe to your c:\ directory will do
All UPX supported file formats can be unpacked using the -d switch . Bring up a command prompt and type cd c:\ if any other dierctory is indicated. That will bring up c:\ type upx -d 'path and name of file' you want to unpack
eg if you wanted to unpack a file called wunderbah in windows\temp directory you would type at c:\prompt upx -d c:\windows\temp\wunderbah (include whatever file extension is also)
A good tip is to always indicate what Operating System you are using. It makes i easier to give some tips for maybe solving a problem as WinNT win2000 and WinXP have numerous diferences to Win98 or Win98se.
As to showing hidden files here is what to do. Open Windows Explorer and if using Win98 on Menu Bar up top select 'view' (Win NT 2000 and XP you select 'Tools' on menu bar) Then select 'folder options' when that comes up you see a tab called 'view' Click that and under section 'Hidden Files and Folders' place radio button (little black dot)
next to 'show hidden files and folders' You may also want to take tick out of 'hide file extensions for known file types'
Click 'apply' then 'OK' an you are done.
hope of some value
Cheers
_________________
Eternal Vigilance |
|
Back to top |
|
|
|