Help with Trojan hunter
jaykay (Cadet; Joined: Jan 24, 2004; Posts: 1; Location: USA)
Posted: Wed Jan 28, 2004 10:07 am    Post subject: Help with Trojan hunter

Help

How do I delete a UPX unpacked file as detected by Trojan Hunter?

Thanks

Edit: I should mention I was only given the option to ignore UPX unpacked files and couldn't seem to find a way to delete them, as opposed to ignoring them.
Magnus (TrojanHunter; Joined: Sep 02, 2003; Posts: 46; Location: Sweden)
Posted: Thu Jan 29, 2004 4:59 am

It's not necessarily a malware file, since it's only detected as being suspicious, but if you want to delete it you can do it using Windows Explorer like with any other file.
jaykay (Guest)
Posted: Thu Jan 29, 2004 7:06 am

Thanks for replying.

The one I'm after definitely looks like malware and I would like to delete it, though I can't find it using Windows Explorer... it seems to be embedded in Downloaded Program Files in Windows.
Guest
Posted: Thu Jan 29, 2004 7:10 am

Try clearing out your temporary internet files in Internet Explorer.
jaykay (Guest)
Posted: Thu Jan 29, 2004 7:15 am

I've tried that one too. :(
jaykay (Guest)
Posted: Fri Jan 30, 2004 9:16 am

Anyone have any advice on how to delete a UPX unpacked file as detected by Trojan Hunter... Thanks.
Mariner (Site Moderator, Premium Member; Joined: Aug 25, 2003; Posts: 1904)
Posted: Fri Jan 30, 2004 10:14 am

Don't know if this is of any use, but have you revealed hidden files and then searched for the offending item?
jaykay (Guest)
Posted: Sun Feb 01, 2004 9:59 am

'Fraid not. I have tried that, but it must be embedded or hidden quite deep because I can't find it using conventional search means.
Mariner (Site Moderator, Premium Member; Joined: Aug 25, 2003; Posts: 1904)
Posted: Sun Feb 01, 2004 10:16 am

Did you run Trojan Hunter again after making hidden files visible?

Run your AV as well with hidden files visible, see if that reveals anything.
LookBak (Cadet; Joined: Feb 03, 2004; Posts: 3; Location: Australia)
Posted: Tue Feb 03, 2004 8:39 pm

jaykay wrote:
The one I'm after definitely looks like malware and I would like to delete it, though I can't find it using Windows Explorer... it seems to be embedded in Downloaded Program Files in Windows.

In the Downloaded Program Files directory, right click all files indicated there and choose 'Properties'. Then select the 'Dependency' tab and note the files associated with the DPF file that are located elsewhere on your computer, usually the windows\system directory (Win98) or system32 (Win NT, 2000, XP).

You may then delete the DPF if you suspect it of being suspicious, and then navigate to the directories of the files listed as 'dependent' and delete the dependent files also. As with any file deletion, be careful. It is a good idea to view the properties of any file you wish to delete to ensure some indication of the file description.

For example, I have only one DPF on my system. It is the update ActiveX control for Windows Update. It has 3 dependent files, two of which are in my system32 directory. I checked them out and see that both are dll files and their description indicates they are both connected with Windows Update. So if I want to get rid of the update control, I delete the update class in the DPF directory and also the dlls in the system32 directory.

Hopefully of some use to you in
cheers
jaykay (Guest)
Posted: Thu Feb 05, 2004 9:12 am

Mariner wrote:
Did you run Trojan Hunter again after making hidden files visible?

Run your AV as well with hidden files visible, see if that reveals anything.

I'm not too sure how to make hidden files visible, but I'm not too sure if this will solve the problem, as Trojan Hunter is detecting a file (this UPX unpacked file)... the problem is that it can't unpack the file and hence won't allow me to clear it.

Sorry to be dense, but what is the 'AV'?

Thanks to Lookback as well. I went in to Downloaded Program Files and viewed the dependencies, but there is nothing suspicious there. As far as Windows is concerned the rogue program doesn't seem to exist yet
claire (Site Moderator, Premium Member; Joined: Apr 21, 2002; Posts: 4866; Location: Belgium)
Posted: Thu Feb 05, 2004 11:14 am

Hi Jaykay,

AV means Anti Virus software (like NOD, AVG, NAV etc.)

_________________
Carpe Diem
jaykay (Guest)
Posted: Thu Feb 05, 2004 1:47 pm

Thanks Claire (I'm using AVG btw)

Okay, so, interesting development. I used WinZip to try and get in there, and WinZip actually detected the rogue file. However, when I try to delete it, it reappears and has actually (after x amount of attempts at getting rid of the bastard) quadrupled itself!

I can only find the file by using WinZip in Windows Explorer, by right clicking on the Downloaded Program Files folder and using the WinZip 'Add to Zip file' option. However, using the WinZip wizard or doing it manually doesn't let me find it.
LookBak (Cadet; Joined: Feb 03, 2004; Posts: 3; Location: Australia)
Posted: Thu Feb 05, 2004 9:47 pm

Jay Kay, if you received the message from TrojanHunter "Unable to unpack upx-packed file", the following may be of some use; it was posted on a TrojanHunter forum at http://forum.misec.net/board/Trojans/1052172376

Part of the posting is as follows:

When TH goes to scan a compressed file, like a ZIP or a RAR or these UPX things, it needs to un-compress the file or extract it in order to look at the actual files that are inside it. It has to put these un-compressed files somewhere while it is scanning them, so it asks Windows where to put temporary files. That is where it is getting that long directory string from, the one with the ~1 stuff in it.

The reason you can't usually find the file by the part just at the end is that when Windows looks for files, it doesn't try to un-compress and extract them all to see what is inside them, so it isn't seeing the individual file(s) that TH is complaining about.

Now, all TH is saying is that it can't figure out how to unpack that particular file. It isn't actually saying that there is anything bad with the file, because it can't even get far enough to see what the file really says.

If you had a trojan running, it would need to be sitting in memory while it is running, and TH scans your memory for nasties, and it isn't finding anything nasty running. So while you still need to try to figure out what the source of this file that can't be unpacked is, and send it in to Magnus so he can take a look at it in case it is a new trojan, you don't have evidence of anything running in memory that TH is aware of at this time.

You can use UPX124W.ZIP (upx stands for Ultimate Packer of Executables) at http://upx.sourceforge.net/#download

Download and extract the file upx.exe to your c:\ directory; that will do.
All UPX-supported file formats can be unpacked using the -d switch. Bring up a command prompt and type cd c:\ if any other directory is indicated. That will bring up c:\. Type upx -d 'path and name of file' you want to unpack,
e.g. if you wanted to unpack a file called wunderbah in the windows\temp directory you would type at the c:\ prompt: upx -d c:\windows\temp\wunderbah (include whatever file extension there is as well)

A good tip is to always indicate what Operating System you are using. It makes it easier to give some tips for maybe solving a problem, as Win NT, Win 2000 and Win XP have numerous differences from Win98 or Win98se.
As to showing hidden files, here is what to do. Open Windows Explorer and, if using Win98, on the menu bar up top select 'View' (on Win NT, 2000 and XP you select 'Tools' on the menu bar). Then select 'Folder Options'; when that comes up you see a tab called 'View'. Click that and, under the section 'Hidden Files and Folders', place the radio button (little black dot)
next to 'Show hidden files and folders'. You may also want to take the tick out of 'Hide file extensions for known file types'.
Click 'Apply', then 'OK', and you are done.

hope of some value

Cheers

_________________
Eternal Vigilance
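As an added illustration of the quoted explanation and the upx -d step above (example code written for this page; it is not from the original thread, the misec post, TrojanHunter or the UPX project), here is a small Python script that does the two things a scanner does before it can look inside a UPX-packed Windows executable: it reads the PE section table to see whether the file carries the usual UPX indicators (section names UPX0/UPX1 and the "UPX!" header marker), and, if the upx tool is on the PATH, it runs `upx -d` into a separate output file so the original is left untouched. The PE skeleton produced by build_sample() is constructed test data, not a real program, and the indicator check is a heuristic: as the quoted post says, a file that is UPX-packed or that fails to unpack is not thereby shown to be malicious.

```python
import shutil
import struct
import subprocess
from pathlib import Path

# Section names the UPX packer normally writes into a packed PE file.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE (Windows EXE/DLL) image, or [] if the
    bytes are not a PE file. Only the DOS header, PE signature, COFF header
    and section table are parsed; nothing in the file is executed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)        # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_header_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_header_size                    # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + i * 40                                    # each section header is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Heuristic only: UPX-style section names and the 'UPX!' header marker.
    A hit means 'looks UPX-packed', not 'malicious'."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_sections": any(n in UPX_SECTION_NAMES for n in names),
        "upx_marker": b"UPX!" in data,
    }


def build_sample(section_names) -> bytes:
    """Constructed PE skeleton for exercising the parser (test data, not a runnable program)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew: PE header follows the DOS header
    opt_size = 224                                              # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)       # PE32 magic, remaining fields zeroed
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + opt + sections


def try_unpack(packed: Path, unpacked: Path):
    """Run 'upx -d' into a separate output file (upx's -o switch), mirroring
    what a scanner does before inspecting the contents. Returns upx's exit
    code, or None when upx is not installed on this machine."""
    upx = shutil.which("upx")
    if upx is None:
        return None
    result = subprocess.run([upx, "-d", "-o", str(unpacked), str(packed)],
                            capture_output=True, text=True)
    return result.returncode


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        print(arg, upx_indicators(Path(arg).read_bytes()))
```

Run it as `python upxcheck.py somefile.exe` (the script name is arbitrary) to print the section list and the two indicators for each file given; a file that reports UPX sections but that `upx -d` refuses to decompress is exactly the situation TrojanHunter's "Unable to unpack" message describes, which is why the next step is submitting the sample rather than assuming it is clean or infected.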