Help with Trojan hunter

jaykay · Cadet Joined: Jan 24, 2004 Posts: 1 Location: USA

Help

How do I delete a UPX unpacked file as detected by Trojan Hunter..

Thanks

edit ** I should mention I was only given the option to ignore UPX unpacked files and couldn't seem to find a way to delete them... as opposed to ignoring them.

Magnus · Posted: Thu Jan 29, 2004 4:59 am Post subject:

It's not necessarily a malware file since it's only detected as being suspicous, but if you want to delete it you can do it using Windows Explorer like with any other file.

jaykay · Guest

Thanks for replying.

The one I'm after definately looks like malware and I would like to delete it, though I can't find it using windows explorer... seems to be embedded in downloaded program files in windows.

Guest · Posted: Thu Jan 29, 2004 7:10 am Post subject:

Try clearing out your temporary internet files in Internet Explorer.

jaykay · Guest

Ive tried that one too. Sad

jaykay · Guest

Anyone have any advice on how to delete a UPX unpacked file as detected by Trojan Hunter... Thanks.

Mariner · Posted: Fri Jan 30, 2004 10:14 am Post subject:

Don't know if this is of any use but, have you revealed hidden files then searched for the offending item?

jaykay · Guest

Fraid not I have tried that but it must be embedded or hidden quite deep because I can't find it using conventional search means.

Mariner · Posted: Sun Feb 01, 2004 10:16 am Post subject:

Did you run Trojan Hunter again after making hidden files visible?

Run your AV as well with hidden files visible, see if that reveals anything.

LookBak · Cadet Joined: Feb 03, 2004 Posts: 3 Location: Australia

jaykay · Guest

claire · Posted: Thu Feb 05, 2004 11:14 am Post subject:

Hi Jaykay,

AV means Anti Virus software(like NOD,AVG,NAV etc)

jaykay · Guest

Thanks Claire (im using AVG btw)

Okay so interesting development. Used Winzip to try and get in there and Winzip actually detected the rogue file. However, when I tried to delete it reappears and has actually (after x amount of attempts at getting rid of the bastard) quadrupled itself!

I can only find the file by using winzip in Windows Explorer by right clicking on the donwloaded program files folder and using the Winzip (add to winzip file option). However by using the winzip wizard or manually it doesn't let me find it.

LookBak · Cadet Joined: Feb 03, 2004 Posts: 3 Location: Australia

Jay Kay if you received the message from TrojanHunter "Unable to unpack upx-packed file" the following may be of some use that was posted on A TrojanHunter forum at http://forum.misec.net/board/Trojans/1052172376

Part of the posting is as follows:

When TH goes to scan a compressed file, like a ZIP or an RAR or these UPX things, it needs to un-compress the file or extract it, in order to look at the actual files that are inside it. It has to put these un-compressed files somewhere while it is scanning them, so it asks Windows where to put temporary files. That is where it is getting that long directory string from. The one with the ~1 stuff in it.

The reason you can't usually find the file by the part just at the end is that when Windows looks for files, it doesn't try to un-compress and extract them all to see what it inside them, so it isn't seeing the individual file(s) that TH is complaining about.

Now, all TH is saying is that it can't figure out how to unpack that particular file. It isn't actually saying that there is anything bad with the file, because it can't even get far enough to see what the file really says.

If you had a trojan running, it would need to be sitting in memory while it is running, and TH scans your memory for nasties, and it isn't finding anything nasty running. So while you still need to try to figure out what the source of this file that can't be unpacked is, and send it in to Magnus so he can take a look at it, in case it is a new trojan, you don't have exidence of anything running in memory that TH is aware of at this time.

You can use a UPX124W.ZIP (upx stands for Ultimate Packer of Executables) at http://upx.sourceforge.net/#download

Download and extcract file upx.exe to your c:\ directory will do
All UPX supported file formats can be unpacked using the -d switch . Bring up a command prompt and type cd c:\ if any other dierctory is indicated. That will bring up c:\ type upx -d 'path and name of file' you want to unpack
eg if you wanted to unpack a file called wunderbah in windows\temp directory you would type at c:\prompt upx -d c:\windows\temp\wunderbah (include whatever file extension is also)

A good tip is to always indicate what Operating System you are using. It makes i easier to give some tips for maybe solving a problem as WinNT win2000 and WinXP have numerous diferences to Win98 or Win98se.
As to showing hidden files here is what to do. Open Windows Explorer and if using Win98 on Menu Bar up top select 'view' (Win NT 2000 and XP you select 'Tools' on menu bar) Then select 'folder options' when that comes up you see a tab called 'view' Click that and under section 'Hidden Files and Folders' place radio button (little black dot)
next to 'show hidden files and folders' You may also want to take tick out of 'hide file extensions for known file types'
Click 'apply' then 'OK' an you are done.

hope of some value

Cheers


	Home ˇ Topics ˇ Submit News ˇ Top 10 This entire site, Cops Themes, and Computer Cops are Š 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright Š 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 841 pages served in previous 5 minutes. Page Rendered: 0.396 seconds.