   Mischel Internet Security Forum
   Malware
   Trojans
(Moderators: Helena, Gavin_Coe, Magnus)
   support4.exe/lldv.exe?
NanDog
Newbie
*



Gotta love that tinfoil beanie!

   


Posts: 15
support4.exe/lldv.exe?
« on: May 28th, 2007, 7:17pm »

After a number of years of using TH, this is the first "hit" I've ever received.  
 
This is my TH message:
 
Found trojan file: D:\i386\Apps\App30984\support4.exe/lldv.exe (Agent.1420)
1 files identified
 
As I usually surf sandboxed and use KIS in addition to TH, I did leave the file intact until someone tells me otherwise.
 
Comments, TH gurus? :)
 
Thanks!
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
Posts: 5641
Re: support4.exe/lldv.exe?
« Reply #1 on: May 29th, 2007, 12:00am »

Would you please submit lldv.exe for analysis.  It does not seem to be a known executable on Google.  The link below explains how to submit a file.
 
http://www.misec.net/forum/board/FAQ/1139308293

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
NanDog
Re: support4.exe/lldv.exe?
« Reply #2 on: May 29th, 2007, 2:55pm »

I didn't notice this yesterday as I was running my TH scan and posting while I was doing all my never-ending yard chores. This file is in my D: drive which is my System Recovery partition.
 
If you wish I'll still submit it.
siliconman01
Re: support4.exe/lldv.exe?
« Reply #3 on: May 30th, 2007, 1:44am »

Yes, please submit so that Gavin can take a look at the file. ;)
NanDog
Re: support4.exe/lldv.exe?
« Reply #4 on: May 30th, 2007, 3:35pm »

Well, that partition seems to be protected.  If I try to access it with Windows Explorer I get a "PC Angel" message that says I shouldn't mess with that partition.  I just can't seem to get there but I think I'll try in safe mode.
 
Also, I saw the instructions for submitting a file for licensed users (which includes me).  It says to click on "Submit this file for analysis."  I thought that'd be an easy way to submit but I can't seem to find that option.
 
NanDog
Re: support4.exe/lldv.exe?
« Reply #5 on: May 30th, 2007, 3:51pm »

Shoot, forgot to include this info. Every time I scan with TH it picks up a different .exe within support4.exe.  The last warning said this: "Found trojan file: D:\i386\Apps\App30984\support4.exe/sqEiKVC.exe (Agent.1420)
1 files identified"
 
But I still can't access my D:System Recovery partition.  This is a 3-month old Gateway box and I'm still getting used to it.
 
Any suggested progs that will allow me to get there?
 
Thanks!
siliconman01
Re: support4.exe/lldv.exe?
« Reply #6 on: May 30th, 2007, 10:53pm »

Quote:
Also, I saw the instructions for submitting a file for licensed users (which includes me).  It says to click on "Submit this file for analysis."  I thought that'd be an easy way to submit but I can't seem to find that option

 
This option only appears if TH finds a "possible trojan"....not if it feels it has clearly identified a trojan.  
 
Can you access those files in SAFE MODE?  If so, copy them off to a CD or other location and then boot back into normal mode and submit the files.  You probably need to be logged in with an Administrator account.
« Last Edit: May 30th, 2007, 10:55pm by siliconman01 »
NanDog
Re: support4.exe/lldv.exe?
« Reply #7 on: May 31st, 2007, 1:13am »

Nope, tried my Admin account and safe mode.  Still can't get to that file.
 
BTW, what the heck is "PC Angel"?  I googled and got very little information on this.  
 
I also saw that someone over at CastleCops had identified the support4.exe file as a possible baddie but was locked out of the recovery partition due to PC Angel.
siliconman01
Re: support4.exe/lldv.exe?
« Reply #8 on: May 31st, 2007, 1:58am »

PC Angel  
 
http://www.pcangelle.com/WW70AWP/WW70AWP.EXE/CTX_1452-0-YNYWfayBZH/pcale _welcome/SYNC_600816109
 
Do you have PC Angel on your system?
 
It does look like Support4.exe may be a keylogger.  HOWEVER, it's possible that Support4.exe is a good program whose name has been mimicked by a bad program.  Happens all the time.
 
Also, did you try running TrojanHunter scanner in SAFE MODE to see if it could Quarantine these files?
« Last Edit: May 31st, 2007, 2:01am by siliconman01 »
NanDog
Re: support4.exe/lldv.exe?
« Reply #9 on: Jun 1st, 2007, 12:46am »

To answer your question about PC Angel:  When I try to access the system recovery partition I get a window that says it's protected by PC Angel.  That's as far as I can get whether I'm in normal mode, in safe mode, with Explorer or whatever.
 
I ran TH in safe mode and there was a different file recognized (but the path was still support4.exe) but I could not quarantine.  The only option that TH is giving me is to "clean."
 
This box is behind a router, and as I said, I usually surf sandboxed, KIS runs, I also use Spybot, Adaware on demand, SpywareBlaster and TH Guard.
 
I regularly scan with TH and this is the first time anything's been found.
 
I'm thinking I'll just let TH clean those files and maybe clear out my restore points.
 
What do you think?
siliconman01
Re: support4.exe/lldv.exe?
« Reply #10 on: Jun 1st, 2007, 12:59am »

Quote:
I'm thinking I'll just let TH clean those files and maybe clear out my restore points.  
 
What do you think?

 
Yes, I agree with this.  When TH "cleans", it places the cleaned file in Quarantine...assuming you are running V4.6.930 of TH.  Cleaned now means place in Quarantine.
« Last Edit: Jun 1st, 2007, 1:00am by siliconman01 »
NanDog
Re: support4.exe/lldv.exe?
« Reply #11 on: Jun 1st, 2007, 2:57pm »

"When TH "cleans", it places the cleaned file in Quarantine...assuming you are running V4.6.930 of TH.  Cleaned now means place in Quarantine."
 
Ah....that's the bit I was missing.  I didn't know that cleaning quarantines the file.
 
I'll take care of that over the weekend.
NanDog
Re: support4.exe/lldv.exe?
« Reply #12 on: Jun 2nd, 2007, 1:12am »

OK, I allowed TH to clean.  Support4.exe now is in quarantine.
 
How do I submit the file?  Is it in my TH folder somewhere?
 
TIA!
siliconman01
Re: support4.exe/lldv.exe?
« Reply #13 on: Jun 2nd, 2007, 1:20am »

Yes.  Look in C:\Program Files\TrojanHunter 4.6\Quarantine.  You will find it in the Quarantine folder.  Note that it will have a weird name and will not be Support4.exe.  That's part of TH's encryption/protection.  Just submit the weirdly named file and Gavin will be able to analyze it.
Gavin_Coe
Trojan Analyst
*****





   
WWW  

Posts: 2025
Re: support4.exe/lldv.exe?
« Reply #14 on: Jun 2nd, 2007, 9:07pm »

Thanks! Fixed. Submitted file is clean.