siliconman01
Global Moderator
    
 Trojans! Chew 'em Up, Spit 'em Out...
Posts: 5516
Re: Trojan.win32.dnschanger.mc
« Reply #1 on: Sep 12th, 2007, 2:39pm »
Welcome to the forum, arachnid.

First, you really need to update to the latest version of TrojanHunter, which is Version 5.0. V4.6 is two significant revisions behind. The link below explains V5.0.
http://www.misec.net/forum/board/TrojanHunter/1189327431

I cannot find any info on the validity of kdemp.exe via a Google search. Therefore it is not possible for me to "guesstimate" whether it is truly malicious or not. Please do the following:

1. Submit the file kdemp.exe for analysis by Mischel Internet Security. The link below defines how to do this:
http://www.misec.net/forum/board/FAQ/1139308293

2. Run the file kdemp.exe through Virustotal and see what other scanners report. The link below is for Virustotal.
http://www.virustotal.com/
If Virustotal is busy, use Jotti:
http://virusscan.jotti.org/

Please post back what these scanners report on the file.

And lastly, the probable cause of THGuard not alerting first on the previous trojans is a matter of "who detects it the fastest and firstest" locking the infected file so others cannot see it. So ZoneAlarm is probably seeing the infection before THGuard. THGuard polls memory every 10 seconds looking for infections, so there is a fairly large window in there for ZoneAlarm to get there first.

Also, the blog post of 3-Aug-07 by Gavin Coe, "TrojanHunter Detection Rates", might explain further what you are seeing.
http://blog.misec.net/tag/trojans/