# Trojan Problem



## TheMailMan78 (Apr 1, 2011)

Ok MSE just found a Trojan on my rig. However the Trojan was in a trainer for a video game I have had for a few years now. I mean this trainer is from 2009 I believe. Why is MSE just NOW picking it up? Could it be a false reading with the new definitions? Should I be worried about anything?

I ask because Malwarebytes never picked it up either.

Here is the name of the Trojan.
Win32/Dynamer!dtc

Here's a link to the info...
http://www.microsoft.com/security/p...=Trojan:Win32/Dynamer!dtc&threatid=2147638124


----------



## CrackerJack (Apr 1, 2011)

If it's been on your computer this long and hasn't caused a problem.. I wouldn't worry. Yeah prob just a false reading. I have a folder that gets false readings all the time, no issues tho


----------



## streetfighter 2 (Apr 1, 2011)

Trainers are often picked up as viruses because they use DLL injection and other such things which would throw flags in your typical anti-virus.  If the anti-virus you're using has been recently updated it may have modified its heuristics, and as such, made a false-positive.

If you're still concerned, try uploading the file to virustotal.com.


----------



## TheMailMan78 (Apr 1, 2011)

CrackerJack said:


> If it's been on your computer this long and hasn't caused a problem.. I wouldn't worry. Yeah prob just a false reading. I have a folder that gets false readings all the time, no issues tho



lol how would I know if it caused a problem ya know?



streetfighter 2 said:


> Trainers are often picked up as viruses because they use DLL injection and other such things which would match the heuristics scanners in your typical anti-virus.  If the anti-virus you're using has been recently updated it may have modified its heuristics, and as such, made a false-positive.



See that's what I was thinking. But it seems to pick up a particular one which had me a little nervous.


----------



## sniviler (Apr 1, 2011)

I wouldn't worry about it after 3yrs, to be safe when I use trainers or no cd/dvd exe's I disable my network connection.

I use MSE too, give AVG Free a try for another quick scan.


----------



## CrackerJack (Apr 1, 2011)

TheMailMan78 said:


> lol how would I know if it caused a problem ya know?


Point taken, well the first thing I would check is if it's using an abnormal amount of CPU/RAM. If not... well your computer is still running I assume so.. it's ok



Edit: plus the WinBench and Ping program I made gave false readings also... And they were perfectly clean


----------



## twilyth (Apr 1, 2011)

I'd split the tie with something like Avast, spybot, avira (free or trial version), etc.  If 2 of the 3 pick it up, then I would take it seriously.

Also, just because the trainer is from 2009 doesn't mean it couldn't have been infected more recently.


----------



## Black Panther (Apr 1, 2011)

> Trojan:Win32/Dynamer!dtc is a name used for trojan detections that have been added to Microsoft antimalware signatures after advanced automated scan analysis.



Source


----------



## crazyeyesreaper (Apr 1, 2011)

It's a false positive mailman, seriously just grab Malwarebytes and do a scan, done. If that doesn't pick it up it's guaranteed a false positive. I've had trainers do it before, roughly 20+ of them in all since 2006, none were real viruses, aka 1 would get picked up via an anti virus but is deemed clean by 4-5 others, so don't sweat it


----------



## TheMailMan78 (Apr 1, 2011)

Black Panther said:


> Source



Yeah I know. I posted that link. But what does it mean?



twilyth said:


> I'd split the tie with something like Avast, spybot, avira (free or trial version), etc.  If 2 of the 3 pick it up, then I would take it seriously.
> 
> Also, just because the trainer is from 2009 doesn't mean it couldn't have been infected more recently.



How? I haven't even run it in months. Maybe in a year.


----------



## CrackerJack (Apr 1, 2011)

TheMailMan78 said:


> Yeah I know. I posted that link. But what does it mean?
> 
> How? I haven't even run it in months. Maybe in a year.



I believe he means, if you actually ran it since then..


----------



## TheMailMan78 (Apr 1, 2011)

CrackerJack said:


> I believe he means, if you actually ran it since then..



Oh no. I haven't run it in forever. Not only that, I've rebuilt my OS a few times since running it last.

I think it's what streetfighter 2 said about the heuristics. Anyway MSE just deleted it.


----------



## Kreij (Apr 1, 2011)

As SF2 said, upload the file to VirusTotal. It will run it through something like 20 different virus scan engines.


----------



## 95Viper (Apr 1, 2011)

Kreij said:


> As SF2 said, upload the file to VirusTotal. It will run it through something like 20 different virus scan engines.



^This!^

VirusTotal


----------



## Wrigleyvillain (Apr 1, 2011)

Trojan problem? Maybe next time don't buy the extra large Magnums. I mean I can't blame you and all but if they just aren't working out in the field you gotta swallow that pride, bro!


----------



## alexsubri (Apr 1, 2011)

Well according to

it is a false trojan. As stated above, trainers inject themselves into the game, which causes a false alarm on your anti virus. Most likely it was the virus update. Don't sweat it.


----------



## twilyth (Apr 1, 2011)

TheMailMan78 said:


> How? I haven't even run it in months. Maybe in a year.



You don't have to run a program for it to get infected.  A virus can look for exe's in the NTFS tables and infect them.  I don't know how common that is though.  Apparently not very.

alexsubri:  Virus total looks like a really cool app.


----------



## TheMailMan78 (Apr 1, 2011)

Well shit MSE deleted the file. What do?


----------



## DannibusX (Apr 1, 2011)

My problem with Trojan is I've never seen the serial number.


----------



## 95Viper (Apr 1, 2011)

Lotta trolling around here, lately...

Back on topic.



TheMailMan78 said:


> Well shit MSE deleted the file. What do?



Did it actually delete it or is it in quarantine?

Look here: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Quarantine\

or,

How do I remove or restore items quarantined by Microsoft Security Essentials?

Help and How-to


----------



## Completely Bonkers (Apr 2, 2011)

Damn, MSE just cut my backdoor to TMM's webcam. 

If you need a backup copy of that file... I have it as well as your large collection of f4p material and IRS submissions


----------



## TheMailMan78 (Apr 2, 2011)

95Viper said:


> Lotta trolling around here, lately...
> 
> Back on topic.
> 
> ...



No I checked. They are gone.


----------



## Kreij (Apr 2, 2011)

Problem solved then, no?


----------



## 95Viper (Apr 2, 2011)

TheMailMan78 said:


> No I checked. They are gone.



Well, let's see how good MSE is... Get Recuva or some other file recovery software and see if it can pull it out.



Kreij said:


> Problem solved then, no?



That is true funny.   Dam* good come back!


----------



## TheMailMan78 (Apr 2, 2011)

Well here's a link to the trainer. I am pretty sure this is the same one. It won't let me DL it anymore. Maybe someone could try for me and upload it to virustotal.com?

http://www.cheathappens.com/download_file.asp?id=23346


----------



## Kreij (Apr 2, 2011)

So you want us to download a potentially infected file so we can check it for you?
Have you slipped a cog, TMM?


----------



## 95Viper (Apr 2, 2011)

I got the file and got 23 out of 42 hits...

VirusTotal results of  jerclib4chotrn-ch.zip

Edit:
It is a zip and it won't do anything, unless you un-zip and run it.


----------



## TheMailMan78 (Apr 2, 2011)

Kreij said:


> So you want us to download a potentially infected file so we can check it for you?
> Have you slipped a cog, TMM?



I found the same exact file on another site here

http://games.softpedia.com/progDownload/Clive-Barkers-Jericho-4-Trainer-for-10-Download-22609.html

No not if you don't want to. But some people have rigs they don't care about or are just daring. I am hoping someone like that might help me.



95Viper said:


> I got the file and got 23 out of 42 hits...
> 
> VirusTotal results of  jerclib4chotrn-ch.zip
> 
> ...



So it is in fact a trojan?


----------



## Kreij (Apr 2, 2011)

Not necessarily. It just may have a signature similar to a trojan.
It may be benign.

When's the last time you used the trainer?


----------



## 95Viper (Apr 2, 2011)

I would say it is a high probability... but, what Kreij said could be true.  I had that happen one time I can recall - a long time ago.

The one at Softpedia was 22 out of 41 tests

Edit:
This file is not a trojan or virus, but it is a test file that contains the coded string of one.  Guess you could say it is neutered.

The Anti-Virus or Anti-Malware test file (read the complete text, it contains important information)


----------



## TheMailMan78 (Apr 2, 2011)

Kreij said:


> Not necessarily. It just may have a signature similar to a trojan.
> It may be benign.
> 
> When's the last time you used the trainer?



Months and MONTHS ago. Maybe a year. Not sure. I've rebuilt my system a few times since then.



95Viper said:


> I would say it is a high probability... but, what Kreij said could be true.  I had that happen one time I can recall - a long time ago.
> 
> The one at Softpedia was 22 out of 41 tests



Thanks Viper for checking the files for me. I really appreciate it.


----------



## Kreij (Apr 2, 2011)

So just delete the bitch and be done with it.


----------



## TheMailMan78 (Apr 2, 2011)

Kreij said:


> So just delete the bitch and be done with it.



Oh it's been gone. MSE deleted it on the spot. I'm just worried because I bank on this thing sometimes.


----------



## 95Viper (Apr 2, 2011)

TheMailMan78 said:


> Thanks Viper for checking the files for me. I really appreciate it.



No problem...

You want the file, I can re-name it and e-mail it to you.

Try it now: http://www.eicar.org/anti_virus_test_file.htm


----------



## TheMailMan78 (Apr 2, 2011)

Link's dead

http://the anti-virus or anti-malwa...ete text, it contains important information)/


----------



## Kreij (Apr 2, 2011)

So now Viper is going to send TMM a file that fails on 50% of the AV tests.
You guys are insane.


----------



## 95Viper (Apr 2, 2011)

Kreij said:


> So now Viper is going to send TMM a file that fails on 50% of the AV tests.
> You guys are insane.



Well, it is dormant now, but if he wants it to play with, ain't my computer it is loose on!

Edit: Kreij, I will let loose and you get a head shot on it before it grabs MM...

EDIT edit:
Knock Knock, Mailman, gotta deliver for ya!


----------



## TheMailMan78 (Apr 2, 2011)

Kreij said:


> So now Viper is going to send TMM a file that fails on 50% of the AV tests.
> You guys are insane.



Wait.....why would I DL that? I've got OCD and I'm already fighting this damn trojan fear.


----------



## Kreij (Apr 2, 2011)

@Viper : Delete the file, it's potentially a problem.
@TMM : I checked the code, it's just a fap trainer, you're already an expert and don't need it.


----------



## TheMailMan78 (Apr 2, 2011)

Kreij said:


> @Viper : Delete the file, it's potentially a problem.
> @TMM : I checked the code, it's just a fap trainer, you're already an expert and don't need it.



You downloaded the trainer for real?


----------



## Undead46 (Apr 2, 2011)

Why did you stick a condom in your computer, is the real question... -.-

But in all seriousness, probably just a false positive.

I get a detection from MSE whenever I install CrystalDisk[Mark/Info] into my computer...


----------



## Kreij (Apr 2, 2011)

TheMailMan78 said:


> You downloaded the trainer for real?



Ummm ... No.


----------



## 95Viper (Apr 2, 2011)

Kreij said:


> @Viper : Delete the file, it's potentially a problem.
> @TMM : I checked the code, it's just a fap trainer, you're already an expert and don't need it.



It is gone.  It was harmless unless run in the wild.

@TheMailMan78> Sorry, but I could not resist... MMMM, weakness Trojan OCD mmmmm, filed away for rainy day.


----------



## TheMailMan78 (Apr 2, 2011)

95Viper said:


> It is gone.  It was harmless unless run in the wild.
> 
> @TheMailMan78> Sorry, but I could not resist... MMMM, weakness Trojan OCD mmmmm, filed away for rainy day.



What do you mean wild?


----------



## Kreij (Apr 2, 2011)

TheMailMan78 said:


> What do you mean wild?



It will only affect aboriginal people in third world desert countries who have iPads.


----------



## 95Viper (Apr 2, 2011)

Not in a secure virtual environment (sandbox).
Wild: running free on your system (no restraints).

or what Kreij said, maybe!


----------



## TheMailMan78 (Apr 2, 2011)

95Viper said:


> Not in a secure virtual environment (sandbox).
> Wild: running free on your system (no restraints).
> 
> or what Kreij said, maybe!



Great.....just great.


----------



## Kreij (Apr 2, 2011)

TMM, quit worrying about it. If it's been on your system(s) since 2009 it most likely was designed in a way that today's anti-virus heuristic detection engines fuss about.

Worst case you re-install it and due to its replication abilities, you cause massive world-wide power outages, failed nuclear containment and more e-mail spam.


----------



## streetfighter 2 (Apr 2, 2011)

Kreij said:


> TMM, quit worrying about it. If it's been on your system(s) since 2009 it most likely was designed in a way that today's anti-virus heuristic detection engines fuss about.


I agree with Kreij.  There are even some programming languages (like Autoit) whose binaries are picked up by most virus scanners.

Also I wanted to mention, that in all 48 posts thus far, no one has [explicitly] written the words "*Virtual Machine*".  This is a task that is most well suited for a VM:
1) Boot up VM
2) Download potentially infected file
3) Scan->Unzip->Scan
4) Upload it to virustotal.com
5) Load up Process Monitor and set it to filter for the suspect executable.
6) Run the suspect executable
7) Observe its behavior in Process Monitor and run additional virus scans/hijackthis/etc

TMM may be OCD, but I'm paranoid to the point of wearing a Kevlar lined tin-foil hat.  My method is excellent assuming you have some experience with the given tools.

@95Viper - Up yours for proving me wrong.   I'm keeping the tinfoil hat, it saves me from having to talk to the neighbors.


----------



## 95Viper (Apr 2, 2011)

streetfighter 2 said:


> Also I wanted to mention, that in all 48 posts thus far, no one has written the words "Virtual Machine".  This is a task that is most well suited for a VM:



I believe I mentioned it.

To quote myself...


95Viper said:


> Not in a secure virtual environment (sandbox).
> Wild: running free on your system (no restraints).



Edit:

VirusTotal works on zipped files....no need to extract and no tin foil hat required!


----------
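The handling discussed in the thread (check the zip without unzipping or running it, then compare against VirusTotal) can be partly scripted. The following is an added example, not code from any poster: it hashes an archive and each of its members in memory, so the SHA-256 values can be looked up by hash instead of passing the file around. `triage_zip`, `build_sample_zip` and the sample archive are constructed for illustration.

```python
import hashlib
import io
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample: a harmless archive with a text file and a fake 'exe'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"constructed sample, not a real trainer\n")
        # 'MZ' is the DOS/PE magic; the rest is zero padding, so nothing here can run.
        zf.writestr("trainer.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def triage_zip(data: bytes, max_member_bytes: int = 64 * 1024 * 1024) -> dict:
    """Hash an archive and its members in memory; nothing is written to disk or run."""
    report = {"archive_sha256": hashlib.sha256(data).hexdigest(), "members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entry = {"name": info.filename, "size": info.file_size,
                     "sha256": None, "pe_header": False, "note": ""}
            if info.flag_bits & 0x1:  # bit 0 set = password-protected member
                entry["note"] = "encrypted, not hashed"
            elif info.file_size > max_member_bytes:  # declared size guard
                entry["note"] = "too large, not hashed"
            else:
                digest = hashlib.sha256()
                with zf.open(info) as member:
                    head = member.read(2)
                    entry["pe_header"] = head == b"MZ"  # looks like a Windows executable
                    digest.update(head)
                    for chunk in iter(lambda: member.read(65536), b""):
                        digest.update(chunk)
                entry["sha256"] = digest.hexdigest()
            report["members"].append(entry)
    return report


if __name__ == "__main__":
    result = triage_zip(build_sample_zip())
    print("archive", result["archive_sha256"])
    for m in result["members"]:
        flag = "PE" if m["pe_header"] else "--"
        print(m["sha256"], m["size"], flag, m["name"], m["note"])
```

The archive hash and the member hash are different values; a scanner verdict for one does not automatically appear under the other, so look up both.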

