UPX.txt Packer on tds3 demo version
gardelvis
December 22nd, 2003, 12:13 AM
:'( I checked my demo version of TDS3 with Avast antivirus and it reports a UPX.txt Packer (I detected it first with Avast reporting this as ASPack, categorized as a trojan packer). And then I downloaded Pest Patrol and it reported this UPX.txt in the directory External Plug Ins or somewhere like that, so I have to remove the program.
Is this UPX.txt archive coming with the demo? Or do I have another Trojan or Worm? Please, somebody help me!!!
Paul Wilders
December 22nd, 2003, 01:00 AM
gardelvis,
This is a perfectly safe and sound file, used by much similar software. It should reside (5.45 KB in size) in:
C:\Program Files\TDS3\Ext.Unpk
Here's the contents from this text file:
-----BEGIN PGP SIGNED MESSAGE-----
ooooo ooo ooooooooo. ooooooo ooooo
`888' `8' `888 `Y88. `8888 d8'
888 8 888 .d88' Y888..8P
888 8 888ooo88P' `8888'
888 8 888 .8PY888.
`88. .8' 888 d8' `888b
`YbodP' o888o o888o o88888o
The Ultimate Packer for eXecutables
Copyright (c) 1996-2000 Markus Oberhumer & Laszlo Molnar
http://wildsau.idv.uni-linz.ac.at/mfx/upx.html
http://www.nexus.hu/upx
http://upx.tsx.org
PLEASE CAREFULLY READ THIS LICENSE AGREEMENT, ESPECIALLY IF YOU PLAN
TO MODIFY THE UPX SOURCE CODE OR USE A MODIFIED UPX VERSION.
ABSTRACT
========
UPX and UCL are copyrighted software distributed under the terms
of the GNU General Public License (hereinafter the "GPL").
The stub which is imbedded in each UPX compressed program is part
of UPX and UCL, and contains code that is under our copyright. The
terms of the GNU General Public License still apply as compressing
a program is a special form of linking with our stub.
As a special exception we grant the free usage of UPX for all
executables, including commercial programs.
See below for details and restrictions.
COPYRIGHT
=========
UPX and UCL are copyrighted software. All rights remain with the authors.
UPX is Copyright (C) 1996-2000 Markus Franz Xaver Johannes Oberhumer
UPX is Copyright (C) 1996-2000 Laszlo Molnar
UCL is Copyright (C) 1996-2000 Markus Franz Xaver Johannes Oberhumer
GNU GENERAL PUBLIC LICENSE
==========================
UPX and the UCL library are free software; you can redistribute them
and/or modify them under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of
the License, or (at your option) any later version.
UPX and UCL are distributed in the hope that they will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; see the file COPYING.
SPECIAL EXCEPTION FOR COMPRESSED EXECUTABLES
============================================
The stub which is imbedded in each UPX compressed program is part
of UPX and UCL, and contains code that is under our copyright. The
terms of the GNU General Public License still apply as compressing
a program is a special form of linking with our stub.
Hereby Markus F.X.J. Oberhumer and Laszlo Molnar grant you special
permission to freely use and distribute all UPX compressed programs
(including commercial ones), subject to the following restrictions:
1. You must compress your program with a completely unmodified UPX
version; either with our precompiled version, or (at your option)
with a self compiled version of the unmodified UPX sources as
distributed by us.
2. This also implies that the UPX stub must be completely unmodfied, i.e.
the stub imbedded in your compressed program must be byte-identical
to the stub that is produced by the official unmodified UPX version.
3. The decompressor and any other code from the stub must exclusively get
used by the unmodified UPX stub for decompressing your program at
program startup. No portion of the stub may get read, copied,
called or otherwise get used or accessed by your program.
ANNOTATIONS
===========
- You can use a modified UPX version or modified UPX stub only for
programs that are compatible with the GNU General Public License.
- We grant you special permission to freely use and distribute all UPX
compressed programs. But any modification of the UPX stub (such as,
but not limited to, removing our copyright string or making your
program non-decompressible) will immediately revoke your right to
use and distribute a UPX compressed program.
- UPX is not a software protection tool; by requiring that you use
the unmodified UPX version for your proprietary programs we
make sure that any user can decompress your program. This protects
both you and your users as nobody can hide malicious code -
any program that cannot be decompressed is highly suspicious
by definition.
- You can integrate all or part of UPX and UCL into projects that
are compatible with the GNU GPL, but obviously you cannot grant
any special exceptions beyond the GPL for our code in your project.
- We want to actively support manufacturers of virus scanners and
similar security software. Please contact us if you would like to
incorporate parts of UPX or UCL into such a product.
Markus F.X.J. Oberhumer Laszlo Molnar
markus.oberhumer@jk.uni-linz.ac.at ml1050@cdata.tvnet.hu
Linz, Austria, 25 Feb 2000
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBOLaLS210fyLu8beJAQFYVAP/ShzENWKLTvedLCjZbDcwaBEHfUVcrGMI
wE7frMkbWT2zmkdv9hW90WmjMhOBu7yhUplvN8BKOtLiolEnZmLCYu8AGCwr5wBf
dfLoClxnzfTtgQv5axF1awp4RwCUH3hf4cDrOVqmAsWXKPHtm4hx96jF6L4oHhjx
OO03+ojZdO8=
=CS52
-----END PGP SIGNATURE-----
As you see, there's no need at all to uninstall TDS3 for this ;) - and no, your system is not compromised in any way.
regards.
paul
Jooske
December 22nd, 2003, 08:09 AM
Hello gardelvis and welcome to the forum.
As you can see the file is in TXT format, and a txt can never run, so it can never be a trojan, let alone a live infection.
As Paul was so kind to post, you can see it is a txt file; there is of course also the unpacker itself, which unpacks files into a protected folder so that possible malicious code can be detected, after which the copied and scanned code is deleted again.
This unpacker is a very well-known one, which the other companies whose software you use should also have known about and added to their definitions since 1996, even if it had been the executable engine itself.
Do the following: with TDS installed, update the definitions from the website http://tds.diamondcs.com.au/radius.td3 and put that update in the TDS-3 directory, overwriting the current one which came with the installation.
Depending on your system configuration (more drives/partitions, network, whatever you have) you can add to TDS > Edit Config Scans Text > Scans > Full system Scans.txt all available scans and all logical drives, save, and via System Testing > Scan Control check all possible options, and on the next tab too, including the worm slider, all to the highest sensitivity > OK > open it again for Full System Scan.
As this is a rather heavy process, you might like to speed it up by closing all unnecessary programs and windows till it's finished. A good moment is when you're not around for a while.
In the bottom console you'll find possible alerts. Right-click on an alert to get a menu to investigate a file and to save all alerts to one text file.
I'm interested to read about your possible finds so we can help by advising you what to do with those alerts.
Of course I hope you find nothing wrong and your system turns out to be very clean.
gardelvis
December 26th, 2003, 08:46 PM
The story is this: recently, with Avast and TDS-3, I detected a trojan horse in a file which was at C:\ddm.exe (I have a dual-booting system with Windows XP and Windows 98 first edition). When I tested the directory of TDS-3 with Avast Home Edition 4 it said that the files were impossible to scan because of being packed with ASPack (known as a trojan packer).
Then, after several tests on XP and Windows, Avast 4 finally found a Win32:Blaster-C, first on my swapfile and then the terrible Win32:Crypto. I also subscribed to the Avast forum and a person nicknamed Avat Evangelist told me that these were false alarms. But I suspect I've got the Crypto thing since every time I connect to the Web my firewall (which is a Sygate Personal Firewall, last home version) tells me again and again that a NEW DLL IS LOADED FROM INTERNET EXPLORER (AND I DIDN'T UPGRADE IT).
So, in your opinion, am I infected by those things?
Also I checked my PC with PC-cillin online (it didn't report anything) and I also downloaded FixBlaster.exe from Symantec. So if you can help me I'd
be very grateful to you. Best regards and Merry Christmas.
gardelvis
December 26th, 2003, 11:07 PM
After all these things I've explained in re:3, I reinstalled TDS3 and scanned with Avast and it reports that the directory is compressed by ASPack. Please help me!!!
Paul Wilders
December 27th, 2003, 12:08 AM
gardelvis,
ASPack is essentially very well-known and widely used software; have a look over here (http://www.aspack.com/aspack.html). So the mere fact that software is compressed using ASPack does not imply there's something fishy going on. This goes for TDS3 as well ;)
As for W32 Crypto: as far as I know, this is a virus and not a trojan (as you know, TDS is not an antivirus), and isn't in the wild yet. Do you have some additional info about this W32 Crypto virus that infected your system before?
-{ Quote: "But I suspect I´ve got The Crypto thing since every time I connect to the Web my firewall ( which is a Sygate Personal Firewall last home version ) tells me once and another time that a NEW DLL IS LOADED FROM INTERNET EXPLORER ( AND I DIDN´T UPGRADE IT )." }-
I would recommend submitting the file(s) in question to your antivirus company for examination. A copy can be submitted as well to DCS.
Merry Christmas to you as well.
regards.
paul
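Paul's two answers above (the UPX.txt is a license text file, and ASPack compression by itself is not a sign of anything malicious) come down to one check anyone can run: look at the bytes rather than the filename or the scanner's label. The script below is an added example written for this page; it is not part of the original thread and not DiamondCS/TDS, Avast or PestPatrol code. It tells a plain-text file apart from a Windows PE executable, and for a PE reports the publicly known default fingerprints of UPX (UPX0/UPX1 section names and the "UPX!" header marker) and ASPack (.aspack/.adata section names). All inputs are constructed inline, including the minimal PE headers it builds as fixtures; the sample names and function names are mine. Two caveats for anyone using it on real files: section names are trivially renamed, so a miss proves nothing, and a hit only tells you which packer was used, not whether the program inside is malicious.

```python
"""Tell a plain-text file (such as the quoted UPX license text) apart from a
PE executable, and fingerprint UPX/ASPack packing on a PE.

Added example for this thread; not TDS, Avast or PestPatrol code. The
section-name markers are the publicly known defaults of each packer; the
sample inputs below are constructed here, not taken from any real file.
"""
import struct
import sys

# Default section names written by the packers (trivial to rename: heuristic only).
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}
ASPACK_SECTIONS = {b".aspack", b".adata"}
UPX_MAGIC = b"UPX!"  # marker in the UPX header embedded in every packed file


def is_plain_text(data: bytes) -> bool:
    """Printable ASCII plus tab/CR/LF and no NUL bytes: nothing a loader could run."""
    if not data or b"\x00" in data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) > 0.95


def pe_section_names(data: bytes):
    """Return the section names of a PE image, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    # COFF header follows the 4-byte signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16; the section table follows the optional header.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; the name is the first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\x00"))
    return names


def classify(data: bytes) -> str:
    """'text', 'pe-packed-upx', 'pe-packed-aspack', 'pe-unpacked' or 'unknown-binary'."""
    if is_plain_text(data):
        return "text"
    names = pe_section_names(data)
    if names is None:
        return "unknown-binary"
    if any(n in UPX_SECTIONS for n in names) or UPX_MAGIC in data:
        return "pe-packed-upx"
    if any(n in ASPACK_SECTIONS for n in names):
        return "pe-packed-aspack"
    return "pe-unpacked"


def build_pe(section_names, trailer=b"") -> bytes:
    """Construct a minimal PE32 header with the given section names (test fixture only)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(224)                    # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x0102)
    sections = b"".join(n.ljust(8, b"\x00") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sections + trailer


# Constructed samples: an excerpt in the spirit of the quoted UPX.txt, plus three PEs.
SAMPLES = {
    "UPX.txt (license text)": (
        b"-----BEGIN PGP SIGNED MESSAGE-----\n"
        b"The Ultimate Packer for eXecutables\n"
        b"Copyright (c) 1996-2000 Markus Oberhumer & Laszlo Molnar\n"
    ),
    "upx-packed.exe": build_pe([b"UPX0", b"UPX1", b".rsrc"], trailer=UPX_MAGIC),
    "aspack-packed.exe": build_pe([b".text", b".aspack", b".adata"]),
    "plain.exe": build_pe([b".text", b".data", b".rsrc"]),
}


def classify_samples() -> dict:
    return {name: classify(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # classify real files named on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(f"{path}: {classify(fh.read())}")
    else:
        for name, verdict in classify_samples().items():
            print(f"{name}: {verdict}")
```

Run it with no arguments to see the four constructed samples classified, or pass file paths (for instance the UPX.txt from the Ext.Unpk directory Paul mentions) to classify real files. A "text" verdict means there is no MZ/PE header and no code for Windows to execute, whatever the scanner's packer signature said about the file.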
Jooske
December 28th, 2003, 07:52 PM
How about confronting PestPatrol and Avast with their detections of a TEXT file describing UPX as a trojan????
A text file CAN NOT run! I can imagine PP also detecting INFO about nasties if you configure it to report on and scan text files too, but it should not react to plain text files about legal, normal software.
Sending the files with your comments to them enables them to refine their detection databases.
Go to http://www.avp.ru/, get to the language version you prefer, at the bottom find "online virus scan", submit the file and in a few seconds you have their reply.
The detected files: zip a copy and do as Paul asked, submit to the TDS lab and you will hear their comments.
The original TDS UPX TEXT or EXE files are no trojans, viruses, worms, scripts, dialers, keyloggers or other illegal things.
The info about Win32:Crypto already tells you in the first couple of lines that you can't have that infection, as it immediately disables Avast and other scanners, which still seem to be working on your system.
http://www.avp.ch/avpve/newexe/win32/crypto.stm
Read the rest of the article, and any suspicious finds, submit them to the TDS lab; they will love to help you out where they can, even though it's no trojan.
BTW: for enhancing your security, you probably will love to register your TDS copy, as that enables you to install the exec protection, which scans every executable for possible malicious code before it is allowed to run at all, or blocks it before its first breath; not a bad idea.
For worms make sure to have WormGuard running too, and you will love Port Explorer to keep a real-time eye on all connections and data traffic from and to your system.
For the XP partition you will love ProcessGuard, so vital processes (or any you protect with it) can't be stopped anymore, while in the meantime you might like to encrypt important data on your system with CryptoSuite, so neither trojans nor other spying eyes can get to it anymore.
On the DiamondCS products sites you will find a lot of security enhancement to make internet a nice and secure experience again!
Post your experiences back please.
PS: in the meantime I wonder about the ddm.exe: is that a legal file or a recent one?
In case you also find a Sysu.exe you had better look here (http://216.239.59.104/search?q=cache:ChW3kAaMVj4J:geekatwork.blogspot.com/+ddm.exe&hl=nl&ie=UTF-8): the ddm mentioned in the article "have your taskbar and desktop icons disappeared"; even though you might not have those things happening yet, the ddm alarms me. And here (http://securityresponse.symantec.com/avcenter/venc/data/adware.dynamicupdater.html) and here (http://securityresponse.symantec.com/avcenter/venc/data/adware.dynamic.html) for removal instructions if you find the sysu.exe too. That is adware, btw, which Ad-aware and Spybot S&D would be able to find for you too.
Can you please give that an extra scan too with the updated TDS and via avp.ru?
With this, did we ask you already for a HijackThis log posted in the forum, where the specialists will help you looking at it?
You are dual booting, so you might like to post them from both Windows versions.
Not sure if your installation is such that you can scan everything from one partition, or whether you have to install TDS and the other scanners on each partition and do your scans from there. For HijackThis this is necessary anyway, for autostart logging of each partition separately!
Pieter_Arntz
December 28th, 2003, 08:01 PM
Hi Jooske,
ddm as in Dynamic Desktop Media is spyware.
And becoming a very common nuisance very quickly.
Regards,
Pieter
Jooske
December 28th, 2003, 08:21 PM
That's right Pieter, thanks; Symantec names it part of Adware.DynamicUpdater, with the name you mentioned for the DDM part of it.
It fits with the story: Gardelvis sees updates each time, as indeed the thing is updating itself, as adware tends to do.
I suppose it has nestled itself into the IE browser.
I'm surprised that even though the Symantec sites say Linux is not affected, I now see it mentioned on Linux forums too.
Hope posting the HijackThis files can help Gardelvis to be cleansed completely of every nasty before it was even invented!
Gardelvis, first clean out, get good tools, and surely you'll get some very good advice about some extras you can find in the forums here (thinking of the JavaCool protection too).
gardelvis
December 31st, 2003, 04:22 PM
Thanks to Paul, Jooske and the other people I don't remember for your answers. Finally I decided to format my disks, and in the Avast forum (in which I'm subscribed with the same user name) a person told me that these were all false alarms. So thank you very much for all the replies
AND HAVE A HAPPY NEW YEAR :)
Copyright ©2002 - 2012, Wilders Security Forums