Problem
dallen
January 25th, 2004, 04:03 PM
I think that something may have attacked TDS on my system. When I try to run a full system scan TDS gets illegally shut down. Here is a picture of the error image:
http://web.ics.purdue.edu/~dallen/error.JPG
Jooske
January 26th, 2004, 12:47 AM
Hi Dallen, does this happen each time or was this one time, and if so, each time in a specific place? Not a crash on a corrupt rar file, to name an example?
dallen
January 26th, 2004, 10:01 AM
Jooske,
Good observation. It occurs every time, and every time at the same location. It happens when it gets to a folder that houses newly downloaded file-sharing files.
Pilli
January 26th, 2004, 10:22 AM
Probably a corrupt download or split RAR file Dallen :(
See if you can scan the rest of your HD without that folder.
Jooske
January 26th, 2004, 10:27 AM
Or, quoting Pilli in another posting (was digging for it, so you beat me Pilli :) )
"It maybe that TDS is trying to open a compressed file that it cannot handle such as some split archives - Try disabling Deep search inside of zip/rar files and re-scan. "
Must be possible to locate the culprit that way. You will still be safe, as this way the sleeping giant(s) in those archives keep sleeping and live nasties will be found anyway and can't harm you, as the exec protection would stop them in their tracks.
Of course i do hope with you there is nothing wrong there.
dallen
January 26th, 2004, 01:02 PM
Thanks for the information and help. I am doing as you suggest. However, I have a few questions. What is a .rar file? My intuition tells me that it is similar to a .zip file. How does one decompress a .rar file if that is what it is?
I did realize that there was a file in that download folder that would not let me delete it. It kept saying that the file was in use by another application, but I wasn't using it. How do I delete it? Did you say that my computer is safe? I completed a full system scan with Norton Antivirus and found nothing in terms of a virus, but I know that doesn't mean anything in the way of a trojan. Again, thanks for your help.
Jooske,
Despite our disagreements on some issues I very much respect you and your abilities. FYI.
Pilli
January 26th, 2004, 02:00 PM
Dallen, have you tried deleting it from safe mode? It may not get attached to whatever is using it in safe mode.
Also you could use Advanced Process Manipulation and/ or DelLater from here: http://www.diamondcs.com.au/index.php?page=products
If you get stumped, also download AsViewer from the same site and select Show services & Show drivers. Then save the contents to a text file, and copy and paste it into your next post for review.
HTH Pilli
spy1
January 26th, 2004, 02:11 PM
dallen - The first (and probably best) thing to try first is to start your computer in "Safe" Mode and see if the file can be deleted then and there normally.
If it can't (is still "In Use" by something or another) - then you have a couple of freeware options:
DelLater from DCS: http://www.diamondcs.com.au/index.php?page=dellater
or
GiPo@MoveOnBoot v1.9.5 (DIRECT D/L LINK!):
http://www.gibinsoft.net/gipoutils/bin/moveonb.exe
Either of those should remove the file at your next boot. Of the two, the GiPo product is easier to fool with - especially since it'll install an entry in your right-click menu that will automatically put in anything you click on to have it removed next time you boot. HTH Pete
dallen
January 26th, 2004, 02:15 PM
Please explain why fragmented files cause TDS-3 to crash.
Pilli
January 26th, 2004, 02:20 PM
Dallen, normal fragmented files do not.
If you mean corrupted files, then TDS has a problem and gets stuck trying to open them; it is a known bug :) and should cause no problem regarding TDS3's efficacy.
dallen
January 26th, 2004, 02:29 PM
Is that a problem that is fixable for TDS-4?
Pilli
January 26th, 2004, 02:30 PM
Yes, it has already been addressed, so we are informed :)
dallen
January 26th, 2004, 02:37 PM
Pilli,
I put that folder on my exclusion list and subsequently completed a full system scan which found nothing. Thank you. When you say that there is a corrupt .rar file I have some questions. First, what is a .rar file and how do they get corrupted? Does corrupt mean that I have a nasty on my system, or is it something that I simply delete and move on?
Jooske
January 26th, 2004, 02:52 PM
Hi Dallen, can you tell the name of the file which seems to be in use?
Normally a d/l folder would contain only files, and nothing installed there, so it does sound suspicious for me if you have a file there which would be in use in any way!
I'm googling for trojans looking for the d/l folder, but not really successful in that at this moment.
So a name or program name if you can remember could be helpful.
A rar is indeed another compression extension like zip.
It would look like file.rar, and the icon looks like a little pile of books in my opinion.
They can get corrupted because they were already at the place where you got it, during the download process or got corrupted due to ??? on your system.
TDS can handle rar files, if they are not corrupt so they can't be opened; you would most probably not either if you would try to open and install the file.
So if you located the one (?) file you might like to submit it to DCS for investigation.
Like Pilli said, the issue has full attention.
Looking forward to your next experience with this matter.
dallen
January 26th, 2004, 02:59 PM
I will be leaving school to go home, so give me a few hours to isolate the problem down to the specific file and I will let you know what I find and submit the file if need be. If a .rar or .zip file is password protected, could that also cause TDS to crash?
Jooske
January 26th, 2004, 03:14 PM
As far as i remember not: i have a few p.p. zip files and TDS does find whatever is in them.
Pilli
January 26th, 2004, 03:18 PM
Scans passworded .doc & .cse encrypted files no problem
dallen
January 26th, 2004, 05:59 PM
OK. Now this is weird. I'm home and suddenly I get a rash of emails that is alarming. I am going to post the contents of the emails in subsequent emails. I will also submit the two files that were attached to the last two of the series of emails. I am convinced now that I either have a worm or something. I have Worm Guard, TDS, and NAV 2004 Pro. All are up to date (except WG because it doesn't get updates). I've scanned and found nothing.
dallen
January 26th, 2004, 06:01 PM
The following message contained restricted attachment(s) which have been
removed:
From : dallen@purdue.edu
To : acs@metafile.com
Subject : Status
Message-ID: <MDAEMON-F200401261616.AA1609234md50000000283@metafile.com>
Attachment(s) removed:
-----------------------------------------
document.cmd
dallen
January 26th, 2004, 06:02 PM
From : <postmaster@metafile.com>
Reply-To : postmaster@metafile.com
Sent : Monday, January 26, 2004 5:16 PM
To : dallen@purdue.edu
Subject : MDaemon Notification -- Attachment Removed
The following message contained restricted attachment(s) which have been
removed:
From : dallen@purdue.edu
To : ETrap@metafile.com
Subject : Status
Message-ID: <MDAEMON-F200401261616.AA1609234md50000000283@metafile.com>
Attachment(s) removed:
-----------------------------------------
document.cmd
dallen
January 26th, 2004, 06:03 PM
From : <noelprod3@aol.com>
Sent : Monday, January 26, 2004 5:21 PM
To : dallen@purdue.edu
Hotmail has permanently blocked the following potentially unsafe attachment(s): document.pif (30 KB) More Info...
dallen
January 26th, 2004, 06:04 PM
From : <email@simag.si.edu>
Sent : Monday, January 26, 2004 5:24 PM
To : dallen@purdue.edu
Subject : hi
Hotmail has permanently blocked the following potentially unsafe attachment(s): text.scr (30 KB) More Info...
The message cannot be represented in 7-bit ASCII encoding and has been sent as a
binary attachment.
dallen
January 26th, 2004, 06:06 PM
From : <alang@bus.wisc.edu>
Sent : Monday, January 26, 2004 5:24 PM
To : dallen@purdue.edu
Subject : Status
--------------------------------------------------------------------------------
Attachment : file.zip (30 KB)
test
dallen
January 26th, 2004, 06:09 PM
From : Mail Delivery Subsystem <MAILER-DAEMON@aol.com>
Sent : Monday, January 26, 2004 5:30 PM
To : <dallen@purdue.edu>
Subject : Returned mail: User unknown
--------------------------------------------------------------------------------
Attachment : attach4 (573 bytes)
The original message was received at Mon, 26 Jan 2004 17:29:50 -0500 (EST)
from w-103173.wireless.wisc.edu [128.104.103.173]
*** ATTENTION ***
Your e-mail is being returned to you because there was a problem with its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".
The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".
The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered. The next line contains a second error message which is a
general translation for other e-mail servers.
Please direct further questions regarding this message to your e-mail
administrator.
--AOL Postmaster
----- The following addresses had permanent fatal errors -----
<dan@aol.com>
----- Transcript of session follows -----
... while talking to air-xj03.mail.aol.com.:
>>> RCPT To:<dan@aol.com>
<<< 550 MAILBOX NOT FOUND
550 <dan@aol.com>... User unknown
dallen
January 26th, 2004, 06:10 PM
I guess I have to submit the files some other way.
Longthing
January 26th, 2004, 06:34 PM
Could be this one:
W32/Mydoom@MM
http://vil.nai.com/vil/content/v_100983.htm
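A small triage script over notifications like the ones dallen pasted, as an added example (not code from this thread or from any product named in it): it parses the MDaemon, Hotmail and plain attachment notices, labels each attachment by extension, and marks mail that claims to come from one's own address, the forged-From pattern the bounces above show. The sample text and the extension lists are constructed from the names seen in this thread.

```python
import re

# Constructed sample, modelled on the notifications quoted in this thread.
SAMPLE_NOTIFICATIONS = """\
From : dallen@purdue.edu
Subject : Status
Attachment(s) removed:
-----------------------------------------
document.cmd

From : <noelprod3@aol.com>
Hotmail has permanently blocked the following potentially unsafe attachment(s): document.pif (30 KB) More Info...

From : <alang@bus.wisc.edu>
Subject : Status
Attachment : file.zip (30 KB)

From : Mail Delivery Subsystem <MAILER-DAEMON@aol.com>
Attachment : attach4 (573 bytes)
"""

# Runnable types seen in the thread, plus the archive wrapper mass mailers use.
EXECUTABLE_EXT = {".cmd", ".pif", ".scr", ".exe", ".bat", ".com"}
ARCHIVE_EXT = {".zip", ".rar"}
ATTACH_RE = re.compile(r"attachment\(s\):\s*(\S+)|Attachment\s*:\s*(\S+)"  # Hotmail, plain
                       r"|Attachment\(s\) removed:\s*\n-+\n(\S+)")          # MDaemon notice
ADDR_RE = re.compile(r"^From\s*:.*?([\w.+-]+@[\w.-]+)", re.M)
SUBJ_RE = re.compile(r"^Subject\s*:\s*(.*)$", re.M)


def risk_of(filename):
    """Label an attachment by extension: executable, archive or other."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    return ("executable" if ext in EXECUTABLE_EXT
            else "archive" if ext in ARCHIVE_EXT else "other")


def triage(text, own_address):
    """One record per notification block; forged_from marks mail that claims
    to come from our own address, as the bounces in the thread did."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        m = ATTACH_RE.search(block)
        if not m:
            continue  # notification without an attachment name
        name = next(g for g in m.groups() if g)
        sender, subject = ADDR_RE.search(block), SUBJ_RE.search(block)
        addr = sender.group(1).lower() if sender else ""
        records.append({"sender": addr, "attachment": name, "risk": risk_of(name),
                        "subject": subject.group(1).strip() if subject else "",
                        "forged_from": addr == own_address.lower()})
    return records
```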
Jooske
January 26th, 2004, 07:05 PM
At the moment there are a few mass mailing infections going around like with dumaru and a few more; i also get strange stuff all of a sudden and mailer daemon notifications for bounced emails which never came from me at all, so be very careful with opening anything at all.
Noticed at yahoo the attachments are not visible from the outside anymore without opening an email, so there i look at the size and subjectline and sender before even touching an email, although after opening till now i saw the attachments in the bottom with ability to scan and clean before opening it. Hope that is with every possible infection there too!
If you do have to submit files please zip them or if that is not possible change the extension into .tmp for instance, so it can't run and scanners might make less problems.
Your attachment was 573 bytes; i just had one of 582 bytes which was changed into .txt, but i don't trust it at all as it does not show up in the email source. So that one goes zipped into further investigation; by no means i dare to separate the attachment from the email.
Nasty stuff!
Why do we get those things? Either somebody somewhere has our email on their computer, is infected or harvested, via internet and wherever, and the stuff is massmailed around. Remember klez?
dallen
January 26th, 2004, 07:21 PM
Oops, I separated the attachment from the email, but I never opened or ran the file. I did not change the extension or zip it though. ::)
Longthing
January 26th, 2004, 07:46 PM
There has been an update by LiveUpdate tonight. NAV2004 should be able to detect the virus now.
Jooske
January 26th, 2004, 08:14 PM
Depends on: saves Gavin lots of work if we dare to separate the attachments from the email and zip those and submit them that way. But only a few times i feel really bad about a strange thing and then i don't even dare to separate them. Or i zip the whole stuff, email included with the attachment, to be sure.
It might also prevent your samples from being corrupted or cleansed by scanners somewhere on the way.
Tonight i had a few very strange things: emails with infected attachments, both came zipped. So i thought that to be handy for forwarding. This was not possible; each time the emailer froze completely. So the only way was to copy them first to another folder and attach the whole email plus attachments into a new email and send it that way. i should have zipped them completely, i remember now, sorry Gavin!
Anyway, attached into a new email those nests could be sent away.
Nasty things; it was i-worm-novarg, seemingly a few variants.
You might see on your ports lots of portscans on 17300.
Caught various spybots there, also new varieties. So the guys are very occupied to keep us busy it seems.
dallen
January 26th, 2004, 11:28 PM
I downloaded the NAV update and completed an entire system scan. It appears that my system is clean. I have a question. Wouldn't Worm Guard protect me from this type of thing?
Unrelated to this I have another issue. Below is a modified screenshot of a program that has been installed on my system that I can't remove. See the image and you'll see the problem I'm having removing it. Any suggestions?
http://web.ics.purdue.edu/~dallen/Program and Removal Error.JPG
Pieter_Arntz
January 27th, 2004, 05:44 AM
Hi dallen,
Ebates has probably been removed by a spyware-remover.
To remove the orphaned entry in Add/Remove Software, have a look here:
http://www.winguides.com/registry/display.php/110/
Regards,
Pieter
jay111
January 27th, 2004, 08:08 AM
Quoting dallen:
"What is a .rar file? My intuition tells me that it is similar to a .zip file. How does one decompress a .rar file if that is what it is?"
:o
hi there!
yes it is a zip file specifically zipped and unzipped by WinRAR.
much more powerful than WinZip.
as for your problem in Add Remove, i get rid of them using SpyBot Search and Destroy (freeware) for spyware programmes.
also RegSupreme or Registry Healer will clean up unwanted or deleted programmes in Add Remove.
hoping this helps
regards
jay111 ;D
dallen
January 27th, 2004, 10:32 AM
Thanks very much. I did it and it worked. There was only one confusing thing about the directions given. Specifically, when it said this:
"To remove a program from the list you can simply highlight and delete the sub-key representing that program."
I wasn't sure if it wanted me to delete only the contents of the folder, or the whole folder. I deleted the whole folder. I think the folder is called a "key" and its contents are "key values." However, I figured I didn't need the empty folder in my registry. Oh, I should mention that I used regedit.
Pieter_Arntz
January 27th, 2004, 10:52 AM
Hi dallen,
In this case, where the program was not installed anymore anyway, that was the correct action. :)
Although I always look at the path for the uninstaller and check if that is in the programs folder or somewhere else.
Regards,
Pieter
edited typos