EWIDO found something, can I delete it, or is it false?


Slovak
March 12th, 2004, 08:03 AM
Backdoor.Connection.1.1 located in C:\winnt\system32\mswinsck.ocx

I quarantined it for now, can I delete this? I have three identical setups here, and it was found on two of the three computers.

Paul Wilders
March 12th, 2004, 08:10 AM
Slovak,

By all means: no. Please follow the instructions mentioned in my post over on this thread (http://www.wilderssecurity.com/showthread.php?t=24295) and double check first. This might well be a false positive.

Post results after performing the free online scan please.

regards.

paul

Slovak
March 12th, 2004, 08:19 AM
Current object: quaraFile0.ess


quaraFile0.ess Archive: GZIP
quaraFile0.ess/1079097497 Ok

Statistics:

--------------------------------------------------------------------------------
Known viruses: 83836 Updated: 12.03.2004
File size (Kb): 54 Scan time: 00:00:01
Speed (Kb/sec): 54 Virus bodies: 0
Archives: 1 Packed: 0
Folders: 0 Files: 2
Suspicious: 0 Warnings: 0

Paul Wilders
March 12th, 2004, 08:22 AM
...so it's a false positive, i.e. a perfectly safe and sound file.

Before deleting, it's recommended to perform a double check here.

regards.

paul

Slovak
March 12th, 2004, 08:24 AM
I restored it on one, but accidentally deleted it on the other :-[ any ideas how to get it back?

hokhost
March 12th, 2004, 08:24 AM
I quarantined mswinsck.ocx after a scan with ESS.

After a reboot:
- TDS3 could not update its database anymore,
- and the TDS3 GUI would not load.

... I then restored the suspected file, all is OK now ...

ronny
March 12th, 2004, 08:28 AM
hokhost wrote:
> I quarantined mswinsck.ocx after a scan with ESS.
>
> After a reboot:
> - TDS3 could not update its database anymore,
> - and the TDS3 GUI would not load.
>
> ... I then restored the suspected file, all is OK now ...

Hokhost, this is a FALSE positive. I already contacted ESS and they said they will fix it with the next update!

Look here:

http://www.wilderssecurity.com/showthread.php?t=24295

Paul Wilders
March 12th, 2004, 08:32 AM
Good for ESS ;)

Gents, please take care here - one can easily delete a vital system file as a result of such a false positive. Testing and playing around with relatively new software can come with risks.

regards.

paul

Pieter_Arntz
March 12th, 2004, 08:57 AM
Slovak wrote:
> I restored it on one, but accidentally deleted it on the other :-[ any ideas how to get it back?

Can you transfer it from one box to another?
Place it in the proper directory
Click Start > run > type or copy&paste regsvr32 "C:\winnt\system32\mswinsck.ocx"

Regards,

Pieter
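
Before copying the file from a "good" box to the one where it was deleted, it is worth confirming that the remaining copies actually agree with each other, since the thread's premise is three identical setups. The script below is an added example written for this page, not code from the thread, from Ewido or from any of the posters. It hashes each copy, picks the majority hash as the reference, flags any copy that disagrees, and runs a minimal MZ/PE header sanity check so that a truncated or junk file is not registered by mistake. The host names, the paths and the sample file bytes are constructed for the demonstration; a real mswinsck.ocx would be read from disk with the load_copies helper after being fetched from each machine out of band.

```python
"""Cross-check copies of an OCX pulled from supposedly identical machines
before one copy is restored and re-registered with regsvr32.

Added example for this page; not part of the original thread or of any
vendor's tooling. Hosts, paths and file contents below are constructed.
"""
import hashlib
import struct
from collections import Counter
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes as a hex string (used as the comparison key)."""
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """Minimal sanity check for a Windows PE image such as an .ocx:
    'MZ' DOS header, e_lfanew offset at 0x3C, and a 'PE\\0\\0' signature there."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def load_copies(paths: dict[str, str]) -> dict[str, bytes]:
    """Read each host's copy from disk (paths are assumed to be local mounts
    or files already copied over from the other machines)."""
    return {host: Path(p).read_bytes() for host, p in paths.items()}


def compare_copies(copies: dict[str, bytes]) -> dict:
    """Hash every copy, take the majority hash as the reference and report
    which hosts agree, which do not, and which are not even valid PE files.
    With no clear majority (e.g. two copies that differ) there is no consensus
    and every host is listed as an outlier, so nothing gets restored blindly."""
    hashes = {host: sha256_hex(data) for host, data in copies.items()}
    top_hash, top_count = Counter(hashes.values()).most_common(1)[0]
    has_majority = top_count >= 2 and top_count > len(copies) - top_count
    consensus = top_hash if has_majority else None
    return {
        "hashes": hashes,
        "consensus": consensus,
        "agreeing": sorted(h for h, v in hashes.items() if v == consensus),
        "outliers": sorted(h for h, v in hashes.items() if v != consensus),
        "non_pe": sorted(h for h, d in copies.items() if not looks_like_pe(d)),
    }


def make_fake_pe(body: bytes) -> bytes:
    """Constructed stand-in for an OCX: valid MZ/PE headers around an
    arbitrary body. This is NOT a real mswinsck.ocx."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    return bytes(header) + b"PE\x00\x00" + body


if __name__ == "__main__":
    # Constructed scenario: two boxes still hold the file, a third holds a
    # copy with one byte appended (stands in for a tampered or truncated file).
    good = make_fake_pe(b"A" * 64)
    sample = {"box1": good, "box2": good, "box3": good + b"\x00"}
    report = compare_copies(sample)
    for host, digest in report["hashes"].items():
        print(f"{host}: {digest}")
    print("consensus:", report["consensus"])
    print("agreeing:", report["agreeing"], "outliers:", report["outliers"])
    print("not a PE image:", report["non_pe"])
```

Only a copy from the "agreeing" set should be placed in C:\winnt\system32 and registered with the regsvr32 command Pieter gives above. Two caveats: a matching hash proves the copies are consistent with each other, not that the file is clean (if all boxes received the same drop they would agree too), and this check does not verify the file's Authenticode signature; on a Windows host that can be done separately with PowerShell's Get-AuthenticodeSignature before registering.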

Paul Wilders
March 12th, 2004, 11:16 AM
Pieter,

Pieter wrote:
> Can you transfer it from one box to another?

That's exactly how the problem has been solved ;)

regards,

paul

hokhost
March 12th, 2004, 01:02 PM
It's because I thought it was a FP that I quarantined it and didn't delete it ...
Still, I like Ewido SS :)

Anyone knows when the commercial version will be out ?

Thx

Pieter_Arntz
March 15th, 2004, 06:27 AM
Paul Wilders wrote:
> That's exactly how the problem has been solved ;)

What, where, how did I miss? ???

Pieter

Paul Wilders
March 15th, 2004, 07:08 AM
Pieter_Arntz wrote:
> Paul Wilders wrote:
> > That's exactly how the problem has been solved ;)
>
> What, where, how did I miss? ???
>
> Pieter

You didn't miss anything - this has been discussed off-board ;)

regards.

paul

Slovak
March 15th, 2004, 07:19 AM
I have learned my lesson to always quarantine instead of deleting files, no matter what trojan or AV software you use, because none of them are 100% accurate and foolproof.

illukka
March 15th, 2004, 09:19 AM
mswinsck.ocx is really a common part of trojans (a runtime needed by Visual Basic backdoors), so to make sure that the server runs on the target machine (the attacker doesn't know which OS), it's often included in the server package. Examples are MoSucker and Rewind, or COF.

most of the time it's a legit file

peter.ewido
March 15th, 2004, 06:47 PM
Slovak wrote:
> Current object: quaraFile0.ess
>
> quaraFile0.ess Archive: GZIP
> quaraFile0.ess/1079097497 Ok
>
> Statistics:
>
> --------------------------------------------------------------------------------
> Known viruses: 83836 Updated: 12.03.2004
> File size (Kb): 54 Scan time: 00:00:01
> Speed (Kb/sec): 54 Virus bodies: 0
> Archives: 1 Packed: 0
> Folders: 0 Files: 2
> Suspicious: 0 Warnings: 0

Btw, you can't scan ESS quarantine files because they're not just zipped, they're also encrypted.