A few days ago I had a false positive Alert re Rat.Haxdoor. After spending many hours googling to find more information, scanning etc, I was relieved to hear back that it was just a false alarm. As it was only one file, the last modified date a long time ago and none of the other AT raised any issues, I had been pretty relaxed.

Today, I downloaded the latest radius definitions and redid a scan in safe mode. Everything was clean, no alert re rat.haxdoor anymore nor anything else.

I had decided to purchase TDS-3 to be able to use automatic update and real-time protection but wanted to read up on wormguard and some of the other programs also offered by TDS (package deal). I went to the forum to search for more information and was going to ask some specific questions re CPU usage etc when I stumbled upon another thread re scanning of an individual file. As I wanted to try this ( in order to understand more about the working of TDS-3) I started the scan (working in normal (ie not safe Mode) and was shocked when all of sudden I was flooded with alerts. Mind you, this was just a few minutes after having done a full scan in safe mode with no alerts at all.

Here is just a selection of the alerts:
- worm plea
- worm duster
- worm bizex
- rat.phoenix II
- Rat.Glacier
- Rat.Sweetheart
- Binded.Hir
- worm fourseman
- Rat Cold.fusion
- worm.roach
- worm-alal

and more.
This time they all are in windows/temp\...
with the exception of two files that are in windows/system32.\dllcache\

The actual filenames do not sound harmless anymore (like with rat.haxdoor) but I am now looking at something like temp\great virus creation.kit.exe or temp/blabla.vbs.
By the way I wrote down all these 33 entries by hand as I could not find any log for this. I am sure there must be log of alerts that can be copied/printed/forwarded? The only log I found is the general log that does not show the alerts.

I switched back into safe mode to redo the full scan and the result: no alert whatsoever???
I am also unable to find any of these suspicious files on my PC though how the program was able to upload these to submit@tds (which I did) if I can't find them with explorer searching for all files incl. hidden files is another mystery to me.
Also, looking at some of these threats, they seem to be pretty old and should be covered by NOD32.
Finally, having now done a full scan with Trojanhunter showing absolutely nothing, I wonder even more. Even assuming TDS-3 is the better product, surely Trojanhunter should pick up some of the more than 30 alerts?

Can someone please tell me what is going on? Where do these worms/trojans come from and why did they not show up in the safe mode scan just before? I am using Opera/ Firefox as browser, do not open strange attachments, do not visit "bad" sites, run a firewall.
Btw, the pc is networked - is it possible that the infections come via the network if there are indeed there???


- I am so frustrated.

Since you say the files are in the temp directory, try googling "Ccleaner", tell it to clean the temp directory and whatnot and give your system a good scrubbing. Then retry the scanning. I hope this helps, because this is certainly quite unusual.

Quexx88, I might do that but before making any changes, I still would like to understand why one scan turn up all these alerts when just before and immediately afterwards doing a scan in safe mode, nothing pops up. Also, why can't I see the files when searching for them on my PC? ???

One further update - it appears I only get the alerts when scanning as a restricted user. If doing the scans as an administrator, the result is clean.

Hi beethoven, Yoy must use the "Run As" command to run TDS3 in a restricted user acoount and that is why your scan is showing all those errors.
Please read the following: http://www.wilderssecurity.com/showthread.php?t=29034

HTH Pilli

Pilli - thanks for trying to help me again.

If I follow the advice and try to use run as I get the following error messages:


if run by restricted user and using run as administrator: windows cannot access the specified device, path or file. You may not have the appropriate permission to access the item.
if run in the administrator mode and using run as administrator: the service cannot be started, either because it is disabled or because it has no enabled devices associated with it.


So I assume from your post that while something is wrong with my set-up or config and/or my handling of TDS-3, you don't think that the alert from the scan as per op is correct. Still I wonder, why are all these files listed or from where does TDS-3 retrieve that data. Is it on my PC or not?

Sorry, if this is all very basic for you but I do would like to understand more. :-\

{QUOTE-> Sorry, if this is all very basic for you but I do would like to understand more. <-QUOTE} OK , TDS3 needs to be installed by an administrator into an admin account not as a restricted user. Once installed then to run from a restricted account you must Run As an administrator.
Please read all the stickies above then ask any questions that may arise after you have done so.

If you have TDS3 set up by an administrator then you can simply switch to that Admin account to run scans, not ideal but better than nothing. Using Run As gets over the problem for restricted users.

Pilli

Before installing TDS-3 my XP had only one user set up which also had administrator rights. Then when I got the first alert (false positive) last week in trialling TDS-3, based on some info in the stickies and other info on XP, I realised that to lower the risk of trojans, you should not usually operate your system in admin mode but in restricted used mode ( correct me please if I am wrong). So, I created a new account, turned this account into the administrator and changed the original account that I use for day to day operation of the system, browsing and email into a restricted user.
Obviously that is now causing problems with respect to TDS.

How about I uninstall the current TDS version completely and then reinstall the program as administrator? Given the fact that the run as function does not work currently, perhaps a new installation would avoid these issues?

If I do this, is there anything in particular that I should observe when uninstalling? I still would like to use the program and not find out that the new installation then has other problems due to some left-over registry entries etc.


:-[

OK, I se now what has happened :) Uninstall TDS3 and if you have Execution Protection installed remove it first ie. before uninstalling TDS3.
To be sure also delete the TDS folder but remember to keep your keyfile safe and if you have the latest radius.td3 then keep that to for the new install.
Once in your new account re-install TDS3 as an Admin and hopefully all should be well - BTW that is the way I do it.

Pilli

Thanks Pilli, that's what I will do then.

One last (hopefully) question. I am still wondering where are the alerts came from, ie are there any remnants or trojans on my PC or not? :-\

{QUOTE-> Thanks Pilli, that's what I will do then.

One last (hopefully) question. I am still wondering where are the alerts came from, ie are there any remnants or trojans on my PC or not? :-\ <-QUOTE}

I recommend a full system scan upon completion of re-install dance. Personally, I have all scan and generic detection options [Ctrl+S] checked and sensitivity set to high.

:)

Its called "False Positives" ... TDS just doesn't want to use that termonology.
I am the only user on my PC (just like you) and never have had to log in as an admin to install or uninstall or run it.

Maybe TDS4 will be better ... when is it due to come out? ... oh yea, that was about 6 months ago.

Maybe if they concentrated on the scanning engine and updates more instead of making all the hacker tools (interrogate, TCP Connect, hacker scripts ... etc) that are integrated into it ... TDS would be the better for it.

EDIT: Unnecessary comment deleted. Pilli

{QUOTE-> Maybe if they concentrated on the scanning engine and updates more instead of making all the hacker tools (interrogate, TCP Connect, hacker scripts ... etc) that are integrated into it ... TDS would be the better for it. <-QUOTE} Well you will be delighted with at least one of the versions of TDS4 then ;)

{QUOTE-> no hacking wrote: Its called "False Positives" <-QUOTE}

Hmm, I thought a false positive is if the prog warns about an existing file being infected when in fact it is clean. Within limitations I have no problem with that. In this case it appears I received a list of infected files that were never on my pc?

I have now reinstalled everything and nothing is being shown.

{QUOTE-> In this case it appears I received a list of infected files that were never on my pc? <-QUOTE} Correct, In this case it was because TDS3 was not working properly from the users account. Not FP's more like rubbish due to the mis-configuration :) TDS4 will not have the same limitations.

Pilli

Looking forward to TDS-4 then :D ;D

{QUOTE-> Looking forward to TDS-4 then :D ;D <-QUOTE}

At this

http://www.wilderssecurity.com/showthread.php?t=26249

time...

I've mentioned this before, but just in case the DiamondCS folks didn't hear me - TDS-3 also has troubles updating the database when running under limited account. Instead it should save it's database to a folder in Documents and Settings\AllUsers\, which gets around the problem.

However, I'm pretty sure TDS-4 will do this.