View Full Version : 2 Files - Possible Webdownloader -Positive identification?
noel1947
February 12th, 2005, 07:20 AM
Hi
I have been a registered user of TDS3 for about 1 year and to date have never had a positive identification of any nasties. Did a full system scan today (usually done every day) and got the following:
"Scan Control Dumped @ 22:26:56 12-02-05
Positive identification <Adv>: Possible WebDownloader
File: c:\program files\common files\microsoft shared\office11\msoxmled.exe
Positive identification <Adv>: Possible WebDownloader
File: c:\program files\microsoft office\office11\msohtmed.exe"
This identification was not there when I did full scan yesterday and previously. These 2 files are an integral part of MS Office 2003 I assume. I have not used Office for weeks (only Word and Excel ever used).
I have searched the forum for reference to these files but have not been able to find an answer to my problem.
Am I to assume that the above results are false positives and, if not, am I able to delete them without compromising the workings of Office 2003? I have used the Office 2003 repair facility and still get the same result as above. No system restore used on my WinXP as I image my system to a backup HD approx 3-4 times weekly. Yes, I tried restoring the image, but still the same result.
Any assistance/advice would be appreciated.
noel1947
darkmatter
February 12th, 2005, 07:31 AM
Hi noel1947,
Got the same alert today as well. Found info on msoxmled.exe here (http://www.hijackfree.com/en/processdetails/?id=120). Couldn't find any info on msohtmed.exe either.
HTH
Darkmatter
noel1947
February 12th, 2005, 07:35 AM
darkmatter
Yes I found that reference during my searching of Google for a solution. I should have stated in my original post that I am using Firefox and Spysweeper/NAV show them as clean.
Regards
noel1947
dvk01
February 12th, 2005, 09:19 AM
I would assume that it's a false positive due to an over-sensitive detection being set by Gavin to attempt to catch some of the new baddies who are causing major problems.
I'm sure that he will fix it in Monday's update, but it would be wise to email support@diamondcs.com.au to alert them to the problem.
Pilli
February 12th, 2005, 10:26 AM
Yes, there is also a report of this in the DCS private forums and the user has not changed anything in office since his last scan, so I believe these may well be FPs :o
Pilli
ding
February 12th, 2005, 03:10 PM
Sorry for posting out of the topic of this thread.
-{ Quote: "Yes, there is also a report of this in the DCS private forums and the user has not changed anything in office since his last scan, so I believe these may well be FPs :o
Pilli" }-
I can't find where the DCS private forum for licensed/registered users is. Is this what you mean: "http://diamondcs.com.au/forum/"?
.tia.
noel1947
February 12th, 2005, 04:31 PM
Many thanks to everyone for their responses.
I had submitted them to Support before posting, so will await response from
Gavin or fix in Monday's update before deleting them again.
Regards and thanks again.
noel1947
bokdave
February 12th, 2005, 09:27 PM
Hi All,
I have been lurking on these message boards for several months now reading all of the interesting AV and AT info.
I finally thought I should go ahead and register now that I have an actual topic to post about 8)
I got those same two Office 2003 hits today as well as a third: MSNBOOT.EXE. That file is supposedly a MSN setup file.
The two Office files TDS 3 found are dated July 14th 2003 and both have digital signatures.
It seems like all of the potential false positives are related to Microsoft files :)
Thanks,
Dave
hardhead
February 12th, 2005, 09:34 PM
You are correct Dave. ;D
I posted here (http://www.wilderssecurity.com/showthread.php?t=66027) about MSNBOOT.EXE and believe it's a false positive.
richrf
February 13th, 2005, 01:56 AM
Hi guys,
TDS-3 found this trojan msohtmed.exe which is found in the Microsoft Office10 directory. Interestingly Ewido, TrojanHunter and BOClean missed it, but ProcessGuard stopped it dead in its tracks.
I deleted it, but every time I try to re-install Office, the little bugger comes back. Before I do an image restore, I would like to know if anyone has any ideas how this trojan keeps finding its way back onto my system. Thanks for any help.
Rich
hardhead
February 13th, 2005, 02:26 AM
Hello richrf,
You may want to take a look at this thread that has been posted here (http://www.wilderssecurity.com/showthread.php?t=66067).
Regards,
hardyhar
richrf
February 13th, 2005, 02:54 AM
Hi hardyhar,
Thanks for the link. More info:
1) I've been scanning with TDS-3 pretty regularly for the last year or so and this is the first time it came up with this nasty.
2) My son has the same .exe and TDS-3 does not have any problem with it on his machine.
3) When I delete the nasty, and start-up Word, he gives me a message whether I want to "repair" the feature (with no other message). I respond no.
4) It tries to start itself up if I don't delete it. ProcessGuard detects it and stops it, though it still lingers in memory. This only happens if I have not deleted it yet. After I have deleted it, it does not show its face.
5) The Windows Installer tries to start itself up when I reboot - presumably to fix the file. I am not sure this is normal behavior.
So something seems rotten. I'm still awaiting positive ID from DiamondCS. I sent it in on Fri.
Rich
dvk01
February 13th, 2005, 03:06 AM
As I said in my previous post,
there are several new web downloaders that are causing tremendous problems at the moment. They really infect the computers very badly, and removal of them and their passengers is extremely difficult, if not almost impossible, without very specialised help.
Gavin has obviously tried to set a generic detection to block them downloading or running on a TDS-protected computer.
The problem with generic detections is that if they are set wide enough and sensitive enough, some genuine files will always come under suspicion.
The code for the downloaders would have enough similar points to the genuine M$ files that a mistaken identity is possible.
I think I would rather be warned that a genuine file is a "POSSIBLE" downloader than have an infected computer.
Unfortunately it's a catch-up game with the evil scum who invent these viruses/trojans etc., and any defensive program will make a couple of errors when looking for them.
Luckily enough, because TDS puts you in the driving seat and lets you decide what is bad and good, and doesn't automatically delete or fix anything unlike many other security programs, false positives are not the problem they would be with those other programs.
Just leave the files alone for now, and I'm sure that Monday's definition files will fix the problem.
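As an added illustration of the point made above about wide generic detections, here is a toy "possible web downloader" heuristic written for this page. It is not TDS-3's detection logic and not code from anyone in the thread. The weighted indicator strings, the threshold, the sample "file" contents and the file names are all assumptions constructed for the example. A hash allowlist stands in for the vendor's definition fix (or a local exclusion) for a file confirmed as a false positive, and the scanner only ever flags; it never deletes.

```python
import hashlib
from typing import Dict, List

# Weighted indicator strings for a toy "possible web downloader" heuristic.
# Constructed for this example: a real engine's generic rules are far richer
# (imports, section layout, packing, behaviour), which is exactly why a wide
# rule can overlap with a legitimate binary that also talks HTTP.
INDICATORS: Dict[bytes, int] = {
    b"URLDownloadToFile": 3,
    b"InternetOpenUrl": 3,
    b"WinExec": 2,
    b"wininet.dll": 1,
    b"http://": 1,
}
THRESHOLD = 4  # score at or above this raises a "Possible WebDownloader" alert

VERDICT_CLEAN = "clean"
VERDICT_ALLOWLISTED = "known-good (allowlisted by hash)"
VERDICT_POSSIBLE = "Possible WebDownloader (flagged for review, not deleted)"


def heuristic_score(data: bytes) -> int:
    """Sum the weights of every indicator string present in the file bytes."""
    return sum(weight for needle, weight in INDICATORS.items() if needle in data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(name: str, data: bytes, known_good: set) -> dict:
    """Triage one file: allowlist check first, then the generic heuristic.

    The allowlist plays the role of a definition fix for a confirmed false
    positive. The heuristic only flags; what to do with the file stays with
    the user, as the post above describes for TDS.
    """
    digest = sha256_hex(data)
    score = heuristic_score(data)
    if digest in known_good:
        verdict = VERDICT_ALLOWLISTED
    elif score >= THRESHOLD:
        verdict = VERDICT_POSSIBLE
    else:
        verdict = VERDICT_CLEAN
    return {"file": name, "sha256": digest, "score": score, "verdict": verdict}


def scan(files: Dict[str, bytes], known_good: set) -> List[dict]:
    return [classify(name, data, known_good) for name, data in files.items()]


# Constructed sample "files" (byte strings standing in for executables).
OFFICE_EDITOR = r"c:\program files\microsoft office\office11\msohtmed.exe"
SAMPLE_FILES: Dict[str, bytes] = {
    # A legitimate HTML editor component plausibly links wininet and carries
    # URL strings, so the wide rule scores it above the threshold (1+3+1 = 5).
    OFFICE_EDITOR:
        b"MZ...Microsoft Office HTML editor...wininet.dll...InternetOpenUrl...http://",
    # Plain utility with no network indicators (score 0).
    r"c:\tools\plain-editor.exe":
        b"MZ...simple text editor...no network code here",
    # Something that matches the downloader pattern strongly (3+2+1 = 6).
    r"c:\temp\unknown-download.exe":
        b"MZ...URLDownloadToFile...WinExec...http://",
}


def demo() -> List[dict]:
    """Two passes: before and after the Office file is confirmed as an FP."""
    first = scan(SAMPLE_FILES, known_good=set())
    confirmed_fp = {sha256_hex(SAMPLE_FILES[OFFICE_EDITOR])}
    second = scan(SAMPLE_FILES, known_good=confirmed_fp)
    return first + second


if __name__ == "__main__":
    for result in demo():
        print(f"{result['verdict']:55} score={result['score']}  {result['file']}")
```

In the first pass the Office component and the unknown file both score above the threshold and are flagged, which is the mistaken-identity case the post describes. After the Office file's hash is allowlisted, only the unknown file remains flagged. In practice the triage step before allowlisting is the check other posters in this thread mention: confirm the file's publisher signature and that its hash matches the vendor's known-good copy, then submit it to the AV vendor rather than deleting it.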
Pilli
February 13th, 2005, 04:01 AM
richrf, these are probably proper Office files, as stated in the other thread. Hopefully the new defs on Monday will sort the problem.
Pilli
timnicebutdim
February 13th, 2005, 06:16 AM
Spy sweeper also says this is a Phishing Trojan - http://www.dslreports.com/forum/remark,11041049~mode=flat .
But when you look at msohtmed.exe it appears to be a official microsoft office file?
I am confused...
dvk01
February 13th, 2005, 06:35 AM
TDS is finding the Office 10 version as a possible webdownloader on my computer as well, so I can 100% guarantee that it's a false positive. Just stop panicking and wait till it's fixed in the next update.
DO NOT delete the file or do anything with it.
richrf
February 13th, 2005, 09:09 AM
Thanks Pilli. Some of the behavior is kind of odd though. The installer keeps trying to launch itself even when I am not accessing MS Office tools. It just seems kind of weird.
Rich
Pilli
February 13th, 2005, 09:53 AM
Hi Rich, as you are concerned about this it may be as well to copy/zip it and send it to submit@diamondcs.com.au for analysis; even if it is an FP, it will help Gavin fine-tune the definition.
Thanks. Pilli
richrf
February 13th, 2005, 09:59 AM
Hi Pilli,
I am a bit concerned, especially since it tries to launch itself at startup. I don't remember seeing this behavior before. I already sent a copy to Gavin last Fri. but have not heard back from Diamond. So I sent another copy just in case it got lost in the mail.
Rich
Pilli
February 13th, 2005, 10:52 AM
Thanks Rich, I'm sure that Gavin will deal with it Monday as they have the weekend off :)
BourgePD
February 13th, 2005, 11:06 AM
Oddly enough, my previous full install of MS Office never caused TDS to alarm. By coincidence, I did another full install with updates yesterday that later alarmed on the MSOHTMED.EXE file during a TDS scan. Should be no cause for alarm though as it is the Office *.htm editor. Have experienced no odd behavior with the file as in richrf's case though.
Bubba
February 13th, 2005, 11:34 AM
Hopefully the merging of the other thread concerning this same topic does not cause any heart burns. I suggest all concerned heed what dvk01 posted above.
-{ Quote: "TDS is finding the Office 10 version as a possible webdownloader on my computer as well, so I can 100% guarantee that it's a false positive. Just stop panicking and wait till it's fixed in the next update.
DO NOT delete the file or do anything with it." }-
razzmataz
February 14th, 2005, 06:27 AM
I too have got these positive identifications together with:
Positive identification (embedded in file) TrojanClicker.Win32.Agent.ap3
c:\program files\palm\hswizardnotyfy.dll
This file still has its original date, owner etc., and I'm assuming this is also a false positive. It is part of my Palm PDA synchronising software.
Jooske
February 14th, 2005, 06:44 AM
You might like to submit that file too so it can be corrected in the detections.
submit@diamondcs.com.au
razzmataz
February 14th, 2005, 06:59 AM
Don't I have to be a registered user to submit a file like this? I'm still evaluating this software.
Pilli
February 14th, 2005, 07:11 AM
Any submissions are welcome :)
Thank you. Pilli
noel1947
February 14th, 2005, 07:36 AM
Pilli et al.
Latest definitions installed tonight still recording both files as positive identification. E-mail received from DCS earlier today advised that both files are definitely false positives and would be fixed with tonight's update. Looks like Gavin and crew still have a bit of fine tuning to go.
I am content to let them work through it. At least my e-mail to DCS received a prompt response, not like some software producers who ignore their clients.
Regards
noel1947
Pilli
February 14th, 2005, 07:45 AM
Thanks. Are your definitions as follows:
Systems Initialised [46861 references - 22725 primaries/11983 traces/12153 as Gavin posted quite late today.
Cheers. Pilli
Gavin - DiamondCS
February 14th, 2005, 09:05 AM
It should be fixed with THOSE figures.. :)
Thanks Pilli
timnicebutdim
February 14th, 2005, 09:26 AM
-{ Quote: "Don't I have to be a registered user to submit a file like this? I'm still evaluating this software." }-
I don't think so... just send it to submit@diamondcs.com.au and explain you are just using the trial version. I would have thought that it would not matter, since the more people that submit files like this, the more it helps them to fix their definitions and improve on their product, so it's a benefit.
dvk01
February 14th, 2005, 11:05 AM
You need to close TDS & restart it; then it doesn't detect it.
Just installing the new definitions still leaves the old detections as well as the new ones.
razzmataz
February 14th, 2005, 11:22 AM
Just downloaded this morning's update 14/02/2005 and re-ran a full scan. Nothing reported. I'm impressed with the response from Diamondcs support.
Pilli
February 14th, 2005, 11:32 AM
On behalf of DCS, Thanks. ;D