TDS-3 fails to find trojan found by McAfee
Trial User
February 14th, 2005, 05:10 PM
I am a trial user. I ran TDS-3 for the first time (see scan dump below). The first ID is part of commercial shareware. The second ID is a program from grc.com. The third ID cannot be found by a conventional search.
I believe the first two IDs are false positives. The third ID confuses me. What should I do now? Thanks in advance.
Scan Control Dumped @ 08:18:25 15-02-05
Positive identification <Adv>: Possible keylogger
File: c:\program files\system utilities\advanced system optimizer\advanced system optimizer\spyware detective.exe
Positive identification: Demo.Leaktest 1.1 (Not a trojan)
File: c:\program files\utilities\internet security\leaktest.exe
Positive identification (DLL): Adware.WebEx (dll)
File: c:\winnt\downloaded program files\ieatgpc.dll
Pilli
February 14th, 2005, 05:19 PM
Hi trial user, Please download the latest definitions (radius file) from here:
http://tds.diamondcs.com.au/index.php?page=update
Follow the installation instructions, close TDS-3, restart, and then rescan. Re-post any findings.
Thank you. Pilli
Lynton
February 14th, 2005, 06:41 PM
Pilli, thanks for prompt reply. I am almost certain that I did a correct update before the first scan, but I am doing it again (as you suggest) just to be sure.
While I am waiting for the current scan to complete, I have another observation.
Why does TDS-3 continue to tell me to update when I have just done so. This is confusing. Surely a simple little date/time check routine could eliminate this confusion?! :-)
Lynton (Trial User)
Lynton
February 14th, 2005, 06:50 PM
OK, The repeated scan is now complete.
"Advanced System Organizer" is no longer identified but the other two still are... what now?
Lynton
February 14th, 2005, 06:56 PM
Present situation is this:
Scan Control Dumped @ 10:23:12 15-02-05
Positive identification: Demo.Leaktest 1.1 (Not a trojan)
File: c:\program files\utilities\internet security\leaktest.exe
Positive identification (DLL): Adware.WebEx (dll)
File: c:\winnt\downloaded program files\ieatgpc.dll
As indicated in my first post, I believe the first ID (Leaktest 1.1) is a false positive.
The second ID is very confusing for me because Start > Search can't find the file.
Lynton
February 14th, 2005, 09:46 PM
I ran TDS-3 (with fully updated database) and it failed to find "qlowzones-7.gen" a defined trojan that was identified by McAfee's scan as existing in two files on my Hard drive. What gives?
Gavin - DiamondCS
February 14th, 2005, 10:07 PM
Hi,
For starters, if the antivirus monitor program detects something, the first thing it does is lock access to the file, so TDS couldn't read it to scan its contents anyway.
Also, that's a GEN detection, or generic. Have the file submitted for analysis to your AV; we would also appreciate a sample to submit@diamondcs.com.au
If you have to, send the quarantined sample. You shouldn't disable your AV at any time unless you know what you are doing. To submit a file which is still sitting on disk being detected you would need to disable the AV, so quarantine it instead, and don't disable the AV.
Lynton
February 14th, 2005, 10:33 PM
Gavin,
I ran TDS before I ran the McAfee scan. TDS did not find the trojan. I did not run the antivirus monitor program before running TDS. The "lock access" argument does not hold.
Unfortunately I cannot send you a sample because I trashed the files after McAfee identified them.
The fact remains TDS did not identify the files. McAfee's scan did.
Jooske
February 15th, 2005, 03:35 AM
Does your McAfee or other program not have resident protection?
Can you imagine it was a possible false positive from McAfee? Pity you trashed the files, so now the security community will never know if it was a valid detection in the first place. Always submit the files, like Gavin advised.
Maybe you find them back in your system restore :)
I trashed McAfee many years ago.
Also make sure to scan with TDS with all scan options checked and wormslider on highest sensitivity.
dvk01
February 15th, 2005, 03:48 AM
The first is NOT a false positive but is as it clearly states.
It's a demo leaktest that has exactly the same signatures as a trojan because it uses the same techniques as many trojans. It is right for TDS to warn you about it.
This Positive identification (DLL): Adware.WebEx (dll)
File: c:\winnt\downloaded program files\ieatgpc.dll
cannot be found by a normal search on your computer because it is in a super-superhidden protected folder that Windows will not let you see in normal use.
Let TDS fix it by right-clicking the entry in the TDS bottom window and selecting delete.
If you really want to view that file it needs a few steps, but the easiest way is
to unlock the hidden files: download and run
http://mvps.org/winhelp2002/UnlockDPF.bat
To lock them again afterwards, download and run
http://mvps.org/winhelp2002/LockDPF.bat
Jooske
February 15th, 2005, 03:52 AM
Hi there!
The leaktest is detected on user's request and as you say it does say it is a demo and not a trojan. Just to have users seeing TDS does detect things on your system but it's known innocent.
For the other file, make sure you have all hidden files showing: Windows Explorer > Tools > Folder Options > View, make sure to have hidden files and extensions showing; and try to find it again. It is detected, so it is there.
dvk01
February 15th, 2005, 03:57 AM
McAfee's detection for the LowZones trojan frequently incorrectly identifies several security applications that are able to lock the Internet zone settings to prevent that family of trojans from changing the Internet zone settings.
I am not saying that this happened in your case, but if it IDs LowZones correctly then you almost certainly have at least one or more hard-to-remove adware trojans hidden away on the computer.
All of the known LowZones trojans attempt to change the security settings to include unwanted entries in your safe zones security settings in IE, and many attempt to remove sites from your restricted zones area as well.
I have seen McAfee and several other AVs remove the IE-SPYAD listing that adds the sites to the restricted zones.
I think in your case it might be interesting to see a HJT log to see whether there might be a problem on your computer and see what is there.
Go to here (http://www.thespykiller.co.uk/downloads.htm) and download the 'Hijack This!' self-extractor. Double-click on the file and it will self-extract to C:\program files\hijackthis.
Go to that folder then double-click Hijackthis.exe.
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
dvk01
February 15th, 2005, 03:58 AM
Can you also look in the McAfee log and see the names of the files that McAfee removed, as that would be a good indication, and post them here for me please.
Lynton
February 15th, 2005, 04:08 AM
..on the other hand, TDS did make a "positive identification" of the following file:
Positive identification (DLL): Adware.WebEx (dll)
File: c:\winnt\downloaded program files\ieatgpc.dll
which I submitted to you (see earlier post on "false positives") and which your support staff have now informed me is indeed an adware file. They recommend that I delete it.
The interesting thing here is that while waiting for your response, and having pointed out that Start > Search could not find the file, I have run a whole battery of scans (McAfee, Symantec, Ad-Aware, Spybot, Microsoft) and none of them could find the file either.
Since my original thread on this subject has not yet been answered, I will also ask the question here: Does this "positively identified" file actually exist? If it does why can none of the other scanners find it? And why can't I find it when I search for it?
Pilli
February 15th, 2005, 04:12 AM
Note to DVK01's post. the ieatgpc.dll or any other .dll for that matter, can be removed using the DCS free tool DelLater found here. Though I am not sure whether it needs to be unhidden first.
DelLater can be found here:
http://www.diamondcs.com.au/index.php?page=products
Pilli
Pilli
February 15th, 2005, 04:25 AM
-{ Quote: "Since my original thread on this subject has not yet been answered, I will also ask the question here: Does this "positively identified" file actually exist? If it does why can none of the other scanners find it? And why can't I find it when I search for it?" }- Because it is hidden, see the other thread re. this pest :
http://www.wilderssecurity.com/showthread.php?t=66419
HTH Pilli
Lynton
February 15th, 2005, 04:26 AM
dvk01,
Thank you for your helpful suggestion to download HJT and post the log here. I will attempt to do so.
To make it clear to all parties that the issue between TDS and McAfee had nothing to do with idiosyncratic behaviors (like "lock up" etc.), I do not have McAfee installed on my computer. I used the free scan on their website. I manually trashed the files. I was rather hasty in doing this because the identified files were downloaded from a Paltalk PC room and I was already suspicious. Once my suspicions were confirmed I couldn't get rid of them quick enough. If you can tell me how I can download them safely and package them to you, I will see if I can re-find them on Paltalk. But I am not keen to get involved in this sticky business without clear instructions.
Note that I also have another problem (outlined above in Post #7) which has not been addressed yet.
Lynton
February 15th, 2005, 04:30 AM
wow, all your answers seem to come at once.
Pilli, thanks for the reference back to the original thread. dvk01, Jooske, thanks for your contributions. I will now read and learn.. ;-)
dvk01
February 15th, 2005, 04:40 AM
-{ Quote: "dvk01,
Thank you for your helpful suggestion to download HJT and post the log here. I will attempt to do so.
To make it clear to all parties that the issue between TDS and McAfee had nothing to do with idiosyncratic behaviors (like "lock up" etc.), I do not have McAfee installed on my computer. I used the free scan on their website. I manually trashed the files. I was rather hasty in doing this because the identified files were downloaded from a Paltalk PC room and I was already suspicious. Once my suspicions were confirmed I couldn't get rid of them quick enough. If you can tell me how I can download them safely and package them to you, I will see if I can re-find them on Paltalk. But I am not keen to get involved in this sticky business without clear instructions.
Note that I also have another problem (outlined above in Post #7) which has not been addressed yet." }-
If they were downloaded from Paltalk, don't worry about them and don't try to find them again.
I'm sure copies will turn up soon enough now we know where to go looking, and looking for the baddies is a job for someone with "special protection & knowledge" so you don't get unwittingly infected.
Many offered files are suspect and normally should be avoided.
dvk01
February 15th, 2005, 04:43 AM
I've merged both of these threads together so it makes it easier to understand for anyone else with a similar problem and so we can continue this help if needed
Pilli
February 15th, 2005, 04:55 AM
DVK, Thanks for merging the threads, I was just about to do it :)
Lynton
February 15th, 2005, 06:15 AM
dvk01, thanks for great response. I have downloaded "UnlockDPF.bat" but I need further instruction on where to place this file in order to run it. I am very interested to see this 'super-superhidden protected folder' .
Jooske, I already have all hidden files and extensions displayed. ( windows explorer > tools > folder options > view).
Pilli, I was hoping to use TDS to remove the file after I confirm its existence. What does "DelLater" do that TDS cannot?
dvk01
February 15th, 2005, 06:21 AM
Anywhere.
I tend to download them to the desktop and then double-click; you will get a quick black screen flash up and that is it. Then, using Windows Explorer, go to C:\windows or winnt \ downloaded program files and you will see the difference: you will see all the dll's and inf files etc. in that folder, whereas previously you only saw the cab files containing them.
When you have finished playing around, make sure you use LockDPF.bat to put it back the way it was, for safety reasons.
dvk01
February 15th, 2005, 06:23 AM
-{ Quote: "
Pilli, I was hoping to use TDS to remove the file after I confirm its existence. What does "DelLater" do that TDS cannot?" }-
When a file can't be deleted by TDS or by you because it is in use, DelLater can be set to delete it on a reboot before Windows grabs it and locks it.
Personally I prefer Killbox rather than DelLater, but that is just because I like the GUI rather than using command prompts, and I'm lazy doing it so many times a day.
Pilli
February 15th, 2005, 06:38 AM
Yes, well as long as they do the job :)
Lynton
February 15th, 2005, 06:55 AM
dvk01, again thanks for great answers. I copied UnlockDPF.bat to desktop and followed your instructions. I still don't see the hidden file. What might I be doing wrong?
Also thanks for answer on dellater and Killbox. Can you give URL for Killbox, please?
dvk01
February 15th, 2005, 07:04 AM
When you open the Downloaded Program Files folder, do you see a list of files with dll's and inf files like a normal folder, or do you just see a list of controls with Installed or Unknown beside them?
Lynton
February 15th, 2005, 07:07 AM
dvk, I just see a list of controls with Installed status...
Lynton
February 15th, 2005, 07:09 AM
Not meaning to confuse this thread, here is the HJT log you asked for:
Logfile of HijackThis v1.99.0
Scan saved at 10:30:01 PM, on 15/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\freecell.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TDS3\tds-3.exe
C:\WINNT\msagent\AgentSvr.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Ad-Aware\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\LYNTON~1\LOCALS~1\Temp\Rar$EX00.656\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic\Copernic Agent\CopernicAgentExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic\Copernic Agent\Web\SearchExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\Copernic\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\Copernic\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\Copernic\COPERN~1\COPERN~1.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/316c40ec95b6697ffc01/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://esignaltraining.webex.com/client/v_mywebex/webex/ieatgpc.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4427/mcfscan.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O23 - Service: Acronis Scheduler2 Service - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Aluria Spyware Eliminator Service - Unknown - C:\PROGRA~1\SYSTEM~1\SPYWAR~1\ASE\ASE\ASEServ.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
dvk01
February 15th, 2005, 07:11 AM
-{ Quote: "dvk, I just see a list of controls with Installed status..." }-
Double-click the bat file again and make sure that you see a black screen flash up.
Some script blockers in your antivirus will attempt to stop any bat file being run.
Lynton
February 15th, 2005, 07:15 AM
dvk, there is a flash but it's almost instantaneous and it's not full screen, it's just "window" sized..I suspect it is being blocked...
dvk01
February 15th, 2005, 07:19 AM
There's nothing obvious in the HJT log
dvk01
February 15th, 2005, 07:20 AM
-{ Quote: "dvk, there is a flash but it's almost instantaneous and it's not full screen, it's just "window" sized..I suspect it is being blocked..." }-
That is what it's supposed to do, just a quick window-sized flash up for a microsecond.
Now open the DPF folder again and see.
Lynton
February 15th, 2005, 07:30 AM
No luck..:-( ..please check your email..
dvk01
February 15th, 2005, 07:34 AM
Turn off Microsoft AntiSpyware first; that blocks it if it isn't set right.
dvk01
February 15th, 2005, 07:35 AM
But just let TDS fix it.
It isn't worth the aggro to mess around.
Lynton
February 15th, 2005, 07:49 AM
ok dvk, if you say so...
I'll delete this file that I couldn't find, that no other scanner sees.. I would have loved to see this super invisible hidden file but, well, you're right, it's not worth the aggro...;-)
controler
February 15th, 2005, 01:43 PM
OK, that is cool, old-timers still use BAT files (DOS). LOL
UnlockDPF.bat:
cd\"WINDOWS\Downloaded Program Files"
attrib -h -r desktop.ini
ren desktop.ini desktop.nul
exit
LockDPF.bat:
cd\"WINDOWS\Downloaded Program Files"
ren desktop.nul desktop.ini
attrib +h +r desktop.ini
exit
Simply changing the attributes on desktop.ini and renaming it, then renaming it back again.
Bruce
dvk01
February 15th, 2005, 02:16 PM
The alternative way to view the DPF files is
go to Start | Run
Paste in this command and press enter:
regsvr32 /u occache.dll
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
To get back to normal mode just restart the computer as you normally would.
Now go to the C:\WINDOWS\Downloaded Program Files folder, find the offending file and delete it.
When you finish go back to:
Start | Run
Paste in this command:
regsvr32 occache.dll
but a double click on a bat file on the desktop is easier
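An added example, not part of the thread and not the mvps.org scripts, that covers both ways of looking into "Downloaded Program Files" discussed above (controler's UnlockDPF.bat/LockDPF.bat and dvk01's regsvr32 /u occache.dll alternative). Two things in the thread motivate it. First, cmd.exe is not subject to the Explorer namespace view at all: the "list of controls with Installed status" that Lynton saw is produced by the hidden desktop.ini in that folder, which hands the folder to the occache.dll shell extension, so a plain `dir /a` from a command prompt shows the real files without renaming or unregistering anything. Second, the bat files as posted hard-code `WINDOWS`, while the scan dump and the HJT log on this page show the system is Windows 2000 with the system folder at C:\WINNT; the script below uses %SystemRoot% so it works on either. The script name ShowDPF.cmd and the two arguments are assumptions; the default filename ieatgpc.dll is the one TDS-3 reported in the thread.

```batch
@echo off
rem ShowDPF.cmd - added example, not from the thread or from mvps.org.
rem Usage:  ShowDPF.cmd [filename] [unlock|lock]
rem   ShowDPF.cmd ieatgpc.dll          - just list the folder and check for the file
rem   ShowDPF.cmd ieatgpc.dll unlock   - also make Explorer show the raw files
rem   ShowDPF.cmd ieatgpc.dll lock     - restore the normal Explorer view
setlocal

rem %SystemRoot% is C:\WINNT on Windows 2000 and C:\WINDOWS on XP, so this
rem works on both, unlike a hard-coded "WINDOWS" path.
set "DPF=%SystemRoot%\Downloaded Program Files"

rem Assumed default: the file TDS-3 flagged in the thread.
set "TARGET=%~1"
if "%TARGET%"=="" set "TARGET=ieatgpc.dll"

echo Raw listing of "%DPF%" (cmd.exe ignores the Explorer namespace view):
dir /a "%DPF%"
echo.

rem Check for the specific file, including hidden/system attributes.
if exist "%DPF%\%TARGET%" (
    echo FOUND: "%DPF%\%TARGET%"
    dir /a "%DPF%\%TARGET%"
) else (
    echo NOT FOUND: "%DPF%\%TARGET%"
)
echo.

rem The "controls with Installed status" view comes from desktop.ini in this
rem folder, which points Explorer at the occache.dll shell extension. Renaming
rem desktop.ini (what UnlockDPF.bat does) makes Explorer show the raw folder;
rem it is less invasive than "regsvr32 /u occache.dll", which unregisters the
rem extension system-wide and needs a reboot into Safe Mode to take effect.
if /i "%~2"=="unlock" (
    attrib -h -r "%DPF%\desktop.ini"
    ren "%DPF%\desktop.ini" desktop.nul
    echo Explorer view unlocked. Run again with "lock" to restore it.
)
if /i "%~2"=="lock" (
    ren "%DPF%\desktop.nul" desktop.ini
    attrib +h +r "%DPF%\desktop.ini"
    echo Explorer view restored.
)

endlocal
```

Run it from a command prompt rather than by double-clicking, so the output stays on screen. The `dir /a` listing alone answers the question asked repeatedly in this thread (does the file TDS-3 reported actually exist?) without changing anything; only pass `unlock` if you also want to browse the folder in Explorer, and remember to run `lock` afterwards as dvk01 advises.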
Copyright ©2002 - 2012, Wilders Security Forums