Wilders Security Forums
Archive of DiamondCS Support Forums > Trojan Defence Suite
#1
March 3rd, 2004, 04:33 PM
Kentish (Regular Poster; Join Date: Jun 2003; Location: Kent, England, UK; Posts: 92)
positive id's but no trojan listed

After catching a trojan on my PC a little while ago, I now sometimes get a list of positive identifications, all appearing to be in memory, but no trojan listed. However, if I close TDS3 down and restart it, I don't get any positive id's. A full system scan reveals nothing untoward, the scan settings being the most paranoid and deepest.

Any ideas anyone as to why I am now getting this?
#2
March 3rd, 2004, 04:42 PM
Jooske (Incredibly Massive Poster; Join Date: Feb 2002; Location: Netherlands, EU near the sea; Posts: 9,713)
Re: positive id's but no trojan listed

Hello Kentish and welcome!
Where do you see the positives indicated then and is that with TDS?
Can you post what you see, from a console log maybe or the scandump?
Can you locate the files mentioned and please submit them (zipped if possible) to submit@diamondcs.com.au ?

Which is your windows version?
For instance:
You might have installed TDS from an administrator account and run it from a user account; if so, those things might happen. If, under the user account, you hunt for TDS and "run as" admin, the problem should be solved, if this is the situation.
-- Jooske "o_o"
#3
March 3rd, 2004, 04:51 PM
Kentish (Regular Poster; Join Date: Jun 2003; Location: Kent, England, UK; Posts: 92)
Re: positive id's but no trojan listed

OK, after reloading TDS3 5 times, the 6th time showed it again...

Scan Control Dumped @ 21:50:13 03-03-04
Positive identification:
File: c:\windows\system32\smss.exe

Positive identification:
File: c:\windows\system32\csrss.exe

Positive identification:
File: c:\windows\system32\winlogon.exe

Positive identification:
File: c:\windows\system32\services.exe

Positive identification:
File: c:\windows\system32\lsass.exe

Positive identification:
File: c:\windows\system32\ati2evxx.exe

Positive identification:
File: c:\windows\system32\svchost.exe

Positive identification:
File: c:\windows\system32\svchost.exe

Positive identification:
File: c:\program files\sygate\spf\smc.exe

Positive identification:
File: c:\windows\system32\ati2evxx.exe

Positive identification:
File: c:\windows\explorer.exe

Positive identification:
File: c:\windows\system32\svchost.exe

Positive identification:
File: c:\windows\system32\svchost.exe

Positive identification:
File: c:\windows\system32\spoolsv.exe

Positive identification:
File: c:\windows\soundman.exe

Positive identification:
File: c:\program files\logitech\itouch\itouch.exe

Positive identification:
File: c:\windows\downloaded program files\esigiltray.exe

Positive identification:
File: c:\program files\eset\nod32kui.exe

Positive identification:
File: c:\windows\system32\ctfmon.exe

Positive identification:
File: c:\windows\system32\gearsec.exe

Positive identification:
File: c:\program files\common files\microsoft shared\vs7debug\mdm.exe

Positive identification:
File: c:\program files\eset\nod32krn.exe

Positive identification:
File: c:\program files\processguard\pg_msgprot.exe

Positive identification:
File: c:\windows\system32\svchost.exe

Positive identification:
File: c:\windows\msagent\agentsvr.exe

Does this help?

Forgot to add, I'm running XP Home, and only have the one account set up, so it's an administrator. This never happened before I had a trojan (now deleted, but don't ask which one it was).
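An added example, not part of this thread or of TDS itself: a small Python parser for the scandump layout posted above. It groups the positive identifications by file and separates hits that carry no trojan name (the ones this thread is about) from named ones, so the unnamed list can be reviewed file by file. It assumes that a named hit would show the name as an extra line inside the same block; the embedded sample is constructed from a subset of the dump above.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Scan Control Dump above
# (a subset of its entries; the duplicate svchost.exe lines are deliberate).
SAMPLE_DUMP = r"""Scan Control Dumped @ 21:50:13 03-03-04
Positive identification:
File: c:\windows\system32\smss.exe

Positive identification:
File: c:\windows\system32\svchost.exe

Positive identification:
File: c:\windows\system32\svchost.exe

Positive identification:
File: c:\program files\eset\nod32krn.exe
"""

HEADER_RE = re.compile(r"^Scan Control Dumped @ (\S+) (\S+)$")

def parse_scandump(text):
    """Return (timestamp, entries); each entry is {'file': path, 'details': [...]}.
    Assumption: when TDS names a trojan, the name is an extra line in the same
    block, so a block holding only a File: line is an unnamed positive."""
    timestamp, entries, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            timestamp = f"{m.group(2)} {m.group(1)}"  # date, then time
        elif line == "Positive identification:":
            current = {"file": None, "details": []}
            entries.append(current)
        elif current is not None and line.lower().startswith("file:"):
            current["file"] = line[5:].strip().lower()
        elif current is not None and line:
            current["details"].append(line)
    return timestamp, entries

def triage(entries):
    """Group hits by path; unnamed hits are the review candidates."""
    unnamed = Counter(e["file"] for e in entries if e["file"] and not e["details"])
    named = [e for e in entries if e["details"]]
    return {"total": len(entries), "unnamed": dict(unnamed), "named": named}

if __name__ == "__main__":  # run stand-alone on the constructed sample
    ts, hits = parse_scandump(SAMPLE_DUMP)
    print(ts, triage(hits))
```

Run it against a real dump by passing the file contents to parse_scandump; repeated paths (such as the several svchost.exe hits above) collapse into one entry with a count.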
#4
March 4th, 2004, 03:11 AM
Jooske (Incredibly Massive Poster; Join Date: Feb 2002; Location: Netherlands, EU near the sea; Posts: 9,713)
Re: positive id's but no trojan listed

By the looks of it, all legal files, and this could happen if running from a user's account in some cases, although I don't remember having seen valid files then, mostly other names if I remember well.
Not sure what is wrong here.
It could help to uninstall and reinstall TDS from a fresh download, as maybe the trojan (pity you don't remember which it was) could have overwritten valid files, or in the removal something too much might have been "fixed".
Did you try an AutoStartViewer log, and did that show anything weird? Feel free to post that or a HijackThis log in the HJT forum for specialists' eyes to look over it if you think it might help too.
-- Jooske "o_o"
#5
March 4th, 2004, 09:08 AM
puff-m-d (Massive Poster; Join Date: Feb 2002; Location: North Carolina, USA; Posts: 3,629)
Re: positive id's but no trojan listed

I have had situations like this happen to me before also.... Usually, it was a corrupt radius.tds database.....

Try manually updating your radius file and see if that helps.... http://tds.diamondcs.com.au/index.php?page=update

HTH....

Regards,
Kent
-- Best regards, Kent
#6
March 7th, 2004, 10:38 AM
halcyon (Frequent Poster; Join Date: May 2003; Posts: 370)
Re: positive id's but no trojan listed

In addition to the above, there is a bug in the TDS-3 scanning routine, triggering "positive identification" without any naming for all large files. This positive identification is false.

I've already had this happen to me four times with different large-size installer files (latest being inside fh-release0.6-via-donkey-pass.rar, a trojan/virus-free free modification for an online game).

I've already reported two such incidents, but all DiamondCS apparently does is remove those false positives one by one, instead of fixing the scanning routine (?).

Ah well, I guess they are busy on TDS-4...
#7
March 7th, 2004, 10:43 AM
Jooske (Incredibly Massive Poster; Join Date: Feb 2002; Location: Netherlands, EU near the sea; Posts: 9,713)
Re: positive id's but no trojan listed

Hi, I'm sure the best possible option is used; could be a large file, could be something with the rar, not sure. Anyway, please be patient and keep sending in such alerts, thanks!
-- Jooske "o_o"