All my processes are infected?!?

[Konyntje]

A very weird thing just happened... I updated my radius, then went directly into Configuration to stopping loading my plugins. I saved and answered 'Yes' to have TDS reload immediately. On re-load, when scanning my processes, each of them got a 'Positive Identification' message; no trojan named just the name of the file. I uploaded the 'Outlook' file to TDS just to be sure, then rebooted. The system came up clean - no messages about anything being infected. Very strange.

[Patrice]

Hi Konyntje,

did you already do a full system scan after that these messages appeared? What was the result of it? And do you know all the processes which are running in the background? Is there an unusual one?

Regards,

Patrice

[Pilli]

Konymtje, Do you have TDS3 to start when windows start? I only ask as there may have been a minor corruption during start up. In XP I start TDS3 manually after everything else has loaded.
What Operating system are you using?
Have you closed TDS down completely & do you have Exec protection enabled?

Sorry more questions than answers

[Patrice]

Hi Pilli,

Quote:

quoting: Pilli link=board=5;threadid=9148;start=0#59707 date=1052647549]In XP I start TDS3 manually after everything else has loaded.

Ever thought about using Startup Delayer? I'm using Windows XP Pro as well and this little tool helps me out, that TDS-3 is starting automatically as the last application.

http://www.webattack.com/get/startdelay.shtml

Best regards,

Patrice

[Jooske]

"All my processes" ?? Do you mean all those in the Process List? but not Outlook file?
Are you using an evaluation version of TDS or a registered one (because of the possibility to use exec protection or not)

Is this the first time you ran it?
At installing TDS, did you close all av/at scanners and maybe even rebooted to make sure nothing was still in use by other programs at all?
Why would you close the plugins? they don't eat resources till used.
If you scan with the current Radius database and every scan option checked, do you still get those alerts?

I would indeed recommend at the moment to start TDS manually after reboot and see if this solves the problems.
If there are still alerts, you might like to rightclick on one of the alerts in the console, save them to Scandump.txt in the TDS-3 directory and include that in a posting here for us to look with you. (you can edit sensitive info away, but we might like in some cases pathnames)
Looking ward for your next part to help you further.

[Pilli]

Patrice, XP has it's own scheduler Agreed, not as flexible as some

[Patrice]

Hi Pilli,

which one are you talking about? I just know the setting for the memory priority...

Regards,

Patrice

[Pilli]

This one

[Patrice]

Ahh.. so this is what you call a Startup Delayer!?! LOL
Not bad, actually I never thought about this possibility...

Greetings,

Patrice

[Pilli]

Patrice, We must stay on topic so I shall remove my posted gif as it is not really relevant

[Konyntje]

Hi all,
Sorry for the delay in getting back to you, you know how it is....

Jooske (et al): I'm a registered user and have been using TDS for about 4 months now. All processes listed in Task Manager were the ones flagged. All scan options are marked for checking at startup. This is the way I've been running for quite a while. I've since done several warm and cold restarts (WinXP), and haven't had any problems. Haven't done a full system scan yet but will one just to be sure. I'm sure everything is OK; probably some kind of weird initialization bug. I just thought I should mention it to the group in case others had the same problem.

[LowWaterMark]

Quote:

quoting: Konyntje link=board=5;threadid=9148;start=0#60563 date=1052959165]... I've since done several warm and cold restarts (WinXP), and haven't had any problems. ... I'm sure everything is OK; probably some kind of weird initialization bug. I just thought I should mention it to the group in case others had the same problem.

Yes, it certainly seems like it was "just one of those things". But, I agree with you, it's better to post about it than not, just in case it ends up being something important. You never know for sure unless you post about it.

[Jooske]

Thanks for coming back with your reaction, as you see it caused some puzzling and discussions among us too!
Now Pilli can put his startup delayer screenshot back (can you please ?) as extra instruction for TDS delayed startup which seems to help lots of XP users.
Please do your full system scan with every option checked and look if there is any alert.
Suppose all is well this time when you look at the process list and everything?

[Pilli]

OK Jooske, Here's the info' again

Notes

To open Scheduled Tasks, click Start, click All Programs, point to Accessories, point to System Tools, and then click Scheduled Tasks.
If you want to configure advanced settings for the task, select the Open advanced properties for this task when I click Finish check box on the final page of the wizard.
Confirm that the system date and time on your computer are accurate, because Scheduled Tasks relies on this information to run scheduled tasks. To verify or change this information, double-click the time indicator on the taskbar.
You must supply the password for the account on which you want the the scehduled task to run. The password cannot be blank.

[Konyntje]

Well I did a full system scan - nothing came up except for those pesky ADS Hidden Data Streams - so I guess it was just some kind of twitch in the software. Thanks to all for your help and concern.

Just to switch gears slightly.. is it OK to delete the Alternate Data Streams? I had about 25 of 'em; one was 88 bytes, the rest were zero.

[Patrice]

Hi Konyntje,

yeah you can delete them. You find more information about this issue on the homepage of DCS.

Best regards,

Patrice

[Gavin - DiamondCS]

Streams are generally OK, and since they are being used a bit by legitimate software we now recommend you go to Scan Control, ADS Stream Options, and ignore streams smaller than 256 bytes

[Konyntje]

Thanks! I'll adjust the size now.