I am concerned that TDS might not be doing the job. I recently obtained a copy of the new Ad-aware SE Professional and scanned my computer. Right away it detected an item called "Win32.Delf.Trojan.A". Here is a link to the "Threat Assessment Chart" of the trojan according to Lavasoft: Threat Assessment Chart. Why was this item overlooked by TDS-3 many times? TDS-3 is being touted as the best anti-trojan software on the market (and I believe it is), but it's discouraging to see an anti-spyware software catching trojans that TDS-3 is missing.
__________________
"Threat Assessment Chart" is taken from Lavasoft's website. Lavasoft's home page can be found HERE. ***Lavasoft reserves all rights to the material on their website***
There have been many reports of similar findings on various security forums since the new Ad-aware came out. For example... http://www.lavasoftsupport.com/index.php?showtopic=41101 Search that thread for the malware you found, "Win32.Delf.Trojan.A", and you'll see what this is and what they say about it. Lavasoft states: "The people that have been saved from this really appreciate the fact that we detect them as "Possible's". If you know they are there and have put them there intentionally, the word possible comes into play here and therefore they are not false positives." Over at DSLR there is this about the findings on Hosts files (so far)... http://www.dslreports.com/forum/remark,11020464~mode=flat You'll have to decide for yourself if you want TDS-3 to "find" things like this and tell DCS what you think.
gerardwil, This is what I've found out about it: So I think to answer your question: I think the answer is yes, but I'm not sure. LowWaterMark, I am about to read over the information you sent me and I'll comment on it soon, but thanks ahead of time.
Dallen, I don't think TDS-3 has missed anything in this case, and if you scan with your anti-virus scanner I'm sure you'd get the same results (no alarms), because like TDS-3, your virus scanner wouldn't tell you about your Hosts file having a particular line in it, so this isn't a TDS-specific issue. We could add Hosts file monitoring to TDS4 but haven't had any requests for it. Can you please check your Hosts file for me - can you see an entry for "127.0.0.1 only-virgins.com", or ... ? If you really were infected with Delf, then yes TDS-3 would definitely detect the file (and that's the main issue) - but I note that the scanner you used seemingly hasn't detected the Delf file on your disk, so all you're going on is 1 alert by 1 scanner which hasn't even identified a file, just a possible line in a file - not really enough information to go on to say "Yes that's definitely an infection that all scanners should detect", wouldn't you agree? Regards, Wayne
PS. If I'm not mistaken, TDS3 detects more variants of Delf than any other scanner:
Code:
Adware.Delfin.a
Adware.Delfin.b
Adware.DelfinMediaViewer.a
Adware.DelfinMediaViewer.a Dropper
Binded.Delf.aa
Binded.Delf.ab
Binded.Delf.ac
Binded.Delf.ao
Binded.Delf.l
DLL.Adware.Delfin.a (dll)
DLL.Adware.DelfinMediaViewer (dll)
DLL.Adware.DelfinMediaViewer.a (dll)
DLL.RAT.Delf.co (dll)
DLL.Trojan.Win32.Delf.cf (dll)
DLL.TrojanClicker.Win32.Delf.ab (dll)
DLL.TrojanDownloader.Win32.Delf.bn (dll)
DLL.TrojanDownloader.Win32.Delf.df (dll)
PSW.Delf.at
PSW.Delf.cf
PSW.Delf.ck
PSW.Delf.ct
PSW.Delf.do
PSW.Delf.l1
RAT.Delf.ag
RAT.Delf.c
RAT.Delf.cc
RAT.Delf.cu
RAT.Delf.cu Dropper
RAT.Delf.ii
RAT.Delf.mm
RAT.Delf.n
RAT.Delf.nj
RAT.Delf.nj (Unpacked)
RAT.Delf.oy
RAT.Delf.ps
Trojan.Win32.Delf.aj
Trojan.Win32.Delf.av
Trojan.Win32.Delf.ba
Trojan.Win32.Delf.bg
Trojan.Win32.Delf.by
Trojan.Win32.Delf.ca
Trojan.Win32.Delf.cf
Trojan.Win32.Delf.dq
TrojanClicker.Win32.Delf.f
TrojanClicker.Win32.Delf.r
TrojanClicker.Win32.Delf.v
TrojanClicker.Win32.Delf.x
TrojanDownloader.Win32.Delf.br
TrojanDownloader.Win32.Delf.ch
TrojanDownloader.Win32.Delf.dd
TrojanDropper.Win32.Delf.bo
TrojanDropper.Win32.Delf.br
TrojanProxy.Win32.Delf.a
TrojanSpy.Win32.Delf.bc
TrojanSpy.Win32.Delf.i
Worm.P2P.Delf.t
I have only begun sifting through the information that you sent me, LowWaterMark. It has become apparent to me that this wasn't nearly as bad as I had originally thought. Thank you. Wayne - DiamondCS, Don't forget this part of my statement: That belief is what caused me to be so surprised when AAW detected the "trojan." However, now it is obvious that it was essentially detecting the name of a trojan that was contained within a "hosts" file. I'm still a little confused about what the host files do. Yes, I agree. Actually, I restored all the files I've deleted with Ad-aware. Then I checked the Hosts file and found that item present. The odd thing is that it's the only item that comes after the "# End of entries inserted by Spybot-Search & Destroy". TDS-3 and its makers, Please accept my apology. Thankfully, I was wrong in thinking for a moment that your software missed something.
Here's a good introduction to the hosts file: Blocking Unwanted Parasites with a Hosts File. A well-managed (meaning updated) hosts file provides an additional layer of security. Since I use MVPS's hosts file, I have set Ad-Aware to ignore the hosts file when scanning. Nick
Well, that's a bad detection to begin with - since the HOSTS file entry points to 127.0.0.1! So it's placed there to make sure you don't get to the REAL website, that's why it was added. Seems like a detection which could be prevented if the HOSTS entry is 127.0.0.*
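The distinction raised in the post above (a hosts entry pointing at a loopback address blocks a site, while one pointing elsewhere redirects it), written out as an added example; this is not code from Ad-aware, TDS-3 or any poster in the thread. The sample hosts file is constructed and `classify_hosts` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample: blocklist-style entries plus one redirect-style line.
SAMPLE_HOSTS = """\
# Start of entries inserted by Spybot-Search & Destroy
127.0.0.1 localhost
# End of entries inserted by Spybot-Search & Destroy
127.0.0.1 only-virgins.com
0.0.0.0 ads.example.net
203.0.113.7 bank.example.com www.bank.example.com
not-an-ip broken.example.org
"""


def classify_hosts(text):
    """Split hosts-file entries into (blocked, redirected, malformed).

    blocked:    names mapped to a loopback or unspecified address, i.e. the
                entry keeps the machine from reaching the real site.
    redirected: names mapped to any other address; these deserve review,
                because they send traffic for that name somewhere else.
    malformed:  lines whose first field is not an IP address or that
                carry no hostname.
    """
    blocked, redirected, malformed = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, raw))
            continue
        if len(fields) < 2:
            malformed.append((lineno, raw))
            continue
        # 127.0.0.0/8 and ::1 are loopback; 0.0.0.0 and :: are unspecified.
        sinkhole = addr.is_loopback or addr.is_unspecified
        target = blocked if sinkhole else redirected
        for name in fields[1:]:
            target.append((lineno, name.lower(), str(addr)))
    return blocked, redirected, malformed


if __name__ == "__main__":
    blocked, redirected, malformed = classify_hosts(SAMPLE_HOSTS)
    for lineno, name, addr in redirected:
        print(f"review line {lineno}: {name} -> {addr}")
```

Only the `redirected` and `malformed` lists need a human look; a scanner that reports the `blocked` entries is reporting the blocklist itself.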
I can confirm that the latest AA SE Pro Defs do not show the false positive: Reference Number : SE1R3 12.08.2004 Internal build : 3 HTH Pilli