2 Files - Possible WebDownloader - Positive identification?

Discussion in 'Trojan Defence Suite' started by noel1947, Feb 12, 2005.

Thread Status:
Not open for further replies.
  1. noel1947

    noel1947 Registered Member

    Joined:
    May 13, 2003
    Posts:
    57
    Location:
    Australia
    Hi

    I have been a registered user of TDS3 for about 1 year and to date have never had a positive identification of any nasties. Did a full system scan today (usually done every day) and got the following:

    "Scan Control Dumped @ 22:26:56 12-02-05
    Positive identification <Adv>: Possible WebDownloader
    File: c:\program files\common files\microsoft shared\office11\msoxmled.exe

    Positive identification <Adv>: Possible WebDownloader
    File: c:\program files\microsoft office\office11\msohtmed.exe"


    This identification was not there when I did full scan yesterday and previously. These 2 files are an integral part of MS Office 2003 I assume. I have not used Office for weeks (only Word and Excel ever used).

    I have searched the forum for reference to these files but have not been able to find an answer to my problem.

    Am I to assume that the above results are false positives and, if not, am I able to delete them without compromising the workings of Office 2003? I have used the Office 2003 repair facility and still get the same result as above. No System Restore used on my WinXP as I image my system to a backup HD approx 3-4 times weekly. Yes, I tried restoring an image, but still the same result.

    Any assistance/advice would be appreciated.

    noel1947
     
    Last edited: Feb 12, 2005
  2. darkmatter

    darkmatter Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    25
    Hi noel1947,

    Got the same alert today as well. Found info on msoxmled.exe here. Couldn't find any info either on msohtmed.exe.

    HTH

    Darkmatter
     
  3. noel1947

    noel1947 Registered Member

    Joined:
    May 13, 2003
    Posts:
    57
    Location:
    Australia
    darkmatter

    Yes I found that reference during my searching of Google for a solution. I should have stated in my original post that I am using Firefox and Spysweeper/NAV show them as clean.

    Regards

    noel1947
     
    Last edited: Feb 12, 2005
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I would assume that it's a false positive due to an over-sensitive detection being set by Gavin to attempt to catch some of the new baddies who are causing major problems.

    I'm sure that he will fix it in Monday's update, but it would be wise to email support@diamondcs.com.au to alert them to the problem.
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes, there is also a report of this in the DCS private forums and the user has not changed anything in office since his last scan, so I believe these may well be FPs :eek:

    Pilli
     
  6. ding

    ding Guest

    Re: where is the DCS private forum?

    Sorry for posting off the topic of this thread.
    I can't find the DCS private forum for licensed/registered users. Is this what you mean: "http://diamondcs.com.au/forum/"?
    TIA.
     
  7. noel1947

    noel1947 Registered Member

    Joined:
    May 13, 2003
    Posts:
    57
    Location:
    Australia
    Many thanks to everyone for their responses.

    I had submitted them to Support before posting, so will await response from
    Gavin or fix in Monday's update before deleting them again.

    Regards and thanks again.

    noel1947
     
  8. bokdave

    bokdave Registered Member

    Joined:
    Feb 12, 2005
    Posts:
    1
    Hi All,

    I have been lurking on these message boards for several months now reading all of the interesting AV and AT info.

    I finally thought I should go ahead and register now that I have an actual topic to post about :cool:

    I got those same two Office 2003 hits today as well as a third: MSNBOOT.EXE. That file is supposedly a MSN setup file.

    The two Office files TDS 3 found are dated July 14th 2003 and both have digital signatures.

    It seems like all of the potential false positives are related to Microsoft files :)


    Thanks,
    Dave
     
  9. hardhead

    hardhead Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    293
    Location:
    Blue Ridge, Va
    You are correct Dave. :D

    I posted here about MSNBOOT.EXE and believe it's a false positive.
     
  10. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Tough Microsoft Office trojan to remove - any ideas?

    Hi guys,

    TDS-3 found this trojan, msohtmed.exe, which is found in the Microsoft Office10 directory. Interestingly, Ewido, TrojanHunter and BOClean missed it, but ProcessGuard stopped it dead in its tracks.

    I deleted it, but every time I try to re-install Office, the little bugger comes back. Before I do an image restore, I would like to know if anyone has any ideas how this trojan keeps finding its way back onto my system. Thanks for any help.

    Rich
     
  11. hardhead

    hardhead Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    293
    Location:
    Blue Ridge, Va
    Re: Tough Microsoft Office trojan to remove - any ideas?

    Hello richrf,

    You may want to take a look at this thread that has been posted here.

    Regards,
    hardyhar
     
  12. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: Tough Microsoft Office trojan to remove - any ideas?

    Hi hardyhar,

    Thanks for the link. More info:

    1) I've been scanning with TDS-3 pretty regularly for the last year or so and this is the first time it came up with this nasty.

    2) My son has the same .exe and TDS-3 does not have any problem with it on his machine.

    3) When I delete the nasty and start up Word, it gives me a message asking whether I want to "repair" the feature (with no other message). I respond no.

    4) It tries to start itself up if I don't delete it. ProcessGuard detects it and stops it, though it still lingers in memory. This only happens if I have not deleted it yet. After I have deleted it, it does not show its face.

    5) The Windows Installer tries to start itself up when I reboot, presumably to fix the file. I am not sure this is normal behavior.

    So something seems rotten. I'm still awaiting positive ID from DiamondCS. I sent it in on Fri.

    Rich
     
    Last edited: Feb 13, 2005
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    As I said in my previous post:

    There are several new web downloaders that are causing tremendous problems at the moment. They really infect computers very badly, and removal of them and their passengers is extremely difficult, if not almost impossible, without very specialised help.

    Gavin has obviously tried to set a generic detection to block them downloading or running on a TDS-protected computer.

    The problem with generic detections is that if they are set wide enough and sensitive enough, some genuine files will always come under suspicion.

    The code for the downloaders would have enough similar points to the genuine M$ files that a mistaken identity is possible.

    I think I would rather be warned that a genuine file is a "POSSIBLE" downloader than have an infected computer.

    Unfortunately it's a catch-up game with the evil scum who invent these viruses/trojans etc., and any defensive program will make a couple of errors when looking for them.

    Luckily, because TDS puts you in the driving seat and lets you decide what is bad and good, and doesn't automatically delete or fix anything, unlike many other security programs, false positives are not the problem they would be with those other programs.

    Just leave the files alone for now and I'm sure that Monday's definition files will fix the problem.
     
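The mechanism dvk01 describes, a generic rule wide enough to catch new downloaders also catching a genuine Office file, is easy to see in miniature. The example below is added here and is not code from TDS-3, DiamondCS or anyone in this thread; the "files" are constructed byte strings that imitate import-table entries, the rule and its thresholds are my own assumptions about what such a heuristic might key on, and the "known-good" hash stands in for a reference copy of the same file from a machine the scanner does not complain about (richrf's comparison against his son's copy). It shows the wide rule flagging both the constructed downloader and the constructed HTML editor, a tighter rule that drops the editor at the cost of coverage, and hash-based triage of the remaining hit.

```python
import hashlib

# Constructed stand-ins for PE images: only the strings a heuristic might
# match on are present. None of these are real Microsoft or malware files.
SAMPLES = {
    # Downloader: fetches a URL, writes it to disk, runs it, persists via Run key.
    "downloader.exe": (
        b"MZ\x90\x00" + b"\x00" * 64
        + b"WININET.dll\x00InternetOpenUrlA\x00InternetReadFile\x00"
        + b"KERNEL32.dll\x00CreateFileA\x00WriteFile\x00WinExec\x00"
        + b"ADVAPI32.dll\x00RegSetValueExA\x00"
        + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    ),
    # Benign HTML editor that also fetches URLs, saves files and launches a
    # helper process, so it shares most of the downloader's imports.
    "msohtmed.exe": (
        b"MZ\x90\x00" + b"\x00" * 64
        + b"WININET.dll\x00InternetOpenUrlA\x00InternetReadFile\x00"
        + b"KERNEL32.dll\x00CreateFileA\x00WriteFile\x00CreateProcessA\x00"
        + b"USER32.dll\x00MessageBoxA\x00"
    ),
    # Unrelated tool with no network imports at all.
    "notepad.exe": (
        b"MZ\x90\x00" + b"\x00" * 64
        + b"KERNEL32.dll\x00CreateFileA\x00WriteFile\x00"
        + b"USER32.dll\x00MessageBoxA\x00"
    ),
}

# Indicator groups for the hypothetical "possible WebDownloader" rule.
FETCH = (b"InternetOpenUrlA", b"URLDownloadToFileA", b"InternetReadFile")
WRITE = (b"WriteFile", b"CreateFileA")
EXEC = (b"WinExec", b"CreateProcessA", b"ShellExecuteA")
PERSIST = (b"CurrentVersion\\Run", b"RegSetValueExA")


def has_any(blob, needles):
    return any(n in blob for n in needles)


def generic_downloader_rule(blob):
    """Wide rule: anything that can fetch, write and execute is 'possible'."""
    return has_any(blob, FETCH) and has_any(blob, WRITE) and has_any(blob, EXEC)


def tighter_downloader_rule(blob):
    """Same rule plus a persistence indicator: fewer FPs, may miss more."""
    return generic_downloader_rule(blob) and has_any(blob, PERSIST)


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


# Reference hashes. In practice these come from a vendor whitelist or from
# hashing the same file on a clean machine; here the sample blob is its own
# reference, which is an assumption made for the demo.
KNOWN_GOOD = {
    sha256(SAMPLES["msohtmed.exe"]): "msohtmed.exe (Office 2003, reference copy)",
}


def triage(blob, rule=generic_downloader_rule):
    """Return 'clean', 'known-good (FP)' or 'suspicious' for one file."""
    if not rule(blob):
        return "clean"
    if sha256(blob) in KNOWN_GOOD:
        return "known-good (FP)"
    return "suspicious"


def scan(samples, rule=generic_downloader_rule):
    return {name: triage(blob, rule) for name, blob in samples.items()}


if __name__ == "__main__":
    for rule in (generic_downloader_rule, tighter_downloader_rule):
        print(rule.__name__)
        for name, verdict in scan(SAMPLES, rule).items():
            print(f"  {name:15} {verdict}")
```

A hash match only proves the flagged file is byte-identical to the reference copy, so the reference itself has to be trusted; on a real system the next checks are the Authenticode signature that bokdave mentions and a sample sent to the vendor, not deletion.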
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Tough Microsoft Office trojan to remove - any ideas?

    richrf, these are probably proper Office files, as stated in the other thread. Hopefully the new defs on Monday will sort the problem.

    Pilli
     
  15. timnicebutdim

    timnicebutdim Registered Member

    Joined:
    Jan 24, 2005
    Posts:
    66
    Last edited: Feb 13, 2005
  16. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    TDS is finding the Office 10 version as a possible WebDownloader on my computer as well, so I can 100% guarantee that it's a false positive. Just stop panicking and wait till it's fixed in the next update.

    DO NOT delete the file or do anything with it.
     
  17. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: Tough Microsoft Office trojan to remove - any ideas?

    Thanks Pilli. Some of the behavior is kind of odd though. The installer keeps trying to launch itself even when I am not accessing MS Office tools. It just seems kind of weird.

    Rich
     
    Last edited: Feb 13, 2005
  18. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Tough Microsoft Office trojan to remove - any ideas?

    Hi Rich, as you are concerned about this it may be as well to copy/zip the file and send it to submit@diamondcs.com.au for analysis; even if it is an FP it will help Gavin fine-tune the definition.

    Thanks. Pilli
     
  19. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: Tough Microsoft Office trojan to remove - any ideas?

    Hi Pilli,

    I am a bit concerned, especially since it tries to launch itself at startup. I don't remember seeing this behavior before. I already sent a copy to Gavin last Fri. but have not heard back from Diamond. So I sent another copy just in case it got lost in the mail.

    Rich
     
    Last edited: Feb 13, 2005
  20. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Tough Microsoft Office trojan to remove - any ideas?

    Thanks Rich, I'm sure that Gavin will deal with it Monday as they have the weekend off :)
     
  21. BourgePD

    BourgePD Registered Member

    Joined:
    Sep 5, 2004
    Posts:
    75
    Re: Tough Microsoft Office trojan to remove - any ideas?

    Oddly enough, my previous full install of MS Office never caused TDS to alarm. By coincidence, I did another full install with updates yesterday that later alarmed on the MSOHTMED.EXE file during a TDS scan. Should be no cause for alarm though as it is the Office *.htm editor. Have experienced no odd behavior with the file as in richrf's case though.
     
  22. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hopefully the merging of the other thread concerning this same topic does not cause any heartburn. I suggest all concerned heed what dvk01 posted above.

     
  23. razzmataz

    razzmataz Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    3
    I too have got these positive identifications together with:

    Positive identification (embedded in file): TrojanClicker.Win32.Agent.ap3
    c:\program files\palm\hswizardnotyfy.dll

    This file still has its original date, owner etc., and I'm assuming this is also a false positive. It is part of my Palm PDA synchronising software.
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
  25. razzmataz

    razzmataz Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    3
    Don't I have to be a registered user to submit a file like this? I'm still evaluating this software.
     