2 Files - Possible Webdownloader -Positive identification?

Discussion in 'Trojan Defence Suite' started by noel1947, Feb 12, 2005.

Thread Status:
Not open for further replies.
  1. noel1947

    noel1947 Registered Member

    Joined:
    May 13, 2003
    Posts:
    41
    Location:
    Australia
    Hi

    I have been a registered user of TDS3 for about 1 year and to date have never had a positive identification of any nasties. Did a full system scan today (usually done every day) and got the following:

    "Scan Control Dumped @ 22:26:56 12-02-05
    Positive identification <Adv>: Possible WebDownloader
    File: c:\program files\common files\microsoft shared\office11\msoxmled.exe

    Positive identification <Adv>: Possible WebDownloader
    File: c:\program files\microsoft office\office11\msohtmed.exe"


    This identification was not there when I did full scan yesterday and previously. These 2 files are an integral part of MS Office 2003 I assume. I have not used Office for weeks (only Word and Excel ever used).

    I have searched the forum for reference to these files but have not been able to find an answer to my problem.

    Am I to assume that the above results are false positives and if not, am I able to delete them without compromising the workings of Office 2003?. I have used repair Office 2003 facility and still get the same result as above. No system restore used on my Winxp as I image my system to backup HD approx 3-4 times weekly. Yes, I tried restoring image, but still the same result.

    Any assistance/advice would be appreciated.

    noel1947
     
    Last edited: Feb 12, 2005
  2. darkmatter

    darkmatter Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    25
    Hi noel1947,

    Got the same alert today as well. Found info on msoxmled.exe here . Couldnt find any info either on msohtmed.exe.

    HTH

    Darkmatter
     
  3. noel1947

    noel1947 Registered Member

    Joined:
    May 13, 2003
    Posts:
    41
    Location:
    Australia
    darkmatter

    Yes I found that reference during my searching of Google for a solution. I should have stated in my original post that I am using Firefox and Spysweeper/NAV show them as clean.

    Regards

    noel1947
     
    Last edited: Feb 12, 2005
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I would assume that it's a false positive due to an over sensitive detection being set by Gavin to atempt to catch some of the new baddies who are causing major problems

    I'm sure that he will fix it on Monday's update but it would be wise to email support@diamondcs.com.au to alert them to the problem
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes, there is also a report of this in the DCS private forums and the user has not changed anything in office since his last scan, so I believe these may well be FPs :eek:

    Pilli
     
  6. ding

    ding Guest

    Re: where is the DCS private forum?

    Sorry for posting out of the topic of this thread.
    I dont find out where the DCS private forum for licensed/registered users? Is this you mean to "http://diamondcs.com.au/forum/"
    .tia.
     
  7. noel1947

    noel1947 Registered Member

    Joined:
    May 13, 2003
    Posts:
    41
    Location:
    Australia
    Many thanks everyone for their responses.

    I had submitted them to Support before posting, so will await response from
    Gavin or fix in Monday's update before deleting them again.

    Regards and thanks again.

    noel1947
     
  8. bokdave

    bokdave Registered Member

    Joined:
    Feb 12, 2005
    Posts:
    1
    Hi All,

    I have been lurking on these message boards for several months now reading all of the interesting AV and AT info.

    I finally thought I should go ahead and register now that I have an actual topic to post about :cool:

    I got those same two Office 2003 hits today as well as a third: MSNBOOT.EXE. That file is supposedly a MSN setup file.

    The two Office files TDS 3 found are dated July 14th 2003 and both have digital signatures.

    It seems like all of the potential false positives are related to Microsoft files :)


    Thanks,
    Dave
     
  9. hardhead

    hardhead Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    292
    Location:
    Blue Ridge, Va
    You are correct Dave. :D

    I posted here about MSNBOOT.EXE and believe it's a false positive.
     
  10. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Tough Microsoft Office trojan to remove - any ideas?

    Hi guys,

    TDS-3 found this trojan msohtmed.exe which is found in the Microsoft Office10 directory. Interestingly Ewido, TrojanHunter and BOClean missed it, but ProcessGuard stopped it dead in its tracks.

    I deleted it, but every time I try to re-install Office, the little bugger comes back. Before I do an image restore, I would like to know if anyone has any ideas how this trojan keeps finding its way back onto my system. Thanks for any help.

    Rich
     
  11. hardhead

    hardhead Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    292
    Location:
    Blue Ridge, Va
    Re: Tough Microsoft Office trojan to remove - any ideas?

    Hello richrf,

    You may want to take a look at this thread that has been posted here.

    Regards,
    hardyhar
     
  12. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: Tough Microsoft Office trojan to remove - any ideas?

    Hi hardyhar,

    Thanks for the link. More info:

    1) I've been scanning with TDS-3 pretty regularly for the last year or so and this is the first time it came up with this nasty.

    2) My son has the same .exe and TDS-3 does not have any problem with it on his machine.

    3) When I delete the nasty, and start-up Word, he gives me a message whether I want to "repair" the feature (with no other message). I respond no.

    4) It tries to start itself up if I don't delete it. ProcessGuard detects it and stop it, though it still lingers in memory. This only happens if I have not deleted it yet. After I have deleted it, it does not show its face.

    5) The Windows Installer tries to start itself up when I reboot - presumably to fix the file. I am not sure this is normal behavior.

    So something seems rotten. I'm still awaiting positive ID from DiamondCS. I sent it in on Fri.

    Rich
     
    Last edited: Feb 13, 2005
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    AS I said in my previous post

    there are several new web downloaders that are causing tremendous problems at the moment, they really infect the computers very badly and removal of them and their passengers are extremely difficult if not almost impossible without very specialised help

    Gavin has obviously tried to set a generic detection to block them downloading or running on a TDS protected computer.

    The problem with generic detections is that if they are set wide enough and sensitive enough some genuine files will always come under suspicion.

    The code for the downloaders would have enough similar points to the genuine M$ files that a mistaken identity is possible

    I think I would rather be warned that a genuine file is a "POSSIBLE" downloader than have an infected computer

    Unfortunately it's a catch up game with the evil scum who invent these viruses/trojans etc and any defensive program will make a couple of errors when looking for them

    luckily enough because TDS puts you in the driving seat and lets you decide what is bad and good and doesn't automatically delete or fix anything unlike many other security programs false positives are not the problem they would be with those other programs

    just leave the files alone for now and I'm sure that Monday's definition files will fix the problem
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Tough Microsoft Office trojan to remove - any ideas?

    richf, These are probably proper office files as stated in the other thread. Hopefully the new defs on Moday will sort the problem.

    Pilli
     
  15. timnicebutdim

    timnicebutdim Registered Member

    Joined:
    Jan 24, 2005
    Posts:
    66
    Last edited: Feb 13, 2005
  16. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    TDS is finding the office 10 version as a possible webdown loader on my computer as well so I can 100% guarantee that it's a false positive so just stop panicking and wait till it's fixed in the next update

    DO NOT delete the file or do anythng with it
     
  17. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: Tough Microsoft Office trojan to remove - any ideas?

    Thanks Pilli. Some of the bahavior is kind of odd though. The installer keeps trying to launch itself even when I am not accessing MS Office tools. It just seems kind of wierd.

    Rich
     
    Last edited: Feb 13, 2005
  18. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Tough Microsoft Office trojan to remove - any ideas?

    Hi Rich, As you are concerned about this it may be as well to copy /zip and submit@diamondcs.com.au for analysis, even if it ia an FP it will help Gavin fine tune the definition.

    Thanks. Pilli
     
  19. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: Tough Microsoft Office trojan to remove - any ideas?

    Hi Pilli,

    I am a bit concerned, especially since it tries to launch itself at startup. I don't remember seeing this behavior before. I already sent a copy to Gavin last Fri. but have not heard back from Diamond. So I sent another copy just in case it got lost in the mail.

    Rich
     
    Last edited: Feb 13, 2005
  20. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Tough Microsoft Office trojan to remove - any ideas?

    Thanks Rich, I'm sure that Gavin will deal with it Monday as they have the weekend off :)
     
  21. BourgePD

    BourgePD Registered Member

    Joined:
    Sep 5, 2004
    Posts:
    75
    Re: Tough Microsoft Office trojan to remove - any ideas?

    Oddly enough, my previous full install of MS Office never caused TDS to alarm. By coincidence, I did another full install with updates yesterday that later alarmed on the MSOHTMED.EXE file during a TDS scan. Should be no cause for alarm though as it is the Office *.htm editor. Have experienced no odd behavior with the file as in richrf's case though.
     
  22. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hopefully the merging of the other thread concerning this same topic does not cause any heart burns. I suggest all concerned heed what dvk01 posted above.

     
  23. razzmataz

    razzmataz Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    3
    I too have got these positive identifications together with:

    Posative identification (embedded in file) TrojanClicker.Win32.Agent.ap3
    c:\program files\palm\hswizardnotyfy.dll

    This file still has its original date, owner etc. and I'm assuming this is also a false pasitive. It is part of my Palm PDA synchronising software.
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
  25. razzmataz

    razzmataz Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    3
    Don't I have to be a registered user to submit a file like this. I'm still evaluating this software.
     
Thread Status:
Not open for further replies.