cws item in tds-3

Discussion in 'Trojan Defence Suite' started by norwegian1968, Mar 23, 2005.

Thread Status:
Not open for further replies.
  1. norwegian1968

    norwegian1968 Registered Member

    Joined:
    Mar 22, 2005
    Posts:
    20
    I did a run of CounterSpy and it picked up a CWS in TDS-3, yet the CWS tool didn't detect a thing. Has this been heard of elsewhere?
     
  2. Mephisto

    Mephisto Guest

    Yea, I got it too ... CounterSpy has more F/P's than any scanner I have ever used, including Pest Patrol. The file targeted by CS is: UPX
    C/Program Files/TDS 3/Ext.Unpk/upx.exe
     
  3. norwegian1968

    norwegian1968 Registered Member

    Joined:
    Mar 22, 2005
    Posts:
    20
    Yep, Mephisto,
    you have the same file log as here... I'll leave it as it is then... I'll just check both programs for peace of mind every now and then; if it changes I'll let you know.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there,
    The upx.exe has been a tool in TDS for many years; you might like to check whether it is still the original from your installation or whether it was recently tampered with. It is a packer file for executables, as you can read in the additional txt file in that same folder.
    You could, for that peace of mind, submit that file zipped with the txt to that scanner's developer so they can correct the detection.
    Maybe the developer of that tool would like to be informed as well.
    DiamondCS would never use any tool if it were suspicious in any way.

    These days there is so much malware to be detected that more false positives can happen in detection software, so the developers can certainly use our help with submitting the files.

    Thanks a lot! :)
     
  5. norwegian1968

    norwegian1968 Registered Member

    Joined:
    Mar 22, 2005
    Posts:
    20
    Jooske, I am presently chatting about a security issue on broadbandreports, but I will endeavour to send some info off. Whatever it is in here doesn't care what program it uses; it has me stumped, but a program at grc.com about UPnP, I think it was called, helped a bit. I've been told most of the problem is inside getting out, but just where to isolate it is beyond my knowledge. I'm using the same name minus 1968 on their site if you wish to read about my predicament.
    Thank you for the advice, as all these so-good programs are looking bad to me because of a hidden agenda making life hard.
     
  6. norwegian1968

    norwegian1968 Registered Member

    Joined:
    Mar 22, 2005
    Posts:
    20
    All I could find was an unpack.cfg and a upx text doc; is this what you were referring to? o_O
    I'm only new in the computing game, so just keep that in mind please; I will help out with everything I can from my limited knowledge.
    Thanks.
    I have just sent both files to the link you had under your message; hopefully the team will know a bit more.

    I have a funny feeling the team might not find anything with them, as I've been told that it could be a stability issue, as the HJT log showed nothing and all the links are traffic. I guess I'm still at this computer's mercy :(
    Just understand my intentions aren't those of undermining companies; I guess I'll have to stick with my own inadequacies,
    but I'm sure I can fly.
     
    Last edited: Mar 24, 2005
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thank you for submitting.
    The CounterSpy developer should get a copy though :) as they are the guys saying TDS has unpackers or packers inside. Of course it has, as part of the detection possibilities, to unpack executables to be able to scan them for possible malware. Packers and unpackers are not in all cases malicious!
    The file is located here: C:\Program Files\TDS-3\Ext.Unpk\upx.exe
    I don't know CounterSpy. You see Mephisto commenting that it has more false positives than any other he ever used, so better get rid of that scanner as soon as possible.
    If you deleted that file in question you would cripple TDS of an important part.
    Nothing to do with instability, just a bad scanner with false positives, that CounterSpy I mean.
    Upload the files online at www.kaspersky.com/remoteviruschk and see that they are clean.

    TDS and the other DiamondCS programs have no hidden agendas and are there to enhance quality of life, joy, computer security, etc.
    Since you say you love games, make sure you install the TDS scripts pack and speech, look in the threads here for how to deal with the msagent stuff, and load the innerpeace script in TDS. Enjoy!
    I might write you a flying Norwegian script if ever time and inspiration come together.
     
  8. Mephisto

    Mephisto Guest

    I knew as soon as I saw it flagged that CS was wrong ... it almost always is after updating to a new reference file. I used to use it as my main defence (active protection) until it proved to be most unreliable (IMO); I went back to SpySweeper. Although I did just update CS and it is still flagging the TDS file, which is unusual, as CS usually fixes these targeting errors pretty fast.

    I did have 2 versions of CoolWebSearch last week that Shredder got rid of (I hope), and during the time those 2 variants were on my system Pest Patrol kept listing my motherboard's hardware monitor as an unknown trojan ... the second I removed the CWS variants Pest Patrol no longer flagged my motherboard monitor.

    Maybe I have a 3rd variant that Shredder doesn't detect yet and it's making the TDS file appear to be contaminated? Can spyware make other programs' exes or files look bad to potential scanners?
     
  9. FanJ

    FanJ Guest

    For your info:
    on my W98SE machine the MD5 is:

    The file <C:\<deleted by me>\Ext.Unpk\upx.exe> has the following Checksum(s)
    MD5 - 6EF20E56D1F5EB53882E71A29701138E

    and that file is most definitely clean on my machine ;)
     
  10. norwegian1968

    norwegian1968 Registered Member

    Joined:
    Mar 22, 2005
    Posts:
    20
    Thanks for some insight there, Jooske. I had some problems, but after going to GRC's site and turning off UPnP, I think the Microsoft unit is called, things settled down a bit, so it must have been the issue. I will send CounterSpy a copy of the file.

    Mephisto, it's funny, as it was picked up in a scan straight after the program update (not its mini update), and as far as I have seen I had no CWS on my computer prior to this scan, and the CWS program scan is still not finding a thing.

    FanJ, thank you for looking into that for me, as I'm a home user with the one computer...

    Thank you all.
     
    Last edited: Mar 24, 2005
  11. FanJ

    FanJ Guest

    You're welcome norwegian1968 :D

    Some side-notes:

    You can always check a certain file at several online scanners, like the KAV online scanner and Jotti's online scanner for example.

    As for that MD5 checksum I posted:
    Comparing those checksums also gives you a very good impression of whether something has happened to that file.
    There are lots of free and not-free tools on the internet that can calculate those checksums for you.
    Too many to name them all.
    So only two examples:
    1. CryptoSuite from Jason. Not free. See the dedicated forum for it here on the Wilders board. Very nice!!! I used it for that posting.
    2. Karen's Hasher. Free. http://www.karenware.com/powertools/pthasher.asp
     
  12. norwegian1968

    norwegian1968 Registered Member

    Joined:
    Mar 22, 2005
    Posts:
    20
    Thanks for that, FanJ, but I think my homework has just tripled; at least it will help project "am I secure".
    Seems a good tool.
     
  15. Mephisto

    Mephisto Guest

    Wow,
    Updated CS again today and it is still flagging the TDS file ... only now it has no description (it was listed as CoolWebSearch); now it just shows "()" as the entry.

    I am just about done with this antispyware app ... If I had removed all of the items CS suggests so far I would be reinstalling Windows about now. Get it together, Sunbelt.
     
  16. FanJ

    FanJ Guest

    Another hint about that file upx.exe:

    Put it in your TDS-3 file crcfiles.txt so the CRC32 test of TDS-3 will warn you in case that file has been changed.
    I myself long ago put all my important TDS-3 files in it ;)

    For guidelines about the CRC32 test see:
    https://www.wilderssecurity.com/showthread.php?t=13740
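As an added illustration of the checksum comparison FanJ describes above and of the baseline idea behind crcfiles.txt in this post (example code written for this page, not a DiamondCS or Wilders tool; the baseline structure and the sample file contents are constructed, and TDS-3's own crcfiles.txt format is not assumed), this records the MD5 and CRC32 of files while they are known-good and later reports which ones changed or went missing:

```python
import hashlib
import os
import tempfile
import zlib

def digest_bytes(data):
    """MD5 (upper-case hex, as FanJ posted it) and CRC32 hex of a byte string."""
    md5 = hashlib.md5(data).hexdigest().upper()
    crc = f"{zlib.crc32(data) & 0xFFFFFFFF:08X}"
    return md5, crc

def digest_file(path):
    """The same two values for a file on disk, read in chunks."""
    md5 = hashlib.md5()
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            crc = zlib.crc32(chunk, crc)
    return md5.hexdigest().upper(), f"{crc & 0xFFFFFFFF:08X}"

def build_baseline(paths):
    """Record digests while you still know the files are the originals."""
    return {p: digest_file(p) for p in paths}

def check_baseline(baseline):
    """Re-hash every recorded file and report ok / changed / missing."""
    report = {}
    for path, recorded in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif digest_file(path) != recorded:
            report[path] = "changed"
        else:
            report[path] = "ok"
    return report

def demo():
    """Constructed scenario: three files named as in the thread, contents made up;
    afterwards one file is altered and one deleted, and the baseline is re-checked."""
    tmp = tempfile.mkdtemp()
    paths = [os.path.join(tmp, n) for n in ("upx.exe", "unpack.cfg", "upx.txt")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"sample content of " + os.path.basename(p).encode())
    baseline = build_baseline(paths)
    with open(paths[0], "ab") as f:   # a single appended byte changes both digests
        f.write(b"x")
    os.remove(paths[2])               # the txt file goes missing
    return {os.path.basename(p): s for p, s in check_baseline(baseline).items()}
```

A matching digest only proves the file is the one you recorded earlier, so take the baseline right after a clean installation, not after a scanner has already raised an alert.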
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Surfing through the forums and digging in my own memory I see the strangest things:
    I experienced an AV on the loose many years ago which left little in place of a normal uninfected Windows system, turning it into a complete nightmare, more after each scan, deleting all normal fonts and lots of stuff.
    In the DiamondCS pages we just had a discussion about another AV on the loose with its spyware detection, blacklisting normal Windows files because some trojans use them too, and even concurrent protection software doing exactly what it should do: alerting users on programs intending to make registry changes, that kind of stuff.
    One of the reasons why TDS keeps the users in the driver's seat to decide what can stay and what has to be deleted after investigation of the alarms. TDS doesn't leave you with a crippled system in any way!

    From what I read from you guys about CounterSpy I wouldn't keep it on my system; keep to the known programs: SpySweeper is mentioned a lot, Spybot S&D, Ad-Aware, SpyCop, etc.

    Prevention should be the main way to go now: sandboxing, whatever.

    Jan, I thought Wayne once provided you with another MD5 tool as well, but I couldn't find it back in the forum threads. Maybe it was that SHA160, not sure at this moment.
     
  18. FanJ

    FanJ Guest

    Yep, I too thought that Jooske, maybe a script; I have to look for it.
     
  19. Oddbod

    Oddbod Guest

    Counterspy does have a few F/P's, but then so does Giant Antispyware & M$ Antispyware as they are all the same prog with just a few subtle changes.

    Counterspy even finds a keylogger in Mailwasher Pro's summary logfile lol; not that long ago, the M$ version said IE was spyware & removed it lol
     
  20. controler

    controler Guest

    & Spycatcher claims that TDS-3's update.exe is a Japanese Keylogger.
    Wrote to them twice about this matter but they are sticking by their detection. They say they will continue to find software that phones home behind your back even if it is for legit uses.

    Bruce
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    So it will be the same with every update set to automatic? LiveUpdate, Windows Update, etc.?
    Strange guys. No "exclude" list either?
    Just found a review about it here: http://www.technewsworld.com/story/40987.html
    I will not even touch it even if paid for it. We would call that false positives.

    It's getting clearer by the day that spyware detection/fighting is a specialist job. Ugly to make money from unsuspecting users by crippling their system, deleting legitimate files.
     
    Last edited: Mar 27, 2005
  22. Mephisto

    Mephisto Guest

    I agree Jooske ...
    Suddenly everyone is a spy expert ... I don't recall these guys all being so interested in the consumers' welfare a few years ago.

    Spyware has become such a catch-phrase nowadays and a big money-maker. You have individuals and companies getting involved that really shouldn't be involved at all.

    It's amazing, since the PC World article came out and said CS was the best, the number of people asking about it. PC World is about as unreliable as it gets. They don't even do their own testing.

    Just about 3 yrs ago there was a problem with their AV reviews using AV-Test (http://www.av-test.org/) as its outside tester. AV-Test, a site that was on the rise then, has sunk into almost nothingness now. It seems for the right price the test results could have whichever AV you prefer appear as the winner (especially the ones that buy advertising from PC Magazine), and that's exactly what they did.

    Don't believe everything you read compadres ... charts, graphs, and percentages can be faked as easy as anything else for the right price.
     
  24. controler

    controler Guest

    Jooske HI

    Spycatcher is not detecting all auto-updaters.
    It tags one of ProcessGuard's DLLs also.
    They tag files as either FOUND spyware or SUSPICIOUS.
    Yes, they pretty much call all files spyware. They could be trojans or keyloggers. I use GhostSurf Platinum 2005 & I use SpySweeper.
    Been using GhostSurf for years. I have also used SpySweeper before those test results came out.
    I DO agree that we should not believe all the test results we see. Instead I say go get the nasties online and do your own tests. Why do you think I preach reformatting? LOL
    I have been looking into VMware along with Ramdisk. Running a virtual OS on RAM.
    I also agree that just because some of us were here at Wilders before there were even 1000 members, that doesn't make us security experts by any means.
    I learn from all the posters every time I come here. ;)

    Happy Easter

    Bruce
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Ah, the virtual environment, interesting!
    Using it for testing or can you do more from there?

    We always need to keep using common sense and being very critical of alerts from scanners. Do we know the file, do we trust it, why, is it still the original we installed ourselves, has it been tampered with since, does the same file name appear in any known malware, are there more file / registry key changes on our system belonging to that possible infection? etc. etc.

    And here we see the urgency of prevention and hammering our systems tight layer after layer....

    And we gather our education along the road, adding new items each step, all of us (i hope).
     