I'm new user of TDS3 - Possible false positive! Is there any way to check?

Discussion in 'Trojan Defence Suite' started by zoril, Jun 7, 2005.

Thread Status:
Not open for further replies.
  1. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    Hi everyone:)

    I have just purchased TDS3, registered and completed a full scan. It seems to have come up with a possible Trojan, although I do feel that it may well be a false positive?

    I checked out the file at VirusTotal Scan, Jotti online malware scan, + with Trojan Hunter, Webroot SpySweeper, NOD32, and TrendMicro (Java online scan), none of which indicated a problem. I also read somewhere that a few people had seen the same message when heuristics were set high using different virus scanners. The exact TDS message I got is:-

    Scan Control Dumped @ 15:10:59 07-06-05
    Positive identification <Adv>: Possible ICQ-notifying trojan
    File: c:\program files\icqlite\icqliteuninstall.exe

    My initial reaction was to right click the reference in TDS, and submit it, but I was unable to do so! I am sure that I have my Outlook settings correct re my server requires authentication.

    I have no problem sending or receiving mail, yet when I use the email test facility in TDS it comes up with an error, suggesting that my server authentication settings are not correctly configured?

    I did double check them. In addition to having the "my server requires authentication" box ticked, I tried under the next page - settings firstly "use same settings as my incoming mail server", then secondly "log on using account/ name password". Neither worked, as I got the same error with both settings in the email test window (with a suggestion to contact Yahoo re configuration)...

    Is there anywhere I should submit this file, or should I disregard it as a false positive based on the checks that I have done? Advice appreciated...

    I should maybe add that I did configure TDS from the original 127.0.0.1, admin@localhost to my correct email address etc from configuration, servers, email set-up. I guess that I must be making some or other mistake? I didn't change the internet service provider for ip retrieval. Maybe I should have? It is currently set to tds.diamondcs.com.au

    Kind regards,

    Howard
     
    Last edited: Jun 7, 2005
  2. Stephanos G.

    Stephanos G. Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    720
    Location:
    Cyprus
    I trialled today TDS-e and i have the same alert that is possibly a FP.
     
  3. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    That is encouraging. My gut reaction is that it was a false positive!
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  5. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    Hi there Pilli:)

    Many thanks for the reply. I have zipped, encrypted and sent the file to the address you mentioned (along with the encryption password).

    That configuration page looks brilliant. I have bookmarked it, as it is something that I want to read slowly and digest, rather then just glance at...

    I have a lot to learn. Not being technically orientated, it will probably take me a lot longer then most in this forum to achieve.

    Someone told me to install execution protection with TDS. That is something else that I will need to learn about. I have installed it, but have not used it yet - at least not knowingly...

    Best wishes,

    Howard:)
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Execution protection kooks opening processes to ensure that they are not infected, once installed it is only active when TDS3 is running either as a window or iconised to the systray.

    Pilli :)
     
  7. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    That is handy to know. It can't do any harm leaving it enabled, in that I may well leave it minimised to the tray when surfing. I just finished reading the other page. It was very useful re settings...

    I think that I will need to find out the exact address of my ISP for the purpose of the TDS email test. I am with BT Broadband as my main telephone provider, yet my Outlook Express email address is with btinternet.com, for which I pay a small monthly subscription.

    Even after reading that page, I am unable to configure it correctly re the email test...

    Howard:)
     
  8. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    You just need to use your pop and smtp setting for your mail. That`s all I used.
     
  9. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    The thing is I know my pop and smtp from outlook express account/ properties/servers. I have my server requires authentication ticked and also the settings.

    Internet service provider for ip retrieval on the left hand side of TDS3 (I tried entering the address for btinternet.com, then tried leaving it blank). Neither worked!.........Howard:)
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there, untick the authentification and try again.
     
  11. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    Hi there Jooske:)

    I hope that things are going well for you?

    I tried what you suggested but sadly no joy. I get the same smtp error message everytime:-

    [SMTP error] Failed MAIL from ERROR: 530 authentication required. Your email could not be sent. To fix this you must make a simple change to your email (known as smtp authentication). For advice visit btyahoo.com/smtp or call a specific 0800 telephone number...

    I never have had any problems with Outlook Express. It probably is something really simple that I missed. I should maybe add that I have only one email account, which is my default one.

    I can send emails ok using plugins smtp, but not via test email!

    Thanks for helping.

    Howard
     
    Last edited: Jun 7, 2005
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    By the sound it seems really simple then, if you can send via the test email. Did you configure it in the sockets as well to send yourself an alert email? That should be the same as in the test email and SMTP plugin.
    No typo of some kind?
    btinternet sounds different from btyahoo ....

    Best to zip your samples anyway and attach them to an email to submit them these days.
     
  13. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    Hi Jooske,

    As long as Outlook Express works ok that is the most important thing. I guess that it is not important if test email works, as long as the plugin SMTP does..
    I don't think that I configured sockets - I don't remember doing so...

    I got an email back from support. They confirmed that the possible trojan was in fact a false positive. I thought it best to mention that in this post, for the benefit of anyone who has followed the thread...

    I have never fully understood the way that BT and Yahoo work together. The one thing I am certain is that my Outlook Express configuration is correct, as it was tech support that helped me to configure it originally...

    All the best,

    Howard
     
    Last edited: Jun 8, 2005
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks for the updating!
    Maybe your Outlook needs allowance in the trusted zone as well, in stead of the internet zone if that is where you have it, could be such a thing.
    You'll need the test email to work properly if you would like to be able to submit samples with the rightclick from the alerts console.

    The sockets configuration you can see with one blink of an eye if you look at the TDS console and see upper right corner if you ever clicked on the sockets button and all squares are there nicely colored green.
    It's an extra protection. Switch them on (automated) and select alerts emails sending to you and beep alarm, then in the plugins do some of the port testing and see if you get any alarms and emails alerts.

    Have fun trying it all! :)
     
  15. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    you might be right re Outlook Express and trusted zone. Is there an easy way to put it there?

    I had a look at sockets. I definitely hadn't configured that earlier. I have loads to learn... o_O

    Howard:)
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In Outlook Express Tools > Options > Security.
    I put mine temporary in the Internet Zone when needed changing that choice on top.

    Yeah, the forum is rather educative :)
    See the Important sticky thread and the links, that's why they are important! :cool:
     
  17. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    Thanks again Jooske:)

    Your replies have been most appreciated

    Howard:)
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You're welcome!

    Outlook Express is needed in the internet zone if you want more functionallity like playing scripts (msagents for instance) from your inbox, but i can't remember it to have any impact in sending alerts emails or submits from TDS. It is really strange, as the SMTP plugin should use the same smtp settings as the configuration which are used for the settings in the sockets too.
     
Thread Status:
Not open for further replies.