Infected file

Discussion in 'Trojan Defence Suite' started by JimmieC, Feb 13, 2005.

Thread Status:
Not open for further replies.
  1. JimmieC

    JimmieC Registered Member

    Joined:
    May 8, 2004
    Posts:
    11
    Housecall indicates I have an infected file on my machine. The information they offered is as follows:

    TROJ WINSHOWL Non-cleanable c:\m00.exe

    I ran Avast, Spybot, and Ad-aware, and they came up clean. Any help in this matter would be appreciated. Thanks,
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    And what says TDS about it?
     
  3. JimmieC

    JimmieC Registered Member

    Joined:
    May 8, 2004
    Posts:
    11
    Jooske;

    I am guessing "TDS" refers to Trojan Defense Suite, and so far you are the only one to comment as I am sure you are aware. I searched the TDS forum prior to posting, and did not find any help. If I am misinterpreting what you meant in your response, kindly correct me. Thanks,
     
  4. JimmieC

    JimmieC Registered Member

    Joined:
    May 8, 2004
    Posts:
    11
    Jooske;

    I understand the reference you made to TDS. "Welcome to DiamondCS TDS-3." I didn't realize it cost $49 to get a question answered. I am sure it is a very good program, and I may consider purchasing it. I was under the false impression that the forum may offer some input prior to the forced sell. Thank you,
     
  5. timnicebutdim

    timnicebutdim Registered Member

    Joined:
    Jan 24, 2005
    Posts:
    66
    Jimmie... this is the support forum for TDS3, that is why Jooske asked if TDS spotted this file?

    I would suggest downloading TDS3, which is free for 30 days, and scan to see if anything comes up; otherwise, if you're referring to the scan results of other trojan programs, then you would be better posting in the "other trojans section" - https://www.wilderssecurity.com/forumdisplay.php?f=33 .
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I supposed since you post in the TDS forum you are a TDS user, hence my question about scan results with TDS. TDS has a free evaluation version on the site www.diamondcs.com.au -- after installing, get back there to grab the latest definitions, reboot and start TDS and let it do its job in the full system scan with all the options checked (under system testing > scan control).
    In the end, in the bottom console, you can right-click on one of the files to save to TXT, and this scandump.txt you can paste in your next posting.
    Looking forward to your scan results.
     
  7. JimmieC

    JimmieC Registered Member

    Joined:
    May 8, 2004
    Posts:
    11
    timnicebutdim & Jooske;

    Thank you both for responding. In retrospect I feel I did post in the wrong forum. Not having run the TDS program beforehand. Appreciate the clarification. I did mention in my initial post that the infection was disclosed by "Housecall", an anti-virus scanning program. I will follow the instructions that you were good enough to offer. Thanks again for your help.
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You're welcome! And please post the scan results so we can try to help you adequately! Of course I could move this thread to another location in the forums if needed.
     
  9. JimmieC

    JimmieC Registered Member

    Joined:
    May 8, 2004
    Posts:
    11
    Jooske;

    As you suggested, I ran TDS-3 and this is what was found:

    Scan Control Dumped @ 10:51:51 14-02-05

    Positive identification: TrojanDownloader.Win32.WinShow.aq
    File: c:\m00.exe

    Generic Detection: Possible trojan with password-stealing capability
    File: c:\options\tools\reskit\netadmin\pwledit\pwledit.exe

    Positive identification <Adv>: Possible WebDownloader
    File: c:\program files\online services\msn50\msnboot.exe

    Positive identification: Riskware.ProcessRestart
    File: c:\program files\kodak\kodak software updater\7288971\6.1.4.37-7288971l\program\restart.exe

    Positive identification (DLL): Adware.MiniBug (dll)
    File: c:\program files\aws\weatherbug\minibugtransporter.dll

    If you would be so kind as to direct me further, I would be most grateful.

    Thank you,
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    fix these 2

    Positive identification: TrojanDownloader.Win32.WinShow.aq
    File: c:\m00.exe

    Positive identification (DLL): Adware.MiniBug (dll)
    File: c:\program files\aws\weatherbug\minibugtransporter.dll


    right click their entry in the tds window and select delete

    this one is a legitimate file that can be used for bad purposes, but where it is on your computer it's likely to be legitimate
    Generic Detection: Possible trojan with password-stealing capability
    File: c:\options\tools\reskit\netadmin\pwledit\pwledit.exe

    Ignore the other 2, they are false alarms that were fixed in today's update
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    However

    You don't NEED the kodak software updater at all so I would uninstall that from add/remove programs in control panel
     
  12. JimmieC

    JimmieC Registered Member

    Joined:
    May 8, 2004
    Posts:
    11
    dvk01;

    The entry you questioned (Generic Detection: Possible trojan with password-stealing capability
    File: c:\options\tools\reskit\netadmin\pwledit\pwledit.exe) is located in a folder c:\options\tools\reskit\netadmin\pwledit. Named "pwledit.exe".
    Is that what you mean when asking "but where it is on your computer"? Do you feel it should be left alone?

    The rest of your post will be followed as directed.

    Thank you very much.
     
  13. timnicebutdim

    timnicebutdim Registered Member

    Joined:
    Jan 24, 2005
    Posts:
    66
    Since you found some password stealing trojans, I would also recommend downloading security task manager ( http://www.neuber.com/taskmanager/ ), it's free for 30 days.

    It can look at your processes and will point out things that it feels are dangerous, including keylogging programs.
     
  14. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Yes Jimmy

    that folder is a legitimate folder in many installations of windows

    TDS is right in flagging it as pwledit.exe can be used to steal passwords, but it is designed to allow the user to change and alter passwords

    http://www.infoworld.com/cgi-bin/displayNew.pl?/livingst/990111bl.htm

    if you didn't knowingly install it then by all means delete it

    some installations copy the entire Windows CD to disc & it looks like that is what has happened in your case and it's your choice of whether you want it to be there or not along with the remainder of the tools in the reskit folder. All are useful, but all also can be used maliciously as can most windows tools
     
  15. JimmieC

    JimmieC Registered Member

    Joined:
    May 8, 2004
    Posts:
    11
    dvk01;

    Thank you and everyone else that was so thoughtful offering help. It was very much appreciated. Jim,
     