TDS-3 fails to find trojan found by McAfee

Discussion in 'Trojan Defence Suite' started by Trial User, Feb 14, 2005.

Thread Status:
Not open for further replies.
  1. Trial User

    Trial User Guest

    False Positives!?

    I am a trial user. I ran TDS-3 for the first time (see scandump below). The first ID is part of commercial shareware. The second ID is a program from grc.com. The third ID cannot be found by conventional search.
    I believe the first two IDs are false positives. The third ID confuses me. What should I do now? Thanks in advance.

    Scan Control Dumped @ 08:18:25 15-02-05
    Positive identification <Adv>: Possible keylogger
    File: c:\program files\system utilities\advanced system optimizer\advanced system optimizer\spyware detective.exe

    Positive identification: Demo.Leaktest 1.1 (Not a trojan)
    File: c:\program files\utilities\internet security\leaktest.exe

    Positive identification (DLL): Adware.WebEx (dll)
    File: c:\winnt\downloaded program files\ieatgpc.dll
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: False Positives!?

    Hi trial user, Please download the latest definitions (radius file) from here:
    http://tds.diamondcs.com.au/index.php?page=update
    Follow the installation instructions, close TDS3, restart and then rescan - re-post any findings.
    Thank you. Pilli
     
  3. Lynton

    Lynton Guest

    Re: False Positives!?

    Pilli, thanks for prompt reply. I am almost certain that I did a correct update before the first scan, but I am doing it again (as you suggest) just to be sure.
    While I am waiting for the current scan to complete, I have another observation.
    Why does TDS-3 continue to tell me to update when I have just done so? This is confusing. Surely a simple little date/time check routine could eliminate this confusion?! :)

    Lynton (Trial User)
     
  4. Lynton

    Lynton Guest

    Re: False Positives!?

    OK, the repeated scan is now complete.
    "Advanced System Organizer" is no longer identified but the other two still are... what now?
     
  5. Lynton

    Lynton Guest

    Re: False Positives!?

    Present situation is this:

    Scan Control Dumped @ 10:23:12 15-02-05
    Positive identification: Demo.Leaktest 1.1 (Not a trojan)
    File: c:\program files\utilities\internet security\leaktest.exe

    Positive identification (DLL): Adware.WebEx (dll)
    File: c:\winnt\downloaded program files\ieatgpc.dll

    As indicated in my first post, I believe the first ID (Leaktest 1.1) is a false positive.

    The second ID is very confusing for me because Start > Search can't find the file.
     
  6. Lynton

    Lynton Guest

    I ran TDS-3 (with fully updated database) and it failed to find "qlowzones-7.gen", a defined trojan that was identified by McAfee's scan as existing in two files on my hard drive. What gives?
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    For starters, if the antivirus monitor program detects something, the first thing it does is lock access to the file - so TDS couldn't read it to scan its contents anyway.

    Also, that's a GEN detection, or generic. Have the file submitted for analysis to your AV; we would also appreciate a sample to submit@diamondcs.com.au

    If you have to, send the quarantined sample. You shouldn't disable your AV at any time unless you know what you are doing. To submit a file which is still sitting on disk being detected you would need to disable the AV, so quarantine it instead, and don't disable the AV.
     
  8. Lynton

    Lynton Guest

    Gavin,

    I ran TDS before I ran the McAfee scan. TDS did not find the trojan. I did not run the antivirus monitor program before running TDS. The "lock access" argument does not hold.
    Unfortunately I cannot send you a sample because I trashed the files after McAfee identified them.
    The fact remains TDS did not identify the files. McAfee's scan did.
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Does your McAfee or other program not have resident protection?
    Can you imagine it was a possible false positive from McAfee? Pity you trashed the files, so now the security community will never know if it was a valid detection in the first place. Always submit the files, like Gavin advised.
    Maybe you find them back in your system restore :)
    I trashed McAfee many years ago.

    Also make sure to scan with TDS with all scan options checked and wormslider on highest sensitivity.
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: False Positives!?

    The first is NOT a false positive but is as it clearly states.

    It's a demo leaktest that has exactly the same signatures as a trojan because it uses the same techniques as many trojans. It is right for TDS to warn you about it.

    This Positive identification (DLL): Adware.WebEx (dll)
    File: c:\winnt\downloaded program files\ieatgpc.dll
    cannot be found by a normal search on your computer because it is in a super-superhidden protected folder that Windows will not let you see in normal use.

    Let TDS fix it by right-clicking the entry in the TDS bottom window and selecting Delete.

    If you really want to view that file it needs a few steps, but the easiest way is:

    To unlock the hidden files, download and run
    http://mvps.org/winhelp2002/UnlockDPF.bat

    To lock them again afterwards, download and run

    http://mvps.org/winhelp2002/LockDPF.bat
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re: False Positives!?

    Hi there!
    The leaktest is detected on users' request and, as you say, it does say it is a demo and not a trojan. Just so users see that TDS does detect things on their system, but it's known to be innocent.
    For the other file, make sure you have all hidden files showing (Windows Explorer > Tools > Folder Options > View; make sure to have the hidden files and extensions showing) and try to find it again. It is detected, so it is there.
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    McAfee's detection for the LowZones trojan frequently incorrectly identifies several security applications that are able to lock the Internet zone settings to prevent that family of trojans from changing the Internet zone settings.
    I am not saying that this happened in your case, but if it IDs LowZones correctly then you almost certainly have at least one or more hard-to-remove adware trojans hidden away on the computer.

    All of the known LowZones trojans attempt to change the security settings to include unwanted entries in your safe zones security settings in IE, and many attempt to remove sites from your restricted zones area as well.

    I have seen McAfee and several other AVs remove the IEspyad listing that adds the sites to the restricted zones.

    I think in your case it might be interesting to see an HJT log to see whether there might be a problem on your computer and see what is there.

    Go to here and download the 'Hijack This!' self-extractor. Double-click on the file and it will self-extract to C:\program files\hijackthis.
    Go to that folder, then double-click Hijackthis.exe.
    Click the "Scan" button; when the scan is finished the Scan button will become "Save Log". Click that and save the log.
    Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
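The zone changes dvk01 describes above can be checked for directly, independent of any scanner's verdict. The following is an added example, not code from the thread, TDS, DiamondCS or McAfee: it parses an exported copy of the IE ZoneMap\Domains key (what `reg export` produces; the sample export here is constructed) and lists which hosts have been assigned to Trusted Sites (zone 2) and Restricted Sites (zone 4). A LowZones-style infection shows up as Trusted Sites entries you did not add; an AV that has removed the IEspyad listing shows up as an empty Restricted Sites list. Zone numbers 0 to 4 follow IE's URL security zones; the ZoneMap\Ranges key (IP ranges) and the HKLM copy of the key are not handled, and the allowlist parameter is an assumption about how you track your own trusted sites.

```python
r"""Audit Internet Explorer zone assignments from a .reg export.

Added example, not code from the thread, TDS or DiamondCS.  The LowZones
family described above adds sites to the Trusted Sites zone and strips
sites from Restricted Sites.  IE stores per-domain assignments under
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains:
one subkey per domain, an optional nested subkey per host, and inside it a
DWORD named after the scheme ("*", "http", "https") whose value is the zone
number (0 My Computer, 1 Local Intranet, 2 Trusted Sites, 3 Internet,
4 Restricted Sites).  SAMPLE_REG below is constructed for the demo; the
ZoneMap\Ranges key (IP ranges) and the HKLM copy are not handled.
"""
import re

ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

DOMAINS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")

# Constructed sample of what `reg export "HKCU\...\ZoneMap\Domains" zones.reg` produces.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example]
"*"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net\www]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad.example]
"*"=dword:00000004
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_zonemap(reg_text):
    r"""Return [(host, scheme, zone)] from a .reg export of ZoneMap\Domains.

    Domains\example.net        -> host "example.net"
    Domains\example.net\www    -> host "www.example.net"
    Keys outside ZoneMap\Domains are ignored.
    """
    entries = []
    host = None
    prefix = DOMAINS_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            if key.lower().startswith(prefix):
                parts = key[len(prefix):].split("\\")   # [domain] or [domain, host]
                host = ".".join(reversed(parts))
            else:
                host = None                             # not a Domains subkey
            continue
        m = VALUE_RE.match(line)
        if m and host is not None:
            entries.append((host, m.group(1), int(m.group(2), 16)))
    return entries


def by_zone(entries):
    """Map zone name -> sorted hosts assigned to that zone by any scheme."""
    out = {}
    for host, _scheme, zone in entries:
        out.setdefault(ZONE_NAMES.get(zone, "zone %d" % zone), set()).add(host)
    return {name: sorted(hosts) for name, hosts in out.items()}


def unexpected_trusted(entries, allowlist=()):
    """Hosts in Trusted Sites (zone 2) not on the allowlist you maintain.

    A LowZones-style change shows up here; so does an honest admin addition,
    which is why the allowlist (an assumption of this example) exists.
    """
    allowed = {h.lower() for h in allowlist}
    return sorted({h for h, _s, z in entries if z == 2 and h.lower() not in allowed})


if __name__ == "__main__":
    # For a real system: text = open("zones.reg", encoding="utf-16").read()
    found = parse_zonemap(SAMPLE_REG)
    for zone, hosts in sorted(by_zone(found).items()):
        print("%-16s %s" % (zone, ", ".join(hosts)))
    print("unexpected trusted:", unexpected_trusted(found, allowlist=["example.net"]))
```

Real exports from `reg export` are UTF-16 with a byte-order mark, so read them with `encoding="utf-16"` before passing the text to `parse_zonemap`. Run it before and after a suspicious install and diff the Trusted Sites list; that is a more reliable indicator than either scanner's name for the sample.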
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Can you also look in the McAfee log and see the names of the files that McAfee removed, as that would be a good indication, and post them here for me please.
     
  14. Lynton

    Lynton Guest

    ..on the other hand, TDS did make a "positive identification" of the following file:

    Positive identification (DLL): Adware.WebEx (dll)
    File: c:\winnt\downloaded program files\ieatgpc.dll

    which I submitted to you (see earlier post on "false positives") and which your support staff have now informed me is indeed an adware file. They recommend that I delete it.

    The interesting thing here is that while waiting for your response, and having pointed out that Start > Search could not find the file, I have run a whole battery of scans (McAfee, Symantec, Ad-Aware, Spybot, Microsoft) and none of them could find the file either.

    Since my original thread on this subject has not yet been answered, I will also ask the question here: Does this "positively identified" file actually exist? If it does why can none of the other scanners find it? And why can't I find it when I search for it?
     
  15. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: False Positives!?

    Note to DVK01's post. the ieatgpc.dll or any other .dll for that matter, can be removed using the DCS free tool DelLater found here. Though I am not sure whether it needs to be unhidden first.
    DelLater can be found here:
    http://www.diamondcs.com.au/index.php?page=products

    Pilli
     
  16. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Because it is hidden, see the other thread re. this pest :
    https://www.wilderssecurity.com/showthread.php?t=66419

    HTH Pilli
     
  17. Lynton

    Lynton Guest

    dvk01,

    Thank you for your helpful suggestion to download HJT and post the log here. I will attempt to do so.

    To make it clear to all parties that the issue between TDS and McAfee had nothing to do with idiosyncratic behaviors (like "lock up" etc.), I do not have McAfee installed on my computer. I used the free scan on their website. I manually trashed the files. I was rather hasty in doing this because the identified files were downloaded from a Paltalk PC room and I was already suspicious. Once my suspicions were confirmed I couldn't get rid of them quick enough. If you can tell me how I can download them safely and package them to you, I will see if I can refind them on Paltalk. But I am not keen to get involved in this sticky business without clear instructions.

    Note that I also have another problem (outlined above in Post #7) which has not been addressed yet.
     
  18. Lynton

    Lynton Guest

    wow, all your answers seem to come at once.

    Pilli, thanks for the reference back to the original thread. dvk01, Jooske, thanks for your contributions. I will now read and learn.. ;-)
     
  19. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK

    If they were downloaded from Paltalk, don't worry about them and don't try to find them again.
    I'm sure copies will turn up soon enough now we know where to go looking, and looking for the baddies is a job for someone with "special protection & knowledge" so you don't get unwittingly infected.

    Many offered files are suspect and normally should be avoided.
     
  20. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I've merged both of these threads together so it makes it easier to understand for anyone else with a similar problem and so we can continue this help if needed
     
  21. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    DVK, Thanks for merging the threads, I was just about to do it :)
     
  22. Lynton

    Lynton Guest

    dvk01, thanks for great response. I have downloaded "UnlockDPF.bat" but I need further instruction on where to place this file in order to run it. I am very interested to see this 'super-superhidden protected folder' .


    Jooske, I already have all hidden files and extensions displayed. ( windows explorer > tools > folder options > view).

    Pilli, I was hoping to use TDS to remove the file after I confirm its existence. What does "DelLater" do that TDS cannot?
     
  23. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Anywhere.

    I tend to download them to the desktop and then double-click it; you will get a quick black screen flash up, then that is it. Then, using Windows Explorer, go to C:\windows or winnt\downloaded program files and you will see the difference: you will see all the dll's and inf files etc. in that folder, whereas previously you only saw the cab files containing them.

    When you have finished playing around, make sure you use LockDPF.bat to put it back the way it was, for safety reasons.
     
  24. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    When a file can't be deleted by TDS or by you because it is in use, then DelLater can be set to delete it on a reboot before Windows grabs it and locks it.

    Personally I prefer Killbox rather than DelLater, but that is just because I like the GUI rather than using command prompts, and I'm lazy doing it so many times a day.
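dvk01's post above describes what DelLater and Killbox do: queue a delete for the next reboot so the file is removed before anything can lock it. As an added example (not code from the thread, DiamondCS, DelLater or Killbox), here is what that queue looks like at the byte level and how to read it back, which is also worth knowing for incident response, since malware uses the same mechanism to remove its own traces or swap out system files. The block assumes the standard Windows mechanism for this, MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the request in the PendingFileRenameOperations registry value; whether DelLater itself uses that API is not stated on the page, so treat that link as an assumption. The file path used in the demo is the one from the scan dump in this thread.

```python
r"""Decode and build a PendingFileRenameOperations value.

Added example; not code from the thread, DiamondCS, DelLater or Killbox.  A
standard Windows mechanism for removing a file that is locked while the OS
runs is MoveFileEx(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT): the request is
recorded in the REG_MULTI_SZ value
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
and carried out by the session manager early in the next boot, before the
file can be opened again.  That DelLater relies on this API is an assumption.

Format (behaviour of MoveFileEx): a flat list of strings in
source/destination pairs; sources carry the NT prefix \??\; an empty
destination means "delete"; a destination starting with "!" means
"replace existing".  REG_MULTI_SZ is UTF-16LE, each string NUL-terminated,
with one extra NUL closing the list.  Empty strings are normally not allowed
in a REG_MULTI_SZ, but this value depends on them, so they are kept in place.
"""

NT_PREFIX = "\\??\\"


def encode_multi_sz(strings):
    """Serialise a list of strings as REG_MULTI_SZ bytes, empty strings included."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


def decode_multi_sz(data):
    """Inverse of encode_multi_sz; keeps empty strings in their positions."""
    text = data.decode("utf-16-le")
    if text == "":
        return []
    if not text.endswith("\x00"):
        raise ValueError("REG_MULTI_SZ must end with a NUL")
    body = text[:-1]                 # drop the list terminator
    if body == "":
        return []
    parts = body.split("\x00")       # last element is the tail after the final string's NUL
    return parts[:-1]


def _strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def pending_operations(strings):
    """Pair the flat list into (action, source, destination) tuples.

    action is "delete" (empty destination), "replace" ("!" prefix on the
    destination) or "rename".  An odd count means a corrupt or truncated value.
    """
    if len(strings) % 2:
        raise ValueError("odd number of strings: value is corrupt or truncated")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(("delete", _strip_nt_prefix(src), None))
        elif dst.startswith("!"):
            ops.append(("replace", _strip_nt_prefix(src), _strip_nt_prefix(dst[1:])))
        else:
            ops.append(("rename", _strip_nt_prefix(src), _strip_nt_prefix(dst)))
    return ops


def schedule_delete(strings, win32_path):
    """Return a new flat list with a delete-on-reboot request appended,
    in the shape MoveFileEx writes (source with \\??\\ prefix, empty destination)."""
    return list(strings) + [NT_PREFIX + win32_path, ""]


if __name__ == "__main__":
    # Constructed demo: the DLL from the scan dump in this thread.
    flat = schedule_delete([], r"c:\winnt\downloaded program files\ieatgpc.dll")
    raw = encode_multi_sz(flat)
    print(raw.hex())
    for action, src, dst in pending_operations(decode_multi_sz(raw)):
        print(action, src, "->", dst)
```

On a live Windows system `winreg.QueryValueEx` already returns a REG_MULTI_SZ as a list of strings, so pass that list straight to `pending_operations`; `decode_multi_sz` is for the raw bytes you get from an exported hive or a forensic image. Writing the value by hand is not recommended: call MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT (administrator rights required) and let Windows maintain the list. Anything in that list that you did not schedule deserves the same scrutiny as an unexpected Trusted Sites entry.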
     
  25. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes, well as long as they do the job :)
     