TDS-3 fails to find trojan found by McAfee

False Positives!?

I am a trial user. I ran TDS-3 for first time (see scandump below). Firts ID is part of commercial shareware. Second ID is program from grc.com. Third ID cannot be found by conventional search.
I believe the first two IDs are false positives. The third ID confuses me. What should I do now? Thanks in advance.

Scan Control Dumped @ 08:18:25 15-02-05
Positive identification <Adv>: Possible keylogger
File: c:\program files\system utilities\advanced system optimizer\advanced system optimizer\spyware detective.exe

Positive identification: Demo.Leaktest 1.1 (Not a trojan)
File: c:\program files\utilities\internet security\leaktest.exe

Positive identification (DLL): Adware.WebEx (dll)
File: c:\winnt\downloaded program files\ieatgpc.dll

 

Re: False Positives!?

Hi trial user, Please download the latest definitions (radius file) from here:
http://tds.diamondcs.com.au/index.php?page=update
Follow the installation instructions Close TDS3 and restart and then rescan - Re-post any findings.
Thank you. Pilli

 

Re: False Positives!?

Pilli, thanks for prompt reply. I am almost certain that I did a correct update before the first scan, but I am doing it again (as you suggest) just to be sure.
While i am waiting for the current scan to complete, I have another observation.
Why does TDS-3 continue to tell me to update when I have just done so. This is confusing. Surely a simple little date/time check routine could eliminate this confusion?!

Lynton (Trial User)

 

Re: False Positives!?

OK, The repeated scan is now complete.
"Advanced System Organizer" is no longer identified but the other two still are...waht now?

 

Re: False Positives!?

Present situation is this:

Scan Control Dumped @ 10:23:12 15-02-05
Positive identification: Demo.Leaktest 1.1 (Not a trojan)
File: c:\program files\utilities\internet security\leaktest.exe

Positive identification (DLL): Adware.WebEx (dll)
File: c:\winnt\downloaded program files\ieatgpc.dll

As indicated in my first post, I believe the first ID (Leaktest 1.1) is a false positive.

The second ID is very confusing for me because Start > Search can't find the file.

 

I ran TDS-3 (with fully updated database) and it failed to find "qlowzones-7.gen" a defined trojan that was identified by McAfee's scan as existing in two files on my Hard drive. What gives?

 

Hi,

For starters, if the antivirus monitor program detects something, the first thing it does is lock access to the file - so TDS couldn't read it to scan its contents anyway

Also, thats a GEN detection, or generic. Have the file submitted for analysis to your AV, we would also appreciate a sample to submit@diamondcs.com.au

If you have to, send the quarantined sample. You shouldn't disable your AV at any time unless you know what you are doing. To submit a file which is still sitting on disk being detected you would need to disable the AV, so quarantine it instead, and dont disable the AV

 

Gavin,

I ran TDS before I ran the McAfee scan. TDS did not find the trojan. I did not run the antivrus monitor program before running TDS. The "lock access" argument does not hold.
Unfortunately I cannot send you a sample because I trashed the files after McAfee identified them.
The fact remains TDS did not identify the files. McAfee's scan did.

 

Does your mcafee or other program not have resident protection?
Can you imagine it was a possible false positive from Mcafee? Pity you trashed the files so now the security community will never know if it was a valid detection in the first place? Always submit the files, like Gavin advised.
Maybe you find them back in your system restore
I trashed mcafee many years ago.

Also make sure to scan with TDS with all scan options checked and wormslider on highest sensitivity.

 

Re: False Positives!?

Hi there!
The leaktest is detected on user's request and as you say it does say it is a demo and not a trojan. Just to have users seeing TDS does detect things on your system but it's known innocent.
the other file, make sure you have all hidden files showing windows explorer > tools > folder options > view, make sure to have the hidden files and extensions showing; and try to find it again. It is detected so it is there.

 

..on the other hand, TDS did make a "positive identification" of the following file:

Positive identification (DLL): Adware.WebEx (dll)
File: c:\winnt\downloaded program files\ieatgpc.dll

which I submitted to you (see earlier post on "false positives") and which your support staff have now informed me is indeed an adware file. They recommend that I delete it.

The interesting thing here is that while waiting for your response, and having pointed out that Start > Search could not find the file, I have run a whole battery of scans (McAfee,Symantec, Ad-Aware, Spybot, Microsoft) and none of them could find the file either.

Since my original thread on this subject has not yet been answered, I will also ask the question here: Does this "positively identified" file actually exist? If it does why can none of the other scanners find it? And why can't I find it when I search for it?

 

Re: False Positives!?

Note to DVK01's post. the ieatgpc.dll or any other .dll for that matter, can be removed using the DCS free tool DelLater found here. Though I am not sure whether it needs to be unhidden first.
DelLater can be found here:
http://www.diamondcs.com.au/index.php?page=products

Pilli

 

Because it is hidden, see the other thread re. this pest :
https://www.wilderssecurity.com/showthread.php?t=66419

HTH Pilli

 

dvk01,

Thankyou for your helpful suggestion to download HJT and post the log here. I will attempt to do so.

To make it clear to all parties that the issue between TDS and McAfee had nothing to do with idiosyncratic behaviors (like "lock up" etc) I do not have MacAfee installed on my computer. I used the free scan on their website. I manually trashed the files. I was rather hasty in doing this because the identified files were downloaded from a Paltalk PC room and I was already suspicious. Once my suspicions were confirmed I couldn't get rid of them quick enough. If you can tell me how I can download them safely and package them to you I will see if I can refind them on Paltalk? But I am not keen to get involved in this sticky business without clear instructions.

Note that I also have another problem (outlined above in Post #7) which has not been addressed yet.

 

wow, all your answers seem to come at once.

Pilli, trhanks for reference back to original thread. dvk01, Jooske thanks for contributions. I will now read and learn.. ;-)

 

DVK, Thanks for merging the threads, I was just about to do it

 

dvk01, thanks for great response. I have downloaded "UnlockDPF.bat" but I need further instruction on where to place this file in order to run it. I am very interested to see this 'super-superhidden protected folder' .


Jooske, I already have all hidden files and extensions displayed. ( windows explorer > tools > folder options > view).

Pilli, I was hoping to use TDS to remove the file after I confirm its existence. What does "DelLater" do that TDS cannot?

 

Yes, well as long as they do the job