WDGC

Will do. .

I have done so. http://forum.avast.com/index.php?topic=186...w;topicseen#new

About a week ago I downloaded PsTools 2.24 from the Sysinternals website: http://www.sysinternals.com/index.html The latest avast! A-V update [0602-3, 13/01/06] reports Win32:Doomber-C [Wrm], which it calls a Virus/Worm, as being present in psinfo.exe, which is a component of PsTools 2.24. Prior to the 0602-3, 13/01/06 update, avast! did not detect this "virus/worm" and nor do any other scanning programs I use - Ad-Aware, Spybot, MSASW, ewido, Webroot Spy Sweeper, all with latest definitions. It seems highly unlikely a program from a site of the eminence and standing of Sysinternals would contain a virus/worm. Is this detection a false positive? Any information regarding this matter would be appreciated. .

Quite understandable. I must admit to having done the same on occasion. .

As Shark007 reported above some hours ago. .

Thank you for the notification. .

WMF FAQ from SANS. http://handlers.dshield.org/jullrich/wmffaq.html .

Thank you for the notification. .

So it does! Thank you. I took the "Systeminfo" of the post title - It was titled "Systeminfo in xp doesn't tell me my uptime" - to be an abreviation of "System Information" [With Win. XP, Run > winmsd > System Information System > Summary] not being aware Run > CMD > systeminfo gave various information about the OS - including that to which the writer referred.

Thank you for your reply. I' m not particularly interested in what the system uptime is, as such, but concerned a System Information entry which should be present is not, if such is the case.

With Win. XP at System Information [Run > winmsd], System Summary, should there be an entry "System Up Time:"? I've just read a post at another site which wonders why the entry reads "System Up Time: N/A", and what the remedy is. On my system - XP Pro SP2 - there isn't a "System Up Time:" entry at all. I hope someone can shed light on this matter. . Title Edited - Please follow new posting rules from now on. --Zxian

F-Secure Sunday, January 1, 2006 Bad behaviour Posted by Mikko @ 00:49 GMT http://www.f-secure.com/weblog/archives/ar...6.html#00000758 .

F-Secure weblog Saturday, December 31, 2005: http://www.f-secure.com/weblog/ .

The flaw might have been discovered then, but I understand it's only since 27-28th Dec. that there has been "Windows WMF 0-day exploit in the wild". I think this article makes interesting and possibly helpful reading: Anti-Virus Protection for WMF Flaw Still Inconsistent .

Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution. http://www.microsoft.com/technet/security/...ory/912840.mspx The FAQ section of this MS Security Advisory has been updated (29 Dec-05). .

Appaently not. [Excerpt] Microsoft Security Advisory (912840) Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution. Published: December 28, 2005 Suggested Actions Workarounds Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it will help block known attack vectors. When a workaround reduces functionality, it is identified in the following section. Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1 To un-register Shimgvw.dll, follow these steps: 1.Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK. 2.A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box. Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer. To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks). http://http://www.microsoft.com/technet/security/advisory/912840.mspx .

F-SECURE Thursday, December 29, 2005 WMF, day 2 --- And finally, you might want to start to filter these domains at your corporate firewalls too. Do not visit them. toolbarbiz[dot]biz toolbarsite[dot]biz toolbartraff[dot]biz toolbarurl[dot]biz buytoolbar[dot]biz buytraff[dot]biz iframebiz[dot]biz iframecash[dot]biz iframesite[dot]biz iframetraff[dot]biz iframeurl[dot]biz So far, we've only seen this exploit being used to install spyware or fake antispyware / antivirus software on the affected machines. I'm afraid we'll see real viruses using this soon. --- http://www.f-secure.com/weblog/archives/ar...5.html#00000754 .

There seems to be considerable concern about the recently discovered "Windows WMF 0-day exploit" as apparently "fully patched Windows XP SP2 machines machines are vulnerable, with no known patch." TechSpot At an Ars Technica forum I came across these 2 suggested solutions until an MS patch is avaiable: 1. Might be a good idea to go into Windows Explorer and disable all handling of WMF files. 2. Another solution until a patch comes out: regsvr32 /u \windows\system32\shimgvw.dll This will remove Windows Explorer's capability to display images (thumbnails of gif, jpg, and such, including WMF). Windows Picture and Fax Viewer won't work either, and some other stuff will break, like previewing desktop images in Display Properties... after a patch comes out, do this: regsvr32 \windows\system32\shimgvw.dll And things will be back to normal. Ars Technica Would either of these suggestions be effective and are they really necessary? . Title Edited - Please follow new posting rules from now on. --Zxian

Lavasoft acknowledged a false positive. http://castlecops.com/postlite141976-.html Latest Ad Aware definitions, SE1R84 28.12.2005, don't detect Spyware.AdvancedKeyLogger. Issue resolved. .

How is this done? .

Further to my other posts, yesterday I started another of my - mothballed - computers. This machine, Xp Home Edit. SP2, has not been used since mid-July - 5 months. I ran an Ad-Aware scan with the existing [old] definitions and nothing was found. I then applied all necessary MS updates from a CD, connected to the internet [dial-up], updated the A-V program, updated Ad-Aware [sE1R82 19.12.2005] and scanned the system with Ad-Aware. The result was exactly the same as with the every-day-used machine: Name:Spyware.AdvancedKeyLogger Category:Spyware Object Type:Process Size:- Location:C:\Program Files\Sygate\SPF\tse.dll Last Activity:25-12-2005 1:53:46 AM Relevance:High TAC index:10 Comment:(CSI MATCH) Description:Spyware.AdvancedKey is a keylogger that monoitors clipboard contents, and takes desktop screenshots. Last Activity:25-12-2005 1:53:46 AM is interesting - the system hadn't been running for 5 months until 9:30:01 AM, 25/12/2005 [Event Viewer, System entry] Event Type: Information Event Source: EventLog Event Category: None Event ID: 6005 Date: 25/12/2005 Time: 9:30:01 AM User: N/A Computer: WDGR Description: The Event log service was started. I then subjected the system and tse.dll to the same tests and scans as reported before, with the same results - all clear. The 2 computers referred to have never been connected or linked in any way. The Sygate installation on each is exactly the same - installed from the same CD to which I had written a copy of Sygate 5.5.2525 on 25/01/2004. Whilst these results don't prove the Spyware.AdvancedKeyLogger detection is a false positive, I believe they further stregthen the evidence that such is the case. .

I also posted to an existing thread at CastleCops where a couple of similar instances have been reported. CastleCops have informed Lavasoft of the issue.

I notice in my Firefox 1.5 profile folder there is a file, bookmarks.html.sbsd.bak. After a search with Google and a search of Mozillazine Forums I understand this to be a Spybot Search & Destroy backup file of my Firefox bookmarks. I posted on the Spybot forum 5 days ago but have not elicited a response. When I delete the file it is recreated after ANY deletion made with Spybot SD 1.4. What is the reason for this file as I've never used Spybot SD to delete a Firefox bookmark? Why is this backup file placed in the profile folder of another application and not - if it need be created at all - in the Spybot SD Recovery folder, or some such similar? I hope at least someone has knowledge of this matter as, thus far, I've had a singular lack of success in finding out anything at all. .

Since my last message I have sent the "1 New Critical Objects found" file - Location:C:\Program Files\Sygate\SPF\tse.dll - for online scanning at Virusscan and Virustotal. Each reported tse.dll to be uninfected. Ad-Aware continues to give the notification " Scan Complete, Summary: 1 New Critical Objects found", but I think this is almost certainly a false positive. Your assertion "the software is known to flag legitimate applications as viruses and spyware." seems highly likely in this case. Virusscan Virustotal .

Since my previous message I have run the ewido anti-malware online scanner and it was completely clear. http://www.ewido.net/en/ The tse.dll file present has the VeriSign digital signature and certificate. Still, to be on the safe side, I suppose it is best to uninstall and re-install Sygate? .