Packed files detected as trojans - false positives?


bnl
06-05-2008, 09:11 AM
Hi. :) I'm new to this program and have become pretty confused, so hopefully someone can answer my questions ;)

I've just bought Spyware Doctor and done a complete scan. It found 5 threats of the type "Trojan.Packed.***" and 1 threat of the type "Hidden Files". (13 infections total)

Packed Trojans:

The threats of type "Trojan.Packed.***" are:


Trojan.Packed.PeX
Trojan.Packed.BeRo
Trojan.Packed.FSG
Trojan.Packed.MEW
Trojan.Packed.FRBR

As you can see, spyware doctor says these are trojans, but there is no description available on the pctools.com site about them. After having searched the net, it seems these are just exe-packers and that spyware doctor flags any file packed with those packers no matter if they are infected or not. (seems a bit discriminative)

Is this true? (if so, why?)
How do I determine if they are in fact trojans or just regular compressed exe-files?

(Note: most of these "packed trojan" infections were found in demoscene productions. It seems that some of the packers (like FSG) were made specifically for small demos, such as 4K intros)

Hidden Files

Also, I don't understand the "hidden files" detection. There are 3 files detected as "hidden files" and it is marked as a high threat. These 3 files are all part of cygwin:


X:\cygwin\var\cache\fonts\pk\ljfour\jknappen\ec\ecrm1000.600pk
X:\cygwin\var\cache\fonts\source\jknappen\ec\ecrm1000.mf
X:\cygwin\var\cache\tfm\source\jknappen\ec\ecrm1000.tfm

When I navigate to these files in windows explorer, they are in no way hidden. None of the folders in the path are hidden and the files themselves are not hidden. Again, there is no information available on what spyware doctor means by "hidden files", when I click "Learn more about this Threat". (on the search result page it says "Detailed description unavailable").

So what does "hidden files" mean? Do they indicate a real infection?


Hope someone can help. Thanx!

mjq424
06-05-2008, 09:23 AM
Hi
The Trojan.Packed.*** infections are detected to prevent malware from using those packers to run. They are generic detections of the packers themselves, so your files are unlikely to be infected. You can add those files to your allow list under Settings for Spyware Doctor to ignore.

The Hidden files are files using rootkit techniques and are detected by heuristics. This would make sense as cygwin makes Windows accept Linux-like software so it would need kernel access. Again these files can be added to your allow list.
Hope that helps

bnl
06-05-2008, 09:51 AM
Thank you very much for your explanation! I will follow your advice and add them to the allow list. :)

Are there any other infection-types like this in Spyware Doctor i should be aware of?
(is this explained somewhere on the website? haven't been able to find it)

(I don't know if you are involved in the development, but perhaps it would be a good idea to make users aware of this, when these types of "infections" are detected? If it wasn't because I had some time to google around a bit, I would probably just have wiped them out (and I guess most other users would). I mean, I think it's a good idea to inform the user of possible threats, but only if it tells the user that it might just as well be a perfectly valid program. I.e. it should be marked as a warning and not as a detection, imo. At least I would like to be told if it actually detected a trojan or just detected some packed exe.)

mjq424
06-05-2008, 11:22 AM
Hi
There are a few. Most detections with Application.*** are so-called "Possibly Unwanted Applications" and can be things like admin tools or VNC, etc.
Unfortunately I am not a staff member of PC Tools, I just help on the forum as a volunteer. I suggest that you send a private message to AChen here on the board describing this and he will forward your request to the Malware Research Team to have those detections downgraded.
Hope that helps

AChen
06-06-2008, 01:52 AM
As long as any file uses a known bad packer SD will detect it as an infection. If we are detecting files from a legitimate application send us the history file and we may be able to exclude specific files.

To add to what mjq424 has mentioned, because the rootkit scanner is enabled, it uses heuristic scans and there is a high possibility that false positives are generated. You should not enable this option unless advised by support :)