Another HeurEngine.Packed.Themida.RGa in CyberLink PowerDVD 8



rjbeilstein
03-17-2009, 10:30 PM
PC Tools Spyware Doctor
Date Status
3/17/2009 5:08:11 PM:781 Immunizer Results
ActiveX section has been immunized. No items were processed.
3/17/2009 5:14:14 PM:140 IntelliGuard: System Event Blocked
Threat Name - HeurEngine.Packed.Themida.RGa
Details - Spyware Doctor has blocked an application attempting to access a file.
Risk Level - Suspicious
Infection - C:\PROGRAM FILES\CYBERLINK\POWERDVD8\CLDSHOWX.DLL


Product version 6.0.1.440
Database 6.11980

Running on Windows XP, SP3 on a Dell D620 notebook. CyberLink PowerDVD 8 is at level 8.0.2521.50

I've put the file into the GAL, of course -- but, needless to say, it really shouldn't do this...

AChen
03-18-2009, 12:39 AM
Hi Rjbeilstein,

Is it possible to attach the file being detected to this thread? We'll check this out further.

watcher123
03-22-2009, 11:54 AM
Quote (AChen):
Hi Rjbeilstein,
Is it possible to attach the file being detected to this thread? We'll check this out further.

I have just downloaded the latest Spyware Doctor update and it seems that my entire AVS software suite has now been disabled! I get the following for each when I try to open it:

C:\PROGRAM FILES\AVSMEDIA\COVEREDITOR\AVSCOVEREDITOR.EXE IS NOT A VALID WIN32 APPLICATION

Threat Name - HeurEngine.Packed.Themida.RGa
Details - Spyware Doctor has blocked an application trying to access a file
Risk level - Suspicious
Infection - C:\PROGRAM FILES\AVSMEDIA\COVEREDITOR\AVSCOVEREDITOR.EXE

Intelliguard does exactly the same with all the other AVS applications:

AVSAUDIOEDITOR.EXE
AVSAUDIORECORDER.EXE
AVSVIDEOEDITOR.EXE
AVSAUDIOTOOL.EXE
AVSVIDEOREMAKER.EXE
AVSDVDCOPY.EXE
AVSVIDEOTOGO.EXE
AVSVIDEOCONVERTER.EXE
AVSCAPTUREWIZZARD.EXE

All this software was working perfectly well before, so would you confirm that I can just override the message and stop this in future (or do I need to do something else)?

Thanks

jstrike
03-22-2009, 11:17 PM
I just got this the other day myself but clicked block just to be safe. I've been using the AVS programs for a while with no problems.

AChen
03-24-2009, 05:53 AM
Hi Guys,

I've been able to recreate the problem with the AVS detections and have escalated this to the MRC team to review :D Thanks for the info.

dsprague
03-25-2009, 02:05 AM
Just purchased and set up an HP 6830s. First thing I did was go to PC Tools and download AV 6.0.0.18. I ran Smart Update and started a full scan. It detected the virus listed in the subject. I selected quarantine. Searched Google and found a couple of things I did not understand. Rebooted the system, ran the scan again, and it scanned clean.

Started MS critical updates for XP Pro SP3. Got a message about halfway through regarding a virus found by IntelliGuard. I think the file was disk1.cab, but I'm not sure; it was late. Guessed it may be okay since it was from MS and selected ignore. Finished the update, rebooted and tried to view the log/report. Did not know to change settings so as not to clear the log, so I have no details, only my bad memory.

Have rerun the scan and it comes up clean. Cannot find the quarantine location, so I am not sure which file it is, but I think it was from CyberLink PowerDVD.

I am new to forums and have not read about using them, yet. So I hope this is the correct way to find a solution. Any assistance will be appreciated.

Did not know what to select in Additional Options, so if I selected the wrong option.

AChen
03-25-2009, 04:28 AM
Dsprague, please see email sent.

PCTollsUser
03-26-2009, 06:33 PM
After installing AVS Video Editor, PC Tools Spyware Doctor detected HeurEngine.Packed.Themida.RGa malware in AVSMOBILEUPLOADER.EXE, REGISTRATION.EXE, and AVSVIDEOEDITO.EXE.

A similar problem also happens with AVSVideoCapture.exe, AVSVideoConverter.exe, AVSVideotoFlash.exe and AVSAudioEditor.exe.

Could you help me? Is it a false-positive? :confused:
Thanks.
Leon.

AChen
03-27-2009, 12:09 AM
Quote (PCTollsUser):
After installing AVS Video Editor, PC Tools Spyware Doctor detected HeurEngine.Packed.Themida.RGa malware in AVSMOBILEUPLOADER.EXE, REGISTRATION.EXE, and AVSVIDEOEDITO.EXE.

A similar problem also happens with AVSVideoCapture.exe, AVSVideoConverter.exe, AVSVideotoFlash.exe and AVSAudioEditor.exe.

Could you help me? Is it a false positive? :confused:
Thanks.
Leon.

This does appear to be an FP. We released a fix earlier this week. Could you make sure you have the latest DB version? If SD is still detecting AVS once you've updated, could you send the DB version that you are on and we'll check this out further.

damonl
04-03-2009, 06:58 PM
I am also having a problem with this "suspicious threat". I am not sure what it is, but from the info after a scan it appears to be a code error or something.

I am a Forex Trader and it is playing havoc whenever I re-load my charts and is affecting the performance of my Automatic Trading Programs that I use, though not all of them.

What I don't understand is why I am getting this threat for some and not all of them and then why, even when click "allow" that Spyware Doctor will still not allow the software to work properly.

What it is doing is taking a program written in MQ4 and not allowing the trading platform to compile it into an .exe file for it to run on my charts. Sometimes when I upload the straight .exe file it will work, but other times it will not.

Incidentally, when I ran a full system scan I found 19 of these same threats, and they are not all related to my trading files; in fact most were not.

I guess I am wondering what to do, as this is becoming a major source of frustration for me and my charts, if indeed this is the problem.

Thanks in advance and I hope this makes some semblance of sense......

studeggle
04-05-2009, 05:15 PM
It is still happening

Product Version: 6.0.1.440
Database Version: 6.12110
Intelli-Signatures: 1,621,795
Antivirus Engine: 6.1.0.47

PowerDVD 9.1530

AChen
04-06-2009, 12:25 AM
Damonl, could you please follow the instructions in this thread: http://www.pctools.com/forum/showthread.php?t=55575.

Studeggle, I installed PowerDVD 9 and did a scan with SDv6.0.1.440 (DBv 6.12110) and could not recreate the problem. Could you zip up the file/s that SD is detecting and we'll check this out further.

slopes0213
05-07-2009, 08:00 PM
I have a new Sony Laptop with a blu-ray disk R/W drive. WinDVD has a file that is triggering the same suspicious result. I have attached a screen shot of the scan result.

sciencewis1
05-10-2009, 03:31 AM
I have a new Sony Laptop with a blu-ray disk R/W drive. WinDVD has a file that is triggering the same suspicious result. I have attached a screen shot of the scan result.

I have this same issue, I think this is a false positive with the Heur Engine. Thanks and hopefully this gets resolved.

bwu
05-11-2009, 08:45 AM
Themida is a common packer used by infections; removing this signature might increase the infection rates of malware that uses this same packer.
In order for us to eliminate specific false positive reports, I suggest you contact PC Tools support so we can track and address similar problems as soon as possible.

ajaycee
08-05-2009, 02:46 PM
was this ever solved? I am in the middle of a scan right now that's giving me the same alert ...16 HeurEngine infections!?!?

Running Windows Vista 64-bit... just downloaded PC Tools and running my first scan.

katie
08-06-2009, 12:17 AM
Quote (ajaycee):
Was this ever solved? I am in the middle of a scan right now that's giving me the same alert... 16 HeurEngine infections!?!?

Running Windows Vista 64-bit... just downloaded PC Tools and running my first scan.

Post a history file of these detections and the mods can check this out.

Edit: before doing the above, make sure you have the latest version of SD and also the latest signature database.

linkmaster00
08-06-2009, 07:54 AM
I recently started getting this error too , don't know if the update went out yet , but I re-downloaded the latest version and did a manual update but I'm STILL getting this FP.

AChen
08-07-2009, 01:52 AM
Quote (linkmaster00):
I recently started getting this error too, don't know if the update went out yet, but I re-downloaded the latest version and did a manual update but I'm STILL getting this FP.

Can you please post a history file of the new detections to this thread.

mr_yad
08-11-2009, 01:01 AM
Hi all, my Spyware Doctor has just completed a full scan and this HeurEngine.Packed.Themida.RGa has just come up again - second time for me in as many days. The program that appears to be "Suspicious" is CyberLink PowerDVD, and has only been coming up in these scans since I updated PowerDVD to the latest version (v7.3). PowerDVD also crashes every time I try to watch a blu-ray dvd on it (even though the program starts up fine and operates OK as long as I'm not trying to watch anything on it), although I don't know if this is as a result of SD's classifying it as suspicious or just that there is in fact an error with the program (as I haven't quarantined it in SD or anything).

I have attached a screenshot of the scan result, as well as the history file for the scan that 'found' PowerDVD. I have the latest database version for SD (to the best of my knowledge - it does a Smart Update as soon as the PC starts up, before doing any scans), which is 6.13010, and the (SD) product version is 6.0.1.441.

I have just updated PowerDVD to the latest version (updated build of v7.3) so I will run another full scan tomorrow and let you know if anything changes. Meanwhile, good luck deciphering this post (it's pretty late), I hope I have included everything necessary to help you get to the bottom of this problem!

Best wishes :)

AChen
08-13-2009, 03:42 AM
Regarding the HeurEngine.Packed.Themida detections you are experiencing: please be aware that these are files recognized by the Heuristics Engine as highly suspicious because they are packed with the same run-time compression that is commonly used by malware, so they could be threats. Unless you know these files to be legitimate you should quarantine and remove them. I have escalated this issue to be looked into, as others have pointed it out.

In the meantime, if you wish to allow any HeurEngine.Packed.Themida detections on your system, simply add them into the Spyware Doctor Global Action List.

1. Open Spyware Doctor and select the 'Settings' button >> 'History'

2. Locate the HeurEngine.Packed.Themida detections. You should be able to see the detailed description of the infection at the bottom of the screen.

3. Once you have located the items you wish to allow, right click on the item and select 'Add to Global Action list'

The file is now added and will be ignored by all IntelliGuard Tools and Spyware Doctor scans.
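The "packed with the same run-time compression" signal AChen describes is something you can reproduce yourself before deciding whether to whitelist a file. The script below is an added illustration, not PC Tools' engine or any vendor's code: it walks a PE section table and flags what a packer heuristic typically keys on (near-uniform byte entropy in an executable section, writable+executable sections, section names associated with packers). The entropy threshold, the section-name list and the two sample images are assumptions constructed for the example; a "packed" verdict is a lead to confirm against the vendor's signed build or published hash, not proof of malware, which is exactly why legitimate Themida-protected products trip it.

```python
"""Heuristic 'packed executable' triage over a PE section table (added example)."""
import math
import struct
from collections import Counter

# Thresholds and names are assumptions for this example, not any vendor's signature.
ENTROPY_PACKED = 7.0  # bits/byte; ordinary compiled x86 code usually sits well below this
PACKER_SECTION_NAMES = {b".themida", b".winlice", b"UPX0", b"UPX1", b".vmp0", b".vmp1"}
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty/constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Yield (name, characteristics, raw_bytes) for each entry in the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]   # COFF NumberOfSections
    size_of_opt = struct.unpack_from("<H", image, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + size_of_opt                               # section table follows optional header
    for i in range(num_sections):
        off = table + 40 * i                                          # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)  # SizeOfRawData, PointerToRawData
        chars = struct.unpack_from("<I", image, off + 36)[0]            # Characteristics
        yield name, chars, image[raw_ptr:raw_ptr + raw_size]


def assess(image: bytes) -> dict:
    """Per-section findings plus the kind of verdict a packer heuristic would reach."""
    findings = []
    for name, chars, data in parse_sections(image):
        ent = shannon_entropy(data)
        reasons = []
        if chars & IMAGE_SCN_MEM_EXECUTE and ent >= ENTROPY_PACKED:
            reasons.append("high-entropy executable section")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable+executable section")
        if name in PACKER_SECTION_NAMES:
            reasons.append("known packer section name")
        findings.append({"name": name.decode("ascii", "replace"),
                         "entropy": round(ent, 2), "reasons": reasons})
    return {"packed": any(f["reasons"] for f in findings), "sections": findings}


def build_sample_pe(sections) -> bytes:
    """Assemble a minimal PE-shaped image (valid headers and section table, not loadable)
    from [(name, characteristics, raw_bytes)]. Constructed input for the example."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Signature + COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    ptr = e_lfanew + len(coff) + 40 * len(sections)   # raw data starts right after the table
    table, body = bytearray(), bytearray()
    for name, chars, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), 0, len(data), ptr, 0, 0, 0, 0, chars)
        body += data
        ptr += len(data)
    return bytes(dos + coff + table + body)


# Constructed samples: repetitive code-like bytes versus a uniform (every value equally often) blob.
PLAIN_CODE = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x90, 0xC3]) * 512
UNIFORM = bytes(range(256)) * 16


def sample_plain() -> bytes:
    """An unpacked-looking build: low-entropy .text, non-executable .data."""
    return build_sample_pe([(b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE, PLAIN_CODE),
                            (b".data", IMAGE_SCN_MEM_WRITE, b"hello world\0" * 100)])


def sample_packed() -> bytes:
    """A packed-looking build: uniform-entropy RWX .text plus a packer-named stub section."""
    return build_sample_pe([(b".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE, UNIFORM),
                            (b".themida", IMAGE_SCN_MEM_EXECUTE, PLAIN_CODE[:1024])])


if __name__ == "__main__":
    for label, img in (("plain", sample_plain()), ("packed", sample_packed())):
        print(label, assess(img))
```

Running it on a real file is `assess(open(path, "rb").read())`. A hit here tells you the binary looks like what packers produce; it cannot tell a protected commercial player from a protected trojan, so the next step for a flagged CLDSHOWX.DLL or AVS executable is to check the publisher's Authenticode signature and compare the hash with the vendor's download before adding it to the Global Action List.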

lucid
08-13-2009, 04:33 AM
Yep, this happens with most AVs. KIS got this on the AVS programs as well as Dell's own program files, which use this packer. Silly Dell... :eek::eek:

mr_yad
08-13-2009, 11:32 AM
Thanks for your help AChen, have just done as you said re the Global Action List and will keep an eye on this forum for the result of you guys having looked into this issue. Good luck!

drunkenphrophet
09-03-2009, 03:19 AM
This positive reading is heuristically derived. When heuristic anti-virus software like ThreatFire sees programs like Nero acting like a trojan, it reports it as a trojan. I sure wish it would pick up the new Internet Explorers. Nero likes to see and report what's on your computer. Things will get worse on the internet now that the media has their guy in. Don't use Bing search either, as it is an NSA product.

Clash
09-24-2009, 07:23 PM
I'm not sure what is happening, but my DB is current, I am trying out threatfire Vista 64 bit beta and my Spyware Dr is GOING NUTS with this.


I've uninstalled the WinDVD BD that came with the PC; now it wants to block/remove part of my Nero 9, and this thing will just NOT go away... NOTHING I DO is letting anything work.

Not sure if it's the latest executable/DB update combination of SD or TF.

If anyone who knows what to do can suggest / let tech support know as well (I've gotten no reply.... I suspect email is getting impacted (Outlook))

Please ask them to look me up (and see what I have/how to contact me) and what I should do...


With thanks,
C
:mad: