IPB

> not-a-virus:RiskWare.Tool.Madtol.c, How to delete?
christophs
post 29.04.2005 14:50
Post #1
Advanced Member
Group: Members
Posts: 188
Joined: 7.04.2005

Hello, I have this
not-a-virus:RiskWare.Tool.Madtol.c
on my computer.
KAV cannot delete it.
When I boot,
KAV shows me that I have this on my computer.
How can I delete it?

Thanks in advance!

And what is it?
Does someone know more details?
KAV-scy doesn't know more details.


--------------------
Regards

Christoph

KIS 2010

Clrav
post 29.04.2005 16:38
Post #2
Virus expert
Group: Banned
Posts: 61
Joined: 11.04.2005

QUOTE(christophs @ Apr 29 2005, 02:50 PM)
not-a-virus:RiskWare.Tool.Madtol.c

This driver was detected because it allows integrating an application into another process. It came with the Backdoor.Win32.Hupigon.f trojan program. But it could be used in other applications, so we added it to the RiskWare base (extended bases).

As for deleting, could you specify what happens when you try to delete this file through KAV or manually?

christophs
post 29.04.2005 16:58
Post #3
Advanced Member
Group: Members
Posts: 188
Joined: 7.04.2005

"KAV cannot delete this file."
It is in the folder:
C: Documents-1/Admini-1/Local-1/Temp&mc26.tmp


--------------------
Regards

Christoph

KIS 2010

Don Pelotas
post 29.04.2005 17:24
Post #4
Global Moderator
Group: Global moderators
Posts: 25601
Joined: 7.04.2005

I also have this riskware alert; mine's in the Windows temp folder. It's only deletable in Safe Mode, but not with KAV! I use Window Washer for this, but the file is there again upon startup.

It's not detected by KAV on-demand, btw, and most of the files in the temp folder are 0 bytes (incl. the file detected as madtool).



christophs
post 29.04.2005 17:30
Post #5
Advanced Member
Group: Members
Posts: 188
Joined: 7.04.2005

I deleted the temporary internet files, and after a reboot KAV didn't show me the warning again.
How can I check whether it is now on my computer or not?


--------------------
Regards

Christoph

KIS 2010

Don Pelotas
post 29.04.2005 17:45
Post #6
Global Moderator
Group: Global moderators
Posts: 25601
Joined: 7.04.2005

QUOTE(christophs @ Apr 29 2005, 04:30 PM)
I deleted the temporary internet files, and after a reboot KAV didn't show me the warning again.
How can I check whether it is now on my computer or not?

Christophs, I think it may be a false positive; we will have to wait for the experts' word.

Have you got Spy Sweeper installed, btw?

I am not concerned with this riskware alert (I have seen it for some days actually!); the file is 0 bytes, so it can't be all that bad.

Edit: I actually have a couple of screenshots, but can't attach any files in this thread, weird.



ShadoWalker
post 29.04.2005 18:02
Post #7
Newbie
Group: Members
Posts: 1
Joined: 28.04.2005

Hi, I also received this message when I activated my TrojanHunter guard. I got popups (can't remember the exact wording), clicked ignore a few times, then was able to delete what it asked me to delete. I will try to replicate this. SW.

christophs
post 29.04.2005 21:36
Post #8
Advanced Member
Group: Members
Posts: 188
Joined: 7.04.2005

I use a² and Spy Sweeper.
I heard that some of the elements included in them are added to KAV's riskware base.
Is it true?
http://www.rokop-security.de/index.php?sho...indpost&p=90825


--------------------
Regards

Christoph

KIS 2010

Manu
post 29.04.2005 22:12
Post #9
Member
Group: Members
Posts: 41
Joined: 9.04.2005

The developer of A2, Andreas Haak, described that components of the "Madshi Collection" can be used for injecting into new processes. "Madshi" uses the temporary folder to do this at runtime.
These components are used by several security-related programs, such as A2 or Spy Sweeper, but could also be used by malware or rootkits (such as AFX), he wrote.

Don Pelotas
post 29.04.2005 22:42
Post #10
Global Moderator
Group: Global moderators
Posts: 25601
Joined: 7.04.2005

Thank you for the link, christophs. It just "confirms" what I suspected. I think it's the shields of Spy Sweeper; Spy Sweeper does use "Madshi". There was a little discussion about this in the Process Guard forum some time ago. I don't use A2, btw.



richardvannie
post 1.05.2005 23:39
Post #11
Member
Group: Members
Posts: 12
Joined: 1.05.2005

I have not-a-virus:RiskWare.Tool.madTol.c in the temp directory under an entry that follows the format mc2*.tmp where * is a number from 0 - 9.

I tried deleting it myself and it always reappears on startup. I even programmed a deletion using a cleaner set to wipe it every 10 minutes. This alleviates it somewhat. Setting the cleaner to wipe at startup is too slow. The file(s) show up in the temp directory anyway and the wipe is too late.

The detection still appears at startup, sometimes with a pop-up alert, sometimes with no alert.

This virus is detectable by the string "madTools" in a file. I found the madTools kit in three files:

tuBasic.bpl Tune-up Utilities
SpySweeper.exe Spy Sweeper
sis.dll Spy Sweeper

Yes, it is true that Spy Sweeper uses it. Tune-up Utilities 2004 is also using it. The purpose of this kit is for pop-up and text display. Even though it can be used for good, it also can be used for evil (as a Trojan, spyware, ad-ware, etc.).

richardvannie
post 2.05.2005 05:00
Post #12
Member
Group: Members
Posts: 12
Joined: 1.05.2005

Problem corrected! This is how I managed to delete it:

1) I removed Spy Sweeper from the startup program list at HKEY\CURRENT_USER\Software\Microsoft\Windows\Run, HKEY\LOCAL_MACHINE\Software\Microsoft\Windows\Run, etc., so that it doesn't start.
2) I deleted the relevant temporary files in C:\Documents and Settings\<User>\Local Settings\Temp in the user profiles while in Safe Mode.
3) Upon restarting in Normal Boot, not-a-virus:RiskWare.Tool.Madtol.c is not detected anymore (it is removed).

I am fine running Spy Sweeper for only on-demand scans because it uses up a lot of memory.

The next steps are precautionary:

1) The cleaner is set to delete the related .tmp files every 10 minutes (if found)
2) Dark Files is set to completely hide these .tmp files when running Spy Sweeper or during Internet access, just in case Spy Sweeper rewrites the .tmp file.
3) In the firewall, Spy Sweeper's internet access is set to "prompt" and no server nor mail rights are granted to it. Rights are set to "prompt" for the services/components. Access is only granted for definition updates.

When the definitions for Spy Sweeper are updated, and Dark Files is hiding the .tmp files, the Spy Sweeper server might or might not write the .tmp file. It will get a "file not found" type error when it tries to execute the Trojan due to the files being completely hidden to all processes and threads. The updates will continue normally.

I hope this helps.

christophs
post 7.05.2005 17:49
Post #13
Advanced Member
Group: Members
Posts: 188
Joined: 7.04.2005

I don't want to remove Spy Sweeper.
But I am irritated by the popup "found not a virus madtoolc".
I do not want to see this popup.
How can I delete it without deactivating the advanced samples?


--------------------
Regards

Christoph

KIS 2010

Don Pelotas
post 7.05.2005 18:09
Post #14
Global Moderator
Group: Global moderators
Posts: 25601
Joined: 7.04.2005

QUOTE(christophs @ May 7 2005, 04:49 PM)
I don't want to remove Spy Sweeper.

You don't have to.
QUOTE
But I am irritated by the popup "found not a virus madtoolc".
I do not want to see this popup.
How can I delete it without deactivating the advanced samples?

By upgrading to the MP3 beta2: http://downloads1.kaspersky-labs.com/beta/...rsonal/english/ , the next time KAV finds madtool after you install MP3, it will give you the option to exclude it from scanning.



christophs
post 7.05.2005 18:14
Post #15
Advanced Member
Group: Members
Posts: 188
Joined: 7.04.2005

Thanks!


--------------------
Regards

Christoph

KIS 2010

richardvannie
post 8.05.2005 05:53
Post #16
Member
Group: Members
Posts: 12
Joined: 1.05.2005

QUOTE(christophs @ May 7 2005, 10:49 AM)
I don't want to remove Spy Sweeper.
But I am irritated by the popup "found not a virus madtoolc".
I do not want to see this popup.
How can I delete it without deactivating the advanced samples?

Christophs, if you would please look at the post above and reread. I am not suggesting removing Spy Sweeper at all, except from startups. I had it removed because of problems with memory management and conflicts with Zone Alarm Pro.

Excluding it is an option if there was a false alarm. I am afraid not. I did have tangible problems from this one. If Spy Sweeper is not removed from the startups and allowed to run, then it would be fine to hide the *mc2*.tmp in the Temp directory. That doesn't affect Spy Sweeper's operation. What good programmer would use temporary files as permanents? Please do what you need to. I hope someone at Webroot will correct this.

simlet
post 17.05.2005 03:23
Post #17
Member
Group: Members
Posts: 40
Joined: 27.04.2005
From: UK

I had a window pop up with exactly the same message when installing Spyware Doctor yesterday.
Madtol.c was in Temp file mc293. The log showed there being an error when trying to remove the file to back up and the next message says 'Cannot be deleted, file not found'!
I immediately removed Spyware Doctor as I believed it had a trojan hidden in it somewhere. So, it looks like this was most probably a false alarm caused by a component in Spyware Doctor?

richardvannie
post 17.05.2005 12:54
Post #18
Member
Group: Members
Posts: 12
Joined: 1.05.2005

QUOTE(simlet @ May 16 2005, 08:23 PM)
I had a window pop up with exactly the same message when installing Spyware Doctor yesterday.
Madtol.c was in Temp file mc293. The log showed there being an error when trying to remove the file to back up and the next message says 'Cannot be deleted, file not found'!
I immediately removed Spyware Doctor as I believed it had a trojan hidden in it somewhere. So, it looks like this was most probably a false alarm caused by a component in Spyware Doctor?


Perhaps. It won't really be clear whether there is a false alarm until someone fully analyzes the madtool kit for viruses, spyware, malware, etc. I wonder if anybody is checking this now?

I found that with Spy Sweeper, I can block the temporary file and Spy Sweeper still works fully. I admit that I don't know if this is true for Spy Doctor.

Peggy
post 29.05.2005 14:38
Post #19
Newbie
Group: Members
Posts: 1
Joined: 29.05.2005

A computer at my school also got not-a-virus:Tool.Win32.HideWindows.
I can delete it, but that computer had been intruded for a long time.
It was found at "C:/RECYCLER".
I have deleted all files in "C:/RECYCLER", made a copy of them, and stored them in my webmail on the internet.

However, I don't know whether the reason that DISK E of that computer shows no files but has no free space is that "Tool.Win32.HideWindows" or not.
Right-clicking DISK E to scan it for viruses, I have seen many files being scanned.
That means E did have a lot of files in it, but they were invisible when I checked DISK E.
I've tried to format DISK E, then an alert came out: "There are still other programs are running with this disk's files. You may try it again, after shut them down."
OK, shut them down? But I don't know which service or program was running with E's or F's files. (DISK F also has the same problem.) I have shut down the "Removable Storage" service. Yes, DISK E was formatted successfully. DISK F still can't be formatted.
The system still alerts me with "There are still other programs are running with this disk's files......".

Can anyone help me solve this huge problem?
(Invisible files occupy all the space; of course I did check the option "Reveal both visible and invisible files", but those files are still really "invisible".)

Defenestration
post 30.05.2005 05:50
Post #20
Advanced Member
Group: Gold beta testers
Posts: 823
Joined: 9.04.2005

I've had exactly this same problem with KAV detecting a temporary file of the form mc21.tmp as being either "not-a-virus:Riskware.Win32.Madtol.c" or "not-a-virus:Tool.Win32.Madtol.c". This is indeed used by Madshi's tools and in my case it is created by a-squared.

To counteract the alert on startup, I created two exclusion rules (one for each Threat) with a file mask of "mc2?.tmp" and a Scope of Real-Time File Protection.

BTW, what is the difference between "not-a-virus:Riskware.Win32.Madtol.c" and "not-a-virus:Tool.Win32.Madtol.c" ?

Why are there two entries for the same threat ?


PS. For a while I couldn't understand why my first exclusion rule was not always working, and thought there was a problem with the ? wildcard. Then I realised it was being flagged as two slightly different threats.
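A small triage script for the symptoms discussed in this thread: richardvannie's mc2*.tmp naming and "madTools" marker string (post #11) and Defenestration's "mc2?.tmp" exclusion mask (post #20). This is an added example, not code from the thread or from Kaspersky, Webroot or Madshi; it assumes the marker string is a usable indicator and builds its own constructed sample directory, including a three-digit name like simlet's mc293.tmp to show what a single-character wildcard mask does not cover.

```python
"""Triage the mc2?.tmp riskware alerts from this thread (added example)."""
import fnmatch
import os
import tempfile

MARKER = b"madTools"          # string the thread says identifies the madshi kit (assumed indicator)
EXCLUSION_MASK = "mc2?.tmp"   # the exclusion file mask from post #20; ? matches exactly one char


def triage_temp_dir(path, mask=EXCLUSION_MASK):
    """Return {name: {size, has_marker, matches_mask}} for every .tmp file in path.

    size shows the 0-byte leftovers mentioned in post #4, has_marker flags the
    kit's string, and matches_mask tells whether the exclusion rule would cover
    the file name (case-insensitive, like Windows file names).
    """
    results = {}
    for name in sorted(os.listdir(path)):
        if not name.lower().endswith(".tmp"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            data = fh.read()
        results[name] = {
            "size": len(data),
            "has_marker": MARKER in data,
            "matches_mask": fnmatch.fnmatchcase(name.lower(), mask.lower()),
        }
    return results


def build_sample_dir():
    """Constructed sample temp folder mimicking the states described in the thread."""
    d = tempfile.mkdtemp()
    samples = {
        "mc21.tmp": b"MZ....madTools....",   # one-digit name, marker present
        "mc26.tmp": b"",                     # 0-byte leftover (post #4)
        "mc293.tmp": b"MZ....madTools....",  # three-digit name (post #17)
        "other.tmp": b"unrelated",           # unrelated temp file
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    for name, info in triage_temp_dir(build_sample_dir()).items():
        print(f"{name:12} size={info['size']:3} marker={info['has_marker']} "
              f"covered_by_mask={info['matches_mask']}")
```

Pointing triage_temp_dir at the real %TEMP% path lists which leftovers the mask would exclude; a name such as mc293.tmp carries the marker but falls outside "mc2?.tmp", so an alert on it would still fire.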
