|
#11
| |||
| |||
| For others who might experience this and are more open to the prospect that Money didn't deliver this problem on its own, here's a possible scenario: If you search TrendMicro for the TROJ_DORF family, you get the following URL: http://www.trendmicro.com/vinfo/viru...e=TROJ_DORF.AA It is dropped by WORM_NUWAR.AOP, described at http://www.trendmicro.com/vinfo/viru...WORM_NUWAR.AOP This could be the source and might be what TrendMicro is not finding when the OS looks like it is clean. The machine might also remain infected even after getting rid of the current TROJ_DORF infection (.AL is probably just the 12th variant of the listed Trojan). It arrives by email in a zip file, but also uses a GIF file in the email to infect the system. So, a user who just reads the email and does not try to open the zip can still be infected. The infection is probably in IE, and that is the engine that Money uses for accessing help. It is likely that no cleaning will completely guarantee that the system will ever be clean short of FDISK and a clean install. |
|
#10
| |||
| |||
| (repost of something posted last night but swallowed up by the spam filters at msnews) Sure. But of what? If M05 were distributing viruses, yours would not be the first report of it and certainly not at this late date in the lifecycle of M05. Could something have infected the executables involved in Money Help? Sure. Did it get there because Money somehow went out and fetched it? Again, yours would not be the first report. If the AV-ware people can't find/fix it, what do you want/expect Cal or any of us to do/be able to do? We just use the thing. And most of us don't even use M05 any more. Have you thought, even briefly, of trying a clean install of Money05 (and NOT from some w_a_r_e_z files) on a known clean machine isolated from your infected machine? "David" <David[at]discussions.microsoft.com> wrote in message news:747EB7BD-E457-481C-94FB-FBB637819594[at]microsoft.com... - quote - > I'd say there's a strong circumstantial case here |
|
#9
| |||
| |||
| In microsoft.public.money, David wrote:
- quote -
> I don't know what else I can say. I use the PC on a daily basis with no issues, including major web/email use. I use MS Money on a daily basis with no ill effects. The few times I launch help from MS Money I instantly get a realtime detection of malware. I get new malware files--confirmed malicious by Trend Micro after submission--under WINDOWS and SYSTEM32 with timestamps exactly after the moment I launched help. I get outbound connections to bogus URLs in my content filter log timestamped exactly after the moment I launched help.
> Last night TrendMicro alerted AND Windows Defender detected changes immediately after I absentmindedly launched help. And when I attempted to deny the changes Windows Defender failed to do so with an error (I can post the HRESULT code later tonight.) TrendMicro has already confirmed one of the files I submitted from last night is malicious and named the pattern TROJ_DORF.AL, and provided me a link to an interim pattern release. They are still analyzing the other files I cleaned.
> I've cleaned everything up in safe mode, scanned clean and run normally. I regularly use TrendMicro, Ad-Aware, and Windows Defender. I've repeated the attack several times and can repeat it again on demand simply by launching MS Money help. I'd say there's a strong circumstantial case here and you're just not hearing it.
I don't want to discourage your searching and study. The fact that you had an infection that causes a symptom when you invoke Money help does not indicate to me that the infection was caused by Money Help. A stronger case to me would be a new windows install and Money install that showed that problem accessing help before opening other applications that you did not reinstall, but were just left there from before. I am certainly not expert in computer infections. A very strong case would be to install everything fresh to a new drive, and try to catch something. If you don't have a Windows disk or lost your key, then I could understand your not wanting to reinstall Windows.
Many OEM machines don't come with a Windows disk and come only with a disk that restores an image of how the computer was when it was shipped. That loses everything, unless applied to a new drive.
- quote -
> "Cal Learner-- MVP" wrote:
> > In microsoft.public.money, David wrote:
> > > What exactly did I say that caused you to dismiss me as unwilling to use reason?
> > This statement stuck out: "This PC [...] has never been infected via an email attachment.
> > That kinda led me to expect that you were not going to believe that reinstalling windows wasn't a big deal. |
|
#8
| |||
| |||
| I don't know what else I can say. I use the PC on a daily basis with no issues, including major web/email use. I use MS Money on a daily basis with no ill effects. The few times I launch help from MS Money I instantly get a realtime detection of malware. I get new malware files--confirmed malicious by Trend Micro after submission--under WINDOWS and SYSTEM32 with timestamps exactly after the moment I launched help. I get outbound connections to bogus URLs in my content filter log timestamped exactly after the moment I launched help. Last night TrendMicro alerted AND Windows Defender detected changes immediately after I absentmindedly launched help. And when I attempted to deny the changes Windows Defender failed to do so with an error (I can post the HRESULT code later tonight.) TrendMicro has already confirmed one of the files I submitted from last night is malicious and named the pattern TROJ_DORF.AL, and provided me a link to an interim pattern release. They are still analyzing the other files I cleaned. I've cleaned everything up in safe mode, scanned clean and run normally. I regularly use TrendMicro, Ad-Aware, and Windows Defender. I've repeated the attack several times and can repeat it again on demand simply by launching MS Money help. I'd say there's a strong circumstantial case here and you're just not hearing it. "Cal Learner-- MVP" wrote: - quote - > In microsoft.public.money, David wrote: > > > > What exactly did I say that caused you to dismiss me as unwilling to use > > reason? > This statement stuck out: "This PC [...] has never been infected via > an email attachment. > That kinda led me to expect that you were not going believe that > reinstalling windows wasn't a big deal. |
|
#7
| |||
| |||
| In microsoft.public.money, David wrote:
- quote -
> What exactly did I say that caused you to dismiss me as unwilling to use reason?
This statement stuck out: "This PC [...] has never been infected via an email attachment. That kinda led me to expect that you were not going to believe that reinstalling windows wasn't a big deal. |
|
#6
| |||
| |||
| In microsoft.public.money, David wrote:
- quote -
> If you have any advanced knowledge about what binaries are related to Money 2005 premium help, please let me know so I can disable them.
If you can get somebody running 2005 premium to capture the output of
dir "C:\Program Files\Microsoft Money 2006\MNYCoreFiles"
You could compare the dates and file sizes to look for discrepancies. If * represents your user name, consider moving the contents :C:\Documents and Settings\*\Local Settings\Application Data\Microsoft\Money\14.0 to a different folder. I think Money would recreate the contents. If not, reinstall Money or copy the contents back. Anyway, that's where a lot of the stuff resides. I am still skeptical of your belief that the Money help system was the ingress for your worms. |
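Added example, not part of the original post: one way to do the comparison suggested above, by parsing two saved `dir` listings (a reference install and the suspect machine) and reporting files whose size or date differ or that exist on only one side. The listings, file names, sizes and dates are constructed placeholders, and US-locale `dir` output is assumed.

```python
import re
from datetime import datetime

# Matches a file row of US-locale `dir` output, e.g.
# "07/01/2004  09:00 AM           204,800 name.dll"; <DIR> rows do not match.
ROW = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(.+?)\s*$")

def parse_dir(text):
    """Return {lowercased file name: (size_in_bytes, modified)} per file row."""
    files = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, <DIR> entry or summary line
        date, time, size, name = m.groups()
        stamp = datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M %p")
        files[name.lower()] = (int(size.replace(",", "")), stamp)
    return files

def compare(reference, suspect):
    """List (name, finding) pairs where the suspect listing differs."""
    ref, sus = parse_dir(reference), parse_dir(suspect)
    findings = []
    for name in sorted(ref.keys() | sus.keys()):
        if name not in sus:
            findings.append((name, "missing on suspect machine"))
        elif name not in ref:
            findings.append((name, "not present in reference install"))
        elif ref[name][0] != sus[name][0]:
            findings.append((name, f"size {ref[name][0]} -> {sus[name][0]}"))
        elif ref[name][1] != sus[name][1]:
            findings.append((name, f"modified {ref[name][1]} -> {sus[name][1]}"))
    return findings

# Constructed listings: every file name, size and date below is a placeholder.
REFERENCE = """\
 Directory of C:\\Program Files\\Microsoft Money 2006\\MNYCoreFiles

07/01/2004  09:00 AM    <DIR>          .
07/01/2004  09:00 AM           204,800 sample_a.dll
07/01/2004  09:00 AM            51,200 sample_b.ocx
07/01/2004  09:00 AM            10,240 sample_c.dat
               3 File(s)        266,240 bytes
"""
SUSPECT = """\
 Directory of C:\\Program Files\\Microsoft Money 2006\\MNYCoreFiles

07/01/2004  09:00 AM    <DIR>          .
07/01/2004  09:00 AM           204,800 sample_a.dll
11/20/2006  02:14 AM            53,248 sample_b.ocx
11/20/2006  02:14 AM            28,672 sample_d.dll
               3 File(s)        286,720 bytes
"""

if __name__ == "__main__":
    for name, finding in compare(REFERENCE, SUSPECT):
        print(f"{name}: {finding}")
```

Both listings need to come from the same Money version and patch level. Matching sizes and dates do not prove a file is unmodified, so a hash comparison of any file of interest is the stronger check.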
|
#5
| |||
| |||
| "Cal Learner-- MVP" wrote:
- quote -
> I am skeptical of your thesis, but I don't think that is going to shake your beliefs.
Wow, Cal. Having a bad day? What gave you that impression? Do you dispute any of the facts I related regarding the nature of the infections and Trend Micro's response? Do you dispute any of the other details I provided, such as the existence of a NAT router, etc? Or do you only my theory that my MS Money help is compromised? What exactly did I say that caused you to dismiss me as unwilling to use reason?
I repeat. Multiple times I have been infected with trojans immediately after launching MS Money 2005 help. My AV detects some but not all of the threat. Prior to running help the machine scans clean. After doing a manual clean I can repeat the attack by launching help again. I suspect that an ActiveX control or BHO used by MS Money help is compromised on my machine. I'm asking for help identifying the components MS Money 2005 help relies on so I can either find the culprit by elimination or find out that I'm wrong.
Tell me what's missing from my argument and I'll try to supply it. Or ignore me. But don't insult me. |
|
#4
| |||
| |||
| In microsoft.public.money, David wrote:
- quote -
> This PC is kept up to date with automatic downloads, is behind a NAT router (where the aforementioned content filter logs are kept), and has never been infected via an email attachment.
> I'm not going to follow your advice to reinstall Windows, but if you'd care to address my thesis that MS Money Help is the source of the problem I'd appreciate your reply.
I am skeptical of your thesis, but I don't think that is going to shake your beliefs. |
|
#3
| |||
| |||
| Cal,
This PC is kept up to date with automatic downloads, is behind a NAT router (where the aforementioned content filter logs are kept), and has never been infected via an email attachment.
I'm not going to follow your advice to reinstall Windows, but if you'd care to address my thesis that MS Money Help is the source of the problem I'd appreciate your reply.
"Cal Learner-- MVP" wrote:
- quote -
> In microsoft.public.money, David wrote:
> > This is absolutely not a false positive. These are real infections with consequences, such as bogus "You are infected with spyware!" balloon popups and multiple malware files installed in C:\WINDOWS and C:\WINDOWS\SYSTEM32. Last night's infection was clever enough to disable TaskManager completely. Examining the content filter on my firewall after an attack reveals outgoing connections to strange URLs or IP's, apparently to download the malware.
> > As I said, TrendMicro has created new detection patterns and made interim releases based on files I have sent to them due to this exploit.
> > Whatever is exploiting MS Money 2005 Help is not getting detected by any of the software I have available, such as TrendMicro or Ad-Aware, so it is able to continue functioning as a source for more malware. I'd like to put a stop to it without affecting the performance of MS Money 2005 if I can.
> If you do not use a NAT router, I would add one-- even if you only have one computer. Then I would reinstall Windows, preferably after booting from the CD. You should be able to do that without formatting the drive. The first thing you would do thereafter is to do a Windows Update. I would also stop people using your computer from launching any email attachments in the future, unless they are expected from a known trusted source. |
|
#2
| |||
| |||
| In microsoft.public.money, David wrote:
- quote -
> This is absolutely not a false positive. These are real infections with consequences, such as bogus "You are infected with spyware!" balloon popups and multiple malware files installed in C:\WINDOWS and C:\WINDOWS\SYSTEM32. Last night's infection was clever enough to disable TaskManager completely. Examining the content filter on my firewall after an attack reveals outgoing connections to strange URLs or IP's, apparently to download the malware.
> As I said, TrendMicro has created new detection patterns and made interim releases based on files I have sent to them due to this exploit.
> Whatever is exploiting MS Money 2005 Help is not getting detected by any of the software I have available, such as TrendMicro or Ad-Aware, so it is able to continue functioning as a source for more malware. I'd like to put a stop to it without affecting the performance of MS Money 2005 if I can.
If you do not use a NAT router, I would add one-- even if you only have one computer. Then I would reinstall Windows, preferably after booting from the CD. You should be able to do that without formatting the drive. The first thing you would do thereafter is to do a Windows Update. I would also stop people using your computer from launching any email attachments in the future, unless they are expected from a known trusted source. |
|
#1
| |||
| |||
| This is absolutely not a false positive. These are real infections with consequences, such as bogus "You are infected with spyware!" balloon popups and multiple malware files installed in C:\WINDOWS and C:\WINDOWS\SYSTEM32. Last night's infection was clever enough to disable TaskManager completely. Examining the content filter on my firewall after an attack reveals outgoing connections to strange URLs or IP's, apparently to download the malware.
As I said, TrendMicro has created new detection patterns and made interim releases based on files I have sent to them due to this exploit.
Whatever is exploiting MS Money 2005 Help is not getting detected by any of the software I have available, such as TrendMicro or Ad-Aware, so it is able to continue functioning as a source for more malware. I'd like to put a stop to it without affecting the performance of MS Money 2005 if I can.
"Mark" wrote:
- quote -
> This is more likely a false positive from TrendMicro being too aggressive. Does it say specifically what is the problem?
> For example if it mentions surf.mar, that is a part of Money's navigation code.
> Most likely you will actually want to modify your AV to "allow" Money to do what it needs to do.
> -Mark
> "David" <David[at]discussions.microsoft.com> wrote in message news:EF9A0F15-63AE-4106-B224-B2C49226627D[at]microsoft.com...
> > I'm having a serious problem with MS Money 2005 premium. Every time I launch help (which appears to be browser-based), my antivirus (Trend Micro) immediately warns of a realtime detection of various trojans. The trojans are advanced enough to mostly get past Trend Micro and infect my PC anyway. It happened again last night.
> > After I manually clean up I submit the files to Trend Micro for analysis and each time this has resulted in new patterns being created. If I remember the count right this has happened five times over the last two years. (I don't launch help that much, and these days, only by mistake.)
> > Overall my systems are pretty secure and I am never troubled by trojans or viruses during normal web browsing. I think the money help pages use an activex control or some other binary that has been compromised or replaced with an undetected malware version.
> > If you have any advanced knowledge about what binaries are related to Money 2005 premium help, please let me know so I can disable them. |
| | |||
| |||
| This is more likely a false positive from TrendMicro being too aggressive. Does it say specifically what is the problem? For example if it mentions surf.mar, that is a part of Money's navigation code. Most likely you will actually want to modify your AV to "allow" Money to do what it needs to do. -Mark "David" <David[at]discussions.microsoft.com> wrote in message news:EF9A0F15-63AE-4106-B224-B2C49226627D[at]microsoft.com... - quote - > I'm having a serious problem with MS Money 2005 premium. Every time I > launch > help (which appears to be browser-based), my antivirus (Trend Micro) > immediately warns of a realtime detection of various trojans. The trojans > are > advanced enough to mostly get past Trend Micro and infect my PC anyway. It > happened again last night. > After I manually clean up I submit the files to Trend Micro for analysis > and > each time this has resulted in new patterns being created. If I remember > the > count right this has happened five times over the last two years. (I don't > launch help that much, and these days, only by mistake.) > Overall my systems are pretty secure and I am never troubled by trojans or > viruses during normal web browsing. I think the money help pages use an > activex control or some other binary that has been compromised or replaced > with an undetected malware version. > If you have any advanced knowledge about what binaries are related to > Money > 2005 premium help, please let me know so I can disable them. |
|
#-1
| |||
| |||
| I'm having a serious problem with MS Money 2005 premium. Every time I launch help (which appears to be browser-based), my antivirus (Trend Micro) immediately warns of a realtime detection of various trojans. The trojans are advanced enough to mostly get past Trend Micro and infect my PC anyway. It happened again last night. After I manually clean up I submit the files to Trend Micro for analysis and each time this has resulted in new patterns being created. If I remember the count right this has happened five times over the last two years. (I don't launch help that much, and these days, only by mistake.) Overall my systems are pretty secure and I am never troubled by trojans or viruses during normal web browsing. I think the money help pages use an activex control or some other binary that has been compromised or replaced with an undetected malware version. If you have any advanced knowledge about what binaries are related to Money 2005 premium help, please let me know so I can disable them. |