View Full Version : False positives
ErikAlbert
November 28th, 2007, 05:04 AM
I ran TrojanHunter v5.0 and my computer is infected with these 5 trojans.
IZArc, Script Defender, File Defender and PortBlocker are all TROJANS or FALSE POSITIVES.
What do you think ?
Found trojan file: C:\Program Files\IZArc\SFXS\IZArcRAR.dat (Generic.RarDrop.B)
Found trojan file: D:\Software5 - To Keep\Script Defender\sdefendi.exe (Generic.Trojan.A)
Found possible trojan file: D:\Software9 - To Try\File Defender\FileDefender\Activate.exe (SDBot)
Found possible trojan file: D:\Software9 - To Try\File Defender\FileDefender.zip/Activate.exe (SDBot)
Found trojan file: D:\Software9 - To Try\PortBlocker\pblocki.exe (Generic.Trojan.A)
OMG all these poor users of IZArc, Script Defender, File Defender and PortBlocker are also infected, just like me. That's life. :'(
LUSHER
November 28th, 2007, 09:04 AM
-{ Quote: "I ran TrojanHunter v5.0 and my computer is infected with these 5 trojans.
IZArc, Script Defender, File Defender and PortBlocker are all TROJANS or FALSE POSITIVES.
What do you think ?
OMG all these poor users of IZArc, Script Defender, File Defender and PortBlocker are also infected, just like me. That's life. :'(" }-
Have you ruled out the possibility that you have a trojanized copy of these programs? Hackers have actually gained control of servers and put up subverted versions of well known "safe" programs for others to download.
PS I'm sure it's a FP, but for someone as paranoid as you, you should check out the possibility that you actually have a trojanised copy of a "safe" program. I'm sure you know how to rule out that possibility right?
ErikAlbert
November 28th, 2007, 09:53 AM
-{ Quote: "Have you ruled out the possibility that you have a trojanized copy of these programs? Hackers have actually gained control of servers and put up subverted versions of well known "safe" programs for others to download.
PS I'm sure it's a FP, but for someone as paranoid as you, you should check out the possibility that you actually have a trojanised copy of a "safe" program. I'm sure you know how to rule out that possibility right?" }-
Yes, I know they are FP's. I only wanted to show Wilders how good TrojanHunter is : too good IMO.
My theory was : if a scanner ever finds a malware on my computer, it must be a false positive. Well TrojanHunter confirmed that theory 5 times. ;D
LUSHER
November 28th, 2007, 10:48 AM
-{ Quote: "Yes, I know they are FP's.
" }-
How do you know? For the sake of our less knowledgeable users, could you tell them how you can tell if some program you downloaded is the actual real version and not a trojanised copy?
-{ Quote: "
My theory was : if a scanner ever finds a malware on my computer, it must be a false positive. Well TrojanHunter confirmed that theory 5 times. ;D" }-
Nice theory. Might even be right most of the time. But what's the evidence?
I know you can wipe out malware anytime and go to your "safe" config. But how do you know your "safe" config is safe? Could your safe config actually be unsafe because you got fooled into thinking you are using a real copy of IZArc?
And yes I know you got your backups offline. But if you keep thinking your safe config is safe (but it isn't), you could continue to be fooled... so you won't think to go back to your offlines....
ErikAlbert
November 28th, 2007, 11:54 AM
-{ Quote: "How do you know? For the sake of our less knowledgeable users, could you tell them how you can tell if some program you downloaded is the actual real version and not a trojanised copy?
Nice theory. Might even be right most of the time. But what's the evidence?
I know you can wipe out malware anytime and go to your "safe" config. But how do you know your "safe" config is safe? Could your safe config actually be unsafe because you got fooled into thinking you are using a real copy of IZArc?
And yes I know you got your backups offline. But if you keep thinking your safe config is safe (but it isn't), you could continue to be fooled... so you won't think to go back to your offlines...." }-
If you are trying to scare me, try someone else and you call me paranoid ? ;D
FanJ
November 28th, 2007, 12:50 PM
-{ Quote: "I ran TrojanHunter v5.0 and my computer is infected with these 5 trojans.
IZArc, Script Defender, File Defender and PortBlocker are all TROJANS or FALSE POSITIVES.
What do you think ?
Found trojan file: C:\Program Files\IZArc\SFXS\IZArcRAR.dat (Generic.RarDrop.B)
Found trojan file: D:\Software5 - To Keep\Script Defender\sdefendi.exe (Generic.Trojan.A)
Found possible trojan file: D:\Software9 - To Try\File Defender\FileDefender\Activate.exe (SDBot)
Found possible trojan file: D:\Software9 - To Try\File Defender\FileDefender.zip/Activate.exe (SDBot)
Found trojan file: D:\Software9 - To Try\PortBlocker\pblocki.exe (Generic.Trojan.A)
OMG all these poor users of IZArc, Script Defender, File Defender and PortBlocker are also infected, just like me. That's life. :'(" }-
Hi ErikAlbert,
Please submit those files to the TH-company.
See here for instructions:
http://www.misec.net/forum/board/FAQ/1139308293
PS:
I suppose you were using the latest version of TH and the latest defs? ;)
FanJ
November 28th, 2007, 02:42 PM
-{ Quote: "Hi ErikAlbert,
Please submit those files to the TH-company.
See here for instructions:
http://www.misec.net/forum/board/FAQ/1139308293
PS:
I suppose you were using the latest version of TH and the latest defs? ;)" }-
http://www.misec.net/forum/board/TrojanHunter/1196278772
ErikAlbert
November 28th, 2007, 05:28 PM
-{ Quote: "http://www.misec.net/forum/board/TrojanHunter/1196278772" }-
I've sent an email to the support with these 5 false positives. If they care about their product, they will care about these false positives too.
Instead of creating such a complicated procedure for simple users, they better provide a function in TrojanHunter to report false positives via the program itself, just like SUPERAntiSpyware did.
I'm not interested in TrojanHunter or any other kind of scanner and I'm not going to join that forum for ONE job.
It works like this : occasionally, while I'm reading posts at Wilders, I see the name of a scanner.
If I'm in the right mood, I search for the homepage, download and install the trial version of that scanner.
Then I run it and they always report nothing.
Then I boot-to-restore and everything is gone, including the scanner.
My choice is always at random, I never keep the scanner, just one scan and that's it.
I do this since my reinstallation of September, just to see how good (or bad) my security works.
TrojanHunter was the first one that detected something : 5 false positives. That is the same as nothing.
Scanners are not supposed to find anything on my system partition, because there is nothing to find, not if my theory is right.
I remove ANY malware during each reboot in less than 2 minutes and that's the way I like it, because I don't like to spend time on bad things or bad guys.
I don't even know if I was infected, I just want my clean system back, that's all.
I do the same with my spam-emails, no opening, no reading, immediately removed.
LUSHER
November 29th, 2007, 08:31 AM
-{ Quote: "If you are trying to scare me, try someone else and you call me paranoid ? ;D" }-
trying to scare you?
It's a simple, basic and fair question: how do you know what you really have is really a copy of IZArc or whatever application you think is safe?
People have indeed been fooled into running software that isn't what they think it is, whether it is because they got it from the wrong source, or the site got hacked (there's a famous case involving an open source, security related piece of software but I forgot the name).... it happens.
Of course other people at least have a chance of being warned by scanners because they aren't **** sure that they are 100% clean.
There's an equally simple answer to the question I was looking for, but it seems you don't know the answer?
Hint, it has nothing to do with FDISR or boot to restore or offline backups...
Nor scanners for that matter.
ErikAlbert
November 29th, 2007, 08:58 AM
-{ Quote: "trying to scare you?
It's a simple, basic and fair question: how do you know what you really have is really a copy of IZArc or whatever application you think is safe?
People have indeed been fooled into running software that isn't what they think it is, whether it is because they got it from the wrong source, or the site got hacked (there's a famous case involving an open source, security related piece of software but I forgot the name).... it happens.
Of course other people at least have a chance of being warned by scanners because they aren't **** sure that they are 100% clean.
There's an equally simple answer to the question I was looking for, but it seems you don't know the answer?
Hint, it has nothing to do with FDISR or boot to restore or offline backups...
Nor scanners for that matter." }-
I understand you very well and thank you for your concern.
I'm convinced that my system, snapshots, archives, images are clean after my last installation, because they are full of legitimate software and they have hardly been on-line.
If my actual system has been on-line for several months, I don't trust it anymore no matter how strong my security is.
I just replace it with clean archives or images.
I like to keep my harddisk under control and nothing changes in my system partition, unless I want it myself.
You are right regarding modified installation files and I always download them from the homepage and if they are modified, then I indeed have bad luck. I regularly ran scanners on my clean images, KAV, NOD32, SAS, ... but they can't find anything and I only need to run them ONE time, because these clean images hardly go on-line.
I have TWO system partitions : a clean one and a daily one and the clean one keeps the daily one clean.
You can do a simple test : install IZArc and run TrojanHunter, if you have the same false positives, the chance is very big that I don't have a modified installation file of IZArc.
FanJ
November 29th, 2007, 10:33 AM
ErikAlbert,
At least one of those FP's (the one on the Script Defender installation file) is already fixed.
The other ones might also be fixed already or will be fixed.
See:
http://www.misec.net/forum/board/TrojanHunter/1196278772
ErikAlbert
November 29th, 2007, 11:27 AM
-{ Quote: "ErikAlbert,
At least one of those FP's (the one on the Script Defender installation file) is already fixed.
The other ones might also be fixed already or will be fixed.
See:
http://www.misec.net/forum/board/TrojanHunter/1196278772" }-
That's fast and good for the average users, who might delete them and damage their own system partition.
BTW. : I don't use Script Defender anymore, because it has a serious uninstalling bug and the bug report website of SD is dead. I assume the developer isn't interested anymore.
lucas1985
November 29th, 2007, 12:41 PM
-{ Quote: "There's a equally simple answer to the question I was looking for, but it seems you don't know the answer?" }-
Searching the hash/checksum in Google, looking at the digital certificate (?)
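One way to do the checksum half of that check, as an added example that is not from this thread or from any product mentioned in it: hash the downloaded file and compare it with the vendor's published sha256sum-style list. The installer bytes and the checksum list below are constructed, and the list is assumed to come from a channel separate from the download itself (for instance the project homepage over HTTPS), since a list served by the same subverted server would simply match the bad copy.

```python
"""Verify a downloaded installer against a vendor-published checksum list."""
import hashlib
import hmac
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so large installers do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_list(text):
    """Parse sha256sum-style lines ('<hexdigest>  <filename>').

    A leading '*' on the filename (binary-mode marker) is dropped; blank lines
    and '#' comments are skipped; anything that is not two fields is ignored.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_download(path, published):
    """Return (ok, reason). A file with no published entry fails closed."""
    path = Path(path)
    expected = published.get(path.name)
    if expected is None:
        return False, f"no published checksum for {path.name}"
    actual = file_digest(path)
    # compare_digest avoids leaking where the first differing hex digit is
    if not hmac.compare_digest(actual, expected):
        return False, f"mismatch: published {expected[:12]}..., file {actual[:12]}..."
    return True, "checksum matches the published value"


def demo():
    """Constructed sample: a clean installer, then a copy with one byte appended."""
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp) / "setup.exe"
        installer.write_bytes(b"MZ" + b"\x00" * 64 + b"constructed installer body")
        # the vendor's list, as it would be fetched from the project homepage
        published = parse_checksum_list(f"{file_digest(installer)}  *setup.exe\n")
        clean_ok, _ = verify_download(installer, published)
        installer.write_bytes(installer.read_bytes() + b"\x90")  # tampered copy
        tampered_ok, _ = verify_download(installer, published)
    return clean_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

A matching checksum only proves the file is the one the vendor published, not that the vendor's build is benign, which is where the digital certificate check comes in.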
ErikAlbert
November 29th, 2007, 01:15 PM
Oh that hash thingy. Wasn't there a poll about this recently, where I said "I don't know what it is" ?
Yes I should learn this, but I can't learn everything at once. I was very lucky to have all the right installation files without hash and the most advanced+ scanners don't seem to find anything in these installation files, isn't that weird ?
Osaban
November 30th, 2007, 07:25 AM
ErikAlbert,
after reading this thread I've decided to let TH scan my system. I also must have a trojanised version of IZArc, it found exactly the same file, but only one, not five! As far as FPs (or maybe trojanised FPs) my system is definitely cleaner than yours!
One thing is for sure: in the 2 years that I've been running my system virtualized, this is the second time (the first time was SuperAntiSpyware) that I get one FP (if it is a trojan it must be a very friendly one). It's also worth noting that Kaspersky, Eset, and Avira never reported anything.
I think TH like BOClean and the others are fine for average users, but with a little bit of knowledge, a sandbox and a firewall are enough to keep you clean most of the time.
LUSHER
November 30th, 2007, 12:20 PM
-{ Quote: "Oh that hash thingy. Wasn't there a poll about this recently, where I said "I don't know what it is" ?
Yes I should learn this, but I can't learn everything at once." }-
Well it isn't rocket science. Just spend less time here posting the same thing over and over again and boasting you know more than experts and spending more time learning the basics maybe?
-{ Quote: "
I was very lucky to have all the right installation files without hash
" }-
Just because you are lucky now, doesn't mean you will be in the future...
Besides, given your concerns about other even more far-fetched possibilities, downloading trojanized versions of software isn't really such an impossibility, is it?
I would say it is even more critical for you to cover this hole, because you are absolutely sure that you have a "safe" setup...
-{ Quote: "
and the most advanced+ scanners don't seem to find anything in these installation files, isn't that weird ?" }-
Isn't that weird, that you come here boasting to all and sundry you have a near perfect defense, having all types of contingency plans, and fail to cover something as simple and basic as that?
Makes you wonder what other obvious holes there are in your defenses that you don't know about, doesn't it? Nah, it's always ErikAlbert 1, Security expert 0, right? :)
LUSHER
November 30th, 2007, 12:26 PM
-{ Quote: "
You can do a simple test : install IZArc and run TrojanHunter, if you have the same false positives, the chance is very big that I don't have a modified installation file of IZArc." }-
That only works if there are clean copies of IZArc out there and you were just unlucky enough to get the wrong one.
If the main server was subverted, all users of IZArc would have the same bad copy.... So yeah, maybe Osaban might indeed have the same trojan... :)
Or another scenario, the author turns bad and starts installing keylogging functions in there....
Everyone else trusts the scanner and terminates IZArc, everyone except the overconfident ones who are sure by *definition* it HAS to be a FP....
ErikAlbert
November 30th, 2007, 01:27 PM
-{ Quote: "ErikAlbert,
after reading this thread I've decided to let TH scan my system. I also must have a trojanised version of IZArc, it found exactly the same file, but only one, not five! As far as FPs (or maybe trojanised FPs) my system is definitely cleaner than yours!" }-
No, your system isn't cleaner than mine, because you don't have what I have.
Regarding the trojans, it wasn't only IZArc, 3 other legitimate applications were involved which caused 4 other false positives.
Besides, TrojanHunter wasn't updated before the scan.
You can't even update the trial version of TrojanHunter, unless you buy it.
No wonder this scanner has false positives. Also a very good trick to make you buy TrojanHunter.
FanJ
November 30th, 2007, 05:27 PM
-{ Quote: "
-snip-
You can't even update the trial version of TrojanHunter, unless you buy it.
-snip-
" }-
Wrong.
How to Manually Update TH Rulesets?
http://www.misec.net/forum/board/FAQ/1142067076
ErikAlbert
November 30th, 2007, 05:33 PM
-{ Quote: "Wrong.
How to Manually Update TH Rulesets?
http://www.misec.net/forum/board/FAQ/1142067076" }-
Manually ? Which scanner is still doing this in 2007 ? The Dark Ages are over.
The more I learn from TrojanHunter, the more I don't like it.
FanJ
November 30th, 2007, 05:38 PM
-{ Quote: "Manually ? Which scanner is still doing this in 2007 ? The Dark Ages are over.
The more I learn from TrojanHunter, the more I don't like it." }-
I'm sorry that you don't understand the difference between the trial version and the paid-for version.
Osaban
December 1st, 2007, 12:20 AM
-{ Quote: "No, your system isn't cleaner than mine, because you don't have what I have.
Regarding the trojans, it wasn't only IZArc, 3 other legitimate applications were involved which caused 4 other false positives.
" }-
I hope you didn't think I was seriously boasting about how good my system is compared to yours. As for the FPs, they were really FPs (as far as my file is concerned, it was checked by Virus Total, and only Prevx found a 'suspicious behaviour'). The 3 other legitimate applications were in your computer not mine, that's the reason I only found 1.
Even though TH has been updated, I still think it was a bit too trigger happy finding 5 FPs in one computer.
Hard Rocker
December 28th, 2007, 11:13 AM
:D I have the full version of TH .... In over two years now the program has only produced FP's. The latest ones were related to Dell's Musicmatch (now fixed) and another tbhook.dll related to Netscape 8.0.
I have sent Misec Support two emails about the tbhook.dll with the file attached .... they never even responded. I am now using TH5.
This tbhook.dll has been scanned with every other security program I could find access to .... including Kaspersky online file scanner and McAfee online scan. They all say this file is clean. This detection goes back at least 6 weeks now. As new definitions come out I continue to check and yet TH5 remains the only program to detect this file.
HR 8)
ErikAlbert
December 28th, 2007, 03:18 PM
-{ Quote: ":D I have the full version of TH .... In over two years now the program has only produced FP's. The latest ones were related to Dell's Musicmatch (now fixed) and another tbhook.dll related to Netscape 8.0.
I have sent Misec Support two emails about the tbhook.dll with the file attached .... they never even responded. I am now using TH5.
This tbhook.dll has been scanned with every other security program I could find access to .... including Kaspersky online file scanner and McAfee online scan. They all say this file is clean. This detection goes back at least 6 weeks now. As new definitions come out I continue to check and yet TH5 remains the only program to detect this file.
HR 8)" }-
Try VirusTotal and Jotti, your file will be scanned by more than 30 scanners.
http://www.virustotal.com/
http://virusscan.jotti.org/
The maximum volume = 10 MB.
Hard Rocker
December 28th, 2007, 05:30 PM
;D Thanks for the response and the links Erik Albert. It's greatly appreciated !!
BTW .... I know we have crossed paths before at Wilders .... but it was quite some time ago. :thumb:
HR 8)
Hard Rocker
December 28th, 2007, 10:49 PM
Erik Albert .... Both Virus Total and Jotti make no detection on the tbhook.dll :thumb:
Quite a few good scanners on both sites .... It was great to see Nod32 there .... Very impressive !!
As for Trojan Hunter, I most likely will not be renewing my license. :(
Thx ....
HR
ErikAlbert
December 29th, 2007, 03:43 AM
-{ Quote: "Erik Albert .... Both Virus Total and Jotti make no detection on the tbhook.dll :thumb:
Quite a few good scanners on both sites .... It was great to see Nod32 there .... Very impressive !!
As for Trojan Hunter, I most likely will not be renewing my license. :(
Thx ....
HR" }-
I had the same experience with TH on a clean system partition, that :
- has only legitimate software with a good reputation.
- has hardly been on-line
- has never been used, except for installing software
Nevertheless, TH reported 3 softwares having a trojan and some of them were reported twice because the installation file was still on my data partition, so I had 5 so called trojans in total on my system. IZArc, ScriptDefender were two of them, I don't remember the other one.
These f/p's scare you to death about nothing. 4 years back I would have deleted these f/p's and damaged my own system. :)
Hard Rocker
December 29th, 2007, 10:18 PM
-{ Quote: "These f/p's scare you to death about nothing. 4 years back I would have deleted these f/p's and damaged my own system." }-
>:( Exactly .... not to mention wasting time doing research and trying to convince yourself that they are indeed f/p's :-\
FanJ
December 30th, 2007, 05:34 PM
Every scanner can give a FP (false positive); we all know that.
As for TH FP's:
1.
For submitting see here:
http://www.misec.net/forum/board/FAQ/1139308293
2.
It might also be a good idea to post a FP on the TH-forum:
http://www.misec.net/forum/
in particular in this forum section:
http://www.misec.net/forum/board/TrojanHunter
or here:
http://www.misec.net/forum/board/THGuard
Hard Rocker
December 30th, 2007, 10:23 PM
-{ Quote: "Every scanner can give a FP (false positive); we all know that.
As for TH FP's:
1.
For submitting see here:
http://www.misec.net/forum/board/FAQ/1139308293
2.
It might also be a good idea to post a FP on the TH-forum:
http://www.misec.net/forum/
in particular in this forum section:
http://www.misec.net/forum/board/TrojanHunter
or here:
http://www.misec.net/forum/board/THGuard" }-
Yes ..... absolutely ..... I agree, but speaking from my experience TH has only produced f/p's in the over 2 years plus since I first purchased it. :(
As well, I sent Misec Support 2 emails on the latest f/p ..... which have both gone unanswered.
I have been using AVG (as an example of another anti malware program on my PC) for quite some time now ..... The results are no f/p's and a few minor detections. :)
I'm not trying to be confrontational here ..... just voicing my experience with TH.
Thanks for the links. ;D
Copyright ©2002 - 2012, Wilders Security Forums