False Positive or Delete Item Found

I have the trial version of TDS-3 which I manually updated. I ran a scan in safe mode and it found 3 things. The first was a Positve for a Possible Keylogger in my C:\documents and settings\xxxxxxxx\desktop\spyware tools. This is a folder that I keep all my spyware scanners and tools. When I finished I did a right mouse click on it and clicked on more info. This identification was coming from the program CWshredder which is Intermute's (now owned by Trend Micro) scanner remover for CoolWebSearch. There was nothing suspicious in the information that I was being given about this supposed keylogger. Was this a false positive and should I rescan and delete this or leave it because it is needed for CWshredder to work?

KM1

 

Anyone

 

Try to check the file at Jotti's malware scan or VirusTotal

It looks to be a false positive. I got no warnings on the version 2.15 .exe which was hosted at InterMute before, but after having downloaded the .exe that's now hosted (same version but different "look") at Trend Micro's web site, TDS reports the following:

"Positive identification <Adv>: Possible keylogger
File: c:\program files\intermute\spysubtract\cwshredder.exe"

 

Ok, I tried both. It came back as a "possible malware" but possible false positive because it was only identified due to heuristic techniques below is the results:

POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)

AntiVir Found Heuristic/Trojan.Keylogger (probable variant)
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing


Here are results from Virus Total:
Antivirus Version Update Result
AntiVir 6.31.0.7 06.23.2005 Heuristic/Trojan.Keylogger
Avira 6.31.0.7 06.23.2005 Heuristic/Trojan.Keylogger
BitDefender 7.0 06.23.2005 no virus found
ClamAV devel-20050501 06.22.2005 no virus found
DrWeb 4.32b 06.23.2005 no virus found
eTrust-Iris 7.1.194.0 06.23.2005 no virus found
eTrust-Vet 11.9.1.0 06.23.2005 no virus found
Fortinet 2.36.0.0 06.23.2005 no virus found
Ikarus 2.32 06.23.2005 no virus found
Kaspersky 4.0.2.24 06.23.2005 no virus found
McAfee 4520 06.23.2005 no virus found
NOD32v2 1.1151 06.22.2005 no virus found
Norman 5.70.10 06.23.2005 no virus found
Panda 8.02.00 06.23.2005 no virus found
Sybari 7.5.1314 06.23.2005 no virus found
Symantec 8.0 06.22.2005 no virus found
TheHacker 5.8.2.058 06.23.2005 no virus found
VBA32 3.10.3 06.23.2005 no virus found


Ok, now what. I still do not know whether this file is a false positive or not. Most all of the viruscan software came up with nothing. Does anyone know what I should do about this fiel
--------------------------------------------------------------------------------
www.virustotal.com :: @ Hispasec Sistemas 2004 :: e-mail info@virustotal.com

 

Calling all TDS-3 Experts. Anyone out there help

 

Us TDS-3 configuration (configuration is under TDS at the top left of the TDS gui) to set your SMTP server and email addy, then under "help" use "submit file" so the guys at TDS can take a look at it

 

I have CWshreadder too, TDS-3 doesn't react. I would submit it. Did you delete something and leave the backup copy.

 

If you look at kjempen's post he did not get it either when it was downloaded before Intermute was operated by trend micro, however, now it does come up with a positive reading with the new download.

I could not figure out how to send this file through the program so I sent it through email help of the TDS-3 site itself. Hope this is OK.

Anyone else notice this. I really need to know if this was a false positive.

KM1

 

The problem arises if you download and use the new Trend Micro version of CWShredder (try and see for yourself).

It is only one AV engine (AntiVir <=> Avira) that detects it, by Heuristics, as a "possible malware", and I seriously doubt that Trend Micro makes spyware out of something that's supposed to be anti-spyware

I would bet my farm (if I had one ) on a false positive.

 

Hi,

I just downloaded CWShredder version 2.15 from the Trend Micro site:
http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe
Then I scanned the folder in which I store my CWShredder versions (I have several old versions stored in my archive).

Yes, I can confirm that TDS-3 gives an alert about it:
Scan Control Dumped @ 22:06:22 23-06-05
Positive identification <Adv>: Possible keylogger
File: d:\cwshredder\version 2_15 trend\cwshredder.exe

For your info:
I have now two versions of CWShredder, version 2.15.
The alert coming from TDS-3 is about the one from the Trend Micro site.
Here are the MD5 checksums for both the versions 2.15:
==========
The file <D:\CWShredder\Version 2_15\CWShredder.exe> has the following Checksum(s)
MD5 - 903058F9E7BCD0CE3317EA2FF80289F7
---------------------------------------------------
The file <D:\CWShredder\Version 2_15 Trend\cwshredder.exe> has the following Checksum(s)
MD5 - F8E6317AE55076FAE45BA0AA5D16D983
==========

The definitions from TDS-3 with which I scanned:
[58982 references - 31303 primaries/15379 traces/12300 variants/other]


I will inform Gavin by email about this thread.
Please give Gavin the time to look at it !

Cheers, Jan.

 

Received this from Jan, thanks

Its clean, you can safely ignore this detection. Interesting to see a couple of virus scanners were also very sensitive and detected a possible