Ewido SS false positive?

[PeterVO]

Hello,

while scanning with the latest update, get the following (I hope) false positive:

"c:\windows\system\HH.exe ----> TrojanSpy. Dwkeylogger "

Scanning with TrojanHunter & NOD don't give anything suspicious.

Kind regards,

PeterVO

[puff-m-d]

Hi PeterVO,

What OS do you have? hh.exe is a legitimate windows file and on Windows XP it is located both in C:\Windows and C:\Windows\System32. If you have a different OS then I am not sure of its location. Sounds like a probable false positive. I would go to the Ewido site and submit it and see what they have to say.

Regards,
Kent

[PeterVO]

Hello Kent,

I've a dual boot config: on the C-drive is Win98 Second Edition and on the E-drive Win XP Professional.
ESS only falsly detect the Win98 "HH.exe" version. It doesn't stumble over the XP version.
Strange, isn't it?

Kind regards,

PeterVO

[WilliamP]

Ewido is not supposed to work with 98. At least that is what their web site says.

[peter.ewido]

Could you please mail that file to submit@ewido.net? Thanks!

[puff-m-d]

Quote:

quoting: WilliamP link=board=25;threadid=27212;start=0#msg156660 date=1081280710]Ewido is not supposed to work with 98. At least that is what their web site says.

True, but I imagine he was scanning his 98 partition from his xp partition .....

Regards,
Kent

[PeterVO]

Hello,

Peter the HH.exe file has just been e-mailed as you asked me to do.
True, the 98-partition (FAT32) was scanned from the XP-partition (NTFS).

Kind regards from a rainy Belgium,

PeterVO

[Slovak]

submit the file here to make sure what it is
http://www.kaspersky.com/scanforvirus.html






url repaired==bigc

[peter.ewido]

Hmm, unfortunately we didn't receive anything yet

[PeterVO]

Hello Peter,

did you receive my mail with attachment? I'v sent it two times with two different E-mail adresses.


Kind regards,

PeterVO

ps: maybe it arrived in your Spam folder?

[peter.ewido]

Unfortunately not. Could you please try to upload it on this page?
http://www.ewido.net/de/?section=malware
Just add the file and leave the other fields blank




url repaired==bigc

[PeterVO]

"Unfortunately not. Could you please try to upload it on this page?
http://www.ewido.net/de/?section=malware
Just add the file and leave the other fields blank "


Hello Peter,

uploaded the file a few days ago using your web-form as asked.
Scanned my dual-boot notebook within WinXP Pro with the definitions dated 10/04 but still the same "false" positive.
When "HH.exe" is scanned within Win98 Sec Edition or Win Xp Pro using Kaspersky, NOD32, TDS3 & TrojanHunter, nothing suspicious is found.

Kind regards,

PeterVO

[peter.ewido]

Quote:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 16:07:42, 08.04.2004
+ Report-Checksum: C55198EA

+ Date of database: 08.04.2004
+ Version of scan engine: v1.1

+ Duration: 27 ms
+ Scanned Files: 1
+ Speed: 37.04 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be removed: 0

+ Ignore extension: Yes
+ Binder: Yes
+ Crypter: Yes
+ Memory: No
+ Archives: No
+ Heuristic: No

+ Scanned items:
X:\incoming\08_04_04\15_15_47\hh.exe

+ Scan result:
No infected files found!


::Report End

I really can't get it reproduced

Greetings,
Just done a virus check using ewido SS and it gave me the following information:

Filename: hh.exe
Path: C:\WINNT\system32
Infection: TrojanSpy.Dwkeylogger

The system's dual booted with Windows NT Workstation (Doesn'tworkstation -HAHAHAHAHA!) and Windows XP Home Edition. I know dad would wring my neck if there were any viruses, but this might be a false alarm. Dad accuses me of course, telling me I'm a hopeless techie. Please help a desperate techie before dad wrings me neck! I don't want a broken system!
Now logged out!
windowsxp_rules

[peter.ewido]

Could you please send the file to submit@ewido.net? Thanks

Greetings,
Which file do I have to send to ewido? Is it the scan report? Anyway, I was safe from dad wringing my neck! he didn't blame me. he blamed ewido. I have posted comments on www.windowscrash.com, a Windows crash submission site!
If anyone could provide the information, post it on the forum! I'll look as soon as poss!
Thank you,
windowsxp_rules

[peter.ewido]

HH.exe

Greetings,
Are you sure? I'm not sending viruses over the net. Dad would not permit it! He'd wring my neck! Any replies on the forum would be useful. I'll check as soon as poss!
Thank you,
windowsxp_rules

[Pilli]

Hi, Just zip it up to send it, it is quite safe to send such files to AV AT companies.

Hi,
I use windows xp so zipping the file should be no problem. It has built-in compression, which techie here should make use of. Dad will be sending the email, so he will wring my neck for that!
Then i'll be in serious trouble!

It's now safe to turn off your computer!!!
--windowsxp_rules