Spy Sweeper detecting TrojanHunter LiveUpdate as masked Rootkit

siliconman01 · #1 April 6th, 2006, 02:21 AM

The latest definitions 650 for Spy Sweeper is detecting the files in the TH LiveUpdate folder as a potentially masked rootkit. This is obviously a FALSE POSITIVE in Spy Sweeper.

Do not let SS remove these files in your TH LiveUpdate folder.

Spy Sweeper log shown below.

10:00 PM: | Start of Session, Wednesday, April 05, 2006 |
10:00 PM: Spy Sweeper started
10:00 PM: Sweep initiated using definitions version 650
10:00 PM: Starting Memory Sweep
10:05 PM: Memory Sweep Complete, Elapsed Time: 00:04:59
10:05 PM: Starting Registry Sweep
10:05 PM: Registry Sweep Complete, Elapsed Time:00:00:31
10:05 PM: Starting Cookie Sweep
10:05 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:05 PM: Starting File Sweep
10:19 PM: Found System Monitor: potentially rootkit-masked files
10:19 PM: g20060322_0800.trf (ID = 0)
10:19 PM: g20060331_0444.trf (ID = 0)
10:19 PM: gen.dll (ID = 0)
10:19 PM: liveupdate.exe (ID = 0)
10:19 PM: cumulative20060322.trf (ID = 0)
10:20 PM: settings.ini (ID = 0)
10:20 PM: updatelist.txt (ID = 0)
10:20 PM: updatelist.txt (ID = 0)
10:20 PM: liveupdate.ini (ID = 0)
10:20 PM: m20060322_0800.trf (ID = 0)
10:20 PM: 29. liveupdate.lnk (ID = 0)
10:20 PM: liveupdate.lnk (ID = 0)
10:20 PM: File Sweep Complete, Elapsed Time: 00:14:29
10:20 PM: Full Sweep has completed. Elapsed time 00:20:01
10:20 PM: Traces Found: 12
1:35 AM: Updating spyware definitions
1:35 AM: Your definitions are up to date.
2:01 AM: Updating spyware definitions
2:01 AM: Your definitions are up to date.

Don Pelotas · #2 April 6th, 2006, 09:55 AM

Why is this posted in the Ewido forum?

Ranger Bob · #3 April 6th, 2006, 11:10 AM

I ran a Spy Sweeper scan this morning after your post and Spy Sweeper found nothing on TrojanHunter 4.5 build 920 on my system.

fax · #4 April 6th, 2006, 02:20 PM

Quote:

Originally Posted by Ranger Bob

I ran a Spy Sweeper scan this morning after your post and Spy Sweeper found nothing on TrojanHunter 4.5 build 920 on my system.

The option of scanning for rootkits is not selected by default.
Did you set SS to sweep for rootkits? (under sweep options).

Fax

siliconman01 · #5 April 6th, 2006, 04:02 PM

Quote:

Why is this posted in the Ewido forum?

This is not the Ewido forum. It's the Other anti-trojan software section.

Quote:

I ran a Spy Sweeper scan this morning after your post and Spy Sweeper found nothing on TrojanHunter 4.5 build 920 on my system.

I'm running the latest Build 922 of TH...released on 05-Apr-2006. Changes were made in LiveUpdate for allowing LiveUpdate to run on Limited User Accounts, so maybe this is why SS is detecting it.

Quote:

Did you set SS to sweep for rootkits? (under sweep options).

Yes, I would prefer it to do so. But not in TrojanHunter's LiveUpdate

Ranger Bob · #6 April 6th, 2006, 04:07 PM

Quote:

Originally Posted by fax

The option of scanning for rootkits is not selected by default.
Did you set SS to sweep for rootkits? (under sweep options).

Fax

Yes the option is selected, in fact I have all the options selected for my scans.

fax · #7 April 6th, 2006, 05:18 PM

Quote:

Originally Posted by Ranger Bob

Yes the option is selected, in fact I have all the options selected for my scans.

Than as suggested by Siliconman it is a problem of build 922. Or better to say: its a problem of SS 4.5 with build 922 of TH!

Fax

fax · #8 April 7th, 2006, 05:01 AM

Quote:

Originally Posted by siliconman01

This is obviously a FALSE POSITIVE in Spy Sweeper.

Better explanation by SS staff here: Castelcops SS forum

Cheers,
Fax

siliconman01 · #9 April 7th, 2006, 09:49 AM

Magnus's response on Castlecops

"TrojanHunter removes the ACL for everyone except the Users group for the RuleFiles folder. Apparently that is causing the problem. If Spy Sweeper runs under the System account it will get access denied errors trying to read the folder contents. Then again, any folder to which Spy Sweeper doesn't have access would be flagged as a potential rootkit-masked folder...

I will make sure the ACL gets edited instead in the next release."

Don Pelotas · #10 April 7th, 2006, 02:12 PM

Quote:

Originally Posted by siliconman01

This is not the Ewido forum. It's the Other anti-trojan software section.

I can see that, but wasn't it posted first in the Ewido section last night before being moved?

siliconman01 · #11 April 7th, 2006, 03:06 PM

Quote:

I can see that, but wasn't it posted first in the Ewido section last night before being moved?

If it was in the Ewido section, that certainly was not my intent !!

JRCATES · #12 April 7th, 2006, 03:23 PM

This thread isn't designated with a "Moved" sticky, and I remember reading it when it was first posted and noone else had replied. I also remember seeing it in the "Other Anti-Trojan" forum because I rarely check the ewido forum since they haven't released anything new to even check into lately (cough, cough....ahem, ahem....) and I'm not currently using ewido. Anyway, no biggie...just wanted to point out that I believe it was in the right place to begin with

Detox · #13 April 7th, 2006, 04:48 PM

Quote:

Originally Posted by Don Pelotas

I can see that, but wasn't it posted first in the Ewido section last night before being moved?

Nope, it has not been moved - I just checked.

Don Pelotas · #14 April 8th, 2006, 08:53 AM

Quote:

Originally Posted by Detox

Nope, it has not been moved - I just checked.

But, it does say removed, if you access it from the Other anti-trojan software section.

Ok, ok, i stand corrected.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search