Ewido&THGuard&Backdoor.GNotify.10

I advised a friend to try out several antitrojanscanners which she did. But she contacted me in panic.Every time she ran Trojan Hunter guard and scanned the memory with Ewido, Ewido found Backdoor.GNotify.10.
I tried to reproduce this on my comp ,but i don't get this backdoor trojan .
It is weird because she has TDS-3 (trial) and BoClean on her system before she installed TrojanHunter( trial) and Ewido( trial).
What can we do now...
O yes, when we did a full system test with several scanners (including Ewido), they all found nothing.

 

Maybe trojan Hunter is really infected on het system and Ewido is the only one to find it?

I would try out NOD32 and KAV also to see what they will come up with!

 

So, are Trojanhunter Guard and Ewido realtime active simultaneously when this was seen? Could this be due to the protection scheme used by TH, see here? There are probably better links out there - and it's sort of a contentious subject - but I wonder if the TH protection scheme looks like a notifier backdoor to Ewido? I don't use TH, are their TH user's out there who can comment?

Blue

Blue

 

Thanks BlueZannetti
Yes they are but they were also on my system and there i didn't have any problems.

@Edwin : Thanks!
She did all the available onlinescans and scanned with her bought etrust: nothing detected.
Should she install a trial of NOD or Kaspersky? But isn't that gonna cause problems with her eTrust? I think it will, no?

 

Well, if you haven't already, try the MKS online scanner. It's a slow download (I can't seem to get a decent connection right now) and you must use Internet Explorer to get the page rendered, but it's a decent secondary scanner that's thorough.

I wouldn't load up a second installed AV, that's just going to add complications at this point - especially since everything is coming up negative thus far. Are there any other obvious infections signs? System drag? Instability? Anything else?

How do the lists of running processes compare between the two systems? Accounting, naturally, for known differences in applications installed. SysInternals ProcessExplorer is a good option to check this out - make sure you show the image path (View>Select Columns), that helps guide you.
Blue

 

Most likely the system is not infected. The ewido mem-scanner simply detects the binary signatures from TH in the memory space of the TH-Guard.
Unfortunately they seem to be held completely in memory which leads to false positives like hits.

 

Well, I fired up TH Guard here and scanned with EWIDO, but didn't have any alerts.

You could check the following:

TH version: v.4.0 build:877 (trojan defs 7116, Rules 17971)

EWIDO: v.3.0

Version of DB: #774 ( Known threats in database: 67,52

THGuard.exe has an MD5 value of: a171fbe85203c67fc35fc43f2f57a0f3 here - is hers the same?

When you go into the folder and right-click on THGuard.exe and select "Properties", do you have the same info I have? (See screenshots).

Have you tried simply shutting down TH Guard - and THEN scanning with EWIDO to see if you still get the alert?

Did she get her copy of TH directly from here - or somewhere else?

Have either she or you tried submitting a copy of THGuard to either http://www.misec.net/support/ or submit@misec.net so that they can have a look at it? Or posted this situation on the TH forum? http://forum.misec.net/board/TrojanHunter

I wouldn't install anything else (and I definitely wouldn't be running multiple active - resident - guards) until you verify some of this stuff.

 

Hi, fish! How come I'm not seeing it here, then? Pete

 

Just tested it with the latest version of TrojanHunter and was able to reproduce it

 

Yeah, it would help if I got the right version/build of TH, wouldn't it?
Pete

 

Hey Spy1,

You're still a step closer than I was , it's all relative. Nice to see it definitively figured out in the end.

Blue

 

What a relief :a false positive !
Thank you all!Blue, Fish and Spy1.
O do we hate those false positives! I lost (and we all ) so much time, not talking about the emotional discomfort & distress, but i guess they are inevitable.

 

That hasn't been a usual false positive, at least not from ewido

 

She has version 4.0. build: 890 so the MD5 value is different. The Ewido is the same version and database.

Yes

We did and then she doesn't get the alert.

Yes

Indeed, it seems you at ewido are very hard working and passionate people, and the support is great too (getting an answer in a few hours is fantastic )

 

Good News, Ewido solved the problem yesterday with new update.
No more "false positive"!

 

So, fish - you want to clue us in on what happened there? First you say it wasn't a "usual false positive, at least not from ewido" - then, you fix the problem by an update to EWIDO?? Hello? Pete

 

Hehe, calm down please We didn't change or fix ANYTHING and I can still reproduce it on my test mashine. Perhaps TrojanHunter got updated?

 

O i apologize .I thought Ewido had fixed it because my friend told me (and i saw it) no more warnings on her system.
Yes indeed there was a def.update from TrojanHunter.
Again sorry, but we wanted to inform you (not keeping it to ourselves only) and we sincerely thought that the Ewido update had fixed it. Our mistake!