EWIDO found something, can I delete it, or is it false?

Discussion in 'other anti-trojan software' started by Slovak, Mar 12, 2004.

Thread Status:
Not open for further replies.
  1. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    Backdoor.Connection.1.1 located in C:\winnt\system32\mswinsck.ocx

I quarantined it for now, can I delete this? I have three identical setups here, and it was found on two of the three computers.
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Slovak,

By all means: no. Please follow the instructions as mentioned in my post over on this thread and double check first. This might well be a false positive.

    Post results after performing the free online scan please.

    regards.

    paul
     
  3. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    Current object: quaraFile0.ess


    quaraFile0.ess Archive: GZIP
    quaraFile0.ess/1079097497 Ok

    Statistics:

    --------------------------------------------------------------------------------
    Known viruses: 83836        Updated: 12.03.2004
    File size (Kb): 54          Scan time: 00:00:01
    Speed (Kb/sec): 54          Virus bodies: 0
    Archives: 1                 Packed: 0
    Folders: 0                  Files: 2
    Suspicious: 0               Warnings: 0
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    ...so it's a false positive, i.e. a perfectly safe and sound file.

    Before deleting, it's recommended to perform a double check here.

    regards.

    paul
     
  5. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    I restored it on one, but accidentally deleted it on the other :oops: any ideas how to get it back?
     
  6. hokhost

    hokhost Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    25
    Location:
    France, Paris
    I quarantined mswinsck.ocx after a scan with ESS.

    After a reboot:
    - TDS3 could not update its database anymore,
    - and the TDS3 GUI would not load.

    ... I then restored the suspected file, all is OK now ...
     
  7. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    Hokhost, this is a FALSE positive. I already contacted ESS and they said they will fix it with the next update!

    Look here:

    http://www.wilderssecurity.com/showthread.php?t=24295
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Good for ESS ;)

    Gents, please take care here - one can easily delete a vital system file as a result of such a false positive. Testing and playing around with relatively new software can come with risks.

    regards.

    paul
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Can you transfer it from one box to another?
    Place it in the proper directory
    Click Start > run > type or copy&paste regsvr32 "C:\winnt\system32\mswinsck.ocx"

    Regards,

    Pieter
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Pieter,

    That's exactly how the problem has been solved ;)

    regards,

    paul
     
  11. hokhost

    hokhost Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    25
    Location:
    France, Paris
    It's because I thought it was a FP that I quarantined and not deleted ...
    Still, I like Ewido SS :)

    Anyone knows when the commercial version will be out ?

    Thx
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    What, where, how did I miss? o_O

    Pieter
     
  13. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    You didn't miss anything - this has been discussed off-board ;)

    regards.

    paul
     
  14. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    I have learned my lesson to always quarantine instead of deleting files no matter what trojan or AV software you use, because none of them are 100% accurate and foolproof.
     
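The two practical points of this thread, Pieter's "copy the file back from an identical box and re-register it with regsvr32" (post 9) and Slovak's "quarantine, never delete" (post 14), are shown together below in an added example. This is not code from the thread, from ewido/ESS or from any other product named here; it is a stand-alone quarantine tool that records the original path and SHA-256 in a manifest (the manifest file name and the `.quar` suffix are hypothetical), lets you compare the quarantined file against the hash of a known-good copy taken from one of the identical setups before restoring it, puts the file back where it came from, and, only on Windows and only when asked, re-registers an `.ocx`/`.dll` with `regsvr32 /s`. The `demo()` run uses a constructed stand-in file, not the real mswinsck.ocx, and skips the regsvr32 step so it runs anywhere.

```python
"""Quarantine with a manifest instead of deleting, plus restore and re-register.

Added example for the thread above; not ewido/ESS code. Manifest name,
quarantine layout and the demo's file contents are hypothetical/constructed.
"""
import hashlib
import json
import shutil
import subprocess
import sys
import tempfile
import time
from pathlib import Path

MANIFEST = "manifest.json"  # hypothetical manifest name inside the quarantine dir


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _load_manifest(qdir: Path) -> dict:
    f = Path(qdir) / MANIFEST
    return json.loads(f.read_text()) if f.exists() else {}


def _save_manifest(qdir: Path, manifest: dict) -> None:
    (Path(qdir) / MANIFEST).write_text(json.dumps(manifest, indent=2))


def quarantine(path: Path, qdir: Path, detection: str) -> str:
    """Move `path` into `qdir` and record where it came from, its hash and the
    detection name, so an accidental false positive can always be undone."""
    path, qdir = Path(path), Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(path)
    entry_id = f"{int(time.time())}-{digest[:12]}"
    shutil.move(str(path), str(qdir / f"{entry_id}.quar"))
    manifest = _load_manifest(qdir)
    manifest[entry_id] = {"original": str(path), "sha256": digest, "detection": detection}
    _save_manifest(qdir, manifest)
    return entry_id


def matches_known_good(qdir: Path, entry_id: str, known_good_sha256: str) -> bool:
    """False-positive check: is the quarantined file byte-identical to the copy
    on an identical, clean machine (the thread had three identical setups)?"""
    return _load_manifest(qdir)[entry_id]["sha256"] == known_good_sha256


def restore(qdir: Path, entry_id: str, register: bool = True) -> Path:
    """Put the file back at its original path. On Windows, optionally re-register
    a COM server the way post 9 does (regsvr32 /s = silent). Refuses to restore
    if the quarantined copy no longer matches the hash taken at quarantine time."""
    qdir = Path(qdir)
    manifest = _load_manifest(qdir)
    entry = manifest[entry_id]
    src = qdir / f"{entry_id}.quar"
    if sha256_of(src) != entry["sha256"]:
        raise RuntimeError("quarantined file was altered; refusing to restore")
    dest = Path(entry["original"])
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(src), str(dest))
    del manifest[entry_id]
    _save_manifest(qdir, manifest)
    if register and sys.platform == "win32" and dest.suffix.lower() in (".ocx", ".dll"):
        subprocess.run(["regsvr32", "/s", str(dest)], check=True)
    return dest


def demo() -> dict:
    """Constructed scenario: a stand-in 'mswinsck.ocx' on the scanned box and an
    identical copy on a sibling box. Returns the checks a practitioner would make."""
    root = Path(tempfile.mkdtemp())
    scanned = root / "winnt" / "system32" / "mswinsck.ocx"
    sibling = root / "box2" / "mswinsck.ocx"
    for p in (scanned, sibling):
        p.parent.mkdir(parents=True)
        p.write_bytes(b"MZ" + b"\x00" * 64 + b"constructed stand-in, not the real OCX")
    qdir = root / "quarantine"
    eid = quarantine(scanned, qdir, "Backdoor.Connection.1.1")
    result = {
        "gone_from_system32": not scanned.exists(),
        "fp_confirmed": matches_known_good(qdir, eid, sha256_of(sibling)),
    }
    restored = restore(qdir, eid, register=False)  # no regsvr32 in the demo
    result["restored_to_original_path"] = restored == scanned and scanned.exists()
    result["restored_hash_ok"] = sha256_of(scanned) == sha256_of(sibling)
    result["quarantine_empty_after_restore"] = _load_manifest(qdir) == {}
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

The hash comparison is what turns "I think it's a false positive" into something checkable: if the copy on the box that was never flagged hashes the same as the quarantined one, the detection is on the file's content, not on an infection of that particular machine. On a real system, `restore()` with `register=True` is the scripted form of Pieter's `regsvr32 "C:\winnt\system32\mswinsck.ocx"`, and `regsvr32` needs an elevated prompt on anything newer than the Windows 2000 box in the thread.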
  15. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    mswinsck.ocx is really a common part of trojans (a runtime needed by Visual Basic backdoors), so to make sure that the server runs on the target machine (the attacker doesn't know which OS) it's often included in the server package. Examples are mosucker and rewind, or COF.

    Most of the time it's a legit file.
     
  16. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Btw. you can't scan ESS quarantine files because they're not just zipped, they're also encrypted.
     