Ewido SS false positive?

Discussion in 'other anti-trojan software' started by PeterVO, Apr 6, 2004.

Thread Status:
Not open for further replies.
  1. PeterVO

    PeterVO Registered Member

    Joined:
    Aug 25, 2003
    Posts:
    87
    Location:
    Belgium, Leuven
    o_O

    Hello,

    While scanning with the latest update, I get the following (I hope) false positive:

    "c:\windows\system\HH.exe ----> TrojanSpy. Dwkeylogger "

    Scanning with TrojanHunter & NOD doesn't give anything suspicious.

    Kind regards,

    PeterVO
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi PeterVO,

    What OS do you have? hh.exe is a legitimate Windows file and on Windows XP it is located both in C:\Windows and C:\Windows\System32. If you have a different OS then I am not sure of its location. Sounds like a probable false positive. I would go to the Ewido site and submit it and see what they have to say.

    Regards,
    Kent
     
  3. PeterVO

    PeterVO Registered Member

    Joined:
    Aug 25, 2003
    Posts:
    87
    Location:
    Belgium, Leuven
    Hello Kent,

    I've a dual boot config: on the C-drive is Win98 Second Edition and on the E-drive Win XP Professional.
    ESS only falsely detects the Win98 "HH.exe" version. It doesn't stumble over the XP version.
    Strange, isn't it?

    Kind regards,

    PeterVO
     
  4. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Ewido is not supposed to work with 98. At least that is what their web site says.
     
  5. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    True, but I imagine he was scanning his 98 partition from his XP partition ;) .....

    Regards,
    Kent
     
  7. PeterVO

    PeterVO Registered Member

    Joined:
    Aug 25, 2003
    Posts:
    87
    Location:
    Belgium, Leuven
    Hello,

    Peter, the HH.exe file has just been e-mailed as you asked me to do.
    True, the 98-partition (FAT32) was scanned from the XP-partition (NTFS).

    Kind regards from a rainy Belgium,

    PeterVO
     
  8. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    Last edited by a moderator: Apr 10, 2004
  9. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Hmm, unfortunately we didn't receive anything yet :(
     
  10. PeterVO

    PeterVO Registered Member

    Joined:
    Aug 25, 2003
    Posts:
    87
    Location:
    Belgium, Leuven
    Hello Peter,

    Did you receive my mail with attachment? I've sent it two times with two different e-mail addresses.


    Kind regards,

    PeterVO

    ps: maybe it arrived in your Spam folder?
     
  11. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Last edited by a moderator: Apr 10, 2004
  12. PeterVO

    PeterVO Registered Member

    Joined:
    Aug 25, 2003
    Posts:
    87
    Location:
    Belgium, Leuven
    "Unfortunately not.:( Could you please try to upload it on this page?
    http://www.ewido.net/de/?section=malware
    Just add the file and leave the other fields blank :) "


    Hello Peter,

    Uploaded the file a few days ago using your web-form as asked.
    Scanned my dual-boot notebook within WinXP Pro with the definitions dated 10/04 but still the same "false" positive.
    When "HH.exe" is scanned within Win98 Sec Edition or Win XP Pro using Kaspersky, NOD32, TDS3 & TrojanHunter, nothing suspicious is found.

    Kind regards,

    PeterVO
     
  13. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    I really can't get it reproduced o_O
     
  14. Greetings,
    Just done a virus check using ewido SS and it gave me the following information:

    Filename: hh.exe
    Path: C:\WINNT\system32
    Infection: TrojanSpy.Dwkeylogger

    The system's dual booted with Windows NT Workstation (Doesn't workstation - HAHAHAHAHA!) and Windows XP Home Edition. I know dad would wring my neck if there were any viruses, but this might be a false alarm. Dad accuses me of course, telling me I'm a hopeless techie. Please help a desperate techie before dad wrings me neck! I don't want a broken system!
    Now logged out!
    windowsxp_rules
     
  15. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
  16. Greetings,
    Which file do I have to send to ewido? Is it the scan report? Anyway, I was safe from dad wringing my neck! He didn't blame me. He blamed ewido. I have posted comments on www.windowscrash.com, a Windows crash submission site!
    If anyone could provide the information, post it on the forum! I'll look as soon as poss!
    Thank you,
    windowsxp_rules :)
     
  17. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
  18. Greetings,
    Are you sure? I'm not sending viruses over the net. Dad would not permit it! He'd wring my neck! Any replies on the forum would be useful. I'll check as soon as poss!
    Thank you,
    windowsxp_rules
     
  19. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi, just zip it up to send it, it is quite safe to send such files to AV/AT companies.
     
  20. Hi,
    I use Windows XP so zipping the file should be no problem. It has built-in compression, which techie here should make use of. Dad will be sending the email, so he will wring my neck for that!
    Then I'll be in serious trouble!

    It's now safe to turn off your computer!!!
    --windowsxp_rules
     