False Positive - Google Toolbar

Discussion in 'Trojan Defence Suite' started by gorgelink, Aug 28, 2004.

Thread Status:
Not open for further replies.
  1. gorgelink

    gorgelink Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    49
    Hi,

    I am getting a false positive on GoogleToolbarInstall.exe.

    It is being misidentified by TDS-3 as TrojanDropper.Win32.VB.s

    Anyone else with the same experience?

    Thank you for a great product and a useful forum.

    Gorgelink
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi gorgelink, no other reports of this being an FP. Would you please ZIP a copy up and send it to submit@diamondcs.com.au for analysis?

    Thanks. Pilli
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Yes

    the latest Google Toolbar installer 2.0.113.0 is giving an alert in TDS today

    I will send a copy to Gavin with a note
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks Derek. If there is a problem, Gavin will have it sorted for Monday's update :)
     
  5. gorgelink

    gorgelink Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    49
    Thanks, everyone.

    Indeed, I am referring to Google Toolbar 2.0-113 (en).

    Gorgelink.
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Thanks for the info everyone, definitely a false alarm. I will correct this first thing tomorrow.
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Yep, it's fixed in today's update.

    Thanks Gavin and good service listening to customers

    It just shows, though, how similar trojan and bad adware downloaders are to a genuine good one like Google's (mind you, many people are convinced that Google and every other search engine is spying on them, but that is a topic for elsewhere and another time).
     
  8. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Thank goodness, as I found this last night and it worried me. I knew it was a false positive before, but when I didn't see any other posts I was :'( I was just about to scan again but am so relieved I read this first :)
     
  9. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,040
    I just did a scan and got a positive ID on "trojan dropper.Win32.inflator.a1" referring to googletoolbar installer.exe. :( - found in ...update\autopatcher xp\progfiles\googletoolbar installer.exe
    I submitted the file, but was wondering if anyone else has this?

    Did a jotti scan and the result was inconclusive:
    MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Which toolbar version do you have? There were some changes recently, so it might not all be false, maybe risky, anything. Waiting for Gavin's opinion.
     
  11. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,040
    Jooske,

    I am not actually using the Google Toolbar, nor do I access the web regularly on that computer. Obviously IE is installed, but I prefer to use Opera and Firefox. I think the file would have come onto the PC via the latest XP patch - is that possible?
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Don't know! As far as I know you install it yourself manually, and it has auto-update settings. In Port Explorer you can see Google connecting to the internet even with the browser closed, I suppose?
    Even if you added it to IE and disabled the bar, you'll see it connecting.
    So open your browser / Google bar and look in Google > help > about for the version.
    I have it installed and no alarms on my older installer.
     
  13. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,040
    Sorry, Jooske, if some of my comments are too basic :oops:

    I did not install the toolbar. As I don't have Port Explorer, is there any other way to check on that?

    How does the toolbar actually look, or rather, how can I see whether it has been installed? Sorry again; as I said, I am not using IE often. :D
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Another one? OK, will fix this shortly. Thanks for letting me know.
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks Gavin!

    Beethoven:
    Where is your file located?
    I have a separate download folder and there is the installer file; there I got the same warning on the file as you did.
    But after installing the Google Toolbar by default you get a separate Google directory where the only file is not alarmed on.
    So I don't know how it got onto your system.

    If you do have IE, in the View menu see the various toolbars, of which the Google bar is one.
    (I have a Dutch system, so it's really hard for me to say the proper names for your maybe not English system.)
    Do some searches on your system to find out.
    And hey, the Google Toolbar is not a bad thing to have, it's rather handy!
    Only these days the Yahoo toolbar is rather aggressive in competition and you might find more search results with that one.
     
  16. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,040
    Jooske,

    Given Gavin's comment I already feel pretty relaxed. :D

    Edit: Just got the confirmation from Gavin that the file was not a trojan.
    Thanks Gavin :) for the quick response.

    The file is in c\ document & settings\admin\my documents\update\autopatcher xp\progfiles with a size of 468kb.
    The file was created 27/3/04 and I still suspect it was not really downloaded from Google but came via an XP patch, being in that folder.

    I checked IE to see the toolbar, but I don't think it's even installed; it probably was never executed for installation. As I said before, while I don't have anything against Google, I hardly ever use IE but prefer Opera and Firefox.
    So, as long as this is a false positive and will be removed with one of the next updates, I don't mind.

    Thanks for your assistance :)
     
    Last edited: May 17, 2005
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yeah, I see it now in your pathname, strange, must come from somewhere :cool:
    If the thing is trying to connect and auto-updating, one should expect it to be installed.
    In your Windows do a search/find for "google", and in that case it should be in quite a few locations.

    You do know how to get Port Explorer from the DiamondCS site (free trial) to find out about it.
     
  18. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Um - guys? I've been noticing recently that just about all aspects of Google have been having issues lately (The Register article - including the four "Related stories" there at the bottom of the page).

    So hopefully, all these "F/P's" that are being "fixed" are only being fixed after a really thorough examination of all files submitted that pertain to the detections?

    IOW, with all the vulnerabilities/problems being found in all the different aspects of Google's offerings, it is within the bounds of possibility that something may have crept into the toolbar that's not supposed to be there, isn't it?

    Anyway, I'm running a scan here with TDS-3 (latest defs) and if I get any results on the Google Toolbar (Version 2.0.114.9-big/en (GGLD)) I'll submit them for analysis. Pete
     
  19. gorgelink

    gorgelink Registered Member

    Joined:
    Aug 28, 2004
    Posts:
    49
    Hi, guys,

    This time I received (on the same googletoolbarinstaller.exe file that started this thread) a false positive (?) for:

    TrojanDropper.Win32.ExeBinder.e

    Checked it with NAV, Adaware, and AVP - nada. It's clean.

    Also clean using this online service:

    http://www.kaspersky.com/scanforvirus

    So, I guess, like last time, it is an FP.

    Be well, everyone, and stay clean ...:eek:))

    Gorgelink
     
  20. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    Exactly the same here. I've sent the file to DiamondCS for analysis.

    EDITED: I already got a reply (isn't that real service or isn't it ;-) ). DiamondCS Support says it is a false alarm! They will fix it with the next update!
     
    Last edited: May 18, 2005
  21. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    Hi all, I also got a false positive on googletoolbarinstaller.exe; mine said it was a trojan dropper Win32.inflator.a1 (at least I hope that it is a false positive). I am going to update and rescan.
     
  22. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    Hi all again,
    I have updated and rescanned the googletoolbarinstaller.exe, no reports now, so I think it was a false positive.
     