False positive ?? (ntsmod.exe )

Discussion in 'Trojan Defence Suite' started by Hurricanetracker, Jan 26, 2005.

Thread Status:
Not open for further replies.
  1. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    got this in TDS:
    Scan Control Dumped @ 14:27:58 26-01-05
    Positive identification: Trojan.Win32.VB.rl
    File: c:\windows\system32\ntsmod.exe

    however ; there are no indications of anything " fishy " going on and TDS didn't ring any alarm-bells before ( even though ntsmod was present- I even think this is a system-file )
    Submitted this file to Diamondcs for scrutiny.
    Anything known about this alert ??
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
  3. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    yes, same size here . I can't delete it though - it's in use . Going to try deleting it on reboot ( if that's safe - but condsidering this is a true positive it is likely to be safe for removal ).

    Odd regrun didn't report this file was altered - it doesn't miss much in terms of alterations ( or AVG, Spybot etc. got about 8 programs running :D )
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    It's probably running.
    Check for the presence of the other files that are related.
    I posted an install-report here:
    http://www.geekstogo.com/forum/index.php?automodule=blog&blogid=43&cmd=showentry&eid=8

    If you have blocked it with your firewall it can do no real harm and it won't install the others.

    Get a second opinion here:
    http://virusscan.jotti.org/
    before you do anything drastic. ;)

    Regards,

    Pieter
     
  5. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    odd though : I scanned with all th stuff I have present on system:
    - MS anti spyware
    -Adaware
    -TDS-which gave the alert
    -AVG
    -regrun
    -Spybot S&D

    have spyware blaster ad spywareguard running as well and all of them came up with nothing .

    Been looking around on net and it's unclear what the status of this file is ( if I remember correctly I scanned this file at the online-scan of KAV as well , came up with no alarms ) . I'm a bit cautious with removing it before I know for sure what it is - going to check what's running and to which processes-if any - this file has attached itself .

    going to search for those files you mentioned .

    If those are present is it safe to assume it's malware ot a trojan ??

    In which case I'll report it to the guys at regrun ( with explanation which other files need to be present )
     
  6. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    differing opinions.

    don't know what to think of this one.
     
  7. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    of the three mentioned only this one is present :
    sysdebug32.exe

    but this was last modified in 2003 ( don't think this was installed by whatever is causing this positive - alarmbells would have gone off long ago then ) .
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Hurricanetracker, You could re-name ntsmod.exe to something like ntsmod.bak for now until you have the result from DCS. If you cannot rename it in normal mode, reboot ito safe mode and re-name there.

    Pilli
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    In case of malware the date of creation and/or last modified are to be taken with a grain of salt. They are possibly falsified.

    I think your file is the trojan, but wait for the answer to your submission, while following Pilli's advice.

    Regards,

    Pieter
     
  10. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    Just renamed the file to a .bak extension and restarted and ccan tell you this much : it isn't a vital system-file .Windows started up normally after that .

    simply going to leave it for now until TDS comes up with analysis .Noticed NOD32 ( best tested anti virus software ) didn't show any positive .

    scanned renamed file with AVG - definitions are from 25-1 - and it says NO VIRUS detected . We'll see :)

    anyway thanks for the input,guys.
     
  11. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    From some searching on google it seems to related to VX2/Look2Me.
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yep, It could be an inert part of the installer for instance - Probably TDS flagged it as part of a failed installation. Hopefully Gavin will have the answer. :)

    Pilli
     
  13. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    seems is the one which struck me . There's still no advice on what to do with it or what it is on castlecops ( to name but one site - all the others are the same ) . The guys at REGRUN - one of the best purchases I made in recent memory ( together with TDS of course :D ) don't have it on record .Some further analysis is required . Also because some of the major anti-virus programs draw up a blank when you scan it ( KAV,NOD32 to name two major ones ) .
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    KAV draw a blank? But you posted:

    And if you had followed the link to my blog you would have seen it is indeed related to VX2

    Regards,

    Pieter
     
  15. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    Well, yes : I followed that link and read your blog - that's why I immediately was suspicious of this file . However it's not exactly classified yet on the sites mentioned and the mere fact so many programs don't recognize it yet as being a VX2- component ( also not with latest updates installed ) suggests to me there's still a lot of uncertainty .

    Hopefully the analysis by TDS-team will shed some light on this and either positively prove or disprove this is indeed a trojan or a malware component .But again: I took no chances and renamed the file :)
     
  16. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    pretty much says it all ;)

    deleted that file ..
     
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Hurricanetracker, I am pleased that your machine is now "clean" - Although you did not see any effects from this malware and not knowing what it does, perhaps it was dormant just waiting for a certain event before activating?

    Very sketchy info' when googling for ntsmod.exe :(

    Best gone anyway :) Pilli
     
  18. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    Yes , I am now wondering though : does TDS consider VX2 a trojan ??

    I wouldn't be opposed to it as such because this particular malware behaves like a virus or trojan in that it affects system-files , services etc.

    And there is no easy way to remove it . I suffered from this pest a couple of weeks ago and now think this file was a remnant of this " infection " ( all others I managed to remove as a result of seeking help with this on security-forums and a little improvisation on my part ) . How would we report this to - example - regrun ?? Don't know if ntsmod.exe is always malicious , but I have become a staunch believer in alerting as many software-developers as possible about any new threats so they can produce necessary updates for their programs . Don't know how to report this though .
     
  19. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    TDS3 covers a lot things apart from normal Trojans, including some spyware, keyloggers & dialers.

    Pieter probably is the best one to ask but we are glad that you submitted to DCS and although TDS3 caught it, double checking cannot be a bad thing.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.