False positive?? (ntsmod.exe)

Discussion in 'Trojan Defence Suite' started by Hurricanetracker, Jan 26, 2005.

Thread Status:
Not open for further replies.
  1. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    Got this in TDS:
    Scan Control Dumped @ 14:27:58 26-01-05
    Positive identification: Trojan.Win32.VB.rl
    File: c:\windows\system32\ntsmod.exe

    However, there are no indications of anything "fishy" going on, and TDS didn't ring any alarm bells before (even though ntsmod was present; I even think this is a system file).
    Submitted this file to DiamondCS for scrutiny.
    Anything known about this alert??
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  3. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    Yes, same size here. I can't delete it though; it's in use. Going to try deleting it on reboot (if that's safe, but considering this is a true positive it is likely to be safe for removal).

    Odd that regrun didn't report this file was altered; it doesn't miss much in terms of alterations (or AVG, Spybot etc.; I've got about 8 programs running :D)
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    It's probably running.
    Check for the presence of the other files that are related.
    I posted an install-report here:
    http://www.geekstogo.com/forum/index.php?automodule=blog&blogid=43&cmd=showentry&eid=8

    If you have blocked it with your firewall it can do no real harm and it won't install the others.

    Get a second opinion here:
    http://virusscan.jotti.org/
    before you do anything drastic. ;)

    Regards,

    Pieter
     
  5. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    Odd though: I scanned with all the stuff I have present on the system:
    - MS Anti-Spyware
    - Ad-Aware
    - TDS (which gave the alert)
    - AVG
    - regrun
    - Spybot S&D

    I have SpywareBlaster and SpywareGuard running as well, and all of them came up with nothing.

    Been looking around on the net and it's unclear what the status of this file is (if I remember correctly I scanned this file with the KAV online scan as well; it came up with no alarms). I'm a bit cautious about removing it before I know for sure what it is; going to check what's running and to which processes, if any, this file has attached itself.

    Going to search for those files you mentioned.

    If those are present, is it safe to assume it's malware or a trojan??

    In which case I'll report it to the guys at regrun (with an explanation of which other files need to be present).
     
  6. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    differing opinions.

    don't know what to think of this one.
     
  7. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    Of the three mentioned, only this one is present:
    sysdebug32.exe

    But this was last modified in 2003 (I don't think this was installed by whatever is causing this positive; alarm bells would have gone off long ago then).
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Hurricanetracker, you could rename ntsmod.exe to something like ntsmod.bak for now until you have the result from DCS. If you cannot rename it in normal mode, reboot into safe mode and rename it there.

    Pilli
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    In case of malware the date of creation and/or last modified are to be taken with a grain of salt. They are possibly falsified.

    I think your file is the trojan, but wait for the answer to your submission, while following Pilli's advice.

    Regards,

    Pieter
     
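The handling suggested in Pilli's and Pieter's posts above (rename rather than delete so the file can be restored if it is a false positive, retry from safe mode if the rename is refused because the file is in use, record the file's hashes so the vendor submission and any second-opinion scan refer to the exact same sample, and treat file timestamps as unreliable) written out as a small Python triage script. This is an added example, not code from anyone in this thread or from DiamondCS/TDS; the function names, the `.bak` suffix appended to the original name, and the sample file it creates are my own constructed choices, and the sample bytes are not a real binary.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def file_hashes(path, chunk_size=65536):
    """Return (md5, sha256) hex digests of the file at `path`.

    Hashes identify the exact sample: quote them when submitting the file to
    a vendor or a multi-engine scanner, so everyone analyses the same bytes.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def triage(path):
    """Collect the facts worth writing down before touching a flagged file."""
    st = os.stat(path)
    md5, sha256 = file_hashes(path)
    return {
        "path": path,
        "size": st.st_size,
        "md5": md5,
        "sha256": sha256,
        # Recorded for reference only: whoever wrote the file controls its
        # timestamps, so a 2003 "last modified" date proves nothing by itself.
        "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
    }


def quarantine_by_rename(path, suffix=".bak"):
    """Rename instead of delete, so a false positive can be undone.

    Returns the new path, or None when the OS refuses the rename (on Windows
    that is what happens while the file is in use); in that case repeat the
    step from safe mode, where the file is not running.
    """
    target = path + suffix
    if os.path.exists(target):
        raise FileExistsError(f"quarantine target already exists: {target}")
    try:
        os.rename(path, target)
    except PermissionError:
        return None
    return target


def restore(quarantined_path, suffix=".bak"):
    """Undo quarantine_by_rename once the file is confirmed clean."""
    if not quarantined_path.endswith(suffix):
        raise ValueError(f"not a quarantined file: {quarantined_path}")
    original = quarantined_path[: -len(suffix)]
    os.rename(quarantined_path, original)
    return original


def demo():
    """Run the whole flow on a constructed sample in a temporary directory."""
    workdir = tempfile.mkdtemp(prefix="triage_")
    sample = os.path.join(workdir, "ntsmod.exe")  # constructed stand-in
    with open(sample, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62 + b"constructed sample, not a real binary")
    before = triage(sample)
    quarantined = quarantine_by_rename(sample)
    after = triage(quarantined) if quarantined else None
    restored = restore(quarantined) if quarantined else None
    shutil.rmtree(workdir, ignore_errors=True)
    return {
        "size": before["size"],
        "sha256": before["sha256"],
        "quarantined_name": os.path.basename(quarantined) if quarantined else None,
        # The rename must not change the bytes: the hash you submit stays valid.
        "hash_unchanged": after is not None and after["sha256"] == before["sha256"],
        "restored_name": os.path.basename(restored) if restored else None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keep the `triage` output (size, hashes, path) with the vendor submission; the hashes are what let a second scanner or the vendor confirm they looked at the same file, and the rename leaves them intact.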
  10. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    Just renamed the file to a .bak extension and restarted, and can tell you this much: it isn't a vital system file. Windows started up normally after that.

    Simply going to leave it for now until TDS comes up with an analysis. Noticed NOD32 (best tested anti-virus software) didn't show any positive.

    Scanned the renamed file with AVG (definitions are from 25-1) and it says NO VIRUS detected. We'll see :)

    Anyway, thanks for the input, guys.
     
  11. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    From some searching on Google it seems to be related to VX2/Look2Me.
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yep, it could be an inert part of the installer, for instance. Probably TDS flagged it as part of a failed installation. Hopefully Gavin will have the answer. :)

    Pilli
     
  13. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    Seems is the one which struck me. There's still no advice on what to do with it or what it is on CastleCops (to name but one site; all the others are the same). The guys at REGRUN (one of the best purchases I made in recent memory, together with TDS of course :D) don't have it on record. Some further analysis is required, also because some of the major anti-virus programs draw a blank when you scan it (KAV and NOD32, to name two major ones).
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    KAV drew a blank? But you posted:

    And if you had followed the link to my blog you would have seen it is indeed related to VX2.

    Regards,

    Pieter
     
  15. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    Well, yes: I followed that link and read your blog; that's why I immediately was suspicious of this file. However, it's not exactly classified yet on the sites mentioned, and the mere fact that so many programs don't recognize it yet as being a VX2 component (also not with the latest updates installed) suggests to me there's still a lot of uncertainty.

    Hopefully the analysis by the TDS team will shed some light on this and either positively prove or disprove that this is indeed a trojan or a malware component. But again: I took no chances and renamed the file :)
     
  16. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    Pretty much says it all ;)

    Deleted that file.
     
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Hurricanetracker, I am pleased that your machine is now "clean". Although you did not see any effects from this malware, and not knowing what it does, perhaps it was dormant, just waiting for a certain event before activating?

    Very sketchy info when googling for ntsmod.exe :(

    Best gone anyway :) Pilli
     
  18. Hurricanetracker

    Hurricanetracker Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    46
    Yes, I am now wondering though: does TDS consider VX2 a trojan??

    I wouldn't be opposed to it as such, because this particular malware behaves like a virus or trojan in that it affects system files, services etc.

    And there is no easy way to remove it. I suffered from this pest a couple of weeks ago and now think this file was a remnant of this "infection" (all the others I managed to remove as a result of seeking help with this on security forums and a little improvisation on my part). How would we report this to, for example, regrun?? Don't know if ntsmod.exe is always malicious, but I have become a staunch believer in alerting as many software developers as possible about any new threats so they can produce the necessary updates for their programs. Don't know how to report this though.
     
  19. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    TDS3 covers a lot of things apart from normal trojans, including some spyware, keyloggers and dialers.

    Pieter is probably the best one to ask, but we are glad that you submitted to DCS, and although TDS3 caught it, double checking cannot be a bad thing.
     