False Positive or Delete Item Found

Discussion in 'Trojan Defence Suite' started by KM1, Jun 23, 2005.

Thread Status:
Not open for further replies.
  1. KM1

    KM1 Registered Member

    Joined:
    Jun 23, 2005
    Posts:
    7
    I have the trial version of TDS-3 which I manually updated. I ran a scan in safe mode and it found 3 things. The first was a Positive for a Possible Keylogger in my C:\documents and settings\xxxxxxxx\desktop\spyware tools. This is a folder in which I keep all my spyware scanners and tools. When I finished I did a right mouse click on it and clicked on more info. This identification was coming from the program CWShredder, which is Intermute's (now owned by Trend Micro) scanner/remover for CoolWebSearch. There was nothing suspicious in the information that I was being given about this supposed keylogger. Was this a false positive, and should I rescan and delete this or leave it because it is needed for CWShredder to work? o_O

    KM1
     
  2. KM1

    KM1 Registered Member

    Joined:
    Jun 23, 2005
    Posts:
    7
    Anyone? o_O
     
  3. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Try to check the file at Jotti's malware scan or VirusTotal.

    It looks to be a false positive. I got no warnings on the version 2.15 .exe which was hosted at InterMute before, but after having downloaded the .exe that's now hosted (same version but different "look") at Trend Micro's web site, TDS reports the following:

    "Positive identification <Adv>: Possible keylogger
    File: c:\program files\intermute\spysubtract\cwshredder.exe"
     
  4. KM1

    KM1 Registered Member

    Joined:
    Jun 23, 2005
    Posts:
    7
    Ok, I tried both. It came back as a "possible malware" but possible false positive because it was only identified due to heuristic techniques. Below are the results:

    POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)

    AntiVir Found Heuristic/Trojan.Keylogger (probable variant)
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    VBA32 Found nothing


    Here are results from Virus Total:
    Antivirus Version Update Result
    AntiVir 6.31.0.7 06.23.2005 Heuristic/Trojan.Keylogger
    Avira 6.31.0.7 06.23.2005 Heuristic/Trojan.Keylogger
    BitDefender 7.0 06.23.2005 no virus found
    ClamAV devel-20050501 06.22.2005 no virus found
    DrWeb 4.32b 06.23.2005 no virus found
    eTrust-Iris 7.1.194.0 06.23.2005 no virus found
    eTrust-Vet 11.9.1.0 06.23.2005 no virus found
    Fortinet 2.36.0.0 06.23.2005 no virus found
    Ikarus 2.32 06.23.2005 no virus found
    Kaspersky 4.0.2.24 06.23.2005 no virus found
    McAfee 4520 06.23.2005 no virus found
    NOD32v2 1.1151 06.22.2005 no virus found
    Norman 5.70.10 06.23.2005 no virus found
    Panda 8.02.00 06.23.2005 no virus found
    Sybari 7.5.1314 06.23.2005 no virus found
    Symantec 8.0 06.22.2005 no virus found
    TheHacker 5.8.2.058 06.23.2005 no virus found
    VBA32 3.10.3 06.23.2005 no virus found


    Ok, now what. I still do not know whether this file is a false positive or not. Almost all of the virus scan software came up with nothing. Does anyone know what I should do about this file? o_O
     
  5. KM1

    KM1 Registered Member

    Joined:
    Jun 23, 2005
    Posts:
    7
    Calling all TDS-3 Experts. Anyone out there help? o_O
     
  6. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Use TDS-3 configuration (configuration is under TDS at the top left of the TDS GUI) to set your SMTP server and email addy, then under "help" use "submit file" so the guys at TDS can take a look at it :cool:
     
  7. Carver

    Carver Guest

    I have CWShredder too, TDS-3 doesn't react. I would submit it. Did you delete something and leave the backup copy?
     
  8. KM1

    KM1 Registered Member

    Joined:
    Jun 23, 2005
    Posts:
    7
    If you look at kjempen's post, he did not get it either when it was downloaded before Intermute was operated by Trend Micro; however, now it does come up with a positive reading with the new download.

    I could not figure out how to send this file through the program so I sent it through email help of the TDS-3 site itself. Hope this is OK.

    Anyone else notice this? I really need to know if this was a false positive.

    KM1
     
  9. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    The problem arises if you download and use the new Trend Micro version of CWShredder (try and see for yourself).

    It is only one AV engine (AntiVir <=> Avira) that detects it, by Heuristics, as a "possible malware", and I seriously doubt that Trend Micro makes spyware out of something that's supposed to be anti-spyware o_O

    I would bet my farm (if I had one :p ) on a false positive.
     
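The reasoning in the posts above (one engine flagging by heuristics while the rest find nothing, and AntiVir/Avira being the same engine) can be turned into a small check. This is an added example, not code from the thread or from any of the scanners mentioned; the report text is a constructed sample in the layout of the VirusTotal listing quoted earlier, and the engine-family table is an assumption for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the "Antivirus Version Update Result" layout quoted in the thread.
SAMPLE_REPORT = """\
AntiVir 6.31.0.7 06.23.2005 Heuristic/Trojan.Keylogger
Avira 6.31.0.7 06.23.2005 Heuristic/Trojan.Keylogger
BitDefender 7.0 06.23.2005 no virus found
Kaspersky 4.0.2.24 06.23.2005 no virus found
NOD32v2 1.1151 06.22.2005 no virus found
"""

# Vendors that share one scanning engine count as a single opinion, not two.
# Assumption for illustration: AntiVir and Avira, as noted in the thread.
ENGINE_FAMILIES = {"AntiVir": "Avira", "Avira": "Avira"}

# vendor, version, MM.DD.YYYY update date, free-text result
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")


def parse_report(text):
    """Return {vendor: result} from a 'vendor version date result' listing."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m.group(1)] = m.group(4).strip()
    return rows


def assess(rows):
    """Collapse shared engines, then summarise how much weight the detection carries."""
    hits = defaultdict(set)
    for vendor, result in rows.items():
        if result.lower() != "no virus found":
            hits[ENGINE_FAMILIES.get(vendor, vendor)].add(result)
    # True only when every detecting engine reports a heuristic (generic) name.
    heuristic_only = bool(hits) and all(
        res.lower().startswith("heuristic") for names in hits.values() for res in names
    )
    return {
        "engines_total": len({ENGINE_FAMILIES.get(v, v) for v in rows}),
        "engines_detecting": len(hits),
        "heuristic_only": heuristic_only,
    }
```

A single heuristic-only engine out of many, as in the sample, is the pattern the thread treats as a likely false positive; a named (non-heuristic) detection from several independent engines would weigh the other way.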
  10. FanJ

    FanJ Guest

    Hi,

    I just downloaded CWShredder version 2.15 from the Trend Micro site:
    http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe
    Then I scanned the folder in which I store my CWShredder versions (I have several old versions stored in my archive).

    Yes, I can confirm that TDS-3 gives an alert about it:
    Scan Control Dumped @ 22:06:22 23-06-05
    Positive identification <Adv>: Possible keylogger
    File: d:\cwshredder\version 2_15 trend\cwshredder.exe

    For your info:
    I have now two versions of CWShredder, version 2.15.
    The alert coming from TDS-3 is about the one from the Trend Micro site.
    Here are the MD5 checksums for both the versions 2.15:
    ==========
    The file <D:\CWShredder\Version 2_15\CWShredder.exe> has the following Checksum(s)
    MD5 - 903058F9E7BCD0CE3317EA2FF80289F7
    ---------------------------------------------------
    The file <D:\CWShredder\Version 2_15 Trend\cwshredder.exe> has the following Checksum(s)
    MD5 - F8E6317AE55076FAE45BA0AA5D16D983
    ==========

    The definitions from TDS-3 with which I scanned:
    [58982 references - 31303 primaries/15379 traces/12300 variants/other]


    I will inform Gavin by email about this thread.
    Please give Gavin the time to look at it !

    Cheers, Jan.
     
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Received this from Jan, thanks

    It's clean, you can safely ignore this detection. Interesting to see a couple of virus scanners were also very sensitive and detected a possible
     