False Positive ??

Discussion in 'other anti-malware software' started by SamSpade, Dec 1, 2006.

Thread Status:
Not open for further replies.
  1. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    Greetings one and all,

    I just ran a scan by Spyware Doctor which turned up a nasty trojan, called <trojan.popuper.downloader.> in my system volume information folder, a totally hidden system folder that took me a trip to MS to find out how to open.

    At first NOD didn't scan it, said the folder was "invalid"; but when I finally got access to it, it did a scan and found nothing. (The file Spyware Doctor had cited was a back-up of a CCleaner setup file). I ran scans by Spy Sweeper, AVG anti-spy, and A-Squared, just for good measure, and the all came up with zilch, nada.

    Then I ran Spyware Doctor again, and it now says "zero infections" are on my HD.

    My concern is that the description of Trojan.Popuper.Downloader was especially nasty, doing terrible things that would make Atilla the Hun blush. Of course, SD also said they could easily "fix" my "problem" if I only purchased their (lovely) software..

    Is there a chance this scan may have been a false positive ?? Perhaps an overzealous reading that just coincidentally suggested the "only cure" was to purchase the scanning company's product ?? Hm-m. IF anyone has had any dealings with this particular bad guy (the trojan, that is), would you speak up ?


    //
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Since this is more a Spyware Doctor issue as it relates to a possible False positive by that program....I have taken the liberty to move your thread to a more appropriate forum. Here you can have a better chance of SD users dropping by with the latest FP's of this program.

    Bubba
     
  3. ejr

    ejr Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    538
    Yes...it is more than likly a false positive,

    Just yesterday, I ran a Spyware Doctor Scan and it came up with the same traojan (trojan.popuper.donloader). It was labeliong the uninstall file from CCleaner as a this trojan.

    CCleaner does not have any trojans in it. I am certain that Spyware Doctor has made a mistake. They also labeled the unisntall file from edido 4 as this same trojan. Somehow, I doubt that Ewido has a trojan in it.

    Spywae Doctor takes a pretty aggressive stance against Spyware, which I like. But that policy leads to a few false positives.
     
  4. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415

    Bingo! That's exactly the same file SD flagged on my box: CCleaner uninstall (under a different name, and as an .exe file, of course).

    But then it's even more Twilight Zone: I got a positive from my SpySweeper but not on the same file, but some other (sorry I didn't write down the name; it was ~4:30 AM when all this was occurring), and yet another (and yet a different file) from SuperSpyware, which I am trialling. The latter two were not described as big problems -- as opposed the nasty baddie that SD alleged to have found -- but still makes one wonder.

    Maybe it was the too many anti-malware apps running in so short a time the gods decided they had to give me *something* to worry about !!

    Btw, I've had NOD32 running on my computer for about six weeks now and it has yet to find anything even suspicious even though I've done a full scan every other day. If NOD doesn't find anything, the drive must be clean, right ?
     
  5. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi SamSpade

    If the SAS detection was possibly f/p could you report this using the software function(report f/p) or post in their f/p's forum for review.The relevent information will be contained in the software logs and the file should be restorable from quarantine to allow for uploading/rechecking.

    http://forums.superantispyware.com/

    This one has got my curiosity going since one software with f/p is the norm but to have 3 softwares throwing up suspected f/p's in a short space of time is puzzling with some underlying cause.

    TIA:)
     
  6. ejr

    ejr Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    538
    No, you can't assume that your drive is clean simply because NOD doesn't find anything. If that were the case, why have any antispyware at all? NOD is a world class product, and is going to catch and stop most of the nasties, but it's not sufficient to be your stand alone catch all for all malware (no product can do this).

    Pretty much, the safe thing to do is to run NOD in conjuction with a top notch firewall and a top notch antispyware. I consider Spyware to be top notch. But you must be willing to put up with an occassional false positive with Spyware Doctor. They take an aggressive stance against spyware and this results in more fp's than with some other options.
     
  7. Scott000001

    Scott000001 Registered Member

    Joined:
    Dec 3, 2006
    Posts:
    1
    Signed up just to respond to this thread.

    I have Trend Micro Anti-Virus and SpySweeper. Both (especially Trend) have been finding a nasty virus that has been impossible for me to get rid of. It is a worm RBot.ERA (the p2pnetworking.exe virus) that seems to have a associated installer in it too. When I boot up the system and quickly open Task Manager, there it sits in the processes . . . INSTALLER. Most of the time the Trend Anti-Virus quarantines a file called b.exe. I think that I've finally gotten rid of p2pnetworking.exe, but this INSTALLER is still there. As long as the INSTALLER is listed as an active application in Task Manager, I cannot open Regedit from the Run program. It says another program is using the application. Basically it blocks access to the Registry.

    I too have just now run Spyware Doctor and it found the same trojan installer. It is there for me for sure, so it may be true positive for you as well.

    Merry CHRISTmas,

    scott
     
Loading...
Thread Status:
Not open for further replies.