RAV online AV says shadow.exe is a trojan. Is it?

Discussion in 'malware problems & news' started by trew, Feb 9, 2005.

Thread Status:
Not open for further replies.
  1. trew

    trew Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    5
    Typical of me to forget my username, a kind of early dementia? I fail to remember passwords to take out money and such. Very embarrassing.

    Ok I joined today to ask for help with an alleged virus.

    RAV online says that it is a trojan, but to me it looks like an old Windows file.

    Could it be a false positive?

    shadow.exe and it has the same Date and Time stamp as the others in
    C:\windows/system32/shadow.exe

    I have WinXP, and is it really possible to put a file there that imitates the others' date stamp?

    Trew

    should this be moved to another forum?
    I practice here.
     
    Last edited: Feb 9, 2005
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    Re: Have been member but forgot username

    Welcome trew.

    We'll try the viruses and worms forum.
     
  3. trew

    trew Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    5
    Re: Have been member but forgot username

    Oops, that is very wise. Thanks for moving me.

    I checked with both RAV online and Panda AV online and only RAV told me I had this Trojan.

    But I have been using RAV for a year or so and they barked at it now and not before, and the file says it is many years old and has the same date as all the others, so could it be that the owner of the Computer Shop put it there hoping I never found out?

    Anybody having had this one before? I searched the forum but none seem to have mentioned it before. Could it be that RAV has updated their signatures and made an error?

    AntiVir Guard didn't detect it.

    Trew
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    Re: Have been member but forgot username

    It's here already.
     
  5. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I've confirmed that this is a false positive, it is part of Windows XP.
    Here are the properties of:

    the file located at C:/windows/system32/shadow.exe
    The properties of this shadow.exe file are stated in the picture below here:
     


    Last edited: Feb 9, 2005
  6. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    So, RAV made a false positive on that file. ;)
    RAV online AV says shadow.exe is a trojan. Is it?

    NO.
     
  7. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Here's a full description of what shadow.exe really is; it's NOT a trojan. It's a case of mistaken identity by RAV.

    Description of shadow.exe:
    Shadow.exe: Shadow

    Category: This tool is included in all Windows Server 2003 operating systems and in all Windows XP operating systems.

    Version compatibility:
    This tool will run on all Windows Server 2003 operating systems and on all Windows XP operating systems.

    Shadow enables you to remotely control an active session of another user. You can either view or actively control the session. If you choose to actively control a user’s session, you will be able to input keyboard and mouse actions to the session.

    You can always remotely control your own sessions (except the current session), but you must have Full Control access permission to remotely control another session. You can also initiate remote control using Terminal Services Manager.

    Before monitoring begins, the server warns the user that the session is about to be remotely controlled, unless this warning is disabled. Your session might appear to be frozen for a few seconds while it waits for a response from the user.

    Your session must be capable of supporting the video resolution used at the session you are remotely controlling or the operation fails.

    The console session can neither remotely control another session nor can it be remotely controlled by another session.
     
    Last edited: Feb 9, 2005
  8. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Others are having the same problem with this one at the moment. C:\WINDOWS\SYSTEM32\DLLCACHE\SHADOW.EXE is a legitimate file, called 'Session Remote Control Utility', which is part of the Microsoft Windows Operating System. However, with a slight variance in name and/or file path it could be malware.

    Some AVs are associating it with backdoor:irc/sdbot. What is RAV calling it? Do you perhaps have more than one file of this name on your system? Why not run a search, being sure to tick 'Search Hidden Files and Folders' in the 'More Advanced Options' section.
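    The search TopperID suggests, written out as an added example (not code from anyone in this thread): it lists every shadow*.exe on the system drive, hidden folders included, and compares each one to the protected DLLCACHE copy and to the expanded i386 copy. It assumes Windows PowerShell 5.1 or later for Get-FileHash and Get-AuthenticodeSignature.

```powershell
# Added example (not from the thread). Finds every shadow*.exe on the system
# drive, hidden folders included, and compares each to the protected copy in
# DLLCACHE that TopperID identifies as the legitimate Session Remote Control
# Utility. Assumes Windows PowerShell 5.1+ (Get-FileHash, Get-AuthenticodeSignature).

$Reference = Join-Path $env:windir 'System32\dllcache\shadow.exe'
if (-not (Test-Path $Reference)) {
    throw "No reference copy at $Reference; compare against a known-good install instead."
}
$RefHash = (Get-FileHash -Algorithm SHA256 -Path $Reference).Hash

# The i386 folder holds a cab-compressed copy (shadow.ex_), like trew's second hit.
# expand.exe (built into Windows) decompresses it so it can be hashed like the others.
$Packed   = Join-Path $env:SystemDrive 'i386\shadow.ex_'
$Expanded = $null
if (Test-Path $Packed) {
    $Expanded = Join-Path $env:TEMP 'shadow_from_i386.exe'
    & "$env:windir\System32\expand.exe" $Packed $Expanded | Out-Null
}

# -Force includes hidden/system files; the wildcard catches near-name variants
# (TopperID's "slight variance in name"), not only the exact name.
$Candidates = @(Get-ChildItem -Path "$env:SystemDrive\" -Filter 'shadow*.exe' `
                   -Recurse -Force -File -ErrorAction SilentlyContinue)
if ($Expanded -and (Test-Path $Expanded)) { $Candidates += Get-Item $Expanded }

foreach ($File in $Candidates) {
    $Hash = (Get-FileHash -Algorithm SHA256 -Path $File.FullName).Hash
    $Sig  = Get-AuthenticodeSignature -FilePath $File.FullName
    # A matching timestamp proves nothing (timestamps are trivially set); the hash
    # match against DLLCACHE, or a valid signature, is what identifies the file.
    $Verdict = if ($Hash -eq $RefHash) {
        'identical to DLLCACHE copy'
    } elseif ($Sig.Status -eq 'Valid') {
        "differs from DLLCACHE but validly signed by $($Sig.SignerCertificate.Subject)"
    } else {
        'UNKNOWN: differs from reference and not verifiably signed; submit to a multi-engine scanner'
    }
    [pscustomobject]@{
        Path      = $File.FullName
        Bytes     = $File.Length
        LastWrite = $File.LastWriteTime
        SHA256    = $Hash
        Verdict   = $Verdict
    }
}
```

    Windows system binaries are often signed only through a security catalog, so "not verifiably signed" by itself is not proof of tampering; the hash comparison is the decisive check, and any copy living outside System32, DLLCACHE or i386 is the one to look at closely.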
     
  9. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    The virus could be using its own shadow.exe, or it may be hijacking shadow.exe, that's why some AVs are associating shadow.exe with this virus.
     
  10. trew

    trew Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    5
    Thanks indeed for such a fast and considerate answer.

    Yes, RAV pointed out two files. The other has the same date stamp.
    C:\i386\shadow.ex_

    Could that one be kind of invaded then?

    I use Sygate Firewall and it says that I am scanned by IP 81.9.225.35 with MAC address 00-30-88-00-55-12, and that one scanned me at 14 hours local time and now at 21 hours local time, so it seems to have locked on my IP and as soon as I power up my ADSL it is aware of me being active. What could it be?

    I used ID Serve on it and it says cm-81-9-225-35.telecable.es

    Is that Spain or Estland? Maybe Spain has EA?

    Maybe these are totally unrelated, the RAV false alarm and the warning from Sygate Firewall about me being scanned?

    RAV had a very new signature, because I used it just a day or two ago and it had a new one today. So maybe they forgot to correct the false positives.
    I looked for any forum discussing their updating quality but found nothing.

    trew

    PS I used A2 Squared to search for trojans too and nothing showed up.

    Ad-Aware shows nothing either.
     
    Last edited: Feb 9, 2005
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The FW messages are probably coincidental. If you are still concerned about the file you can upload it to Jotti's here:- http://virusscan.jotti.org/
    where it will be scanned by a range of AVs.
     
  12. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I just uploaded my own C:\windows/system32/shadow.exe to Jotti's and no viruses or trojans were found at all.
    Mine is clean.
     