TDS3 false alarm !?

Discussion in 'Trojan Defence Suite' started by MEGAFREAK, Jul 8, 2003.

  1. MEGAFREAK

    MEGAFREAK Registered Member

    Joined:
    Jul 8, 2003
    Posts:
    51
    :rolleyes:

    I assume I am getting a false alarm from TDS concerning the program Hacker Eliminator: when I run a process memory scan, TDS-3 tells me that Hacker Eliminator is RAT.Netbus.1.70.

    I think that can't be true, because Hacker Eliminator seems to be an official tool. o_O!?
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello Megafreak,
    welcome to DCS in the Wilders forum.
    Which filename is it exactly?
    Does it say positive ID or suspicious?
    I think Gavin would like a sample to refine the detection and avoid further alarms in case it is indeed a false alarm: submit@diamondcs.com.au. So you see, TDS really finds a lot!
    Best to zip the file, btw.
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    It does sound like a false alarm, but send the file in just in case. Another program keeps a Netbus detection signature inside its main EXE, which means when it is running it looks like Netbus. Surprising that a second program would use the same signature as TDS-3, and have it embedded inside its program while running!

    That of course is bad practice; all of the TDS databases are external and are loaded when TDS starts. The process space of TDS-3.EXE does not contain trojan signatures of course :)
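
The effect described in the post above, as an added example that is not part of the original thread and is not TDS-3 or Hacker Eliminator code: a substring-based memory scan flags a second security tool that carries a raw signature in its image, and does not flag one that stores only a hash of the pattern. The signature bytes, the detection name and the hashed-table layout are constructed assumptions; the thread itself only says that TDS keeps its databases external.

```python
import hashlib

# Constructed stand-in for a trojan byte signature (not a real Netbus pattern).
SIGNATURE = b"CONSTRUCTED-SAMPLE-SIGNATURE-0001"
SIG_NAME = "Sample.Trojan.A"  # hypothetical detection name


def memory_scan(process_image: bytes, signatures: dict) -> list:
    """Naive process memory scan: report every signature found as a substring."""
    return [name for name, pattern in signatures.items() if pattern in process_image]


def build_tool_with_embedded_signatures() -> bytes:
    """Second security tool whose EXE image carries its raw signature table."""
    return b"\x4d\x5a" + b"\x00" * 64 + b"tool code" + SIGNATURE + b"\x00" * 32


def build_tool_with_hashed_signatures() -> bytes:
    """Same tool, but its table holds only (length, SHA-256) of each pattern."""
    entry = len(SIGNATURE).to_bytes(2, "little") + hashlib.sha256(SIGNATURE).digest()
    return b"\x4d\x5a" + b"\x00" * 64 + b"tool code" + entry + b"\x00" * 32


def hashed_scan(target: bytes, length: int, digest: bytes) -> bool:
    """The second tool can still detect the pattern using only its hash."""
    return any(
        hashlib.sha256(target[i:i + length]).digest() == digest
        for i in range(len(target) - length + 1)
    )


def demo() -> dict:
    scanner_db = {SIG_NAME: SIGNATURE}  # first scanner's database (assumed external)
    infected = b"\x4d\x5a" + b"\x90" * 16 + SIGNATURE + b"payload"  # constructed sample
    digest = hashlib.sha256(SIGNATURE).digest()
    return {
        "embedded_tool": memory_scan(build_tool_with_embedded_signatures(), scanner_db),
        "hashed_tool": memory_scan(build_tool_with_hashed_signatures(), scanner_db),
        "real_sample": memory_scan(infected, scanner_db),
        "hashed_tool_detects": hashed_scan(infected, len(SIGNATURE), digest),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```
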
     
  4. MEGAFREAK

    MEGAFREAK Registered Member

    Joined:
    Jul 8, 2003
    Posts:
    51
    TDS-3 tells me the following:

    Live trojan found: RAT.Netbus 1.70
    File: C:\Program Files\Hacker Eliminator\HackerEliminator.exe

    Tell me if you want the file nevertheless, then I can send it, but I think it is the standard version of HackerEliminator, so you just have to download it from the website to see the message.
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    If you don't mind sending a copy in then I'll take a look at it :) Best to get the file directly from you I feel, thanks
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I installed the trial version today, no alarm :)

    Had a look at the EXE, there's no reason for it to alarm, and it doesn't, so how can you be getting an alarm if you are using the same program as me? I would download again perhaps :)
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Better get Megafreak's copy, maybe something slipped in from elsewhere? Think the developer will be interested to know as well of course.
    Or could it be there is a difference between the trial and a registered version? More reason to get the exact alarm to check what is happening; in the name of the internet community we will all be very grateful for this!
     
  8. MEGAFREAK

    MEGAFREAK Registered Member

    Joined:
    Jul 8, 2003
    Posts:
    51
    I sent the copy to you via email. Maybe the problem is really focussed on the trial, but as you said, it doesn't occur on your system, so why does it occur on my system? I hope you will find a solution for that false alarm.

    No matter when I installed Hacker Eliminator, it was always the same. I downloaded it from the original website, but it was always the same: RAT.Netbus.170 was shown for the exe of Hacker Eliminator, but you have to do a process memory scan to see this alarm.
     