   Mischel Internet Security Forum
   Author  Topic: False Pos?  (Read 855 times)
valleyman
Newbie
« on: Oct 27th, 2006, 10:02am »

After today's update, notepad is being flagged by ThGuard as the Worm.VB.134 when notepad is loaded.  A right-click scan of notepad by Thunter Scanner shows nothing.
 
Anybody else find this to be true?

siliconman01
Global Moderator
« Reply #1 on: Oct 27th, 2006, 3:26pm »

On my XP-SP2 Home Edition system, Notepad is not being flagged by the latest rulesets...
 
+-- General ---------------------------------
Ruleset datestamp    : 2006-10-27
Scan kernel     : 4.0 (Cobra)
Ruleset entries      : 89766
Trojan definitions   : 33844
Detection rules      : 55922
 
Try updating again.  Perhaps there was an FP that Gavin quickly fixed.
 
If it still flags it on your system, please submit NotePad to Mischel IS for analysis per the link instructions below.
 
http://www.misec.net/forum/board/FAQ/1139308293
 

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!

zaxfri
Newbie
« Reply #2 on: Oct 28th, 2006, 7:43am »

Same problem

siliconman01
Global Moderator
« Reply #3 on: Oct 28th, 2006, 8:48am »

zaxfri, Welcome to the forum
 
Would you please submit your NotePad for analysis.  The link below shows how to manually submit a file.  
 
http://www.misec.net/forum/board/FAQ/1139308293
 
Be sure to submit the NotePad that TH scanner is flagging.  There may be more than one NotePad on your system.
« Last Edit: Oct 28th, 2006, 8:52am by siliconman01 »
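
The advice above, that a system may hold more than one NotePad and that the flagged copy is the one to submit, can be checked with a short inventory script. This is an added example, not part of the original thread or of TrojanHunter: it hashes every file with the flagged name under the given roots and lists the copies whose content differs from a reference copy. The function names, the sample directory tree and the choice of reference copy are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def find_copies(roots, filename="notepad.exe"):
    """Map sha256 -> [paths] for every file named `filename` (any case) under `roots`."""
    by_hash = defaultdict(list)
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != filename.lower():
                    continue
                full = os.path.join(dirpath, name)
                try:
                    by_hash[sha256_of(full)].append(full)
                except OSError:
                    continue  # locked or unreadable: skip it, keep scanning
    return dict(by_hash)

def odd_ones_out(by_hash, reference_path):
    """Paths whose content differs from the copy at `reference_path`."""
    ref = sha256_of(reference_path)
    return sorted(p for h, paths in by_hash.items() if h != ref for p in paths)

def demo():
    """Constructed sample tree: two identical copies plus one that differs."""
    with tempfile.TemporaryDirectory() as top:
        layout = {"WINNT": b"MZ-original", "WINNT/system32": b"MZ-original",
                  "Temp/old": b"MZ-different"}  # made-up contents, not real binaries
        for rel, data in layout.items():
            os.makedirs(os.path.join(top, rel), exist_ok=True)
            with open(os.path.join(top, rel, "NOTEPAD.EXE"), "wb") as fh:
                fh.write(data)
        copies = find_copies([top])
        odd = odd_ones_out(copies, os.path.join(top, "WINNT", "NOTEPAD.EXE"))
        return len(copies), [os.path.relpath(p, top).replace(os.sep, "/") for p in odd]

if __name__ == "__main__":
    print(demo())  # (distinct contents, copies that differ from the reference)
```

On a real system, pass the drive roots to `find_copies` and compare the resulting paths with the one named in the guard's alert before submitting a sample.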

siliconman01
Global Moderator
« Reply #4 on: Oct 28th, 2006, 9:11am »

Please do not assume that this is a False Positive just yet.
 
Here is a relatively new (08-Oct-06) write-up where NotePad is involved.
 
http://www.mwti.net/virus_info/virusalertd.asp?vid=903
 
Please run your updated Anti-Virus scanner to see if it picks up anything.  You can also run a remote scan of say Kaspersky and/or Bit Defender to see if they show up anything.
 
http://www.misec.net/forum/board/FAQ/1141894786
 

Randy_Bell
Global Moderator
« Reply #5 on: Oct 28th, 2006, 12:43pm »

As siliconman said, this could be malware, so to make sure, scan the file {notepad.exe} with some online file scanners:
 
Dr.Web:
http://www.dials.ru/english/www_av/home.htm
 
Kaspersky:
http://kaspersky.com/remoteviruschk.html
 
As well as the several online-scan links given in the FAQ that siliconman linked to -- Good Luck!

siliconman01
Global Moderator
« Reply #6 on: Oct 28th, 2006, 3:39pm »

Are those of you who are getting this NotePad incident all using Windows XP Professional or 2000?
 
Also, please be sure you are running TH V4.6, Build 930.
« Last Edit: Oct 28th, 2006, 4:07pm by siliconman01 »

billbrine
Newbie
« Reply #7 on: Oct 28th, 2006, 7:40pm »

I am running Windows 2000 Professional with the latest updates.  I am running TH version 4.6 build 930.  I ran the Notepad file through a number of the virus scanners suggested: BitDefender, Kaspersky and Dr. Web, as well as my own (AVG).  All reported nothing wrong.
 
I've sent the Notepad.exe file off to be analyzed.
 

The_Ghost
Newbie
« Reply #8 on: Oct 28th, 2006, 7:55pm »

Hi Siliconman01 et al,
 
TH 4.6 bld 930 win2kpro
 
point 1.
I too am receiving these fp's re note pad. At first I thought it was due to the fact that I was editing my host files............. but!.... when I opened a blank note pad the actions from TH  were the same.
I ran through the list of located points in regedit as per the link  
 
http://www.mwti.net/virus_info/virusalertd.asp?vid=903
 
However I was unable to find anything beyond the default settings.
I also ran updated anti x 2:- spy,AV and malware checkers all report negative.
 
The funny thing is that when I ran TH scanner - full - it did not bring up or report anything out of the ordinary so therefore I cannot put it on the ignore list (temporarily of course)!  
 
I have a tight control over note pad and help files via GSS HIPS and only give permission per app basis so would be aware if this was an ongoing situation.
It appears (though I could be wrong) that this is a false positive at least on here.
 
point 2. (IMPORTANT!!!!!!!!!!!)
 
As an aside where has my interface gone?! In v.4.5 and earlier I had the ability to define custom trojans files this has now gone in 4.6 so I'm paying for less question is why? On many occasions I have wanted to enter spyware and trojans picked up from apps,host,bho,surfing on the dark side and security lists but have been unable to do so. That was one of the beauties of TH but now it's gone!!Huh??
 
point 3.
Have updated TH 29/10 situation's the same, still reporting note pad as a virus.
 
Ghost

Gavin_Coe
Trojan Analyst
« Reply #9 on: Oct 28th, 2006, 9:39pm »

Hi, please let me know if this is fixed?

The_Ghost
Newbie
« Reply #10 on: Oct 28th, 2006, 10:31pm »

Hey Gavin,
 
Sorry for the delay!
 
Tried host files, tried proxo list, tried blank note pad all seem to be working now. Thanks for the update!
 
The headsup for the note pad was valid but TH does not seem to handle it that well. First fp I have seen for TH on this sys. Apart from old archived apps.
 
Any views on the return of custom trojan?spyware interface?
 
Ghost

valleyman
Newbie
« Reply #11 on: Oct 29th, 2006, 10:25am »

Running W2K Pro SP4, fully updated and patched.  After running every check on Notepad that I could come up with (all negative, by the way)  I just decided to say the heck with it and deleted notepad after booting into Safe Mode.
 
From Gavin's post I am guessing that this was a FP?

siliconman01
Global Moderator
« Reply #12 on: Oct 29th, 2006, 10:42am »

Yes, it was a false positive.  Sorry for the inconvenience and trouble it put you through.

lzyatchina
Newbie
« Reply #13 on: Oct 31st, 2006, 7:03pm »

Same problem.

Randy_Bell
Global Moderator
« Reply #14 on: Oct 31st, 2006, 8:29pm »

lzyatchina, welcome to the forums -- do you have an up-to-date ruleset?  As I thought our trojan analyst had fixed the f.p.