PSW-Banker Trojan?

[vbwyrde]

Hi McAfee reports that our setup.exe as a PSW-Banker trojan in it as well as in the screensaver setup file that I created. It removed the setup.exe file so that I can not compile setups with the application now. Any clue as to what's going on with this? I'm pretty sure your not really stealing passwords, so the question is - what's going on with McAfee? Is it possible that someone else (cracker) infected your setup.exe on my machine? Any insight would be appreciated. Thank you.

[Karlis]

Most likely it is another bug with McAfee. The McAfee anti-virus engine is pretty porrly designed, many developers often get false alarms.

What you should do is:
1) Remove/disable Mcafee or use another PC without McAfee installed to...
2) Create a sample setup file causing the problem
3) Send it to McAfee support and explain the problem with false alarm

I'd recommend to bug/annoy them a lot, so if they do not reply/correct the problem within a couple of days, bug them again. This is the only way to deal with them.

[vbwyrde]

Most likely it is another bug with McAfee. The McAfee anti-virus engine is pretty porrly designed, many developers often get false alarms.

What you should do is:
1) Remove/disable Mcafee or use another PC without McAfee installed to...
2) Create a sample setup file causing the problem
3) Send it to McAfee support and explain the problem with false alarm

I'd recommend to bug/annoy them a lot, so if they do not reply/correct the problem within a couple of days, bug them again. This is the only way to deal with them.

Unfortunately this does not resolve the issue very well. The problem is that any setup that is created by your program gets tagged by McAfee as having the Trojan in it. If this occurs for me, it will also occur for my customers who download the screensaver setup and also happen to use McAfee.

I hope I don't come across as contrary, but as your customer I rather expect you to go to bat with McAfee, not leave it to me to argue with them about it. For one thing, based on what would I be able to argue that there can not possibly be a Trojan in your software, considering I do not have the source code? The fact that you say so is hardly an argument that would make much sense. My suggestion is that you argue with McAfee about it, and let us know the results. I can wait a few days for them to fix their virus definition. As it is, I have removed your screensaver from my site to spare my clients the confusion of having to deal with this issue. I have notified them via the website that there is a possible Trojan in the application that developed the screensaver, and how to detect and remove it if it exists.

I realise you must find it frustrating that McAfee has again targetted your software - however, asking your customers to deal with it is not the best business practice, if I might say so. I suggest you contact McAfee and have the problem resolved and notify your customers via your website, and the forum. This would be the best way to build confidence in your company and products.

That said, I will say that I very much like the screensaver factory 4. So far it is the best one of its kind that I've found. So it would please me if I can use it going forward. I hope you can resolve the issue quickly.

Thank you.

[Karlis]

I'm afraid, you do not understand. We will contact McAfee, of course, it is by default, but we want *everybody* else to contact them as well. If we are the only person contacting them, they may dismiss our requests, but if they receive requests from multiple sources, they are more likely to resolve the problem quickly.

I have notified them via the website that there is a possible Trojan in the application that developed the screensaver, and how to detect and remove it if it exists.

This is completely false information. There can not be any trojan. Do you know what a "trojan" is?

[Karlis]

Ok, here is an update. We tested Screensaver Factory 4 with McAfee VirusScan (the latest available from their website) and it did not detect any problems at all. Also other customers have not reported this, so it could be one of following:

1) Your McAfee VirusScan is malfunctioning and it is an isolated case
2) You were right and there is a virus in your particular PC
3) There is something unusual or specific about your screensaver file (please provide a download link, so that we can check) that causes the false alarm.
4) Your McAfee or Sreensaver Factory version is out of date (we tested current versions).

[buzzcramp]

I ran across this site due to my "Zone Alarm" program notifying me that I have a Trojan on my system and these are the related entries in my registry:


File: C:\Documents and Settings\davis\Local Settings\temp\bassmod.dll
RegistryKey: HKEY_CURRENT_USER\Software\Karlis Blumentals
RegistryKey: HKEY_CURRENT_USER\Software\Karlis Blumentals\Easy GIF Animator
RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe

I googled your name and came up with this post.. I decided to reply to let you know that these detectors are obviously having some sort of problem with your application. I'm not sure how aware you are of these issues now since this posting above is quite old, but thought I should inform you of what I had found regardless. I trust that you and/or your applications have no malicious intent, therefore it's quite an unfortunate situation. When I get home from work later I'm going to investigate these accusations further and contact Zone Alarm to find out what their side is of this obviously false positive. If you have any further information on this I'd appreciate it if you'd link me to where it's been discussed..

davis

EDIT: btw.. I am aware that bassmod.dll is likely a trojan, my questions surround the registry entries.

[Karlis]

Of the listed, only these two are generated by our software:

RegistryKey: HKEY_CURRENT_USER\Software\Karlis Blumentals
RegistryKey: HKEY_CURRENT_USER\Software\Karlis Blumentals\Easy GIF Animator

And they are legitimate entries. I would appreciate if you would share any info regarding this that you can come across.

[paolari]

Why do i keep getting a trojan virus when i visit my friends Myspace page? Everytime i visit my one friends myspace page my McAfee Anti-Virus tells me i just got JS/Spacestalk trojan. However, even though McAfee finds this virus it cant remove quarantine or delete it? Does anyone know what needs to be done to get rid of this trojan!?

[MikeyB]

Why do i keep getting a trojan virus when i visit my friends Myspace page? Everytime i visit my one friends myspace page my McAfee Anti-Virus tells me i just got JS/Spacestalk trojan. However, even though McAfee finds this virus it cant remove quarantine or delete it? Does anyone know what needs to be done to get rid of this trojan!?

Not really sure this has anything to do with Screensaver Factory?

I would ask your friend to remove the dodgy code from his Myspage page.

[pukaleya]

How do I remove Renos trojan from my computer? Random ads keep popping up everywhere, despite the efforts of my Windows Security Essentials. I am trying to remove Renos trojan completely, so can anyone help out, if they can?
______________________________

[Aivars]

How do I remove Renos trojan from my computer? Random ads keep popping up everywhere, despite the efforts of my Windows Security Essentials. I am trying to remove Renos trojan completely, so can anyone help out, if they can?

I don't know how this question fits here
But anyway, after a quick googling I found this: http://answers.yahoo.com/question/index ... 017AA3mSAp

I hope that helps

[Aivars]

I realise you must find it frustrating that McAfee has again targeted your software - however, asking your customers to deal with it is not the best business practice, if I might say so. I suggest you contact McAfee and have the problem resolved and notify your customers via your website, and the forum. This would be the best way to build confidence in your company and products.

This is from 2007 and had you read the whole thread, you would see that we did contact McAffee. But thanks for your input.

[kevinjose356]

Yeah I know its almost 4 years old thread but its still helpful for me & many more peoples, keep updated it !

[flogger123]

It should be possible to whitelist this exe file so Mcafee could just ignore this. Security softwares always have false positives.