Jump to content


False positive???

  • Please log in to reply
3 replies to this topic

#1 jasper


    Advanced Member

  • Full Member
  • PipPipPip
  • 170 posts

Posted 28 June 2004 - 03:09 PM

Last night I did an on-line scan with McAffee and it came up with the "Exploit-URLSpoof.gen" trojan, it is located in C:\Documents and Settings\.....\index[7].htm. The question is this.
I performed a search for index[7].htm. and found nothing. I run a Norton scan daily - nothing, following this I ran scans by Trend Micro, Bit Defender, Panda Active Scan, and TDS they all came up clear.
The point is how can I be sure it is a false alarm if I cannot find the file and delete it? and what is next? I am open to any suggestions.

:wtf: :wtf:
Member of ASAP

#2 cnm


    Mother Lion of SWI

  • Retired Staff
  • PipPipPipPipPip
  • 25,317 posts

Posted 28 June 2004 - 07:05 PM

Possibility 1: MacAfee removed it.

Possibility 2: It's a hidden file. See HERE for how to show hidden files.

Possibility 3: It has changed its name after a reboot, malware does that quite often.

Possibility 4: It was a false positive and the file was never there.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here

#3 Trilobite


    Malware Hunter

  • Trusted Advisor
  • PipPipPipPipPip
  • 713 posts

Posted 28 June 2004 - 07:49 PM

I have recently run several tests of antivirus software on how well they detect viruses/Trojans. The results can be found here.

From my experience and from these tests, I would say that McAfee is a little on the sensitive side when it comes to detection.

As for deleting the file, I agree with cnm. Either McAfee removed it or it is still hidden from explorer. If you still cant find the file using explorer and cnms suggestion of showing hidden files, try to obtain the full path to the file from McAfee and attempt to delete it from a command prompt.


You could also try the command-line version of McAfee antivirus to remove the file, which I believe is still freeware/shareware. Download the Windows superdat file (ie: sdat4370.exe or similar filename) from here.

Save this file to a permanent location on your hard disk, such as c:\mcafeeav.
Next go to the start menu and click on run.
Type (you may need to change this to suit the filename) c:\mcafeeav\sdat4370.exe /e
Wait a few minutes for McAfee to unpack.
Then go to the start menu and click on run.
Type or cut and paste (with the quotation marks) c:\mcafeeav\scan.exe C:\Documents and Settings" /sub /all /clean /report c:\mcafeeav\results.txt

The results of this scan should now be in c:\mcafeeav\results.txt
If the file could not be cleaned, add /del to the run command.

Edited by Trilobite, 28 June 2004 - 08:23 PM.

ASAP Member since 2006

"Knowledge does not equal wisdom"
Guide to posting HijackThis logs to this forum

#4 jasper


    Advanced Member

  • Full Member
  • PipPipPip
  • 170 posts

Posted 29 June 2004 - 05:02 PM

I have done it!!!
I tried, Etrust, TrojanHunter, and Ewido to no avail. So I went back to Mcafee's and downloaded their free trial version, and removed it fom their. I had to remove Norton though to do it, temporary though. The annoying thing is that the offensive file was in Temp internet folders. I cleaned them out on Saturday, but I think I remember a suspect E-mail on Sunday but I did not open it. just deleted it.
Thank you for the input.

Member of ASAP

Member of UNITE
Support SpywareInfo Forum - click the button