Jump to content

Nirsoft flagged as Trojan.PassThief


Recommended Posts

Malwarebytes' Anti-Malware 1.34

Database version: 1831

Windows 5.1.2600 Service Pack 2

11/03/2009 1:31:31 AM

mbam-log-2009-03-11 (01-31-31).txt

Scan type: Quick Scan

Objects scanned: 63634

Time elapsed: 5 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\NirSoft (Trojan.PassThief) -> Not selected for removal. [3857535134304144385864365451513847536454523851615248395356345138614774835280718

5]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Those certainly look like legit entries to me. It's possible that at some point certain trojans were bundling with legit tools from Nirsoft to grab keys and/or passwords, otherwise I would say that this is a full blown FP. Either way in your case, since you're using tools from Nirsoft, I would just ignore the detection.

Link to post
Share on other sites
It's possible that at some point certain trojans were bundling with legit tools from Nirsoft to grab keys and/or passwords...

Eggzactly; in fact you'll find that a variety of AVs, ATs and the like detect (certain) Nirsoft tools for precisely that reason.

Link to post
Share on other sites

You're very welcome, exile360 :D

To quote (formerly BOClean's, now COMODO's) Kevin McAleavey already a couple of years ago:

We've reluctantly had to add *ALL* of Nirsoft's tools for detection as a result of a nasty new "USB system thief" package made up of all their stuff since it's all automated and hidden by Nirsoft's NIRCMD module into a nice little kit that will grab ALL of the information off a machine (passwords, you name it) and uses THAT module to spread the infection to any removable media plugged into an infected machine. No choice but to cover it.
Link to post
Share on other sites

Cool. I didn't know about that. I'm a BoClean user myself and haven't had any hits with it thus far (perhaps because it's since been removed from detection), but I don't use NIRCMD either, and it itself may still be flagged.

Link to post
Share on other sites

I also saw the FP. I use Current Ports. I ignored it on the first pass, read the post concerning delvelopers mode but the second pass run clean. Here's the log from the first detection:

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 5.0.2195 Service Pack 4

3/10/2009 4:24:22 PM

mbam-log-2009-03-10 (16-24-00).txt

Scan type: Quick Scan

Objects scanned: 56852

Time elapsed: 2 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\NirSoft (Trojan.PassThief) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

All clear........

Malwarebytes' Anti-Malware 1.34

Database version: 1833

Windows 5.1.2600 Service Pack 2

11/03/2009 12:01:08 PM

mbam-log-2009-03-11 (12-01-08).txt

Scan type: Quick Scan

Objects scanned: 63839

Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.