Found a Trojan in PM directory

Support board for people running on (retail/OEM) Windows XP (32/64-bit).
Forum rules
This is a self-serve support board for our community. The development team can't provide any support for Windows XP (and compatible versions of Pale Moon for it) any longer.
John connor

Found a Trojan in PM directory

Post by John connor » 2016-12-27, 12:07

I am running PM version 26.5 atom version on a netbook with XP. I use the antivirus Immunet and it tried to quarantine a possible Trojan named Clam.Win.Toa.5370166-0 in the path


Application data/Moonchild productions/Pale Moon/profiles/my profile/start up cache/startupcache.4.little
I did scan the computer with various scanners including Herdprotect. Herdprotect didn't really find anything that was out of the normal, but I have to wait 30 minutes to scan again.

This is the first time I've seen this after over two years running PM and Immunet. Might be a false positive?


Edit-

Looks like a false positive. https://support.mozilla.org/en-US/questions/961786

hackerman1
Lunatic
Posts: 385
Joined: 2013-12-19, 15:12
Location: Sweden

Re: Found a Trojan in PM directory

Post by hackerman1 » 2016-12-27, 12:44

You can use VirusTotal to verify that you have found a false positive.
If all / almost all of the well-known antimalware programs say it's OK, then it's probably a false positive...
Administrator on Windows Server to Workstation
Moderator (and "undercover" Admin) on The Windows Club Forum

Security: EAM, Comodo Firewall and HIPS, WinPatrol+, HOSTS-file, UAC (max), Sandboxie, NoScript and ADBlock.

John connor

Re: Found a Trojan in PM directory

Post by John connor » 2016-12-27, 13:32

Don't really need to use VirusTotal. HerdProtect uses 68 anti-virus engines.

Moonchild
Pale Moon guru
Posts: 35474
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Found a Trojan in PM directory

Post by Moonchild » 2016-12-27, 18:36

John connor wrote: Don't really need to use VirusTotal. HerdProtect uses 68 anti-virus engines.
If it does, you can expect plenty of false positives :P
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Moonraker
Board Warrior
Posts: 1878
Joined: 2015-09-30, 23:02
Location: uk.

Re: Found a Trojan in PM directory

Post by Moonraker » 2016-12-27, 23:51

Why does it only occur with Pale Moon and not other browsers? I think most users of Pale Moon will be quietly wondering this.
user of multiple puppy linuxes..upup,fossapup.scpup,xenialpup..... :thumbup:

Pale moon 29.4.1

Falna
Astronaut
Posts: 511
Joined: 2015-08-23, 17:56
Location: UK / France

Re: Found a Trojan in PM directory

Post by Falna » 2016-12-28, 11:37

Moonraker wrote: Why does it only occur with palemoon
Why does what only occur?

Forked extensions :
● Add-ons Inspector ● Auto Text Link ● Copy As Plain Text ● Copy Hyperlink Text ● FireFTP button replacement ● gSearch Bar ● Navigation Bar Enhancer ● New Tab Links ● Number Tabs ● Print Preview Button and Keyboard Shortcut 2 ● Scrollbar Search Marker ● Simple Marker ● Tabs To Portfolio ● Update Alert ● Web Developer's Toolbox ● Zap Anything

Hint: If you expect a reply to your PM, allow replies...

Moonchild
Pale Moon guru
Posts: 35474
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Found a Trojan in PM directory

Post by Moonchild » 2016-12-28, 14:47

Moonraker wrote: Why does it only occur with palemoon and not other browsers?
It does occur with other browsers.
Firefox too: https://support.mozilla.org/en-US/questions/961786
Other browsers will also hit this occasionally -- there are only so many different variations of similar traffic stored on disk, and when an AV suite scans for "signatures" (specific sequences of bytes) it can and will hit it eventually. The way the startup cache is stored apparently happens to have similarity to some of these signatures (probably because of its structure). Pale Moon had a false positive signature hit in the past on its icon, too, by chance. Since that was embedded in palemoon.exe, it was flagged as a virus :problem:

That's why I said you'll get plenty of false positives -- you're multiplying this chance by the number of engines it uses.

Moonraker
Board Warrior
Posts: 1878
Joined: 2015-09-30, 23:02
Location: uk.

Re: Found a Trojan in PM directory

Post by Moonraker » 2016-12-28, 16:07

Thank you Moonchild. That's that mystery solved lol. :clap:

hackerman1
Lunatic
Posts: 385
Joined: 2013-12-19, 15:12
Location: Sweden

Re: Found a Trojan in PM directory

Post by hackerman1 » 2016-12-28, 16:38

Moonchild wrote:
John connor wrote: Don't really need to use VirusTotal. HerdProtect uses 68 anti-virus engines.
If it does, you can expect plenty of false positives :P
It's the same "problem" with VirusTotal and its 54 antimalware programs...
When I double-check a file with VirusTotal, I usually get a false positive or two.
And it's usually from some "unknown" antimalware program,
not from any of the "well-known" programs like Avira, Emsisoft, ESET, Kaspersky, Symantec etc.
Which means it can be ignored...
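The two points made above, Moonchild's explanation that a byte-pattern signature can fire on a benign, structured file and that every extra engine multiplies the chance of a spurious hit, and hackerman1's triage rule of weighing well-known engines over obscure ones, as one added example. This is not code from the thread, from Pale Moon or from any AV vendor. Everything in it is constructed for illustration: the fake cache layout, the signature byte patterns, the engine names, the 0.1% per-engine false-positive rate, and the set of "well-known" vendors (taken from the names hackerman1 lists).

```python
"""Signature false positives on structured data, and triage of a multi-engine report.

Added example, not part of the thread. All data below is constructed.
"""
import hashlib
import struct
from typing import Dict, List, Optional

# --- 1. a short byte signature hitting a benign, structured file -------------

def build_fake_cache(n_records: int = 64) -> bytes:
    """Constructed stand-in for a cache file: a magic header followed by
    fixed-size (offset, length, flags) records. Nothing here is code."""
    out = bytearray(b"CACHE\x04\x00\x00")
    for i in range(n_records):
        out += struct.pack("<IIH", i * 4096, 0x1000, 0x4D5A)  # arbitrary field values
    return bytes(out)

# Constructed signatures. SHORT_SIG is deliberately short and generic; the
# adjacent "length" and "flags" fields of every record above happen to spell it
# out, which is the kind of structural coincidence Moonchild describes.
# LONG_SIG continues with bytes the blob never contains.
SHORT_SIG = b"\x00\x10\x00\x00\x5a\x4d"
LONG_SIG = SHORT_SIG + b"\x00\xde\xad\xbe\xef\x13\x37\x00"

def scan(data: bytes, signatures: Dict[str, bytes]) -> List[str]:
    """Return the names of every signature whose byte pattern occurs in data."""
    return [name for name, pat in signatures.items() if pat in data]

def p_at_least_one_fp(n_engines: int, per_engine_fp: float) -> float:
    """Chance that at least one of n independent engines misfires on a clean
    file, for an assumed per-engine false-positive rate."""
    return 1.0 - (1.0 - per_engine_fp) ** n_engines

# --- 2. triaging a multi-engine report ----------------------------------------

# Assumption: the vendors hackerman1 names are the ones whose verdict we trust.
WELL_KNOWN = frozenset({"Avira", "Emsisoft", "ESET", "Kaspersky", "Symantec"})

def sample_report() -> Dict[str, Optional[str]]:
    """Constructed report: 60 engines, 2 hits, both from obscure engines."""
    report: Dict[str, Optional[str]] = {name: None for name in sorted(WELL_KNOWN)}
    report.update({f"Engine{i:02d}": None for i in range(1, 56)})
    report["Engine07"] = "Heur.Suspicious.Generic"
    report["Engine41"] = "Gen.Variant.Packed"
    return report

def summarize(report: Dict[str, Optional[str]], well_known=WELL_KNOWN) -> dict:
    hits = {engine: label for engine, label in report.items() if label}
    return {
        "engines": len(report),
        "hits": len(hits),
        "well_known_hits": sum(1 for engine in hits if engine in well_known),
        "labels": sorted(set(hits.values())),
    }

def verdict(report: Dict[str, Optional[str]], well_known=WELL_KNOWN, max_ratio: float = 0.05) -> str:
    """A hit from a trusted engine always warrants a look; a handful of hits
    from obscure engines on an otherwise clean report is the usual false positive."""
    s = summarize(report, well_known)
    if s["well_known_hits"]:
        return "investigate: flagged by a well-known engine"
    if s["hits"] / s["engines"] <= max_ratio:
        return "likely false positive: few hits, none from well-known engines"
    return "investigate: many engines agree"

def sha256_hex(data: bytes) -> str:
    """Hash to look up on a multi-engine service instead of uploading the file:
    a profile's startup cache can contain URLs and other personal data."""
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    blob = build_fake_cache()
    print("sha256 to look up:", sha256_hex(blob))
    print("hits on benign blob:", scan(blob, {"short": SHORT_SIG, "long": LONG_SIG}))
    for n in (1, 54, 68):
        print(f"{n:2d} engines, 0.1% FP each -> P(>=1 false hit) = {p_at_least_one_fp(n, 0.001):.3f}")
    rep = sample_report()
    print(summarize(rep), "->", verdict(rep))
    rep["Kaspersky"] = "Trojan.Win32.Example"  # constructed: a trusted engine now agrees
    print(verdict(rep))
```

The point of the first half is that the short signature fires on every record of a file that contains no code at all, while the longer one does not; real engines use far richer rules than a substring match, but a scanner that keys on a handful of bytes is exactly the one that a regular on-disk structure can satisfy by chance. The second half is only a heuristic: a single obscure-engine hit on a file that dozens of engines clear is ordinary, while a hit from an engine you trust, or broad agreement, is the signal to stop and look.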

John connor

Re: Found a Trojan in PM directory

Post by John connor » 2016-12-28, 23:57

Moonchild wrote:
John connor wrote: Don't really need to use VirusTotal. HerdProtect uses 68 anti-virus engines.
If it does, you can expect plenty of false positives :P

HerdProtect didn't find anything except a few false hits from other legit shit.

d3v14n7

Re: Found a Trojan in PM directory

Post by d3v14n7 » 2017-03-05, 00:24

I have no idea why people use resident antivirus.
If I ever run a manual scan as a precursor to troubleshooting, only intending to check for rootkits, I've only ever experienced false positives, as it finds my firmware flashers and flags my collected scene prods due to archive packing methods.

John connor

Re: Found a Trojan in PM directory

Post by John connor » 2017-03-05, 05:40

I've just been using Sandboxie, NoScript and uBlock for my browser. I had Bitdefender Free, but it was messing around with Teamviewer so I got rid of BD. I don't use anti-virus software on my gaming computer either. Interferes with my game haxxs and mods. :twisted: But I do once in a while use a vast amount of scanners. Never seem to find anything though and if I do I can always reclone my computer from my back up image.

hackerman1
Lunatic
Posts: 385
Joined: 2013-12-19, 15:12
Location: Sweden

Re: Found a Trojan in PM directory

Post by hackerman1 » 2017-03-05, 09:38

John connor wrote: I've just been using Sandboxie, NoScript and uBlock for my browser. I had Bitdefender Free, but it was messing around with Teamviewer so I got rid of BD. I don't use anti-virus software on my gaming computer either. Interferes with my game haxxs and mods. :twisted: But I do once in a while use a vast amount of scanners. Never seem to find anything though and if I do I can always reclone my computer from my back up image.
And ?
What has this to do with the subject of this thread...?

John connor

Re: Found a Trojan in PM directory

Post by John connor » 2017-03-05, 10:19

I was replying to the poster above me. I guess I should have used the quote feature, oh sire. My humblest apologies. :lol:
