McAfee VirusScan has now been (incorrectly) flagging a file installed with TrojanHunter as malware for several weeks. We have contacted McAfee to get them to fix this false positive, but so far to no avail. One has to wonder if McAfee are doing a little creative “competition control” as they haven’t bothered replying to or taking action on our false positive report. No doubt several of their users must have contacted them about this as well by now.

People, if you’re emailing the technical support address because you have a problem with some software, here is a great example of what not to write:

I’m having a problem with the program.

While I’m sure some support technicians love Zen koans as much as the next guy, you might want to clarify exactly what problem you have running the program. All the above will lead to is another email where the support technician has to get back to you and ask what exactly the problem is.

Total Secure 2009 is a rogue anti-malware product (meaning it floods you with fake alerts about malware that you don’t actually have on your system). While analyzing the product for inclusion in the TrojanHunter detection database I experienced the annoying effects of this program first-hand.

There are lots of removal guides out there, but most of them miss a crucial file. This is a DLL file that is loaded into explorer.exe and causes incredibly annoying “warning” messages to appear when you browse folders in Windows Explorer. For all practical purposes it makes Windows Explorer useless.

The latest variants place the offending DLL file in C:\Windows\system32\ with the name sysbase32.dll. Note that it is difficult to remove this file manually while loaded into explorer.exe. I recommend booting into Safe Mode and removing the entire Total Secure 2009 folder from there, as well as the DLL file. The DLL file also changes names between releases, so use a signature-based scanning product like TrojanHunter to detect and remove it. Note that TrojanHunter is able to unload and remove the DLL file from a running system which is something that no other program is able to do at the moment.

Apparently you can’t get away forever with fooling users into thinking they have malware on their system when they really don’t, and then offering to sell them a “removal tool” that does absolutely nothing but remove the fake alerts.

The creators of such programs as Antivirus XP, Registry Cleaner XP and WinDefender are getting sued by Microsoft and the state of Washington under the state’s Computer Spyware Act which prohibits making false claims of spyware or malware on a system. The penalty is actual damages incurred or a punitive damage of $100,000 per offense, whichever is greater.