Clamwin reporting Spybot as Trojan



daryl_mussell
2008-12-17, 16:57
On two of my machines in my home in the last few days, Clamwin is reporting updates in the Spybot update directory as trojans. Is this a false positive or has malware replaced the detection files?

Here's the log from Clamwin:

C:\Program Files\Spybot - Search & Destroy\Updates\advcheck162.exe: Trojan.Agent-65253 FOUND
C:\Program Files\Spybot - Search & Destroy\Updates\sdhelper161.exe: Trojan.Agent-65253 FOUND
C:\Program Files\Spybot - Search & Destroy\Updates\teatimer161.exe: Trojan.Agent-65253 FOUND
C:\Program Files\Spybot - Search & Destroy\Updates\teatimer162.exe: Trojan.Agent-65253 FOUND
C:\Program Files\Spybot - Search & Destroy\Updates\tools216.exe: Trojan.Agent-65253 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 474535
Engine version: 0.94.1
Scanned directories: 54185
Scanned files: 258368
Infected files: 5
Data scanned: 12403.43 MB
Time: 6105.982 sec (101 m 45 s)

Here's the update directory listing:

Volume in drive C has no label.
Volume Serial Number is 8E15-FD12

Directory of c:\Program Files\Spybot - Search & Destroy\Updates

12/17/2008 06:39 AM <DIR> .
12/17/2008 06:39 AM <DIR> ..
10/22/2008 12:37 PM 651,144 advcheck162.exe
10/22/2008 09:00 PM 621,326 advcheck162.zip
11/05/2008 09:01 PM 559,133 clsid.zip
09/10/2008 08:00 PM 288,516 desc.english.zip
12/17/2008 06:39 AM 7,492 downloaded.ini
12/10/2008 09:01 PM 2,905 fpfix.zip
09/03/2008 04:43 PM 123,836 includes.dialer.zip
11/19/2008 09:00 PM 153,142 includes.hijackers.zip
12/10/2008 09:00 PM 76,923 includes.keyloggers.zip
11/19/2008 09:00 PM 435,016 includes.malware.zip
12/17/2008 06:38 AM 93,074 includes.pups.zip
12/10/2008 09:00 PM 186,270 includes.spybots.zip
11/05/2008 09:01 PM 536,538 includes.trojans.zip
12/17/2008 06:38 AM 1,519,373 includes.zip
10/08/2008 08:00 PM 25,803 lang.english.zip
12/17/2008 06:39 AM 81,555 online.ini
12/17/2008 06:39 AM 7,642 online.ini.uiz
09/15/2008 01:38 PM 843,168 sdhelper161.exe
09/24/2008 08:01 PM 813,416 sdhelper161.zip
12/17/2008 06:38 AM 648,084 supplemental.zip
08/20/2008 08:36 AM 937,696 teatimer161.exe
08/20/2008 08:01 PM 908,195 teatimer161.zip
09/16/2008 11:19 AM 937,696 teatimer162.exe
09/24/2008 08:01 PM 908,027 teatimer162.zip
10/22/2008 12:57 PM 650,472 tools216.exe
10/22/2008 09:01 PM 620,925 tools216.zip
26 File(s) 12,637,367 bytes
2 Dir(s) 306,697,658,368 bytes free

brentaar
2008-12-17, 19:27
I'm getting the same thing


Scan Started Wed Dec 17 00:30:00 2008
-------------------------------------------------------------------------------

*** Scanning Programs in Computer Memory ***
*** Memory Scan: using ToolHelp ***


*** Scanned 48 processes - 622 modules ***
*** Computer Memory Scan Completed ***

...
C:\downloads\regalyz.exe: Trojan.Agent-65253 FOUND
C:\downloads\spybotsd160.exe: Trojan.Agent-65253 FOUND
C:\Program Files\Spybot - Search & Destroy\Updates\sdhelper161.exe: Trojan.Agent-65253 FOUND
C:\Program Files\Spybot - Search & Destroy\Updates\sdhelper161.zip: Trojan.Agent-65253 FOUND
C:\Program Files\Spybot - Search & Destroy\Updates\teatimer161.exe: Trojan.Agent-65253 FOUND
C:\Program Files\Spybot - Search & Destroy\Updates\teatimer161.zip: Trojan.Agent-65253 FOUND
C:\Program Files\Spybot - Search & Destroy\Updates\teatimer162.exe: Trojan.Agent-65253 FOUND
C:\Program Files\Spybot - Search & Destroy\Updates\teatimer162.zip: Trojan.Agent-65253 FOUND
...


----------- SCAN SUMMARY -----------
Known viruses: 474548
Engine version: 0.94.1
Scanned directories: 18129
Scanned files: 151479
Infected files: 12
Data scanned: 50914.79 MB
Time: 18604.094 sec (310 m 4 s)

and running sdhelper161.exe through VirusTotal yielded no problems.

mdave
2008-12-17, 20:08
Here at Barracuda we're getting reports of this as well...

Trojan.Agent-65253 -- teatimer162.zip

Trojan.Agent-65253 -- tools216.zip

Trojan.Agent-65253 -- sdhelper161.zip

Trojan.Agent-65253 -- advcheck162.zip

Trojan.Agent-65253 -- sdhelper161.zip


all from ClamAV. I'll contact them; you should too.

PepiMK
2008-12-17, 20:10
Sounds a bit like their heuristics are a bit high, flagging all InnoSetup installers. If they were infected, they would not execute, since they're codesigned. You could right-click one of those files, choose Properties and check the signature - if it's unbroken (and signed by us), the file is original and clean.

I just updated ClamAV and let it scan a full archive of present and past updates. It even identified a few many-year-old versions, basically every installer created with InnoSetup (either plain or zipped). So it's probably a generic installer engine false positive.
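A scripted version of the Properties-dialog signature check PepiMK describes, added here as an example and not part of the thread: it reads a ClamWin log in the "path: Name FOUND" format posted above and reports the Authenticode status and signer of every flagged file. The log path and the expected-publisher string are placeholders (assumptions), and the zipped copies carry no Authenticode signature, so only the .exe files can be cleared this way.

```powershell
# Added example, not code from the thread. Reads a ClamWin/clamscan log in the
# "path: Name FOUND" format and checks the Authenticode signature of each flagged
# file, which is the Properties-dialog check PepiMK describes, done in bulk.
# Assumptions: the log path and the expected publisher string are placeholders.

function Test-ClamDetection {
    param(
        [Parameter(Mandatory)] [string] $LogPath,
        [string] $ExpectedPublisher = 'PLACEHOLDER PUBLISHER'   # substring of the signer's subject
    )

    # Detection lines look like:
    #   C:\Program Files\Spybot - Search & Destroy\Updates\teatimer162.exe: Trojan.Agent-65253 FOUND
    $detection = '^(?<path>.+?): (?<sig>\S+) FOUND$'

    Get-Content -LiteralPath $LogPath | ForEach-Object {
        if ($_ -notmatch $detection) { return }      # skip summary and other lines
        $path = $Matches['path']
        $name = $Matches['sig']

        if (-not (Test-Path -LiteralPath $path)) {
            return [pscustomobject]@{ File = $path; Detection = $name; Status = 'Missing'; Signer = ''; Verdict = 'file not present' }
        }

        # Archives (.zip) carry no Authenticode signature; extract and check the .exe inside.
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        $verdict = switch ($sig.Status) {
            'Valid' {
                if ($signer -like "*$ExpectedPublisher*") { 'intact and signed by expected publisher: likely false positive' }
                else { 'intact but signed by someone else: review' }
            }
            'HashMismatch' { 'signature does not match contents: file was modified, treat as suspicious' }
            'NotSigned'    { 'no signature present: cannot be cleared by this check' }
            default        { "status $($sig.Status): review manually" }
        }

        [pscustomobject]@{ File = $path; Detection = $name; Status = $sig.Status; Signer = $signer; Verdict = $verdict }
    }
}

# Placeholder log path; run on the machine where the flagged files live.
Test-ClamDetection -LogPath 'C:\temp\clamwin.log' -ExpectedPublisher 'PLACEHOLDER PUBLISHER' |
    Format-Table -AutoSize -Wrap
```

A Valid status with the expected signer shows the file is the one the publisher shipped, which is what separates a detection-engine false positive from a replaced update file; a HashMismatch is the case that warrants treating the file as modified.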