nissi1

False Positives in AOL and Microsoft Works

Good morning,

I have McAfee Security Center but I also use SuperAntiSpyware (SAS) at least once a month as a backup.

This morning I scanned my computer with SAS and, to my surprise/horror, besides the usual tracking cookies there were 4 Vundo trojans.

C:\PROGRAMFILES\AOL INSTALL\AOL90\COMPS\TPSPD\DACLDLL.DLL

C:\Program Files/MicrosoftWorks\HASPI.DLL

C:\PROGRAMDATA\AOLDOWNLOADS\WAOL\0.4334.30.2\COMPS\TPSPD\DACLDLL.DLL

C:\USERS\ALLUSERS\AOLDOWNLOADS\WAOL\0.4334.30.2\COMPS\TPSPD\DACLDLL.DLL

This also surprised me because I had uninstalled AOL 9.0 and installed 9.1 months ago. Also, I had not used Works since 9/2007. Since I am a member of the Dell Community Forum, I posted my findings immediately.

My first reply indicated it may be a false positive and suggested a site, Jotti virusscan or Virustotal.com, to scan each line. They were all clean.

Another reply suggested another site, Malwarebytes, to perform a quick scan. It was this scan's results that showed a Rogue, Adware Alert, in the registry.

After the removal of Adware Alert, I ran SAS again. This time the result was the always existent tracking cookies.

It was suggested I inform this forum of my experience; someone may have the same experience.

Thank you,

Nissi1

Did you submit these from within the SAS scan if you thought that they were false positives? Do you have the SAS logs? Submit them to samples AT superantispyware.com :)

You are scanning with older definitions; make sure you are scanning with the versions that match those here:

https://www.superantispyware.com/definitions.html

Good morning Pandato,

As I wrote, it was not I that thought it was a FP, it was the subsequent scans that indicated they were false positives.

What I posted in this forum was copied onto a notepad directly from SAS's log.

Thank you for your reply and have a Blessed Day,

Nissi1

Good morning,

Regarding the false positive scan, below is a copy of the results taken from the SAS log.

Thank you.

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 04/10/2008 at 03:11 AM

Application Version : 3.9.1008

Core Rules Database Version : 3435

Trace Rules Database Version: 1427

Scan type : Complete Scan

Total Scan Time : 00:52:51

Memory items scanned : 550

Memory threats detected : 0

Registry items scanned : 7433

Registry threats detected : 0

File items scanned : 74990

File threats detected : 12

Adware.Tracking Cookie

C:\Users\ZANDRA JONES\AppData\Roaming\Microsoft\Windows\Cookies\zandra_jones@tribalfusion[1].txt

C:\Users\ZANDRA JONES\AppData\Roaming\Microsoft\Windows\Cookies\zandra_jones@mediaplex[1].txt

C:\Users\ZANDRA JONES\AppData\Roaming\Microsoft\Windows\Cookies\Low\zandra_jones@ad.yieldmanager[2].txt

C:\Users\ZANDRA JONES\AppData\Roaming\Microsoft\Windows\Cookies\Low\zandra_jones@adrevolver[2].txt

C:\Users\ZANDRA JONES\AppData\Roaming\Microsoft\Windows\Cookies\Low\zandra_jones@advertising[1].txt

C:\Users\ZANDRA JONES\AppData\Roaming\Microsoft\Windows\Cookies\Low\zandra_jones@casalemedia[2].txt

C:\Users\ZANDRA JONES\AppData\Roaming\Microsoft\Windows\Cookies\Low\zandra_jones@doubleclick[1].txt

C:\Users\ZANDRA JONES\AppData\Roaming\Microsoft\Windows\Cookies\Low\zandra_jones@media.adrevolver[1].txt

Trojan.Vundo-Variant/F

C:\PROGRAM FILES\AOL INSTALL\AOL90\COMPS\TPSPD\DACLDLL.DLL

C:\PROGRAM FILES\MICROSOFT WORKS\HSAPI.DLL

C:\PROGRAMDATA\AOL DOWNLOADS\WAOL\0.4334.30.2\COMPS\TPSPD\DACLDLL.DLL

C:\USERS\ALL USERS\AOL DOWNLOADS\WAOL\0.4334.30.2\COMPS\TPSPD\DACLDLL.DLL

It appears that you are scanning with the old version of SAS; the current version is 4.0.1154. Also update the definitions to core 3436 or later and trace 1428 or later. Please post back if that resolves the problem. :) If not, submit a customer service request for assistance.
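
An added example, not part of the original thread and not SUPERAntiSpyware's own code: a small parser for the scan-log layout quoted above that reports which components are older than the versions named in this reply and groups the flagged paths by detection name. The sample log is constructed (user name replaced), and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the log quoted in this thread (user name replaced).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Generated 04/10/2008 at 03:11 AM
Application Version : 3.9.1008
Core Rules Database Version : 3435
Trace Rules Database Version: 1427
File threats detected : 12
Adware.Tracking Cookie
C:\Users\EXAMPLE\AppData\Roaming\Microsoft\Windows\Cookies\Low\example@doubleclick[1].txt
Trojan.Vundo-Variant/F
C:\PROGRAM FILES\AOL INSTALL\AOL90\COMPS\TPSPD\DACLDLL.DLL
C:\PROGRAM FILES\MICROSOFT WORKS\HSAPI.DLL
"""

# Minimum versions as stated in the reply above.
MINIMUMS = {
    "Application Version": (4, 0, 1154),
    "Core Rules Database Version": (3436,),
    "Trace Rules Database Version": (1428,),
}

FIELD = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.+)$")   # "Key : value" header lines
PATH = re.compile(r"^[A-Za-z]:\\")                   # flagged file paths

def as_version(text):
    """Turn '3.9.1008' into (3, 9, 1008) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_log(text):
    """Return (header fields, {detection name: [flagged paths]})."""
    fields, detections, heading = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue                      # the pasted log is double-spaced
        if PATH.match(line):              # test before FIELD: "C:\..." also has a colon
            detections.setdefault(heading, []).append(line)
        elif (m := FIELD.match(line)):
            fields[m.group(1)] = m.group(2)
        else:
            heading = line                # last plain line before paths is the detection name
    return fields, detections

def stale_components(fields):
    """Names of components that are missing from the log or below the stated minimum."""
    return [name for name, minimum in MINIMUMS.items()
            if name not in fields or as_version(fields[name]) < minimum]
```

Running `stale_components` on the header of a log before treating its detections as real shows at a glance whether the scan used the program and rule versions the vendor asks for.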

You need to update your definitions - you are scanning with OLD DEFINITIONS.

Hello Pandato,

I maintain an icon for SAS on my desktop and I always update before a scan. I did not think it was necessary to uninstall and reinstall the entire application on a regular basis to keep it up to date.

I checked further and noticed Vundo-threat/F was among the updates yesterday. Someone who posted in Bleeping Computer may have had the same experience as I, also yesterday.

http://www.bleepingcomputer.com/forums/topic141167.html

I will definitely do as you suggested since I like and depend on SAS as a backup to my resident security center.

Thank you again and may you continue to be richly blessed,

Nissi1
