jwsrcp

Are These Infections Or FP's?

I am running Win 7 Pro 64 bit, and I just downloaded the pre-release version 4.90 for 64 bit. I ran it and it found Trojan.Vundo-Variant/F and Trojan.Unclassified/Dropper. Are these real infections or FP's? Thanks.

You need to post the scan log so we can see which files it is detecting as malicious trojans.

Thanks....Here is the log:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 01/31/2010 at 08:57 AM

Application Version : 4.90.1014
Core Rules Database Version : 4541
Trace Rules Database Version: 2353

Scan type : Complete Scan
Total Scan Time : 00:23:53

Memory items scanned : 682
Memory threats detected : 0
Registry items scanned : 11264
Registry threats detected : 0
File items scanned : 24096
File threats detected : 2

Trojan.Vundo-Variant/F
C:\WINDOWS\SYSWOW64\ASUS_CAMERA_SCREENSAVER DIR\SAVER1.DLL

Trojan.Unclassified/Dropper
C:\WINDOWS\SYSWOW64\FAST BOOT\RUN.EXE

These look like they may be false positives. To check SAVER1.DLL and RUN.EXE, go to the link below and run each file through VirusTotal to see if any of the virus scanners flag them as malicious.

http://www.virustotal.com/

Post back here the VirusTotal results for each file scan.

Thanks....I restored them for now....Here is the result for the first one:

File SAVER1.DLL received on 2010.01.31 18:48:11 (UTC)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.01.31 -
AhnLab-V3 5.0.0.2 2010.01.31 -
AntiVir 7.9.1.154 2010.01.31 -
Antiy-AVL 2.0.3.7 2010.01.28 -
Authentium 5.2.0.5 2010.01.30 -
Avast 4.8.1351.0 2010.01.31 -
AVG 9.0.0.730 2010.01.31 -
BitDefender 7.2 2010.01.31 -
CAT-QuickHeal 10.00 2010.01.30 -
ClamAV 0.96.0.0-git 2010.01.31 -
Comodo 3774 2010.01.31 -
DrWeb 5.0.1.12222 2010.01.31 -
eSafe 7.0.17.0 2010.01.31 -
eTrust-Vet 35.2.7271 2010.01.29 -
F-Prot 4.5.1.85 2010.01.30 -
F-Secure 9.0.15370.0 2010.01.31 -
Fortinet 4.0.14.0 2010.01.31 -
GData 19 2010.01.31 -
Ikarus T3.1.1.80.0 2010.01.31 -
Jiangmin 13.0.900 2010.01.28 Backdoor/PcClient.jkx
K7AntiVirus 7.10.960 2010.01.29 -
Kaspersky 7.0.0.125 2010.01.31 -
McAfee 5878 2010.01.31 -
McAfee+Artemis 5878 2010.01.31 -
McAfee-GW-Edition 6.8.5 2010.01.31 -
Microsoft 1.5406 2010.01.31 -
NOD32 4822 2010.01.31 -
Norman 6.04.03 2010.01.31 -
nProtect 2009.1.8.0 2010.01.31 -
Panda 10.0.2.2 2010.01.31 -
PCTools 7.0.3.5 2010.01.31 -
Rising 22.32.06.04 2010.01.31 -
Sophos 4.50.0 2010.01.31 -
Sunbelt 3.2.1858.2 2010.01.31 -
Symantec 20091.2.0.41 2010.01.31 Suspicious.Insight
TheHacker 6.5.1.0.174 2010.01.31 -
TrendMicro 9.120.0.1004 2010.01.31 -
VBA32 3.12.12.1 2010.01.29 -
ViRobot 2010.1.30.2164 2010.01.30 -
VirusBuster 5.0.21.0 2010.01.31 -

Additional information
File size: 34292 bytes
MD5...: f6a9efba3e1b681a070426743f4b63a3
SHA1..: 402269ad84e821296b16a358e36c681a610bdfc6
SHA256: 5d93d8c46bd34d504fbb68edc633e0edaae507a7c317b2245a576e350b8b3f90
ssdeep: 768:uORyLEOc5xrsSL8eorktNQ75rLJCkqcB3ye3hWUjx/ZCB:u/YOc5hsKorktCacZFF
PEiD..: -

PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x13001
timedatestamp.....: 0x42bb64e4 (Fri Jun 24 01:41:56 2005)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8000 0x3c00 7.95 05c52d560a89587ef80b9259617d93eb
.rdata 0x9000 0x1000 0x1000 4.63 937065407a4c6645954a761e57402082
.data 0xa000 0x6000 0x800 7.72 0c9d7c3a1c562db4028af6a425c748d3
.Shared 0x10000 0x1000 0x1000 0.01 92bcd9bbfdde401c9af11cb2ef0e6e55
.reloc 0x11000 0x2000 0xa00 7.46 c4b7fbf0af3cd1562b7a8f8dd1e621b1
.aspack 0x13000 0x2000 0x1200 5.62 3244f2c30356ff050d180bddd02f1d39
.adata 0x15000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 2 imports )
> kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
> user32.dll: SendMessageA

( 5 exports )
RemoveKbHook, RemoveMouseHook, SetKbHook, SetMouseHook, SetShellHook

RDS...: NSRL Reference Data Set: -
pdfid.: -

trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)

packers (Kaspersky): ASPack
packers (F-Prot): Aspack

sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Here is the result for the second one:

File RUN.EXE received on 2010.01.31 18:52:36 (UTC)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.01.31 -
AhnLab-V3 5.0.0.2 2010.01.31 -
AntiVir 7.9.1.154 2010.01.31 -
Antiy-AVL 2.0.3.7 2010.01.28 -
Authentium 5.2.0.5 2010.01.30 -
Avast 4.8.1351.0 2010.01.31 -
AVG 9.0.0.730 2010.01.31 -
BitDefender 7.2 2010.01.31 -
CAT-QuickHeal 10.00 2010.01.30 -
ClamAV 0.96.0.0-git 2010.01.31 -
Comodo 3774 2010.01.31 -
DrWeb 5.0.1.12222 2010.01.31 -
eSafe 7.0.17.0 2010.01.31 -
eTrust-Vet 35.2.7271 2010.01.29 -
F-Prot 4.5.1.85 2010.01.30 -
F-Secure 9.0.15370.0 2010.01.31 -
Fortinet 4.0.14.0 2010.01.31 -
GData 19 2010.01.31 -
Ikarus T3.1.1.80.0 2010.01.31 -
Jiangmin 13.0.900 2010.01.28 -
K7AntiVirus 7.10.960 2010.01.29 -
Kaspersky 7.0.0.125 2010.01.31 -
McAfee 5878 2010.01.31 -
McAfee+Artemis 5878 2010.01.31 -
McAfee-GW-Edition 6.8.5 2010.01.31 -
Microsoft 1.5406 2010.01.31 -
NOD32 4822 2010.01.31 -
Norman 6.04.03 2010.01.31 -
nProtect 2009.1.8.0 2010.01.31 -
Panda 10.0.2.2 2010.01.31 -
PCTools 7.0.3.5 2010.01.31 -
Prevx 3.0 2010.01.31 -
Rising 22.32.06.04 2010.01.31 -
Sophos 4.50.0 2010.01.31 -
Sunbelt 3.2.1858.2 2010.01.31 -
Symantec 20091.2.0.41 2010.01.31 Suspicious.Insight
TheHacker 6.5.1.0.174 2010.01.31 -
TrendMicro 9.120.0.1004 2010.01.31 -
VBA32 3.12.12.1 2010.01.29 -
ViRobot 2010.1.30.2164 2010.01.30 -
VirusBuster 5.0.21.0 2010.01.31 -

Additional information
File size: 47660 bytes
MD5...: fee2fa7c4f1732dc24056b76560072bc
SHA1..: 6de14dffbc6ad989a9299dcbae75719988e168ca
SHA256: 4d103041608d1955b24bc9221f9c942cedfe430e53e4604d9cba9a2a9d06ee4e
ssdeep: 768:AGgyEKw1pLmewo1j3kbGyThdK8fs186V7KJC6Rrr1bwZLAmfb/:AGBEKsLJ/d8TfKosZaRrVwZLz/
PEiD..: -

PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x12c9
timedatestamp.....: 0x4a6823ab (Thu Jul 23 08:47:39 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x61d4 0x6200 6.61 37dbd8d721edcff10d1371bec3d03bf4
.rdata 0x8000 0x1b14 0x1c00 5.41 a6c01985b15a2dabf6cd0b2c00c2815d
.data 0xa000 0x18dc 0xe00 2.29 4d665c2859d2ce60c66f7b6047d95329
.rsrc 0xc000 0x1b4 0x200 5.10 c52ee9fcdbbff3ba2f8da39a1bd23689
.reloc 0xd000 0xc26 0xe00 3.96 3fa8ccf21269d1f111828dcc235a3120

( 2 imports )
> SHELL32.dll: ShellExecuteExW
> KERNEL32.dll: GetTickCount, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, GetProcAddress, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, GetLastError, InterlockedDecrement, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, LoadLibraryA, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapAlloc, VirtualAlloc, HeapReAlloc, RtlUnwind, HeapSize, GetLocaleInfoA, WideCharToMultiByte, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, LCMapStringW

( 0 exports )

RDS...: NSRL Reference Data Set: -

sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)

pdfid.: -

Does it matter if I accidentally restored each one twice? Thanks.

No, the second restore would just overwrite the first restore.

I think these are false positives based on the VirusTotal results. I recommend that you report them as false positives. You can do this by running another scan with SAS. After the scan completes and detects them again, check mark the first one and then select the "Report False Positive" button. Fill in the little form (you should reference this forum link as well in the comment area) and submit. Repeat for the second one. Then just cancel the scan without letting SAS quarantine them.

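The reasoning in the reply above (very few engines flagging a file, and one of them with a reputation-style name such as Suspicious.Insight, points toward a false positive) can be turned into a repeatable triage step. The script below is an added example written for this thread; it is not SUPERAntiSpyware or VirusTotal code. It parses a plain-text multi-scanner report in the layout quoted earlier in the thread (one "Vendor Version Date Result" row per line, with "-" meaning no detection, plus the "packers" and sigcheck "verified" fields assumed to be one per line), counts the hits, separates named detections from heuristic or reputation names, and produces a rule-of-thumb verdict. The sample report, the hit thresholds and the name patterns are all constructed assumptions, not values from any vendor.

```python
"""Triage a multi-scanner text report to judge whether a detection looks like a
false positive.  Added example; not SUPERAntiSpyware or VirusTotal code.
The input layout, thresholds and name patterns are assumptions modeled on the
report format quoted in this thread."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the layout of the text reports quoted in the thread.
SAMPLE_REPORT = """\
File SAVER1.DLL received on 2010.01.31 18:48:11 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.01.31 -
AntiVir 7.9.1.154 2010.01.31 -
Avast 4.8.1351.0 2010.01.31 -
BitDefender 7.2 2010.01.31 -
ClamAV 0.96.0.0-git 2010.01.31 -
F-Secure 9.0.15370.0 2010.01.31 -
Jiangmin 13.0.900 2010.01.28 Backdoor/PcClient.jkx
Kaspersky 7.0.0.125 2010.01.31 -
McAfee 5878 2010.01.31 -
Microsoft 1.5406 2010.01.31 -
NOD32 4822 2010.01.31 -
Symantec 20091.2.0.41 2010.01.31 Suspicious.Insight
Additional information
File size: 34292 bytes
packers (Kaspersky): ASPack
verified.....: Unsigned
"""

# One scanner row: vendor, engine version, signature date (YYYY.MM.DD), result.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(\S.*?)\s*$")
PACKER_RE = re.compile(r"^packers \((\w[\w-]*)\):\s*(.+?)\s*$")
# Assumed patterns for reputation/heuristic names (e.g. Symantec's Suspicious.Insight).
HEURISTIC_RE = re.compile(r"suspicious|heur|generic|insight|artemis", re.I)


@dataclass
class Report:
    filename: str = ""
    results: dict = field(default_factory=dict)   # vendor -> result string or "-"
    packers: dict = field(default_factory=dict)   # vendor -> packer name
    size: Optional[int] = None
    verified: Optional[str] = None                # sigcheck "verified" field


def parse_report(text: str) -> Report:
    """Parse the plain-text report; lines that match no known field are ignored."""
    rep = Report()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("File ") and " received on " in line:
            rep.filename = line.split()[1]
        elif line.startswith("File size:"):
            rep.size = int(re.search(r"(\d+)", line).group(1))
        elif line.startswith("verified"):
            rep.verified = line.split(":", 1)[1].strip()
        elif (m := PACKER_RE.match(line)):
            rep.packers[m.group(1)] = m.group(2)
        elif (m := ROW_RE.match(line)):
            rep.results[m.group(1)] = m.group(4)
    return rep


def triage(rep: Report, fp_max_hits: int = 2, fp_max_ratio: float = 0.1) -> dict:
    """Rule-of-thumb verdict (assumed thresholds): very few hits point to a false
    positive; many engines agreeing point the other way.  Named (non-heuristic)
    detections, missing signatures and packers are reported as notes so a
    reviewer can weigh them rather than trust the count alone."""
    total = len(rep.results)
    hits = {v: r for v, r in rep.results.items() if r != "-"}
    named = {v: r for v, r in hits.items() if not HEURISTIC_RE.search(r)}
    ratio = len(hits) / total if total else 0.0
    if not hits:
        verdict = "clean"
    elif len(hits) <= fp_max_hits or ratio <= fp_max_ratio:
        verdict = "likely-false-positive"
    elif ratio < 0.5:
        verdict = "suspicious"
    else:
        verdict = "likely-malicious"
    notes = []
    if rep.verified and rep.verified.lower() == "unsigned":
        notes.append("unsigned binary")
    for vendor, packer in rep.packers.items():
        notes.append(f"packed with {packer} (per {vendor})")
    for vendor, name in named.items():
        notes.append(f"named detection {name} from {vendor}")
    return {"file": rep.filename, "engines": total, "hits": len(hits),
            "ratio": round(ratio, 3), "verdict": verdict, "notes": notes}


if __name__ == "__main__":
    print(triage(parse_report(SAMPLE_REPORT)))
```

For the constructed sample this yields 2 hits out of 12 engines and the verdict "likely-false-positive", with notes that the file is unsigned, ASPack-packed and carries one named detection; those notes are the reason to still file the false-positive report with the vendor, as the reply recommends, rather than treat a low count as proof on its own.
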
Thanks so much for your help.....I'll do that.

You are most welcome. It'll be interesting to see if SAS accepts these as false positives and corrects the core/trace definitions.

BTW for issues concerning the SAS Pre-Release V4.90.1014, forum posts should be down in the SuperAntiSpyware Pre-Release section of the main forum. You just have to be signed in to the main forum to gain access to that section.

Hi! These false positives were addressed shortly after they were submitted. Thank you for taking the time to post here/file a false positive report!

Geoff
