techmonkey

Trojan.Agent/Gen MSFake False Positive?

Hey all, I'm new to forums so be nice :-)

Anyway, after running a scan with SUPERAntiSpyware Free Edition it found Trojan.Agent/Gen MSFake. I think it was in a Microsoft update uninstall file (I can find the exact file if it makes a difference). Can this be a false positive? I left it in quarantine for now and also turned off System Restore. Along with SUPERAntiSpyware I am running: Norton Internet Security 2010, Malwarebytes free edition & SpywareBlaster. I am running Windows XP with the latest updates. No other security program installed indicated I was infected, and the PC is not showing any other signs of being infected.

First, if your NIS 2010 has a current subscription, you can update free-of-charge to NIS 2011 to utilize the latest Symantec security technology. See the link below.

http://community.norton.com/t5/Norton-Internet-Security-Norton/Norton-Internet-Security-2011-and-Norton-AntiVirus-2011-Have/td-p/285962

It does sound like you may have hit a false positive in SAS. I suggest that you unquarantine the file, rescan and submit the file as a False Positive per the instructions in the link below.

https://www.superantispyware.com/supportfaqdisplay.html?faq=28

Thanks for the advice siliconman01.

I will update my NIS; I still have about 60 days on my current 2010 subscription. I will probably take your advice and unquarantine the file and submit, but I really wish there was a way to submit the file FROM quarantine. I just would really hate to re-infect the computer by removing it from the quarantined section. I wonder if it would just be OK to fully remove the file? It has only been a day, but the PC does not seem to be affected by the file being in quarantine, and since it was just in a Windows Update uninstall file I guess the worst that would happen from the removal is I could not uninstall that specific update?

Would you post the SAS scan log that shows the file name (the scan log that was generated when SAS quarantined the suspect file)? Just copy/paste the scan log here in this forum thread. I'd like to see the file name and the directory path of the file, which will show up in the scan log. I may be able to make a pretty sound judgement whether it is a false positive from that info.

If C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\NETFXUPDATE.EXE is the false positive you are seeing, then you do not want to delete the file NETFXUPDATE.EXE from quarantine. You can restore the file and then submit the file as a false positive...which it is.

The 60 days you have left on NIS 2010 will carry over to NIS 2011 when you update to NIS 2011. 8)

1st Scan log:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 10/08/2010 at 01:43 PM

Application Version : 4.44.1000

Core Rules Database Version : 5658

Trace Rules Database Version: 3470

Scan type : Complete Scan

Total Scan Time : 00:58:56

Memory items scanned : 733

Memory threats detected : 0

Registry items scanned : 8081

Registry threats detected : 0

File items scanned : 34666

File threats detected : 4

Adware.Tracking Cookie

C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@richmedia.yahoo[2].txt

cdn2.invitemedia.com [ C:\Documents and Settings\HP_Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\8RT3AFB7 ]

content.yieldmanager.edgesuite.net [ C:\Documents and Settings\HP_Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\8RT3AFB7 ]

Trojan.Agent/Gen-MSFake

C:\WINDOWS\$NTUNINSTALLKB930494$\NETFXUPDATE.EXE

2nd Scan Log:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 10/08/2010 at 03:56 PM

Application Version : 4.44.1000

Core Rules Database Version : 5659

Trace Rules Database Version: 3471

Scan type : Complete Scan

Total Scan Time : 00:58:37

Memory items scanned : 724

Memory threats detected : 0

Registry items scanned : 8087

Registry threats detected : 0

File items scanned : 34671

File threats detected : 8

Adware.Tracking Cookie

.invitemedia.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\n8e8zzar.default\cookies.sqlite ]

.invitemedia.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\n8e8zzar.default\cookies.sqlite ]

.invitemedia.com [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\n8e8zzar.default\cookies.sqlite ]

.collective-media.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\n8e8zzar.default\cookies.sqlite ]

.collective-media.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\n8e8zzar.default\cookies.sqlite ]

.collective-media.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\n8e8zzar.default\cookies.sqlite ]

.collective-media.net [ C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\n8e8zzar.default\cookies.sqlite ]

Trojan.Agent/Gen-MSFake

C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP109\A0014587.EXE

The 2nd scan found it in System Volume Information; I have turned off System Restore for now.

Trojan.Agent/Gen-MSFake

C:\WINDOWS\$NTUNINSTALLKB930494$\NETFXUPDATE.EXE

The above is definitely a false positive. You can restore NETFXUPDATE.EXE from the SAS Quarantine. Then rescan and submit the file as False Positive so that SAS can repair their detection algorithms for everyone who has XP with that specific fix.

As an aside, $NTUNINSTALLKB930494$ is the directory that permits you to uninstall this specific hotfix if you find something wrong with the hotfix itself. In fact, if you navigate to C:\Windows you will find a multitude of similar BLUE directories starting with $NTUNINSTALL....$. Each time a Windows XP hotfix is installed on your system, an uninstall $NTUNINSTALL.....$ BLUE directory is created to allow you to uninstall it if something goes wrong. If you never want to be able to uninstall these hotfixes, you can just delete these BLUE directories and save yourself many, many megabytes of disk space. When I was running XP on my computers, I always waited about a week after a hotfix was installed. If the hotfix seemed solid, I deleted the $NTUNINSTALL....$ BLUE directory, which in effect makes the hotfix permanent. The link below discusses this further.

http://forums.techarena.in/windows-update/548808.htm

In fact, if you use CCleaner, it has an option under the Advanced section that permits you to automatically remove these hotfix uninstallers.
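As an added example that is not from the thread or from SAS, the Python below parses the scan-log layout posted above and labels each hit by where it sits: inside a $NTUNINSTALLKB...$ hotfix-uninstall backup (the directory siliconman01 describes), inside a System Restore point (_RESTORE{...}\RPnnn), or a live file elsewhere. The sample log is constructed from the thread's own entries; the regexes and function names are my own.

```python
import re

# Constructed sample in the layout of the SAS scan logs posted above (not a real log).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@richmedia.yahoo[2].txt
cdn2.invitemedia.com [ C:\Documents and Settings\HP_Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\8RT3AFB7 ]

Trojan.Agent/Gen-MSFake
C:\WINDOWS\$NTUNINSTALLKB930494$\NETFXUPDATE.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP109\A0014587.EXE
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
COOKIE_RE = re.compile(r"^\S+ \[ (?P<path>[A-Za-z]:\\.*) \]$")          # "site [ path ]" entries
HOTFIX_RE = re.compile(r"\\\$NtUninstall(KB\d+)\$\\", re.I)               # XP hotfix uninstall backup dir
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\", re.I)

def parse_scan_log(text):
    """Return (category, path) pairs from the threat section of a SAS scan log."""
    hits, category, in_threats = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if not in_threats:                      # skip the summary header
            in_threats = line.startswith("File threats detected")
        elif not line:
            continue
        elif COOKIE_RE.match(line):             # cookie hits carry the path in brackets
            hits.append((category, COOKIE_RE.match(line).group("path")))
        elif PATH_RE.match(line):
            hits.append((category, line))
        else:                                   # any other line names the next category
            category = line
    return hits

def classify(path):
    """Say where a hit lives; backup copies are not files the system actually runs."""
    m = HOTFIX_RE.search(path)
    if m:
        return "hotfix-uninstall-backup", m.group(1).upper()
    if RESTORE_RE.search(path):
        return "system-restore-copy", None
    return "live-file", None

def triage(text):
    rows = []
    for category, path in parse_scan_log(text):
        location, kb = classify(path)
        rows.append({"category": category, "path": path, "location": location, "kb": kb})
    return rows
```

A hit that only appears in a hotfix backup or a restore point, as here, is exactly the pattern worth re-checking before treating it as an infection; the same label on a file under C:\Windows\system32 would deserve the opposite reaction.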

Great, thanks so much siliconman01! I will in fact restore and submit these files to SAS so they can fix this false positive for those of us still running XP. Thanks again!

You are most welcome. :wink:
