mata7

Is this a FP or spyware


I'm trying SAS and today I did a full scan and found this:

Avira and Spyware Doctor didn't find anything, so that's why I ask if it is a FP.

Trojan.DESKAdp

C:\$ISR\1\WINDOWS\SYSTEM32\DFRGUI.EXE

Trojan.Downloader-SNDREC/Fake

C:\$ISR\2\WINDOWS\SYSTEM32\DLLCACHE\SNDREC32.EXE

C:\$ISR\2\WINDOWS\SYSTEM32\SNDREC32.EXE

Thanks for your help.


Hi and welcome to the SAS Forums :)

Always good to verify before deleting stuff 8)

Upload the files for malware checking (versus 32 vendor databases) >>>

http://www.virustotal.com/

Can you then post back your findings? :)


mata7,

These are located in snapshots created by FirstDefense-ISR. They are located in two different snapshots and not the one you are using now. I'm not even sure that SAS could fix them if you wanted to. That would be interesting to know.

You will not be able to open these with Windows Explorer but can do so with XYplorer. I do not suggest changing things in a snapshot that you are not in though. :wink:

This one

"C:\$ISR\1\WINDOWS\SYSTEM32\DFRGUI.EXE"

I do not have, but I have something similar:

"C:\$ISR\1\WINDOWS\system32\dfrgui.dll" - this DLL's properties say Windows Disk Defragmenter.

The others seem to be associated with XPize. I have lots of them.

So, are you using FD-ISR and XPize and a non-Windows defragmenter? If so, you are probably ok. To submit files to VirusTotal you may have to boot to each of your snapshots and run a custom SAS scan of C:\WINDOWS\SYSTEM32 to be able to access the file. You will then have to look in C:\WINDOWS\SYSTEM32 for each of your snapshots to find the files for submitting. This will be the quickest.


Thanks nosirrah,

Thanks for the info on IceSword. Yes it does allow you to copy files from not-in-use-snapshots of FD-ISR. I just tried it. :wink: It is a very powerful tool to say the least.

"IceSword has a Windows Explorer-like interface but displays hidden processes and resources that Windows Explorer would never show. It isn't a "click-here-to-delete-rootkits" product but a sophisticated..."


Thanks for the help and for the welcome, guys.

I don't use XPize, but I use Icon Packager and O&O Defrag Pro.

I just copied/updated my FDefense image back because I just bought SAS Pro, so now I will do a custom scan

and I will let you guys know.

I tried IceSword on my Vista and when I opened it I got a BSOD.

Again, thanks.


mata7,

I have SNDREC32.EXE but SAS is not detecting it using the latest definitions at these locations:

C:\WINDOWS\SYSTEM32\DLLCACHE\SNDREC32.EXE

C:\WINDOWS\SYSTEM32\SNDREC32.EXE

C:\WINDOWS\XPize\Resources\sndrec32.exe

In the SAS scan results window, on the right, there is a button to submit false positives. That may be the quickest solution, but if it were me I would submit the files in question to VirusTotal first, just because...

One thing you may want to do is exclude this C:\$ISR from your scans after this is sorted. I have excluded it just to speed up scans and like I said before I don't know if SAS will remove items from other snapshots. If someone has 10 snapshots, SAS is really scanning 10 complete system partitions. Even if SAS has the ability to fix problems in other snapshots, personally, I would not let it. I don't let any program delete or change anything in C:\$ISR.

The downside of excluding C:\$ISR is that you would not have found any of the possible false positives that you did find. :wink: So, it is best not to exclude it!

Can anyone shed some light on whether or not SAS can fix all detected items no matter where they are located? Particularly in FD-ISR snapshots or Windows System Restore.

thanks

edit: In the help file :roll: :oops: it says SAS can delete from System Restore. There is an option to scan it or not.

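As an added illustration of the triage the replies above describe (hash the snapshot copies, compare them with the copy in the live Windows install, and submit to VirusTotal), this is example code written for this thread, not code from the forum, SAS or FD-ISR; the demo uses constructed stand-in files under a temporary directory rather than the real C:\ paths.

```python
"""Triage a suspected false positive: hash the flagged FD-ISR snapshot copies
and compare them with the copy in the live Windows install. Identical SHA-256
means identical bytes, so one VirusTotal verdict on the live copy covers every
matching snapshot copy; a copy that differs needs its own submission."""
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """SHA-256 of a file, read in 1 MiB chunks (the hash VirusTotal reports)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(live_path, snapshot_paths):
    """Return {path: (sha256 or None, verdict)}; verdicts are 'live copy',
    'same as live', 'DIFFERS from live' or 'missing'."""
    live = sha256_of(live_path)
    report = {str(live_path): (live, "live copy")}
    for p in map(Path, snapshot_paths):
        if not p.exists():
            report[str(p)] = (None, "missing")
            continue
        digest = sha256_of(p)
        verdict = "same as live" if digest == live else "DIFFERS from live"
        report[str(p)] = (digest, verdict)
    return report

def demo():
    """Constructed sample laid out like the paths in this thread, but under a
    temp dir: two identical copies, one modified copy, one missing copy.
    The file contents are stand-in bytes, not a real sndrec32.exe."""
    root = Path(tempfile.mkdtemp())
    good = b"MZ constructed stand-in for sndrec32.exe"
    live = root / "WINDOWS" / "system32" / "sndrec32.exe"
    snaps = [root / "$ISR" / n / "WINDOWS" / "system32" / "sndrec32.exe"
             for n in ("1", "2", "3")]
    for p, data in ((live, good), (snaps[0], good), (snaps[1], good + b"!")):
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return triage(live, snaps)

if __name__ == "__main__":
    for path, (digest, verdict) in demo().items():
        print(f"{verdict:18} {digest or '-':64} {path}")
```

A hash match only tells you the snapshot copy is byte-identical to the live one; the live copy itself still needs a VirusTotal verdict (or a vendor signature check) before the detection is called a false positive.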

I just checked DFRGUI.EXE on VirusTotal and it came back clean, so this one is a FP. I will check the other 2 tomorrow if I have time.

[Attachment: AV.png]
