Solved

A dll infection, False Positive?

Posted on 2011-02-11
Last Modified: 2013-11-22
Dear Experts

“If a file is quarantined, the file goes to "safe vault". In other words you're "Clean", as the quarantined file cannot be accessed anymore, which also means your system is now clean from that infection”

I installed Saitek Smart Technology Software (SST).
 
Prevx found a THREAT; I do not know if this is an FP.

In C:\WINDOWS\Temp\Saitek\Saitek_Cyborg_V3_Pad_SD6_32_Software\00000010\
the dll setup_0a.dll is detected as malware, here is the Prevx Log:

Prevx Scan Log - Version v3.0.5.220
Log Generated: 10/2/2011 17:58, Type: 0,1
Windows XP Professional Service Pack 3 (Build 2600) 32bit|1033
Hostname: User
Some non-malicious files are not included in this log.
Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
Last Scan: Thu 2011-02-10 17:58:00 Mexico Standard Time. Number of Scans: 43. Last Scan Duration: 3 minutes 18 seconds.
 c:\windows\temp\saitek\saitek_cyborg_v3_pad_sd6_32_software\00000010\setup_0a.dll [PX5: 768B3E5600BCE94770130994AE1F5E0088C1AFAA] Malware Group: Medium Risk Malware
 (ACTIVE) c:\windows\system32\nvmccs.dll [PX5: 229758476891597A3CDC0463DC68D400BF05487E]
 (ACTIVE) c:\program files\agnitum\out

End of Prevx Scan Log - http://www.prevx.com

Please note I did not include all of the log; it is very large.

If I manually add the infected .dll to Quarantine and run Prevx, then my System Status is clean.

In this thread, the Prevx moderator informed me he fixed the FP:
 
http://www.wilderssecurity.com/showthread.php?t=292802
 
But my system status is still infected
 
I think I do not have an FP anyway.
After the fix, here is my Prevx log once again:
 
Prevx Scan Log - Version v3.0.5.220
Log Generated: 10/2/2011 22:36, Type: 0,1
Windows XP Professional Service Pack 3 (Build 2600) 32bit|1033
Hostname: User
Some non-malicious files are not included in this log.
Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
Last Scan: Thu 2011-02-10 22:35:43 Mexico Standard Time. Number of Scans: 49. Last Scan Duration: 4 minutes 14 seconds.
c:\windows\temp\saitek\saitek_cyborg_v3_pad_sd6_32_software\00000010\setup_0a.dll [PX5: 768B3E5600BCE94770130994AE1F5E0088C1AFAA] Malware Group: Medium Risk Malware
(ACTIVE) c:\windows\system32\nvmccs.dll [P

End of Prevx Scan Log - http://www.prevx.com

As above, I did not include all of the log; it is very large.

At this point I do know what to do; I sent another email to report@prevxresearch.com

Uninstall the SST
Hijackthis
Manually Quarantine the infected .dll
Online Scanner
Pray

Any suggestion, help, advice, ideas are more than welcome
Question by:rebelscum0000
14 Comments
 
LVL 6

Assisted Solution

by:KOTiS
KOTiS earned 50 total points
ID: 34871420
Always try more than one scanner on files you don't trust - try installing Malwarebytes and run a full system scan after updating...

http://www.malwarebytes.org/mbam-download.php
 
LVL 12
ID: 34871497
Upload the suspicious dll to virustotal to scan, they will scan it for you and let you know if it is a problem. If it comes back clean then you might be able to add the file to your AV exception list.

http://www.virustotal.com/
 
LVL 12

Assisted Solution

by:antony_kibble
antony_kibble earned 50 total points
ID: 34871517
It might also be being flagged as it is running an install from the Temp folder. Try extracting the setup files to another directory away from temp and running the install and see if you still get a notification of infection.
 
LVL 27

Accepted Solution

by:
Thomas Zucker-Scharff earned 300 total points
ID: 34871857
Try using this portable utility to scan for any suspicious DLLs.  If the dll is the only problem it will clean it, but if it identifies it as a rootkit, it will delete the dll but the rootkit will generate another one (most likely with another name).  In that case use a few of the anti-rootkit scanners I reviewed in the article below.

Dll scanner: http://portableapps.com/apps/utilities/spydllremover_portable

Anti-Rootkit review: http://www.experts-exchange.com/articles/Virus_and_Spyware/Anti-Virus/Anti-rootkit-software.html
 
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 50 total points
ID: 34872074
Usually, communication with Prevx support is the way to go.

report@prevxresearch.com

In the meantime you could whitelist the file yourself. Right-click on it and select "trust always".
 

Author Comment

by:rebelscum0000
ID: 34872347
REAL-TIME : Outpost Firewall Pro LIFETIME LICENSE, NOD 32, Shadow Defender, Sandboxie Paid Version
ON-DEMAND: MBAM Pro, SAS Pro Real Time Protection, Prevex
BACKUP : Acronis True Image 2011 Registered

@KOTiS
MBAM Pro did not find any threat.

@antony_kibble
I did; same result with VT.

@Tolomir
> I sent another email to report@prevxresearch.com
I reported this issue at report@prevxresearch.com; they have been replying to me all night. They said they fixed the FP 3 times until now, and my system status is still infected.

Why do you suggest that I whitelist the file by selecting "trust always"? What if it is not an FP?

I will try the tzucker solution and I will let you know the results. BTW, excellent article on anti-rootkit software, congrats.

Please keep posting.

Regards
Antonio Macias
 
LVL 27

Expert Comment

by:Thomas Zucker-Scharff
ID: 34872935
@rebelscum0000 Thanks.  I found that I was recommending Rootkit scanning quite often and so felt it was expedient to write an article with a more thorough explanation and some reviews.
 

Author Comment

by:rebelscum0000
ID: 34873143
@Tolomir

Why do you suggest that I whitelist the file by selecting "trust always"? What if it is not an FP?

@tzucker
SpyDLLRemover Portable found nothing. I did not install it onto a USB; I ran it from my HD.

@antony_kibble:
I did not understand your solution; can you be more specific?



01-spyscanner.JPG
02-spyscanner.JPG
03-spyscanner.JPG
04-spyscanner.JPG
05-spyscanner.JPG
06-spyscanner.JPG
 
LVL 27

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 300 total points
ID: 34873234
I personally trust ESET, so if NOD32 ID'd it then I would get rid of it. SpyDLLRemover says you need to further analyze those results, which means it is possible the files are dangerous. Have you tried using ProcessMonitor? http://technet.microsoft.com/en-us/sysinternals/bb896645

Process Monitor is a great app (I replaced Task Manager with it) and gives you a lot of info, including the ability to see the publisher of the file and to do a quick lookup on the web.
 
LVL 2

Assisted Solution

by:mail2divyesh
mail2divyesh earned 50 total points
ID: 34873440
I would suggest that you upload the suspicious file to VirusTotal.com as suggested by antony_kibble.

Also, based on the logs that you had sent, the hash 768B3E5600BCE94770130994AE1F5E0088C1AFAA on both scan logs looks to be the same. So maybe the fix (the updated DAT or fix) was not applied properly? Since it's the same file (setup_0a.dll) again, try uploading it to VirusTotal to see if it's a genuine detection; if not, I would suggest contacting your AV vendor for a possible fix.
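Added example (not from the thread, Prevx or any poster): a small Python checker that does mechanically what mail2divyesh does by eye above, parsing the two Prevx log excerpts quoted in the question, pulling out each flagged path with its PX5 hash, and reporting whether the second scan still flags the same unchanged object. The entry pattern is assumed from the quoted lines only, and the sample logs are constructed from them.

```python
import re

# One file entry of a Prevx v3 scan log, in the shape quoted in the question:
#   [(ACTIVE)] <path> [PX5: <40 hex chars>] [Malware Group: <risk group>]
ENTRY_RE = re.compile(
    r"^\s*(?P<active>\(ACTIVE\)\s+)?(?P<path>.+?)\s+\[PX5:\s*(?P<px5>[0-9A-Fa-f]{40})\]"
    r"(?:\s+Malware Group:\s*(?P<group>.+?))?\s*$"
)

def parse_prevx_log(text):
    """Map lowercased path -> {'px5', 'active', 'group'} for each parseable entry.
    Header lines and truncated entries (like the '... [P' line in the second
    log) do not match the pattern and are skipped rather than raised on."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("path").lower()] = {
                "px5": m.group("px5").upper(),
                "active": m.group("active") is not None,
                "group": m.group("group"),  # None when Prevx listed but did not flag it
            }
    return entries

def compare_scans(before, after):
    """For every file flagged in the first scan: is the second scan looking at
    the same object (PX5 unchanged), and is it still flagged? A persisting
    detection on an unchanged hash means the vendor's FP fix never reached this host."""
    old, new = parse_prevx_log(before), parse_prevx_log(after)
    report = {}
    for path, e in old.items():
        if e["group"] is None:
            continue
        n = new.get(path)
        report[path] = {
            "same_hash": n is not None and n["px5"] == e["px5"],
            "still_flagged": n is not None and n["group"] is not None,
        }
    return report

# Constructed sample input: the entries quoted in the question, headers trimmed.
LOG_BEFORE = """Prevx Scan Log - Version v3.0.5.220
 c:\\windows\\temp\\saitek\\saitek_cyborg_v3_pad_sd6_32_software\\00000010\\setup_0a.dll [PX5: 768B3E5600BCE94770130994AE1F5E0088C1AFAA] Malware Group: Medium Risk Malware
 (ACTIVE) c:\\windows\\system32\\nvmccs.dll [PX5: 229758476891597A3CDC0463DC68D400BF05487E]
End of Prevx Scan Log - http://www.prevx.com"""
LOG_AFTER = """Prevx Scan Log - Version v3.0.5.220
c:\\windows\\temp\\saitek\\saitek_cyborg_v3_pad_sd6_32_software\\00000010\\setup_0a.dll [PX5: 768B3E5600BCE94770130994AE1F5E0088C1AFAA] Malware Group: Medium Risk Malware
(ACTIVE) c:\\windows\\system32\\nvmccs.dll [P
End of Prevx Scan Log - http://www.prevx.com"""
```

Calling `compare_scans(LOG_BEFORE, LOG_AFTER)` reports the Saitek DLL as same hash and still flagged, which is exactly the "fix was not applied" situation described in the comment.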
 

Author Comment

by:rebelscum0000
ID: 34873660
@tzucker

Downloading ProcessMonitor; I will let you know the results ASAP.

@mail2divyesh

OK

 

Author Comment

by:rebelscum0000
ID: 34875262
I just received another mail from report@prevxresearch.com

Date: Fri, 11 Feb 2011 11:17:25 -0600
From: report@prevxresearch.com
To: me
Subject: Re: Saitek software Malware Detected

Hello,
Could you please right click on the file when shown in the "View Threats" screen of Prevx after the scan and select "Report as a false positive." This should prevent the detection on your PC.

Prevx Support Team

---

I did. Ignoring the .dll, of course the result of the scan is clean, but this is not the way for me to scan for malware (ignoring files).

I will have to close this question in order to award points and I will open another, I hope you follow me

Thank you
Antonio Macias

 

Author Comment

by:rebelscum0000
ID: 34875437
I think I did something wrong. I awarded points but I did not close the question; I just advised that I will close this question because all the experts' solutions are excellent.
 

Author Closing Comment

by:rebelscum0000
ID: 34875474
Thank you