Solved

A dll infection, False Positive?

Posted on 2011-02-11
Last Modified: 2013-11-22
Dear Experts

“If a file is quarantined, the file goes to "safe vault". In other words you're "Clean", as the quarantined file cannot be accessed anymore, which also means your system is now clean from that infection.”

I installed Saitek Smart Technology Software (SST).

Prevx found a THREAT; I do not know if this is a FP.

In C:\WINDOWS\Temp\Saitek\Saitek_Cyborg_V3_Pad_SD6_32_Software\00000010\
the DLL setup_0a.dll is detected as malware. Here is the Prevx log:

Prevx Scan Log - Version v3.0.5.220
Log Generated: 10/2/2011 17:58, Type: 0,1
Windows XP Professional Service Pack 3 (Build 2600) 32bit|1033
Hostname: User
Some non-malicious files are not included in this log.
Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
Last Scan: Thu 2011-02-10 17:58:00 Mexico Standard Time. Number of Scans: 43. Last Scan Duration: 3 minutes 18 seconds.
 c:\windows\temp\saitek\saitek_cyborg_v3_pad_sd6_32_software\00000010\setup_0a.dll [PX5: 768B3E5600BCE94770130994AE1F5E0088C1AFAA] Malware Group: Medium Risk Malware
 (ACTIVE) c:\windows\system32\nvmccs.dll [PX5: 229758476891597A3CDC0463DC68D400BF05487E]
 (ACTIVE) c:\program files\agnitum\out

End of Prevx Scan Log - http://www.prevx.com

Please note I did not include the whole log; it is very large.

If I manually add the infected .dll to Quarantine and run Prevx, then my System Status is clean.

In this thread, the Prevx moderator informed me he fixed the FP:
 
http://www.wilderssecurity.com/showthread.php?t=292802
 
But my system status is still infected.

I think I do not have a FP anyway. After the fix, here is my Prevx log once again:
 
Prevx Scan Log - Version v3.0.5.220
Log Generated: 10/2/2011 22:36, Type: 0,1
Windows XP Professional Service Pack 3 (Build 2600) 32bit|1033
Hostname: User
Some non-malicious files are not included in this log.
Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
Last Scan: Thu 2011-02-10 22:35:43 Mexico Standard Time. Number of Scans: 49. Last Scan Duration: 4 minutes 14 seconds.
c:\windows\temp\saitek\saitek_cyborg_v3_pad_sd6_32_software\00000010\setup_0a.dll [PX5: 768B3E5600BCE94770130994AE1F5E0088C1AFAA] Malware Group: Medium Risk Malware
(ACTIVE) c:\windows\system32\nvmccs.dll [P

End of Prevx Scan Log - http://www.prevx.com

As above, I did not include the whole log; it is very large.

At this point I do know what to do; I sent another email to report@prevxresearch.com

Uninstall the SST
Hijackthis
Manually Quarantine the infected .dll
Online Scanner
Pray

Any suggestion, help, advice, or ideas are more than welcome.
Question by:rebelscum0000
14 Comments
 
LVL 6

Assisted Solution

by:KOTiS
KOTiS earned 50 total points
Always try more than one scanner on files you don't trust - try installing Malwarebytes and run a full system scan after updating...

http://www.malwarebytes.org/mbam-download.php
 
LVL 12
Upload the suspicious dll to virustotal to scan, they will scan it for you and let you know if it is a problem. If it comes back clean then you might be able to add the file to your AV exception list.

http://www.virustotal.com/
 
LVL 12

Assisted Solution

by:antony_kibble
antony_kibble earned 50 total points
It might also be being flagged as it is running an install from the Temp folder. Try extracting the setup files to another directory away from temp and running the install and see if you still get a notification of infection.
 
LVL 26

Accepted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 300 total points
Try using this portable utility to scan for any suspicious DLLs.  If the dll is the only problem it will clean it, but if it identifies it as a rootkit, it will delete the dll but the rootkit will generate another one (most likely with another name).  In that case use a few of the anti-rootkit scanners I reviewed in the article below.

Dll scanner: http://portableapps.com/apps/utilities/spydllremover_portable

Anti-Rootkit review: http://www.experts-exchange.com/articles/Virus_and_Spyware/Anti-Virus/Anti-rootkit-software.html
 
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 50 total points
Usually communication with Prevx support is the way to go.

report@prevxresearch.com

In the meantime you could whitelist the file yourself. Right-click on it and select "trust always".
 

Author Comment

by:rebelscum0000
REAL-TIME : Outpost Firewall Pro LIFETIME LICENSE, NOD 32, Shadow Defender, Sandboxie Paid Version
ON-DEMAND: MBAM Pro, SAS Pro Real Time Protection, Prevx
BACKUP : Acronis True Image 2011 Registered

@KOTiS
MBAM Pro did not find any threat.

@antony_kibble
I got the same result with VT.

@Tolomir
> I sent another email to report@prevxresearch.com
I reported this issue at report@prevxresearch.com; they have been replying to me all night. They said they fixed the FP 3 times; until now, my system status is still infected.

Why do you suggest I whitelist the file by selecting "trust always"? What if it is not a FP?

I will try the tzucker solution and will let you know the results. BTW, excellent article on anti-rootkit software, congrats.

Please keep posting.

Regards
Antonio Macias
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
@rebelscum0000 Thanks.  I found that I was recommending Rootkit scanning quite often and so felt it was expedient to write an article with a more thorough explanation and some reviews.
 

Author Comment

by:rebelscum0000
@Tolomir

Why do you suggest I whitelist the file by selecting "trust always"? What if it is not a FP?

@tzucker
SpyDLLRemover Portable found nothing. I did not install it onto a USB; I ran it from my HD.

@antony_kibble:
I did not understand your solution; can you be more specific?



Attachments: 01-spyscanner.JPG, 02-spyscanner.JPG, 03-spyscanner.JPG, 04-spyscanner.JPG, 05-spyscanner.JPG, 06-spyscanner.JPG
 
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 300 total points
I personally trust ESET, so if NOD32 ID'd it then I would get rid of it. SpyDLLRemover says you need to further analyze those results, which means it is possible the files are dangerous. Have you tried using Process Monitor? http://technet.microsoft.com/en-us/sysinternals/bb896645

Process Monitor is a great app (I replaced Task Manager with it) and gives you a lot of info, including the ability to see the publisher of the file and to do a quick lookup on the web.
 
LVL 2

Assisted Solution

by:mail2divyesh
mail2divyesh earned 50 total points
I would suggest that you upload the suspicious file to VirusTotal.com as suggested by antony_kibble.

Also, based on the logs you sent, the hash 768B3E5600BCE94770130994AE1F5E0088C1AFAA is the same on both scan logs. So maybe the fix (the updated DAT or fix) was not applied properly? Since it is the same file (setup_0a.dll) again, try uploading it to VirusTotal to see if it is a genuine detection; if not, I would suggest contacting your AV vendor for a possible fix.
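The check mail2divyesh does by eye, as an added example (not code from this thread or from Prevx): parse Prevx scan-log lines into path, PX5 identifier and verdict, then compare two scans so that a file still flagged with the same PX5 id after a vendor "fix" stands out, since the same bytes are evidently still being detected. The two sample logs are constructed, trimmed copies of the scans posted in the question; the 40-hex PX5 format is an assumption drawn from those lines and the value is treated as an opaque identifier.

```python
import re
from dataclasses import dataclass

# Matches one Prevx detection line: optional "(ACTIVE)" marker, a path,
# the bracketed PX5 identifier, and an optional "Malware Group:" verdict.
DETECTION_RE = re.compile(
    r"^\s*(?P<active>\(ACTIVE\)\s+)?(?P<path>[a-z]:\\[^\[]+?)\s+"
    r"\[PX5:\s*(?P<px5>[0-9A-F]{40})\]"
    r"(?:\s+Malware Group:\s*(?P<group>.+?))?\s*$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Detection:
    path: str
    px5: str       # Prevx's own file identifier, treated here as opaque
    group: str     # "" when Prevx listed the file without a verdict
    active: bool   # True when the line carried the "(ACTIVE)" marker

def parse_prevx_log(text):
    """Return the detection entries in a Prevx scan log; header, footer
    and truncated lines (such as a cut-off path) are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line)
        if m:
            found.append(Detection(m["path"].lower(), m["px5"].upper(),
                                   (m["group"] or "").strip(),
                                   m["active"] is not None))
    return found

def unchanged_verdicts(before, after):
    """Files carrying a Malware Group verdict in both scans with the same
    PX5 id: the same bytes are still detected, so a vendor-side fix has
    either not shipped or not reached this machine."""
    earlier = {d.path: d for d in parse_prevx_log(before) if d.group}
    return [d for d in parse_prevx_log(after)
            if d.group and d.path in earlier and earlier[d.path].px5 == d.px5]

# Constructed sample logs: trimmed copies of the two scans posted above.
SCAN_1 = r"""Prevx Scan Log - Version v3.0.5.220
 c:\windows\temp\saitek\saitek_cyborg_v3_pad_sd6_32_software\00000010\setup_0a.dll [PX5: 768B3E5600BCE94770130994AE1F5E0088C1AFAA] Malware Group: Medium Risk Malware
 (ACTIVE) c:\windows\system32\nvmccs.dll [PX5: 229758476891597A3CDC0463DC68D400BF05487E]
 (ACTIVE) c:\program files\agnitum\out
End of Prevx Scan Log - http://www.prevx.com"""
SCAN_2 = r"""Prevx Scan Log - Version v3.0.5.220
c:\windows\temp\saitek\saitek_cyborg_v3_pad_sd6_32_software\00000010\setup_0a.dll [PX5: 768B3E5600BCE94770130994AE1F5E0088C1AFAA] Malware Group: Medium Risk Malware
(ACTIVE) c:\windows\system32\nvmccs.dll [PX5: 229758476891597A3CDC0463DC68D400BF05487E]
End of Prevx Scan Log - http://www.prevx.com"""
```

Calling `unchanged_verdicts(SCAN_1, SCAN_2)` returns only setup_0a.dll, while the truncated agnitum line and the unverdicted nvmccs.dll entry are left out.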
 

Author Comment

by:rebelscum0000
@tzucker

Downloading Process Monitor; I will let you know the results ASAP.

@mail2divyesh

OK

 

Author Comment

by:rebelscum0000
I just received another mail from report@prevxresearch.com

Date: Fri, 11 Feb 2011 11:17:25 -0600
From: report@prevxresearch.com
To: me
Subject: Re: Saitek software Malware Detected

Hello,
Could you please right click on the file when shown in the "View Threats" screen of Prevx after the scan and select "Report as a false positive." This should prevent the detection on your PC.

Prevx Support Team

---

I did. Ignoring the .dll, the result of the scan is of course clean, but this is not the way for me to scan for malware (ignoring files).

I will have to close this question in order to award points, and I will open another; I hope you follow me.

Thank you
Antonio Macias
 

Author Comment

by:rebelscum0000
I think I did something wrong: I awarded points but did not close the question. I just advised that I will close this question because all the experts' solutions are excellent.
 

Author Closing Comment

by:rebelscum0000
Thank you