Claudio Herrera
asked on
A dll infection, False Positive?
Dear Experts
“If a file is quarantined, the file goes to "safe vault". In other words you're "Clean" as the quarantined file cannot be accessed anymore, which also means your system is now clean from that infection”
I installed Saitek Smart Technology Software (SST),
Prevx found a THREAT; I do not know if this is a FP
In C:\WINDOWS\Temp\Saitek\Saitek_Cyborg_V3_Pad_SD6_32_Software\00000010\
the dll setup_0a.dll is detected as malware; here is the Prevx log:
Prevx Scan Log - Version v3.0.5.220
Log Generated: 10/2/2011 17:58, Type: 0,1
Windows XP Professional Service Pack 3 (Build 2600) 32bit|1033
Hostname: User
Some non-malicious files are not included in this log.
Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
Last Scan: Thu 2011-02-10 17:58:00 Mexico Standard Time. Number of Scans: 43. Last Scan Duration: 3 minutes 18 seconds.
c:\windows\temp\saitek\saitek_cyborg_v3_pad_sd6_32_software\00000010\setup_0a.dll [PX5: 768B3E5600BCE94770130994AE1F5E0088C1AFAA] Malware Group: Medium Risk Malware
(ACTIVE) c:\windows\system32\nvmccs.dll [PX5: 229758476891597A3CDC0463DC68D400BF05487E]
(ACTIVE) c:\program files\agnitum\out
End of Prevx Scan Log - http://www.prevx.com
Please note I did not include all the log; it is very large
If I manually add the infected .dll to Quarantine and run Prevx, then my System Status is clean
At this thread, the Prevx moderator informed me he fixed the FP
http://www.wilderssecurity.com/showthread.php?t=292802
But my system status is still infected
I think I do not have a FP anyway
After the fix, here is my Prevx log once again
Prevx Scan Log - Version v3.0.5.220
Log Generated: 10/2/2011 22:36, Type: 0,1
Windows XP Professional Service Pack 3 (Build 2600) 32bit|1033
Hostname: User
Some non-malicious files are not included in this log.
Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
Last Scan: Thu 2011-02-10 22:35:43 Mexico Standard Time. Number of Scans: 49. Last Scan Duration: 4 minutes 14 seconds.
c:\windows\temp\saitek\saitek_cyborg_v3_pad_sd6_32_software\00000010\setup_0a.dll [PX5: 768B3E5600BCE94770130994AE1F5E0088C1AFAA] Malware Group: Medium Risk Malware
(ACTIVE) c:\windows\system32\nvmccs .dll [P
End of Prevx Scan Log - http://www.prevx.com
As above, I did not include all the log; it is very large
At this point I do know what to do; I sent another email to report@prevxresearch.com
Uninstall the SST
Hijackthis
Manually Quarantine the infected .dll
Online Scanner
Pray
Any suggestion, help, advice, ideas are more than welcome
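As an added illustration (not part of the original thread), here is a small Python parser for the Prevx v3 scan log format quoted above. It separates entries carrying a "Malware Group" verdict from "(ACTIVE)" entries that merely list loaded files, and re-joins PX5 hashes whose hex was wrapped across lines, which is what a defender needs before deciding whether a "still infected" status comes from one flagged file. The log text and hashes below are constructed samples, not the values from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the Prevx v3 scan log quoted in the question.
# The PX5 hashes here are made-up placeholders, not the ones from the post.
SAMPLE_LOG = """Prevx Scan Log - Version v3.0.5.220
Log Generated: 10/2/2011 17:58, Type: 0,1
Some non-malicious files are not included in this log.
c:\\windows\\temp\\saitek\\setup_0a.dll [PX5: 00000000000000000000 00000000000000000001] Malware Group: Medium Risk Malware
(ACTIVE) c:\\windows\\system32\\nvmccs.dll [PX5: 0000000000000000000000000000000000000002]
End of Prevx Scan Log - http://www.prevx.com
"""

# One file entry per line: optional "(ACTIVE)" tag, path, PX5 hash, optional verdict.
ENTRY_RE = re.compile(
    r"^(?P<active>\(ACTIVE\)\s+)?(?P<path>.+?)\s+\[PX5:\s*(?P<px5>[0-9A-Fa-f ]+)\]"
    r"(?:\s+Malware Group:\s*(?P<group>.+?))?\s*$"
)


@dataclass
class Entry:
    path: str
    px5: str
    active: bool
    group: Optional[str]  # None: listed only as a loaded file, not flagged


def parse_prevx_log(text: str) -> List[Entry]:
    """Return every file entry in a Prevx scan log; header/footer lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # version, timestamp, hostname and footer lines carry no file
        entries.append(Entry(
            path=m.group("path").lower(),
            px5=m.group("px5").replace(" ", "").upper(),  # undo line-wrap spaces in hash
            active=m.group("active") is not None,
            group=m.group("group"),
        ))
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    """Only the entries Prevx actually assigned a malware group; these drive 'infected' status."""
    return [e for e in entries if e.group is not None]
```

Running `flagged(parse_prevx_log(SAMPLE_LOG))` on the sample yields the single setup_0a.dll entry, while the nvmccs.dll line is parsed as an active-but-unflagged file.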
ASKER
REAL-TIME : Outpost Firewall Pro LIFETIME LICENSE, NOD 32, Shadow Defender, Sandboxie Paid Version
ON-DEMAND: MBAM Pro, SAS Pro Real Time Protection, Prevx
BACKUP : Acronis True Image 2011 Registered
@KOTiS
MBAM Pro did not find any threat
@antony_kibble
I did; same result with VT
@Tolomir
> I sent another email to report@prevxresearch.com
I reported this issue at report@prevxresearch.com; they have been replying to me all night. They said they fixed the FP 3 times. Until now, my system status is still infected
Why do you suggest that I whitelist the file by selecting "trust always"? What if it is not a FP?
I will try the tzucker solution; I will let you know the results. BTW, excellent article on anti-rootkit software, congrats
Please keep posting
Regards
Antonio Macias
@rebelscum0000 Thanks. I found that I was recommending Rootkit scanning quite often and so felt it was expedient to write an article with a more thorough explanation and some reviews.
ASKER
@Tolomir
Why do you suggest that I whitelist the file by selecting "trust always"? What if it is not a FP?
@tzucker
SpyDLLRemover Portable found nothing; I did not install it onto a USB, I ran it from my HD
@antony_kibble:
I did not understand your solution; can you be more specific?
01-spyscanner.JPG
02-spyscanner.JPG
03-spyscanner.JPG
04-spyscanner.JPG
05-spyscanner.JPG
06-spyscanner.JPG
ASKER
@tzucker
Downloading ProcessMonitor II; I will let you know the results ASAP
@mail2divyesh
OK
ASKER
I just received another mail from report@prevxresearch.com
Date: Fri, 11 Feb 2011 11:17:25 -0600
From: report@prevxresearch.com
To: me
Subject: Re: Saitek software Malware Detected
Hello,
Could you please right click on the file when shown in the "View Threats" screen of Prevx after the scan and select "Report as a false positive." This should prevent the detection on your PC.
Prevx Support Team
---
I did; ignoring the .dll, of course the result of the scan is clean, but this is not the way for me to scan for malware (ignoring files)
I will have to close this question in order to award points, and I will open another; I hope you follow me
Thank you
Antonio Macias
ASKER
I think I did something wrong: I awarded points but I did not close the question. I just advised that I will close this question because all the experts' solutions are excellent
ASKER
Thank you
http://www.virustotal.com/