Twister AV.


Badcompany
July 25th, 2008, 11:50 AM
Hello Forum,
Today Twister classified this as a Trojan (KB8908 Trojan.Patched.bi.nuel.dll.) I think it could be a FB, but can't find any info on it. Does anyone have any info on this?
Badcompany.

3DFireStarteR
July 25th, 2008, 02:20 PM
Would be more helpful if you could post what file it detected ^^

Badcompany
July 25th, 2008, 02:44 PM
{QUOTE-> Would be more helpful if you could post what file it detected ^^ <-QUOTE}

Here is a screenshot: is this helpful?
Badcompany.

ronjor
July 25th, 2008, 02:51 PM
Can't you submit that file to Twister for examination Badcompany?

virus -a-t- filseclab.com

Bubba
July 25th, 2008, 02:53 PM
Having user32.dll in the "My Documents" folder needs to be treated as suspicious unless you placed a known good MS user32.dll file there. Normal location as you may know is the System32 folder.

Johnny123
July 25th, 2008, 03:01 PM
Check if you also have user32.dll in Windows\System32, which is where it should be. If you have one in System32, then this one in your My Documents directory could be malware.

BTW, Avast and GData had this file as an FP back in January, as you can see in this article (http://www.heise.de/security/Falscher-Alarm-von-avast-und-Gdata-in-user32-dll-Update--/news/meldung/101723) at heise online.

Badcompany
July 25th, 2008, 03:07 PM
{QUOTE-> Can't you submit that file to Twister for examination Badcompany?

virus -a-t- filseclab.com <-QUOTE}

Have sent the file to filseclab. Going to check in system32.
Badcompany.

Badcompany
July 25th, 2008, 03:21 PM
{QUOTE-> Check if you also have user32.dll in Windows\System32, which is where it should be. If you have one in System32, then this one in your My Documents directory could be malware.

BTW, Avast and GData had this file as an FP back in January, as you can see in this article (http://www.heise.de/security/Falscher-Alarm-von-avast-und-Gdata-in-user32-dll-Update--/news/meldung/101723) at heise online. <-QUOTE}

I have user32.dll in windows/system32. The screenshot is from the original scan. So I think it must be a FP.
Badcompany.

likuidkewl
July 25th, 2008, 03:55 PM
I'm with Bubba on this one.

I say submit it to Virustotal and get a better idea. Also, comparing the sizes of the files (b not kb) or MD5s is also a good idea. Since I don't know your localization I cannot for sure say the file size is wrong, but it is not the same as mine (Eng. XP SP3).

HTH