View Full Version : False positives / Missing detections thread
EraserHW
June 14th, 2009, 06:17 AM
Hello,
if you have encountered a false positive or Prevx is not detecting a malicious file, please follow the instructions listed inside the thread HowTo: reporting false positives / missing detections (http://www.wilderssecurity.com/showthread.php?t=245129).
Moreover, if you want you can write in this thread what you're going to report by e-mail.
Please use only this thread for false positive or missing detection reports, this will help us to get everything more organized.
Thank you and enjoy Prevx :)
Marco
funkydude
June 14th, 2009, 07:17 AM
I couldn't ask in the other thread so I'll ask here: is there anything specific wrong with zip files? :P
EraserHW
June 14th, 2009, 07:31 AM
They are filtered by the mail service :)
funkydude
June 14th, 2009, 07:31 AM
{QUOTE-> They are filtered by the mail service :) <-QUOTE}
You should add that to the post.
EraserHW
June 14th, 2009, 07:35 AM
That's why the password-protected RAR archive is underlined ;D I'll add this note too :)
Thank you! :)
cet
June 17th, 2009, 07:44 AM
Prevx detected portable spiderplayer.exe as medium risk malware. I think this is a false positive. I ran a VirusTotal scan and only Prevx marks it as malware. Also there is an oggenc.exe in the Spider Player file; it is marked as malware too.
PrevxHelp
June 17th, 2009, 09:38 AM
{QUOTE-> Prevx detected portable spiderplayer.exe as medium risk malware. I think this is a false positive. I ran a VirusTotal scan and only Prevx marks it as malware. Also there is an oggenc.exe in the Spider Player file; it is marked as malware too. <-QUOTE}
Hello,
Can you send both of these files in a RAR archive with a password to report@prevxresearch.com ?
We will analyze them and correct the determinations ASAP :)
cet
June 17th, 2009, 10:03 AM
I sent the log and immediately got a reply from Prevx. Yes, it is a false positive and will be corrected soon. Thanks for such a quick response.
Habakuck
June 21st, 2009, 05:39 AM
PrevX detects Vista Firewall Control Set 2.5 while booting up.
http://www.sphinx-soft.com/download/VistaFirewallControl-Setup-i386.exe
Heuristic Settings at maximum.
PrevxHelp
June 21st, 2009, 12:50 PM
{QUOTE-> PrevX detects Vista Firewall Control Set 2.5 while booting up.
http://www.sphinx-soft.com/download/VistaFirewallControl-Setup-i386.exe
Heuristic Settings at maximum. <-QUOTE}
Fixed :) This was a pure-heuristic FP thanks to the file modifying firewall settings :)
Habakuck
June 21st, 2009, 04:50 PM
{QUOTE-> Fixed :) This was a pure-heuristic FP thanks to the file modifying firewall settings :) <-QUOTE}
Thanks. :thumb:
Habakuck
June 24th, 2009, 04:43 PM
I did not send an e-mail because I am not sure whether this is a FP or not.
VirusTotal link removed per forum policy. (http://www.wilderssecurity.com/showthread.php?t=180057)
File is attached. Password is "infected" as normal.
http://www.file-upload.net/download-1724212/win2log.rar.html
funkydude
June 24th, 2009, 06:45 PM
I'm not sure why you attached the file, as stated all that's needed is the file's PX code from the log.
sputnik451
June 25th, 2009, 11:06 AM
Hi,
Prevx detected operatorres.dll as medium risk malware.
I have emailed the log as requested here (http://www.wilderssecurity.com/showthread.php?t=245129)
TonyW
June 26th, 2009, 07:14 AM
Undetected file submitted last night re: fraudulent security program from errorfix.com.
Habakuck
June 26th, 2009, 07:38 AM
Because of the missing reply to my Post #12, I sent win2log to the Avira research lab. They could not find a virus or virulent components in the file, so it is a FP.
So please fix this: {QUOTE-> [BP] c:\program files\ubisoft\tom clancy's splinter cell double agent\scda-offline\system\win2log.exe [PX5: 4607E20C16C9D8D85F4901ECD0C0F00019A94A5E] Malware Group: Medium Risk Malware <-QUOTE}
In the same log Prevx marked this:
{QUOTE->
[D] c:\program files\internet explorer\iecompat.dll [PX5: 8EC1CFB40057D87A92D401FD3A1BEF0071563FCD] Malware Group: Community.OuterEdge <-QUOTE}
But I don't get an infection message showing up by Prevx.
Why?
greetz
EraserHW
June 26th, 2009, 08:31 AM
Just checking your submissions :) Sorry for the delay, I've been a bit busy :doubt:
EraserHW
June 26th, 2009, 08:33 AM
{QUOTE-> Because of the missing reply to my Post #12, I sent win2log to the Avira research lab. They could not find a virus or virulent components in the file, so it is a FP.
So please fix this:
In the same log Prevx marked this:
But I don't get an infection message showing up by Prevx.
Why?
greetz <-QUOTE}
Yes, I was going to reply to your e-mail right now :)
First one is a false positive, I've just fixed it. Try a scan again; the second has been automatically marked as good by the database. So, you should not receive any other notification now.
Best regards,
Marco
Habakuck
June 26th, 2009, 09:20 AM
{QUOTE-> Yes, I was going to reply to your e-mail right now :)
First one is a false positive, I've just fixed it. Try a scan again; the second has been automatically marked as good by the database. So, you should not receive any other notification now.
Best regards,
Marco <-QUOTE}
=) Thank you very much.
Habakuck
June 26th, 2009, 09:22 AM
{QUOTE-> Just checking your submissions :) Sorry for the delay, I've been a bit busy :doubt: <-QUOTE}
And no problem about that! ;)
best regards.
TonyW
June 26th, 2009, 01:04 PM
{QUOTE-> Undetected file submitted last night re: fraudulent security program from errorfix.com. <-QUOTE}
Has this been checked? The executable is still undetected.
PrevxHelp
June 26th, 2009, 08:53 PM
{QUOTE-> Has this been checked? The executable is still undetected. <-QUOTE}
Sorry for the delayed response :) We added protection a few minutes after you sent in the email - often it takes longer to send the response back than add protection ;D
I'll make sure that we reply faster in the future :)
sputnik451
June 26th, 2009, 11:36 PM
{QUOTE-> Hi,
Prevx detected operatorres.dll as medium risk malware.
I have emailed the log as requested here (http://www.wilderssecurity.com/showthread.php?t=245129) <-QUOTE}
Thanks for the fix :)
raven211
June 27th, 2009, 05:04 AM
We're simply not meant to be together... (for now? :D) ;D First time I've run Prevx now, and four entries in the results are all FPs, as it seems. :D I'm sure you can clarify the middle ones, because the other two - bottom and top - I know about.
See attached image.
The one at top is a part of GameGuard. Now this thing is kinda tricky... I got it explained elsewhere that it uses something like rootkit-techniques, even if it indeed should be completely harmless. It's very, very common for free online-games, and even more for the "manga-type" ones.
The one at bottom is, as can be seen from the directory, a part of Vista Codec Pack. I too think it's suspicious with something like settings32.exe for a prog. like that, but neither Avira (which, BTW, is running with heur. set to High) nor MSE is detecting it as malware. To be sure I also uploaded it to VirusTotal, which only showed some lame heuristic detections. ;) :P
BTW, the same goes for gameguard.des, which would indeed trigger at any time as I run the game often (named Dragonica). ;D
Please see if you can find out what's up with the two with the same name but different locations in the registry, and just tell me if you need a scan log for the entries in your db.
EDIT: Nah, WTH - I attach that too while I'm still on it. ;D
TonyW
June 27th, 2009, 05:44 AM
{QUOTE-> Sorry for the delayed response :) We added protection a few minutes after you sent in the email - often it takes longer to send the response back than add protection ;D <-QUOTE}
Thanks for adding protection for this fraudulent program.
What I don't understand is, since you added this to the database soon after I sent the email, why wasn't it detected when I did an on-demand scan of the file a few times during the day, including at the time of post #21?
PrevxHelp
June 27th, 2009, 01:47 PM
{QUOTE-> We're simply not meant to be together... (for now? :D) ;D First time I've run Prevx now, and four entries in the results are all FPs, as it seems. :D I'm sure you can clarify the middle ones, because the other two - bottom and top - I know about. <-QUOTE}
The middle two are service entries from the GameGuard file, not unique infections by themselves, but we detect those pieces as well and report them.
I've fixed the FP on your version and a handful of other versions which were detected as FPs, but indeed GameGuard uses rootkit techniques and also a plethora of other strange/suspicious behaviors and is also packed by Themida - a technology primarily used by malware authors (and detected by 9/41 vendors on VT). In my opinion, it would be irresponsible to not detect this ;D
settings32.exe is a bit more of a genuine FP which crops up periodically because they use AutoIt - a scripting tool which is often used by malware - and we had a signature generically detecting some specific types of AutoIt executables as malicious (which is now fixed :))
arjunned
June 29th, 2009, 12:06 AM
Hi.
Just started using Prevx Free 3.0 sometime back. I have it on my vista x64 OS and my W7 x86 OS.
Upon first scan it detected a few Avira files as infections. But I'm guessing they're definitely FPs.
Cheers!
Arjun Ned.
PrevxHelp
June 29th, 2009, 12:27 AM
Hello,
Can you please click Tools > Save Scan Results and email us a scan log to report@prevxresearch.com? We will fix them from there ASAP :)
Thanks!
TonyW
June 29th, 2009, 05:55 AM
That's strange because I was testing AVIRA yesterday, and none of their files were flagged.
Habakuck
June 29th, 2009, 07:24 AM
The Avira module aeskript changed. I got an Outpost-HIPS warning and a PrevX flag after that.
Habakuck
June 30th, 2009, 10:35 AM
Security Center Reset is flagged as malicious:
http://my.opera.com/rejzor/blog/security-center-reset-1-0-released
I think it is a FP.
VirusTotal 0% and a2 doesn't find anything.
dlimanov
June 30th, 2009, 12:14 PM
Posted this in a wrong thread, but here goes anyway:
http://i40.tinypic.com/29ghn2o.png
PrevxHelp
June 30th, 2009, 12:19 PM
{QUOTE-> Posted this in a wrong thread, but here goes anyway:
http://i40.tinypic.com/29ghn2o.png <-QUOTE}
Based on the small graphical excerpt, it looks like the system is "infected" with a couple DOS viruses. We don't detect DOS viruses as they are not a threat to users (and haven't been for 20 years ;D) We also do not focus on detecting scripts on demand as they are only threatening on execution.
However, if there are samples which you think we should detect, please send a scan log to report@prevxresearch.com and we will analyze it from there :)
EraserHW
June 30th, 2009, 12:53 PM
{QUOTE-> Security Center Reset is flagged as malicious:
http://my.opera.com/rejzor/blog/security-center-reset-1-0-released
I think it is a FP.
VirusTotal 0% and a2 doesn't find anything. <-QUOTE}
Check again :) It should be now fixed ;)
Habakuck
June 30th, 2009, 01:23 PM
Thanks! :)
elidawneli
July 7th, 2009, 07:18 PM
Already reported. Just want to share these confirmed FPs:
Combofix.exe (already referred to but included FYI),
unregdll.exe (FAS Common File from Peachtree),
gspawn-win32-helper-console.exe (GnuCash Bin file), and
Fontzoom.exe (system32 font).
Awaiting confirmation of FP:
Awatch.exe (Adapter watch),
autounbreak.exe (Auto Unbreak, a clipboard editor),
kvmosd.exe (onboard display for KVM switch),
avsdvdplayer.exe (free DVD player),
ipscan.exe (IP Scan),
webvideocap.exe (Web Video Capture)
Also, mentioned in the report as malware but I believe are FPs:
fwmanager.dll and opswatavcommon.dll (both from an online Sophos test).
Best wishes,
Dawn
PrevxHelp
July 7th, 2009, 11:01 PM
{QUOTE-> Already reported. Just want to share these confirmed FPs: <-QUOTE}
Hello,
Just to ensure that we handle each one of your files properly, could you send a scan log by clicking Tools > Save Scan Results and email it to report@prevxresearch.com ?
Thanks! :)
Romagnolo1973
July 8th, 2009, 09:13 AM
Hi Joe, the Italian spaghetti-English speaker is back ;D
I think Eraser is flying around the world 'cause he doesn't reply to e-mail, so... I'm here.
I have a FP for you.
It's about this program http://www.winmend.com/folder-hidden/ and for Prevx it is malware; I think it's a FP.
The log is this:
Prevx Scan Log - Version v3.0.1.65
Log Generated: 8/7/2009 14:29, Type: 0,1
Windows XP Professional Service Pack 3 (Build 2600) 32bit|1040
Some non-malicious files are not included in this log.
Heuristics Settings: Age: 2, Pop: 2, Heu: 2 (Dir: 1)
Last Scan: Wed 2009-07-08 14:28:45 ora solare Europa occidentale. Number of Scans: 135. Last Scan Duration: 2 minutes 2 seconds.
[B] (ACTIVE) c:\programmi\winmend\folder hidden\helpus.dll [PX5: 8570A62B00EEB8916697224E22AD72009AB301B5] Malware Group: Medium Risk Malware
[UP] (ACTIVE) c:\programmi\iolo\common\lib\carina.dll [PX5: 238BF06A006B3049D8230065AF3CBA00962E8423]
[UP] (ACTIVE) c:\programmi\iolo\common\lib\iolosearchfunctions.dll [PX5: 5301E285002A345AD20E00DEFED7FF005D32E1F2]
[U] (ACTIVE) c:\windows\system32\rpcrt4.dll [PX5: 93D4D4E7002892DCEEEB0824BD83A8003E98BD43]
...........................
Thanks
EraserHW
July 8th, 2009, 12:01 PM
{QUOTE-> Hi Joe, the Italian spaghetti-English speaker is back ;D
I think Eraser is flying around the world 'cause he doesn't reply to e-mail, so... I'm here.
I have a FP for you.
It's about this program http://www.winmend.com/folder-hidden/ and for Prevx it is malware; I think it's a FP.
The log is this:
Prevx Scan Log - Version v3.0.1.65
Log Generated: 8/7/2009 14:29, Type: 0,1
Windows XP Professional Service Pack 3 (Build 2600) 32bit|1040
Some non-malicious files are not included in this log.
Heuristics Settings: Age: 2, Pop: 2, Heu: 2 (Dir: 1)
Last Scan: Wed 2009-07-08 14:28:45 ora solare Europa occidentale. Number of Scans: 135. Last Scan Duration: 2 minutes 2 seconds.
[B] (ACTIVE) c:\programmi\winmend\folder hidden\helpus.dll [PX5: 8570A62B00EEB8916697224E22AD72009AB301B5] Malware Group: Medium Risk Malware
[UP] (ACTIVE) c:\programmi\iolo\common\lib\carina.dll [PX5: 238BF06A006B3049D8230065AF3CBA00962E8423]
[UP] (ACTIVE) c:\programmi\iolo\common\lib\iolosearchfunctions.dll [PX5: 5301E285002A345AD20E00DEFED7FF005D32E1F2]
[U] (ACTIVE) c:\windows\system32\rpcrt4.dll [PX5: 93D4D4E7002892DCEEEB0824BD83A8003E98BD43]
...........................
Thanks <-QUOTE}
Which e-mail? I probably missed it :wacko:
I'll check now :)
Edit: fixed ;)
Romagnolo1973
July 8th, 2009, 12:21 PM
{QUOTE-> Which e-mail? I probably missed it :wacko:
I'll check now :) <-QUOTE}
A fellow member from HWUpgrade says he sent it to you.
Anyway, the important thing is fixing the FP for him.
On that forum I asked you a question about a doubt concerning whether or not the trial may be used in a commercial setting, if you can enlighten me ....
Thanks
EraserHW
July 8th, 2009, 12:22 PM
{QUOTE-> A fellow member from HWUpgrade says he sent it to you.
Anyway, the important thing is fixing the FP for him.
On that forum I asked you a question about a doubt concerning whether or not the trial may be used in a commercial setting, if you can enlighten me ....
Thanks <-QUOTE}
Solved ;)
EraserHW
July 8th, 2009, 12:29 PM
{QUOTE-> A fellow member from HWUpgrade says he sent it to you.
Anyway, the important thing is fixing the FP for him.
On that forum I asked you a question about a doubt concerning whether or not the trial may be used in a commercial setting, if you can enlighten me ....
Thanks <-QUOTE}
I've replied to you on hwupgrade too; anyway, the link on the website is wrong :)
The correct link is: http://info.prevx.com/downloadcsibusiness.asp
EraserHW
July 8th, 2009, 12:31 PM
Sorry about some Italian posts written above :)
We've just found a mistake on our website. When you try to download trial business version of Prevx 3.0 you could be redirected to the home version of Prevx 3.0. Link is wrong, correct address is: http://info.prevx.com/downloadcsibusiness.asp
We are going to fix the problem on the website :)
mvdu
July 8th, 2009, 03:22 PM
Another FP with Kaspersky, this time with the 2010 version. It is:
c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\x64\ievkbd.dll
PrevxHelp
July 8th, 2009, 03:23 PM
{QUOTE-> Another FP with Kaspersky, this time with the 2010 version. It is:
c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\x64\ievkbd.dll <-QUOTE}
We can't tell by just the filename :) Can you send a log to report@prevxresearch.com?
Thanks ;D
mvdu
July 8th, 2009, 03:25 PM
{QUOTE-> We can't tell by just the filename :) Can you send a log to report@prevxresearch.com?
Thanks ;D <-QUOTE}
I told it to ignore, and now it is in the log, but not as detected. Would the log still help?
StevieO
July 8th, 2009, 03:42 PM
No problem about the Italian posts written above
EraserHW
July 8th, 2009, 07:39 PM
{QUOTE-> No problem about the Italian posts written above <-QUOTE}
eheheh, perfect! ;D
StevieO
July 9th, 2009, 04:50 AM
utmwmzg5.sys: Malware or FP?
Almost half the vendors on VirusTotal showed this as malware when I uploaded it again a few hours ago. I also scanned it locally with several apps including MBAM.
Malwarebytes' Anti-Malware 1.38 Database version: 2397 09/07/2009
Files Infected:
c:\Users\ \Desktop\U\utmwmzg5.sys (Rootkit.Bagle) -> No action taken.
If this is a FP then it's a major oops from all of them; if not, lots of vendors have been caught with their pants down. Either way, not good.
EraserHW
July 9th, 2009, 07:12 AM
Please can you send your scan log to report@prevxresearch.com?
Thank you :)
EraserHW
July 9th, 2009, 11:35 AM
It is a false positive ;) It's an AVZ driver. I've fixed it.
StevieO
July 9th, 2009, 05:32 PM
EraserHW
Thank you Sir.
See here for more background to this http://www.wilderssecurity.com/showthread.php?t=246938
EraserHW
July 9th, 2009, 07:49 PM
{QUOTE-> EraserHW
Thank you Sir.
See here for more background to this http://www.wilderssecurity.com/showthread.php?t=246938 <-QUOTE}
Just a big misunderstanding. Probably it has been reported as Bagle by one company and everyone else started detecting it as Bagle :)
Someone
July 10th, 2009, 09:15 AM
Prevx detects WirelessKeyView (http://www.nirsoft.net/utils/wireless_key.html), SparkleXP (http://download.cnet.com/SparkleXP/3000-2094_4-10730157.html) and SmitFraudFix (http://www.bleepingcomputer.com/files/smitfraudfix.php) as Medium Risk Malware, I believe they are FPs.
EraserHW
July 10th, 2009, 11:30 AM
{QUOTE-> Prevx detects WirelessKeyView (http://www.nirsoft.net/utils/wireless_key.html), SparkleXP (http://download.cnet.com/SparkleXP/3000-2094_4-10730157.html) and SmitFraudFix (http://www.bleepingcomputer.com/files/smitfraudfix.php) as Medium Risk Malware, I believe they are FPs. <-QUOTE}
Can you check again? They should be now fixed :)
Thank you :)
Juha L
July 10th, 2009, 05:20 PM
PrevX3 identifies Unibet Poker client's OperatorRes.dll as High Risk Worm
Prevx Scan Log - Version v3.0.1.65
Log Generated: 11/7/2009 00:11, Type: 0,1
Windows Vista Home Premium Service Pack 2 (Build 6002) 32bit|1033
Some non-malicious files are not included in this log.
Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
Last Scan: Sat 2009-07-11 00:10:30 FLE Daylight Time. Number of Scans: 156. Last Scan Duration: 4 minutes 2 seconds.
[B] (ACTIVE) c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\en\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E463270004B2972A] Malware Group: High Risk Worm
[B] c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\de\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E4632700697A291B] Malware Group: High Risk Worm
[B] c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\es\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E4632700A450220E] Malware Group: High Risk Worm
[B] c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\nl\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E463270009329DB9] Malware Group: High Risk Worm
dlimanov
July 13th, 2009, 02:35 PM
Hate to beat on a dead horse, but PrevxE is not picking up any of these on a production machine.
http://i31.tinypic.com/33o6rfn.png
I can send the scan log privately, if needed.
PrevxHelp
July 13th, 2009, 03:02 PM
{QUOTE-> Hate to beat on a dead horse, but PrevxE is not picking up any of these on a production machine.
http://i31.tinypic.com/33o6rfn.png
I can send the scan log privately, if needed. <-QUOTE}
If you could please send a scan log, that would be very useful :) Most of the entries are just registry entries and are not malicious by themselves but there does appear to be some missed files here.
PrevxHelp
July 13th, 2009, 03:03 PM
{QUOTE-> PrevX3 identifies Unibet Poker client's OperatorRes.dll as High Risk Worm <-QUOTE}
Fixed :) Thanks for the report!
dlimanov
July 13th, 2009, 03:07 PM
{QUOTE-> If you could please send a scan log, that would be very useful :) Most of the entries are just registry entries and are not malicious by themselves but there does appear to be some missed files here. <-QUOTE}
Joe,
In an enterprise mode, is there a log stored locally somewhere, or is it server-side only?
Thanks!
PrevxHelp
July 13th, 2009, 03:24 PM
{QUOTE-> Joe,
In an enterprise mode, is there a log stored locally somewhere, or is it server-side only?
Thanks! <-QUOTE}
The logs exist only within the server console and it might be easier to diagnose a missed detection by using our consumer product on the local PC (as it lets you save/view scan logs easier on that PC itself).
dlimanov
July 13th, 2009, 04:10 PM
Joe,
Is this what you need? This is the only log I could find on the server:
The following bad PX5's have ever been seen
(bad at the time of encounter)
File: c:\windows\system32\drivers\hjgruiiimpuirj.sys [PX5: 01dc6a330038997204ac018aa9adae00e5a7e609]
File: c:\documents and settings\administrator\xwjtgj.exe [PX5: 409a7a9400789f49309f017dab7ad6004425bf5a]
File: c:\documents and settings\administrator\local settings\application data\opera\opera 10 beta\temporary_downloads\install_flash_player.exe [PX5: 547c7d4800d2dcdf823600f21473ce00e3063b0d]
File: c:\documents and settings\administrator\winlogon.exe [PX5: 547c7d4800d2dcdf823600f21473ce00e3063b0d]
File: c:\documents and settings\administrator\administrator.exe [PX5: 8383cbd00093f326ca9300b80a669c00b4294746]
File: c:\documents and settings\administrator\administrator.exe-vir [PX5: 8383cbd00093f326ca9300b80a669c00b4294746]
File: c:\documents and settings\administrator\swooic.exe [PX5: b547c93200a58ff58a5f00ada21a2c0059621db3]
File: c:\windows\system32\hjgruiqjtpuxai.dll [PX5: d6cb3d1c002667344c28003b3c2e0700fb8e0a9e]
File: c:\windows\system32\hjgruikcgqfqmw.dll [PX5: e25fd966009c4244a60300ec1651d100cc2656b5]
PrevxHelp
July 13th, 2009, 04:24 PM
Those look like the known bads - I'm looking for the files which are currently unknown. I'm not sure if the enterprise console can dump the unknown files, however. It would probably be easier to use the consumer product and email the scan log to report@prevxresearch.com
dlimanov
July 14th, 2009, 01:03 AM
Joe,
I just PMed you the link to the actual exploit and malware. This should make things easier.
:-)
Cretemonster
July 14th, 2009, 07:24 AM
3 hour malware, gotta sleep sometime :(
rottenbanana
July 15th, 2009, 10:00 AM
Prevx detects Newsleecher.exe as medium level malware. It's a binary news reader and not malware. :) Panda Cloud AV had the same FP... I obtained NewsLeecher from http://www.newsleecher.com//?id=download. It's the beta 7 version on the bottom part. It installs fine but when I run the program, Prevx jumps in.
PrevxHelp
July 15th, 2009, 10:12 AM
{QUOTE-> Prevx detects Newsleecher.exe as medium level malware. It's a binary news reader and not malware. :) Panda Cloud AV had the same FP... I obtained NewsLeecher from http://www.newsleecher.com//?id=download. It's the beta 7 version on the bottom part. It installs fine but when I run the program, Prevx jumps in. <-QUOTE}
Assuming I got the same file as you when I downloaded it, I believe I've fixed the FP but it didn't warn for me (granted, my heuristic settings are at default which may produce different results than yours).
If you run a scan, could you let me know if you receive any warnings again? Thanks!
rottenbanana
July 15th, 2009, 10:24 AM
{QUOTE-> Assuming I got the same file as you when I downloaded it, I believe I've fixed the FP but it didn't warn for me (granted, my heuristic settings are at default which may produce different results than yours).
If you run a scan, could you let me know if you receive any warnings again? Thanks! <-QUOTE}
That's odd, my settings are all on default (still using the detect-only free version) and it alerted me on both Beta 6 yesterday and, today, Beta 7 which was just released.
At any rate, I removed newsleecher.exe from Detection overrides, re-scanned my system, launched the .exe and got no alerts this time.
Thanks. :)
trjam
July 15th, 2009, 02:35 PM
Joe, can you fix the following FPs? They are on my son's computer for a game he plays called Crossfire. Thanks
Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
Last Scan: Wed 2009-07-15 14:25:01 Eastern Daylight Time. Number of Scans: 4. Last Scan Duration: 2 minutes.
Previously Detected Files:
[BP] c:\windows\system32\gamemon.des [PX5: 35F62B302E18710F81F62A5B5065BD00FA319465] Malware Group: Medium Risk Malware
[BP] (ACTIVE) c:\program files\subagames\crossfire\gameguard\gamemon.des [PX5: 35F62B302E18710F81F62A5B5065BD00FA319465] Malware Group: Medium Risk Malware
Prevx 3.0 v3.0.1.65 Cleanup Log for 15/7/2009 14:25
(0) Remove File: \DosDevices\c:\windows\system32\gamemon.des
(1) Remove File: \DosDevices\c:\program files\subagames\crossfire\gameguard\gamemon.des
(0) Remove Reg Key: \REGISTRY\Machine\system\ControlSet001\Services\npggsvc
(0) Remove Reg Value: ImagePath
(1) Remove Reg Key: \REGISTRY\Machine\System\CurrentControlSet\Services\npggsvc
(1) Remove Reg Value: ImagePath
(0) Remove Service: \REGISTRY\Machine\system\ControlSet001\Services\npggsvc
(1) Remove Service: \REGISTRY\Machine\System\CurrentControlSet\Services\npggsvc
Cleanup Complete
PrevxHelp
July 15th, 2009, 03:15 PM
Fixed - gamemon.des is essentially a rootkit which protects games. I have added a rule which should prevent FPs on future versions now.
trjam
July 15th, 2009, 03:17 PM
As always, you are the best. Thank you :thumb:
Juha L
July 15th, 2009, 07:11 PM
{QUOTE-> {QUOTE-> PrevX3 identifies Unibet Poker client's OperatorRes.dll as High Risk Worm <-QUOTE} Fixed :) Thanks for the report! <-QUOTE}
Still have 3 different false detections of OperatorRes.dll in 3 subdirectories. Seems only 1 of 4 false detections was fixed.
[B] (ACTIVE) c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\en\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E463270004B2972A] Malware Group: High Risk Worm
[B] (ACTIVE) c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\es\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E4632700A450220E] Malware Group: High Risk Worm
[B] (ACTIVE) c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\nl\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E463270009329DB9] Malware Group: High Risk Worm
Fixed one seems to be this:
[G] (ACTIVE) c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\de\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E4632700697A291B]
PrevxHelp
July 15th, 2009, 10:32 PM
I must be going blind... I thought I read all four files as the same identity but apparently not :-[
Fixed now with a more intelligent signature. Thanks :)
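The four operatorres.dll entries above share all but the last eight hex digits of their PX5 values, which is how they could be read as one identity. As an added example (not Prevx's own code), here is a small Python parser for the scan-log line format quoted in this thread that lists each flagged PX5 once with every path it was seen at, and measures how much leading prefix a set of PX5 values share; the only input is log lines copied from the posts above.

```python
"""Parse Prevx 3.0 scan-log entries like the ones posted in this thread and
list each flagged PX5 identity once, with every path it was seen at, so a
false-positive report covers all of them."""
import re
from collections import OrderedDict

# One scan-log entry as posted above, e.g.
#   [B] (ACTIVE) c:\dir\file.dll [PX5: <40 hex digits>] Malware Group: High Risk Worm
# The "(ACTIVE)" marker and the "Malware Group:" verdict are both optional;
# the leading bracketed flag ([B], [BP], [G], [U], ...) is kept verbatim.
ENTRY = re.compile(
    r"^\[(?P<flag>[A-Z]+)\]\s+"
    r"(?:\((?P<state>[A-Z]+)\)\s+)?"
    r"(?P<path>.+?)\s+"
    r"\[PX5:\s*(?P<px5>[0-9A-Fa-f]{40})\]"
    r"(?:\s+Malware Group:\s*(?P<group>.+?))?\s*$"
)

# Sample input copied from the logs quoted in this thread: Juha L's second
# post (three entries still flagged, one already re-marked [G] with no
# verdict) and trjam's post (one identity seen at two paths).
SAMPLE_UNIBET = r"""
Prevx Scan Log - Version v3.0.1.65
Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
[B] (ACTIVE) c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\en\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E463270004B2972A] Malware Group: High Risk Worm
[B] (ACTIVE) c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\es\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E4632700A450220E] Malware Group: High Risk Worm
[B] (ACTIVE) c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\nl\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E463270009329DB9] Malware Group: High Risk Worm
[G] (ACTIVE) c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\de\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E4632700697A291B]
...........................
"""

SAMPLE_GAMEMON = r"""
Previously Detected Files:
[BP] c:\windows\system32\gamemon.des [PX5: 35F62B302E18710F81F62A5B5065BD00FA319465] Malware Group: Medium Risk Malware
[BP] (ACTIVE) c:\program files\subagames\crossfire\gameguard\gamemon.des [PX5: 35F62B302E18710F81F62A5B5065BD00FA319465] Malware Group: Medium Risk Malware
"""


def parse_scan_log(text):
    """Return one dict (flag, state, path, px5, group) per entry line;
    header lines and the '.....' truncation marker are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            e = m.groupdict()
            e["px5"] = e["px5"].upper()  # normalise case so grouping works
            entries.append(e)
    return entries


def flagged(entries):
    """Entries carrying a 'Malware Group' verdict: the ones a report must cover."""
    return [e for e in entries if e["group"]]


def by_identity(entries):
    """Map each PX5 to the list of paths it was seen at, in first-seen order."""
    groups = OrderedDict()
    for e in entries:
        groups.setdefault(e["px5"], []).append(e["path"])
    return groups


def common_prefix_len(px5s):
    """How many leading hex digits all the given PX5 values share. Values that
    differ only in the tail are easy to misread as one identity, as happened
    with the four operatorres.dll entries."""
    px5s = list(px5s)
    if not px5s:
        return 0
    n = 0
    for column in zip(*px5s):
        if len(set(column)) != 1:
            break
        n += 1
    return n


def fp_report(text):
    """(px5, group, [paths]) for every distinct flagged identity in a log."""
    hits = flagged(parse_scan_log(text))
    verdict = {e["px5"]: e["group"] for e in hits}
    return [(px5, verdict[px5], paths) for px5, paths in by_identity(hits).items()]


if __name__ == "__main__":
    for label, sample in (("unibet", SAMPLE_UNIBET), ("gamemon", SAMPLE_GAMEMON)):
        report = fp_report(sample)
        print(f"== {label}: {len(report)} distinct flagged identity(ies)")
        for px5, group, paths in report:
            print(f"{px5}  {group}")
            for p in paths:
                print(f"    {p}")
    ids = [e["px5"] for e in parse_scan_log(SAMPLE_UNIBET)]
    print(f"shared PX5 prefix across the operatorres.dll entries: {common_prefix_len(ids)} hex digits")
```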
Zetelo
July 17th, 2009, 01:59 PM
Just installed PrevX on my new system with Windows Vista Ultimate 64 Bit.
PrevX 3.0 found an infection, but I think it is a FP:
Status: THREAT
Name: startup.exe in c:\windows\system32\
Threat Identified: Medium Riskware
My PC is totally fresh and untouched; it is very unlikely that I've already caught a threat.
Thx!
PrevxHelp
July 17th, 2009, 02:03 PM
I've never seen a program named "startup.exe" in the System32 folder but could you send us a scan log by clicking Tools > Save Scan Results to report@prevxresearch.com ? We will analyze it there and report back :)
Zetelo
July 17th, 2009, 02:07 PM
I'm doing it now! Thx for this super fast answer =)
EDIT: Sorry, didn't know I had to add a password!
2nd EDIT: Done =D
PrevxHelp
July 17th, 2009, 02:43 PM
Thank you for the log... however, I still think that the file is malicious :-\ It is referenced by a registry HKLM\...\run entry named "WinSys2" and pointing to a file named C:\Windows\System32\startup.exe
Could you send us the file itself in a rar archive with a password to report@prevxresearch.com so we can analyze the file itself to make sure it is really malicious?
Zetelo
July 17th, 2009, 03:00 PM
Of course, I'm on it!
EDIT: Done!
PrevxHelp
July 17th, 2009, 03:39 PM
{QUOTE-> Of course, I'm on it!
EDIT: Done! <-QUOTE}
Thank you for the file - we've analyzed it and indeed it is a FP, but a strange one! :) Thank you for your patience, if you run another scan it should be fixed now.
Zetelo
July 17th, 2009, 04:52 PM
:thumb: Thanks a lot! It is now a clean file, this is what I call cooperation!
BladeRunner
July 17th, 2009, 08:13 PM
Hi Joe,
I've been using 'Hard Disk Sentinel' software for a long time, but today Prevx started detecting it as malware. Is this a false positive or real malware?
I have sent the scan log to Prevx.
PrevxHelp
July 17th, 2009, 09:26 PM
{QUOTE-> Hi Joe,
I've been using 'Hard Disk Sentinel' software for a long time, but today Prevx started detecting it as malware. Is this a false positive or real malware?
I have sent the scan log to Prevx. <-QUOTE}
Hello,
This is indeed a FP and has been fixed now - thanks for the report! :)
BladeRunner
July 17th, 2009, 10:14 PM
{QUOTE-> Hello,
This is indeed a FP and has been fixed now - thanks for the report! :) <-QUOTE}
Thanks!
raven211
July 18th, 2009, 05:21 AM
{QUOTE-> Hello,
This is indeed a FP and has been fixed now - thanks for the report! :) <-QUOTE}
Out of curiosity (probably since I'm even running your software right now in evaluation ;D), what could be the reason that a legit program is suddenly detected on your end - if at all? ???
PrevxHelp
July 18th, 2009, 12:35 PM
{QUOTE-> Out of curiosity (probably since I'm even running your software right now in evaluation ;D), what could be the reason that a legit program is suddenly detected on your end - if at all? ??? <-QUOTE}
Every time we add or tune a rule to detect a new variation of a threat, that rule is applied to every other piece of software globally to detect variants which we may have missed previously.
When dealing with some rules that detect 500,000+ samples at a time, it is hard to track down the one false positive caused by it :)
raven211
July 18th, 2009, 02:05 PM
{QUOTE-> Every time we add or tune a rule to detect a new variation of a threat, that rule is applied to every other piece of software globally to detect variants which we may have missed previously.
When dealing with some rules that detect 500,000+ samples at a time, it is hard to track down the one false positive caused by it :) <-QUOTE}
Only because I can see a possibility of trouble, like seen here (and especially for the average Joe): is this kind of thing "solved" somehow through the technologies released in v4.0?
I completely understand the reason, but one can't avoid the fact that it does give a high probability for trouble and/or FPs - I would suspect still higher than other products, since I've indeed witnessed and experienced this personally with the software. It's one of the reasons I "had" to stop using the software, simply because I always want to go a no-FP, automatic way - something which I've without a doubt accomplished without sacrificing the effectiveness of my protection.
PrevxHelp
July 18th, 2009, 02:25 PM
{QUOTE-> Only because I can see a possibility of trouble, like seen here (and especially for the average Joe) - is this kind of thing "solved" somehow through the technologies released in v4.0? <-QUOTE}
4.0 will have additional measures to prevent FPs, however, the exact same "problem" occurs with conventional AVs. Every new signature created scans every file, which is why conventional AVs have FPs as well. Our systems automatically track possible FPs and prevent signatures from being created which would cause additional FPs but nothing is perfect and everything is a balance between FP/detection.
{QUOTE-> I completely understand the reason, but one can't avoid the fact that it does give high probability for trouble and/or FPs - I would suspect still higher than other products, since I've indeed witnessed and experienced this personally with the software. It's one of the reasons I "had" to stop using the software, simply because I always want to go a no-FP, automatic way - something which I've without a doubt accomplished without sacrificing the effectivity of my protection. <-QUOTE}
I highly doubt that Prevx has more FPs than other products, being that we have only around 5 FPs reported by the entire Prevx community every day. We also don't have a submission form on our website so most of all of the FPs either get publicly reported here or just sent via email (and to the report@prevxresearch.com email address, we have had only 2 FPs reported in the last two weeks).
With over 30,000+ new infections blocked the first time they're seen every day (not counting older infections which is much higher), I think that is a reasonable rate to have, especially because FPs tend to only happen on odd, little-used software.
raven211
July 18th, 2009, 02:31 PM
I don't know if I can stress this enough... the software that I use doesn't have FPs through signatures or other automatic, proactive features - at least not stable software. That's a reason I stopped using NOD32. It was giving simple FPs that caused me a lot of trouble. No offence, but that's actually true, and that's why I'm at least trying to stress this point.
PrevxHelp
July 18th, 2009, 02:32 PM
{QUOTE-> I don't know if I can stress this enough... the software that I use doesn't have FPs through signatures or other automatic, proactive features - at least not stable software. That's a reason I stopped using NOD32. It was giving simple FPs that caused me a lot of trouble. No offence, but that's actually true, and that's why I'm at least trying to stress this point. <-QUOTE}
The goal of every AV is to have 0 FPs, which is of course what we're trying to do. However, it is logically and mathematically impossible to produce 0 FPs if a program has any degree of heuristic detection.
raven211
July 18th, 2009, 02:37 PM
{QUOTE-> The goal of every AV is to have 0 FPs, which is of course what we're trying to do. However, it is logically and mathematically impossible to produce 0 FPs if a program has any degree of heuristic detection. <-QUOTE}
Point taken. I'll try to ignore what's reported here as it could be looked at like a fast reporting-system. I'll continue to run Prevx in evaluation mode as that will let me know if MSE, which I'm running now, is missing something - completely free - and see how I like the software's operation as it's today. :)
TonyW
July 18th, 2009, 02:55 PM
If you look at the FPs reported by AV-Comparatives in recent tests, many of the applications don't appear to be as well known to the average user. When I looked at the list, I hardly knew most of them, let alone have them installed on my system. Obviously if I had any one of them on my rig at the same time of the test with the same AV flagging the FP alert, I would have got the warning.
In all the years I've used conventional AVs I've never had FPs against programs I have installed, but have seen some script heuristic FPs by those AVs that run script emulators as part of their web scanning.
In testing Prevx, I've not seen any FPs yet.
PrevxHelp
July 18th, 2009, 04:25 PM
Frankly, any vendor with a high level of false positives would have gone out of business years ago. Periodically we hear of some highly publicized cases when an AV detects a system file and corrupts thousands of systems. There really should be measures in place in every company to prevent this (akin to our automated rule testing - if a rule flags a system component, it is dropped). Outside of that, however, it really becomes a question of the software which the individuals use. I don't have exact numbers but I've heard people say that more than 95% of the software on 95% of users' PCs is the same. The remaining 5% is where things get difficult and to deviate from the "standard" software set, a user would need to be at least marginally technically inclined - many of whom are participants in various forums like this one. On the other side of the spectrum, my parents have absolutely no idea how to install software or how to even go about finding new software - a case which I suspect is seen pretty widely.
The problem with forums is that various vendors are frequently berated for having "low detection" or "high false positives" and whichever user can "yell" the loudest ends up getting their point across when in all actuality, forum users are off many standard deviations from the average user in their browsing habits and system use and therefore don't have a representative view on what a vendor actually does provide.
We had a nice "case-in-point" false positive ages ago on an extremely obscure program which not only sent out emails to everyone in the user's address book but it also did not have any graphical interface, it was unsigned, encrypted/packed, and it added a registry run key to perform the message sending on bootup. Whether this was a software vendor just being cruel to AV developers we will never know but we did not bother changing any rules we had in place to detect the file and we just whitelisted that one version.
Software is incredibly diverse, as is malware (logically as it is a subset of software). There is no way to prevent all false positives unless you want to write signatures which detect only single programs and have no level of heuristic/generic signatures. I know that vendors today are working hard to write signatures that cover as many variants as possible and this may cause an uptick in false positives just because of the literally exploding volumes of malware. There are many measures which can be put in place to help reduce false positives, including whitelisting and reputation checking, but none of them are perfect because some user, somewhere, is going to want to run a mass mailing, encrypted, hidden program on bootup :)
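The rule-vetting step described in the post above (apply every new rule to everything known, drop it if it flags a system component, and whitelist one odd version rather than weaken the rule) as an added illustration; this is not Prevx's code, and the file traits, rule language and corpus are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# Constructed file records carrying the traits the thread mentions (signed,
# packed, GUI, autostart Run key, mass mailing, system component). Not Prevx's
# real feature set or rule language; an illustration of the gating step only.
@dataclass(frozen=True)
class FileRecord:
    name: str
    version: str
    signed: bool
    packed: bool
    has_gui: bool
    run_key: bool          # registers itself to run at boot
    mass_mail: bool        # sends mail to the user's address book
    system_component: bool

Rule = Callable[[FileRecord], bool]

@dataclass
class VetResult:
    accepted: bool
    system_hits: List[str]       # system components the rule would have flagged
    whitelisted_hits: List[str]  # hits suppressed by a per-version whitelist entry
    detections: List[str]        # what the rule will actually detect once live

# Constructed corpus: two OS components, a well-behaved app, the obscure
# mass-mailing program from the post, and a packed dropper.
CORPUS: List[FileRecord] = [
    FileRecord("os_shell.exe",       "6.0", True,  False, True,  True,  False, True),
    FileRecord("os_helper.exe",      "6.0", True,  False, False, True,  False, True),
    FileRecord("photo_editor.exe",   "2.1", True,  False, True,  False, False, False),
    FileRecord("obscure_mailer.exe", "1.0", False, True,  False, True,  True,  False),
    FileRecord("dropper.exe",        "0.0", False, True,  False, True,  False, False),
]

# Version-level whitelist, as in the post: that one release of the odd mailer
# is let through while the rule itself stays in place.
WHITELIST: Set[Tuple[str, str]] = {("obscure_mailer.exe", "1.0")}

def vet_rule(rule: Rule, corpus: List[FileRecord] = CORPUS,
             whitelist: Set[Tuple[str, str]] = WHITELIST) -> VetResult:
    """Run a candidate rule over every known file. Any hit on a system
    component drops the rule outright; otherwise whitelisted versions are
    removed from its hits and the remainder become live detections."""
    system_hits: List[str] = []
    whitelisted_hits: List[str] = []
    detections: List[str] = []
    for f in corpus:
        if not rule(f):
            continue
        if f.system_component:
            system_hits.append(f.name)
        elif (f.name, f.version) in whitelist:
            whitelisted_hits.append(f.name)
        else:
            detections.append(f.name)
    return VetResult(accepted=not system_hits, system_hits=system_hits,
                     whitelisted_hits=whitelisted_hits, detections=detections)

# Two candidate rules: the first is narrow enough to survive vetting, the
# second is broad enough to hit a system component and is therefore dropped.
def rule_packed_unsigned_autostart(f: FileRecord) -> bool:
    return f.packed and not f.signed and f.run_key

def rule_headless_autostart(f: FileRecord) -> bool:
    return f.run_key and not f.has_gui

if __name__ == "__main__":
    for rule in (rule_packed_unsigned_autostart, rule_headless_autostart):
        print(rule.__name__, vet_rule(rule))
```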
dlimanov
July 19th, 2009, 01:13 AM
{QUOTE-> Joe,
I just PMed you the link to actual exploit and malware. This should make things easier.
:-) <-QUOTE}
Joe,
Did you get my PM and had a chance to analyze what I sent? This one seemed to have been a nasty little bugger, it was a bit of work cleaning it off of my test VM. Neither Prevx nor Malwarebytes or anything else I could throw at it was able to clean it 100%; A-2 in paranoid mode was the only thing that stopped it in its tracks, after which I cleaned it by hand.
P.S. This was a true 0-day at the time of submission, 0% detection on virustotal.com and few other ~Jotti scan results removed per policy.~
PrevxHelp
July 19th, 2009, 01:16 AM
{QUOTE-> Joe,
Did you get my PM and had a chance to analyze what I sent? This one seemed to have been a nasty little bugger, it was a bit of work cleaning it off of my test VM. Neither Prevx nor Malwarebytes or anything else I could throw at it was able to clean it 100%; A-2 in paranoid mode was the only thing that stopped it in its tracks, after which I cleaned it by hand.
P.S. This was a true 0-day at the time of submission, 0% detection on virustotal.com and few other sites. <-QUOTE}
I forwarded it onto one of our researchers (EraserHW). I'll ping him to respond here in the morning as to what he found :)
EraserHW
July 19th, 2009, 10:13 AM
{QUOTE-> Joe,
Did you get my PM and had a chance to analyze what I sent? This one seemed to have been a nasty little bugger, it was a bit of work cleaning it off of my test VM. Neither Prevx nor Malwarebytes or anything else I could throw at it was able to clean it 100%; A-2 in paranoid mode was the only thing that stopped it in its tracks, after which I cleaned it by hand.
P.S. This was a true 0-day at the time of submission, 0% detection on virustotal.com and few other . <-QUOTE}
We shortly added detection for it after your submission:
http://www.virustotal.com/analisis/80f0b51b1153675c5a111db83d1a409c3730a67f73273368197a35440fdfc7f6-1247740317
We didn't have problems in cleaning it up, but if you have had any kind of problem, please report us them so we can further investigate on it :)
Thank you :)
jedi_m
July 19th, 2009, 04:16 PM
e_fbagaea.dll
Hello,
I've got an alert from Prevx 3 (High Risk Cloaked Malware) and the file name is e_fbagaea.dll. I am not sure if it is a false positive or is a real malware. I've sent a scan log to Prevx in the morning. Here is a link to VirusTotal
~VirusTotal screenshot removed per Policy (http://www.wilderssecurity.com/showthread.php?t=180057).~
What should I do, ignore it, delete the file?
Thanks,
Jedi_m
Nail64
July 19th, 2009, 04:18 PM
Hi PrevxHelp,
I bought Prevx 3.0 on Friday after running it in trial mode for about a week. During the trial I never ran the Full Scan but I ran it once it was purchased.
It found about 17 files that I think are FPs so I added them to the detection overrides by clicking "Report as false positive". I sent my scan log to the email address posted so you guys can determine if they are all FPs or not.
One example is d3dx9_39.dll which you detect as riskware. Virustotal link below:
~VirusTotal screenshot removed per Policy (http://www.wilderssecurity.com/showthread.php?t=180057).~
I am also running MSE 1.0 beta and none of these have been detected by it.
Thanks
PrevxHelp
July 19th, 2009, 04:24 PM
{QUOTE-> Hi PrevxHelp <-QUOTE}
Hello,
I've checked out the log and only see two false positives in it, but the last scan shows as "aborted". Can you please try running another "Scan Now" scan and save another scan log to ensure that we have everything to fix? In the meantime, I've fixed the two FPs :) Thanks!
Nail64
July 19th, 2009, 04:46 PM
Wow that was quick! Thanks for checking them out. So some of them are legit? :o
I'm running another scan right now, I also removed most of them. I'll submit when the scan is complete. Thanks
PrevxHelp
July 19th, 2009, 04:47 PM
{QUOTE-> Wow that was quick! Thanks for checking them out. So some of them are legit? :o
I'm running another scan right now, I also removed most of them. I'll submit when the scan is complete. Thanks <-QUOTE}
Some of the files in your log are indeed malicious but it will be clearer once I see the whole thing :)
Nail64
July 19th, 2009, 05:43 PM
Hi PrevxHelp,
I sent a new logfile. I cleaned most of the files listed. I see some of them are no longer detected as threats. There are only 2 that are listed that seem to be weird.
Can you take another look? Thanks
PrevxHelp
July 19th, 2009, 05:50 PM
{QUOTE-> Hi PrevxHelp,
I sent a new logfile. I cleaned most of the files listed. I see some of them are no longer detected as threats. There are only 2 that are listed that seem to be weird.
Can you take another look? Thanks <-QUOTE}
Hello,
Thank you for the new log - the remaining two are false positives, the handful that you had before were indeed malicious but are cleaned now and everything else looks fine :)
If you run another scan, the files won't be detected anymore.
Nail64
July 19th, 2009, 06:00 PM
Looks like everything is good now. Thank you
elations
July 19th, 2009, 11:23 PM
I'm testing Windows 7 (RC 64-bit version) and because my regular software firewall isn't, as yet, compatible, I'm checking out Kaspersky AV 8.0 Technical Preview for Windows 7 which has the "Anti-Hacker" module that acts as firewall. For roughly a day now, the free version of PrevX I have running on my machine flags the Kaspersky driver klif.sys as "Medium Risk Malware". An earlier submission to VirusTotal confirmed that PrevX identified the file as malware. Interestingly, I wasn't the first person to submit this file, but the previous submission was named differently and had an .exe extension. Here's that previous result.
~VirusTotal screenshot removed per Policy (http://www.wilderssecurity.com/showthread.php?t=180057).~
I still assumed this would probably be a false positive, and being busy with other things, and because I wasn't yet registered at Wilders Security and haven't submitted a sample to PrevX yet, I decided to wait a bit and see what happened. I expected the alerts would go away soon as many other PrevX users would be running the same technical preview and this would be looked at sooner rather than later. However, much time passed without resolution. I had previously already submitted a few suspected malware samples to Kaspersky, a few examples from a constant stream of new malware pouring into certain usenet groups, and the fact it wouldn't cost much time to just follow the same protocol and submit to them a sample of klif.sys, I quickly did that when I found a little time. Very soon I received the reply that the sample was malware free. I then submitted the same file to VirusTotal again and found that, this time, PrevX didn't seem to find anything wrong with it anymore. The online scan, that is, because on my system, nothing appears to have changed. PrevX still identifies two instances of klif.sys, and a related registry entry, as malware. I've rescanned a few times since then, but no change, I still get a red alert. Don't know what's amiss here, but something obviously doesn't work the way it's supposed to, so now, at long last, I've decided this has to end, one way or the other, and took the time to register with Wilders and write this message, so I can submit the file plus scan results. I still hope it's a false positive, of course, but have also braced myself for worse scenarios. Oh, I just realize the forum doesn't accept the submission, so I'll send it separately by email (it'll take a couple of minutes). Here's just a screenshot showing the alert:
PrevxHelp
July 19th, 2009, 11:36 PM
Hello elations,
Thank you for taking the time to register and report the detection :) This is indeed a false positive and is caused because of the changes which Kaspersky's driver makes to the system. Most antivirus/firewall drivers modify the system in ways identical to rootkits and other malware so it is common for one vendor to detect another vendor's drivers/components as malicious (Kaspersky does it to us but we aren't trying to be vindictive with this false positive ;))
I've corrected the FP and am adding a signature to prevent similar FPs in the future.
You should now be able to scan your system and it will show a clean status.
Thank you again for the report and let me know if you need anything else!
overangry
July 20th, 2009, 12:01 AM
{QUOTE->
~link removed as per-policy, but a note made that the file was detected only by Prevx~ <-QUOTE}
just a quick off topic question...
Posts 95, 96, 104 and more have virus total links posted why was this removed and the others not???
Could someone please post a link where this policy is outlined?
PrevxHelp
July 20th, 2009, 12:04 AM
It is a general part of the forum's policy to remove VirusTotal links (just because of how flawed comparisons via VirusTotal are), however, I'm going to be asking the moderators if there is a need to remove a link when it isn't trying to compare AVs.
The link to the policy is here: http://www.wilderssecurity.com/showthread.php?t=180057
overangry
July 20th, 2009, 12:27 AM
{QUOTE-> It is a general part of the forum's policy to remove VirusTotal links (just because of how flawed comparisons via VirusTotal are), however, I'm going to be asking the moderators if there is a need to remove a link when it isn't trying to compare AVs.
The link to the policy is here: http://www.wilderssecurity.com/showthread.php?t=180057 <-QUOTE}
Thanks for the clarification and the provided link ;D
raven211
July 21st, 2009, 06:07 AM
Same FPs another time - that's enough reason to get Prevx off my system once more. :dry:
PrevxHelp
July 21st, 2009, 09:46 AM
{QUOTE-> Same FPs another time - that's enough reason to get Prevx off my system once more. :dry: <-QUOTE}
:gack: They just released an update (the files you had before are still marked good). gamemon.des does heavily use rootkit technology which is why we flag it.
I've searched through and fixed a few gamemon.des', hopefully yours included.
raven211
July 21st, 2009, 10:53 AM
{QUOTE-> :gack: They just released an update (the files you had before are still marked good). gamemon.des does heavily use rootkit technology which is why we flag it.
I've searched through and fixed a few gamemon.des', hopefully yours included. <-QUOTE}
Yeah, thanks - I probably won't use Prevx till v4, UNLESS the bridge is what's also featuring the FP-reductions. Is that so, and would these be avoided?
PrevxHelp
July 21st, 2009, 11:02 AM
{QUOTE-> Yeah, thanks - I probably won't use Prevx till v4, UNLESS the bridge is what's also featuring the FP-reductions. Is that so, and would these be avoided? <-QUOTE}
Now they would be avoided regardless of the version used (via a rule in place to detect these specifically) but there is little we can do to not detect software like this which is so heavily guarded by rootkit technology.
raven211
July 21st, 2009, 11:35 AM
{QUOTE-> Now they would be avoided regardless of the version used (via a rule in place to detect these specifically) but there is little we can do to not detect software like this which is so heavily guarded by rootkit technology. <-QUOTE}
Okay, I just recalled that something similar was applied before, maybe in this very same topic I guess - what was that? What you're saying is anyways that from now on the files that I'd pictured in that window won't happen again, correct?
PrevxHelp
July 21st, 2009, 11:38 AM
{QUOTE-> Okay, I just recalled that something similar was applied before, maybe in this very same topic I guess - what was that? What you're saying is anyways that from now on the files that I'd pictured in that window won't happen again, correct? <-QUOTE}
I hadn't made a more complex routine to prevent this particular FP, but now under all reasonable circumstances we won't produce a FP on gamemon.des (or the associated remnant components which were also detected).
raven211
July 21st, 2009, 12:14 PM
{QUOTE-> I hadn't made a more complex routine to prevent this particular FP, but now under all reasonable circumstances we won't produce a FP on gamemon.des (or the associated remnant components which were also detected). <-QUOTE}
Okay, Joe - thank you very much. ;)
philby
July 21st, 2009, 04:56 PM
Hello Joe
Looks like the GUI (http://www.paehl.com/open_source/?MyDefrag_GUI_wrapper) written for MyDefrag is a little too new...?
[BP] c:\users\philbyv\desktop\mydefrag gui\gui_mydefrag.exe
[PX5: DADB776600C4C8D67E73028ED7FDD50022AF8D90]
Malware Group: Medium Risk Malware
[DN] c:\users\philbyv\desktop\mydefrag gui\mydefrag.exe
[PX5: A99DFC150090DFF9E0B70C5015BA46004B6256CE]
Malware Group: Community.OuterEdge
I've already flagged this through MyPrevx to Claudia, Jessica, Victoria et al :P
I understand you only need the PX codes - hope that's right.
philby
PrevxHelp
July 21st, 2009, 05:18 PM
Fixed ;D Thanks!
philby
July 21st, 2009, 05:21 PM
Once again, you set a new rapid-response record...
Thank you.
philby
Romagnolo1973
July 22nd, 2009, 02:06 PM
Hi Joe or Marco, I have this warning on my pc about BitCHE, a program for searching Utorrent Files
It has been on my pc since 2007 and today I receive the Prevx warning so I think it is a FP
Here is the log:
Prevx Scan Log - Version v3.0.1.65
Log Generated: 22/7/2009 19:57, Type: 1,8192
Windows XP Professional Service Pack 3 (Build 2600) 32bit|1040
Some non-malicious files are not included in this log.
Heuristics Settings: Age: 2, Pop: 2, Heu: 3 (Dir: 1)
Last Scan: Wed 2009-07-22 19:56:17 ora legale Europa occidentale. Number of Scans: 239. Last Scan Duration: 5 minutes 49 seconds.
[BP] (ACTIVE) c:\documents and settings\...\dati applicazioni\convivea\bit_che\scripts\special.exe [PX5: 0232CF09ED0CBD8D5F8400196D8EAF0049FB89B8] Malware Group: Medium Risk Malware
PrevxHelp
July 22nd, 2009, 02:13 PM
Hi Romagnolo1973,
I've looked at it and 17/43 vendors find it on VT :-\ Could you send the file to report@prevxresearch.com so we can analyze it directly?
EraserHW
July 22nd, 2009, 02:20 PM
It is a false positive, though the way it acts is really way suspicious ::)
SvS
July 22nd, 2009, 04:37 PM
I get the following FP for a newer version of UpdateStar again:
[22/7/2009 21:52] The file [C:\Users\<user>\AppData\Roaming\UpdateStar\UpdateStar.exe] has been blocked because it contains a threat of type [Low Risk Adware] - Identity: C46E9A16F0327F1EE0AD47FA54DDE500D643273C
PrevxHelp
July 22nd, 2009, 04:39 PM
{QUOTE-> I get the following FP for a newer version of UpdateStar again:
[22/7/2009 21:52] The file [C:\Users\<user>\AppData\Roaming\UpdateStar\UpdateStar.exe] has been blocked because it contains a threat of type [Low Risk Adware] - Identity: C46E9A16F0327F1EE0AD47FA54DDE500D643273C <-QUOTE}
Thanks for the report - I've corrected it, however, it was an age/popularity false positive so you may want to lower your heuristic/age/popularity settings if you get too many of them :)
SvS
July 22nd, 2009, 05:23 PM
{QUOTE-> Thanks for the report - I've corrected it, however, it was an age/popularity false positive so you may want to lower your heuristic/age/popularity settings if you get too many of them :) <-QUOTE}
UpdateStar is the only one PrevX detects (every time the application is updated though).
I don't know if the following two fall into the same category, I doubt since MyPrevX lists them as I-Worm/Stration.DTP:
c:\program files\rainmeter\skins\hud.vision\black\util\fileexec.exe [PX5: 37DCBFFB00C2C9106EC1005C49AD1D00C0353F40]
c:\program files\rainmeter\skins\hud.vision\white\util\fileexec.exe [PX5: 37DCBFFB00C2C9106EC1005C49AD1D00C0353F40]
PrevxHelp
July 22nd, 2009, 05:28 PM
{QUOTE-> UpdateStar is the only one PrevX detects (every time the application is updated though).
I don't know if the following two fall into the same category, I doubt since MyPrevX lists them as I-Worm/Stration.DTP <-QUOTE}
This is unrelated to the other detection - 11 products find the file on VT but it is indeed a FP (most likely detected by others also because it is used/dropped by infections to execute other files... lazy malware authors ::))
trjam
July 22nd, 2009, 05:32 PM
Joe, you and Marcos and PWD are to continue to be commended for all you do for Prevx. Anyone that ever steals you 3 away will have to fork over big bucks.
Mel, you listening.;)
StevieO
July 24th, 2009, 04:27 PM
Hi, I'm back on XP now and I've done a fresh install of Prevx which found these 2 as threats -
c:\windows\system32\drivers\rkd.sys [PX5: 68EC60E2001AE922DEA800F5AA74D5009172B053] Malware Group: Medium Risk Malware
c:\windows\gendel32.exe [PX5: FC4A0195009B0798DC5800C90DC6C70066776FED Malware Group: High Risk Worm
Above from the log.
I'm sure rkd.sys is from one of my ARKs. Properties says, Chinese (PRC) KAVBC.exe
gendel32.exe Properties says nothing.
TIA
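The scan-log lines posted in this thread come in a few shapes (one-line `[BP] (ACTIVE) path [PX5: id] Malware Group: name`, the same split over three lines, a line with the closing bracket missing, and the real-time "has been blocked" message with its `Identity:`), and the PX5 identifiers are what a report needs. Here is an added parser for them; it is not Prevx code, the format details are inferred only from the lines quoted in this thread, and the sample log below is constructed from those lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Detection:
    path: str
    px5: str
    group: Optional[str]   # None when the log line carries no group
    source: str            # "scan" (scan log) or "realtime" (block message)

# One scan-log entry: optional [BP]-style tag, optional (ACTIVE) state, a
# drive-letter path, a 40-hex PX5 id whose closing bracket may be missing,
# and an optional Malware Group.
SCAN_RE = re.compile(
    r"^(?:\[[A-Z]{2}\]\s*)?(?:\([A-Z]+\)\s*)?"
    r"(?P<path>[A-Za-z]:\\.*?)\s*"
    r"\[PX5:\s*(?P<px5>[0-9A-Fa-f]{40})\]?"
    r"(?:\s*Malware Group:\s*(?P<group>.+?))?\s*$"
)
# Real-time block message: [date time] The file [path] has been blocked
# because it contains a threat of type [group] - Identity: <PX5>
REALTIME_RE = re.compile(
    r"^\[[^\]]+\]\s*The file \[(?P<path>[^\]]+)\] has been blocked because it "
    r"contains a threat of type \[(?P<group>[^\]]+)\]\s*-\s*Identity:\s*"
    r"(?P<px5>[0-9A-Fa-f]{40})"
)

def _join_continuations(lines: List[str]) -> List[str]:
    """Fold '[PX5: ...]' and 'Malware Group: ...' lines onto the path line before them."""
    joined: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if joined and (line.startswith("[PX5:") or line.startswith("Malware Group:")):
            joined[-1] = joined[-1] + " " + line
        else:
            joined.append(line)
    return joined

def parse_prevx_log(text: str) -> List[Detection]:
    """Return every detection found in a pasted scan log or block message."""
    found: List[Detection] = []
    for line in _join_continuations(text.splitlines()):
        m = REALTIME_RE.match(line)
        if m:
            found.append(Detection(m["path"], m["px5"].upper(), m["group"], "realtime"))
            continue
        m = SCAN_RE.match(line)
        if m:
            found.append(Detection(m["path"], m["px5"].upper(), m["group"], "scan"))
    return found

def px5_report(text: str) -> List[str]:
    """Unique PX5 ids in first-seen order: the part of the log a report needs."""
    seen: List[str] = []
    for d in parse_prevx_log(text):
        if d.px5 not in seen:
            seen.append(d.px5)
    return seen

# Constructed sample assembled from lines quoted earlier in this thread.
SAMPLE_LOG = r"""
Prevx Scan Log - Version v3.0.1.65
Some non-malicious files are not included in this log.
[BP] (ACTIVE) c:\documents and settings\...\dati applicazioni\convivea\bit_che\scripts\special.exe [PX5: 0232CF09ED0CBD8D5F8400196D8EAF0049FB89B8] Malware Group: Medium Risk Malware
[BP] c:\users\philbyv\desktop\mydefrag gui\gui_mydefrag.exe
[PX5: DADB776600C4C8D67E73028ED7FDD50022AF8D90]
Malware Group: Medium Risk Malware
c:\windows\gendel32.exe [PX5: FC4A0195009B0798DC5800C90DC6C70066776FED Malware Group: High Risk Worm
c:\program files\rainmeter\skins\hud.vision\black\util\fileexec.exe [PX5: 37DCBFFB00C2C9106EC1005C49AD1D00C0353F40]
c:\program files\rainmeter\skins\hud.vision\white\util\fileexec.exe [PX5: 37DCBFFB00C2C9106EC1005C49AD1D00C0353F40]
[22/7/2009 21:52] The file [C:\Users\<user>\AppData\Roaming\UpdateStar\UpdateStar.exe] has been blocked because it contains a threat of type [Low Risk Adware] - Identity: C46E9A16F0327F1EE0AD47FA54DDE500D643273C
"""

if __name__ == "__main__":
    for d in parse_prevx_log(SAMPLE_LOG):
        print(d)
    print(px5_report(SAMPLE_LOG))
```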
PrevxHelp
July 24th, 2009, 04:48 PM
Hello,
I've corrected the rkd.sys FP (indeed a component of an antirootkit program) but the gendel file seems to be malicious (or at least quite a few vendors do, Panda calling it with a name of HackTool/Gendel.A which may give some credence to the detection) so for now I've left that in place pending further review :)
Let me know if you have any thoughts on it or where it came from!
StevieO
July 24th, 2009, 04:58 PM
Good and not good lol.
Shall I send you the gendel32.exe ?
PrevxHelp
July 24th, 2009, 05:05 PM
{QUOTE-> Good and not good lol.
Shall i send you the gendel32.exe ? <-QUOTE}
Yes :) If you can email it to report@prevxresearch.com, we'll take a look at it to see what its trying to do.
StevieO
July 24th, 2009, 05:08 PM
I'll send it now
TIA
PrevxHelp
July 24th, 2009, 05:36 PM
{QUOTE-> I'll send it now
TIA <-QUOTE}
The file is indeed a FP, by us and ~10 vendors but it is caused (at least from us) because the file has come primarily from malware installers. It looks to be a component of an install package, albeit, done quite suspiciously :-\
I've corrected it now :) Thanks for the report!
StevieO
July 24th, 2009, 05:50 PM
Jeepers talk about fast responses !
I hoped it would be a FP, I don't mind them at all, better than no detects on real Malware. In the meantime I renamed it.
I found this " As far as I know, gendel32.exe is put in by the third party installer we use " on http://forums.http-tunnel.com/showthread.php?t=1800
-
I don't remember installing http-tunnel, but it could have been from something similar at sometime ?
As you say, a number of other vendors are detecting it as Malware too. I'll try and alert them as well.
Thanx again,
S
StevieO
July 25th, 2009, 07:21 PM
Today for some reason I suddenly got threat alerts on these 2 - ole2plgin.dll and madchook.dll both in System32
madchook.dll SHA1 = B9AA426CE405969B2EC64E4A2CE2BFFCB65BA2D9 MD5 = 83DDA547DA1248E2EAAE8133B79C24F7 = api hooking for 9x/nt = www.madshi.net = SAFE Been in there for ages, OA uses it.
ole2plgin.dll SHA1 = B9AA426CE405969B2EC64E4A2CE2BFFCB65BA2D9 MD5 = 83DDA547DA1248E2EAAE8133B79C24F7
FileAlyzer analysis mentions network and sockets etc ! Also, Characteristics: A18E - Executable, Line Numbers Stripped, Local Symbols Stripped, Bytes Reversed Lo, Bytes Reversed Hi, 32bit Machine Expected, DLL
No info in Properties ? Name is similar to MS etc .dll's, but of course that could be deliberate if it's a baddie ! Not loaded according to Autoruns, and not running according to Process Explorer. Your www says it's dodgy so ?
TIA
PrevxHelp
July 25th, 2009, 07:28 PM
Hello,
I believe I've fixed them - we don't use MD5/SHA1 so I can't be sure but can you run a scan to see if they're found again?
Madchook.dll is unfortunately very heavily used by malware but it is a good and useful utility, definitely not malicious by itself.
StevieO
July 25th, 2009, 07:36 PM
You don't use MD5/SHA1, ooh, why not if I may be so bold as to ask ?
Yep, just did a scan and they've disappeared lol.
I don't know what you guys are on, but I want some lol.
Thanx
PrevxHelp
July 25th, 2009, 07:52 PM
{QUOTE-> You don't use MD5/SHA1, ooh, why not if I may be so bold as to ask ?
Yep, just did a scan and they've disappeared lol.
I don't know what you guys are on, but I want some lol.
Thanx <-QUOTE}
MD5/SHA1 are only useful for detecting a single file and both have exploits against them which are growing in computational feasibility quickly. We use our own algorithms which are much more generic than MD5/SHA1 :)
cyb_2009
July 25th, 2009, 10:43 PM
Prevx et al, Hope this is the right thread to use for my query.
I finally found your Prevx product after trying a bunch of the other top rated anti-spyware/malware/rootkit products. When I took my personal laptop to work and hooked it in to our network via DHCP it was found to be generating lots of Port 25 (SMTP) spam and caused my work's ISP to blacklist our company, ouch! At work on their router, for a test we blocked Port 25 and could see my laptop banging against it with constant spambot activity. The ISP said they had identified it as Cutwail, but who really knows. So, I ran every major tool (anti-virus, anti-spyware, anti-rootkit) I could find on the net and they found nothing! I deleted all those and my laptop is still sending SMTP spam. I also tried your free Prevx 3.0 version and its scan also found absolutely nothing. I am very puzzled by this. There is what seems like a spambot on my laptop and no software tool can find it. Is it too new? I was hoping that since your product is cutting edge I would finally solve my problem, but no luck so far. You are the first anti-malware company I've contacted since it seems like a cool product. Your help would be much appreciated and I would be glad to buy the product if it could find and (after I paid) remove this active spambot on my laptop.
Thanks!
PrevxHelp
July 25th, 2009, 10:45 PM
Hello cyb_2009,
We'd be glad to help :) If you could run a scan with Prevx 3.0 and then click Tools > Save Scan Results and email us that log to report@prevxresearch.com, we'll report back with our results if we see anything unusual.
Let me know if you have any questions!
Triple Helix
July 26th, 2009, 12:11 AM
Hi cyb_2009,
Here is some info that you'd probably like to see about Cutwail!
http://www.youtube.com/watch?v=Ap0KIT4etZ0&feature=channel_page
TH
cyb_2009
July 26th, 2009, 12:11 PM
{QUOTE-> Hello cyb_2009,
We'd be glad to help :) If you could run a scan with Prevx 3.0 and then click Tools > Save Scan Results and email us that log to report@prevxresearch.com, we'll report back with our results if we see anything unusual.
Let me know if you have any questions! <-QUOTE}
Thanks. I just sent the scan per your instructions.
cyb_2009
July 26th, 2009, 12:45 PM
{QUOTE-> Hi cyb_2009,
Here is some info that you'd probably like to see about Cutwail!
http://www.youtube.com/watch?v=Ap0KIT4etZ0&feature=channel_page
TH <-QUOTE}
Thanks Triple Helix. After watching that I downloaded the latest GMER and ran it. On first scan of C: it found nothing, but my drive is partitioned C/D and when I checked both drives, C & D it found something in the next scan. While I didn't really know what to look for, GMER reported the following lines in red as rootkit activity:
---- Processes - GMER 1.0.15 ----
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [900] 0x10000000
Library C:\Documents (*** hidden *** ) @ C:\Documents [2292] 0x00400000
---- EOF - GMER 1.0.15 --
I did another Prevx scan right after and nothing reported. I assume Prevx scans all drives and attached devices automatically?
PrevxHelp
July 26th, 2009, 12:47 PM
{QUOTE-> Thanks. I just sent the scan per your instructions. <-QUOTE}
Hello,
We couldn't find anything malicious in your log :-\ Could you try installing a firewall to warn on any traffic outbound or inbound to try and see what process it is coming from?
PrevxHelp
July 26th, 2009, 12:51 PM
{QUOTE-> Thanks Triple Helix. After watching that I downloaded the latest GMER and ran it. On first scan of C: it found nothing, but my drive is partitioned C/D and when I checked both drives, C & D it found something in the next scan. While I didn't really know what to look for, GMER reported the following lines in red as rootkit activity:
---- Processes - GMER 1.0.15 ----
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [900] 0x10000000
Library C:\Documents (*** hidden *** ) @ C:\Documents [2292] 0x00400000
---- EOF - GMER 1.0.15 --
I did another Prevx scan right after and nothing reported. I assume Prevx scans all drives and attached devices automatically? <-QUOTE}
That is indeed strange. If you're interested, would you like one of our researchers to help you remotely during the week to try and diagnose this more accurately?
cyb_2009
July 26th, 2009, 01:40 PM
{QUOTE-> Hello,
We couldn't find anything malicious in your log :-\ Could you try installing a firewall to warn on any traffic outbound or inbound to try and see what process it is coming from? <-QUOTE}
I am running just the Windows XP firewall (I know, useless). What firewall would you suggest, if you can. I was trying to find some kind of tool to log Port 25 but short of Wireshark (which I have but not sure how to use it:-\ ) I couldn't find anything handy. I suppose that's what firewalls do, but I'm hesitant to load one of the bloatware apps out there that infiltrate the whole PC worse than malware...::)
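Attributing the port 25 traffic to a process, as asked above, does not need a new firewall: `netstat -ano` (connection table with owning PID) and `tasklist /FO CSV` (PID to image name) both ship with Windows XP Pro, and their output can be correlated offline. This is an added example, not from the thread; the captured output below is constructed, including its addresses and PIDs.

```python
import csv
import io
import re
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Conn:
    proto: str
    local: str
    remote_host: str
    remote_port: int
    state: str
    pid: int

@dataclass
class Suspect:
    pid: int
    process: str                       # image name, or "<unknown>" if not in tasklist
    remotes: List[str] = field(default_factory=list)   # unique remote hosts hit
    connections: int = 0               # number of matching connections

def parse_netstat(text: str) -> List[Conn]:
    """Parse 'netstat -ano' output; UDP rows (no state, '*:*' peers) are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        proto, local, remote, state, pid = parts
        host, _, port = remote.rpartition(":")
        if not port.isdigit():
            continue
        conns.append(Conn(proto, local, host, int(port), state, int(pid)))
    return conns

def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Parse 'tasklist /FO CSV' output into {pid: image name}."""
    names: Dict[int, str] = {}
    for row in csv.DictReader(io.StringIO(text.strip())):
        names[int(row["PID"])] = row["Image Name"]
    return names

def find_smtp_senders(netstat_text: str, tasklist_text: str,
                      port: int = 25) -> List[Suspect]:
    """Group outbound connections to the given port by owning process,
    busiest process first. Any ordinary desktop process appearing here
    with many distinct remote hosts is what the ISP's complaint points at."""
    names = parse_tasklist_csv(tasklist_text)
    by_pid: Dict[int, Suspect] = {}
    for c in parse_netstat(netstat_text):
        if c.remote_port != port:
            continue
        s = by_pid.setdefault(c.pid, Suspect(c.pid, names.get(c.pid, "<unknown>")))
        s.connections += 1
        if c.remote_host not in s.remotes:
            s.remotes.append(c.remote_host)
    return sorted(by_pid.values(), key=lambda s: s.connections, reverse=True)

# Constructed sample output (addresses from documentation ranges, PIDs invented).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1034      203.0.113.5:25         SYN_SENT        1480
  TCP    192.168.1.20:1041      198.51.100.7:25        ESTABLISHED     1480
  TCP    192.168.1.20:1042      198.51.100.7:25        SYN_SENT        1480
  TCP    192.168.1.20:1055      203.0.113.9:80         ESTABLISHED     2292
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
"""
TASKLIST_SAMPLE = """
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"winlogon.exe","900","Console","0","3,256 K"
"svchost.exe","1480","Console","0","4,120 K"
"firefox.exe","2292","Console","0","48,000 K"
"""

if __name__ == "__main__":
    for s in find_smtp_senders(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {s.pid} {s.process}: {s.connections} connections to {s.remotes}")
```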
cyb_2009
July 26th, 2009, 01:44 PM
{QUOTE-> That is indeed strange. If you're interested, would you like one of our researchers to help you remotely during the week to try and diagnose this more accurately? <-QUOTE}
Sure, that would be fine. I'll email you my contact info since I see I can't PM here.
Also, I am still running just the unregistered scan version of Prevx 3.0, does it look at my D: drive too or does that take a full (paid) scan?
PrevxHelp
July 26th, 2009, 01:46 PM
{QUOTE-> Sure, that would be fine. I'll PM you my contact info.
Also, I am still running just the unregistered scan version of Prevx 3.0, does it look at my D: drive too or does that take a full (paid) scan? <-QUOTE}
It looks at any programs which are active or can become active but doesn't perform an on-demand scan of every file (as they aren't threatening to your system if they aren't active/able to become active).
I'm surprised GMER would perform differently between the two scans depending on what you scanned as the detections were still just from your C:\ drive.
We'll uncover the cause soon :)
cyb_2009
July 26th, 2009, 02:04 PM
{QUOTE-> It looks at any programs which are active or can become active but doesn't perform an on-demand scan of every file (as they aren't threatening to your system if they aren't active/able to become active).
I'm surprised GMER would perform differently between the two scans depending on what you scanned as the detections were still just from your C:\ drive.
We'll uncover the cause soon :) <-QUOTE}
I see what happened. When I fire up GMER it starts what looks like a scan and lists a few items, but no problems. I have to press the SCAN button and then it runs a full scan and found the issue on C: with just C: selected. I was confused by how it works originally.
Thanks
Triple Helix
July 26th, 2009, 02:58 PM
{QUOTE-> Thanks Triple Helix. After watching that I downloaded the latest GMER and ran it. On first scan of C: it found nothing, but my drive is partitioned C/D and when I checked both drives, C & D it found something in the next scan. While I didn't really know what to look for, GMER reported the following lines in red as rootkit activity:
---- Processes - GMER 1.0.15 ----
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [900] 0x10000000
Library C:\Documents (*** hidden *** ) @ C:\Documents [2292] 0x00400000
---- EOF - GMER 1.0.15 --
I did another Prevx scan right after and nothing reported. I assume Prevx scans all drives and attached devices automatically? <-QUOTE}
I know Joe is helping you but in the mean time you can try this tool to see if it shows up!
http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight
TH
cyb_2009
July 26th, 2009, 03:11 PM
{QUOTE-> I know Joe is helping you but in the mean time you can try this tool to see if it shows up!
http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight
TH <-QUOTE}
Thanks TH. I grabbed it and ran it, and it found nothing. Ran GMER again as a check and it found the same items I listed above.
Triple Helix
July 26th, 2009, 04:23 PM
{QUOTE-> Thanks TH. I grabbed it and ran it, and it found nothing. Ran GMER again as a check and it found the same items I listed above. <-QUOTE}
Well it's best to let the Prevx team help you out to find the cause of this problem and you are in great hands!
TH
StevieO
July 26th, 2009, 05:49 PM
Hi, just got back and booted up, Prevx scanned automatically and found the following, which were ALL there earlier, and all FP's as far as I'm concerned !
c:\documents and settings\\desktop\t\555\combofix\combofix.exe [PX5: 66767783413728499C032D344B708A0073F3D1D8] Malware Group: Medium Risk Malware
combofix.exe = Lol
c:\documents and settings\\desktop\\zemana spy tests\screenlogger.exe [PX5: 144FE21D983C2A4DD18704BB2E6D1E0086982798] Malware Group: Low Risk Test Virus
[BP] c:\documents and settings\\desktop\\zemana spy tests\webcamlogger.exe [PX5: 327A08DB98A59BC2DF5804E4B63BD100386B8CF1] Malware Group: Low Risk Test Virus
[BP] c:\documents and settings\\desktop\\zemana spy tests\clipboardlogger.exe [PX5: 88EA1C59981E05E4DB000489ADB5C7009B7FAE31] Malware Group: Low Risk Test Virus
All zemana spy tests = SAFE
c:\documents and settings\\desktop\\sysprot\sysprot v1.0.0.7.exe [PX5: 16F4EF06005319B57CC2029901514C009E6BA296] Malware Group: Medium Risk Malware
sysprot v1.0.0.7.exe = SAFE
c:\documents and settings\\desktop\\hidetoolz_v2.1\hidetoolz v2.1.exe [PX5: 7E3CD74700A3C8717E4F01DBDF274700F4D5CEA2] Malware Group: High Risk Worm
hidetoolz v2.1.exe = SAFE
c:\documents and settings\\desktop\\detect virtual pc or vmware\host detection.exe [PX5: D7308F2E004FCC9BA0EF00D269FA5500C5678C14] Malware Group: High Risk Worm
host detection.exe = SAFE
c:\documents and settings\\desktop\\new text document-txt.exe [PX5: D42EA513E6111EB116E1018702195C0006D60EEF] Malware Group: Low Risk Adware
new text document-txt.exe = SAFE Something renamed by me.
c:\documents and settings\\desktop\\through-the-eyes-of-a-keylogger_v1_0_0.exe [PX5: 36EE70E600414CCE102A017BA4FF19005F2F77F5] Malware Group: Low Risk Test Virus
through-the-eyes-of-a-keylogger_v1_0_0.exe = SAFE = Tests
c:\documents and settings\\desktop\\aklt\aklt.exe [PX5: 5ACA58B200076A56A4DA025E8AF7A700CA7BF5B1] Malware Group: Medium Risk Malware
aklt.exe = SAFE = Firewall Leak Tests
c:\documents and settings\\desktop\\cmcark_cw0.2.4.500\cmcark.exe [PX5: 14EBA34257AB4F83133F2682478F36005D5F163C] Malware Group: High Risk Worm
cmcark.exe = SAFE = ARK
c:\documents and settings\\desktop\\samurai version 2.7\imagehooks.dll [PX5: D89CCAC3001EBDB0702A02FC42433F00583407C7] Malware Group: High Risk System Back Door
[B] c:\documents and settings\\desktop\\samurai version 2.7\userhooks.dll [PX5: A20AACBF0091FEAAA0A602E4A2FAEC00B016B7AD] Malware Group: Low Risk Adware
samurai version 2.7 = SAFE = Security App, never seen any ads, but don't use it anymore
TIA
S
PrevxHelp
July 26th, 2009, 06:02 PM
Hi SteveO,
We detect some of these files intentionally (like the leaktests) but there are some FPs in here which I'll be fixing shortly :) Thank you for the report(s) :)
EDIT: The only actual false positives here are your "new text document exe" (but caught because the tool used to make it is used frequently to make malware), combofix (which is caught by a number of other AVs because it uses tools like NirCmd which are used very heavily by malware), and cmcark.exe.
The rest of them are adware or riskware - hidetoolz.exe may not be malicious by itself but it is used to hide processes and is found by 23/41 vendors on VT (most explicitly as "HideProc"). The samurai dlls do appear to be adware as well :-\
cyb_2009
July 26th, 2009, 06:32 PM
{QUOTE-> Well it's best to let the Prevx team help you out to find the cause of this problem and you are in great hands!
TH <-QUOTE}
Thanks TH and I loaded up Look'n'Stop Firewall 2.06p4 I saw on your sig. Now I have to answer all the "Authorize" questions :P . Wish I knew how to make it log Port 25 SMTP.
Triple Helix
July 26th, 2009, 07:35 PM
{QUOTE-> Thanks TH and I loaded up Look'n'Stop Firewall 2.06p4 I saw on your sig. Now I have to answer all the "Authorize" questions :P . Wish I knew how to make it log Port 25 SMTP. <-QUOTE}
Feel free to ask questions about Look'n'Stop in their forum; Frederic would be happy to assist you!!
http://www.wilderssecurity.com/forumdisplay.php?f=28
TH
Saladien
July 27th, 2009, 01:54 PM
Please see this log; most things are FPs (the first is an autoit script or something like that), the rest are zoom shortcuts and pidgin plugins.
PrevxHelp
July 27th, 2009, 02:12 PM
{QUOTE-> Please see this log; most things are FPs (the first is an autoit script or something like that), the rest are zoom shortcuts and pidgin plugins. <-QUOTE}
Hello,
The pidgin plugin is clean but the other file is an autorun worm and registers itself quite maliciously in the registry. You should be able to remove the file but ensure that you remove the system service named:
.1247270467sstr
and any associated entries in there as well.
Let me know if you have any questions or find anything else! :)
Saladien
July 27th, 2009, 02:40 PM
Hi,
I have deleted the file, but the new scan says pidgin-musictracker is malware, but it is also a plugin. And where is the system32.exe from yesterday? I can't find it anymore.
cyb_2009
July 27th, 2009, 03:05 PM
{QUOTE-> It looks at any programs which are active or can become active but doesn't perform an on-demand scan of every file (as they aren't threatening to your system if they aren't active/able to become active).
I'm surprised GMER would perform differently between the two scans depending on what you scanned as the detections were still just from your C:\ drive.
We'll uncover the cause soon :) <-QUOTE}
Latest update. When I ran GMER today it found nothing. When I went to the GMER site in IE8 to see if I could get more info on it, the www.gmer.net page was turned into a page of hex gibberish. Repeatable. Other sites were OK. I could bring up www.gmer.net just fine in Safari or Opera, so it seems like an IE thing, and an obvious infection. When I ran GMER again I was unable to press the SCAN button in the rootkits area, so something is blocking it now. I emailed GMER about that. Prevx still shows nothing, while spams were being actively sent on Port 25/SMTP.
I used the firewall to selectively turn off my "allow" apps in LnS and the spam stopped being generated when Outlook was blocked. Whatever it is, it seems pretty sophisticated, watching webpages, blocking functions, etc...
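cyb_2009 got to the culprit by toggling firewall "allow" rules until the Port 25 traffic stopped. The script below, an added example and not Prevx's or any poster's tool, does the same attribution from the output of the built-in `netstat -ano` and `tasklist /FO CSV` commands, flagging any non-mail-client process on TCP 25 and any process fanning out to several mail servers at once; the two captures and the process names in them are constructed.

```python
"""Attribute outbound SMTP (TCP 25) connections to processes using the output
of the Windows built-ins `netstat -ano` and `tasklist /FO CSV`, and flag the
two patterns a spam bot shows: a process that is not a mail client talking
SMTP at all, and one process fanning out to many mail servers at once.

Example code added to this thread, not a Prevx or poster tool. The two
captures below are constructed; on a real machine save the command output
to files and pass their contents in."""

import csv
import io
import re
from collections import defaultdict
from typing import Dict, List

# Constructed `netstat -ano` output (not from a real machine).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1050       198.51.100.7:80        ESTABLISHED     2120
  TCP    192.168.1.5:1052       203.0.113.10:25        SYN_SENT        1844
  TCP    192.168.1.5:1053       203.0.113.11:25        ESTABLISHED     1844
  TCP    192.168.1.5:1054       203.0.113.12:25        SYN_SENT        1844
  TCP    192.168.1.5:1055       203.0.113.13:25        ESTABLISHED     1844
  TCP    192.168.1.5:1061       192.0.2.25:25          ESTABLISHED     3304
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /FO CSV` output mapping PIDs to image names.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","2120","Console","0","5,120 K"
"OUTLOOK.EXE","1844","Console","0","41,004 K"
"winhelper.exe","3304","Console","0","2,316 K"
"""

TCP_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def split_endpoint(addr: str):
    """'203.0.113.10:25' -> ('203.0.113.10', 25); also handles '[::1]:25'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else -1


def parse_netstat(text: str) -> List[dict]:
    """Return one dict per TCP row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue  # header, blank and UDP lines carry no peer/PID we need
        local, remote, state, pid = m.groups()
        host, port = split_endpoint(remote)
        rows.append({"local": local, "remote_host": host,
                     "remote_port": port, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Map PID -> lower-cased image name from `tasklist /FO CSV` output."""
    return {int(row["PID"]): row["Image Name"].lower()
            for row in csv.DictReader(io.StringIO(text))}


def smtp_activity(netstat_text: str, tasklist_text: str,
                  allowed=("outlook.exe", "thunderbird.exe"),
                  fanout_threshold: int = 3, ports=(25,)) -> List[dict]:
    """List every process with connections to an SMTP port and why it looks odd.

    `allowed` names the mail clients expected to speak SMTP on this box; the
    fan-out check still applies to them, because in this thread the spam
    stopped only when Outlook itself was blocked at the firewall."""
    names = parse_tasklist_csv(tasklist_text)
    peers = defaultdict(set)  # pid -> distinct remote mail servers
    for row in parse_netstat(netstat_text):
        if row["remote_port"] in ports:
            peers[row["pid"]].add(row["remote_host"])
    findings = []
    for pid in sorted(peers):
        image = names.get(pid, "<unknown>")
        reasons = []
        if image not in allowed:
            reasons.append("not an expected mail client")
        if len(peers[pid]) >= fanout_threshold:
            reasons.append(f"fan-out: {len(peers[pid])} distinct SMTP peers")
        findings.append({"pid": pid, "image": image,
                         "peers": sorted(peers[pid]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in smtp_activity(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        flag = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{flag:10} pid={f['pid']:<5} {f['image']:<14} "
              f"peers={len(f['peers'])} {'; '.join(f['reasons'])}")
```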
PrevxHelp
July 27th, 2009, 03:10 PM
{QUOTE-> Hi,
I have deleted the file, but the new scan says pidgin-musictracker is malware, but it is also a plugin. And where is the system32.exe from yesterday? I can't find it anymore. <-QUOTE}
Now it's fixed :) Thanks again - I'm not sure with the system32.exe file, it may have changed into the other filename ??? It definitely isn't there anymore in your log.
StevieO
July 27th, 2009, 03:17 PM
Hi,
I noticed today some of my earlier detects have now gone, great ! These are still showing though.
new text document exe
(but caught because the tool used to make it is used frequently to make malware) Actually I encrypted it with Axcrypt, not a baddie. Might be due to the encryption ?
c:\documents and settings\\desktop\\sysprot\sysprot v1.0.0.7.exe [PX5: 16F4EF06005319B57CC2029901514C009E6BA296] Malware Group: Medium Risk Malware
Sysprot = ARK = SAFE so ?
c:\documents and settings\\desktop\\installed onxp\samurai version 2.7\imagehooks.dll [PX5: D89CCAC3001EBDB0702A02FC42433F00583407C7] Malware Group: High Risk System
Why Back Door ?
c:\documents and settings\\desktop\\samurai version 2.7\userhooks.dll [PX5: A20AACBF0091FEAAA0A602E4A2FAEC00B016B7AD] Malware Group: Low Risk Adware
No adware i've ever seen so ?
c:\documents and settings\\desktop\\detect virtual pc or vmware\host detection.exe [PX5: 36EE70E600414CCE102A017BA4FF19005F2F77F5] Malware Group: Low Risk Test Virus
It only checks for VM or not so ?
Also strangely enough, Avira is now alerting me that the earlier detect Combofix is Malware, but it wasn't before ? I'll send it to them as a FP too.
TIA
Saladien
July 27th, 2009, 03:20 PM
Previously Detected Files:
[B] c:\windows\syswow64\system32.exe [PX5: 2B160C6D00691F2AC0C505345FFFFE0004AD73A2] Malware Group: High Risk Cloaked Malware
End of Prevx Scan Log - http://www.prevx.com
but now I can't find it ???
Is there any way you could send the file to Agnitum and A-Squared? (if you have a database of malware)
Because now it has disappeared (maybe an update to the virus code)
http://www.emsisoft.de/de/support/submit/
http://www.agnitum.de/support/submit_files.php
PrevxHelp
July 27th, 2009, 03:24 PM
{QUOTE->
new text document exe
(but caught because the tool used to make it is used frequently to make malware) Actually I encrypted it with Axcrypt, not a baddie. Might be due to the encryption ? <-QUOTE}
This is indeed the case - I'll see what we can do to update the signature to prevent some FPs on Axcrypt files but it will have to be done carefully to prevent loss of detection. I should have this updated in 15 mins or so :)
{QUOTE-> c:\documents and settings\\desktop\\installed onxp\samurai version 2.7\imagehooks.dll [PX5: D89CCAC3001EBDB0702A02FC42433F00583407C7] Malware Group: High Risk System
c:\documents and settings\\desktop\\samurai version 2.7\userhooks.dll [PX5: A20AACBF0091FEAAA0A602E4A2FAEC00B016B7AD] Malware Group: Low Risk Adware <-QUOTE}
This program does appear to contain adware - a variant of the "TopSearch" adware (which is most likely a bundled DLL rather than unique adware). A number of other vendors detect it as well and I think it does need to remain there.
{QUOTE-> c:\documents and settings\\desktop\\detect virtual pc or vmware\host detection.exe [PX5: 36EE70E600414CCE102A017BA4FF19005F2F77F5] Malware Group: Low Risk Test Virus
It only checks for VM or not so ? <-QUOTE}
This tool is used almost exclusively by malware and I don't really see how it could be used outside of malware really :-\ It's been used in a few dozen different infections so IMO it is more worthwhile to detect it than not.
{QUOTE-> Also strangely enough, Avira has now alerting me that the earlier detect Combofix is Malware, but it wasn't before ? I'll send it to them as a FP too. <-QUOTE}
I wouldn't blame them :) Most AVs find Combofix (ironically) because of all of the tools they have bundled inside the archive - a lot of them are also used heavily by malware :-\
StevieO
July 27th, 2009, 03:33 PM
Axcrypt = Good news
samurai = If you say so boss ! Even though I haven't used it for ages, I never saw ANY adware, strange ?
host detection.exe = Ooh err, really ! I think I'll send it to you so you can examine it in detail. I'm sure I DL'd it from an OK place, but can't remember now, but any info I find I'll send with it.
Re Avira. I've had Combofix in for a while, but only today it detects it lol.
Fanx
PrevxHelp
July 27th, 2009, 03:37 PM
{QUOTE->
samurai = If you say so boss ! Even though I haven't used it for ages, I never saw ANY adware, strange ? <-QUOTE}
Not sure :-\ It may not be outwardly malicious - but it is adware (or at least a Possibly Unwanted Program via McAfee's terminology).
{QUOTE-> host detection.exe = Ooh err, really ! I think i'll send it to you so you can examine it in detail. I'm sure i DL'd from an OK place, but can't remember now, but any info i find i'll send with it. <-QUOTE}
The file itself is legitimate but the way that it's used isn't - it's very easy to latch onto a file being malicious if you detect that it performs different behavior when under a virtual machine or not. This way, they're putting the virtual machine detection in a separate program to evade detection. Sneaky, but still malicious (which is why we and a number of other AVs block this file).
PrevxHelp
July 27th, 2009, 03:38 PM
{QUOTE-> Previously Detected Files:
[B] c:\windows\syswow64\system32.exe [PX5: 2B160C6D00691F2AC0C505345FFFFE0004AD73A2] Malware Group: High Risk Cloaked Malware
End of Prevx Scan Log - http://www.prevx.com
but now I can't find it ???
Is there any way you could send the file to Agnitum and A-Squared? (if you have a database of malware)
Because now it has disappeared (maybe an update to the virus code)
http://www.emsisoft.de/de/support/submit/
http://www.agnitum.de/support/submit_files.php <-QUOTE}
We don't harvest all malware samples so we don't have a copy of it but it doesn't look like it is in your log anymore so you should be safe (Previously Detected Files means that they used to be there but aren't anymore :))
raven211
July 27th, 2009, 03:41 PM
{QUOTE->
Re Avira. I've had Combofix in for a while, but only today it detects it lol.
Fanx <-QUOTE}
That's the thing that bothers me most... it's one thing with totally new software, e.g. betas or new versions - even if not good, it's understandable that at least Age/Spread heuristics might throw up something - but when it comes to software which has not changed at all and Prevx suddenly goes *poof* "Aha! I think I found something!", then it's getting really bothersome. I dunno why it should at all. What's the reason it connects something that hasn't changed with malware because of new rules or whatever?
I won't throw up "my own software blahblahblah" once again since I know that would bring the same answer which doesn't make sense to me anyway, simply because that answer is not the truth to me.
StevieO
July 27th, 2009, 03:43 PM
Okey dokey, you d man !
Thanx
PrevxHelp
July 27th, 2009, 03:44 PM
{QUOTE-> That's the thing that bothers me most... it's one thing with totally new software, e.g. betas or new versions - even if not good, it's understandable that at least Age/Spread heuristics might throw up something - but when it comes to software which has not changed at all and Prevx suddenly goes *poof* "Aha! I think I found something!", then it's getting really bothersome. I dunno why it should at all. What's the reason it connects something that hasn't changed with malware because of new rules or whatever?
I won't throw up "my own software blahblahblah" once again since I know that would bring the same answer which doesn't make sense to me anyway, simply because that answer is not the truth to me. <-QUOTE}
Every time an AV adds a signature (Avira included as they had the same FP as us, as well as 10+ other companies that also FP on the combofix file), it has to be applied to every other program in existence, regardless of if it was allowed past before. So, FPs are very dynamic and change with every additional signature added for every company.
StevieO
July 27th, 2009, 04:18 PM
Here again lol
I just tried to exclude those detects and got this, which I haven't before when I've had to do it.
1 - Is this new ?
2 - Where am i supposed to put them, and why won't the Prevx App do this automatically as before ?
TIA
PrevxHelp
July 27th, 2009, 04:19 PM
{QUOTE-> Here again lol
I just tried to exclude those detects and got this, which I haven't before when I've had to do it.
1 - Is this new ?
2 - Where am i supposed to put them, and why won't the Prevx App do this automatically as before ?
TIA <-QUOTE}
You can use that dialog to pick a file, or you can right click on the file in the detection list and click "Report as a false positive" which will automatically add it to the exclusion list :)
Let me know if you have any other questions with it :)
StevieO
July 27th, 2009, 04:31 PM
Ahhh, but if you try and right click from the Detection Overrides panel to do that as I just did, it won't let you. As it seems this option is only available from the Scan results panel ! I must have done it like that before.
Might be nice if we could do it from within the Detection Overrides panel in future as well.
Thanx
PrevxHelp
July 27th, 2009, 04:42 PM
{QUOTE-> Ahhh, but if you try and right click from the Detection Overrides panel to do that as I just did, it won't let you. As it seems this option is only available from the Scan results panel ! I must have done it like that before.
Might be nice if we could do it from within the Detection Overrides panel in future as well.
Thanx <-QUOTE}
Ah I see what you mean - in the Detection Overrides screen you just have to double click on the entry and you can change it :) But yes, the scan results screen is where the right click option is most prominently available (and easiest to get to).
EraserHW
July 27th, 2009, 05:42 PM
{QUOTE-> Latest update. When I ran GMER today it found nothing. When I went to the GMER site in IE8 to see if I could get more info on it, the www.gmer.net page was turned into a page of hex gibberish. Repeatable. Other sites were OK. I could bring up www.gmer.net just fine in Safari or Opera, so it seems like an IE thing, and an obvious infection. When I ran GMER again I was unable to press the SCAN button in the rootkits area, so something is blocking it now. I emailed GMER about that. Prevx still shows nothing, while spams were being actively sent on Port 25/SMTP.
I used the firewall to selectively turn off my "allow" apps in LnS and the spam stopped being generated when Outlook was blocked. Whatever it is, it seems pretty sophisticated, watching webpages, blocking functions, etc... <-QUOTE}
Hi,
I've sent to you two e-mails today. Could you check if you have got them or if they have been moved inside a spam folder maybe?
Thank you :)
StevieO
July 27th, 2009, 05:50 PM
Yes that's obviously why right clicking didn't work. All's well now though, overridden them. Thanx.
If i may,
samurai version 2.7 You didn't say why you class it as a Back Door. Adware/Pup possibly you say, but Back Door ? That's a lot more dodgy than any Adware.
Sysprot = Why the warning still on this SAFE ARK ?
TIA
PrevxHelp
July 27th, 2009, 06:00 PM
{QUOTE-> If i may, <-QUOTE}
You may! ;D
{QUOTE-> samurai version 2.7 You didn't say why you class it as a Back Door. Adware/Pup possibly you say, but Back Door ? That's a lot more dodgy than any Adware. <-QUOTE}
Malware group names/types are very hard to define perfectly automatically which sometimes causes it to have different names. It is definitely adware/pup instead of a backdoor and I'll work on correcting this :)
{QUOTE-> Sysprot = Why the warning still on this SAFE ARK ? <-QUOTE}
Simply the result of copy and paste failing me across two different computers ;D It is fixed now - thanks :)
cyb_2009
July 27th, 2009, 08:07 PM
{QUOTE-> Hi,
I've sent to you two e-mails today. Could you check if you have got them or if they have been moved inside a spam folder maybe?
Thank you :) <-QUOTE}
Hi EraserHW, I was in a lot of work meetings today and finally able to check. I did get them. Thanks. I responded in PM. When I get a chance I'll get back looking at this. I appreciate all the help!
EraserHW
July 28th, 2009, 05:16 AM
{QUOTE-> Hi EraserHW, I was in a lot of work meetings today and finally able to check. I did get them. Thanks. I responded in PM. When I get a chance I'll get back looking at this. I appreciate all the help! <-QUOTE}
Ok, perfect :)
thathagat
July 28th, 2009, 07:35 AM
hey prevxhelp you might want to take a look at this...http://www.raymond.cc/forum/general-forum/13153-is-prevx-3-rogue.html
PrevxHelp
July 28th, 2009, 10:10 AM
{QUOTE-> hey prevxhelp you might want to take a look at this...http://www.raymond.cc/forum/general-forum/13153-is-prevx-3-rogue.html <-QUOTE}
Thanks :) Replied/Fixed!
arjunned
August 2nd, 2009, 03:20 AM
Prevx is detecting the Rainmeter uninstaller as malware. FP??
PrevxHelp
August 2nd, 2009, 11:24 AM
{QUOTE-> Prevx is detecting the Rainmeter uninstaller as malware. FP?? <-QUOTE}
Hello,
Thank you for the report - we've corrected the FP :)
TonyW
August 2nd, 2009, 12:00 PM
Just a point of interest - if people get alerts like that shown in the last screenshot, would a right-click and report as a FP also work as well as mentioning it here?
If this is the case, perhaps some users don't realise they can do the above option; I don't think it's clear within the program or elsewhere that they can do this when reporting FPs - it's certainly not in the sticky post about reporting false positives or missing detections.
PrevxHelp
August 2nd, 2009, 08:44 PM
{QUOTE-> Just a point of interest - if people get alerts like that shown in the last screenshot, would a right-click and report as a FP also work as well as mentioning it here?
If this is the case, perhaps some users don't realise they can do the above option; I don't think it's clear within the program or elsewhere that they can do this when reporting FPs - it's certainly not in the sticky post about reporting false positives or missing detections. <-QUOTE}
Right clicking "Report as a false positive" does get it forwarded to our research team, however, I personally prefer to have FPs reported here directly just because it gives much more credibility to the FP report itself - we have run into a lot of cases of malware authors using bots to try and get their malware whitelisted so we receive quite a lot of false-false positive reports which makes very-low volume FPs like the one reported above harder to find.
Pain of Salvation
August 2nd, 2009, 11:40 PM
Prevx detected these files as malware:
http://img5.imageshack.us/img5/5130/prevx.jpg
I have formatted my computer yesterday...
thathagat
August 3rd, 2009, 12:41 AM
{QUOTE-> we have run into a lot of cases of malware authors using bots to try and get their malware whitelisted <-QUOTE}
hehe;D
PrevxHelp
August 3rd, 2009, 12:49 AM
{QUOTE-> Prevx detected these files as malware:
http://img5.imageshack.us/img5/5130/prevx.jpg
I have formatted my computer yesterday... <-QUOTE}
Hello,
Can you please save a scan log by clicking Tools > Save Scan Results and send it to report@prevxresearch.com so we can analyze the exact file which exists on your computer?
Thanks! :)
Pain of Salvation
August 3rd, 2009, 12:50 AM
False positive?
http://img5.imageshack.us/img5/5130/prevx.jpg
The log is attached
Pain of Salvation
August 3rd, 2009, 01:12 AM
Ok, thanks!
PrevxHelp
August 3rd, 2009, 02:53 AM
{QUOTE-> Ok, thanks! <-QUOTE}
Hello,
We've corrected the FP - thank you for the report :)
PrevxHelp
August 3rd, 2009, 02:53 AM
{QUOTE-> False positive?
http://img5.imageshack.us/img5/5130/prevx.jpg
The log is attached <-QUOTE}
Replied in the other thread ;) (FP fixed)
dlimanov
August 4th, 2009, 12:13 AM
Joe,
Should PrevX catch Flash buffer overflow? I came across a 0-day Flash buffer overflow POC that upon execution runs calculator as a shellcode, it worked like a champ on a test machine with PrevX, MSE and Mamutu (A-2 caught it in paranoid mode via behavior engine).
I'm not sure if I'm allowed to post it here, but video of the actual POC is here:
http://www.youtube.com/watch?v=wJb6a-J3i4c
You can go to author's blog to get more details and POC itself.
Now, I understand that signature-based detection would've failed here as this is a 0-day, but should buffer overflow be caught by either of the products I listed?
Habakuck
August 4th, 2009, 03:09 AM
{QUOTE-> Joe,
Should PrevX catch Flash buffer overflow? I came across a 0-day Flash buffer overflow POC that upon execution runs calculator as a shellcode, it worked like a champ on a test machine with PrevX, MSE and Mamutu (A-2 caught it in paranoid mode via behavior engine).
I'm not sure if I'm allowed to post it here, but video of the actual POC is here:
http://www.youtube.com/watch?v=wJb6a-J3i4c
You can go to author's blog to get more details and POC itself.
Now, I understand that signature-based detection would've failed here as this is a 0-day, but should buffer overflow be caught by either of the products I listed? <-QUOTE}
Question:
How is the computer infected then? Will this shellcode execution lead to an infected file on the computer which PrevX is able to catch?
Habakuck
August 4th, 2009, 07:29 AM
RootRepeal gets detected:
http://rootrepeal.googlepages.com/
jmonge
August 4th, 2009, 12:59 PM
{QUOTE-> eheheh, perfetto! ;D <-QUOTE}
i am new to prevx:) what is prevx stronger with? spyware? virus? rootkits? keyloggers? thanks
dlimanov
August 4th, 2009, 02:47 PM
{QUOTE-> Question:
How is the computer infected then? Will this shellcode execution lead to an infected file on the computer which PrevX is able to catch? <-QUOTE}
Shellcode could be anything, I'm not worried about PrevX catching (or not) actions of the shellcode itself; what I was wondering was if PrevX should be able to catch buffer overflow attacks, and if Flash one I posted above was different in some way.
PrevxHelp
August 4th, 2009, 04:12 PM
{QUOTE-> Shellcode could be anything, I'm not worried about PrevX catching (or not) actions of the shellcode itself; what I was wondering was if PrevX should be able to catch buffer overflow attacks, and if Flash one I posted above was different in some way. <-QUOTE}
Our secure browser will improve upon our exploit prevention but we do not try and block calls which lead to no actual damage - an exploit which executes calc.exe is not the same as an exploit which downloads/executes malware :) We focus on the latter and leave the former either to specialized routines or maximum settings (but currently you aren't able to configure Prevx to block a specific exploit like this - you will be able to in the future, however).
dlimanov
August 4th, 2009, 04:55 PM
Joe,
Thank you for your reply. So in theory, PrevX should've caught this buffer overflow if the actions of the shellcode would've been malicious, correct? If so, what particular (shellcode) actions would it have marked as malicious and triggered detection on?
Tarnak
August 4th, 2009, 10:59 PM
I still run Ewido 3.5. Ewido was bought by Grisoft(AVG). It is legacy software, which I find useful to check connections and for terminating processes.
However, I was in a snapshot that I rarely use, when an old version of Prevx detected some threats.
See log:
Prevx Scan Log - Version v3.0.1.17
Log Generated: 3/8/2009 23:01, Type: 1,8192
Windows XP Professional Service Pack 2 (Build 2600) 32bit|1033
Some non-malicious files are not included in this log.
Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
Last Scan: Mon 2009-08-03 22:50:50 E. Australia Standard Time. Number of Scans: 9. Last Scan Duration: 8 minutes 29 seconds.
[B] (ACTIVE) c:\program files\ewido\security suite\modules\processviewer.dll [PX5: 4418E81940954FE576FD0057B2FD8100ECD521F7] Malware Group: Medium Risk Malware
[B] (ACTIVE) c:\program files\ewido\security suite\modules\autostartviewer.dll [PX5: 85F8B2724011D8C5D06100DF82B706006CC448E5] Malware Group: Medium Risk Malware
[B] (ACTIVE) c:\program files\ewido\security suite\archive.dll [PX5: 420C70AC4086315790C80318AB37A40082640ABC] Malware Group: Medium Risk Malware
[U] (ACTIVE) c:\program files\rising\rav\defmon.dll [PX5: F1A5FAA77002BF952A37020B75E32F0035EFCF8E]
[U] (ACTIVE) c:\program files\rising\rav\mailmon.dll [PX5: 3680D60D7075F6312AA0028A69C9EA0023BFFF1F]
[U] (ACTIVE) c:\program files\rising\rav\hookweb.dll [PX5: 95B9EC997025D5A22A38013C539563006BE57138]
[U] (ACTIVE) c:\program files\rising\rav\hookcont.dll [PX5: CC51EBD6708DABBA3A920128EA1208000AB23750]........................
Today, I am back to my usual snapshot, and the following scan has not detected the above 3 files.
See log:
Prevx Scan Log - Version v3.0.1.65
Log Generated: 5/8/2009 12:20, Type: 1,8192
Windows XP Professional Service Pack 2 (Build 2600) 32bit|1033
Some non-malicious files are not included in this log.
Heuristics Settings: Age: 2, Pop: 2, Heu: 2 (Dir: 1)
Last Scan: Wed 2009-08-05 12:04:59 E. Australia Standard Time. Number of Scans: 490. Last Scan Duration: 24 minutes 13 seconds.
[U] (ACTIVE) c:\program files\opera 10.0 alpha\opera.exe [PX5: BC1AA82A00E9E697BEF401DC1AD8A6001536B3E4]
[UP] (ACTIVE) c:\program files\opera 10.0 alpha\opera.dll [PX5: 21979BB6001FC73E08F83CF6981F5D0008E36E2A]
[U] (ACTIVE) c:\program files\grisoft\avg7\avgabout.dll [PX5: 4DEBC8EA00AA7B9F047B1179DF6C650134CDC624]
This program(Ewido 3.5) is installed in both snapshots. However, 3 threats are found in one snapshot, but not the other. Same files, but different scan results.
P.S. I updated the version(3.0.1.17) shown in the first log to v 3.0.1.65, but still have the 3 detections occurring in that snapshot.
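The "same files, different scan results" comparison above can be done mechanically. The parser below is an added example, not Prevx's own tooling: it reads the scan log layout quoted in this thread, keys entries on their PX5 identity and classifies each earlier detection as still detected, re-grouped, cleared, absent or new; the flag meanings it assumes, and the sample logs and identities it uses, are constructed rather than taken from any real scan.

```python
"""Parse Prevx 3 scan logs (the "Save Scan Results" format pasted in this
thread) and compare two logs by PX5 identity.  Added example, not Prevx code.
Assumed line layout, inferred from the quoted logs:
    [FLAG] (STATE) path [PX5: 40-hex identity] Malware Group: name
Flag meanings (B bad, BP bad/probable, U unknown, UP unknown/probable) are an
assumption; the sample logs and their identities below are constructed."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ENTRY_RE = re.compile(
    r"^\[(?P<flag>[A-Z]+)\]\s+"             # determination flag, e.g. [B], [U]
    r"(?:\((?P<state>[A-Z]+)\)\s+)?"        # optional state, e.g. (ACTIVE)
    r"(?P<path>.+?)\s+"                     # path, spaces allowed (lazy match)
    r"\[PX5:\s*(?P<px5>[0-9A-Fa-f]{40})\]"  # Prevx identity
    r"(?:\s+Malware Group:\s*(?P<group>.+?))?\s*$")


@dataclass(frozen=True)
class Entry:
    flag: str
    state: Optional[str]
    path: str
    px5: str
    group: Optional[str]
    previously_detected: bool  # listed under "Previously Detected Files:"

    @property
    def is_detection(self) -> bool:
        # Only lines carrying a Malware Group are blocked; [U]/[UP] are listed only.
        return self.group is not None


def parse_prevx_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    previously = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Previously Detected Files:"):
            previously = True  # entries after this header are no longer on disk
            continue
        if line.startswith("End of Prevx Scan Log"):
            break
        m = ENTRY_RE.match(line)
        if m:  # header lines do not match and are skipped
            entries.append(Entry(m["flag"], m["state"], m["path"].lower(),
                                 m["px5"].upper(), m["group"], previously))
    return entries


def diff_detections(before: List[Entry], after: List[Entry]) -> Dict[str, list]:
    """Classify the live detections of `before` against `after` by PX5:
    still_detected / changed_group (same file, different Malware Group) /
    cleared (listed in `after` but no longer flagged, e.g. FP fixed) /
    absent (not in `after` at all: file gone or omitted as clean) / new."""
    b = {e.px5: e for e in before if e.is_detection and not e.previously_detected}
    a = {e.px5: e for e in after if e.is_detection and not e.previously_detected}
    seen_after = {e.px5 for e in after}
    out: Dict[str, list] = {k: [] for k in
                            ("still_detected", "changed_group", "cleared", "absent", "new")}
    for px5, e in b.items():
        if px5 in a:
            if a[px5].group == e.group:
                out["still_detected"].append(e.path)
            else:
                out["changed_group"].append((e.path, e.group, a[px5].group))
        elif px5 in seen_after:
            out["cleared"].append(e.path)
        else:
            out["absent"].append(e.path)
    out["new"] = [e.path for px5, e in a.items() if px5 not in b]
    return out


def fake_px5(n: int) -> str:
    """Constructed 40-hex identity standing in for a real PX5 hash."""
    return f"{n:040X}"


# Constructed logs mirroring the two-snapshot situation above.
SNAPSHOT_A = "\n".join([
    "Prevx Scan Log - Version v3.0.1.17",
    "Some non-malicious files are not included in this log.",
    f"[B] (ACTIVE) c:\\program files\\oldsuite\\processviewer.dll [PX5: {fake_px5(1)}] Malware Group: Medium Risk Malware",
    f"[B] (ACTIVE) c:\\program files\\oldsuite\\archive.dll [PX5: {fake_px5(2)}] Malware Group: Medium Risk Malware",
    f"[BP] c:\\documents and settings\\user\\desktop\\tests\\keylogtest.exe [PX5: {fake_px5(3)}] Malware Group: Low Risk Test Virus",
    f"[U] (ACTIVE) c:\\program files\\someav\\defmon.dll [PX5: {fake_px5(4)}]",
    "Previously Detected Files:",
    f"[B] c:\\windows\\syswow64\\system32.exe [PX5: {fake_px5(5)}] Malware Group: High Risk Cloaked Malware",
    "End of Prevx Scan Log - http://www.prevx.com"])
SNAPSHOT_B = "\n".join([
    "Prevx Scan Log - Version v3.0.1.65",
    f"[U] (ACTIVE) c:\\program files\\oldsuite\\archive.dll [PX5: {fake_px5(2)}]",
    f"[BP] c:\\documents and settings\\user\\desktop\\tests\\keylogtest.exe [PX5: {fake_px5(3)}] Malware Group: Low Risk Test Virus",
    f"[B] c:\\users\\user\\appdata\\roaming\\updater\\updater.exe [PX5: {fake_px5(6)}] Malware Group: Low Risk Adware",
    "End of Prevx Scan Log - http://www.prevx.com"])

if __name__ == "__main__":
    for kind, items in diff_detections(parse_prevx_log(SNAPSHOT_A),
                                       parse_prevx_log(SNAPSHOT_B)).items():
        print(f"{kind:15} {items}")
```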
TonyW
August 5th, 2009, 08:39 AM
How long should it take, roughly, for FPs to be fixed if sent by email?
I sent email at 6.54pm last night re: the installer for Jalbum, but Prevx still detects the executable as medium risk malware at 1.32pm today.
PrevxHelp
August 5th, 2009, 12:46 PM
{QUOTE-> Joe,
Thank you for your reply. So in theory, PrevX should've caught this buffer overflow if the actions of the shellcode would've been malicious, correct? If so, what particular (shellcode) actions would it have marked as malicious and triggered detection on? <-QUOTE}
It depends on the infection and it's hard to say exactly what would trigger it as it uses our community intelligence (so behaviors are gathered/age is considered/etc.)
PrevxHelp
August 5th, 2009, 12:46 PM
{QUOTE->
P.S. I updated the version (3.0.1.17) shown in the first log to v3.0.1.65, but still have the 3 detections occurring in that snapshot. <-QUOTE}
FPs fixed :) Thanks!
PrevxHelp
August 5th, 2009, 12:48 PM
{QUOTE-> How long should it take, roughly, for FPs to be fixed if sent by email?
I sent email at 6.54pm last night re: the installer for Jalbum, but Prevx still detects the executable as medium risk malware at 1.32pm today. <-QUOTE}
I found your submission - there was a management issue in report@prevxresearch... it was assigned to Marco (EraserHW) but he's on vacation currently ;D I've corrected the FP - sorry for the delay!
TonyW
August 7th, 2009, 07:03 AM
Spyware Cease, as discussed here (http://www.wilderssecurity.com/showthread.php?t=250241), doesn't appear to be detected by Prevx. The setup file is 14.1MB in size - I haven't sent this through as unsure if too big to send even when compressed.
jmonge
August 7th, 2009, 10:33 AM
Hi Joe, SpyBlaster is getting away from Prevx :)
I think it is a rogue; some antiviruses at VT recognize it as malware, but not Prevx ;D
TonyW
August 7th, 2009, 10:50 AM
{QUOTE-> Hi Joe, SpyBlaster is getting away from Prevx :)
I think it is a rogue; some antiviruses at VT recognize it as malware, but not Prevx ;D <-QUOTE}Confirmed. It's listed by hpHosts as a rogue, and is on a couple of other domain blocklists.
I've submitted the file to Prevx Research.
PrevxHelp
August 7th, 2009, 12:08 PM
{QUOTE-> Confirmed. It's listed by hpHosts as a rogue, and is on a couple of other domain blocklists.
I've submitted the file to Prevx Research. <-QUOTE}
Great, thanks :) Will have it added shortly!
EDIT: I've analyzed the file - we already block all components of it, we just don't look at the .msi (but if the malware was to try and run we block every piece of it).
SvS
August 7th, 2009, 01:10 PM
It's me again with:
[7/8/2009 16:15] The file [c:\users\[user]\appdata\roaming\updatestar\updatestar.exe] contains a threat of type [Low Risk Adware] - Identity: 93066E19F0C8E004E0494706987F3E007EB55664
Last time you identified the detection of the previous version of the application as an age/popularity false positive. However, this version of updatestar.exe was installed on July 27 and PrevX didn't detect this "threat" in the July 27 - August 6 timeframe (minimum two scans a day). I don't understand why this is first detected two weeks after installation. If this is a heuristic detection I'd have expected an alert shortly after installation or at least 1 day later. (According to the information in your malware network the file was first seen in SPAIN or ITALY on Jul 28 2009).
PrevxHelp
August 7th, 2009, 01:22 PM
{QUOTE-> It's me again with:
[7/8/2009 16:15] The file [c:\users\[user]\appdata\roaming\updatestar\updatestar.exe] contains a threat of type [Low Risk Adware] - Identity: 93066E19F0C8E004E0494706987F3E007EB55664
Last time you identified the detection of the previous version of the application as an age/popularity false positive. However, this version of updatestar.exe was installed on July 27 and PrevX didn't detect this "threat" in the July 27 - August 6 timeframe (minimum two scans a day). I don't understand why this is first detected two weeks after installation. If this is a heuristic detection I'd have expected an alert shortly after installation or at least 1 day later. (According to the information in your malware network the file was first seen in SPAIN or ITALY on Jul 28 2009). <-QUOTE}
I just checked our database - on August 7th (today) at 13:30 we added a new rule to detect some new Adware.Lop samples and it seems to have overstepped its bounds a bit and caught this one again. I've updated the rule and corrected the file's determination.
Thanks for the report :)
TonyW
August 7th, 2009, 02:04 PM
{QUOTE-> EDIT: I've analyzed the file - we already block all components of it, we just don't look at the .msi (but if the malware was to try and run we block every piece of it). <-QUOTE}I confirm the program executable is detected when run after installation. :)
Could you check Spyware Cease please as mentioned in post #200 (http://www.wilderssecurity.com/showpost.php?p=1519807&postcount=200) as I just checked during a sandboxed install. There are no alerts at any point when running the program after installation.
TonyW
August 8th, 2009, 08:59 AM
{QUOTE-> Could you check Spyware Cease please as mentioned in post #200 (http://www.wilderssecurity.com/showpost.php?p=1519807&postcount=200) as I just checked during a sandboxed install. There are no alerts at any point when running the program after installation. <-QUOTE}Any further news on this one yet? Just did a scan on my sandboxed installation of the application, and Prevx doesn't detect.
Cretemonster
August 8th, 2009, 09:46 AM
Your answer was already posted I believe...
{QUOTE-> EDIT: I've analyzed the file - we already block all components of it, we just don't look at the .msi (but if the malware was to try and run we block every piece of it). <-QUOTE}
That pretty much summarizes our take on the rogue. Having had a closer look, it's tough to even touch the installer as it is and, if truth be known, this is purely user-initiated scareware; using "rogue" just doesn't do justice here. I can't even classify it as that since it doesn't actually drop anything I'd classify as malicious, or at least it didn't here.
As Joe said, with full protection you can download the installer (.msi) but it should never be able to fully execute or drop files to disc; again, at least it wasn't able to here. It's always possible you're using a different installer than the one I found.
TonyW
August 8th, 2009, 09:58 AM
{QUOTE-> Your answer was already posted I believe... <-QUOTE}That answer was in relation to Spyblaster; I'm now talking about Spyware Cease, which I first mentioned in post #200.
PrevxHelp
August 8th, 2009, 11:54 AM
{QUOTE-> That answer was in relation to Spyblaster; I'm now talking about Spyware Cease, which I first mentioned in post #200. <-QUOTE}
Sorry - I've tracked back to your post now. I'm testing Spyware Cease as we speak and will report back with what I find!
PrevxHelp
August 8th, 2009, 11:57 AM
Confirmed Rogue: Will add protection momentarily - it looks quite good, however :-\ Definitely upping the bar on how subtle rogues can be.
TonyW
August 8th, 2009, 12:02 PM
{QUOTE-> Confirmed Rogue: Will add protection momentarily - it looks quite good, however :-\ Definitely upping the bar on how subtle rogues can be. <-QUOTE}I thought it was, and judging by the thread where it's discussed, others think so too.
Just as a point of reference, when files are large, like say 14MB in size, it probably isn't practical to send for analysis even when compressed. (The 7z compression I did of it actually increased it slightly. ???) Is the best way then to report it here or do you accept such large attachments?
PrevxHelp
August 8th, 2009, 12:03 PM
Feel free to just send links if it's easier - I just Googled it to find it this time :)
TonyW
August 8th, 2009, 08:51 PM
{QUOTE-> Confirmed Rogue: Will add protection momentarily - it looks quite good, however :-\ Definitely upping the bar on how subtle rogues can be. <-QUOTE}Ref: Spyware Cease - just done a scan of all the installed files in the sandbox; no alerts. ??? I can PM you the log if you wish.
The installer generates no alerts either.
PrevxHelp
August 8th, 2009, 08:55 PM
{QUOTE-> Ref: Spyware Cease - just done a scan of all the installed files in the sandbox; no alerts. ??? I can PM you the log if you wish.
The installer generates no alerts either. <-QUOTE}
Hmm... could you send me a log to report@prevxresearch.com? We may have gotten different versions.
TonyW
August 8th, 2009, 09:00 PM
{QUOTE-> Hmm... could you send me a log to report@prevxresearch.com? We may have gotten different versions. <-QUOTE}Sent. :)
PrevxHelp
August 8th, 2009, 09:18 PM
{QUOTE-> Sent. :) <-QUOTE}
Yikes... I dug deeper and have determined more than 1,000 variants of SpywareCease as bad now, stretching back to Oct. 2008, most with barely any detections on VT :-\
The primary malicious component is the .exe itself - the other DLLs are mostly repackaged legitimate components so I've left them, but we should now detect it fine :)
TonyW
August 8th, 2009, 09:31 PM
Umm.. I don't really understand this.
Scanning the files in the sandbox still yields no results; scanning the single .exe in the sandbox produces no alerts.
However, if I copy the .exe from the sandbox to the Desktop and scan it, hurrah, there's an alert.
Something isn't right here. I'd like to test the execution of these kinda programs in a sandboxed environment for safety reasons - that's the point of the sandbox surely. Maybe I'm doing it all wrong, who knows. :/
PrevxHelp
August 8th, 2009, 09:34 PM
{QUOTE-> Umm.. I don't really understand this.
Scanning the files in the sandbox still yield no results; scanning the single .exe in the sandbox produces no alerts.
However, if I copy the .exe from the sandbox to the Desktop and scan it, hurrah, there's an alert.
Something isn't right here. I'd like to test the execution of these kinda programs in a sandboxed environment for safety reasons - that's the point of the sandbox surely. Maybe I'm doing it all wrong, who knows. :/ <-QUOTE}
What sandbox are you using? It's possible that the sandbox itself is preventing Prevx from scanning the file, but it's hard to say exactly.
TonyW
August 8th, 2009, 09:39 PM
{QUOTE-> What sandbox are you using? It's possible that the sandbox itself is preventing Prevx from scanning the file, but it's hard to say exactly. <-QUOTE}Sorry, I should have said before - it's Sandboxie.
PrevxHelp
August 8th, 2009, 11:47 PM
{QUOTE-> Sorry, I should have said before - it's Sandboxie. <-QUOTE}
This might be caused because of a fluke in our caching and handling a sandbox - can you try rebooting your system to see if it is then detected?
Cretemonster
August 9th, 2009, 06:45 AM
I was not referring to Spyware Blaster, I was referring to Post 200 that you linked to.
Joe has confirmed exactly what I was saying....
Prevx and almost all other AVs are well aware of SpywareCease. The problem is, it doesn't really do a lot to the system, which is the reason VT has so few hits and most have deemed the app just plain bloatware/scareware type.
It's been around over 2 years now and really has no place in a DB, but that's a researcher's choice. If Spyware Cease is bad, then so is RegCure and about a 1000 other apps that don't do what they claim to do or make a big deal out of a cookie or orphaned registry entry. I suspect we'd better add in CCleaner too, it's doing about the same thing. :-\
Not knocking you or Joe, it's just I went through a lot last year to come to this conclusion and decided not to add it into the DB.
It's definitely one of those that runs that fine line.
TonyW
August 9th, 2009, 07:14 AM
{QUOTE-> This might be caused because of a fluke in our caching and handling a sandbox - can you try rebooting your system to see if it is then detected? <-QUOTE}I've rebooted, and whilst a scan of the sandboxed single .exe file didn't trigger an alert, a scan of the sandboxed folder did.
@Cretemonster:
I understand what you're saying, and agree with both you & Joe. However, that hasn't been the main issue for me. The problem has been seeing some sort of detection within a sandboxed environment. It worked out of the sandbox, but not within it.
PrevxHelp
August 9th, 2009, 11:51 AM
{QUOTE-> I've rebooted, and whilst a scan of the sandboxed single .exe file didn't trigger an alert, a scan of the sandboxed folder did.
@Cretemonster:
I understand what you're saying, and agree with both you & Joe. However, that hasn't been the main issue for me. The problem has been seeing some sort of detection within a sandboxed environment. It worked out of the sandbox, but not within it. <-QUOTE}
Probably best to move this to another thread as you have ;D Also regarding SpywareCease: I disagree, Cretemonster, with it being a product that just detects cookies. On an entirely empty XP SP3 VM, it detected 22 files as backdoor trojans. Unless Microsoft has gone very lax on its software integrity measures, I suspect that it is indeed a rogue :) Maybe they started with cookies and then realized that they weren't getting enough of a conversion to buy, but, if it would just detect cookies, it may be able to pass easier as legitimate.
Cretemonster
August 9th, 2009, 06:36 PM
{QUOTE-> the app just plain bloatware/scareware type <-QUOTE}
Agree this one is a topic all its own as most of these crapwares are. :(
Habakuck
August 11th, 2009, 04:59 AM
Hey Joe.
Prevx (highest settings) detects MWAV (Microworld Anti Virus Tool) as malware.
Temp\mexe.com => Malware
rolarocka
August 11th, 2009, 07:08 AM
False positive with this (win7):
(~snip~ VT link removed as per policy)
PrevxHelp
August 11th, 2009, 09:02 AM
Habakuck/rolarocka: Could you please send a scan log by clicking Tools/Save Scan Results to report@prevxresearch.com? I'm trying to track down the exact files without luck so far :-[
Habakuck
August 11th, 2009, 09:24 AM
{QUOTE-> [U] d:\temp\mexe.com [PX5:66A4BD73483BA9653A3420B0F06CC300C95541ED] <-QUOTE}
I think the problem is solved. I used an older Version 9 of the MWAV Tool.
Updating to Version 11 and I have no problem anymore... ;)
rolarocka
August 11th, 2009, 09:27 AM
fdprint.dll is not on the scan log anymore. It only appears as a false positive after a new install of Prevx. Will try it again.
edit: It's not detected after a new fresh install... I will continue to monitor this.
PrevxHelp
August 11th, 2009, 10:33 AM
{QUOTE-> I think the problem is solved. I used an older Version 9 of the MWAV Tool.
Updating to Version 11 and I have no problem anymore... ;) <-QUOTE}
Great :) I've re-corrected that file anyway so it won't cause any warnings for anyone. Thanks for the report!
Habakuck
August 11th, 2009, 10:41 AM
{QUOTE-> Great :) I've re-corrected that file anyway so it won't cause any warnings for anyone. Thanks for the report! <-QUOTE}
Great. You are welcome. :)
Biscuit
August 12th, 2009, 04:47 AM
Combofix is being detected again :(
[B] (ACTIVE) h:\software\combofix.exe [PX5: D9BC1C83D92D58BA1822302D1CE52B00C94E2332] Malware Group: Medium Risk Malware
PrevxHelp
August 12th, 2009, 08:51 AM
{QUOTE-> Combofix is being detected again :(
[B] (ACTIVE) h:\software\combofix.exe [PX5: D9BC1C83D92D58BA1822302D1CE52B00C94E2332] Malware Group: Medium Risk Malware <-QUOTE}
Combofix will unfortunately continue to have problems - I've corrected this one but there simply isn't a way to generically trust them... it makes far too many system changes using suspicious programs which are also frequently used by malware :-\
Nearly every version is detected by between 8 and 22 vendors on VT; they simply far exceed the threshold for suspicious behavior all around.
Biscuit
August 13th, 2009, 03:46 AM
{QUOTE-> Combofix will unfortunately continue to have problems - I've corrected this one but there simply isn't a way to generically trust them... it makes far too many system changes using suspicious programs which are also frequently used by malware :-\
Nearly every version is detected by between 8 and 22 vendors on VT; they simply far exceed the threshold for suspicious behavior all around. <-QUOTE}
Understood, but maybe you could consider asking whoever is in charge of whitelisting other AV software, to check each version of Combofix & Smitfraudfix as they come out?
Speaking from the "frontline", it's amusing in an annoying kind of way to see security software sitting happily on an infected computer & then blocking the cleaners! :-\
rolarocka
August 14th, 2009, 02:21 PM
FP with Wavosaur (http://www.wavosaur.com/)
wavosaur.1.0.5.0.exe [PX5: 90E7036A008D32B9B0E10821220B5400EDEBCF34] Malware Group: Low Risk Adware
PrevxHelp
August 14th, 2009, 02:24 PM
{QUOTE-> FP with Wavosaur (http://www.wavosaur.com/)
wavosaur.1.0.5.0.exe [PX5: 90E7036A008D32B9B0E10821220B5400EDEBCF34] Malware Group: Low Risk Adware <-QUOTE}
Fixed :) Thanks for the report!
PrevxHelp
August 14th, 2009, 02:26 PM
{QUOTE-> Understood, but maybe you could consider asking whoever is in charge of whitelisting other AV software, to check each version of Combofix & Smitfraudfix as they come out?
Speaking from the "frontline", it's amusing in an annoying kind of way to see security software sitting happily on an infected computer & then blocking the cleaners! :-\ <-QUOTE}
Blocking the cleaners is not intentional - many other AVs do it also, simply because to clean the system it has to make changes to the system, and Combofix/similar programs go about it in a very malware-like manner.
I'll see what we can do to prevent Combofix FPs in the future without impacting detection.
Phantasm
August 17th, 2009, 09:50 AM
http://www.imagesforme.com/out.php/i641925_Pr3vX.bmp
PrevxHelp
August 17th, 2009, 09:52 AM
{QUOTE-> http://www.imagesforme.com/out.php/i641925_Pr3vX.bmp <-QUOTE}
Could you please send a scan log to report@prevxresearch.com by clicking Tools > Save Scan Results? The filename isn't enough to go on because kilf.sys has been used by malware.
Phantasm
August 17th, 2009, 09:57 AM
Done
TonyW
August 17th, 2009, 11:41 AM
Possible missed detection: Perfect Uninstaller
It isn't detected by Prevx:
[U] perfectuninstaller_setup.exe [PX5: 14A6205A504CA605C865337FD347C70037F7DEE2]
[U] pu.exe [PX5: F62A38384096AD93ED273744EFB45E000D60C72C]
Downloaded from: perfectuninstaller.com
Discussed here: http://www.wilderssecurity.com/showthread.php?p=1524387
PrevxHelp
August 17th, 2009, 11:48 AM
{QUOTE-> Done <-QUOTE}
I don't see anything :-\ Could you try sending it in a rar or 7z archive or just sending it plaintext?
Habakuck
August 17th, 2009, 03:30 PM
PrevX Team, I was not amused to see that PrevX didn't catch this sample:
~snip~ Possible malware link removed
I will PN Joe the password for the archive.
Why is it not detected? I think that the source code has some mistakes and because of that the program does not run fine, but I think the malicious behavior should be enough for Prevx to catch it.
Habakuck
August 17th, 2009, 03:44 PM
And another very bad failure:
{QUOTE-> ~snip~ Please refrain from posting direct links to live malware <-QUOTE}
This is real malware! No script kiddie code like the first failure I posted.
So why is that not detected? The malicious behavior is so obvious! And I run PrevX with highest settings....
PrevxHelp
August 17th, 2009, 03:46 PM
{QUOTE->
Why is it not detected? I think that the source code has some mistakes and because of that the program does not run fine, but I think the malicious behavior should be enough for Prevx to catch it. <-QUOTE}
We don't focus on detecting files like this (a batch script). We may consider adding more detection for files like this in the future, but today these are not threats to normal users (and nearly always only exist in malware collections).