False positives / Missing detections thread

Discussion in 'Prevx Releases' started by EraserHW, Jun 14, 2009.

Thread Status:
Not open for further replies.
  1. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    It is a false positive ;) It's the AVZ driver. I've fixed it.
     
  2. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
  3. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Just a big misunderstanding. Probably it has been reported as Bagle by one company and everyone else started detecting it as Bagle :)
     
  4. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
  5. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Can you check again? They should be now fixed :)

    Thank you :)
     
  6. Juha L

    Juha L Registered Member

    Joined:
    Dec 25, 2007
    Posts:
    48
    PrevX3 identifies Unibet Poker client's OperatorRes.dll as High Risk Worm

    Prevx Scan Log - Version v3.0.1.65
    Log Generated: 11/7/2009 00:11, Type: 0,1
    Windows Vista Home Premium Service Pack 2 (Build 6002) 32bit|1033
    Some non-malicious files are not included in this log.
    Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
    Last Scan: Sat 2009-07-11 00:10:30 FLE Daylight Time. Number of Scans: 156. Last Scan Duration: 4 minutes 2 seconds.
    (ACTIVE) c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\en\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E463270004B2972A] Malware Group: High Risk Worm
    c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\de\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E4632700697A291B] Malware Group: High Risk Worm
    c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\es\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E4632700A450220E] Malware Group: High Risk Worm
    c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\nl\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E463270009329DB9] Malware Group: High Risk Worm
     
  7. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Hate to beat on a dead horse, but PrevxE is not picking up any of these on a production machine.
    http://i31.tinypic.com/33o6rfn.png
    I can send the scan log privately, if needed.
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    If you could please send a scan log, that would be very useful :) Most of the entries are just registry entries and are not malicious by themselves but there does appear to be some missed files here.
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Fixed :) Thanks for the report!
     
  10. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Joe,
    In an enterprise mode, is there a log stored locally somewhere, or is it server-side only?
    Thanks!
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The logs exist only within the server console and it might be easier to diagnose a missed detection by using our consumer product on the local PC (as it lets you save/view scan logs easier on that PC itself).
     
  12. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Joe,
    Is this what you need? This is the only log I could find on the server:

    The following bad PX5's have ever been seen
    (bad at the time of encounter)

    File: c:\windows\system32\drivers\hjgruiiimpuirj.sys
    PX5: 01dc6a330038997204ac018aa9adae00e5a7e609

    File: c:\documents and settings\administrator\xwjtgj.exe
    PX5: 409a7a9400789f49309f017dab7ad6004425bf5a

    File: c:\documents and settings\administrator\local settings\application data\opera\opera 10 beta\temporary_downloads\install_flash_player.exe
    PX5: 547c7d4800d2dcdf823600f21473ce00e3063b0d

    File: c:\documents and settings\administrator\winlogon.exe
    PX5: 547c7d4800d2dcdf823600f21473ce00e3063b0d

    File: c:\documents and settings\administrator\administrator.exe
    PX5: 8383cbd00093f326ca9300b80a669c00b4294746

    File: c:\documents and settings\administrator\administrator.exe-vir
    PX5: 8383cbd00093f326ca9300b80a669c00b4294746

    File: c:\documents and settings\administrator\swooic.exe
    PX5: b547c93200a58ff58a5f00ada21a2c0059621db3

    File: c:\windows\system32\hjgruiqjtpuxai.dll
    PX5: d6cb3d1c002667344c28003b3c2e0700fb8e0a9e

    File: c:\windows\system32\hjgruikcgqfqmw.dll
    PX5: e25fd966009c4244a60300ec1651d100cc2656b5
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Those look like the known bads - I'm looking for the files which are currently unknown. I'm not sure if the enterprise console can dump the unknown files, however. It would probably be easier to use the consumer product and email the scan log to report@prevxresearch.com
     
  14. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Joe,
    I just PMed you the link to actual exploit and malware. This should make things easier.
    :)
     
  15. Cretemonster

    Cretemonster Registered Member

    Joined:
    Mar 31, 2005
    Posts:
    79
    3 hour malware, gotta sleep sometime :(
     
  16. rottenbanana

    rottenbanana Registered Member

    Joined:
    Jul 25, 2008
    Posts:
    51
    Location:
    -30°C
    Prevx detects Newsleecher.exe as medium level malware. It's a binary news reader and not malware. :) Panda Cloud AV had the same FP... I obtained NewsLeecher from http://www.newsleecher.com//?id=download. It's the beta 7 version on the bottom part. Installs fine but when I run the program, Prevx jumps in.
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Assuming I got the same file as you when I downloaded it, I believe I've fixed the FP but it didn't warn for me (granted, my heuristic settings are at default which may produce different results than yours).

    If you run a scan, could you let me know if you receive any warnings again? Thanks!
     
  18. rottenbanana

    rottenbanana Registered Member

    Joined:
    Jul 25, 2008
    Posts:
    51
    Location:
    -30°C
    That's odd, my settings are all on default (still using the detect-only free version) and it alerted me on both Beta6 yesterday, and today Beta7 which was just released.

    At any rate, i removed newsleecher.exe from Detection overrides, re-scanned my system and launched the .exe and got no alerts this time.

    Thanks. :)
     
  19. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Joe, can you fix the following FPs? They are on my son's computer for a game he plays called Crossfire. Thanks.


    Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
    Last Scan: Wed 2009-07-15 14:25:01 Eastern Daylight Time. Number of Scans: 4. Last Scan Duration: 2 minutes.

    Previously Detected Files:
    [BP] c:\windows\system32\gamemon.des [PX5: 35F62B302E18710F81F62A5B5065BD00FA319465] Malware Group: Medium Risk Malware
    [BP] (ACTIVE) c:\program files\subagames\crossfire\gameguard\gamemon.des [PX5: 35F62B302E18710F81F62A5B5065BD00FA319465] Malware Group: Medium Risk Malware


    Prevx 3.0 v3.0.1.65 Cleanup Log for 15/7/2009 14:25
    (0) Remove File: \DosDevices\c:\windows\system32\gamemon.des
    (1) Remove File: \DosDevices\c:\program files\subagames\crossfire\gameguard\gamemon.des
    (0) Remove Reg Key: \REGISTRY\Machine\system\ControlSet001\Services\npggsvc
    (0) Remove Reg Value: ImagePath
    (1) Remove Reg Key: \REGISTRY\Machine\System\CurrentControlSet\Services\npggsvc
    (1) Remove Reg Value: ImagePath
    (0) Remove Service: \REGISTRY\Machine\system\ControlSet001\Services\npggsvc
    (1) Remove Service: \REGISTRY\Machine\System\CurrentControlSet\Services\npggsvc

    Cleanup Complete
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Fixed - gamemon.des is essentially a rootkit which protects games. I have added a rule which should prevent FPs on future versions now.
     
  21. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    As always, you are the best. Thank you :thumb:
     
  22. Juha L

    Juha L Registered Member

    Joined:
    Dec 25, 2007
    Posts:
    48
    Still have 3 different false detections of OperatorRes.dll in 3 subdirectories. Seems only 1 of 4 false detections was fixed.

    (ACTIVE) c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\en\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E463270004B2972A] Malware Group: High Risk Worm
    (ACTIVE) c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\es\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E4632700A450220E] Malware Group: High Risk Worm
    (ACTIVE) c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\nl\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E463270009329DB9] Malware Group: High Risk Worm

    Fixed one seems to be this:
    [G] (ACTIVE) c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\de\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E4632700697A291B]
     
    Last edited: Jul 15, 2009
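    As an added example (not Prevx's code and not posted by anyone in this thread), a small Python parser for the scan-log line format quoted in posts 6, 19 and 22: it extracts the marker, ACTIVE state, path, PX5 and malware group, then groups hits by file name and measures how much of their PX5 values they share. The sample log is constructed from lines quoted above; treating a shared PX5 prefix as meaningful is an assumption of this example, not documented Prevx behaviour.

```python
import re
from collections import defaultdict

# Constructed sample in the Prevx 3 scan-log line format quoted in this thread
# (the paths and PX5 values are copied from the posts above).
SAMPLE_LOG = r"""Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
Previously Detected Files:
[BP] c:\windows\system32\gamemon.des [PX5: 35F62B302E18710F81F62A5B5065BD00FA319465] Malware Group: Medium Risk Malware
(ACTIVE) c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\en\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E463270004B2972A] Malware Group: High Risk Worm
(ACTIVE) c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\es\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E4632700A450220E] Malware Group: High Risk Worm
[G] (ACTIVE) c:\program files\microgaming\unibetpokermpp\theme\unibetpoker\local\de\clientconfig\operatorres.dll [PX5: 13F5E0436A67D80760AC0386E4632700697A291B]
"""

LINE_RE = re.compile(
    r"^(?:\[(?P<flag>[A-Z]+)\]\s+)?"                 # optional marker such as [BP] or [G]
    r"(?:\((?P<state>ACTIVE)\)\s+)?"                 # optional (ACTIVE) state
    r"(?P<path>.+?)\s+\[PX5:\s*(?P<px5>[0-9A-Fa-f]{40})\]"
    r"(?:\s+Malware Group:\s*(?P<group>.+?))?\s*$"   # group is absent on fixed [G] lines
)

def parse_scan_log(text):
    """Return one dict per detection line; header lines without a PX5 are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"flag": m["flag"], "active": m["state"] == "ACTIVE",
                            "path": m["path"].lower(), "px5": m["px5"].upper(),
                            "group": m["group"]})
    return entries

def common_hex_prefix(values):
    """Length of the longest prefix shared by every string in values (0 if empty)."""
    if not values:
        return 0
    shortest = min(values, key=len)
    n = 0
    while n < len(shortest) and all(v[n] == shortest[n] for v in values):
        n += 1
    return n

def related_detections(entries):
    """Group hits by file name -> (count, shared PX5 prefix length); same-named files whose
    PX5s agree on a long prefix are worth triaging together (assumption: prefix is meaningful)."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1]].append(e)
    return {name: (len(es), common_hex_prefix([e["px5"] for e in es]))
            for name, es in by_name.items()}
```

On the sample above the three operatorres.dll hits agree on their first 32 hex digits, which is what the reporter's "only 1 of 4 was fixed" observation looks like in data.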
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I must be going blind... I thought I read all four files as the same identity but apparently not :oops:

    Fixed now with a more intelligent signature. Thanks :)
     
  24. Zetelo

    Zetelo Registered Member

    Joined:
    Sep 23, 2008
    Posts:
    110
    Just installed PrevX on my new system with Windows Vista Ultimate 64 Bit.

    PrevX 3.0 found an infection, but I think it is a FP:

    Status: THREAT
    Name: startup.exe in c:\windows\system32\
    Threat Identified: Medium Riskware

    My PC is totally fresh and untouched; it is very unlikely that I've already caught a threat.

    Thx!
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I've never seen a program named "startup.exe" in the System32 folder but could you send us a scan log by clicking Tools > Save Scan Results to report@prevxresearch.com? We will analyze it there and report back :)
     