2 False Positives

Discussion in 'NOD32 version 2 Forum' started by minacross, Feb 1, 2004.

Thread Status:
Not open for further replies.
  1. minacross

    minacross Registered Member

    Joined:
    May 12, 2002
    Posts:
    657
    Nod32 has detected 2 infections as follows:
    -..\Program Files\PC Wizard 2004\pcwizard.dll - probably unknown NewHeur_PE virus
    -..\GRC\DCOMbob.exe - Win32/Exploit.DComRpc.A trojan
    The first file is a component of PC Wizard 2004, a system information program from http://www.cpuid.org/pcw.php
    The second one is a program available at Gibson Research Corporation http://www.grc.com/dcom/
    How can I submit these files to Eset?

    Edit: I already contacted Eset support @ http://www.nod32.com/support/support.htm but there is no way to attach files at this page
    :rolleyes:
     

  2. minacross

    minacross Registered Member

    Joined:
    May 12, 2002
    Posts:
    657
    found a related thread here.
     
  3. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Please submit the PC wizard 2004 file to samples@nod32.com
     
  4. minacross

    minacross Registered Member

    Joined:
    May 12, 2002
    Posts:
    657
    done, thanx :D
     
  5. manOFpeace

    manOFpeace Registered Member

    Joined:
    Feb 1, 2003
    Posts:
    716
    Location:
    Ireland
    Hello minacross, do you have DCOMbobulator installed on your computer? I'm almost certain I hadn't. :)
     
  6. minacross

    minacross Registered Member

    Joined:
    May 12, 2002
    Posts:
    657
    I have the setup file, I did not install it. Nod32 detected the trojan in the setup file.. :(
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Just a minor point of clarification on the file "DCOMbob.exe" from GRC.

    That is not actually a setup file. When you download it from the GRC site, the 29KB file named DCOMbob.exe is the real program which you simply run if you want to use it. Deleting that file removes the program. Not that this is related to what sounds like a false positive result from NOD32...

    FYI - Just checking the current version from GRC, it is still the file last updated back in Sept. MD5 appears to be: 96BBAF5C624EBBEE275DEC7C4CF87C74
     
  8. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Hi,

    As LWM points out, removing the file removes the program, so since manOFpeace is not 100% sure whether he had that file on his system or not, it could have been removed by NOD32 at that time. He no longer gets an alert and the file is not present, now, so that would seem a definite possibility.

    Concerning the MD5, the version on my system did not match (52AFF7C0C78CD6162824C26D37B1DDC1), so I downloaded the one available now. It matches on the MD5 as to what LWM sees, but still no alert from NOD32 during download or any user intervention scans. Running the new version produces no alerts from NOD32 either, but Zone Alarm warns me of a new program requesting permission to access the net. The creation date on my system with this new version has today’s date as opposed to a creation date of 9/12/03 on the "old" version. Both are identified as v2.00.

    FYI, As a side note, I do get the alert about the PC Wizard .dll
     
  9. manOFpeace

    manOFpeace Registered Member

    Joined:
    Feb 1, 2003
    Posts:
    716
    Location:
    Ireland
    There is one more point that may make a difference. My detection was made in Ad-aware file. There is the main "Logs" file where the scan logs are stored. Inside this file was another "Log" file where the problem was, this file is not normally there, it was new.
    The Steve Gibson stuff was in file above Ad-aware. I have said that I doubt whether or not I had DCOMbob in system, so maybe this may help to eliminate DCOMbob being in my system with the detection being made in Ad-aware file.
    As mentioned elsewhere every time I tried to delete rogue file everything showing was wiped out leaving me looking at desktop. On one occasion all icons were cleared as well, only way I was able to close was Ctrl, Alt, Delete. Task bar was wiped out as well. On reboot all was back in place. I deleted whole Ad-aware file and reinstalled and all (touch wood) has been well since. ;)
    While this stuff above was happening I wasn't aware there was a problem, I was confused by it all.
     
  10. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Well I just checked the MD5 for my version of DCOMbobulator and it is the same as that reported by LowWaterMark. I have NO alerts from AMON or NOD32 scanner or adv. heuristics command line scanner on this file on either my WXP box or my W98SE box. I have the latest definitions and am running 2.000.6 version of NOD32.
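
The MD5 comparison that several posters above carry out by hand, as an added example that is not part of any post in the thread: it hashes every copy of a file and groups the copies by digest, so that differing scanner verdicts can be attributed either to different binaries or to different detection. The function names and the labels in `THREAD_MD5` are assumptions made here; the two MD5 values are the ones quoted in the thread, and the demo runs on constructed stand-in files, not the real DCOMbob.exe.

```python
import hashlib
import os
import tempfile

# MD5 values quoted in the thread for DCOMbob.exe (labels are descriptive, added here).
THREAD_MD5 = {
    "96BBAF5C624EBBEE275DEC7C4CF87C74": "current GRC download (LowWaterMark, Mele20)",
    "52AFF7C0C78CD6162824C26D37B1DDC1": "older copy on Vietnam Vet's system",
}

def file_digests(path, chunk_size=65536):
    """Stream the file once and return (md5, sha256) as upper-case hex."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest().upper(), sha256.hexdigest().upper()

def classify_copies(paths, known=THREAD_MD5):
    """Group copies by MD5 so differing verdicts can be tied to differing binaries."""
    groups = {}
    for path in paths:
        md5, sha256 = file_digests(path)
        entry = groups.setdefault(md5, {"label": known.get(md5, "unknown build"),
                                         "sha256": sha256,
                                         "size": os.path.getsize(path),
                                         "paths": []})
        entry["paths"].append(path)
    return groups

def same_binary(paths):
    """True only if every copy has identical content, i.e. the scanners saw one file."""
    return len(classify_copies(paths)) == 1

def demo():
    # Constructed stand-in files for three machines; two share content, one differs.
    with tempfile.TemporaryDirectory() as d:
        samples = {"pc_a.exe": b"MZ constructed build 1",
                   "pc_b.exe": b"MZ constructed build 1",
                   "pc_c.exe": b"MZ constructed build 2"}
        paths = []
        for name, data in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(data)
            paths.append(p)
        groups = classify_copies(paths)
        return same_binary(paths), sorted(len(g["paths"]) for g in groups.values())
```

Including the MD5 and SHA-256 of the exact file scanned alongside a false-positive submission lets the vendor confirm which build triggered the detection.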
     