Agent OQE Trojan False positive

Im using NOD32 V2.7 (signature 3757)

I have two machines in two different places (that have never been connected together or use the same web site) both report the file SDPBLB32.DLL as possibly a variant of WIN32/Agent OQE trojan.

Restoring back to May last year still shows the same issue but NOD32 only just started reporting it so sounds like a false positive.

The file is only in Vista

Anyone else seen this or know how to resolve it?

 

Not heard of it no, but follow this: http://www.eset.com/support/kb.php?option=com_kb&Itemid=29&page=articles&articleid=141

 

Have you submitted the file in a password protected archive and "False positive" in the subject to samples[at]eset.com ?

I was able to find only one file sdpblb32.dll submitted to us which gives the following results at VT:

File sdpblb32.dll received on 01.11.2009 19:21:25 (CET)
Result: 20/38 (52.64%)

File size: 8704 bytes
MD5...: 103eed47b911ec1d7a6d8c6506440ba0
SHA1..: 2531903baee15e5a73617a652bfa671848037a76
SHA256: 1032f33848a1ba72596f19405c68e2cbd691863ffaff58e8ac1dad5b56572881
SHA512: 126534f313c08750cde6ee22fabe0641cacdef393e1d9d86ecf63bbbe27b3a64
048f5a25d06fb840335406ed15c00296657c807569e6c112d27cbf2e94891e0f

 

I will send it on the ESET.

Why does it have to be password protected archive?


what is VT?? so that i can run the same checks on the same file. The file you checked is in the same location as mine

 

VT = Virustotal (www.virustotal.com). When emailing suspicious files, it's a good practice to compress them and protect with a password so that they are not removed by an antivirus program on email servers. Also I'd like to mention that v2 detects less than v3/v4 so I'd strongly suggest upgrading to a newer version.

By the way, what makes you think that it's a false positive? The file states that it's from Microsoft, but why then Microsoft detects it as a threat? That makes the file highly suspicious to me.

 

only reason i think its a false positive is i went to a back up taken in may 08 and the file on the back up is supposedly infected despite it not being picked up until jan 09. Ive also checked the same file on another PC and it came up with the same alert.

Having looked at the results on virus total my version of the file is very different to yours so looks like it could be infected


Can you send me your version of the same file and ill check it on my machine

 

You can compare the file hashes with the information above:

 

Its definately a different file.

Does anyone know what this DLL is for? It appears to run on startup (via the run option in the registry)

 

Nope, have you sent it for analysis?

 

yes, sent it for analysis, had no response

 

Your file is now detected by 22 AVs while, by contrast, 20 AVs detected it on the day you submitted the file to us. There was only one email with that file that came from the domain "ntworld.com" so it must have been yours. So you must have either submitted a wrong file or you scanned a wrong file at VT, otherwise the results must be same.

 

The SDPBLB32.DLL in question is a trojan which appears to be a MS file, but it is not. Legitimate MS file is sdpblb.dll in C:\WINDOWS\system32\

 

So does that mean the file Marco's has is also a Trojan but has not yet been identified as one?

 

I was speaking about your file, I don't have any such file in my system folders.

 

i was a little confused as you posted the hashes in post 3 for the file which was before i'd sent the file. The hashes on my file were different. i realsie now you were saying that only one had been sent to you before but this appears to be different to mine