Agent OQE Trojan False positive

Discussion in 'NOD32 version 2 Forum' started by gary_580, Jan 11, 2009.

Thread Status:
Not open for further replies.
  1. gary_580

    gary_580 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    7
    Im using NOD32 V2.7 (signature 3757)

    I have two machines in two different places (that have never been connected together or use the same web site) both report the file SDPBLB32.DLL as possibly a variant of WIN32/Agent OQE trojan.

    Restoring back to May last year still shows the same issue but NOD32 only just started reporting it so sounds like a false positive.

    The file is only in Vista

    Anyone else seen this or know how to resolve it?
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Have you submitted the file in a password-protected archive with "False positive" in the subject to samples[at]eset.com?

    I was able to find only one file sdpblb32.dll submitted to us which gives the following results at VT:

    File sdpblb32.dll received on 01.11.2009 19:21:25 (CET)
    Result: 20/38 (52.64%)

    File size: 8704 bytes
    MD5...: 103eed47b911ec1d7a6d8c6506440ba0
    SHA1..: 2531903baee15e5a73617a652bfa671848037a76
    SHA256: 1032f33848a1ba72596f19405c68e2cbd691863ffaff58e8ac1dad5b56572881
    SHA512: 126534f313c08750cde6ee22fabe0641cacdef393e1d9d86ecf63bbbe27b3a64048f5a25d06fb840335406ed15c00296657c807569e6c112d27cbf2e94891e0f
     
    Last edited: Jan 15, 2009
  4. gary_580

    gary_580 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    7
    I will send it on to ESET.

    Why does it have to be a password-protected archive?

    What is VT, so that I can run the same checks on the same file? The file you checked is in the same location as mine.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    VT = VirusTotal (www.virustotal.com). When emailing suspicious files, it's good practice to compress them and protect the archive with a password so that they are not removed by an antivirus program on email servers. Also, I'd like to mention that v2 detects less than v3/v4, so I'd strongly suggest upgrading to a newer version.

    By the way, what makes you think that it's a false positive? The file states that it's from Microsoft, but why then does Microsoft detect it as a threat? That makes the file highly suspicious to me.
     
  6. gary_580

    gary_580 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    7
    The only reason I think it's a false positive is that I went to a backup taken in May 08 and the file on the backup is supposedly infected despite it not being picked up until Jan 09. I've also checked the same file on another PC and it came up with the same alert.

    Having looked at the results on VirusTotal, my version of the file is very different from yours, so it looks like it could be infected.

    Can you send me your version of the same file and I'll check it on my machine?
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You can compare the file hashes with the information above.
     
  8. gary_580

    gary_580 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    7
    It's definitely a different file.

    Does anyone know what this DLL is for? It appears to run on startup (via the run option in the registry)
     
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Nope, have you sent it for analysis?
     
  10. gary_580

    gary_580 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    7
    Yes, sent it for analysis, had no response.
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Your file is now detected by 22 AVs while, by contrast, 20 AVs detected it on the day you submitted the file to us. There was only one email with that file that came from the domain "ntworld.com", so it must have been yours. So you must have either submitted a wrong file or scanned a wrong file at VT; otherwise the results must be the same.
     
  12. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    The SDPBLB32.DLL in question is a trojan which appears to be an MS file, but it is not. The legitimate MS file is sdpblb.dll in C:\WINDOWS\system32\
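The two checks raised in this thread, comparing a file's hashes against the VirusTotal record Marcos posted and spotting a file name that mimics the legitimate sdpblb.dll, can be scripted. The following is an added example written for this page, not code from the forum, from ESET or from Microsoft. It assumes only the Python standard library (hashlib), reuses the hashes and size quoted from VirusTotal above as the reference record, and generalises the name check to any file whose name inserts extra characters between the legitimate stem and its .dll extension. The sample bytes in the `__main__` block are a constructed placeholder, not the real DLL, so they deliberately fail the hash comparison the way gary_580's file did.

```python
import hashlib
from pathlib import PureWindowsPath

# Hashes and size of the sdpblb32.dll sample Marcos quoted from VirusTotal earlier in this thread.
THREAD_SAMPLE = {
    "size": 8704,
    "md5": "103eed47b911ec1d7a6d8c6506440ba0",
    "sha1": "2531903baee15e5a73617a652bfa671848037a76",
    "sha256": "1032f33848a1ba72596f19405c68e2cbd691863ffaff58e8ac1dad5b56572881",
    "sha512": (
        "126534f313c08750cde6ee22fabe0641cacdef393e1d9d86ecf63bbbe27b3a64"
        "048f5a25d06fb840335406ed15c00296657c807569e6c112d27cbf2e94891e0f"
    ),
}

# danieln's point: the real Microsoft file is sdpblb.dll; sdpblb32.dll is a lookalike name.
LEGIT_FILENAME = "sdpblb.dll"

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data: bytes) -> dict:
    """Return the size plus the same four digests VirusTotal reported, as lowercase hex."""
    digests = {"size": len(data)}
    for algo in ALGORITHMS:
        digests[algo] = hashlib.new(algo, data).hexdigest()
    return digests


def hash_file(path: str, chunk_size: int = 1 << 16) -> dict:
    """Same result as hash_bytes, but streams the file so large binaries are not read at once."""
    hashers = {algo: hashlib.new(algo) for algo in ALGORITHMS}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    digests = {algo: h.hexdigest() for algo, h in hashers.items()}
    digests["size"] = size
    return digests


def compare_digests(observed: dict, reference: dict = THREAD_SAMPLE) -> dict:
    """Field-by-field comparison; every field must match for the files to be the same."""
    return {field: observed.get(field) == value for field, value in reference.items()}


def is_lookalike_name(path: str, legit: str = LEGIT_FILENAME) -> bool:
    """True when the file name mimics the legitimate one by inserting extra characters
    between its stem and extension (sdpblb.dll -> sdpblb32.dll), case-insensitively.
    This generalises the single name discussed in the thread to the whole pattern."""
    name = PureWindowsPath(path).name.lower()
    legit_path = PureWindowsPath(legit.lower())
    stem, suffix = legit_path.stem, legit_path.suffix
    return name != legit.lower() and name.startswith(stem) and name.endswith(suffix)


def triage(path: str, data: bytes) -> dict:
    """Combine both checks into one record for a file with the given path and contents."""
    digests = hash_bytes(data)
    matches = compare_digests(digests)
    return {
        "path": path,
        "digests": digests,
        "same_as_thread_sample": all(matches.values()),
        "mismatched_fields": sorted(f for f, ok in matches.items() if not ok),
        "lookalike_name": is_lookalike_name(path),
    }


if __name__ == "__main__":
    # Constructed placeholder contents; not the real DLL, so the hashes will not match the thread's.
    fake_dll = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real PE file"
    report = triage(r"C:\Windows\System32\sdpblb32.dll", fake_dll)
    for key, value in report.items():
        print(f"{key}: {value}")
```

To check a real file on disk, replace `hash_bytes(data)` with `hash_file(path)`; a file is only the same as the one in the VirusTotal record when every digest and the size match, which is why `compare_digests` reports each field rather than a single boolean.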
     
  13. gary_580

    gary_580 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    7
    So does that mean the file Marcos has is also a Trojan but has not yet been identified as one?
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I was speaking about your file, I don't have any such file in my system folders.
     
  15. gary_580

    gary_580 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    7
    I was a little confused, as you posted the hashes in post 3 for the file, which was before I'd sent the file. The hashes on my file were different. I realise now you were saying that only one had been sent to you before, but this appears to be different from mine.
     
    Last edited: Jan 15, 2009