False Positive? BAT/DelTree trojan

I am currently using NOD32 V2.7.12 RC with Blackspear's extra settings.

I came across this alert which was likely to be a false positive (it is definitely not a rogue site) & it didn't appear all the time when accessing this web page (I tried for about 6 or 7 times & got about 4 alerts)

Any comment?

* changed "http" to "hxxp"

 

samples(at)eset.com

 

smith, I've tried this webpage both with Firefox and IE and I got no warning from NOD32. Do you have the latest definitions version: 1868 (20061115) ?

 

Thanks for the reply.

Yes, I have the latest version of signatures.

In fact someone else was also having this problem.

The first time I accessed the web page, everything was fine. However I was not that lucky in my subsequent attempts.

May be you want to try a few more times.

 

Thank you for that.

I will try writing to Eset.

Note: There is nothing in the Quarantine, only entries in the event log

 

I don't get anything like that here...

If you look in the NOD32 Quarantine (and you're confident you are able to do so safely) you should be able to see an entry for hxxp://forums.hardwarezone.com/showthread.php?t=1457112 that you can restore to an alternate location using 'restore to' from the right click menu.

edit: just read your post - you may wish to check your IMON settings against these

If you are happy to then let me know and I'll PM you an email address and take a look at it.

Cheers

 

There is no entry in the Quarantine as I am using Blackspear's extra settings (the option "When a threat from the Internet is detected, Automatically deny download of file" was checked).

This problem was posted by someone & I happily replied "no problem" to him after first time checking. Unfortunately I wasn't that lucky after the next few attempts.

See here:
http://forums.hardwarezone.com/showthread.php?t=1457218

 

Right you are - I don't get anything in quarantine either unless I select display warning and choose quarantine when prompted but I still get no alert on that page...

Cheers

 

Thanks for your help & I appreciate it.

 

You're welcome

Just because I don't get an alert does not make it a FP since it could be in a linked object that is regionalised for example a contextual ad or banner or similar that does not get inserted into the page because of my region but gets triggered in yours... That's why I was hoping you would be able to forward it from your quarantine.

Cheers

 

The strange thing is now I am no longer getting this alert (I tried 7 or 8 times just now).

Before I started my thread, I still had it frequently.

 

smith I suggest you also to scan your PC with NOD32 to see if it's clean or not.

 

http://img296.imageshack.us/img296/2674/stillhavezd6.jpg

All max settings (with Blackspears settings) and computer is clean (unless NOD32 missed something), I know what I am doing so please do not say it's on my end.

It will not detect it when you off IMON (unticked) OR set IE to compatibility mode.

 

Just an update, I have managed to quarantine the files (after disabling IMON) & sent them to Eset.

Time Module Event User
11/16/2006 22:04:00 PM Kernel The file 'C:\Program Files\ESET\infected\V5QAXZBA.NQF' has been sent to Eset's labs for analysis.

11/16/2006 22:03:32 PM Kernel The file 'C:\Program Files\ESET\infected\V5QAXZBA.NQI' has been sent to Eset's labs for analysis.

 

Thanks for the suggestion.

 

It can still be detected with IMON disabled, see my earlier post.

It is likely to be a false positive.

Lets wait for a reply from Eset.

 

My IMON doesn't give a peep on that website. How did you manage to make IMON detect it?

 

Marcos,

There are at least 5 or 6 persons having this problem.

See here:
http://forums.hardwarezone.com/showthread.php?t=1457218

Cheers
Smith

 

The question is whether they all are using the most current version 1689.

 

I'm running Version 2.70.12RC with sig 1869 (20061116). I clicked the link ie7 vs ie6 many times without any problems. I'm using Blackspear's full settings.
I'm also using BoClean as a backup. No alarm was given.

 

Macros,

I was running version of signatures: 1868 (the latest then, I have version of signatures: 1869 now) when this problem occurred (I know at least another user got this problem with the latest signatures then).

By the way, has Eset received & analyzed file V5QAXZBA.NQF & V5QAXZBA.NQI? Anything abnormal?

Cheers
Smith

 

This is from another user who is using the latest version of signatures: 1869 (20061116)

http://tkfiles.storage.msn.com/x1pxOYwqu4SjF41pxzdS4gqjSpdFV0wImE0kvABq_4PDV8ABzqtrcmALgIDTGZBfdWWWdk0DFfFQgWigTu-kns8OVk1hp3w-GAkhVde9LzzNDRIHoTrcJIVGaAAX_UqfIwk8txCnq5iJZEyHT5CcuL-LIpjJ4hwF3UO

 

It could be that the page contains a rotating ad and it is actually the ad that is infected. This would account for the sporadic occurances...