False positives 3970

Discussion in 'ESET NOD32 Antivirus' started by edwin3333, Mar 27, 2009.

Thread Status:
Not open for further replies.
  1. edwin3333

    edwin3333 Registered Member

    Joined:
    Aug 29, 2007
    Posts:
    244
    We are a VB / .NET shop.

    Pattern file 3970 is false positiving on VB6 as vm.nzw trojan.

    Joy!
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Um, odd. Which files? Have you sent them off?
     
  3. johnpd

    johnpd Registered Member

    Joined:
    May 23, 2004
    Posts:
    80
    I am receiving the same thing on the file C:\Windows\setup1.exe. The file has been on my system for a while (date modified from over a year ago). I ran a scan on the file with both Malwarebytes and Spybot and they found nothing. I sent the file in to ESET.
     
  4. gaslad

    gaslad Registered Member

    Joined:
    Feb 18, 2007
    Posts:
    116
    Location:
    Toronto, Ontario
    Same here.

    The detection occurred during an MBAM scan just now.

    From my Nod32 log:

    27/03/2009 6:25:32 PM
    Real-time file system protection
    file C:\WINDOWS\Setup1.exe Win32/VB.NZW trojan
    cleaned by deleting - quarantined
    Event occurred during an attempt to run the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
     
  5. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    NOD32 v2, defs 3970, XP home SP3

    Same problem here:

    C:\WINDOWS\Setup1.exe - Win32/VB.NZW trojan

    And more:

    FP's on installation files of programs of KarenWare:

    D:\KarenWare\Disk Slack Checker\Version 2_5_2\ptslack-setup.exe »ZIP »PTSlack.CAB »CAB »SETUP1.EXE - Win32/VB.NZW trojan

    D:\KarenWare\Drive Info\Version 2_3_1\ptdinfo-setup.exe »ZIP »PTDInfo.CAB »CAB »SETUP1.EXE - Win32/VB.NZW trojan

    D:\KarenWare\URL Discombobulator\Version 1_9\ptlookup-setup.exe »ZIP »PTLookup.CAB »CAB »SETUP1.EXE - Win32/VB.NZW trojan

    For KarenWare, see:
    http://www.karenware.com/powertools/powertools.asp

    I will inform Karen.
     
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    The file Setup1.exe is a Microsoft file.
     


  7. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    MD5 checksum (at least on my system):

    The file C:\WINDOWS\Setup1.exe has the following Checksum(s)

    MD5 - C6264B17629F6F9F0BD2BA7671CEFF69
     
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Give me a moment and I'll submit it too.
     
  9. xMarkx

    xMarkx Registered Member

    Joined:
    Dec 1, 2008
    Posts:
    447
    Is 3970 bugged like 3901 and 3918 were earlier this month?
     
  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    I wouldn't really call this anywhere near as serious as 1918, because 3918 should have been caught by testers whereas this is much harder to catch.
     
  11. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Ough :rolleyes: this is a Microsoft file ...
     
  12. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    About 8 hours after the first posting about this and no reply from ESET in this thread on its official forum and no fix and the weekend is coming .....
     
  13. johnpd

    johnpd Registered Member

    Joined:
    May 23, 2004
    Posts:
    80
    ESET issued a new Def set (3971) but the issue still exists.
     
  14. xan K

    xan K Registered Member

    Joined:
    Sep 15, 2008
    Posts:
    152
    Location:
    Dominican Republic
    I can confirm the issue is still here. NOD32 just performed a scan and detected setup1.exe as a "Win32/VB.NZW trojan".
     
  15. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    In a hurry:

    It's fixed with defs 3972 :thumb:
     
  16. xan K

    xan K Registered Member

    Joined:
    Sep 15, 2008
    Posts:
    152
    Location:
    Dominican Republic
    Yay, noticed it when I woke and first used the PC. Well done.
     