False positives / Missing detections thread

Discussion in 'Prevx Releases' started by EraserHW, Jun 14, 2009.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    I'm very sorry for the confusion and issues here. Can you please save a scan log by clicking Tools - Save scan results and send this to us by emailing it to report@prevxresearch.com? Some rootkits can hide their data in such a way that checksumming/comparing the files will make them appear clean although they are not.

    A scan log will allow us to diagnose the problem accurately, whether it is a cleanup issue or a false positive.
     
  2. enchant

    enchant Registered Member

    Joined:
    Aug 30, 2009
    Posts:
    26
    Things have gone from bad to worse. I'm reinstalling Windows for the second time. I'm almost convinced that something might have infected Prevx. Once I get a stable system up again, I'll try to run Prevx and save the log you requested.

    Thanks for replying!
     
  3. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    enchant, try to clean your MBR before reinstalling! Use the recovery console with /fixmbr to do so.

    Directly after that you have to reinstall.
     
  4. enchant

    enchant Registered Member

    Joined:
    Aug 30, 2009
    Posts:
    26
    Sorry, I'm afraid I don't understand any of that.

    Ok, since my post at 5:05pm yesterday, here is the sequence of events:

    While Prevx was complaining about those two files, I re-installed WinXP Service Pack 3. Once that was done, I hit "next" on Prevx and let it reboot and try to fix those two files.

    When my system came back up, Prevx started scanning again. This time, it found 96 infections! At this point, I probably should have killed the prevx process from the task manager, or just hit the reset button or something, but I figured I'd continue with prevx one more time.

    When my system tried to reboot, it wouldn't come up. It sat at the blue "Welcome" screen for about 15 minutes. Wouldn't even come up in safe mode.

    I realized I'd have to reinstall windows again, but at this point, I was thinking that Prevx wasn't really my friend anymore. So I booted on another clean disk with my main disk mounted. I renamed c:\program files\prevx, then went through the process of reinstalling windows and SP3.

    My machine seems to be stable now. I did a full scan using SuperAntiSpyware and it found nothing. I understand that sometimes Prevx finds things that others miss. I'm just sayin'...

    I'd be willing to re-enable Prevx, but I'd like to do it in such a way that when it finds all of the "infected" files, I have the option to tell it not to do anything. Then I could submit a log.

    Is this possible?

    Thanks again for the help.
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    I'm still concerned that your system is infected, possibly by a rootkit - it is not normal for this many detections to exist and all of them be completely incorrect :doubt:

    Could you send a scan log by clicking Tools > Save Scan Results and email it to report@prevxresearch.com? We will analyze it there to see what the reason is for these detections.

    I suspect Habakuck is correct in thinking it is an MBR rootkit - that can survive past operating system reinstallations and could be causing the infections you are seeing. Also, please ensure you're downloading Prevx from http://info.prevx.com/downloadcsi.asp. There have been some illegitimate copies of Prevx created in the past by malware authors looking to deface the Prevx name (and Trend Micro's name for that matter) by packaging malware with a look-alike Prevx.
     
  6. enchant

    enchant Registered Member

    Joined:
    Aug 30, 2009
    Posts:
    26
    I share your concern.

    I'd definitely like to do that. But is there a way for me to run Prevx with the option of not having it do anything? Re-installing Windows and the SP is kind of time consuming, and I'd prefer not to have to do it if I can avoid it.

    That's definitely where I got it initially, and it's a registered copy. It pulled me out of a problem that other packages couldn't fix about a month ago. I just tried to PM you my license info, but it says that PMs are currently unavailable.
     
  7. rolarocka

    rolarocka Guest

    FP with SARDU Multi Boot AV Rescue CD/USB

    sardu.exe
    [PX5: 4095E928E768CBBBAD8A063C5B425B00FF1729D5] Malware Group: Medium Risk Virus

    I know its a rare utility but very useful.
     
  8. enchant

    enchant Registered Member

    Joined:
    Aug 30, 2009
    Posts:
    26
    Since no one is replying, should I assume that there is no way to run Prevx without it forcing you to comply with its cleaning suggestions?
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Just do not click "Cleanup Now" - after the scan finishes, it will show you the list of files and then you can click "Status" again, then "Tools" and "Save Scan Results".

    Let me know if you have any questions with this and I'll write a more detailed set of instructions for it.
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Fixed, thanks :) Indeed that is a very useful utility!
     
  11. enchant

    enchant Registered Member

    Joined:
    Aug 30, 2009
    Posts:
    26
    Thanks. When I fired up Prevx, it had the previous set of found infections listed, so I saved those in a log. I then scanned again and saved THAT in another log and mailed the two of them to report@prevxresearch.com.

    Thanks again for the help.

    Edit: For what it's worth, I ran Malwarebytes and it found nothing.
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    Thank you for the log - it is quite odd as you probably expected. Prevx did remove a number of actual threats from your system but the log is full of Manually Added files - files which were added to cleanup by the user. Did you use the Tools > Manual File Cleanup function at all? I can't see any way that this would happen outside of manually using the Manual File Cleanup feature.

    If you uninstall and reinstall Prevx 3.0 from the Add/Remove Programs control panel applet, you should return to a normal "Secure" status as all of the detections are marked as good in the database.

    Please let me know if you somehow still get the detections and we'll investigate further. Quite a bizarre case, however :doubt:

     
  13. enchant

    enchant Registered Member

    Joined:
    Aug 30, 2009
    Posts:
    26
    I really believe that I didn't, but if nothing else explains it, I can't say that I've never ever clicked the wrong button in an application.

    I'll uninstall/reinstall and report back. Thanks.
     
  14. enchant

    enchant Registered Member

    Joined:
    Aug 30, 2009
    Posts:
    26
    I uninstalled/reinstalled, and as you predicted, the scans are now clean.

    Thanks again for the help with this.
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    When reading the above exchange (my boldings), I realized that there may be confusion with some users as to whether the instruction (Cleanup Now) is directed at the user or at the program. In other words, is the program telling the user to clean up, or is the user being given the option to tell the program to clean up? Despite what the developer believes the instruction is doing, in actual use, it depends on the user's point of view, and there appears to be room for misinterpretation, which can lead to lots of trouble.

    As I understand it, the "Cleanup Now" instruction in Prevx is not instructing the user to clean up now. It is not a "suggestion". It is a choice that the user may select which, if chosen, instructs the program what to do. However, an unknowing user might see "Cleanup Now" and think to himself, "I guess I'd better do what Prevx wants me to do".

    Likewise, I think that the wording used in Prevx detection dialogs ("It is strongly recommended that you Remove these threats") could be softened. If I followed those instructions every time Prevx produced a false positive, I don't know what kind of a mess I would find myself in. :)
     
  16. enchant

    enchant Registered Member

    Joined:
    Aug 30, 2009
    Posts:
    26
    In my case, it seemed similar to installing a piece of software. When doing a software installation, you get a series of dialog boxes, each with a few choices (e.g., back, next, cancel). Once you make your selection, you get the next dialog box in the sequence.

    At the time, there appeared to be only two options - clean up, or scan again. Scan again simply brought me back to the box.

    Somehow, it didn't occur to me that I could simply minimize Prevx and go about my business. It truly seemed that Prevx was in the middle of doing something, and it was waiting for final confirmation.
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I agree - this does indeed open up some confusion. "Cleanup Now" is a recommendation to the user, not a mandate (otherwise we would just automatically clean the files).

    Most of the FPs you've personally encountered have been heightened-heuristic-induced false positives and we agree that we should lighten up this text when the detection is the result of a high level of heuristics.
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Without a doubt (and I should have stressed this)... nearly all fp's I've had were due to maxed-out heuristics. :)
     
  19. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Page, with all the level-headedness you demonstrated through this thread, you get my vote for a license for a year. :)
     
  20. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I am guilty of the same offence, Page.
     
  21. mhob

    mhob Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    26
    CMDRTR64.DLL

    This file is being reported as cloaked malware. As far as I know, it is part of my sound card driver package install from Creative for my X-Fi sound card. I just did an update and rebooted, and this file is now reported. In the file properties, it says it is copyright Creative Technology.
     
  22. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I am really biting my lip on this, but how does it happen? I know, vendors have explained, but their approach is not working.
     
  23. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Sorry, I am finished dealing with products like this. I just ran a full scan on a totally clean shot and this is what I get:


    Heuristics Settings: Age: 2, Pop: 2, Heu: 3 (Dir: 1)
    Last Scan: Tue 2009-09-01 16:27:07 Eastern Daylight Time. Number of Scans: 4. Last Scan Duration: 33 minutes 41 seconds.

    Previously Detected Files:
    c:\windows\winsxs\amd64_microsoft-windows-iebrshim_31bf3856ad364e35_6.0.6000.20777_none_867317cf39b013d2\iebrshim.dll [64] [PX5: DAF1ECB500CCAA3C380802F5FA77E200095EE9A8] Malware Group: Medium Risk Malware


    Prevx 3.0 v3.0.1.65 Cleanup Log for 1/9/2009 16:31
    (0) Remove File: \DosDevices\c:\windows\winsxs\amd64_microsoft-windows-iebrshim_31bf3856ad364e35_6.0.6000.20777_none_867317cf39b013d2\iebrshim.dll

    Cleanup Complete

    This is a FP and I have had it with FPs. Especially with this product. iebrshim.dll is part of Vista and safe, and deleting it can do big damage. But it won't, because I am finished listening to how FPs are not a real threat with Prevx. They are, you know it, and I wish you well. You are a good person, but your constant denial of this issue will be brought out in time.
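As an added example (not code from the thread or from Prevx), the following parser reads scan-log text in the shape quoted above, pulls out the heuristics settings and each detection's path, PX5 hash and malware group, and flags entries worth re-checking before any cleanup: files under OS-owned directories such as WinSxS, and detections made under raised heuristics. The sample log is constructed from the thread's own lines; the sardu.exe path, the protected-directory list and the heuristics cutoff are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the Prevx scan log quoted above. The iebrshim.dll
# line and the sardu.exe PX5 hash come from the thread; the sardu.exe path is made up.
SAMPLE_LOG = r"""Heuristics Settings: Age: 2, Pop: 2, Heu: 3 (Dir: 1)
Previously Detected Files:
c:\windows\winsxs\amd64_microsoft-windows-iebrshim_31bf3856ad364e35_6.0.6000.20777_none_867317cf39b013d2\iebrshim.dll [64] [PX5: DAF1ECB500CCAA3C380802F5FA77E200095EE9A8] Malware Group: Medium Risk Malware
c:\users\example\downloads\sardu.exe [PX5: 4095E928E768CBBBAD8A063C5B425B00FF1729D5] Malware Group: Medium Risk Virus
"""

SETTINGS_RE = re.compile(r"Heuristics Settings: Age: (\d+), Pop: (\d+), Heu: (\d+) \(Dir: (\d+)\)")
# path, optional bitness tag like [64], PX5 hash (40 hex chars), malware group text
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)(?: \[(?P<bits>\d+)\])? \[PX5: (?P<px5>[0-9A-F]{40})\] Malware Group: (?P<group>.+)$"
)
# Assumption: files here belong to the OS; a detection in them deserves a second look
# before cleanup because deleting one can break the system, as the post above describes.
PROTECTED_DIRS = ("\\windows\\winsxs\\", "\\windows\\system32\\")


@dataclass
class Detection:
    path: str
    px5: str
    group: str
    bits: Optional[int] = None
    flags: List[str] = field(default_factory=list)


def parse_scan_log(text: str):
    """Return (heuristics settings dict, list of Detection) parsed from scan-log text."""
    settings, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := SETTINGS_RE.match(line):
            settings = dict(zip(("age", "pop", "heu", "dir"), map(int, m.groups())))
        elif m := DETECTION_RE.match(line):
            bits = int(m["bits"]) if m["bits"] else None
            detections.append(Detection(m["path"], m["px5"], m["group"], bits))
    return settings, detections


def triage(settings: dict, detections: List[Detection]) -> List[Detection]:
    """Annotate each detection with reasons to verify it before cleaning."""
    for d in detections:
        if any(p in d.path.lower() for p in PROTECTED_DIRS):
            d.flags.append("os-component-path")
        # The thread attributes most FPs to raised heuristics; the >= 3 cutoff is an assumption.
        if settings.get("heu", 0) >= 3:
            d.flags.append("elevated-heuristics")
    return detections
```

Run `triage(*parse_scan_log(SAMPLE_LOG))` to see both sample entries annotated; flagged entries are the ones to send in as a scan log rather than clean immediately.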
     
  24. microbial

    microbial Registered Member

    Joined:
    Aug 26, 2009
    Posts:
    156
    Location:
    UK
    I have to agree with trjam. The very fact that there is a thread specifically devoted to Prevx users self-reporting FPs indicates a problem...
     
  25. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Well, Joe is here and I am sure typing, and this is not to say that Prevx does not have a long range plan for it that may very well work. But quit telling me there isn't a frigging issue when there is. Just be honest. There is nothing wrong with cranking the heuristics up. I remember those specific words from Stefan when commenting on Avira's FPs. He was honest about it. It doesn't matter, I am just one user, Prevx will do well and life goes on.
     