False positives / Missing detections thread

Discussion in 'Prevx Releases' started by EraserHW, Jun 14, 2009.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Joe, you and Marcos and PWD are to continued to be commended for all you do for Prevx. Anyone that ever steals you 3 away will have to fork over big bucks.

    Mel, you listening.;)
     
  2. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi, I'm back on XP now and I've done a fresh install of Prevx which found these 2 as threats -

    c:\windows\system32\drivers\rkd.sys [PX5: 68EC60E2001AE922DEA800F5AA74D5009172B053] Malware Group: Medium Risk Malware

    c:\windows\gendel32.exe [PX5: FC4A0195009B0798DC5800C90DC6C70066776FED] Malware Group: High Risk Worm

    Above from the log.

    I'm sure rkd.sys is from one of my ARKs. Properties says: Chinese (PRC) KAVBC.exe

    gendel32.exe Properties says nothing.

    TIA
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    I've corrected the rkd.sys FP (indeed a component of an antirootkit program), but the gendel file seems to be malicious (or at least quite a few vendors think so; Panda calls it HackTool/Gendel.A, which may give some credence to the detection), so for now I've left that in place pending further review :)

    Let me know if you have any thoughts on it or where it came from!
     
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Good and not good lol.

    Shall I send you the gendel32.exe?
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes :) If you can email it to report@prevxresearch.com, we'll take a look at it to see what it's trying to do.
     
  6. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    I'll send it now

    TIA
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The file is indeed a FP, by us and ~10 vendors but it is caused (at least from us) because the file has come primarily from malware installers. It looks to be a component of an install package, albeit, done quite suspiciously :doubt:

    I've corrected it now :) Thanks for the report!
     
  8. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Jeepers, talk about fast responses!

    I hoped it would be a FP; I don't mind them at all, better than no detects on real Malware. In the meantime I renamed it.

    I found this: "As far as I know, gendel32.exe is put in by the third party installer we use" on http://forums.http-tunnel.com/showthread.php?t=1800

    -

    I don't remember installing http-tunnel, but it could have been from something similar at some time?

    As you say, a number of other vendors are detecting it as Malware too. I'll try and alert them as well.

    Thanx again,

    S
     
  9. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Today for some reason i suddenly got threat alerts on these 2 - ole2plgin.dll and madchook.dll both in System32

    madchook.dll SHA1 = B9AA426CE405969B2EC64E4A2CE2BFFCB65BA2D9 MD5 = 83DDA547DA1248E2EAAE8133B79C24F7 = api hooking for 9x/nt = www.madshi.net = SAFE. Been in there for ages, OA uses it.

    ole2plgin.dll SHA1 = B9AA426CE405969B2EC64E4A2CE2BFFCB65BA2D9 MD5 = 83DDA547DA1248E2EAAE8133B79C24F7

    FileAlyzer analysis mentions network and sockets etc.! Also, Characteristics: A18E - Executable, Line Numbers Stripped, Local Symbols Stripped, Bytes Reversed Lo, Bytes Reversed Hi, 32bit Machine Expected, DLL

    No info in Properties? Name is similar to MS etc. .dlls, but of course that could be deliberate if it's a baddie! Not loaded according to Autoruns, and not running according to Process Explorer. Your www says it's dodgy, so?

    TIA
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    I believe I've fixed them - we don't use MD5/SHA1 so I can't be sure but can you run a scan to see if they're found again?

    Madchook.dll is unfortunately very heavily used by malware but it is a good and useful utility, definitely not malicious by itself.
     
  11. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    You don't use MD5/SHA1, ooh, why not, if I may be so bold as to ask?

    Yep, just did a scan and they've diskapeared lol.

    I don't know what you guys are on, but I want some lol.

    Thanx
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    MD5/SHA1 are only useful for detecting a single file and both have exploits against them which are growing in computational feasibility quickly. We use our own algorithms which are much more generic than MD5/SHA1 :)
     
  13. cyb_2009

    cyb_2009 Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    13
    Prevex not finding an active spambot

    Prevx et al, hope this is the right thread to use for my query.

    I finally found your Prevx product after trying a bunch of the other top rated anti-spyware/malware/rootkit products. When I took my personal laptop to work and hooked it in to our network via DHCP it was found to be generating lots of Port 25 (SMTP) spam and caused my work's ISP to blacklist our company, ouch! At work on their router, for a test we blocked Port 25 and could see my laptop banging against it with constant spambot activity. The ISP said they had identified it as Cutwail, but who really knows. So, I ran every major tool (anti-virus, anti-spyware, anti-rootkit) I could find on the net and they found nothing! I deleted all those and my laptop is still sending SMTP spam. I also tried your free Prevx 3.0 version and its scan also found absolutely nothing. I am very puzzled by this. There is what seems like a spambot on my laptop and no software tool can find it. Is it too new? I was hoping that since your product is cutting edge I would finally solve my problem, but no luck so far. You are the first anti-malware company I've contacted since it seems like a cool product. Your help would be much appreciated and I would be glad to buy the product if it could find and (after I paid) remove this active spambot on my laptop.
    Thanks!
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello cyb_2009,
    We'd be glad to help :) If you could run a scan with Prevx 3.0 and then click Tools > Save Scan Results and email us that log to report@prevxresearch.com, we'll report back with our results if we see anything unusual.

    Let me know if you have any questions!
     
  15. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,277
    Location:
    Ontario, Canada
  16. cyb_2009

    cyb_2009 Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    13
    Thanks. I just sent the scan per your instructions.
     
  17. cyb_2009

    cyb_2009 Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    13
    Re: Prevex not finding an active spambot

    Thanks Triple Helix. After watching that I downloaded the latest GMER and ran it. On first scan of C: it found nothing, but my drive is partitioned C/D and when I checked both drives, C & D it found something in the next scan. While I didn't really know what to look for, GMER reported the following lines in red as rootkit activity:

    ---- Processes - GMER 1.0.15 ----

    Library C:\Program (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [900] 0x10000000
    Library C:\Documents (*** hidden *** ) @ C:\Documents [2292] 0x00400000


    ---- EOF - GMER 1.0.15 --

    I did another Prevx scan right after and nothing reported. I assume Prevx scans all drives and attached devices automatically?
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    We couldn't find anything malicious in your log :doubt: Could you try installing a firewall to warn on any traffic outbound or inbound to try and see what process it is coming from?
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Re: Prevex not finding an active spambot

    That is indeed strange. If you're interested, would you like one of our researchers to help you remotely during the week to try and diagnose this more accurately?
     
  20. cyb_2009

    cyb_2009 Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    13

    I am running just the Windows XP firewall (I know, useless). What firewall would you suggest, if you can? I was trying to find some kind of tool to log Port 25 but, short of Wireshark (which I have but am not sure how to use :doubt: ), I couldn't find anything handy. I suppose that's what firewalls do, but I'm hesitant to load one of the bloatware apps out there that infiltrate the whole PC worse than malware...:rolleyes:
     
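    One cheap way to answer the "which process is it coming from?" question above without installing a third-party firewall is to parse the output of the built-in `netstat -ano -p tcp` (available on XP SP2 and later) and look for the PID fanning out to many distinct remote hosts on port 25. The script below is an added example, not Prevx's code or anything posted in the thread; the netstat sample it embeds is constructed, and the `min_hosts` threshold is an assumption (a real mail client talks to one or two SMTP servers, a spambot to many).

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano -p tcp` output in the Windows XP format.
# Addresses are documentation ranges, not real hosts.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.23:1043      203.0.113.10:25        SYN_SENT        1856
  TCP    192.168.1.23:1044      198.51.100.7:25        ESTABLISHED     1856
  TCP    192.168.1.23:1045      203.0.113.44:25        SYN_SENT        1856
  TCP    192.168.1.23:1102      192.0.2.80:80          ESTABLISHED     2292
  TCP    192.168.1.23:1107      192.0.2.25:587         ESTABLISHED     3120
  TCP    192.168.1.23:1108      203.0.113.99:25        SYN_SENT        1856
"""

# Proto, local ip:port, foreign ip:port, state, PID
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Yield (remote_ip, remote_port, state, pid) for each TCP connection line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(3), int(m.group(4)), m.group(5), int(m.group(6))


def smtp_talkers(text, port=25):
    """Map PID -> sorted list of distinct remote hosts it contacts on `port`."""
    hosts = defaultdict(set)
    for rip, rport, _state, pid in parse_netstat(text):
        if rport == port:
            hosts[pid].add(rip)
    return {pid: sorted(h) for pid, h in hosts.items()}


def suspect_pids(text, min_hosts=3, port=25):
    """PIDs contacting at least `min_hosts` different SMTP servers (assumed threshold).
    SYN_SENT entries count too: a blocked port 25 still shows the attempts."""
    talkers = smtp_talkers(text, port)
    return sorted(pid for pid, h in talkers.items() if len(h) >= min_hosts)


if __name__ == "__main__":
    for pid in suspect_pids(SAMPLE_NETSTAT):
        print(f"PID {pid} -> {smtp_talkers(SAMPLE_NETSTAT)[pid]}")
```

Feed it a saved `netstat -ano -p tcp > net.txt` and map the reported PID to an image with `tasklist` or Process Explorer; the PID, not the file name, is what lets you find a hidden or renamed binary.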
  21. cyb_2009

    cyb_2009 Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    13
    Re: Prevex not finding an active spambot

    Sure, that would be fine. I'll email you my contact info since I see I can't PM here.

    Also, I am still running just the unregistered scan version of Prevx 3.0, does it look at my D: drive too or does that take a full (paid) scan?
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Re: Prevex not finding an active spambot

    It looks at any programs which are active or can become active but doesn't perform an on-demand scan of every file (as they aren't threatening to your system if they aren't active/able to become active).

    I'm surprised GMER would perform differently between the two scans depending on what you scanned as the detections were still just from your C:\ drive.

    We'll uncover the cause soon :)
     
  23. cyb_2009

    cyb_2009 Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    13
    Re: Prevex not finding an active spambot


    I see what happened. When I fire up GMER it starts what looks like a scan and lists a few items, but no problems. I have to press the SCAN button and then it runs a full scan and found the issue on C: with just C: selected. I was confused by how it works originally.

    Thanks
     
  24. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,277
    Location:
    Ontario, Canada
    Re: Prevex not finding an active spambot

    I know Joe is helping you, but in the meantime you can try this tool to see if it shows up!

    http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight

    TH
     
  25. cyb_2009

    cyb_2009 Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    13