Introducing, The New Prevx Edge.

Discussion in 'Prevx Releases' started by trjam, Nov 13, 2008.

Thread Status:
Not open for further replies.
  1. ctrlaltdelete

    ctrlaltdelete Registered Member

    Joined:
    Oct 16, 2005
    Posts:
    318
    Location:
    NL
    File is clean on ~VirusTotal link removed per Policy.~ except for the Prevx detection of course.

    Guess it's a False Positive from Prevx for this file.

    Thanks for posting about this file, never knew it existed. I really appreciate this little program. I make a lot of screenshots for tutorials and don't want the dotted lines/triangle on my pictures.
     
    Last edited by a moderator: May 31, 2009
  2. BrendanK.

    BrendanK. Guest

    First I looked at this:
    So that in itself tells me Prevx has classified it as malware.

    Also, the behavior it is conducting is similar to that of a malicious file. Of course I do not know the file itself, but judging from its behavior it is malicious. This does not mean that it is malicious, as many programs can be seen this way due to their behavior even when they aren't.

    So really the only way to determine its safety is to send it in for analysis :)
     
  3. Foxfired

    Foxfired Registered Member

    Joined:
    Sep 2, 2008
    Posts:
    46
    I got a false positive for "combofix.exe". Let me know if you need a screenshot.
     
  4. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    This is an FP. I have had these files since last week and they have scanned clean, previously. This is software by a Wilders member softtouch who has made posts in this thread recently concerning his software. Edit - spelling


    Prevx Scan Log - Version v3.0.1.65
    Log Generated: 1/6/2009 11:34, Type: 1,8192
    Windows XP Professional Service Pack 2 (Build 2600) 32bit|1033
    Some non-malicious files are not included in this log.
    Heuristics Settings: Age: 2, Pop: 2, Heu: 2 (Dir: 1)
    Last Scan: Mon 2009-06-01 11:28:56 E. Australia Standard Time. Number of Scans: 325. Last Scan Duration: 24 minutes 32 seconds.
    [BP] (ACTIVE) h:\downloads copy\downloads\ads1.0.0.2.exe [PX5: 8C9CB87A00190972AE3106F96C5B500078164639] Malware Group: Medium Risk Malware Dropper
    [BP] (ACTIVE) c:\documents and settings\<myname>\desktop\ads1.0.0.2.exe [PX5: 8C9CB87A00190972AE3106F96C5B500078164639] Malware Group: Medium Risk Malware Dropper
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Indeed this file was found because it does some quite suspicious behavior - it injects itself into every process, modifies system process memory, accesses remote process windows, and it adds itself to registry bootup areas.

    However, it does appear that it is a false positive - one which I can't blame our system for blocking :D

    I've now marked it safe :)
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Fixed - a new heuristic from over the weekend went a bit too heuristic and caught a few other security tools as well :)
     
  7. denis

    denis Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    182
    FP
    Prevx Scan Log - Version v3.0.1.65
    Log Generated: 1/6/2009 10:10, Type: 1,8192
    Windows XP Home Service Pack 3 (Build 2600) 32bit|1043
    Some non-malicious files are not included in this log.
    Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
    Last Scan: Mon 2009-06-01 09:52:47 Romance (zomertijd). Number of Scans: 5. Last Scan Duration: 1 minute 51 seconds.
    c:\program files\slysoft\anydvd\anydvd-uninst.exe [PX5: F9F56C5249E7337A715400A65BB7EE002CC78D17] Malware Group: Medium Risk Malware Dropper
    Thanks
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is caused by the same false positive as the others - will be sorted momentarily :)
     
  9. webbit

    webbit Registered Member

    Joined:
    Nov 2, 2008
    Posts:
    223

    No, I am using Kaspersky Internet Security.
     
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    The 2 FPs that I reported earlier are fixed. Thanks. :)

    Have another one:

    Prevx Scan Log - Version v3.0.1.65
    Log Generated: 1/6/2009 19:03, Type: 1,8192
    Windows XP Professional Service Pack 2 (Build 2600) 32bit|1033
    Some non-malicious files are not included in this log.
    Heuristics Settings: Age: 2, Pop: 2, Heu: 2 (Dir: 1)
    Last Scan: Mon 2009-06-01 18:54:26 E. Australia Standard Time. Number of Scans: 327. Last Scan Duration: 22 minutes 1 second.
    (ACTIVE) c:\program files\opera 10.0 alpha\opera.exe [PX5: BC1AA82A00E9E697BEF401DC1AD8A600ABC01DAE] Malware Group: Medium Risk Malware Dropper
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK


    Thanks :doubt: This is still the same signature causing issues - will be fixed shortly :D
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Regarding the recent string of FPs - we believe we've found the source of them (an issue which started on Sunday) and we've now retroactively corrected the other falsely detected files.

    Please let me know via PM, email, or post here if you do see any other FPs :) Thanks for the help!
     
  13. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    Just noticed a change, quoted below, from the log in MJ Registry Watcher:

    Joe, is this valid?

    I am currently in the middle of a scan.




    ** Monday 1/06/2009 7:54:12 PM **
    Important Executables and Driver Files
    File Details Changed from
    c:\windows\system32\drivers\pxscan.sys - Size=22,024 Date=Wed Apr 29 11:18:57 2009 Attributes=---A-
    to
    c:\windows\system32\drivers\pxscan.sys - Size=22,024 Date=Mon Jun 01 19:47:37 2009 Attributes=---A-
    File Details Changed from
    c:\windows\system32\drivers\pxsec.sys - Size=27,656 Date=Wed Apr 29 11:18:57 2009 Attributes=---A-
    to
    c:\windows\system32\drivers\pxsec.sys - Size=27,656 Date=Mon Jun 01 19:47:37 2009 Attributes=---A-
    =======================================================
    ** Monday 1/06/2009 7:54:13 PM **
    Change Auto-Accepted
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK

    Those are indeed the correct drivers and the correct sizes - I'm not sure why they would have changed now though :doubt: If you'd like, feel free to send me the files and I can double check that they are exactly the same as the ones we released :)
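    In the MJ Registry Watcher log quoted above only the Date field changed; Size stayed identical. Neither field settles whether the bytes changed: a reinstall rewrites the timestamp without touching the content, while a patch of a few bytes leaves the size exactly as it was. The check a practitioner would want is a content digest compared against values recorded while the files were known good, which is what "double check that they are exactly the same as the ones we released" amounts to. The Python below is an added example, not Prevx's code or any poster's; the file names pxscan.sys and pxsec.sys are reused as labels only, and the contents and the manifest are constructed in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_manifest(manifest):
    """manifest maps path -> expected SHA-256 hex recorded when the file was known good.

    Returns path -> 'ok' | 'MISMATCH' | 'MISSING'. Size and modification time are
    deliberately not consulted: only the content digest decides.
    """
    results = {}
    for path, expected in manifest.items():
        if not os.path.isfile(path):
            results[path] = "MISSING"
        elif sha256_file(path) == expected.lower():
            results[path] = "ok"
        else:
            results[path] = "MISMATCH"
    return results


def demo():
    """Constructed scenario (names are labels only, not the real Prevx drivers):
    one file has its timestamp rewritten with content untouched, the other has a
    single byte changed so its size stays identical. Returns (statuses, sizes_equal).
    """
    workdir = tempfile.mkdtemp()
    try:
        touched = os.path.join(workdir, "pxscan.sys")
        patched = os.path.join(workdir, "pxsec.sys")
        with open(touched, "wb") as fh:
            fh.write(b"\x4d\x5a" + b"A" * 1022)  # 1024 bytes of placeholder content
        with open(patched, "wb") as fh:
            fh.write(b"\x4d\x5a" + b"B" * 1022)
        # Reference digests taken while both files are known good
        manifest = {touched: sha256_file(touched), patched: sha256_file(patched)}
        # Later: the timestamp of one file is rewritten (as after a reinstall),
        # content unchanged
        os.utime(touched, (0, 0))
        # ...and one byte of the other file changes; its size does not
        with open(patched, "r+b") as fh:
            fh.seek(512)
            fh.write(b"C")
        sizes_equal = os.path.getsize(touched) == os.path.getsize(patched) == 1024
        statuses = {os.path.basename(p): s for p, s in verify_manifest(manifest).items()}
        return statuses, sizes_equal
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

    Running it reports the touched file as ok and the patched file as MISMATCH even though both are still 1,024 bytes, which is the point: a changed Date with an unchanged Size is consistent with both a harmless rewrite and a same-size modification, and only the digest tells them apart.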
     
  15. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    No, I am sure the files are Ok.

    I think maybe it had something to do with my HIPS (SSM) throwing up popups which I kept ignoring.

    And a scan aborted. So I killed Prevx. Then it restarted automatically.

    BTW, Opera FP is now gone.:)
     
  16. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    944
    Re. RemoveFocusRect.dll:

    To Ctrlaltdelete

    No problem - credit to the author, who lurks on Neowin, I think.


    To Joe

    Thank you Joe - I wasn't at all irked by the FP - I'm very glad Prevx was awake to the behaviour and sought to lock out the .dll - could well have been a baddie for all I knew, not knowing the exact provenance of the file...

    philby
     
  17. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    @PrevxHelp: Sent you PM regarding my software. They are now digitally signed.
     
  18. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    absolutely! i would not change a thing, especially for someone who in all likelihood is not even licensed for or using the product. let 'em eat mud.


    Mike
     
  19. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Whatever text, does not matter for me.
    I only take a look at the tray icon, and if it is green, all is ok for me... if it is red, something is wrong, and I then do not care what text is written there...
     
  20. nrestell

    nrestell Registered Member

    Joined:
    Jun 18, 2008
    Posts:
    16
    Hi PrevXHelp,

    I have a FP here from the R-Wipe and Clean website. Log file details:

    e:\downloads\rwc_en_8.exe [PX5: C8012388D092EC2A937E2BDEB3FDF300E0740192] Malware Group: Medium Risk Malware
    e:\downloads\rwc_en_8.exe [PX5: C8012388D092EC2A937E2BDEB3FDF300E0740192] Malware Group: Medium Risk Malware

    The file in question is their trial program - never had an issue with the earlier release of R-wipe just this new one.

    Cheers!
    Neil
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Fixed now! Thanks :)
     
  22. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    Hi, I hope someone can help me out with this,

    This may be a possible bug; this behavior can't be right o_O

    Ok then let me give you a quick summary of events:

    I downloaded a screen saver, recommended by some trustworthy sites. I researched before downloading.
    Well, Prevx detected 2 high risk worms :eek: Being a screen saver and all, I thought that anything is possible (personally, still believing it to be a false positive).

    Alarm bells went off within prevx and me...

    I didn't want to clean up just yet, thought I would perform a system scan that's when it all started:doubt:

    I stopped (not paused) the scan because I had to urgently attend to something, just for a minute. I wanted to restart the scan and realised my red blinking icon had turned green (safe). STRANGE o_O Well, I proceeded with my scan and there were no more threats on my system... CLEAN :ouch:

    I couldn't believe it, so I thought I would run the exe again. Alarm bells in Prevx detecting the same worm, well... scan, paused (clean green :)), restart scan and no more threats :thumb: :mad:
    What has happened o_O

    Now, to make things worse, I ran the exe again; this time Prevx detects nothing.
    The file is now clean :D or is it o_O

    Could you please explain this behaviour?

    I have both log files
    1. Infection is noted at page bottom (high risk worm)
    2. The miraculous recovery from certain destruction :D no mention of its existence (taken later; not even detecting or mentioning the previous infection)

    Can someone replicate this? I'm sure it's not limited to my exe (for identifying it as clean after a stopped scan and rescan).

    Who can I post the log files to? I would like to send you the link to the site so you can verify it as a threat or FP.

    help;)
     
    Last edited: Jun 4, 2009
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    EDIT: I've analyzed your log and it is indeed a legitimate detection - the files appear to be a component of MyWebSearch. It looks like we caught it before it was able to do anything in the system and being that it was trying to run from only a temporary folder, the problem seems to have fixed itself :)
     
    Last edited: Jun 4, 2009
  24. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    I am aware of this entry (MyWebSearch bar). I downloaded it, wanted to see if I would be alerted. But that was about 1 week ago and has nothing to do with the alert I had yesterday.

    Last night: ******screensaver.zip\setup.exe [PX5:A497B95B001AE21240450510FFC75400F7BE684B] Malware Group: High Risk Worm

    Last week: mwssetup.exe [PX5:CD7240500027C077B07B51453A86160079FD000A] Malware Group: Low Risk Adware
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I suspect the real "problem" is that the file existed in a temporary directory and was either removed by the installer which extracted it or was removed by Windows automatically.

    I downloaded the archive and tried installing it and didn't receive any warning, however, the file which I got when downloading it was much larger than the one you had (yours was ~66kb while mine is ~300kb).
     