opera.dll malware

Discussion in 'Prevx Releases' started by overangry, Feb 5, 2011.

Thread Status:
Not open for further replies.
  1. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    After a scheduled scan Prevx detected opera.dll as malware. I don't use Opera often, but it has been on my system for some time.
    I reported it as a false positive and sent the scan log to Prevx as required. After checking the file online with Virus Total, the result was 1/42 (Prevx detecting).

    I then right-clicked the file in the warning window and also marked it as a false positive.
    Rescanning my PC resulted in a "system status protected" screen.

    My question:
    The initial scan log showed the malware infection:
    (ACTIVE) c:\program files (x86)\opera\opera.dll [PX5: B70F15CB70EEDD3AB5D0BA507A99B200B3A1463E] Malware Group: Medium Risk Malware Dropper


    The subsequent scan resulted in a clean system, yet this was in place of the previous scan result:
    [NF] (ACTIVE) c:\program files (x86)\opera\opera.dll [PX5: B70F15CB70EEDD3AB5D0BA507A99B200B3A1463E]

    Note the different PX5

    Is this the same file?

    If I report a file as a FP is my system automatically marked as clean? I may be wrong, it could well be malware.

    After the first scan I get this message at the end of the scan log:
    Previously Detected Files:
    c:\users\kay\appdata\local\temp\7zipsfx.000\opera.dll [PX5: B70F15CB70EEDD3AB5D0BA507A99B200B3A1463E] Malware Group: Medium Risk Malware Dropper
    [DP] c:\users\kay\appdata\local\temp\{ac6d9941-2102-48b4-bdc5-50c1244051d1}\{ac6d9941-2102-48b4-bdc5-50c1244051d1}.theme [PX5: ED50331F005DDEF7467004725C42C700BDD53E93]

    End of Prevx Scan Log - http://www.prevx.com

    Yet the second scan makes no mention of the previous infection:

    Previously Detected Files:
    [DP] c:\users\kay\appdata\local\temp\{ac6d9941-2102-48b4-bdc5-50c1244051d1}\{ac6d9941-2102-48b4-bdc5-50c1244051d1}.theme [PX5: ED50331F005DDEF7467004725C42C700BDD53E93]

    End of Prevx Scan Log - http://www.prevx.com

    Is this correct? Shouldn't there be at least a mention of an infection, or of me marking it as an FP?

    I haven't heard back from Prevx support so I don't believe that they have processed this yet.

    Just confused...
     
  2. Jules Blue

    Jules Blue Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    12
    I have just experienced the same thing, and again don't use Opera very often.

    I have not reported it as a false positive yet, because the software says that if I do, then this "prevents it from being detected in the future". That seems a little silly. It should give you the option to quarantine until Prevx have investigated.

    I look forward to Prevx's reply too.
     
  3. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    It would be nice if there were an option in Prevx to disable AV signatures and just use heuristics.
    That would be great, this way you can wake up next day and see some 'High Risk Backdoor' out of the blue.
     
  4. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    Happened to me this morning on two different computers, one W7 and one Vista, Prevx .220. Same Opera version 11.01 but several days old, both with valid digital signatures. Reported both as FPs with detection overrides.
     
  5. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Please follow the instructions in this thread https://www.wilderssecurity.com/showthread.php?t=245129 to report possible FPs, and not in the forums! I will close this thread now; if PrevxHelp wants to reopen it, he can!

    TIA,

    TH

    EDIT: I sent in a scan log to get the FP Fixed!
     
    Last edited: Feb 5, 2011
  6. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    FYI: the FP has been fixed ;)
     