Real threat or false positive?

Discussion in 'Prevx Releases' started by lorripop, Feb 4, 2010.

Thread Status:
Not open for further replies.
  1. lorripop

    lorripop Registered Member

    Joined:
    Feb 4, 2010
    Posts:
    7
    After scanning my local drive with Norton 360, Malwarebytes, MRT, and Prevx 3.0,

    ONLY Prevx identified "funshioninstall2.0.0.29beta.exe" (downloaded from funshion.com) as "Medium Risk Malware".

    Should I be concerned that it is real malware? Or is this a false positive?

    (Sorry for posting this so much; I don't know where it belongs.)

    EDIT: OK, so here's the scan log from Prevx 3.0

    Prevx Scan Log - Version v3.0.5.50
    Log Generated: 5/2/2010 09:59, Type: 0,1
    Windows Vista Home Premium Service Pack 2 (Build 6002) 32bit|1033
    Hostname: Laura-Laptop
    Some non-malicious files are not included in this log.
    Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
    Last Scan: Thu 2010-02-04 18:28:24 Malay Peninsula Standard Time. Number of Scans: 18. Last Scan Duration: 11 seconds.
    c:\users\hp\documents\funshioninstall2.0.0.29beta.exe [PX5: D95BFA4F8032110946EE3EBC37159F00C796261D] Malware Group: Medium Risk Malware
    c:\users\hp\appdata\local\temp\idc2.tmp\esetsmartinstaller.exe [PX5: 55DCEDE9B89E059BC60B28F558D3F200E91255CE]
    [G] c:\users\hp\appdata\local\temp\mpengine.dll [PX5: A5A4683D50CAB446FF534A1C8C998100147F70B9]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\acroform.api [PX5: 85713B076347D1CB5818848EA68AD10081B35FB6]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\annots.api [PX5: 977D2D4D632A22EBF0133E90489E7100C29D41B2]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\checkers.api [PX5: 1DA23B766366CBB9CC380C00D9DA8D0083001567]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\digsig.api [PX5: 96451BDD63ED7BD28AF811CC6180C80012291CE0]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\dva.api [PX5: CF8C8685639350CCE8A501C78E0EEC00D8972603]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\ebook.api [PX5: 08F5A46A630E7B98C88400FBD94321003DA193EC]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\escript.api [PX5: 6D277404631FB929A0EF1538CC31D200B97F36B5]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\ewh32.api [PX5: 01643ADA63E0ED85EC450168F37740000277C605]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\hls.api [PX5: 64E5397E6392E3FAC8CB00E1284D7F000640BCFA]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\ia32.api [PX5: F5CD2359633A03BB4A6D01D5015DC300F91E3ACA]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\imageviewer.api [PX5: FB81CE176346B3F122F307D430166C00565464B8]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\makeaccessible.api [PX5: 1212EDBD6371F2050C911F82431E0800409F620D]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\multimedia.api [PX5: C156BCDA637B83048E0B148B8BC49E00F9CCACFE]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\pddom.api [PX5: 1E18E20C6301EF26101C068B6D4CBD00B9DDBFFA]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\ppklite.api [PX5: 79BCD6E163A5EF9E264A5898FAC10C0013EF159E]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\readoutloud.api [PX5: 2EBDB16E63B7C630A02D01E7429B0B00E64C86A6]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\reflow.api [PX5: 6099E98463701FFF8A8D0589DF58AB00657EAB78]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\saveasrtf.api [PX5: 4A437003634ED92F967B045F61F0720051BC0C37]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\search.api [PX5: 9D0419C76310DA8C622405F7446BCE006A4883BA]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\search5.api [PX5: 17E305A9635073714E2F01AFF4C21C00BF9458B9]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\sendmail.api [PX5: 128AC56663F2B51EE6720183AAC2C000E5AAACDD]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\spelling.api [PX5: 774DC83B63D1960C18AA042B9D3B8300D3026D21]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\updater.api [PX5: F38F4C3D63D92E08860702D457276F0044688EFB]
    [G] c:\program files\adobe\reader 8.0\reader\plug_ins\weblink.api [PX5: E78768DE63755C28CEEE022492A69C00CBF38439]
    [G] c:\program files\adobe\reader 8.0\reader\cryptocme2.dll [PX5: F76819DC00C5883310E8067EA24A5200817BD6B4]
    [G] c:\program files\adobe\reader 8.0\reader\ccme_base.dll [PX5: D752984600DFDFC340B707252C1A1900BA338606]
    [G] c:\program files\adobe\reader 8.0\reader\adobelinguistic.dll [PX5: C7D63C6200D92F4F206507D3786F8A0087E1E5E9]
    [G] c:\program files\adobe\reader 8.0\reader\adobeupdater.dll [PX5: D8D9E35378D1FFEEB1A507C20217D2007E14A855]
    [G] c:\windows\system32\vdmdbg.dll [PX5: C3E08FF1009FFB0144CB00609249C00003CA5EB4]
    [G] c:\program files\adobe\reader 8.0\reader\bibutils.dll [PX5: 96DE17E200C25AC252AE02C33C6D0700D2FB1CBF]
    [G] c:\program files\eset\eset online scanner\onlinescanner.ocx [PX5: E90A101F4896CB413603336803AA3E00039AEFD0]

    End of Prevx Scan Log - http://www.prevx.com

    If anyone can read it, is there malware in the log?

    And if there is, must I use special tools to remove the malware? Or do I just delete it manually, or uninstall it from my computer?

    And if tools are needed, any recommended ones?
     
    Last edited: Feb 4, 2010
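    The question "is there malware in the log?" comes down to reading the file lines of the Prevx scan log. The following is an added example, not Prevx's own code or anything from this thread's participants: a small parser for the log layout quoted in the post above. It assumes, from that log alone, that each file line is `[optional "[G]"] <path> [PX5: <40 hex chars>] [optional "Malware Group: <verdict>"]`, that the `[G]` prefix marks a file Prevx classified as good, and that a line with neither `[G]` nor a verdict is simply unclassified by Prevx. The sample log is a handful of lines copied from the quoted log plus its header and footer, so it runs offline.

```python
"""Triage helper for Prevx 3.0 scan-log lines (added example, not Prevx code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# File-line layout assumed from the log quoted in the thread:
#   [optional "[G]" marker]  <path>  [PX5: <40 hex chars>]  [optional "Malware Group: <verdict>"]
ENTRY_RE = re.compile(
    r"^\s*(?P<good>\[G\]\s+)?"
    r"(?P<path>.+?)\s+"
    r"\[PX5:\s*(?P<px5>[0-9A-Fa-f]{40})\]"
    r"(?:\s+Malware Group:\s*(?P<group>.+?))?\s*$"
)


@dataclass
class LogEntry:
    path: str
    px5: str                      # Prevx's PX5 file identifier exactly as printed in the log
    known_good: bool              # "[G]" prefix: assumed to mean Prevx classified the file as good
    malware_group: Optional[str]  # verdict text ("Medium Risk Malware"), if the line carries one

    @property
    def status(self) -> str:
        """Collapse the three observable states into one label for triage."""
        if self.malware_group:
            return "flagged"
        return "good" if self.known_good else "unclassified"


def parse_prevx_log(text: str) -> List[LogEntry]:
    """Return one LogEntry per file line; header, hostname and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Prevx Scan Log - Version", "Hostname:", "End of ..." and similar lines
        entries.append(LogEntry(
            path=m.group("path").strip(),
            px5=m.group("px5").upper(),
            known_good=m.group("good") is not None,
            malware_group=m.group("group"),
        ))
    return entries


def triage(text: str) -> dict:
    """Bucket entries so the flagged and unclassified ones can be reviewed first."""
    entries = parse_prevx_log(text)
    return {
        "flagged": [e for e in entries if e.status == "flagged"],
        "unclassified": [e for e in entries if e.status == "unclassified"],
        "good": [e for e in entries if e.status == "good"],
    }


# Sample input: header/footer plus four file lines copied from the log quoted in the thread.
SAMPLE_LOG = """Prevx Scan Log - Version v3.0.5.50
Log Generated: 5/2/2010 09:59, Type: 0,1
Hostname: Laura-Laptop
Some non-malicious files are not included in this log.
c:\\users\\hp\\documents\\funshioninstall2.0.0.29beta.exe [PX5: D95BFA4F8032110946EE3EBC37159F00C796261D] Malware Group: Medium Risk Malware
c:\\users\\hp\\appdata\\local\\temp\\idc2.tmp\\esetsmartinstaller.exe [PX5: 55DCEDE9B89E059BC60B28F558D3F200E91255CE]
[G] c:\\users\\hp\\appdata\\local\\temp\\mpengine.dll [PX5: A5A4683D50CAB446FF534A1C8C998100147F70B9]
[G] c:\\windows\\system32\\vdmdbg.dll [PX5: C3E08FF1009FFB0144CB00609249C00003CA5EB4]
End of Prevx Scan Log - http://www.prevx.com
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {len(items)}")
        for e in items:
            print(f"  {e.path}  PX5={e.px5}  {e.malware_group or ''}".rstrip())
```

    Run against the full log from the post, the "flagged" bucket holds only the funshion installer line, which is the one a reviewer would look at or submit to the vendor; the "unclassified" bucket is where files with no verdict either way (such as the esetsmartinstaller.exe line) collect.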
  2. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    That site is known to contain some malware. I suspect Prevx is right in that detection.

    However, if you want to be doubly sure, you can submit a scan log by e-mail to report@prevxresearch.com after clicking on "Scan Now" on the front screen of Prevx and then saving the scan log by clicking on Tools/Save Scan Results.
     
  3. lorripop

    lorripop Registered Member

    Joined:
    Feb 4, 2010
    Posts:
    7
    OK, I added some extra information. Can you read it and see if any of my extra info helps? Thanks.
     
  4. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    The entry

    is the one we're interested in. Only PrevxHelp might be able to confirm whether that file is definitely malware. This is why I suggested you send the log to the report@prevxresearch.com address.
     
  5. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    Any site offering its own installer is suspect, as is the installer itself.

    There is absolutely NO NEED to repack files distributed by other vendors. The main trick here is usually to get some form of adware into the system ...
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Indeed - we hadn't responded here because it appeared that this user got assistance from members of another forum, but this file is packaged with known adware. Prevx is probably one of the few vendors to find it because this is a new version of the program (v2 when previous versions were all in the range of v1.3/1.4) but our genetic analysis was able to track back this new version as being a derivative of the previous release and automatically condemn it as malicious.
     
  7. lorripop

    lorripop Registered Member

    Joined:
    Feb 4, 2010
    Posts:
    7
    ...does this mean that the file I have on my computer is a real threat?

    EDIT:

    OK, I uploaded the file to virustotal.com once today, and once a few days ago. A few days ago, VirusTotal listed that Prevx flagged it as "medium risk malware", but today Prevx doesn't flag it at all... ~ VirusTotal link removed per Policy ~ What's going on?
     
    Last edited by a moderator: Feb 27, 2010
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'm going to be re-analyzing the download now - it's possible that they've disabled or removed the adware from the file, which is why we're no longer flagging it.
     
    Last edited by a moderator: Feb 27, 2010
  9. lorripop

    lorripop Registered Member

    Joined:
    Feb 4, 2010
    Posts:
    7
    Um, okay, so please tell me after you finish re-analyzing it.
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It appears as if the adware from the older version is disabled, but the newest version from their website is detected by Prevx automatically.
     
  11. PatG

    PatG Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    579
    Location:
    South Alabama
    GOD, I love it when a plan comes together! :D
     
  12. lorripop

    lorripop Registered Member

    Joined:
    Feb 4, 2010
    Posts:
    7
    ...they put up a newer version?? ._.
     
  13. lorripop

    lorripop Registered Member

    Joined:
    Feb 4, 2010
    Posts:
    7
    ...what do you mean, "plan"? ._.
     
  14. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,724
    Location:
    localhost
    Yes, Funshion v2.1.0 Build16 Version :)
     
  15. PatG

    PatG Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    579
    Location:
    South Alabama
    You must be too young to remember "The A Team", huh? :) That's what the lead guy, George Peppard, said at the end of every episode when everything worked out to their satisfaction from fighting crime. :D
     
  16. lorripop

    lorripop Registered Member

    Joined:
    Feb 4, 2010
    Posts:
    7
    To fax:

    Oh? OK, then I guess I shouldn't worry about it so much now XD but yeah, I should still remove it, right? O:

    To PatG:

    Either I'm too young, or they never showed it in my region . A .

    ...and doesn't that phrase get irritating after a while . A .
     