SBKUPNT.SYS

Hello,
Nod32 v4.0.437 found this at startup of the system :
file C:\WINDOWS\system32\Drivers\SBKUPNT.SYS une variante de Win32/PSW.OnLineGames.OMU

Trojan - Cleaned by deleting - Has been put in quarantine.
(Where is the quarantine folder ?)

I have submited it to Eset by clicking the icon.
Now, what must I do next ?

Thank you.

 

We have just had this same false positive on file CISMBIOS.SYS - scanned with virustotal and only NOD detcts it as PSW.OnlineGames.OMU. Only happens with latest update

EDIT : false positive caused by signature database 4335. The file CISMBIOS.SYS is a part of Intel Landesk.

 

Do you know what applications these drivers belong to? The samples we have received are ambigous, they have a highly suspicious characteristics, but there's a chance they might belong to some badly written applications.

 

I don't know which applications needs it. Here is a part of what is inside SBKUPNT.SYS

C:\NTDDK\lib\i386\free\SBKUPNT.sys
\ D e v i c e \ S B k u p N T \ D o s D e v i c e s \ S B K U P N T

Only Nod32 reports it as a virus/trojan.

Edit

I looked into the registry and it appears here :
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SBKUPNT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SBKUPNT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBKUPNT

 

As I mentioned, cismbios.sys is part of Intel Landesk, no idea what it does though.

 

SBKUPNT.SYS is a part of a hard disk partitioning program called swissknife.

I downloaded it to format a large drive as FAT32, but I've never been able to get the program to work.

In any case, it's a false positive, swissknife is a benign and well known piece of software.

 

Detection has been removed in update 4336. If you are positive that sys files belonging to legit applications were removed in error, restore them from quarantine manually or wait for the next update which should restore them automatically.

 

Hi Marcos,

Maybe it is legit, maybe not. I started my Internet connection and was unable to browse the web with Firefox or IE. I could not update to the last virus definition (4335 or 4334). I was able to download files with a FTP client (Filezilla).
So I had to restart computer and Internet connection. Nod warned me about it as mentionned in my first post.