SBKUPNT.SYS

Discussion in 'ESET NOD32 Antivirus' started by Fidelius, Aug 14, 2009.

Thread Status:
Not open for further replies.
  1. Fidelius

    Fidelius Registered Member

    Joined:
    Oct 2, 2006
    Posts:
    146
    Hello,
    Nod32 v4.0.437 found this at startup of the system:
    file C:\WINDOWS\system32\Drivers\SBKUPNT.SYS une variante de Win32/PSW.OnLineGames.OMU

    Trojan - Cleaned by deleting - Has been put in quarantine.
    (Where is the quarantine folder?)

    I have submitted it to Eset by clicking the icon.
    Now, what must I do next?

    Thank you.
     
  2. ShaneC

    ShaneC Registered Member

    Joined:
    Aug 14, 2009
    Posts:
    2
    We have just had this same false positive on file CISMBIOS.SYS - scanned with virustotal and only NOD detects it as PSW.OnlineGames.OMU. Only happens with latest update :rolleyes:

    EDIT: false positive caused by signature database 4335. The file CISMBIOS.SYS is a part of Intel Landesk.
     
    Last edited: Aug 14, 2009
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Do you know what applications these drivers belong to? The samples we have received are ambiguous; they have highly suspicious characteristics, but there's a chance they might belong to some badly written applications.
     
  4. Fidelius

    Fidelius Registered Member

    Joined:
    Oct 2, 2006
    Posts:
    146
    I don't know which application needs it. Here is a part of what is inside SBKUPNT.SYS:

    C:\NTDDK\lib\i386\free\SBKUPNT.sys
    \ D e v i c e \ S B k u p N T \ D o s D e v i c e s \ S B K U P N T

    Only Nod32 reports it as a virus/trojan.

    Edit

    I looked into the registry and it appears here:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SBKUPNT
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SBKUPNT
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBKUPNT
     
    Last edited: Aug 14, 2009
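As an added triage example (not code from this thread, from ESET or from the swissknife vendor), the following PowerShell follows the same trail the post above describes: it reads the driver's service entry under HKLM\SYSTEM\CurrentControlSet\Services, resolves its ImagePath, and reports the file's SHA-256 and Authenticode signature so a suspected false positive can be compared against the vendor's own binaries. Only the service name SBKUPNT comes from the post; the path-normalisation rules and the output layout are my assumptions.

```powershell
# Added triage helper; not part of the thread. Service name taken from the post.
$ServiceName = 'SBKUPNT'

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $key)) { Write-Output "No service entry named $ServiceName"; return }

$svc = Get-ItemProperty -Path $key

# Driver services may omit ImagePath; Windows then loads System32\drivers\<name>.sys
$imagePath = $svc.ImagePath
if (-not $imagePath) { $imagePath = "System32\drivers\$ServiceName.sys" }

# Normalise the kernel-style path forms commonly found in ImagePath values
$imagePath = $imagePath -replace '^\\\?\?\\', ''                       # \??\C:\...  -> C:\...
$imagePath = $imagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\" # \SystemRoot\... -> C:\WINDOWS\...
if ($imagePath -notmatch '^[A-Za-z]:\\') { $imagePath = Join-Path $env:SystemRoot $imagePath }

[pscustomobject]@{
    Service   = $ServiceName
    Type      = $svc.Type   # 1 = kernel driver, 2 = file-system driver
    Start     = $svc.Start  # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    ImagePath = $imagePath
    Exists    = Test-Path $imagePath   # False while the file sits in quarantine
} | Format-List

if (Test-Path $imagePath) {
    # Hash and signature are the evidence to weigh against the AV verdict:
    # a valid signature from the expected vendor, or a hash matching the
    # vendor's installer, supports the false-positive reading.
    $sig  = Get-AuthenticodeSignature -FilePath $imagePath
    $hash = (Get-FileHash -Path $imagePath -Algorithm SHA256).Hash
    Write-Output "SHA256   : $hash"
    Write-Output "Signature: $($sig.Status)"
    if ($sig.SignerCertificate) { Write-Output "Signer   : $($sig.SignerCertificate.Subject)" }
}
```

Run it before restoring the quarantined file to see the orphaned service entry, and again after restoring to get the hash and signature.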
  5. ShaneC

    ShaneC Registered Member

    Joined:
    Aug 14, 2009
    Posts:
    2
    As I mentioned, cismbios.sys is part of Intel Landesk, no idea what it does though.
     
  6. inedible

    inedible Registered Member

    Joined:
    Aug 14, 2009
    Posts:
    1
    SBKUPNT.SYS is a part of a hard disk partitioning program called swissknife.

    I downloaded it to format a large drive as FAT32, but I've never been able to get the program to work.

    In any case, it's a false positive, swissknife is a benign and well known piece of software.
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Detection has been removed in update 4336. If you are positive that sys files belonging to legit applications were removed in error, restore them from quarantine manually or wait for the next update which should restore them automatically.
     
  8. Fidelius

    Fidelius Registered Member

    Joined:
    Oct 2, 2006
    Posts:
    146
    Hi Marcos,

    Maybe it is legit, maybe not. I started my Internet connection and was unable to browse the web with Firefox or IE. I could not update to the last virus definition (4335 or 4334). I was able to download files with an FTP client (Filezilla).
    So I had to restart the computer and the Internet connection. Nod warned me about it as mentioned in my first post.
     