speedfan427.exe - TSR.COM virus ???

Discussion in 'NOD32 version 2 Forum' started by gue_st, Nov 9, 2005.

Thread Status:
Not open for further replies.
  1. gue_st

    gue_st Guest

    My testing of NOD32 gets more and more exciting.

    Accessing ~snip~ please do not post links to live viruses ~ Blackspear

    results in "probably unknown TSR.COM virus" thing.
    I selected "submit for analysis" a few days ago and have updated definitions at least 5 times since, but it is still the same, except that now the "submit.." checkbox is greyed out.

    If I download the file and check with NOD32, it says NOT infected !?? Why?
    Of course, Kaspersky and Panda also cannot find infection.

    So, I have some serious questions.
    1. What is that "submit for analysis" thing? Does it really work, and if yes, why is nothing displayed about what will be sent, where, etc.? This action also cannot be found in the logs. So, if I understand correctly, my personal information got collected and that's it?

    2. In the threat log the speedfan427.exe file is classified as an archive (which it is, without any doubt). So, IMON is supposed to check archives!! So, how could I possibly get infected with archived Java infections if IMON was working properly? In replies to my previous post I was told that NOD does not check archives, so was that info wrong?

    3. Finally, I have to ask again - how to shut down NOD32? I cannot understand why one who is not stupid would want to shut down the user interface while the main service is still running. That seems plain stupid to me, plus, there certainly are cases where you NEED to shut down the antivirus completely.
     
    Last edited by a moderator: Nov 9, 2005
  2. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    The file that IMON says contains a virus is called speedfan427.exe.
    The one you download is called installspeedfan427.exe.
    I've used speedfan for years, and I highly suspect it to be a false positive.

    1. If Eset already has a copy of the file, it will not be submitted. Also make sure that 'Log sent data' is ticked in ThreatSense.NET options.

    2. IMON & the on-demand scanner checks archives (if you have configured them to do so). AMON does not and it shouldn't either.

    3. Not sure what you mean. You can disable & unload all the protection modules.
     
  3. gue_st

    gue_st Guest

    Thanks,

    1. I have ThreatSense.NET disabled. So does it mean that I cannot submit file manually and it actually didn't work?

    2. If it does check archives, it means there is a flaw: IMON hasn't detected (cannot?) the Java/ClassLoader.AA trojan; the on-demand scanner detects it but cannot clean it from the archive.

    3. Do you mean I need to unload them one by one? That would be something really weird.
    If I "Quit" in the main screen, it simply shuts down the user interface but the program is still running and even scanning for viruses (it just does not display the splash screen)!

    Maybe I am wrong, but in my old-fashioned understanding, a program should be equipped with an "off" button, especially if it is an antivirus!
    And if there is a button which one could mistakenly think will switch the program off (but it does not), that is already a *bad* thing.
     
  4. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Well you don't have to unload them, you can just disable them when you need to.
     

  5. BJStone

    BJStone Registered Member

    Joined:
    Oct 31, 2005
    Posts:
    139
    Well, it might be that there's something on the website or in its code that's preventing the download of this application. See this screenshot I just made:
    hxxp://tinypic.com/view/?pic=fkd3d3

    FYI 1: I stripped out the URL. I'm using Blackspear's settings.
    So according to the above messages, could it be that the application itself might not be the culprit, but rather the website where it's hosted?
     

    Last edited by a moderator: Nov 10, 2005
  6. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    NOD only alerts you if the file has .exe or .com extensions (even if you use the on-demand scanner).

    If you rename the file extension to .zip you can see it's a gzip archive.
    Inside is a 102 byte file called speedfan427 and it contains the following:
    Bleh.. F/P :p
     
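    A way to reproduce Brian N's check from above (is the ".exe" really a gzip container, and what is inside it?) by reading magic bytes and the gzip header instead of trusting the extension. This is an added example, not code from the thread or from NOD32; the inner bytes and the name "speedfan427" are a constructed sample, not the real file.

```python
import gzip
import hashlib
import io
import struct

GZIP_MAGIC = b"\x1f\x8b"
INNER_NAME = "speedfan427"
# Constructed stand-in for the thread's tiny inner file (not the real content).
INNER_DATA = b"speedfan 4.27 version stub (constructed sample data)\n"


def build_sample() -> bytes:
    """Wrap INNER_DATA in gzip with an FNAME header, the way the download in the thread was packaged."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=INNER_NAME, mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(INNER_DATA)
    return buf.getvalue()


def inspect(blob: bytes, claimed_name: str) -> dict:
    """Classify by magic bytes rather than extension; for gzip, unwrap and describe the member."""
    ext = claimed_name.rsplit(".", 1)[-1].lower() if "." in claimed_name else ""
    info = {"claimed_ext": ext, "is_gzip": blob[:2] == GZIP_MAGIC}
    if not info["is_gzip"]:
        return info
    flags = blob[3]
    pos = 10  # fixed gzip header: ID1 ID2 CM FLG MTIME(4) XFL OS
    if flags & 0x04:  # FEXTRA: 2-byte little-endian length followed by the extra field
        xlen = struct.unpack("<H", blob[pos:pos + 2])[0]
        pos += 2 + xlen
    inner_name = None
    if flags & 0x08:  # FNAME: zero-terminated original file name (latin-1)
        end = blob.index(b"\x00", pos)
        inner_name = blob[pos:end].decode("latin-1")
    data = gzip.decompress(blob)
    info.update(
        inner_name=inner_name,
        inner_size=len(data),
        inner_sha256=hashlib.sha256(data).hexdigest(),
        inner_is_pe=data[:2] == b"MZ",  # a real Windows executable starts with "MZ"
        ext_mismatch=ext in ("exe", "com"),  # executable name on a gzip container
    )
    return info


if __name__ == "__main__":
    for key, value in inspect(build_sample(), "speedfan427.exe").items():
        print(f"{key}: {value}")
```

    For a real sample, read the downloaded file's bytes and pass its on-disk name to inspect(); an inner file that is not a PE and a name/extension mismatch are the facts to put in a false-positive report.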
  7. BJStone

    BJStone Registered Member

    Joined:
    Oct 31, 2005
    Posts:
    139
    There's something about it on a German forum here : http://www.wintotal-forum.de/index.php/topic,98123.msg510580.html#msg510580
    (it's in German of course)
    According to the answer of the moderator of that forum the file was sent to eset for analysis around the seventh of November; there's no answer to be seen on that topic yet, but they're talking about a false positive.
     
  8. hadi

    hadi Guest

  9. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Looks like it has been fixed in the latest update (1.1284) ;)
     
  10. BJStone

    BJStone Registered Member

    Joined:
    Oct 31, 2005
    Posts:
    139
    Yes, affirmative. Thanks for the heads-up.
     