Urgent: False positives

Discussion in 'NOD32 version 2 Forum' started by minacross, Oct 20, 2003.

Thread Status:
Not open for further replies.
  1. minacross

    minacross Registered Member

    Joined:
    May 12, 2002
    Posts:
    657
    After today's update, NOD32 is showing false positives regarding 2 setup files of dic. programs that I had on my HDD for months now.. :mad:

    Scanning Log
    NOD32 version 1.537 (20031020)
    Command line: /ah /all /shext C:\ D:\ E:\
    Checking CRC of the NOD32.EXE file: status OK
    Operating memory is OK.
    date: 20.10.2003 time: 21:27:09
    Scanned disks, directories and files: C:\; D:\; E:\
    C:\WIN98SE\WIN386.SWP - error opening (file locked) [4]
    C:\WIN98SE\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip > ZIP > RELATED.HTM - error - file is password protected
    C:\WIN98SE\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip > ZIP > sbRecovery.ini - error - file is password protected
    E:\CDs\CD_1\Internet Stuff\Documents\Information Technology\Companies\ALWIL Software\Others\avast! antivirus program - virus protection for any computer from PDA, PC to Server & Network - avast! Antivirus ~ Versions comparison_files002.tmp\button-free-download.gif - error opening [4]
    E:\CDs\CD_1\Internet Stuff\Documents\Information Technology\Companies\ALWIL Software\Others\avast! antivirus program - virus protection for any computer from PDA, PC to Server & Network - avast! Antivirus ~ Versions comparison_files002.tmp\page_layout_print.css - error opening [4]
    E:\CDs\CD_1\Internet Stuff\Downloads\Dictionary\wordweb.exe - Win32/IRC.SdBot.EC trojan
    E:\CDs\CD_1\Internet Stuff\Downloads\Dictionary\QuickDic57_db41.exe - Win32/IRC.SdBot.EC trojan
    number of files scanned: 71367
    number of viruses found: 2
    time of termination: 21:54:22 total scanning time: 1633 sec (00:27:13)
    Notes:
    [4] File cannot be open. It is being exclusively used by another application or operating system.


    Any comment from ESET's guys? o_O
     
  2. jocera

    jocera Registered Member

    Joined:
    Jan 28, 2003
    Posts:
    22
    Me too, false positive:

    C:\Program Files\WinRAR\Default.SFX - Win32/IRC.SdBot.EC trojan

    Sent it to ESET already.
     
  3. radicalb21

    radicalb21 Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    164
    Location:
    USA
    It's radicalb21. I have just tested and gotten the same result as you. First, what version of WinRAR are you running? I am running WinRAR 3.20. Also, could you please post a copy of your Virus Log as well as a copy of your system information as screenshots? Second, could you please send a copy of the quarantine files to samples@nod32.com?

    Also, if you are running Windows XP or ME, you will want to delete your restore points and then restart your computer. Right-click My Computer, choose Properties, select the System Restore tab, put a check mark in Turn off System Restore, and click Apply, then OK. You will also get another box come up telling you that you are disabling System Restore; just click OK. Next, restart your system. When you get back to your desktop, right-click My Computer, choose Properties, select the System Restore tab, take the check mark out of Turn off System Restore, then click Apply, then OK. Next, go to Start, then All Programs, then Accessories, then System Tools, then System Restore. Then click on System Restore, select Create a restore point, name it whatever you want, then click OK.


    Time Module Object Name Virus Action User Info
    10/20/2003 23:08:52 PM AMON file C:\Documents and Settings\v1ru5\My Documents\teamshadow_ecqttc.sfx.exe Win32/IRC.SdBot.EC trojan error occured while quarantining the object - - error while deleting - error while deleting - error while deleting - error while renaming
    10/20/2003 23:08:00 PM AMON file C:\Documents and Settings\v1ru5\My Documents\teamshadow_ecqttc.sfx.exe Win32/IRC.SdBot.EC trojan quarantined - deleted V1RU5-RUI01HDAI\v1ru5


    NOD32 Antivirus System information
    Virus signature database version: 1.537 (20031020)
    Dated: Monday, October 20, 2003
    Virus signature database build: 3989

    Information on other scanner support parts
    Advanced heuristics module version: 1.003 (20030805)
    Advanced heuristics module build: 1032
    Archive support module version: 1.005 (20030924)
    Archive support module build version: 1061

    Information on installed components
    NOD32 For Windows NT/2000/XP - Base
    Version: 2.000.6
    NOD32 For Windows NT/2000/XP - Internet support
    Version: 2.000.6
    NOD32 for Windows NT/2000/XP - Standard component
    Version: 2.000.6

    Operating system information
    Platform: Windows XP
    Version: 5.1.2600 Service Pack 1
    Version of common control components: 5.82.2800
    RAM: 512 MB
    Processor: Intel(R) Pentium(R) 4 Mobile CPU 1.50GHz (1495 MHz)

    I would appreciate a response from an ESET Moderator, Forum Moderator or member as well as an Administrator. I believe this to be a false positive. I scanned this file before trying to do a self extracting exe file. I tried this both in a .rar and .zip format and both times AMON popped up numerous times about this. Any and all help would be appreciated. I also scanned the file in question numerous times with online scanners looking at that specific file. These online services didn't detect the trojan it said I have. I will be forwarding the quarantined file to ESET samples email address.
     
  4. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    > I tried this both in a .rar and .zip format and both times AMON popped up numerous times about this.

    This is a false positive introduced today with update 1.537.

    The bug will be rectified as soon as possible.

    Which version/flavor of ZIP are you using? I have no FPs with self-extracting PKZip or WinZIP archives ... only with self-extracting WinRAR v3.20 archives.
     
  5. FanJ

    FanJ Guest
