Couple days ago Avast Free pops up with 2 files as shown in screencap,
Win XP Pro SP3. I'm assuming false positives.
logs attached
better screencap
Run aswMBR and attach the log. http://forum.avast.com/index.php?topic=53253.0
essexboy is notified…
AFK for a while, will continue later tonight - thanks
It could be a false positive but…
File Scanner
There are some files I need you to upload for checking
[*]Make sure to use Internet Explorer for this
[*]Please go to VirSCAN.org FREE on-line scan service
[*]Copy and paste the following file path into the “Suspicious files to scan” box on the top of the page:
[*]C:\WINDOWS\System32\drivers\rdpdr.sy0
[*]Click on the Upload button
[*]If a pop-up appears saying the file has been scanned already, please select the ReScan button.
[*]Once the Scan is completed, click on the “Copy to Clipboard” button. This will copy the link of the report into the Clipboard.
[*]Paste the contents of the Clipboard in your next reply.
More scans from aswMBR - which caused more popup notices and a possible crash (not sure what happened yet)
eboy - I will perform what you want later - thanks
here you go - virulog
SORRY - link in next post
Not sure if I did the last log right
VirSCAN.org Scanned Report :
Scanned time : 2013/04/04 17:51:16 (EDT)
Scanner results: Scanners did not find malware!
File Name : rdpdr.sy0
File Size : 196864 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : a2cae2c60bc37e0751ef9dda7ceaf4ad
SHA1 : 0ac844aa57078ec7817e0bde54b14faeee46f4ac
Online report : http://r.virscan.org/7e143ada983d25550bfc9f72dae11028
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20130404190447 2013-04-04 0.35 -
AhnLab V3 2013.04.05.00 2013.04.05 2013-04-05 2.97 -
AntiVir 8.2.10.202 7.11.50.58 2012-11-16 0.18 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.17 -
Arcavir 2011 201303291430 2013-03-29 2.36 -
Authentium 5.1.1 201304041546 2013-04-04 1.48 -
AVAST! 4.7.4 130404-1 2013-04-04 0.21 -
AVG 13.0.3114 2641/6224 2013-04-04 0.26 -
BitDefender 7.90123.9496674 7.46447 2013-04-05 5.84 -
ClamAV 0.97.5 16956 2013-04-05 0.34 -
Comodo 5.1 15806 2013-04-04 2.42 -
CP Secure 1.3.0.5 2013.04.05 2013-04-05 0.24 -
Dr.Web 7.0.4.9250 2013.04.04 2013-04-04 17.47 -
F-Prot 4.6.2.117 20130404 2013-04-04 0.84 -
F-Secure 7.02.73807 2013.04.04.06 2013-04-04 2.84 -
Fortinet 4.3.392 16.549 2013-04-05 0.14 -
GData 22.8839 20130404 2013-04-04 7.53 -
ViRobot 20130404 2013.04.04 2013-04-04 0.40 -
Ikarus T3.1.32.31.0 2013.04.04.83854 2013-04-04 8.42 -
JiangMin 16.0.100 2013.02.09 2013-02-09 11.67 -
Kaspersky 5.5.10 2013.04.04 2013-04-04 0.42 -
KingSoft 2009.2.5.15 2013.4.3.9 2013-04-03 0.88 -
McAfee 5400.1158 7035 2013-04-04 9.34 -
Microsoft 1.9302 2013.04.04 2013-04-04 4.09 -
NOD32 3.0.21 7951 2013-01-30 0.18 -
Norman 6.8.3 201208311030 2012-08-31 0.00 -
Panda 9.05.01 2013.04.04 2013-04-04 2.17 -
Trend Micro 9.500-1005 9.674.06 2013-01-22 0.21 -
Quick Heal 11.00 2013.04.04 2013-04-04 1.04 -
Rising 20.0 24.56.01.04 2013-04-02 3.36 -
Sophos 3.40.1 4.86 2013-04-05 7.33 -
Sunbelt 3.9.2565.2 16556 2013-04-04 0.82 -
Symantec 1.3.0.24 20130404.003 2013-04-04 0.63 -
nProtect 20130403.02 14402031 2013-04-03 1.63 -
The Hacker 6.8.0.0 v00225 2013-04-03 0.67 -
VBA32 3.12.20.2 20130403.1141 2013-04-03 2.27 -
VirusBuster 5.5.2.13 15.0.400.0/11273196 2013-04-04 0.18 -
aswMBR created a DAT file - is that a backup or something? Can I delete it now?
The dat file is a copy of your MBR so can be deleted
Let's run one final check to back up my feeling of an FP
Download the latest version of TDSSKiller from here and save it to your Desktop.
[*]Double-click on TDSSKiller.exe to run the application
https://dl.dropbox.com/u/73555776/tdss%20start.JPG
[*]Then click on Change parameters.
https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG
[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
[*]Click the Start Scan button.
[*]If a suspicious object is detected, the default action will be Skip, click on Continue.
https://dl.dropbox.com/u/73555776/tdss%20threat.JPG
[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
[*]Get the report by selecting Reports
https://dl.dropbox.com/u/73555776/tdss%20report.JPG
[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
report exceeds limit - so here is attached log
That has confirmed a false positive
Are you experiencing any problems?
No problems except the Avast popup (original alert) when I start the computer
On the actions to take dropdown, select ignore
OK Thanks