Sdfix Coming Up As Spyware


5 replies to this topic

#1 researchvet

researchvet

  • Members
  • 5 posts

Posted 06 July 2008 - 11:01 PM

I installed SDfix and now McAfee Virus Scan is alerting me to notes in the access protection log that indicate that SDFix is malicious. The log reads as follows:

7/6/2008 10:18:45 PM Would be blocked by Access Protection rule (rule is currently not enforced) C:\SDFix\catchme.exe C:\Documents and Settings\xxx\Local Settings\Temp\catchme.dll Anti-spyware Maximum Protection:Prevent all programs from running files from the Temp folder Action blocked : Execute

Can you explain this? I downloaded SDFix at the suggestion of this site and am confused that McAfee is sending me alerts about it.

Thanks.

Edited by researchvet, 07 July 2008 - 03:19 PM.




#2 drex23

drex23

    Bleeping Existence


  • Members
  • 456 posts
  • Gender:Male

Posted 07 July 2008 - 12:16 PM

Hi. First of all, from what you have posted there, it's not actually saying it's malicious. There isn't anything malicious about it, to get that out of the way. Catchme is a userland rootkit detector which needs to interact with your system in special ways in order to look for said rootkits. What your message is saying is that McAfee has a rule set up that doesn't allow anything (be it legitimate or not, it's not making that judgment) to run a program that is located in the Temp folders. Since SDFix runs catchme.dll from a Temp folder, it won't allow it to run. However, if you are following the instructions on the site and running it in Safe Mode, I don't think you should be encountering that problem, as I wouldn't think McAfee runs in Safe Mode. Does that answer your question?

#3 researchvet

researchvet
  • Topic Starter

  • Members
  • 5 posts

Posted 07 July 2008 - 04:00 PM

Hi. First of all, from what you have posted there, it's not actually saying it's malicious. There isn't anything malicious about it, to get that out of the way. Catchme is a userland rootkit detector which needs to interact with your system in special ways in order to look for said rootkits. What your message is saying is that McAfee has a rule set up that doesn't allow anything (be it legitimate or not, it's not making that judgment) to run a program that is located in the Temp folders. Since SDFix runs catchme.dll from a Temp folder, it won't allow it to run. However, if you are following the instructions on the site and running it in Safe Mode, I don't think you should be encountering that problem, as I wouldn't think McAfee runs in Safe Mode. Does that answer your question?


McAfee runs all the time so I don't imagine that it is running in safe mode, right?

Here is another example from the log that doesn't have to do with temp files:

7/7/2008 1:09:28 AM Deleted C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\SDFIX\APPS\PROCESS.EXE PrcViewer (Potentially Unwanted Program)

Also, when I go to http://www.virustotal.com I get this for SDFix.exe:

File catchme.exe received on 06.29.2008 02:01:32 (CET)
Current status: finished
Result: 6/33 (18.18%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - W32/Heuristic-KPP!Eldorado
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - (Suspicious) - DNAScan
ClamAV - - -
DrWeb - - -
eSafe - - Virus in password protected archive
eTrust-Vet - - -
Ewido - - -
F-Prot - - W32/Heuristic-KPP!Eldorado
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - VIPRE.Suspicious
Symantec - - -
TheHacker - - -
TrendMicro - - PAK_Generic.001
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: 20bb6e71b06c072260c51e6325b33b3c
SHA1: 1e3d2b252a8449c1acb3cedd155db73ef4ae38d7
SHA256: 8c3b1e5f95f40fe859f45b21c383c295c43e0acd127512d9bb374b905e6850ed
SHA512: 995a805aad03042d0fd32e2aeebbb8cda813fb0a57165f8c6ba33629ce51cf9d04dda041a548b8a1f2a9c75c24c479d063587a37bb541cd4a5fde38dc147556c


Finally, McAfee is now deleting files. I just received a warning that process.exe located in C:\SDFix\APPS was deleted for being an unwanted program.


Strangely, now I notice that part of the McAfee on access scan is timing out for no apparent reason.

Any thoughts on the above info about SDfix and about the McAfee timing out issue?
Thank you.

Edited by researchvet, 07 July 2008 - 04:08 PM.


#4 drex23

drex23

    Bleeping Existence


  • Members
  • 456 posts
  • Gender:Male

Posted 07 July 2008 - 04:42 PM

McAfee runs all the time so I don't imagine that it is running in safe mode, right?

Not sure what you mean here, but like I said, while I don't use McAfee I wouldn't think it would run in safe mode as most things don't. It is also where SDFix is designed to be run.

I left out the part about heuristic detection and such since you weren't experiencing that. It is common for that to occur on those processes. As you can see, the detections are heuristic or potentially unwanted program. While potentially unwanted programs (PUPs) are often things you don't really want, some like the processes SDFix uses are not being used maliciously, but the AV can't discern whether it is being used for a legitimate or malicious purpose. In this case, the files/processes SDFix uses are there to look for/remove malicious things or perform other actions it needs to.

The detections are normal (although some of them might better be characterized as false positives), and you can see what McAfee says about, for instance, PrcViewer here:
http://vil.nai.com/vil/content/v_137331.htm

There is also some information in a link there on how to configure your McAfee product to exclude detections such as these. Hope that helped.

Edited by drex23, 07 July 2008 - 04:45 PM.
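The two McAfee log entries quoted in this thread differ in a way that matters for triage: the first records a rule that is "currently not enforced" (nothing happened), the second records a file actually deleted under a PUP detection. The helper below, added here as an example and not code from the thread or from McAfee, parses both shapes, separates audit-only entries from enforced ones, and flags hits on paths belonging to a known-legitimate tool; the log layout it assumes (paths delimited by their file extensions) and the known-tool directory list are assumptions, and the sample log lines are constructed from the entries posted above.

```python
import re
from typing import Optional

# The two McAfee VirusScan log shapes quoted in the thread: timestamp, action
# phrase, triggering process, file acted on, then rule text or detection name.
# Assumption (paths contain spaces): every path ends in one of these extensions.
_PATH = r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|com|scr)"
_LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<action>.+?) "
    rf"(?P<process>{_PATH}) (?P<target>{_PATH})(?: (?P<detail>.+))?$", re.IGNORECASE)

# Directories of tools the thread establishes as legitimate (constructed list).
KNOWN_TOOL_DIRS = ("c:\\sdfix\\",)
# Constructed sample input: the two log entries quoted in the thread.
SAMPLE_LOG = [
    r"7/6/2008 10:18:45 PM Would be blocked by Access Protection rule (rule is currently not enforced) C:\SDFix\catchme.exe C:\Documents and Settings\xxx\Local Settings\Temp\catchme.dll Anti-spyware Maximum Protection:Prevent all programs from running files from the Temp folder Action blocked : Execute",
    r"7/7/2008 1:09:28 AM Deleted C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\SDFIX\APPS\PROCESS.EXE PrcViewer (Potentially Unwanted Program)",
]

def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; None if it does not fit the format."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    detail = e.pop("detail") or ""
    # Rule text precedes "Action blocked : Execute"; a detection ends in "(category)".
    e["rule"] = detail.split(" Action blocked")[0] if "Action blocked" in detail else None
    e["detection"] = detail.split(" (")[0] if detail and e["rule"] is None else None
    e["enforced"] = "not enforced" not in e["action"]
    e["known_tool"] = any(p.lower().startswith(KNOWN_TOOL_DIRS)
                          for p in (e["process"], e["target"]))
    return e

def disposition(e: dict) -> str:
    """What the thread's advice implies for one parsed entry."""
    if not e["enforced"]:
        return "audit-only: rule not enforced, nothing was blocked"
    if e["known_tool"]:
        return "false-positive candidate: exclude the tool in McAfee and re-download it"
    return "review: verify the file (hashes, VirusTotal) before trusting or restoring it"

def triage(lines):
    """Parse every line and tally what actually needs a human's attention."""
    events = [e for e in map(parse_line, lines) if e]
    counts = {"audit_only": 0, "enforced": 0, "known_tool_hits": 0}
    for e in events:
        counts["enforced" if e["enforced"] else "audit_only"] += 1
        counts["known_tool_hits"] += int(e["known_tool"])
    return events, counts
```

Running `triage(SAMPLE_LOG)` on the two posted entries yields one audit-only event and one enforced deletion, both touching the SDFix directory, which is exactly the case where an exclusion rather than a cleanup is the right response.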


#5 researchvet

researchvet
  • Topic Starter

  • Members
  • 5 posts

Posted 07 July 2008 - 08:04 PM

McAfee runs all the time so I don't imagine that it is running in safe mode, right?

Not sure what you mean here, but like I said, while I don't use McAfee I wouldn't think it would run in safe mode as most things don't. It is also where SDFix is designed to be run.

I left out the part about heuristic detection and such since you weren't experiencing that. It is common for that to occur on those processes. As you can see, the detections are heuristic or potentially unwanted program. While potentially unwanted programs (PUPs) are often things you don't really want, some like the processes SDFix uses are not being used maliciously, but the AV can't discern whether it is being used for a legitimate or malicious purpose. In this case, the files/processes SDFix uses are there to look for/remove malicious things or perform other actions it needs to.

The detections are normal (although some of them might better be characterized as false positives), and you can see what McAfee says about, for instance, PrcViewer here:
http://vil.nai.com/vil/content/v_137331.htm

There is also some information in a link there on how to configure your McAfee product to exclude detections such as these. Hope that helped.


Does SDFix run all the time? Sorry, I'm not a computer person so my questions may sound ignorant. Also, is it important that I try to find a way for McAfee not to pick up these processes? Can SDFix run, for example, if McAfee is deleting process.exe?

If I mistakenly remove something important while using these spyware removal tools, will I be aware of this? I'm concerned now that these antivirus/malware programs are removing files that I should keep.

#6 drex23

drex23

    Bleeping Existence


  • Members
  • 456 posts
  • Gender:Male

Posted 07 July 2008 - 09:11 PM

SDFix does not run all the time. It is a program designed to remove certain infections and restore default settings that may have been changed by malware. Like I said, it is designed to be run in safe mode, and most programs like AVs don't run their real-time protection in safe mode and therefore won't have the opportunity to detect it or prevent it from running. Since McAfee has already deleted (if I understand what you've said) components of SDFix, if you wish to run it again you should delete what's left and re-download it so it runs correctly. So, in that case it would be worth it to find out how to configure McAfee so it doesn't delete those components. It also appears that McAfee may have deleted Malwarebytes' Anti-Malware (MBAM). That program is also not malicious and is a very effective application.

Unfortunately, your question about whether you will know if things that are legitimate are removed isn't a simple yes or no. Google is your friend and you can always look up things there. Sometimes, you won't find a definitive answer, and at times files can be named the same thing but run from different locations, etc. So, you have to be careful. You do know about VirusTotal and scanning files that you're unsure of, and you can always ask like you did here if you would like another opinion. To be honest, most programs you will usually come across will not do this, but some of the specialized tools we employ in the anti-malware community will show up like that occasionally.



