
False Positive? Spyware.password


  • This topic is locked
4 replies to this topic

#1 SpiritedTreasure

  • Members
  • 20 posts
  • Gender:Female
Posted 23 September 2012 - 08:37 PM

Hi.
I'm wondering if these results could possibly be a false positive. This is a brand new computer (about 2 months old), Windows 7. I had done a full scan with Malwarebytes earlier and then again. I also scanned with Webroot both times, then again after.
I didn't think Adobe Air or Nero were viruses or malware. There is almost nothing out about this. I searched Dogpile.

Here are the first results from earlier which showed nothing:

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.23.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Spirit :: SPIRIT-PC [administrator]

9/23/2012 1:49:46 PM
mbam-log-2012-09-23 (13-49-46).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 354403
Time elapsed: 19 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


==================

Later on I scanned again:

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.23.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Spirit :: SPIRIT-PC [administrator]

9/23/2012 6:29:44 PM
mbam-log-2012-09-23 (18-29-44).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 354076
Time elapsed: 17 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\OEM\Preload\Autorun\APP\Nero 10 Essentials Acer Edition\ISSetupPrerequisites\{4C6E12E5-5905-4aa5-B462-E7DFC4BD75E5}\LSDriveDetect.exe (Spyware.Password) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\template.exe (Spyware.Password) -> Quarantined and deleted successfully.

(end)
=========================

Then again after rebooting

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.23.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Spirit :: SPIRIT-PC [administrator]

9/23/2012 6:50:14 PM
mbam-log-2012-09-23 (18-50-14).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 353875
Time elapsed: 20 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
==================

I'm not having any issues and I did not notice anything different happening.

Please advise. Thank you.

I'm bookmarking this topic so I can watch for someone to respond.

===================

In addition I scan with Malwarebytes and Webroot every single day. Sometimes more than once a day. Also the files listed here were not present and they were not in the items that Malwarebytes quarantined.

http://forums.malwarebytes.org/index.php?showtopic=4556

Edited by SpiritedTreasure, 23 September 2012 - 08:47 PM.

Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, chocolate in one hand, beer in the other, totally worn out and screaming 'WOOO HOOOOO what a ride!'
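As an added example (not code from this thread, from the poster, or from Malwarebytes), the following Python script parses the Malwarebytes Anti-Malware 1.x log format quoted above and relates each "Files Detected" entry to the signature database version that produced it. The four sample logs embedded in it are constructed: they reuse the MBAM 1.65 layout, the database versions, and the paths and detection names posted above, with the other header fields trimmed. The "candidate" heuristic (a file first flagged by a newer database than one that already scanned the same volume clean) is this example's own reasoning, not anything Malwarebytes documents.

```python
"""Added example, not from the thread: parse MBAM 1.x logs and tie each
file detection to the database version that produced it."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

class Detection(NamedTuple):
    path: str
    name: str    # e.g. "Spyware.Password"
    action: str  # e.g. "Quarantined and deleted successfully"

class ScanLog(NamedTuple):
    db_version: str  # e.g. "v2012.09.23.08"
    scan_type: str   # e.g. "Full scan (C:\\|)"
    detections: List[Detection]

# "<path> (<name>) -> <action>."  Paths may contain "(x86)", so the name
# group excludes parentheses and must be followed by " -> ".
_DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
_DB_RE = re.compile(r"^Database version:\s*(\S+)")
_SCAN_TYPE_RE = re.compile(r"^Scan type:\s*(.+)$")

def parse_mbam_log(text: str) -> ScanLog:
    """Extract database version, scan type and the 'Files Detected' entries."""
    db_version = scan_type = ""
    detections: List[Detection] = []
    in_files = False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := _DB_RE.match(line):
            db_version = m.group(1)
        elif m := _SCAN_TYPE_RE.match(line):
            scan_type = m.group(1)
        elif line.startswith("Files Detected:"):
            in_files = True       # entries follow until a non-matching line
        elif in_files:
            m = _DETECTION_RE.match(line)
            if m:
                detections.append(Detection(m["path"], m["name"], m["action"]))
            else:
                in_files = False  # "(No malicious items detected)" or "(end)"
    return ScanLog(db_version, scan_type, detections)

Key = Tuple[str, str]  # (file path, detection name)

def signature_history(logs: List[ScanLog]) -> Dict[Key, Tuple[List[str], List[str]]]:
    """For each flagged file: (db versions that flagged it, db versions whose
    FULL scans did not).  Custom scans only cover the paths they were aimed at."""
    full: Set[str] = {lg.db_version for lg in logs if lg.scan_type.startswith("Full scan")}
    flagged: Dict[Key, Set[str]] = defaultdict(set)
    for lg in logs:
        for d in lg.detections:
            flagged[(d.path, d.name)].add(lg.db_version)
    return {k: (sorted(v), sorted(full - v)) for k, v in flagged.items()}

def new_signature_candidates(logs: List[ScanLog]) -> List[Key]:
    """Detections first seen with a newer database than one that had already
    scanned the volume clean: on a box where nothing else changed, that is the
    footprint of a freshly pushed signature (possibly a false positive), not of
    a new file.  Only versions OLDER than the first hit count: once quarantined
    the file is gone, so later clean scans prove nothing unless it was restored.
    Assumes MBAM's zero-padded "vYYYY.MM.DD.NN" versions, which sort as text."""
    out = [key for key, (hits, misses) in signature_history(logs).items()
           if any(v < min(hits) for v in misses)]
    return sorted(out)

# Constructed sample logs: MBAM 1.65 layout with the paths and detection names
# quoted in the thread, other header fields trimmed.
LOG_A = r"""Database version: v2012.09.23.05
Scan type: Full scan (C:\|)
Files Detected: 0
(No malicious items detected)
(end)"""
LOG_B = r"""Database version: v2012.09.23.08
Scan type: Full scan (C:\|)
Files Detected: 2
C:\OEM\Preload\Autorun\APP\Nero 10 Essentials Acer Edition\ISSetupPrerequisites\{4C6E12E5-5905-4aa5-B462-E7DFC4BD75E5}\LSDriveDetect.exe (Spyware.Password) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\template.exe (Spyware.Password) -> Quarantined and deleted successfully.
(end)"""
LOG_C = r"""Database version: v2012.09.24.04
Scan type: Full scan (C:\|D:\|)
Files Detected: 1
C:\Users\Spirit\Documents\external\BackedJuly_2012\My documents\program downloads\JavaRa.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
(end)"""
LOG_D = r"""Database version: v2012.09.24.05
Scan type: Full scan (C:\|D:\|)
Files Detected: 0
(No malicious items detected)
(end)"""
SAMPLE_LOGS = [LOG_A, LOG_B, LOG_C, LOG_D]

if __name__ == "__main__":
    logs = [parse_mbam_log(t) for t in SAMPLE_LOGS]
    for (path, name), (hits, misses) in signature_history(logs).items():
        print(f"{name}  {path}\n  flagged by {hits}\n  clean in full scans with {misses}")
    print("First flagged only after a database update:", new_signature_candidates(logs))
```

Run against the constructed logs, all three detections come out as candidates: each file sat on a disk that an older database had scanned clean, and each was flagged only by the next signature update. That pattern is consistent with a new signature (good or bad) rather than a new infection, which is the question the thread is asking; it is not proof either way, and the confirmation still has to come from the vendor or from independent analysis of the restored file, as the poster did with VirusTotal.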


#2 SpiritedTreasure

  • Topic Starter
  • Members
  • 20 posts
  • Gender:Female

Posted 23 September 2012 - 08:57 PM

I shut my computer all the way off and ran another full scan with Malwarebytes and Webroot.

Webroot is not seeing anything at any time.

After leaving my computer off for about 20 or 25 minutes this is the latest scan which shows nothing.

====================

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.23.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Spirit :: SPIRIT-PC [administrator]

9/23/2012 8:38:13 PM
mbam-log-2012-09-23 (20-38-13).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 354208
Time elapsed: 17 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


==================

-edit-
Sept. 24, 2012

It appears that it was indeed a false positive, according to this post.

http://forums.malwarebytes.org/index.php?showtopic=116362


Now this morning I got up and started the computer to do another full scan and it detected Trojan.Zbot in my JavaRa program that I had copied from the old computer to this one. Now that old computer was also scanned every single day, as well as this one being scanned, and not only that but multiple scans yesterday. Odd that it did not show up yesterday but this morning, after having the computer off and unplugged for the entire night, it suddenly shows up?

I'm doubting the usefulness of this program at this point. Never have had this happen before. Not only that but scanning the JavaRa.zip showed nothing.

here are the logs from this morning:

===================================

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.24.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Spirit :: SPIRIT-PC [administrator]

9/24/2012 7:21:18 AM
mbam-log-2012-09-24 (07-21-18).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 354039
Time elapsed: 20 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Spirit\Documents\external\BackedJuly_2012\My documents\program downloads\JavaRa.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

(end)
==============================

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.24.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Spirit :: SPIRIT-PC [administrator]

9/24/2012 7:48:17 AM
mbam-log-2012-09-24 (07-48-17).txt

Scan type: Custom scan (C:\Users\Spirit\Documents\external\BackedJuly_2012\My documents\program downloads\JavaRa.zip|)
Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
Objects scanned: 1
Time elapsed: 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
===============================
Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.24.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Spirit :: SPIRIT-PC [administrator]

9/24/2012 7:53:10 AM
mbam-log-2012-09-24 (07-53-10).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 354288
Time elapsed: 18 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

====================================

I also need to know what to do about these quarantined files that were not actually infected.

Thank you

Edited by SpiritedTreasure, 24 September 2012 - 08:22 AM.


#3 SpiritedTreasure

  • Topic Starter
  • Members
  • 20 posts
  • Gender:Female

Posted 25 September 2012 - 12:44 PM

Update:

This situation seems to be ok now. I leave it up to you whether you still want to go through the steps with me.
I realize this will push my request back and that is unfortunate.

I reported what I thought was a false positive to Malwarebytes on their forum:

That is here:

http://forums.malwarebytes.org/index.php?showtopic=116392

They eventually instructed me to release the three items from quarantine and rescan.
I did so not just with Malwarebytes but also with VirusTotal.

=======================

I have now released those from quarantine. I then used VirusTotal to scan each one.
I am angry now and creeped out by the result on the JavaRa, which has been deleted and the recycle bin emptied.

I also did another full scan with Malwarebytes and Webroot. I never did click that JavaRa on this computer. That does not make me feel any safer or better.
Now what? Once again I am finding almost nothing about this particular virus. What next? I also need to post an update for the people at BleepingComputer. I don't want an infected computer.
=======================================

SHA256: e30c1196ed72fd6cea663f73bd24328e11dca8c9854078ee47146ad84e2b1ff5
File name: JavaRa.exe
Detection ratio: 1 / 42
Analysis date: 2012-09-25 15:36:49 UTC ( 1 minute ago )
Detected by: ByteHero Virus.Win32.Part.j 20120918


=============================================

SHA256: f89b7c45fa1665b59b5240ae4ce3bafe4bb3f4e74deb794b7a40d48c52af6801
File name: LSDriveDetect.exe
Detection ratio: 0 / 43
Analysis date: 2012-09-25 15:42:12 UTC ( 0 minutes ago )

=============================================



SHA256: 84e79025eff5fffe580ad264de57a29c9123258b9da522271402fa8e6ad4fda2
File name: template.exe
Detection ratio: 0 / 43
Analysis date: 2012-09-25 15:56:06 UTC ( 1 minute ago )

===============================

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.25.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Spirit :: SPIRIT-PC [administrator]

9/25/2012 11:00:50 AM
mbam-log-2012-09-25 (11-00-50).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 354467
Time elapsed: 18 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


========================

I then followed this thread; an online scan without your guidance seemed simple enough, so I scanned with the scanner described here:

http://www.bleepingcomputer.com/forums/topic346171.html

I think we'll start by looking for any other nasties your hard drive may be harbouring before we get stuck in. Pay a visit to the ESET Online Scanner.

Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
Accept the ActiveX download, and allow it to install.
Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.


This scan showed nothing.


==========================

The Moderator at the Malwarebytes forum said this:

Hi,

The JavaRa.exe from your quarantine is not infected nor malicious.

JavaRa is open source software >> http://raproducts.org/wordpress/

We have removed the signature(s) from our database that detected this file by accident (false positive).

We apologize for any anxiety this has caused you, but I can confirm once again the files you have submitted from your quarantine in this topic are clean and we have removed or changed the signatures that caused their unintentional detection overnight.


===================

I will continue to check this thread every day. I'll let you decide how you want to proceed with me or not.

Thank you.

Attached file: eset.jpg


#4 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 27 September 2012 - 01:44 PM

SpiritedTreasure,

It appears all of these were false positives, as you suspected, and you correctly reported them to Malwarebytes.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#5 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 27 September 2012 - 01:44 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Regards,
Jason

 





