possible virus/not sure?


  • This topic is locked
9 replies to this topic

#1 Acer77
  • Members
  • 8 posts

Posted 29 March 2016 - 07:54 AM

For the past 1-2 months, Norton Internet Security has been removing a .dll file called pebiosinterface32. Even though it was high risk, I haven't been concerned for a while as after looking it up, I read numerous forums and they said that it is a false positive.

[screenshot of the Norton detection]

I'd just like to make sure from you guys if this is a false positive, cause I can't really be sure. Thanks.

 





#2 Struppigel (Karsten Hahn, G DATA Malware Analyst)
  • Malware Response Team
  • 231 posts

Posted 30 March 2016 - 01:50 AM

Hello Acer77.

 

Welcome to Bleepingcomputer! I am Marie Curie and will gladly help you with any malware-related problems.

Please familiarize yourself with the following ground rules before you start.
 

  • Read my instructions thoroughly, carry out each step in the given order.
  • Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
  • If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
  • Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
  • Back up important files before we start.

--------------------------------------------------------------
 

 

STEP 1
SystemLook

  • Please download SystemLook (x32) / SystemLook (x64) and save the file to your Desktop.
  • Right-click SystemLook.exe / SystemLook_x64.exe and select Run as administrator to run the programme.
  • Copy the entire contents of the codebox below and paste into the textfield.
    
    :filefind
    pebiosinterface32.dll
    
    
  • Click the Look button to start the scan.
  • Upon completion, a log (SystemLook.txt) will open. Copy the contents of the log and paste in your next reply.
  • Then close SystemLook.

 

 



#3 Acer77 (Topic Starter)
  • Members
  • 8 posts

Posted 30 March 2016 - 08:22 AM

Hi, thanks for the reply.

 

SystemLook 30.07.11 by jpshortstuff
Log created at 14:15 on 30/03/2016 by [IRL name, don't want to show on forums]
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "pebiosinterface32.dll"
No files found.
 
-= EOF =-
 
^^most likely because Norton removes it every day. 
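The :filefind step from the previous post, and the empty result it produced here, as an added example in Python. This is not code from the thread and not SystemLook's own code; it searches the given roots for the file name, hashes any copy it finds so the hash can be looked up on a second-opinion scanner, and reports "No files found." explicitly, because (as happened in this thread) an empty result usually means the antivirus already quarantined the file rather than that the alert was bogus. The search roots and the sample file built by make_demo_tree() are assumptions for illustration.

```python
"""Search for a file by name and fingerprint any copies found.

Added example (not from the thread, not SystemLook's code). Mirrors the
":filefind" step in Python and adds MD5/SHA-1/SHA-256 so the result can be
checked against a second-opinion scanner by hash. The roots and the demo file
created by make_demo_tree() are assumptions for illustration only.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def _hashes(path):
    """MD5 / SHA-1 / SHA-256 of a file, read in 1 MiB chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def filefind(name, roots):
    """Return one dict per file whose name equals `name` (case-insensitive, as
    on NTFS) anywhere under `roots`. Symlinks are not followed and unreadable
    directories are skipped so a whole-drive scan does not abort half way."""
    target = name.lower()
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
            for fn in files:
                if fn.lower() != target:
                    continue
                path = os.path.join(dirpath, fn)
                try:
                    st = os.stat(path)
                    md5, sha1, sha256 = _hashes(path)
                except OSError:
                    # Locked, or quarantined between the listing and the read.
                    continue
                hits.append({
                    "path": path,
                    "size": st.st_size,
                    "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                    "md5": md5,
                    "sha1": sha1,
                    "sha256": sha256,
                })
    return hits


def report(name, roots):
    """Render a SystemLook-style text report. An empty result is stated
    explicitly: it usually means the AV already moved the file to quarantine,
    not that the detection never happened."""
    hits = filefind(name, roots)
    lines = [f'Searching for "{name}"']
    if not hits:
        lines.append("No files found.")
    for h in hits:
        lines.append(f"{h['path']}\t{h['size']} bytes\t{h['mtime']}")
        lines.append(f"  MD5    {h['md5']}")
        lines.append(f"  SHA1   {h['sha1']}")
        lines.append(f"  SHA256 {h['sha256']}  (use this for a hash lookup on an online scanner)")
    return "\n".join(lines)


def make_demo_tree():
    """Constructed sample: a throwaway directory holding a fake DLL (just a
    PE-like header, not real code) so the functions above can be exercised.
    Returns the directory and the expected SHA-256 of the fake file."""
    root = tempfile.mkdtemp(prefix="filefind_demo_")
    sub = os.path.join(root, "Program Files", "Vendor")
    os.makedirs(sub)
    body = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 200
    with open(os.path.join(sub, "PEBIOSInterface32.dll"), "wb") as fh:
        fh.write(body)
    return root, hashlib.sha256(body).hexdigest()


if __name__ == "__main__":
    demo_root, _expected = make_demo_tree()
    print(report("pebiosinterface32.dll", [demo_root]))
    # On a real Windows machine pass the drive root instead, e.g.
    # report("pebiosinterface32.dll", [os.environ.get("SystemDrive", "C:") + "\\"])
```

Run it as a script for the demo tree, or import it and call report() with the real drive roots; the hashes are what you would paste into an online scanner or a vendor false-positive form if the file is still on disk.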


#4 Struppigel (Karsten Hahn, G DATA Malware Analyst)
  • Malware Response Team
  • 231 posts

Posted 31 March 2016 - 06:33 AM

Hi Acer77.

 

This is most likely a false positive. If you want to check the file to be sure, we need to get it back from quarantine. Alternatively you can report the file to Norton directly: https://submit.symantec.com/false_positive/

 

STEP 1
Restore Quarantined File

  • In the Norton product main window, click Advanced.

  • On the left pane, click Activity.

  • In the Security History row, click the view icon.

  • In the Security History window, under Protect my Mac, click Quarantine.

  • In the quarantined items list, select the item pebiosinterface32.dll.

  • Click the Actions icon on the top-left corner, and then click Restore.

  • Click Done.

 

STEP 2
File Submission

  • Please go to my channel
  • Click Browse and locate the following file (if it is still present):
    • pebiosinterface32.dll
  • Click Submit Query.

 

Tell me when you are finished or if you have any problems during the steps.


Edited by Curie, 31 March 2016 - 06:39 AM.


#5 Acer77 (Topic Starter)
  • Members
  • 8 posts

Posted 01 April 2016 - 07:08 AM

Done. Also submitted it to Symantec.



#6 Struppigel (Karsten Hahn, G DATA Malware Analyst)
  • Malware Response Team
  • 231 posts

Posted 02 April 2016 - 02:45 AM

Hi Acer77.

 

This programme has a false positive detection by some antivirus vendors, because of the way it is protected from reverse engineering. Sometimes a too heavy protection of a legitimate programme will lead the antivirus scanner to think that the file is malicious.

 

You will get an answer from Symantec as well, but based on the recent VirusTotal results of the file, Norton does not detect it anymore.

I suggest you update your Norton product and the signature database and see if the detection is still there. If Norton's behaviour blocker is responsible, it might still quarantine the file.

 

Please use the following link to update the product.

 

Do you know how to update the signature database of Norton? I can't find any instructions on that and I don't use the product. But I will ask around if necessary.

 

Please tell me in your next reply if you were able to update Norton and if the file is still detected by the product.


Edited by Curie, 02 April 2016 - 09:16 AM.
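The point made in the post above, that heavy anti-reverse-engineering protection can make a benign file look like malware, as an added example that is not part of the thread and is not Norton's or G DATA's detection logic. The quickest local check an analyst runs on such a file is Shannon entropy over the file in windows: compressed or encrypted (packed, protected) regions sit near 8 bits per byte, while plain code and text sit well below. The thresholds used here are rules of thumb, and the buffers produced by build_samples() are constructed stand-ins, not the file from this thread.

```python
"""Entropy heuristic: does a file look packed or encrypted?

Added example, not from the thread and not any vendor's detection logic.
Shannon entropy over fixed windows separates compressed/encrypted regions
(near 8 bits/byte) from ordinary code and text (well below). Thresholds are
rules of thumb; build_samples() produces constructed stand-in buffers.
"""
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_windows(data, window=4096):
    """(offset, entropy) for each consecutive window of the buffer."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def packing_verdict(data, high=7.0, min_fraction=0.5):
    """Call the buffer packed/encrypted when at least `min_fraction` of its
    windows reach `high` bits/byte. Returns (verdict, fraction, overall)."""
    windows = scan_windows(data)
    if not windows:
        return "empty", 0.0, 0.0
    hot = sum(1 for _off, e in windows if e >= high)
    fraction = hot / len(windows)
    verdict = "likely packed/encrypted" if fraction >= min_fraction else "looks unpacked"
    return verdict, fraction, shannon_entropy(data)


def build_samples():
    """Constructed inputs with a fixed seed so results are repeatable:
    plain     - word soup standing in for ordinary code/text,
    packed    - the same buffer zlib-compressed, as a packer would store it,
    encrypted - pseudo-random bytes, as a crypter/protector would store it."""
    rng = random.Random(20160402)
    vocab = [b"norton", b"quarantine", b"restore", b"submit", b"false",
             b"positive", b"signature", b"update", b"scanner", b"packer",
             b"protect", b"reverse", b"engineering", b"dll", b"interface", b"bios"]
    plain = b" ".join(rng.choice(vocab) for _ in range(40000))
    packed = zlib.compress(plain, 9)
    encrypted = bytes(rng.getrandbits(8) for _ in range(16384))
    return {"plain": plain, "packed": packed, "encrypted": encrypted}


if __name__ == "__main__":
    for label, buf in build_samples().items():
        verdict, fraction, overall = packing_verdict(buf)
        print(f"{label:9s} {len(buf):7d} bytes  overall {overall:.2f} bits/byte  "
              f"{fraction:.0%} high-entropy windows -> {verdict}")
    # For a real sample: packing_verdict(open(path, "rb").read())
```

A high-entropy verdict on its own is not proof of malice; it is exactly the property that made this legitimate, protected DLL trip a signature-based scanner, and it is the reason to send such a file to the vendor for whitelisting rather than delete it on sight.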


#7 Acer77 (Topic Starter)
  • Members
  • 8 posts

Posted 02 April 2016 - 08:21 AM

Hi Curie, thanks for the help! :D

 

I got this email from Norton;

 

We have been unable to reproduce the detection issue described in your submission. Our investigation shows that the software you submitted is known-good and as such does not trigger any detections.

The file has been whitelisted for a few months. According to your submission, this detection took place in November 2015.

Please ensure that you are using the latest definition files available on our website: http://securityresponse.symantec.com/avcenter/defs.download.html

Thank you for your consideration.

Sincerely,
Symantec Security Response
http://securityresponse.symantec.com

 

Also, it isn't detecting it anymore - most likely because of the whitelist. The update page on Norton's website says that this version of Norton is up-to-date, so yeah :P.

 

Thank you!!!


Edited by Acer77, 02 April 2016 - 08:25 AM.


#8 Struppigel (Karsten Hahn, G DATA Malware Analyst)
  • Malware Response Team
  • 231 posts

Posted 02 April 2016 - 09:16 AM

You are welcome. :)

 

======================================================
 
I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.

The following programmes come highly recommended in the security community.

  • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
  • CryptoPrevent places policy restrictions on loading points for ransomware (eg. CryptoWall), helping prevent the execution of malware.
  • Emsisoft Antimalware (free) acts as an additional on-demand scanner, and can be used in conjunction with your Anti-Virus.
  • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
  • Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
  • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
  • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
  • Secunia PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
  • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
  • Unchecky automatically removes checkmarks for bundled software in programme installers, helping you avoid adware and PUPs.
  • Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.
     

Need a second opinion on a file or website? Scan the file/URL before clicking by using one of the following free online scanner services.


-- Please feel free to ask if you have any questions or concerns on computer security or the programmes above.
 

 



#9 Acer77 (Topic Starter)
  • Members
  • 8 posts

Posted 02 April 2016 - 10:02 AM

thanks! :D



#10 Struppigel (Karsten Hahn, G DATA Malware Analyst)
  • Malware Response Team
  • 231 posts

Posted 02 April 2016 - 11:13 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



