Malwarebytes False Positive

Thread: Malwarebytes False Positive

  1. #1
    Join Date
    Apr 2004
    Posts
    683

    Malwarebytes False Positive

    I just ran a scan with Malwarebytes and I think what shows in the results are false positives.

    Malwarebytes' Anti-Malware 1.38
    Database version: 2400
    Windows 5.1.2600 Service Pack 3

    7/9/2009 3:47:05 PM
    mbam-log-2009-07-09 (15-46-50).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 117183
    Time elapsed: 20 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{09571a4b-f1fe-4c60-9760-de6d310c7c31} (Malware.Packer) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{345caa15-4f12-4a28-afe9-383625563a83} (Malware.Packer) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{f23b1f18-cb1a-47ed-a1fe-b60494a626d0} (Malware.Packer) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\program files\k-lite codec pack\Filters\CoreAVCDecoder.ax (Malware.Packer) -> No action taken.

    I've had a file related to the K-Lite codec pack show up in the results before and that ended up being a false positive, so I really do think these are false positives as well. Has anyone else with the K-Lite codec pack noticed this in their results? I can't double-check on my other computer. I have K-Lite codec pack version 3.5.3 Standard on the computer I got these scan results on, and on my other computer I have version 4.1.0 Standard, and that version doesn't seem to have the CoreAVCDecoder.ax file.

    Here are Virustotal and Jotti scan results:
    http://www.virustotal.com/analisis/c...951-1247128111

    http://virusscan.jotti.org/en/scanre...945c6fe3bab437
    Last edited by Syzich; July 9th, 2009 at 05:26 PM.

  2. #2
    Join Date
    Jun 2001
    Location
    Albuquerque, NM USA
    Posts
    14,686
    Syzich--Here is a very brief description of a Malware.Packer
    http://blogs.windowsecurity.com/park...lware-packers/
    And your scans of the files suggest you do have some problems.
    Time to run HiJackThis?
    I am sure Broni or crunchie will be along soon.
    Jim
    WIN7 Ultimate SP1 64bit, IE 11, NTFS,
    cable, MS Security Essentials, Windows 7 firewall

  3. #3
    Join Date
    Apr 2004
    Posts
    683
    Here's a current HijackThis scan:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:21:39 PM, on 7/9/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clansilverfox.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: APC UPS Status.lnk = ?
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1229090271076
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1229090223388
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

    --
    End of file - 4481 bytes


    I don't see anything out of the ordinary in the scan, though. And yes, I realize I need to get around to updating AVG to version 8 or finding a replacement.

  4. #4
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    HKEY_CLASSES_ROOT\CLSID\{09571a4b-f1fe-4c60-9760-de6d310c7c31} (Malware.Packer) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{345caa15-4f12-4a28-afe9-383625563a83} (Malware.Packer) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{f23b1f18-cb1a-47ed-a1fe-b60494a626d0} (Malware.Packer) -> No action taken.
    I checked the above CLSIDs, and they seem to be safe.
    I also searched where they could have come from, and they all belong to Haali Media Splitter, if you have/had that installed.

    As for CoreAVCDecoder.ax, upload it to http://www.virustotal.com/ for security check.

    I see one problem, though.
    You're using AVG 7, which is not functional anymore.
    You need up to date AV program.
    I suggest...

    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
    - Avira free antivirus: http://www.free-av.com/en/download/index.html

    - free PC Tools Antivirus: http://www.pctools.com/free-antivirus/
    - free PC Tools Firewall Plus: http://www.pctools.com/firewall/

    - free Comodo Internet Security (firewall + AV): http://www.personalfirewall.comodo.com/
    NOTE. During installation, Comodo will also allow you to install AV only, or firewall only, if you prefer to combine one Comodo product with some other product.

    If you decide to install Avast or Avira, make sure Windows Firewall is turned on, or use PC Tools Firewall Plus or Comodo Firewall.
    If you decide to install Comodo Internet Security, or just Comodo Firewall, make sure Windows Firewall is turned off.

    IMPORTANT! Make sure you use only ONE antivirus and ONE firewall.

  5. #5
    Join Date
    Apr 2004
    Posts
    683
    Ok, then it would seem the registry keys that Malwarebytes picked up are indeed false positives. The Haali Media Splitter is installed as part of the K-Lite codec pack.

    I scanned the K-Lite Codec pack folder after updating Malwarebytes and the CoreAVCDecoder.ax file and the registry keys from before are still being detected. I included Virustotal and Jotti scan results in my first post in this thread, but here are scan results from today:

    http://www.virustotal.com/analisis/c...951-1247262314

    http://virusscan.jotti.org/en/scanre...422a9e13e76371

    The results still show a few of the scanners aren't showing CoreAVCDecoder.ax as clean, but since Malwarebytes is detecting registry keys related to the Haali Media Splitter, that leads me to believe the CoreAVCDecoder.ax is a false positive as well, since it was also installed with the K-Lite Codec pack. I'll probably wait a few more days to see if this is corrected in an update.

    Also, thanks for the AV recommendations. I'm not sure which I'll use if I switch from AVG on this computer. Though I think I'll stick with Sygate as my firewall for the time being; if I'm not mistaken, Train still uses it, too.
    Last edited by Syzich; July 11th, 2009 at 09:13 AM.

  6. #6
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    I'm not sure which I'll use if I switch from AVG on this computer
    Well, since AVG 7 is not functional anymore, you have no protection, so you better switch now.
    I'm going to report those false positives to MBAM.
    Thanks.

  7. #7
    Join Date
    Apr 2004
    Posts
    683
    If I do end up keeping AVG, I was going to update to version 8. I didn't mean that I was intending to keep version 7. I was under the impression that all the components such as the Resident Shield and the scanner itself were still functional. I thought it was just that AVG users can't receive updates unless they update to version 8. I mean, I can still start a scan of the whole computer and manually scan files.

    Also, thanks for reporting the false positives to MBAM.
    Last edited by Syzich; July 11th, 2009 at 01:10 PM.

  8. #8
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Yes, but without new definitions, your AV is not up to date.

    At MBAM they asked me to provide a developer log to speed things up. Can you do it for me?

    1. Click the Start Menu.
    2. Click Run.
    3. Type in "mbam.exe /developer", without the quotes.
    4. Run the same type of scan you did before and save the logfile and post it.

  9. #9
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Those guys are always fast.
    I just got another reply:
    The next update (2410+) should have this fixed

  10. #10
    Join Date
    Apr 2004
    Posts
    683
    I updated Malwarebytes today and manually scanned the K-Lite Codec pack folder to see if the false positives had been resolved. CoreAVCDecoder.ax didn't show up in the results, but the registry keys that were previously being reported were still in the results. So, I decided to run a developer scan of my whole computer. Here are the scan results:

    Malwarebytes' Anti-Malware 1.38
    Database version: 2417
    Windows 5.1.2600 Service Pack 3

    7/13/2009 8:15:45 AM
    mbam-log-2009-07-13 (08-15-25).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 117597
    Time elapsed: 20 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{09571a4b-f1fe-4c60-9760-de6d310c7c31} (Malware.Packer) -> No action taken. [525351424740523017130121372234213521222219213821222136202020191938212121362136]
    HKEY_CLASSES_ROOT\CLSID\{345caa15-4f12-4a28-afe9-383625563a83} (Malware.Packer) -> No action taken. [525351424740523017130121372234213521222219213821222136202020191938212121362136]
    HKEY_CLASSES_ROOT\CLSID\{f23b1f18-cb1a-47ed-a1fe-b60494a626d0} (Malware.Packer) -> No action taken. [525351424740523017130121372234213521222219213821222136202020191938212121362136]

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\system volume information\_restore{3ddf678d-e6a9-4f98-a091-a3d829945af6}\RP107\A0007196.ax (Malware.Packer) -> No action taken. [525351424740523017130121372234213521222219213821222136202020191938212121362136]

    Malwarebytes isn't detecting the CoreAVCDecoder.ax file in the K-Lite Codec pack folder, though, for some reason it seems to be detecting the backed up version in the System Restore folder.

  11. #11
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Thanks for letting me know. I'll report back at MBAM.

  12. #12
    Join Date
    Apr 2004
    Posts
    683
    It seems the issue has been resolved. Here are the scan results after updating Malwarebytes to the newest version and database:

    Malwarebytes' Anti-Malware 1.39
    Database version: 2427
    Windows 5.1.2600 Service Pack 3

    7/14/2009 11:18:03 AM
    mbam-log-2009-07-14 (11-18-03).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 114263
    Time elapsed: 20 minute(s), 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Thanks for your help, Broni.
    Last edited by Syzich; July 14th, 2009 at 12:38 PM.

  13. #13
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    This is one of the reasons I like MBAM.
    Those people's reaction is almost instant.

  14. #14
    Join Date
    Apr 2004
    Posts
    683
    It seems the new database is causing Malwarebytes to flag the same registry keys and the backed-up version of the CoreAVCDecoder.ax file again. Though this time they're being flagged as something else. Here are the results of my most recent scan:

    Malwarebytes' Anti-Malware 1.39
    Database version: 2470
    Windows 5.1.2600 Service Pack 3

    7/21/2009 10:13:59 AM
    mbam-log-2009-07-21 (10-13-55).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 115501
    Time elapsed: 20 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{09571a4b-f1fe-4c60-9760-de6d310c7c31} (Backdoor.Bot) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{345caa15-4f12-4a28-afe9-383625563a83} (Backdoor.Bot) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{f23b1f18-cb1a-47ed-a1fe-b60494a626d0} (Backdoor.Bot) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\system volume information\_restore{3ddf678d-e6a9-4f98-a091-a3d829945af6}\RP107\A0007196.ax (Backdoor.Bot) -> No action taken.
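
    The MBAM logs quoted in this thread share one fixed layout: a `Database version:` line, then one `... Infected:` heading per object class, with each hit written as `item (Name) -> action.` and, in a developer-mode scan, a bracketed numeric ID on the end. The Python below is an added example, not code from the original posts or from Malwarebytes: it parses that layout and diffs two logs, reporting which entries cleared between database versions, which kept their key or path but changed detection name (Malware.Packer becoming Backdoor.Bot, as in the scan above), and which hits point at a System Restore copy under `_restore{...}\RPnnn` rather than the live file. The two embedded logs are constructed, abbreviated transcriptions of the database 2400 and 2470 scans posted in this thread, not fresh scan output.

```python
"""Parse Malwarebytes' Anti-Malware 1.3x text logs and diff detections across database versions.

Added example. The log layout is taken from the scan logs posted in this thread; the two
sample logs below are constructed, abbreviated copies of the db 2400 and db 2470 scans.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DB_RE = re.compile(r"^Database version: (\d+)$")
# Section headings end with a bare colon; the summary block ("Registry Keys Infected: 3") does not match.
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$"
)
# "<item> (<Name>) -> <action>." with an optional " [<digits>]" developer-mode ID
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>[^\[]+?)\.?(?: \[(?P<dev>\d+)\])?$"
)
# System Restore keeps copies of replaced files here; a hit in this tree is a stored copy, not the live file.
RESTORE_RE = re.compile(r"system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\")


@dataclass(frozen=True)
class Detection:
    section: str
    item: str            # registry key or file path, lower-cased (both are case-insensitive on Windows)
    name: str            # detection name, e.g. Malware.Packer
    action: str
    dev_id: Optional[str]


def parse_log(text: str) -> Tuple[Optional[int], List[Detection]]:
    """Return (database version, detections) from an MBAM 1.3x text log."""
    db, section, found = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DB_RE.match(line):
            db = int(m.group(1))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and not line.startswith("(No malicious"):
            if m := DETECTION_RE.match(line):
                found.append(Detection(section, m["item"].lower(), m["name"],
                                       m["action"].strip(), m["dev"]))
    return db, found


def diff_logs(old_text: str, new_text: str) -> dict:
    """Compare two logs entry by entry, keyed on (section, key or path)."""
    old_db, old = parse_log(old_text)
    new_db, new = parse_log(new_text)
    old_map = {(d.section, d.item): d for d in old}
    new_map = {(d.section, d.item): d for d in new}
    both = old_map.keys() & new_map.keys()
    return {
        "old_db": old_db,
        "new_db": new_db,
        "cleared": sorted(k[1] for k in old_map.keys() - new_map.keys()),
        "added": sorted(k[1] for k in new_map.keys() - old_map.keys()),
        "renamed": sorted((k[1], old_map[k].name, new_map[k].name)
                          for k in both if old_map[k].name != new_map[k].name),
        "restore_point_copies": sorted(d.item for d in new if RESTORE_RE.search(d.item)),
    }


# Constructed sample input: abbreviated copies of the db 2400 and db 2470 logs from this thread.
LOG_DB2400 = r"""
Malwarebytes' Anti-Malware 1.38
Database version: 2400

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{09571a4b-f1fe-4c60-9760-de6d310c7c31} (Malware.Packer) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{345caa15-4f12-4a28-afe9-383625563a83} (Malware.Packer) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f23b1f18-cb1a-47ed-a1fe-b60494a626d0} (Malware.Packer) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Files Infected:
c:\program files\k-lite codec pack\Filters\CoreAVCDecoder.ax (Malware.Packer) -> No action taken.
"""

LOG_DB2470 = r"""
Malwarebytes' Anti-Malware 1.39
Database version: 2470

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{09571a4b-f1fe-4c60-9760-de6d310c7c31} (Backdoor.Bot) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{345caa15-4f12-4a28-afe9-383625563a83} (Backdoor.Bot) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f23b1f18-cb1a-47ed-a1fe-b60494a626d0} (Backdoor.Bot) -> No action taken.

Files Infected:
c:\system volume information\_restore{3ddf678d-e6a9-4f98-a091-a3d829945af6}\RP107\A0007196.ax (Backdoor.Bot) -> No action taken.
"""

if __name__ == "__main__":
    report = diff_logs(LOG_DB2400, LOG_DB2470)
    print(f"database {report['old_db']} -> {report['new_db']}")
    for key in ("cleared", "added", "renamed", "restore_point_copies"):
        for entry in report[key]:
            print(f"  {key}: {entry}")
```

    Keying the diff on section plus key/path rather than on detection name is what makes a rename visible: the same three Haali CLSIDs and the same restore-point copy come back under a new label after a database update, which is the pattern to look for when deciding whether a detection is a re-emerged false positive rather than a new infection. A hit only under `System Volume Information\_restore` means the live copy was already cleared and the signature is matching a file System Restore stored earlier.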

  15. #15
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    OMG. Let me get them again. 50 lashes this time.
