Earlier I updated AVG(7.5) and decided to run a scan. It detected SIntfNT.dll as being infected with Trojan Horse Proxy.ACWL. I did a little searching online and found out other people were having this file detected as well. Though, they were different infections, one was Trojan Horse Proxy.ACCX. It seems that people are having this detected when they start a game from a disc. I had already searched for the file on my computer while AVG was still scanning, to check the creation date. It was created on 10/15/2007. I installed Unreal Tournament 2004 on that date and haven't played since, so I figured it was that. After having scanned with AVG and having the file healed/deleted, I put UT2004 in the disc drive and clicked on its icon on my desktop to start it. Up pops AVG with the warning again. I then navigated to the file location C:\Users\Syzich\AppData\Local\Temp and there the file was again. I came to the conclusion that this is a false positive. I scanned with Computer Associates Online scanner, Spybot, Windows Defender and all were clean. Though I updated AVG again today, the new database still detected the file. I also uploaded the file to virusscan.jotti.org, here are the results:
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found Trojan.Proxy.Ranky.Lp
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found Proxy.ACWL
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Troj.Proxy.W32.Ranky.lp
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Proxy.Win32.Ranky.lp
Fortinet Found PossibleThreat
Ikarus Found Trojan-Proxy.Win32.Ranky.lp
Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Ranky.lp
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Proxy.Win32.Ranky.lp
I'm still inclined to think this is a false positive. I mean, the file has been on my computer since October of last year and AVG is only detecting it as of today's updates. Also, after running a legit store-bought copy of the game, the file is created and detected again. Should I just wait for AVG to release a new update to be certain?
Last edited by Syzich; July 26th, 2008 at 06:05 PM.
I was just thinking about something. As I said earlier, other people were having their AVG detect the same file as being infected, though with a different infection. The posting dates that these people had on the various forums I was reading indicated that AVG had this in the database earlier this month or at the end of June. Since I had the file on my computer since October, why didn't I get a detection notice until just today?
I checked the AVG forum and quite a few people were also having SIntfNT.dll detected as well. They were also saying it happened when they tried to play a game. I don't think I'll need to make a post there though. For situations like this, all the mods seem to do is direct users to sticky posts. They don't really offer step by step help on a per user basis like here. AVG has had two updates since my last posting and the file is still being detected. Though, I uploaded the file to Jotti again. Here are the results:
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found Trojan.Proxy.Ranky.Lp
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found Proxy.ACWL
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Troj.Proxy.W32.Ranky.lp
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found PossibleThreat
Ikarus Found Trojan-Proxy.Win32.Ranky.lp
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Proxy.Win32.Ranky.lp
It seems F-Secure and Kaspersky have corrected the issue with their updates. So, it does indeed seem this is a False Positive. I'll wait for more updates to be sure, though.
One thing I read on the AVG site was that you can send files you think are False Positives in a password protected zip file to AVG for analysis. Is there any way to password a zip file without a third party utility?
Send it to me. I'll password it for you. Attach the zip to a post here and I'll password it and give it back same way.
Tell me the password that you need to use.
That will also give me the opportunity to have a close look at the file for my own curiosity/tests.
I downloaded a copy of SIntfNT.dll from a dll site and it too was flagged with the same trojan... but only by a single a/v at that multiscan site. It was probably an older or different version of that dll file.
Properties show it modified Tuesday, June 15, 2004, 11:40:42 AM
Still, that leads me to believe in the false positive theory.
This site says there are 17 variants of the file...
Thanks for offering to password it and run additional tests, fink.
There seem to be/were different detections for different versions of the file. As you said, there are 17 according to the site you linked to. I guess that would also explain the different detections I have read about and why AVG didn't detect the version of the file on my computer until the 26th of this month. The different detections I have read about were Proxy.ACQH, Proxy.ACQM and Proxy.ACCX. Though, Proxy.ACWL, the one AVG is detecting with my version of the file, I haven't found any other posts about this one in my searches. I guess the version of the file depends on the game. Maybe the file was updated with each game? Other people's posts reporting about the file were playing one of the following: Empire Earth, RollerCoaster Tycoon, Warcraft 3, Hoyle Card Games or Hoyle Table Card games. There are probably more games out there that make this file when launched, but those are the ones I read about.
Anyhoo, I attached the file to the post like you said. The AVG site didn't specify a password to use, so I guess "falsepositive" would be good.
I also decided to upload the file to Jotti again. Here are the results:
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found Trojan.Proxy.Ranky.Lp
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found Proxy.ACWL
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Troj.Proxy.W32.Ranky.lp
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found PossibleThreat
Ikarus Found Trojan-Proxy.Win32.Ranky.lp
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Proxy.Win32.Ranky.lp
Looks like there is no change from last time.
Last edited by Syzich; July 30th, 2008 at 09:05 AM.
One thing that comes to mind is that it's being called a backdoor. That means it allows access to a computer. If these games are interactive and meant to be played online with other users and this dll is part of that process, then that could be part of the reason it's being seen as a trojan.
A malware expert at Majorgeeks thinks:
"I believe that file may be related to some kind of game protection scheme. Possibly from Sony."
I don't know if the .dll is related to the game's online functionality or not, but I do remember reading about the game protection thing. Someone on another forum said it's possibly related to SecuROM. I'm going to send the file to AVG for analysis now.
Here are the results from today's Jotti scan in case anyone is interested:
A-Squared Found Trojan-Proxy.Win32.Ranky.ih
AntiVir Found nothing
ArcaVir Found Trojan.Proxy.Ranky.Lp
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found Proxy.ACWL
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Troj.Proxy.W32.Ranky.lp
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Trojan-Proxy.Win32.Ranky.lp
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Proxy.Win32.Ranky.lp
I tried sending the file to AVG through Yahoo mail, but their Norton attachment scanner flagged the file. I was able to send it with hotmail/livemail, but I thought if the file was passworded, it shouldn't get detected. I mean, I scanned the passworded .zip with AVG and it said it was clean. Does it depend on the scanner?
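An added illustration of what a password-protected zip does and does not hide from a scanner. This is my own example code, not anything from the thread or from AVG, Yahoo, Jotti or the zipfile module's authors; the "SIntfNT.dll" bytes inside are constructed, not the real file, and the password is the one chosen above. Traditional ZipCrypto encryption covers only the member's contents: the file name, both sizes and the CRC-32 sit in the clear in the central directory, so any tool can read them without the password. Python's zipfile module can read ZipCrypto archives but cannot write them, so the block builds the archive by hand and then reads it back both ways:

```python
"""Build a ZipCrypto ("traditional PKZIP") password-protected archive by hand and
show what is readable WITHOUT the password versus what needs it.
Added illustration, not from the thread; the sample member is constructed."""
import io
import os
import struct
import zipfile
import zlib

PASSWORD = b"falsepositive"                                  # password chosen in the thread
SAMPLE_NAME = "SIntfNT.dll"                                  # file name from the thread
SAMPLE_DATA = b"MZ" + b"constructed sample, not the real DLL\n" * 4  # constructed bytes
SAMPLE_CRC = zlib.crc32(SAMPLE_DATA) & 0xFFFFFFFF            # what a hash list could match on


def _crc_table():
    """Standard CRC-32 lookup table; the ZipCrypto key schedule is driven by it."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_CRC = _crc_table()


class ZipCryptoEncrypter:
    """Encrypting side of ZipCrypto; mirrors the decrypter inside CPython's zipfile."""

    def __init__(self, pwd: bytes):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for c in pwd:
            self._update(c)

    def _update(self, c: int) -> None:
        k = self.keys
        k[0] = _CRC[(k[0] ^ c) & 0xFF] ^ (k[0] >> 8)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _CRC[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            t = self.keys[2] | 2
            t = ((t * (t ^ 1)) >> 8) & 0xFF   # keystream byte
            self._update(c)                   # keys advance on the PLAINTEXT byte
            out.append(c ^ t)
        return bytes(out)


def build_encrypted_zip(name: str, data: bytes, pwd: bytes) -> bytes:
    """Return a one-member, stored (uncompressed) zip whose member is ZipCrypto-encrypted."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    enc = ZipCryptoEncrypter(pwd)
    # 12-byte encryption header: 11 random bytes + high byte of the CRC (the password check byte)
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    body = enc.encrypt(header) + enc.encrypt(data)
    fname = name.encode("ascii")
    flags, method, dos_time = 0x0001, 0, 0                   # bit 0 = encrypted, method 0 = stored
    dos_date = ((2008 - 1980) << 9) | (7 << 5) | 30          # 2008-07-30, to match the thread
    # Local file header: name, sizes and CRC are NOT encrypted
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method, dos_time,
                        dos_date, crc, len(body), len(data), len(fname), 0) + fname
    # Central directory entry: the same metadata again, in the clear
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method,
                          dos_time, dos_date, crc, len(body), len(data), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def visible_without_password(archive: bytes) -> dict:
    """Everything a gateway or desktop scanner can read with no password at all."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        info = zf.infolist()[0]
        return {"name": info.filename, "encrypted": bool(info.flag_bits & 0x1),
                "crc32": info.CRC, "size": info.file_size}


def extract_with_password(archive: bytes, pwd: bytes) -> bytes:
    """The contents need the password; a wrong one fails the check byte or the CRC."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(zf.namelist()[0], pwd=pwd)


if __name__ == "__main__":
    z = build_encrypted_zip(SAMPLE_NAME, SAMPLE_DATA, PASSWORD)
    print(visible_without_password(z))
    assert extract_with_password(z, PASSWORD) == SAMPLE_DATA
```

Which of those clear fields a particular mail or endpoint scanner actually matches on is up to that scanner, so the honest answer to "does it depend on the scanner" is yes; what the block shows is the upper bound of what is visible without the password, and why two products can disagree on the same passworded zip.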
Unfortunately, the current virus database version may detect the mentioned virus on some legitimate applications. We can confirm that it is a false alarm. We would like to inform you that the false positive will be removed in the next Definitions update. Please update your AVG and if a new Definitions update was downloaded, check whether the file is still detected. If you need to restore deleted files from AVG Virus Vault you can do it this way:
- Open AVG user interface.
- Choose "Virus Vault" option from the "History" menu.
- Locate the file that was incorrectly removed and select it (one click).
- Click on the "Restore" button.
We are sorry for the inconvenience.
Best regards,
Karel Bachura
AVG Technical Support
Here are today's Jotti scan results:
A-Squared Found Trojan-Proxy.Win32.Ranky.ih
AntiVir Found nothing
ArcaVir Found Trojan.Proxy.Ranky.Lp
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Troj.Proxy.W32.Ranky.lp
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Trojan-Proxy.Win32.Ranky.lp
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Proxy.Win32.Ranky.lp
Last edited by Syzich; August 1st, 2008 at 06:42 AM.
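The thread compares the Jotti runs by eye ("F-Secure and Kaspersky have corrected the issue", "no change from last time"). As an added example, my own code and not Jotti's or anything from the thread, the following does that comparison mechanically: it parses the "Engine Found verdict" lines, reports which engines changed between two runs, and separates engines that dropped a detection from those that added one. The two result sets are constructed from the July 26 and August 1 lists pasted above, trimmed to eight engines; the "generic verdict" rule of thumb is my own assumption, not any vendor's classification:

```python
"""Track a suspected false positive across multi-engine scan runs.
Added example, not from the thread; result sets below are constructed from the
Jotti output pasted in the thread, trimmed to eight engines."""
import re
from typing import Dict, List, Optional, Tuple

Verdicts = Dict[str, Optional[str]]   # engine name -> detection name, or None for clean

RUN_JUL26 = """\
A-Squared Found nothing
AVG Antivirus Found Proxy.ACWL
Avast Found Win32:Trojan-gen {Other}
ClamAV Found nothing
F-Secure Anti-Virus Found Trojan-Proxy.Win32.Ranky.lp
Fortinet Found PossibleThreat
Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Ranky.lp
VBA32 Found Trojan-Proxy.Win32.Ranky.lp
"""

RUN_AUG01 = """\
A-Squared Found Trojan-Proxy.Win32.Ranky.ih
AVG Antivirus Found nothing
Avast Found Win32:Trojan-gen {Other}
ClamAV Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
VBA32 Found Trojan-Proxy.Win32.Ranky.lp
"""

# Assumption (mine): verdict names like "-gen" or "PossibleThreat" mark heuristic/generic
# signatures, which carry less weight than a named family when judging a false positive.
_GENERIC = re.compile(r"\b(gen|generic|possible\w*|heur\w*|suspicious)\b", re.IGNORECASE)


def parse_results(text: str) -> Verdicts:
    """Parse 'Engine Found <verdict>' lines; 'nothing' becomes None."""
    verdicts: Verdicts = {}
    for line in text.splitlines():
        line = line.strip()
        if " Found " not in line:
            continue                       # blank line or not in the expected shape
        engine, verdict = line.split(" Found ", 1)
        verdict = verdict.strip()
        verdicts[engine.strip()] = None if verdict.lower() == "nothing" else verdict
    return verdicts


def is_generic(verdict: Optional[str]) -> bool:
    return verdict is not None and _GENERIC.search(verdict) is not None


def summarize(run: Verdicts) -> Tuple[int, int, int]:
    """(engines flagging, of which generic/heuristic verdicts, engines total)."""
    flagged = [v for v in run.values() if v is not None]
    return len(flagged), sum(is_generic(v) for v in flagged), len(run)


def diff_runs(old: Verdicts, new: Verdicts) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Engines whose verdict changed between two runs, as (engine, old, new), sorted by engine."""
    engines = set(old) | set(new)
    return sorted((e, old.get(e), new.get(e)) for e in engines if old.get(e) != new.get(e))


def dropped_detections(old: Verdicts, new: Verdicts) -> List[str]:
    """Engines that flagged before and are clean now: the sign a vendor pulled a bad signature."""
    return [e for e, o, n in diff_runs(old, new) if o is not None and n is None]


def added_detections(old: Verdicts, new: Verdicts) -> List[str]:
    """Engines that were clean before and flag now (a late-arriving signature, good or bad)."""
    return [e for e, o, n in diff_runs(old, new) if o is None and n is not None]


if __name__ == "__main__":
    first, last = parse_results(RUN_JUL26), parse_results(RUN_AUG01)
    print("Jul 26: %d of %d engines flag (%d generic)" % (summarize(first)[0], summarize(first)[2], summarize(first)[1]))
    print("Aug 01: %d of %d engines flag (%d generic)" % (summarize(last)[0], summarize(last)[2], summarize(last)[1]))
    for engine, old_v, new_v in diff_runs(first, last):
        print("  %-22s %s -> %s" % (engine, old_v or "clean", new_v or "clean"))
```

Run against the two full lists in the thread, the same functions give the picture the poster arrived at by hand: the vendors that had been contacted or updated (AVG, F-Secure, Kaspersky, Fortinet) drop the verdict, while the engines still flagging share one family name that nobody re-examined, which is exactly the pattern a vendor false-positive submission should cite.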
They got back to you pretty quickly. False positive as suspected.
I can think of only a very few examples of commercial software CDs containing an actual virus or trojan. One that comes to mind was a CD that came with a PC magazine maybe 5 or 7 years ago. It was a freeware/shareware sampler CD and one of the trial programs was infected somehow.