False Positive? Trojan.Win32.Generic.pak!cobra


7 replies to this topic

#1 taffy078

taffy078

    Advanced Member

  • Members
  • 80 posts

Posted 21 March 2011 - 11:11 AM

A scan last night (AAW Free) found a Trojan.Win32.Generic.pak!cobra in c:\program files\uniblue\registrybooster\unins000.exe
I left the PC to run overnight the "ThreatWork Alliance - submitting suspicious files".
I noticed that one of the 'suspicious files' was in the AdAware folder.

As there was no message showing this morning, I scanned again. It found the above plus another one: Trojan.Win32.Generic.pak!cobra in c:\system volume information\_restore{dee4b321-5e9d-4a92-95c5-eacebc257d73}\rp348\a0092084.exe.

I cannot find this folder in My Computer C: drive.

The "ThreatWork Alliance - submitting suspicious files" started at 07:20 this morning and finished at 08:26. I've not done this before so I have no idea if that's what it normally takes.

I searched this forum and found from last October the below thread, which shows a false positive: http://www.lavasofts...showtopic=30226
Unfortunately it seems that I should have saved the log file before enabling the ThreatWork Alliance submission. I didn't and found when that had finished that the "export log" button was no longer there.

I scanned again. The above two threats didn't appear again. (But there were two more found, both cookies which I have deleted.) The two are in quarantine, your recommended action. Should I delete them or can I get log files from them?

Is there anything else you need from me to enable you to check if these are false positives, please?

Edited by taffy078, 21 March 2011 - 11:11 AM.


#2 LS Andy

LS Andy

    Lavasoft Staff/Forum Overlord

  • Root Admin
  • 1535 posts

Posted 21 March 2011 - 11:45 AM

Hi taffy078,

Thanks for your report. We should be able to recover the log file as well as the detected files from your machine to check them out.

Locate & Upload Log Files
Can you check in the appropriate folder for your operating system for the log files?

XP - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log
Vista and 7 - C:\ProgramData\Lavasoft\Ad-Aware\Logs\Scan_<date information>.log

Just double click on the .log file to open it. Upload the log files that detected the files to this topic.

Locate and Upload Quarantine Files
Navigate to:

XP - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine
Vista and 7 - C:\ProgramData\Lavasoft\Ad-Aware\Quarantine

Again, upload the two quarantine files to this topic and I can check them out.

Regards,

Andy
Lavasoft Malware Labs
unsolicited@tenalia.com

#3 taffy078

taffy078

    Advanced Member

  • Members
  • 80 posts

Posted 21 March 2011 - 02:02 PM

Thank you Andy. Here's the log-file from last night i.e. the first one in my post. The second one wasn't in that location.

There are four files in quarantine - these are attached too. Not having done this for a long time, I've forgotten if I can send you a folder! Let's see!

No - it's rejected the folder - "Upload failed. You are not permitted to upload this type of file". I'll try one file at a time.

Taffy078

Attached Files


Edited by taffy078, 21 March 2011 - 02:10 PM.


#4 taffy078

taffy078

    Advanced Member

  • Members
  • 80 posts

Posted 21 March 2011 - 02:09 PM

I keep getting the "not permitted to upload this type of file" message.

Here's a screen print of the contents of the Quarantine folder. What else should I do please?

AAarrrggggggggggghhhhhh. This too has failed - it's just a word document. Help would be appreciated!!

Can I email it (the Word Document) if all else fails?

Edited by taffy078, 21 March 2011 - 02:11 PM.


#5 LS Andy

LS Andy

    Lavasoft Staff/Forum Overlord

  • Root Admin
  • 1535 posts

Posted 21 March 2011 - 02:18 PM

I recommend zipping the quarantine files individually and password protecting them with the password "infected", then uploading them. If you would like some guidance on how to do that, let me know.

Andy
unsolicited@tenalia.com
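
The collection steps from posts #2 and #5 can be scripted. The following is an added example, not part of the original thread and not Lavasoft tooling: it finds the Ad-Aware data folder, copies the scan logs that mention the detection, and zips each quarantine file individually with the password from post #5. Assumptions: PowerShell 4 or later, 7-Zip installed at the path shown, and a hypothetical output folder on the desktop.

```powershell
# Added example: package Ad-Aware scan logs and quarantine files for a false-positive report.
# Assumption: 7-Zip is installed at this path; adjust $SevenZip if it lives elsewhere.
$SevenZip  = 'C:\Program Files\7-Zip\7z.exe'
$OutDir    = Join-Path $env:USERPROFILE 'Desktop\fp-submission'  # hypothetical output folder
$Password  = 'infected'                                          # password requested in the thread
$Detection = 'Trojan.Win32.Generic.pak!cobra'                    # detection name being reported

# Data folders named in the thread: XP first, then Vista and 7.
$Roots = @(
    'C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware',
    'C:\ProgramData\Lavasoft\Ad-Aware'
)
$Root = $Roots | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $Root) { throw 'No Ad-Aware data folder found in either location.' }
if (-not (Test-Path -LiteralPath $SevenZip)) { throw "7-Zip not found at $SevenZip" }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Copy only the scan logs that mention the detection.
Get-ChildItem -LiteralPath (Join-Path $Root 'Logs') -Filter 'Scan_*.log' |
    Where-Object { Select-String -LiteralPath $_.FullName -SimpleMatch $Detection -Quiet } |
    Copy-Item -Destination $OutDir

# Zip each quarantine file on its own, password protected, and record its hash
# so the analyst can confirm which file each archive contains.
$Manifest = foreach ($File in Get-ChildItem -LiteralPath (Join-Path $Root 'Quarantine') -File) {
    $Zip = Join-Path $OutDir ($File.Name + '.zip')
    & $SevenZip a -tzip "-p$Password" $Zip $File.FullName | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "7-Zip failed for $($File.Name)"
        continue
    }
    [pscustomobject]@{
        File   = $File.Name
        SHA256 = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
        Zip    = $Zip
    }
}

# Write the manifest next to the archives and show it on screen.
$Manifest | Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
$Manifest | Format-Table -AutoSize
```

Run it from an elevated prompt if the quarantine folder is not readable by a standard user.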

#6 taffy078

taffy078

    Advanced Member

  • Members
  • 80 posts

Posted 21 March 2011 - 10:50 PM

> I recommend zipping the quarantine files individually and password protecting them with the password "infected", then uploading them. If you would like some guidance on how to do that, let me know.
>
> Andy

Thank you Andy. Here we go:

Attached Files



#7 LS Andy

LS Andy

    Lavasoft Staff/Forum Overlord

  • Root Admin
  • 1535 posts

Posted 22 March 2011 - 02:29 PM

Hi taffy078,

Thanks for uploading everything - it was very helpful. This was an FP - it has been corrected and will reflect in a definitions update this afternoon.

Regards,

Andy
Lavasoft Malware Labs
unsolicited@tenalia.com

#8 taffy078

taffy078

    Advanced Member

  • Members
  • 80 posts

Posted 22 March 2011 - 04:12 PM

> Hi taffy078,
>
> Thanks for uploading everything - it was very helpful. This was an FP - it has been corrected and will reflect in a definitions update this afternoon.
>
> Regards,
>
> Andy
> Lavasoft Malware Labs


That's a relief! :unsure: Thank you for your prompt help, Andy. Much appreciated.



