Trainer/Trojan confusion


12 replies to this topic

#1 gazray4699

    Newbie
  • Members
  • 6 posts

Posted 24 October 2011 - 01:44 PM

Hello,

I'm not sure if what I'm reporting is a false positive or not; however, after running an AdAware scan, it detected and quarantined everything relating to a program that modifies memory addresses - trainers for games.

Not only did it quarantine every trainer I had, it also quarantined the exe file of a program I downloaded and installed myself from the author's website. It also seemed to brand all the trainers as trojans that were entirely unrelated to the program at hand - for instance, how would a program designed to change memory addresses for game-related processes relate to a trojan virus designed to download and install adware? Makes no sense to me.

It also seemed to just "stick" a virus name to each file as despite each exe file being downloaded from different locations at widely apart dates, they were all given similar definitions.

A total of 12 files were detected as viruses, all of them relating to a keygen and trainers for games. Only a small infection of cookies was detected, which was to be expected. Did you want a full upload of all files?

One of the programs detected was Cheat Engine - a program designed to create trainers for games via the manipulation of memory addresses. It was downloaded from http://cheatengine.org/ and millions of users are using this program with no issue.

What further gives me doubts is that Avast considers all of these files safe and detected no trojans anywhere on the system - whereas if these trojans were present, they would have been detected.

Can anyone provide answers? I'd like my trainers back please ;)


#2 LS Andy

    Lavasoft Staff/Forum Overlord
  • Root Admin
  • 1425 posts

Posted 24 October 2011 - 01:53 PM

Hi gazray4699,

A lot of times trainers are compressed using UPX and other similar compression methods, which is what malware writers do too. Sometimes AV apps catch this similarity and mistake files for malware.

Can you upload the files that were detected? Please be sure to zip them first. Thanks!

Andy
Lavasoft Malware Labs
irc.geekshed.net /join #MalwareLab

Twitter: @LSAndyB
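As an added illustration of the heuristic Andy describes (this is not code from the thread or from Lavasoft), here is a small PE section check that flags UPX-style section names and high-entropy section contents, the two signals that make a legitimately packed trainer look like packed malware. The sample image is constructed inline and is not a real file.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is the maximum, typical of packed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Yield (section name, raw bytes) from a PE image's section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    coff = pe_off + 4
    nsec = struct.unpack_from("<H", image, coff + 2)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]

def packer_indicators(image: bytes) -> list:
    """Return the packer-like signals found; an empty list means nothing suspicious."""
    flags = []
    for name, data in pe_sections(image):
        if name.upper().startswith("UPX"):
            flags.append(f"section {name}: UPX section name")
        if shannon_entropy(data) > 7.0:
            flags.append(f"section {name}: high entropy")
    return flags

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header, no optional header, section table, raw data."""
    hdr_size = 0x40 + 4 + 20 + 40 * len(sections)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    table, blobs, ptr = b"", b"", hdr_size
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0, len(data), ptr, 0, 0, 0, 0, 0)
        blobs += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + table + blobs
```

Such a check is only an indicator: a packed game trainer and a packed downloader look identical at this level, which is why a scanner that weighs packing heavily produces exactly the false positives discussed here.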

#3 65Cobra

    Member
  • Members
  • 12 posts

Posted 24 October 2011 - 05:33 PM

Not sure why I received email notification of this thread but before I make sure I'm unsubscribed to anything and everything on this forum let me just post my bottom line because your post sounds all too familiar...

After paying for a one year subscription to Ad-Aware in 2009 I never renewed the subscription due to multiple problems... one of which is exactly what you described. Not only did this program have some serious limitations with the design of its interface but... and this is my bottom line... as far as I'm concerned, this program is a virus in itself. Despite my settings, not only did it quarantine files without my knowledge but by the time I found out, I was unable to retrieve them, and I was never able to get the proper assistance here. There are much better programs out there.

#4 gazray4699

    Newbie
  • Members
  • 6 posts

Posted 25 October 2011 - 01:28 PM

I understand that some AV programs aren't the greatest - though everything will have its faults and limitations. I installed AdAware because it is currently the only reliable detection of Adware I know - MalwareBytes and Avast both cannot detect tracking cookies or adware.

Because of such, I tend to overlook things which might become irritating. Sure it was difficult to locate the quarantine folder but I managed it. It did automatically quarantine my files and yes, that irritated me. Better to be safe than sorry however.

Anyway, my reasons aside, I'll upload the files it quarantined. If it is because of the compression, then I'll just restore them to their rightful places. I recently had a rootkit infection is all, so I want to be sure before I give it another foothold in my system.

I apologise for the separate zipped files... for some reason the compression caused the files to inflate together rather than deflate. Both Cheat Engine.exe and the Grand Theft Auto Trainer were too big for me to upload, even with Ultra compression.

Also - I would appreciate knowing how to change the files back from the quarantined file type if the files are clean ;)


#5 LS Andy

    Lavasoft Staff/Forum Overlord
  • Root Admin
  • 1425 posts

Posted 25 October 2011 - 01:59 PM

Thanks for the uploads - I'll check them out and get back to you.

When compressed, how big are the Cheat Engine.exe and the Grand Theft Auto Trainer files? I could temporarily increase the file size limit so you can upload them.

Andy
irc.geekshed.net /join #MalwareLab

Twitter: @LSAndyB

#6 CeciliaB

    Volunteer
  • Moderator
  • 5363 posts

Posted 25 October 2011 - 02:11 PM

> Anyway, my reasons aside, I'll upload the files it quarantined. If it is because of the compression, then I'll just restore them to their rightful places. I recently had a rootkit infection is all, so I want to be sure before I give it another foothold in my system.

Do you want us to check the computer with programs specialised in rootkit detection? In that case, please post in the forum Help with Stubborn Infections by following the instructions in the topic Read This Before You Post!.

> Also - I would appreciate knowing how to change the files back from the quarantined file type if the files are clean ;)

When you see the list of quarantined files inside Ad-Aware, you select the files to restore and then you select "Restore" in the Action drop-down menu.

#7 gazray4699

    Newbie
  • Members
  • 6 posts

Posted 26 October 2011 - 10:29 AM

No thank you for the rootkit check. I've already done a very thorough search with MalwareBytes and am currently involved in an argument over why my CD/DVD autorun feature is disabled - I've followed their guidelines to reactivate them and it worked for the Windows autoplay, but autorun extensions on CD/DVDs are still inactive.

Thank you for telling me how to return them to their rightful places.

The file sizes for both compressed files are 5032 kb together.

#8 CeciliaB

    Volunteer
  • Moderator
  • 5363 posts

Posted 26 October 2011 - 10:44 AM

:) Your decision, but I have seen MalwareBytes Anti-Malware miss rootkits many times.

#9 gazray4699

    Newbie
  • Members
  • 6 posts

Posted 26 October 2011 - 05:50 PM

Well, I only went to MalwareBytes to confirm no rootkit remained... their search was pretty thorough, using Defogger, ComboFix and a variety of other methods. The original infection forced me to reformat my hard drive as it would not boot, and I was fairly sure this would have removed the infection - and my system is due to be reformatted once again soon. The old motherboard, graphics card, processor and even memory are now removed from my system and the system is soon to be brand new - the only old thing remaining is my hard drive.

I'm also reluctant because of the intricate procedures I went through where I had no idea what was being done to my computer and ended up losing my autorun functionality for my trouble. No infections have been detected, no new viruses have appeared - the only concern was that AdAware detected my trainers as viruses. :P

#10 CeciliaB

    Volunteer
  • Moderator
  • 5363 posts

Posted 26 October 2011 - 10:29 PM

Sorry, I misunderstood you :( I thought you had only run MalwareBytes Anti-Malware and not visited their forum for an investigation of your computer. Blade or I would have suggested ComboFix and some other programs if you had let us investigate your computer.

Not much survives a format, only MBR infections.

#11 gazray4699

    Newbie
  • Members
  • 6 posts

Posted 27 October 2011 - 10:21 AM

Yeah, it's alright. I figured out what you meant :P I'm fairly sure nothing remains.

#12 LS Andy

    Lavasoft Staff/Forum Overlord
  • Root Admin
  • 1425 posts

Posted 27 October 2011 - 12:24 PM

Hi,

Thanks for uploading the quarantined files. The files have been re-examined and although they are not malware, they will continue to be flagged by AdAware due to their similarity to malware (e.g. replacing code in the winlogon.exe file). If you choose to use them, you can unquarantine and add them to your ignore list.

Andy
irc.geekshed.net /join #MalwareLab

Twitter: @LSAndyB

#13 gazray4699

    Newbie
  • Members
  • 6 posts

Posted 28 October 2011 - 02:53 PM

Thanks