Two False Positives?


5 replies to this topic

#1 PlatinumCS

    Newbie

  • Members
  • 2 posts

Posted 01 August 2007 - 04:22 PM

Ok, I think I have two false positives here.

The two programs are:

1) PCPal
2) IconArt


Thanks for any assistance,


Here is my log file:

--------------------------------------------------------------------------------------------------------------------
Ad-Aware 2007 Build
Log File Created on: 2007-08-01 11:36:27

System information
===========================
Number of processors: 1

Ad-Aware 2007 Settings
===========================
Skipping files larger than 1048576 kB
Ignoring infections with lower TAI than: 3


Extended Ad-Aware 2007 Settings
===========================
Unloading known modules during scan
Ignoring spanned files when scanning cab archives
Reanalyzing results after scanning before displaying results
Trying to unload modules prior to removal
Unloading Explorer if necessary during removal
Let Windows remove files currently in use at next reboot
Removing quarantined objects after restore
Deactivating Ad-Watch during scans
Writeprotecting system files after repairs
Include info about ignored objects in log file
Including basic settings in log file
Including advanced settings in log file
Including user and computer name in log file
Notify when Definitions File is outdated
Create and save WebUpdate log file

Databaseinfo
===========================
Version number: 12
Build Number: 0
Build Date and Time: 2007/07/31 06:15:42

Scan Statistics
===========================
Method: Full
Scan tracking cookies.............................: On
Scan ADS filestreams..............................: Off

Item Scanned: 335663
Infections Detected: 7
Infections Ignored: 0

Scan detailed statistics
===========================
Type Critical Total
Process Scan....: 0 0
Registry Scan...: 0 0
Registry PE Scan: 0 0
Hosts File Scan.: 0 0
File Scan.......: 0 0
Folder Scan.....: 0 0
LSP Scan........: 0 0
ADS Scan........: 0 0
Cookie Scan.....: 0 0
File Hash Scan..: 4 4

Infections Found
===========================
Family Id: 541 Name: Possible Browser Hijack attempt Category: Malware TAI:3
Item Id: 800000725 Value: Browser: Internet Explorer Favorite URL: URL=http://free.aol.com/tryaolfree/index.adp?205493
Item Id: 800000725 Value: Browser: Internet Explorer Favorite URL: URL=http://free.aol.com/tryaolfree/index.adp?205493
Family Id: 229 Name: BroadCastPC Category: DataMiner TAI:7
Item Id: 42157 Value: File: C:\.......................................\IconArt\ia_install.exe
Item Id: 42157 Value: File: C:\...............................\PCPal\pcpal_setup.exe
Item Id: 42157 Value: File: D:\...................................................\IconArt\ia_install.exe
Item Id: 42157 Value: File: D:\...........................................\PCPal\pcpal_setup.exe
Family Id: 9999 Name: MRU Object Category: MRU Object TAI:0
Item Id: 1 Value: MRU Path: C:\............................\Recent Count: 5

Items Ignored During Scan
===========================
--------------------------------------------------------------------------------------------------------------------

#2 LS Andy


    Lavasoft Staff/Forum Overlord

  • Root Admin
  • 1535 posts

Posted 01 August 2007 - 06:21 PM

Hi PlatinumCS,

Thanks for posting your log - I'll check into this to see what's going on.

Regards,

Andy
Lavasoft Research
unsolicited@tenalia.com

#3 LS Andy


Posted 01 August 2007 - 08:17 PM

Hi PlatinumCS,

I recreated the Possible Browser Hijack objects (http://free.aol.com/...ndex.adp?205493) detection which is being identified as a possible problematic URL. That particular site does not pose any threat - in the meantime, I would suggest adding it to the ignore list. We will look at removing it from detection. I also recreated the detection of ia_install.exe - this file does not pose a threat and will be removed from detection.

At the time of writing I've been unable to recreate the detection of pcpal_setup.exe - this is because I haven't been able to acquire a sample of the exact same file that was detected on your PC. Would it be possible to email the file to research@lavasoft.com? Before mailing it, could I ask you to zip the file and password protect it with the password infected? Put 'FAO Andy' in the subject heading too. Thanks!

Regards,

Andy
Lavasoft Research
unsolicited@tenalia.com

#4 PlatinumCS


Posted 02 August 2007 - 08:06 AM

Sent it.

Thanks for the quick response.

#5 LS Andy


Posted 02 August 2007 - 12:17 PM

Hi again,

Thanks for sending the file in! All your results have been recreated - the IconArt and PCPal .exe files are not in the detection database. At first glance these appear to be regular installer files - in actual fact they are archives, like .zip or .rar files. To illustrate, if you rename the exe files to zip, you can extract them like a zipped file.

Within the two installer/archive files was a dll file that was detected by Ad-Aware (Ad-Aware can be configured to scan inside archive files). This dll file is the same as one that is dropped by a BroadcastPC program. Having checked out the dll file further, on its own or when included with legitimate programs, it does not pose a threat to your PC. To be on the safe side, it will be taken out of detection as of the next update.

Regarding the detection of the AOL favourite - again, this object is not in the detection database. The reason for it being flagged is due to the pop up that occurs when you go to that particular site rather than the site/favourite being specifically targeted. If you would rather Ad-Aware did not flag this object, as mentioned previously, after you have scanned your PC, you have the choice to put that favourite into your ignore list, unless you would like to remove it.

Hope this clears everything up for you!

Regards,

Andy
Lavasoft Research
unsolicited@tenalia.com
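
The behaviour described in the post above, as an added example that is not part of the original thread and is not Lavasoft's code: a hash-based scanner that looks inside archives reports the container file even though only a bundled member matches the database. The stub bytes, the member name `shared.dll`, its contents and the size cap are constructed assumptions; the family name and installer file name are taken from the log.

```python
import hashlib
import io
import zipfile

MAX_MEMBER_BYTES = 64 * 1024 * 1024  # assumed cap: skip oversized members


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_installer(members: dict) -> bytes:
    """Constructed stand-in for an installer: a stub followed by a zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return b"MZ-constructed-stub" + buf.getvalue()


def scan(path: str, data: bytes, hash_db: dict, scan_archives: bool = True) -> list:
    """Return (reported_file, archive_member, family) for each hash match."""
    hits = []
    if sha256(data) in hash_db:                      # match on the file itself
        hits.append((path, None, hash_db[sha256(data)]))
    if scan_archives and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                family = hash_db.get(sha256(zf.read(info)))
                if family:                           # match on a bundled member
                    hits.append((path, info.filename, family))
    return hits


# Constructed sample data: "shared.dll" and its bytes are hypothetical.
DLL = b"constructed bytes standing in for the bundled dll"
HASH_DB = {sha256(DLL): "BroadCastPC"}
INSTALLER = build_installer({"readme.txt": b"hello", "shared.dll": DLL})

if __name__ == "__main__":
    for reported, member, family in scan("ia_install.exe", INSTALLER, HASH_DB):
        print(f"{family}: {reported} (matched member: {member})")
    print("archive scanning off:", scan("ia_install.exe", INSTALLER, HASH_DB, False))
```

Recording the matched member alongside the container path is what lets an analyst tell a bundled-component match apart from a match on the installer itself when triaging a suspected false positive.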

#6 LS CalamityJane

    Former Lavasoft Staff

  • Members
  • 8814 posts

Posted 01 September 2007 - 04:29 PM

Since your issues seem resolved I'll go ahead and archive this topic in the "Resolved" section (read only).

If you should have any further issues, please feel free to post a new topic.
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give personal support via PM. The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009



