Full Version: Win32.Worm.LovGate
Malik
Thanks in advance for your help. I have also received notification upon scanning that one of my programs is infected with Win32.Worm.LovGate, however this was detected using the definition file: 0146.0010. In the forums, Albin stated that it was removed from the database in the version mentioned below. A bit confused, because Spybot S & D, SuperAntiSpyware and Eset NOD32 did not detect this. I am attaching my scan log. I would appreciate some help. I currently have it quarantined as a precaution.

Best regards,

Mick

QUOTE
Hi!

The Worm.Lovgate FP is now removed from our detection database. Just download 0146.0009 and run a scan again.

Thanks

Albin

Lavasoft Malware Labs
LS Albin
Hi Malik!

This is a new FP from the same family (Win32.Worm.Lovgate) and it will be removed in the next definition release.

Thanks for your scan report!! :)

Albin

Lavasoft Malware Labs
Malik
I appreciate the quick response and dedication that I have seen on this forum thus far; it is duly noted. Nice to know that we have support. Keep up the great tireless effort that you currently provide.

Best Regards,


Mick (Malik)
starwalker
I am having exactly the same problem - what appears to be a false positive that shows the Win32.Worm.LovGate every time I run a full scan with Ad-Aware AE. I have the latest definitions file (046.0011) and have tried repeatedly to either Remove or Quarantine the suspect files that show up in the scan, to no avail. However, none of my other software (McAfee Security Center and Spybot Search & Destroy) detects this worm. Further, I have run Symantec's FixLovGate and it does not detect the worm either. What do you advise, since the problem seems to be in the Ad-Aware definitions file?
GoddersUK
That you patiently await the definition update that will likely be made sometime today or tomorrow and if that doesn't fix it you upload your sample here.
LS Andy
Hi everyone,

Thanks for your posts. Starwalker & Malik, I have carried out an investigation on the entire Win32.Worm.Lovgate family in our database and have discovered that several files that do not display malicious behaviour were listed in the database, which will be removed as of the next update. The subsequent beta test I performed on the FPs shows that they have been removed from the beta definition file.

The FPs will not be included as of the next update (scheduled to be 0146.0012). In the meantime, you can remove them from quarantine and add them to your ignore list. However, if you are still having problems after the next update, please let me know.

Regards,

Andy
Lavasoft Malware Labs
starwalker
Ad-Aware continues to detect the Win32.Worm.Lovgate about every second scan. This seems to happen just after I have downloaded the latest definition file. I "remove" the worm and then I get clean scans for a day or two. Then it shows up again. I am uploading the Ad-Aware log file from my latest scan. I would appreciate any help you can give me as I am not sure whether this is a "false positive" or the real thing.

For some reason I cannot upload the file so am copying and pasting it here:

MSG [1924] 2009/02/23 10:55:47: Configure new scan with profile: full
MSG [1924] 2009/02/23 10:55:47: -> scanning critical objects
MSG [1924] 2009/02/23 10:55:47: -> scanning running processes
MSG [1924] 2009/02/23 10:55:47: -> scanning registry
MSG [1924] 2009/02/23 10:55:47: -> scanning lsp
MSG [1924] 2009/02/23 10:55:47: -> scanning ads
MSG [1924] 2009/02/23 10:55:47: -> scanning hosts file
MSG [1924] 2009/02/23 10:55:47: -> scanning mru objects
MSG [1924] 2009/02/23 10:55:47: -> scanning browser hijacks
MSG [1924] 2009/02/23 10:55:47: -> scanning cookies
MSG [1924] 2009/02/23 10:55:47: -> neutralizing rootkits
MSG [1924] 2009/02/23 10:55:47: -> use spyware heuristics
MSG [1924] 2009/02/23 10:55:47: -> scan archives
MSG [1924] 2009/02/23 10:55:47: -> file size limit = 20480 kB (0 = unlimited)
MSG [1924] 2009/02/23 10:55:47: -> scan file/path = C:\
MSG [2760] 2009/02/23 11:28:08: Scan was completed in 1941 seconds
MSG [2760] 2009/02/23 11:28:08: Objects processed: 134431, infections detected: 13
MSG [2888] 2009/02/23 11:42:21: Remediating 13 infections
MSG [2888] 2009/02/23 11:42:22: Infections quarantined: 0, removed: 13, repaired: 0
MSG [2888] 2009/02/23 11:42:22: Infections ignored by remediation: 0 (0 whitelisted, 0 skipped).
MSG [1924] 2009/02/23 11:42:22: Dumping scan report:
Logfile created: 2/23/2009 10:55:47
Lavasoft Ad-Aware version: 8.0
Extended engine version: 8.1
User performing scan: Alan

*********************** Definitions database information ***********************
Lavasoft definition file: 146.14
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Full Scan (ID: full)
Objects scanned: 134431
Objects detected: 13


Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 12
Folders.........: 0
LSPs............: 0
Cookies.........: 1
Browser hijacks.: 0
MRU objects.....: 0



Removed items:
Description: *2o7* Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0
Description: C:\Program Files\Roxio\Easy Media Creator 8\VideoCore\AudioSrc.ax Family Name: Win32.Worm.LovGate Clean status: Success Item ID: 567252 Family ID: 1192
Description: C:\Program Files\Roxio\Easy Media Creator 8\VideoCore\ColorSpConv.dll Family Name: Win32.Worm.LovGate Clean status: Success Item ID: 567263 Family ID: 1192
Description: C:\Program Files\Roxio\Easy Media Creator 8\VideoCore\DeInter.ax Family Name: Win32.Worm.LovGate Clean status: Success Item ID: 567255 Family ID: 1192
Description: C:\Program Files\Roxio\Easy Media Creator 8\VideoCore\GraphBuilder.dll Family Name: Win32.Worm.LovGate Clean status: Success Item ID: 567248 Family ID: 1192
Description: C:\Program Files\Roxio\Easy Media Creator 8\VideoCore\ImageSource.ax Family Name: Win32.Worm.LovGate Clean status: Success Item ID: 569470 Family ID: 1192
Description: C:\Program Files\Roxio\Easy Media Creator 8\VideoCore\LVMAsync.ax Family Name: Win32.Worm.LovGate Clean status: Success Item ID: 567251 Family ID: 1192
Description: C:\Program Files\Roxio\Easy Media Creator 8\VideoCore\LVMWriter.ax Family Name: Win32.Worm.LovGate Clean status: Success Item ID: 567244 Family ID: 1192
Description: C:\Program Files\Roxio\Easy Media Creator 8\VideoCore\MGINullIP.ax Family Name: Win32.Worm.LovGate Clean status: Success Item ID: 567258 Family ID: 1192
Description: C:\Program Files\Roxio\Easy Media Creator 8\VideoCore\PlasmaCGFilter.ax Family Name: Win32.Worm.LovGate Clean status: Success Item ID: 567264 Family ID: 1192
Description: C:\Program Files\Roxio\Easy Media Creator 8\VideoCore\VCGCapture.dll Family Name: Win32.Worm.LovGate Clean status: Success Item ID: 567261 Family ID: 1192
Description: C:\Program Files\Roxio\Easy Media Creator 8\VideoCore\VCPMorph3D.dll Family Name: Win32.Worm.LovGate Clean status: Success Item ID: 567256 Family ID: 1192
Description: C:\Program Files\Roxio\Easy Media Creator 8\VideoCore\vCutList.ax Family Name: Win32.Worm.LovGate Clean status: Success Item ID: 567246 Family ID: 1192

Scan and cleaning complete: Finished correctly after 1941 seconds

*********************************** Settings ***********************************

Scan profile:
ID: full, enabled:1, value: Full Scan
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: true
ID: scanhostsfile, enabled:1, value: true
ID: scanmru, enabled:1, value: true
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: folderstoscan, enabled:1, value: C:\
ID: scanrootkits, enabled:1, value: true
ID: usespywareheuristics, enabled:1, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: true
ID: onlyexecutables, enabled:1, value: false
ID: skiplargerthan, enabled:1, value: 20480

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:
<Empty>

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently
ID: displaystatus, enabled:1, value: false
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: autodetectproxy, enabled:1, value: false
ID: useautoconfigscript, enabled:1, value: false
ID: autoconfigurl, enabled:0, value:
ID: useproxy, enabled:1, value: false
ID: proxyserver, enabled:0, value:
ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily, enabled:1, value: Daily
ID: time, enabled:1, value: Wed Jan 21 11:27:00 2009
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly, enabled:1, value: Weekly
ID: time, enabled:1, value: Wed Jan 21 11:27:00 2009
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: true
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: Sedona.eGL, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: processprotection, enabled:1, value: true
ID: registryprotection, enabled:0, value: false
ID: networkprotection, enabled:0, value: false
ID: loadatstartup, enabled:1, value: true
ID: usespywareheuristics, enabled:0, value: false
ID: extendedengine, enabled:0, value: false
ID: useheuristics, enabled:0, value: false
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant


****************************** System information ******************************
Computer name: N-E9BC2E6837744
Processor name: Intel® Pentium® D CPU 2.80GHz

------------------------------------------------------------------------------------------------------------
QUOTE(LS Andy @ Feb 17 2009, 03:27 AM) *
Hi everyone,

Thanks for your posts. Starwalker & Malik, I have carried out an investigation on the entire Win32.Worm.Lovgate family in our database and have discovered that several files that do not display malicious behaviour were listed in the database, which will be removed as of the next update. The subsequent beta test I performed on the FPs shows that they have been removed from the beta definition file.

The FPs will not be included as of the next update (scheduled to be 0146.0012). In the meantime, you can remove them from quarantine and add them to your ignore list. However, if you are still having problems after the next update, please let me know.

Regards,

Andy
Lavasoft Malware Labs
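
A triage aid for a report like the one starwalker pasted, added here as an example and not part of the original thread or of Lavasoft's tooling: it parses the "Removed items" lines and lists families whose file detections all sit in a single directory. The function names and the single-directory heuristic with its min_files threshold are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Four "Removed items" lines copied from the report pasted above.
SAMPLE = r"""
Description: *2o7* Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0
Description: C:\Program Files\Roxio\Easy Media Creator 8\VideoCore\AudioSrc.ax Family Name: Win32.Worm.LovGate Clean status: Success Item ID: 567252 Family ID: 1192
Description: C:\Program Files\Roxio\Easy Media Creator 8\VideoCore\VCGCapture.dll Family Name: Win32.Worm.LovGate Clean status: Success Item ID: 567261 Family ID: 1192
Description: C:\Program Files\Roxio\Easy Media Creator 8\VideoCore\vCutList.ax Family Name: Win32.Worm.LovGate Clean status: Success Item ID: 567246 Family ID: 1192
"""

ITEM = re.compile(
    r"^Description: (?P<desc>.+?) Family Name: (?P<family>.+?) "
    r"Clean status: (?P<status>\S+) Item ID: (?P<item>\d+) Family ID: (?P<fid>\d+)\s*$"
)

def parse_items(report):
    """Return one dict per 'Description: ...' line; other lines are skipped."""
    return [m.groupdict() for line in report.splitlines() if (m := ITEM.match(line.strip()))]

def group_by_family_and_dir(items):
    """Map (family, parent directory) -> file names, for file detections only."""
    groups = defaultdict(list)
    for it in items:
        path = PureWindowsPath(it["desc"])
        if path.drive:  # cookie entries such as *2o7* carry no drive letter
            groups[(it["family"], str(path.parent))].append(path.name)
    return dict(groups)

def fp_candidates(items, min_files=3):
    """Heuristic (an assumption, not a Lavasoft rule): a family whose file
    detections all sit in one directory, with at least min_files hits, looks
    like a signature matching one vendor's components and is worth reporting."""
    groups = group_by_family_and_dir(items)
    dirs_per_family = defaultdict(set)
    for family, directory in groups:
        dirs_per_family[family].add(directory)
    return {
        key: sorted(names) for key, names in groups.items()
        if len(dirs_per_family[key[0]]) == 1 and len(names) >= min_files
    }

if __name__ == "__main__":
    for (family, directory), names in fp_candidates(parse_items(SAMPLE)).items():
        print(f"{family}: {len(names)} files in {directory}: {', '.join(names)}")
```

A hit from this check is only a reason to submit the log and samples to the vendor; it does not show that the files are clean.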

LS Anders
Hello

Those False positives should now be removed.


Regards
LS Anders
starwalker
Thanks for your attention to this issue. No more false positives have shown up for about a week now. :)
LS Pekka
QUOTE(starwalker @ Mar 5 2009, 08:25 PM) *
Thanks for your attention to this issue. No more false positives have shown up for about a week now. :)


I'm glad it sorted out :)

Thanks for reporting the issue!

Regards,

LS Pekka

Lavasoft Malware Labs
general ike
I am new to all this but I am still seeing this "virus" when I run my full scan. My update definition is 01470001. What up? What should I do next? Defender is not finding it. Thanks ike :unsure:
LS Anders
Hello general ike

Thank you for reporting this. Could I please ask you to upload a log file from when the file is detected so that we can investigate this further.

For detailed instructions of how to post the log file please see: http://www.lavasoftsupport.com/index.php?showtopic=18033

Regards
LS Anders
general ike
Dear LS Anders, sorry for my slowness to respond. I thought I set the post to email me for a reply and did not physically check it until now. The good news is that my last scan did not bring it up, so the updates seem to have corrected it. I will repost if it returns!! Thanks again. ike
LS Pekka
QUOTE(general ike @ Apr 2 2009, 03:42 AM) *
Dear LS Anders, sorry for my slowness to respond. I thought I set the post to email me for a reply and did not physically check it until now. The good news is that my last scan did not bring it up, so the updates seem to have corrected it. I will repost if it returns!! Thanks again. ike


I'm glad it sorted out :)

LS Pekka
theycallmemom
Hello!

I've got the same thing on my computer. Last week it quarantined 2 files, and today it's added quite a few more.
Is this still a false positive?

I'm new to this forum and I apologize if I'm supposed to start a new thread, but here's my log scan.

TGIF! Thank you!
LS Pekka
QUOTE(theycallmemom @ Apr 3 2009, 09:58 PM) *
Hello!

I've got the same thing on my computer. Last week it quarantined 2 files, and today it's added quite a few more.
Is this still a false positive?

I'm new to this forum and I apologize if I'm supposed to start a new thread, but here's my log scan.

TGIF! Thank you!


Hi!

The reply is provided at http://www.lavasoftsupport.com/index.php?s...mp;#entry101005

Regards,

LS Pekka

Lavasoft Malware Labs
LS CalamityJane
Since it appears this issue has now been resolved, I am moving this topic to the *Resolved* archives (read only).

If anyone is still having this same problem, please feel free to post a new topic.

Now closing this thread.