False positive or real issue? Win32trojandropper.other?
rossipsu1
Hi all...

I just upgraded to the new Adaware Anniversary edition, and I'm now getting a 10 TAI hit with a registry entry. It comes up as "Win32trojandropper.other" (pretty non-specific) and identifies a registry entry as "HKU:S-1-5-...software/winsystem:". It doesn't allow me to see the entire registry entry, though.

Malwarebytes and Windows Defender do *not* identify this registry key as an issue.

I've tried to delete and then quarantine, but no matter what I do, it will continue to show up in my next full Adaware scan.

Tx

Dave
LS Anders
Hello rossipsu1

Thank you for reporting this. For us to be able to take a closer look at this could you please post a log file from when the item was detected.
For more instructions on how to post the log file please see:
http://www.lavasoftsupport.com/index.php?showtopic=18033

Regards
LS Anders
rossipsu1
QUOTE(LS Anders @ Apr 26 2009, 12:34 PM) *
Hello rossipsu1

Thank you for reporting this. For us to be able to take a closer look at this could you please post a log file from when the item was detected.
For more instructions on how to post the log file please see:
http://www.lavasoftsupport.com/index.php?showtopic=18033

Regards
LS Anders


Sure!!!

Here ya go...

Tx

Dave
rikard
If I can jump in on this topic, I also have a problem with possible false positives, since they didn't seem to do anything. On my full scan (Ad-Aware AE) it picked them up and they are quarantined now.
They are Win32.TrojanDropper.Delf.

This is what was written in my aaw7boot notepad after I took the recommended action.

Boot Cleaner
================================================================================

[~] Cleaning started at 2009-04-25 16:22
[~] Preparing to execute queued commands
[~] Deleting file: C:\Program Files\vvsn\VVSN.exe
[~] Deleting file: C:\Program Files\VVSN\VVSN.exe
[~] Deleting file: C:\Program Files\GRETECH\GomPlayer\Dodge.dll
[~] Finished processing queued commands

and for the other file

Boot Cleaner
================================================================================

[~] Cleaning started at 2009-04-26 14:39
[~] Preparing to execute queued commands
[~] Deleting file: C:\System Volume Information\_restore{3A72B4B1-4884-49AD-8270-BA5F58A5828B}\RP22\A0003563.exe
[~] Deleting file: C:\System Volume Information\_restore{3A72B4B1-4884-49AD-8270-BA5F58A5828B}\RP22\A0003562.dll
[~] Finished processing queued commands


Thank you for your help.
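To make the aaw7boot "Boot Cleaner" excerpts above easier to work with, here is an added parser (example code, not Lavasoft's or Ad-Aware's own; the sample text is constructed from the two logs quoted in this post). It splits the log into cleaning sessions, lists the deleted paths, flags copies that live inside a System Restore point rather than in the installed location, and de-duplicates paths that differ only in case.

```python
import re
from datetime import datetime

# Constructed sample: the two aaw7boot "Boot Cleaner" logs quoted in the post above.
SAMPLE_LOG = r"""Boot Cleaner
================================================================================
[~] Cleaning started at 2009-04-25 16:22
[~] Preparing to execute queued commands
[~] Deleting file: C:\Program Files\vvsn\VVSN.exe
[~] Deleting file: C:\Program Files\VVSN\VVSN.exe
[~] Deleting file: C:\Program Files\GRETECH\GomPlayer\Dodge.dll
[~] Finished processing queued commands
Boot Cleaner
================================================================================
[~] Cleaning started at 2009-04-26 14:39
[~] Deleting file: C:\System Volume Information\_restore{3A72B4B1-4884-49AD-8270-BA5F58A5828B}\RP22\A0003563.exe
[~] Deleting file: C:\System Volume Information\_restore{3A72B4B1-4884-49AD-8270-BA5F58A5828B}\RP22\A0003562.dll
[~] Finished processing queued commands
"""

STARTED = re.compile(r"^\[~\] Cleaning started at (\d{4}-\d{2}-\d{2} \d{2}:\d{2})$")
DELETED = re.compile(r"^\[~\] Deleting file: (.+)$")
# System Restore keeps renamed copies (A00nnnnnn.*) under _restore{GUID}\RPnn\
RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\(RP\d+)\\", re.I)

def parse_boot_cleaner(text):
    """Return one dict per cleaning session: {'started': datetime, 'deleted': [paths]}."""
    sessions = []
    for line in text.splitlines():
        m = STARTED.match(line)
        if m:
            started = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            sessions.append({"started": started, "deleted": []})
            continue
        m = DELETED.match(line)
        if m and sessions:           # other "[~]" status lines are ignored
            sessions[-1]["deleted"].append(m.group(1))
    return sessions

def restore_point_of(path):
    """'RP22' for a copy held in a System Restore point, None for a live file."""
    m = RESTORE_POINT.search(path)
    return m.group(1) if m else None

def unique_paths(sessions):
    # NTFS paths are case-insensitive: vvsn\VVSN.exe and VVSN\VVSN.exe are one file.
    seen = {}
    for s in sessions:
        for p in s["deleted"]:
            seen.setdefault(p.lower(), p)
    return list(seen.values())
```

Paths flagged with a restore-point id are snapshots of files that were removed elsewhere, which is why the same DLL can show up twice under different names, once live and once as an A00nnnnnn copy.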
LS Anders
Hello Rikard

Could you please post the log file from when the files were first created.

For more information about how to post a log file please see:
http://www.lavasoftsupport.com/index.php?showtopic=18033


Regards
LS Anders
rikard
Hello, sorry for replying so late.
Here are the log files of the scans when those possible false positives were detected.

Note: On the scan log (2009-04-26-16-06-19) the suspected file was detected after performing a full scan (as you will see, I had some scans stopped prior to that), so keep that in mind in case you have problems finding it.

Thanks for your help
LS Pekka
QUOTE(rikard @ Apr 29 2009, 12:37 AM) *
Hello, sorry for replying so late.
Here are the log files of the scans when those possible false positives were detected.

Note: On the scan log (2009-04-26-16-06-19) the suspected file was detected after performing a full scan (as you will see, I had some scans stopped prior to that), so keep that in mind in case you have problems finding it.

Thanks for your help


Hi rikard!

Thanks for providing the log files!
We will investigate the issue further and remove the objects from detection if they turn out to be false positives.

Regards,

LS Pekka

Lavasoft Malware Labs
rikard
QUOTE(LS Pekka @ Apr 29 2009, 08:27 AM) *
Hi rikard!

Thanks for providing the log files!
We will investigate the issue further and remove the objects from detection if they turn out to be false positives.

Regards,

LS Pekka

Lavasoft Malware Labs



Thank you for that, but I was hoping that you would tell me through this forum whether they were indeed false positives or not.
I would like to know.

Tnx
rossipsu1
QUOTE(rikard @ Apr 29 2009, 11:37 PM) *
Thank you for that, but I was hoping that you would tell me through this forum whether they were indeed false positives or not.
I would like to know.

Tnx

...yeah, I'm in the same boat. I'm waiting to see if this *is* a false positive or not.
spike-nz
You will be advised either way, through this thread.

Spike
LS Pekka
Hi rikard and rossipsu1!

(comments to Scan_2009_04_25_16_55_40.log posted by rikard)

The folder C:\Program Files\vvsn and the file C:\Program Files\VVSN\VVSN.exe are associated with the "WhenU" adware family and therefore not FPs.

The Dodge.dll object (detected as Win32.TrojanDropper.Delf) has been removed from detection as it was considered to be a falsely detected object.

----

(comments to Scan_2009_04_26_16_06_19.log posted by rikard)


The file,
>>> Quarantined items:
>>> Description: C:\System Volume Information\_restore{3A72B4B1-4884-49AD-8270-BA5F58A5828B}\RP22\A0003563.exe Family Name: WhenU Clean status: Success Item ID: 133364 Family ID: 786

is associated with the "WhenU" adware family and therefore not a FP.

The file,
>>> Description: C:\System Volume Information\_restore{3A72B4B1-4884-49AD-8270-BA5F58A5828B}\RP22\A0003562.dll Family Name: Win32.TrojanDropper.Delf Clean status: Success Item ID: 670603 Family ID: 1385

has been removed from detection as it was considered to be a falsely detected object.

----

(comments to Scan_2009_04_23_22_38_22.log posted by rossipsu1)

The detection of the registry object,
>>> Quarantined items:
>>> Description: HKU:S-1-5-21-1844237615-1450960922-725345543-2116\software\winsystem: Family Name: Win32.TrojanDropper.Other Clean status: Success Item ID: 22782 Family ID: 525

is considered to be a false positive and it will be removed from detection. Users may put this item in the "ignore list" until the next core-detection-file-update.

Regards,

LS Pekka

Lavasoft Malware Labs
rikard
OK.
Thank you for your help.

Just one more thing... What do you recommend that I should do now? Should I take those FPs out of the quarantine or just leave them there? In general, what should someone do after this?
LS Pekka
QUOTE(rikard @ Apr 30 2009, 02:05 PM) *
OK.
Thank you for your help.

Just one more thing... What do you recommend that I should do now? Should I take those FPs out of the quarantine or just leave them there? In general, what should someone do after this?


Hi rikard!

If you use, or have use for, the falsely detected object ("Dodge.dll", associated with "GOM Player", a free multimedia player), you can restore it from the quarantine.

The other falsely detected object ("A0003562.dll", also "Dodge.dll", associated with "GOM Player", a free multimedia player) was detected within System Restore (associated with a specific system restore point), and that object could also be restored from the quarantine if you wish to do so.

If you have no use for the objects (associated with "GOM Player"), you can restore the files from quarantine and then uninstall them correctly using the uninstaller of the "mother-application".


Regards,

LS Pekka

Lavasoft Malware Labs

rossipsu1
Great...thanks so much for the help!!!

LS Pekka
QUOTE(rossipsu1 @ May 1 2009, 04:14 AM) *
Great...thanks so much for the help!!!


I am glad it got sorted out.

LS Pekka

Lavasoft Malware Labs