Full Version: Win32.TrojanDropper.Delf
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive False Postive Issues
steve2uk
AdAware triggered an alert during install and scan after install of torrentprivacy.exe - is this a false positive?

MSG [6084] 2009/04/30 22:20:28: C:\torrentprivacy\torrentprivacy.exe (diagnosis: Malware family: Win32.TrojanDropper.Delf) => Block
LS Pekka
QUOTE(steve2uk @ Apr 30 2009, 07:10 PM) *
AdAware triggered an alert during install and scan after install of torrentprivacy.exe - is this a false positive?

MSG [6084] 2009/04/30 22:20:28: C:\torrentprivacy\torrentprivacy.exe (diagnosis: Malware family: Win32.TrojanDropper.Delf) => Block



Hi steve2uk!

Would it be possible for you to upload the full log file of the Ad-Aware scan that detected the object?
Guidelines for posting false positives are presented here,

http://www.lavasoftsupport.com/index.php?showtopic=18033

Regards,

LS Pekka

Lavasoft Malware Labs
tecnobab
Hello, LS Pekka,

I don't know if Steve2uk did send the requested files, but I got the same detection.
Please find thereafter the requested log file and the zipped suspected file.

As additional information, Spybot Search and Destroy and Clamwin do not (yet) detect them.

Please let us know (steve2uk and me) the result.

Bye.



QUOTE(LS Pekka @ Apr 30 2009, 09:29 PM) *
Hi steve2uk!

Would it be possible for you to upload the full log file of the Ad-Aware scan that detected the object?
Guidelines for posting false positives are presented here,

http://www.lavasoftsupport.com/index.php?showtopic=18033

Regards,

LS Pekka

Lavasoft Malware Labs
LS Anders
Hello tecnobab

Thank you for uploading the file. This file will be removed from detection with the next definition update.


Regards
LS Anders
steve2uk
Apologies & thanks.......

I have just seen the LS & tecnobab posts (alerted by e-mail - but only after tecnobab's post). I had tried to attach the torrentprivacy file to my original post - but in .exe form rather than zipped..... so it was excluded (apologies for that)

Thanks to tecnobab's parallel post (and much more proficient use of attachments than I managed), I now know it was indeed a false positive.
kauaisis
Hi! I also found a trojan during a scan today and I'm hoping it's a false positive also. I hope I'm attaching the correct info. I saved the log to my desktop so I'm attaching that. I tried looking for the log according to your instructions, but I'm not able to find "all users/app/lavasoft...." at all! I also don't know how to find the quarantined file.

Thanks and if I need to look again, let me know.
LS Andy
Hi kauaisis,

Don't worry about locating the quarantined file, the log file had all the info I needed. The file that was detected was removed from detection as of definition file 0148.0032. I noticed from the scan log that the most recent definition file on your machine is 0148.0031. Update Ad-Aware and you'll be good to go! Thanks for taking the time to post so much information - it was really helpful.

Regards,

Andy
Lavasoft Malware Labs
kllgh09
I read your "how to report false positives" section, but am so new to this I'm not sure I did it right. The log should be attached. AdWare detected the Win32.TrojanDropper.Delf when I ran a full scan. Prior to this scan my laptop wouldn't open up as usual and it was acting very strange. It said that the possible virus was located in C:\Program Files\VSO\DivxtoDVD\Wins000.exe

If I attempted this incorrectly, please let me know. I'm not sure whether or not this is the culprit or not. My antivirus also detected malware Win32:Trojan-gen Filename: Anydvd-patch.exe

Any help would be wonderful ... thanks in advance!
LS Pekka
QUOTE(kllgh09 @ May 29 2009, 11:17 AM) *
I read your "how to report false positives" section, but am so new to this I'm not sure I did it right. The log should be attached. AdWare detected the Win32.TrojanDropper.Delf when I ran a full scan. Prior to this scan my laptop wouldn't open up as usual and it was acting very strange. It said that the possible virus was located in C:\Program Files\VSO\DivxtoDVD\Wins000.exe

If I attempted this incorrectly, please let me know. I'm not sure whether or not this is the culprit or not. My antivirus also detected malware Win32:Trojan-gen Filename: Anydvd-patch.exe

Any help would be wonderful ... thanks in advance!


Hi kllgh09!

Thanks for posting!

The described issue seems however not to be related to this thread (same malware family discussed, Win32.TrojanDropper.Delf, but different issue) and it should therefore be posted in a new separate thread.

The log-file that was attached did not contain any listings of detected Win32.TrojanDropper.Delf or Win32:Trojan-gen objects (4 cookies were detected though). According to the submitted log-file the scan was performed using the 148.35 definitions. You could try re-scanning your system with updated definitions (the current is 148.39) and submit the log-file from that scan.

The "Anydvd-patch.exe" object that you say was flagged as Win32:Trojan-gen was probably detected by the Antivirus engine (Extended Engine), read more about that here, http://www.lavasoftsupport.com/index.php?showtopic=19734

You state that "Prior to this scan my laptop wouldn't open up as usual and it was acting very strange."
This could be symptoms related to a malware infection. Do you suspect that the objects that you state were detected by Ad-Aware are false positives (i.e. legitimate objects detected falsely by Ad-Aware)?

If you can get hold of the actual files detected you could try uploading them to an online scanning service such as virustotal.com in order to check them. If you suspect that the files were falsely detected by Ad-Aware you can start a new thread at this forum and post the complete scan-log (and/or the files detected) from the scan where the objects were detected (using the latest Ad-Aware definitions, 148.39). More info here, http://www.lavasoftsupport.com/index.php?showtopic=18033

Hope that you find this information helpful!

Regards,

LS Pekka
Themick4U
Hello LAVASOFT Tech Support Team! Greetings from South Florida!

I hope I posted this correctly in the right spot as this is my first need to ask support a question with such a great product that you guys put out!

Listen, We have a network of about 400 computers, all running a secure version of RealVNC.com's WinVNC and the service (exact path/filename: c:\program files\realvnc\vnc4\wm_hooks.dll) which is a critical part of this program but is coming back with this trojan detected: Win32.TrojanDropper.Delf

Is this a false positive or something I should seriously worry about? The WinVNC was downloaded directly from www.realvnc.com's website and I have been using them for 10 years!

I am the Net Admin for local government entity here in Florida and run a tight ship here with the very best in Virus and Spam protection with Barracuda appliances and haven't had any sort of outbreak like this in many years since implementing our ISA 2004 and proxying all of our internet traffic for all of our users, blocking several malicious sites/domains. We have been quite lucky, knock on wood!
Please help with a prompt response as I am not allowing an important user to access his PC until this is further resolved....

Thanks in advance!

-Mick Jacobson
email me at: mjacob@ci.stuart.fl.us. (I have added the domain "lavasoftsupport.com" to our 'whitelist' so I can receive a response properly without it getting filtered by the spam filter.)

Local Florida Government Entity, Network Administrator

LS Andy
Hi Mick,

Thanks for your report. I downloaded the latest version of VNC Viewer/Server but was unable to recreate this detection. Could I ask you to upload the log file of the scan that detected the file? You can find instructions here:

http://www.lavasoftsupport.com/index.php?showtopic=18033

This will give me the detection ID details that will help me investigate this. Thanks.

Regards,

Andy
Lavasoft Malware Labs
Themick4U
Wow Andy! Thanks for the "Rapid-Response!" You guys are the best! I am glad I chose your application to use for many years now for everyone's personal computers that I come across and fix!!

They remain happy, which keeps me happy!

Here is the file including references to the Win32.TrojanDropper.Delf as mentioned in prior email....

Thank you so much for your help and rapid response time! It is very much appreciated and I am sure I am not the only one in the world using WinVNC and Ad-Aware on our personal machines.

-Mickie Jacobson


QUOTE(LS Andy @ Jun 16 2009, 10:46 AM) *
Hi Mick,

Thanks for your report. I downloaded the latest version of VNC Viewer/Server but was unable to recreate this detection. Could I ask you to upload the log file of the scan that detected the file? You can find instructions here:

http://www.lavasoftsupport.com/index.php?showtopic=18033

This will give me the detection ID details that will help me investigate this. Thanks.

Regards,

Andy
Lavasoft Malware Labs
LS Andy
Hi Mickie,

Thanks for uploading the log file. This is a false positive and will be removed from detection as of today's def file update (0148.0054)

Regards,

Andy
Lavasoft Malware Labs
Themick4U
QUOTE(LS Andy @ Jun 17 2009, 05:13 AM) *
Hi Mickie,

Thanks for uploading the log file. This is a false positive and will be removed from detection as of today's def file update (0148.0054)

Regards,

Andy
Lavasoft Malware Labs



Andy,
Thanks so much for looking into this so quickly and getting a definition/solution for this so fast!!! If there is any sort of online QA or support survey that Lavasoft puts out, I would be MORE than happy to fill one out, and in your best interest, for the fantastic job you have done!

Great job and take care! You probably also helped out a ton of other techs potentially looking on this forum for the same solution.

Since there is a def update to resolve it, it will go away and now they will not have to even search for the issue anymore!!

Thank you so much & shoot me over a survey, that I can submit to your top dogs, if you guys even do those things....
-Mickie Jacobson
Network Specialist, SE Florida
LS Andy
Wow!

Glad to help! The new update with the fix was released just a few minutes ago, so update your clients. Let me know if you have any problems.

Regards,

Andy
Lavasoft Malware Labs
HornsbyPete
Hi

Using AdAware Free Anniversary edition, Definition file 148.1 I got a detection of Win32.TrojanDropper.Delf pointing to a freeware program MyPhoneExplorer and the file is C:\Program Files\MyPhoneExplorer\DLL\vbalSGrid6.ocx.

Can I get advice if this is a false positive?

Log file attached.
visitor
QUOTE(HornsbyPete @ Jun 30 2009, 05:49 PM) *
Using AdAware Free Anniversary edition, Definition file 148.1

The current definition file is 148.62 - try updating, they may have already cleared it.
LS Andy
Hi HornsbyPete,

Thanks for your post. This file is a false positive and will be removed as of update 0148.0063.

Regards,

Andy
Lavasoft Malware Labs
LS CalamityJane
Now that these issues have been resolved, I am moving this topic to the Archive area (read only).

If anyone else has any similar issues, please feel free to post a new topic.