Full Version: Win32TrojanDropperDelf - False positive?
Humster`
Just updated Ad-Aware, and Ad-Watch Live just informed me of malware Win32TrojanDropperDelf. I see from previous postings in May that a similar thing happened and this was a false positive. Has the same thing happened again with the latest update?
visitor
http://www.lavasoftsupport.com/index.php?showtopic=25857
QUOTE
0148.0045 is now available for Ad-Aware Anniversary Edition.

Updated definitions:
====================
Win32.TrojanDownloader.Delf


I'll move this to the False Positive Forum so you can sort it out there.
LS Anders
Hello Humster

Thank you for reporting this. Could you please post a log file from when the file is being detected. For more information about posting a log file please see:
http://www.lavasoftsupport.com/index.php?showtopic=18033

Regards
LS Anders
Humster`
QUOTE(LS Anders @ Jun 4 2009, 01:27 PM)
Hello Humster

Thank you for reporting this. Could you please post a log file from when the file is being detected. For more information about posting a log file please see:
http://www.lavasoftsupport.com/index.php?showtopic=18033

Regards
LS Anders


Anders,

Only just seen your post, and in the interim I had updated Ad-Aware AE. No reference to the "previous false positive", however a possible new one has come up:

Malware: Win32Tr.\.\perDelf.
Has the same thing happened again and is this another false positive?

SCAN LOG FOR TROJAN DROPPER DELF WAS

Lavasoft Ad-Aware version: 8.0.5
Extended engine version: 8.1
User performing scan: USER

*********************** Definitions database information ***********************
Lavasoft definition file: 148.45
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Smart Scan (ID: smart)
Objects scanned: 30752
Objects detected: 7


Type Detected
==========================
Processes.......: 1
Registry entries: 0
Hostfile entries: 0
Files...........: 0
Folders.........: 0
LSPs............: 0
Cookies.........: 6
Browser hijacks.: 0
MRU objects.....: 0



Removed items:
Description: *doubleclick* Family Name: Cookies Clean status: Success Item ID: 408875 Family ID: 0
Description: *adtech* Family Name: Cookies Clean status: Success Item ID: 409018 Family ID: 0
Description: *atdmt* Family Name: Cookies Clean status: Success Item ID: 408910 Family ID: 0
Description: *ad.yieldmanager* Family Name: Cookies Clean status: Success Item ID: 409172 Family ID: 0
Description: *apmebf* Family Name: Cookies Clean status: Success Item ID: 409163 Family ID: 0
Description: *mediaplex* Family Name: Cookies Clean status: Success Item ID: 408991 Family ID: 0

Quarantined items:
Description: c:\windows\system32\ssa3d30.ocx Family Name: Win32.TrojanDropper.Delf Clean status: Success Item ID: 936000 Family ID: 1385

Scan and cleaning complete: Finished correctly after 427 seconds

*********************************** Settings ***********************************

Scan profile:
ID: smart, enabled:1, value: Smart Scan
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: false
ID: scanhostsfile, enabled:1, value: false
ID: scanmru, enabled:1, value: false
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: folderstoscan, enabled:1, value:
ID: scanrootkits, enabled:1, value: true
ID: usespywareheuristics, enabled:1, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: false
ID: onlyexecutables, enabled:1, value: true
ID: skiplargerthan, enabled:1, value: 20480

Scan global:
ID: global, enabled:1



THE SECOND "FALSE POSITIVE"? WAS SHOWN FOR

Win32Tr.\.\perDelf.

Logfile created: 04/06/2009 10:39:58
Lavasoft Ad-Aware version: 8.0.5
Extended engine version: 8.1
User performing scan: USER

*********************** Definitions database information ***********************
Lavasoft definition file: 148.44
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Smart Scan (ID: smart)
Objects scanned: 30575
Objects detected: 12


Type Detected
==========================
Processes.......: 1
Registry entries: 0
Hostfile entries: 0
Files...........: 0
Folders.........: 0
LSPs............: 0
Cookies.........: 11
Browser hijacks.: 0
MRU objects.....: 0



Removed items:
Description: *doubleclick* Family Name: Cookies Clean status: Success Item ID: 408875 Family ID: 0
Description: *atdmt* Family Name: Cookies Clean status: Success Item ID: 408910 Family ID: 0
Description: *bs.serving-sys* Family Name: Cookies Clean status: Success Item ID: 408902 Family ID: 0
Description: *serving-sys* Family Name: Cookies Clean status: Success Item ID: 409130 Family ID: 0
Description: *ad.yieldmanager* Family Name: Cookies Clean status: Success Item ID: 409172 Family ID: 0
Description: *apmebf* Family Name: Cookies Clean status: Success Item ID: 409163 Family ID: 0
Description: *mediaplex* Family Name: Cookies Clean status: Success Item ID: 408991 Family ID: 0
Description: *bluestreak* Family Name: Cookies Clean status: Success Item ID: 408904 Family ID: 0
Description: *estat* Family Name: Cookies Clean status: Success Item ID: 408873 Family ID: 0
Description: *adtech* Family Name: Cookies Clean status: Success Item ID: 409018 Family ID: 0
Description: *uk.sitestat* Family Name: Cookies Clean status: Success Item ID: 409118 Family ID: 0

Quarantined items:
Description: c:\windows\system32\ssa3d30.ocx Family Name: Win32.TrojanDropper.Delf Clean status: Success Item ID: 936000 Family ID: 1385

Scan and cleaning complete: Finished correctly after 345 seconds

*********************************** Settings ***********************************

Scan profile:
ID: smart, enabled:1, value: Smart Scan
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: false
ID: scanhostsfile, enabled:1, value: false
ID: scanmru, enabled:1, value: false
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: folderstoscan, enabled:1, value:
ID: scanrootkits, enabled:1, value: true
ID: usespywareheuristics, enabled:1, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: false
ID: onlyexecutables, enabled:1, value: true
ID: skiplargerthan, enabled:1, value: 20480

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:
<Empty>

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently
ID: displaystatus, enabled:1, value: false
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: autodetectproxy, enabled:1, value: false
ID: useautoconfigscript, enabled:1, value: false
ID: autoconfigurl, enabled:0, value:
ID: useproxy, enabled:1, value: false
ID: proxyserver, enabled:0, value:
ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily, enabled:1, value: Daily
ID: time, enabled:1, value: Thu Feb 05 05:39:00 2009
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly, enabled:1, value: Weekly
ID: time, enabled:1, value: Thu Feb 05 05:39:00 2009
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: true
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: processprotection, enabled:1, value: true
ID: registryprotection, enabled:0, value: false
ID: networkprotection, enabled:0, value: false
ID: loadatstartup, enabled:1, value: true
ID: usespywareheuristics, enabled:0, value: false
ID: extendedengine, enabled:0, value: false
ID: useheuristics, enabled:0, value: false
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant


****************************** System information ******************************
Computer name: ACER-C5B576C93C


Hope this helps,

Humster
LS Anders
Thank you for uploading the log file. We will re-investigate the file and if it is found to be a false positive it will be removed from detection.


Regards
LS Anders
LS Anders
Update: The file will be removed from detection with the next definition file update.

/LS Anders
jayd0gg
QUOTE(LS Anders @ Jun 5 2009, 12:04 AM)
Update: The file will be removed from detection with the next definition file update.

/LS Anders


I have exactly the same problem. I just downloaded the new update and Ad-Aware is still finding this file. Am I correct in thinking that this is definitely a false positive? I thought it would disappear after the update but unfortunately it wasn't the case.
Any suggestions as to what to do next? AVG doesn't find anything when I scan the system, so I am more than a little bit confused!!
visitor
QUOTE(LS Anders @ Jun 4 2009, 07:04 AM)
The file will be removed from detection with the next definition file update.

QUOTE(jayd0gg @ Jun 4 2009, 04:11 PM)
I just downloaded the new update and Adaware is still finding this file. I am correct in thinking that this is definitely a false positive? I thought it would disappear after the update but unfortunately it wasn`t the case.

There was no update in the 9 hrs between these posts. Try again when def version 148.0046 is released.
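The point in the reply above is that the log itself records which definition file produced the detection, so a reader can tell whether the "still detected" report came from definitions that predate the promised fix. The following is an added example (not code from Lavasoft or from any poster in this thread) that parses the Ad-Aware log format shown in Humster's post, normalises the definition version (the log writes "148.44", the announcement writes "0148.0045", the reply writes "148.0046"; these are the same numbering with zero padding), and classifies each quarantined item against a small table of known false positives. The table entry, the fix version 148.0046, and the trimmed sample log are taken from this thread; the `FP_FIXED_IN` table, the verdict labels and the function names are assumptions of this example.

```python
import re
from typing import NamedTuple

# Constructed sample: a trimmed copy of the second scan log posted in this thread.
SAMPLE_LOG = r"""Logfile created: 04/06/2009 10:39:58
Lavasoft Ad-Aware version: 8.0.5
Extended engine version: 8.1

*********************** Definitions database information ***********************
Lavasoft definition file: 148.44
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Objects scanned: 30575
Objects detected: 12

Removed items:
Description: *doubleclick* Family Name: Cookies Clean status: Success Item ID: 408875 Family ID: 0

Quarantined items:
Description: c:\windows\system32\ssa3d30.ocx Family Name: Win32.TrojanDropper.Delf Clean status: Success Item ID: 936000 Family ID: 1385

Scan and cleaning complete: Finished correctly after 345 seconds
"""


class Detection(NamedTuple):
    path: str
    family: str
    status: str
    item_id: int
    family_id: int


# One "Description: ... Family ID: N" record as written in the log's item sections.
ITEM_RE = re.compile(
    r"Description:\s*(?P<desc>.+?)\s+Family Name:\s*(?P<family>.+?)\s+"
    r"Clean status:\s*(?P<status>\S+)\s+Item ID:\s*(?P<item>\d+)\s+Family ID:\s*(?P<fam>\d+)"
)


def version_key(text: str) -> tuple:
    """'148.44', '0148.0045' and '148.0046' compare numerically, ignoring zero padding."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_def_version(log: str) -> tuple:
    """Return the 'Lavasoft definition file' version recorded in the log."""
    m = re.search(r"^Lavasoft definition file:\s*(\S+)\s*$", log, re.M)
    if not m:
        raise ValueError("log has no 'Lavasoft definition file' line")
    return version_key(m.group(1))


def parse_items(log: str, section: str = "Quarantined items:") -> list:
    """Collect the records under one section header; a blank line ends the section."""
    items, in_section = [], False
    for line in log.splitlines():
        if line.strip() == section:
            in_section = True
            continue
        if not in_section:
            continue
        if not line.strip():
            break
        m = ITEM_RE.match(line.strip())
        if m:
            items.append(Detection(m["desc"], m["family"], m["status"],
                                   int(m["item"]), int(m["fam"])))
    return items


# Assumed table (from this thread): family + path of a known false positive, and the
# first definition version expected to no longer flag it.
FP_FIXED_IN = {
    ("Win32.TrojanDropper.Delf", r"c:\windows\system32\ssa3d30.ocx"): version_key("148.0046"),
}


def triage(log: str):
    """Classify each quarantined item relative to the definition version that produced it."""
    defs = parse_def_version(log)
    verdicts = []
    for d in parse_items(log):
        fix = FP_FIXED_IN.get((d.family, d.path.lower()))
        if fix is None:
            verdict = "review"                      # not a known false positive; investigate
        elif defs < fix:
            verdict = "known-fp-pending-update"     # detection predates the fix; update first
        else:
            verdict = "still-detected-after-fix"    # fix version present yet still flagged; escalate
        verdicts.append((d.path, d.family, verdict))
    return defs, verdicts


if __name__ == "__main__":
    defs, verdicts = triage(SAMPLE_LOG)
    print("definition file:", ".".join(str(p) for p in defs))
    for path, family, verdict in verdicts:
        print(f"{verdict:28} {family}  {path}")
```

Run against the sample, the tool reports definition file 148.44 and marks the ssa3d30.ocx hit as a known false positive awaiting the 148.0046 update, which is exactly the reasoning in the reply above; a log produced with 148.0046 or later that still lists the file would instead come back as "still-detected-after-fix", the case that does warrant a new report.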
