
spyware.password false positive?


polarburn

This past Tuesday we initiated a scan with the Barracuda Malware Removal Tool (Malwarebytes Antimalware, I presume?) on several machines after some suspicious browser behavior.  Four infections were detected on each machine:

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\csc (Spyware.Password)

 

C:\Windows\System32\drivers\csc.sys (Spyware.Password)

 

C:\Windows\winsxs\Backup\x86_microsoft-windows-offlinefiles-core_31bf3856ad364e35_6.1.7601.17514_none_a04fb2d2ba296321_csc.sys_06be9334 (Spyware.Password)

 

C:\Windows\winsxs\x86_microsoft-windows-offlinefiles-core_31bf3856ad364e35_6.1.7601.17514_none_a04fb2d2ba296321\csc.sys (Spyware.Password)

 

I then decided to randomly scan machines.  Each machine I scanned had the exact same four files detected.

 

Is this a false positive?  I've attached one of the logs.

 

-pb

bmrt-log-2013-08-29 (15-58-46).txt


Hi,

 

Your version of Barracuda is really outdated, which explains this misdetection. Please update your Barracuda build to 1.75.0.1300.

Then let me know if you are still having the same problem/detections.

 

Thanks

What are you referring to when you say Barracuda build?  Our energize updates are all current and none of the current versions are in the 1's (1.75.......)

 

-pb


Hi,

The scan you did was with "Barracuda Malware Removal Tool 1.46".

This needs to be updated to the latest build, 1.75.0.1300, because what you are using is a really outdated version, which explains these misdetections.

The tool is downloaded directly from the Barracuda.  When I check for updates within the application after installing it reports that it is up to date.  What is the process to update the tool so the current version is downloadable from the Barracuda?

 

Thanks,

 

-pb


Scanning with the most current version from your website did not reveal the same infections.  My question now is, how do I restore the quarantined files on the scanned machines?  When I say restore all, it only restores two of the files.  I can go back in and say restore all and they disappear as if restored, but when I launch the Barracuda Malware Removal Tool again the two files are still showing as being quarantined.

 

Thanks,

 

-pb


  • Staff

Hi,

 

Were you able to restore this file?

C:\Windows\System32\drivers\csc.sys

Can you verify this?

If you couldn't restore the two others, it's not such a big deal since that's only a backup location. It might be because of the restrictions on the winsxs folder that mbam has problems restoring it properly there.


Yes, I was only unable to restore the two files in C:\windows\winsxs

 

-pb
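
One way to run the verification asked for above on each scanned machine, as an added example that is not part of the thread and not Barracuda's or Malwarebytes' own tooling. It uses only the paths and registry key from the scan results; the winsxs wildcard (any architecture prefix and component version) is an assumption, and the `sfc` step needs an elevated prompt.

```powershell
# Added example; paths and key name are the ones listed in the scan results above.
$driver  = Join-Path $env:windir 'System32\drivers\csc.sys'
$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\csc'
# Assumption: wildcard covers the x86_ prefix from the log and any other build.
$sxsGlob = Join-Path $env:windir 'winsxs\*_microsoft-windows-offlinefiles-core_*\csc.sys'

function Get-Sha256Hex([string]$Path) {
    # .NET hashing, so the check does not depend on Get-FileHash being available.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { return ([System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '') }
    finally { $fs.Close(); $sha.Clear() }
}

# 1. Is the driver file back in place after the quarantine restore?
if (-not (Test-Path -LiteralPath $driver)) {
    Write-Output "MISSING  $driver"
} else {
    $hash = Get-Sha256Hex $driver
    Write-Output "PRESENT  $driver"
    Write-Output "SHA256   $hash"

    # 2. Compare it with whatever component store copies are still present.
    #    A copy from an older, superseded build may legitimately differ.
    $copies = @(Get-ChildItem -Path $sxsGlob -ErrorAction SilentlyContinue)
    if ($copies.Count -eq 0) { Write-Output 'WINSXS   no csc.sys copy found' }
    foreach ($c in $copies) {
        $state = if ((Get-Sha256Hex $c.FullName) -eq $hash) { 'match' } else { 'differs' }
        Write-Output "WINSXS   $state  $($c.FullName)"
    }
}

# 3. Was the service key restored along with the file?
$svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
if ($svc) {
    Write-Output "SERVICE  ImagePath=$($svc.ImagePath) Start=$($svc.Start)"
} else {
    Write-Output "MISSING  $svcKey"
}

# 4. Ask Windows Resource Protection to verify the restored file.
& sfc.exe "/verifyfile=$driver"
```

Running the same script on a machine that was never scanned with the outdated build gives a reference hash to compare against.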
