A False Positive?


Bellzemos

18.7.2009 1:41:17

mbam-log-2009-07-18 (01-41-17).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 132801

Time elapsed: 11 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Files Infected:

c:\program files\WinRAR\Default.SFX (Spyware.Banker) -> Quarantined and deleted successfully.

I also have WinRAR installed but am not getting this FP (just did a quick scan to check), but I can confirm the file name and location as being legit. To resolve the FP more quickly, one of you who is getting this FP please follow the instructions here and post the developer log in a reply to this post.

Just got this exact same problem today after the latest update (I scanned about 5 hours ago, prior to making this post). FWIW I use Winrar on a daily basis, and scan my computer with Malwarebytes once every 2-3 days (update the program before each scan). I scanned earlier this week around July 14-15th and it didn't pick up anything. I ended up quarantining and deleting the file just in case. I do A LOT of online banking, so didn't want to take any chances.

Anyways I just got home, and decided to try updating/scanning again to see if it would pick it up again. I went back on my computer and noticed that there were 2 new updates for Malwarebytes released in the last 5 hrs (one was released right after my initial scan, and the other was just now when I updated). Since I had already deleted the file on my main computer, I decided to update Malwarebytes on my laptop to see if it would still pick up Default.SFX as being infected with Spyware.Banker even after the latest couple of updates that were released. In short, it still does!

The latest update Database version 2455, is still picking this file up as being infected with Spyware.Banker!

Anyways, I decided to upload this file onto Jotti Scan - it comes up as clean.

On VirusTotal it comes up as being infected by 2/41 (comes up as being infected with "Win32 malware" by eSafe and McAfee-GW-Edition).

Can anyone else confirm this problem?

Is this indeed a F/P?

Kind regards.

- HH89

This should no longer be detected.

OK, after making my initial post I went back and updated Malwarebytes again. There was indeed another update, from "Database version 2455 --> 2456".

However, "default.SFX" is still coming up as being infected.

Kind regards,

- HH89

Greetings HH89 :).

Please follow the instructions here and post back with the developer log.

Thanks :).

Here's the developer log, guys:

Malwarebytes' Anti-Malware 1.39

Database version: 2456

Windows 5.1.2600 Service Pack 2

7/18/2009 2:57:44 AM

DeveloperLog_mbam-log-2009-07-18 (02-57-31).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)

Objects scanned: 107532

Time elapsed: 5 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\program files\WinRAR\Default.SFX (Spyware.Banker) -> No action taken. [5253514247405230251823171713012122221721362118212021222123212621362122212121362124171722192122213821182137212221212136212417171922242019171922242019171922242017172124212222212217211822202220222421392219212120181717211822202]

Hey guys, FWIW. I did scan my computer with MBAM on July 16th (prior to the latest updates that went out on the 17th - which is when MBAM first started to pick up default.SFX as being infected).

Here's the log file for the scan I did 2 days ago:

Malwarebytes' Anti-Malware 1.39

Database version: 2441

Windows 6.0.6001 Service Pack 1

7/16/2009 12:43:12 PM

mbam-log-2009-07-16 (12-43-12).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)

Objects scanned: 367564

Time elapsed: 1 hour(s), 2 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

As you can see everything comes up clean.

Here's the log file for when MBAM started picking up the spyware (which came about after updating to "Database version: 2453 - and continues through even to Database version: 2456", which I did about 5-6 hours ago on my main computer):

Malwarebytes' Anti-Malware 1.39

Database version: 2453

Windows 6.0.6001 Service Pack 1

7/17/2009 11:39:13 PM

mbam-log-2009-07-17 (23-39-13).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)

Objects scanned: 369680

Time elapsed: 59 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\program files (x86)\WinRAR\Default.SFX (Spyware.Banker) -> Quarantined and deleted successfully.

Hope this helps in solving the problem.

Kind regards,

- HH89
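As an added example (not code from the thread or from Malwarebytes), a small Python helper that does what HH89 did by hand above: parse several MBAM scan logs and line up whether Default.SFX is flagged under each database version, so a false positive introduced by a definitions update stands out. The log excerpts inside it are constructed from the ones posted here, and the developer data in brackets is a placeholder.

```python
"""Triage helper for Malwarebytes' Anti-Malware scan logs (added example)."""
import re

# Constructed log excerpts, modelled on the logs posted in this thread.
LOG_2441 = """Malwarebytes' Anti-Malware 1.39
Database version: 2441
Files Infected: 0
Files Infected:
(No malicious items detected)
"""
LOG_2453 = """Malwarebytes' Anti-Malware 1.39
Database version: 2453
Files Infected: 1
Files Infected:
c:\\program files (x86)\\WinRAR\\Default.SFX (Spyware.Banker) -> Quarantined and deleted successfully.
"""
LOG_2458 = """Malwarebytes' Anti-Malware 1.39
Database version: 2458
Files Infected: 1
Files Infected:
c:\\program files\\WinRAR\\Default.SFX (Spyware.Banker) -> No action taken. [1234567890]
"""

VERSION_RE = re.compile(r"^Database version:\s*(\d+)\s*$", re.M)
# One detection line: <path> (<ThreatName>) -> <action>. [<developer-log data>]
DETECTION_RE = re.compile(
    r"^(?P<path>[a-z]:\\.+?) \((?P<threat>[^()]+)\) -> "
    r"(?P<action>[^.\[]+)\.?(?:\s*\[(?P<devdata>\d+)\])?\s*$", re.I | re.M)

def parse_log(text):
    """Return (database_version, [detection dicts]) for one MBAM log."""
    m = VERSION_RE.search(text)
    version = int(m.group(1)) if m else None
    detections = [d.groupdict() for d in DETECTION_RE.finditer(text)]
    return version, detections

def detection_history(logs, filename):
    """Map database version -> threat name (or None) for one file name, case-insensitively."""
    history = {}
    for text in logs:
        version, detections = parse_log(text)
        suffix = "\\" + filename.lower()
        hit = next((d for d in detections if d["path"].lower().endswith(suffix)), None)
        history[version] = hit["threat"] if hit else None
    return dict(sorted(history.items()))

def first_flagging_version(history):
    """Lowest database version that flags the file; None if it was never flagged."""
    flagged = [version for version, threat in history.items() if threat]
    return min(flagged) if flagged else None
```

Running `detection_history([LOG_2441, LOG_2453, LOG_2458], "Default.SFX")` shows the file clean at 2441 and flagged from 2453 on, which is the pattern of a detection introduced by a definitions update rather than a change on the host.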

I just had this scare the hell out of me. I'm assuming it's a false positive as well but I still want pure 100% confirmation by you admins.

I have noticed that the only WinRAR it flags is version 3.71. I scanned it on multiple PCs and 3.71 was flagged to have Spyware.Banker each time. The newest build of WinRAR shows nothing.

I'm still about to change every damn password and login info I have for my accounts but thought knowing 3.71 was throwing it might help fix the issue.

Database version: 2457

If the scan is not done with this version or higher the scan is not valid.

I need someone with up to date definitions to confirm that this is fixed.

Not fixed.

I scanned with Database version: 2458

And default.SFX is still coming up as being infected.

I am using Winrar 3.71 for both computers.

This could very well be why Exile didn't pick up anything malicious on his scan, perhaps he's using the newest build of winrar?

FWIW, I did some googling and found that Spyware.Banker is actually a trojan which monitors what you're doing and tries to steal account information and passwords, especially those pertaining to online banking. With that being said, before this file can actually be confirmed as 100% safe, I urge everyone to take extra precaution and to not log into any personal accounts that hold anything valuable. You can never be too safe these days =(.

Here is an updated Developers Log for Database version: 2458. Just in case you guys might need to take a look at it.

Malwarebytes' Anti-Malware 1.39

Database version: 2458

Windows 5.1.2600 Service Pack 2

7/18/2009 10:18:20 AM

DeveloperLog_DB2458_2009-07-18 (10-17-52).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)

Objects scanned: 107731

Time elapsed: 12 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\program files\WinRAR\Default.SFX (Spyware.Banker) -> No action taken. [5253514247405230251823171713012122221721362118212021222123212621362122212121362124171722192122213821182137212221212136212417171922242019171922242019171922242017172124212222212217211822202220222421392219212120181717211822202]

There may be a bug in whitelisting that you guys just helped me find.

Either way this will be corrected in 2459.

Just glad we could help =).

And, thank you for being so attentive. It is much appreciated.

Kind regards,

- HH89
