SpySentinel

FP NVidia_Software_PreLoad.exe


Here is a possible FP discovered by an Analyst:

FP ?

http://www.5starsupport.com/ipboard/index....amp;#entry48840

Files Infected:

C:\Program Files\Common Files\System\NVidia_Software_PreLoad.exe.txt (Trojan.Agent) -> Quarantined and deleted successfully.

I had run the file C:\Program Files\Common Files\System\NVidia_Software_PreLoad.exe through VirScan before and nothing detected it.

Need a dev log ?


I had to add another layer of heuristics over something to make this miss; should be fine in the next update.


More details are posted where I usually post/upload, available for review, Bruce, but I tracked the file name to this post. The thread linked above looks like they might have failed the file upload for the scan, and it is a .txt file? But that is not what shows in their HijackThis Winlogon shell value:

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\System\NVidia_Software_PreLoad.exe"

http://www.virustotal.com/analisis/0a1cf56...c71ed5fcda9eb16

File NVidia_Software_PreLoad.exe received on 10.06.2008 04:13:13 (CET)

Result: 5/36 (13.89%)

eSafe 7.0.17.0 2008.10.05 Suspicious File

eTrust-Vet 31.6.6129 2008.10.04 Win32/Sintun!generic

Ikarus T3.1.1.34.0 2008.10.06 Trojan-Dropper.IRC.TKB

Microsoft 1.4005 2008.10.06 TrojanDropper:Win32/Jevafus.A

Panda 9.0.0.4 2008.10.05 Suspicious file

File size: 29696 bytes

MD5: 5ebfeb1ef992ebc7e9f74c91e03700b1

SHA1: 790611378fa91a10c6417df5e958ac8890630633

packers (Kaspersky): UPX

packers (F-Prot): UPX_LZMA

Also downloads and installs a BHO.


The board software cut out the spaces - the Winlogon value is actually a very large space after the Explorer.exe data:

F2 - REG:system.ini: Shell=explorer.exe																																																										  "C:\Program Files\Common Files\System\NVidia_Software_PreLoad.exe"

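The padded Shell value quoted above is easy to miss by eye, because the second entry sits far to the right of "explorer.exe". The following Python is an added example, not code from this thread or from the scanner being discussed: it parses HijackThis-style F2 lines (or raw Winlogon Shell values), splits the value into its program entries, and flags anything other than explorer.exe, together with any run of whitespace long enough to hide a trailing entry. The sample lines are constructed for the example and modelled on the entries quoted in the thread; the comma-separated form is included because the Winlogon Shell value accepts a comma-delimited list of programs, which is the other common way a second shell is appended.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not from the original post). Line 2 reproduces the
# padding trick: a long run of spaces between explorer.exe and the added path.
SAMPLE_LINES: List[str] = [
    "F2 - REG:system.ini: Shell=explorer.exe",
    "F2 - REG:system.ini: Shell=explorer.exe"
    + " " * 120
    + '"C:\\Program Files\\Common Files\\System\\NVidia_Software_PreLoad.exe"',
    "F2 - REG:system.ini: Shell=explorer.exe,C:\\Users\\Public\\update.exe",
    "F2 - REG:system.ini: Shell=Explorer.exe ",
]

# One entry is either a double-quoted string (may contain spaces) or a bare
# token delimited by whitespace or commas.
_ENTRY = re.compile(r'"[^"]*"|[^\s,]+')
_F2_PREFIX = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")

# Anything this long between entries is padding meant to push the second
# entry out of view in a log viewer; the threshold is an assumption.
PADDING_THRESHOLD = 2


def parse_f2(line: str) -> Optional[str]:
    """Return the raw Shell value from a HijackThis F2 line, or None."""
    m = _F2_PREFIX.match(line)
    return m.group(1) if m else None


def shell_entries(value: str) -> List[str]:
    """Split a Winlogon Shell value into program entries, dropping quotes."""
    return [tok.strip('"') for tok in _ENTRY.findall(value)]


def audit_shell_value(value: str) -> Dict[str, object]:
    """Flag every entry that is not explorer.exe and any hidden padding."""
    entries = shell_entries(value)
    extra = [e for e in entries if e.lower() != "explorer.exe"]
    runs = [len(r) for r in re.findall(r"\s{%d,}" % PADDING_THRESHOLD, value)]
    max_ws = max(runs, default=0)
    clean = bool(entries) and entries[0].lower() == "explorer.exe" and not extra
    return {
        "entries": entries,
        "suspicious": extra,
        "max_whitespace_run": max_ws,
        "clean": clean,
    }


def audit_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Audit every F2 Shell line in a log; non-F2 lines are skipped."""
    results = []
    for line in lines:
        value = parse_f2(line)
        if value is None:
            continue
        r = audit_shell_value(value)
        r["line"] = line
        results.append(r)
    return results


if __name__ == "__main__":
    for r in audit_lines(SAMPLE_LINES):
        verdict = "OK " if r["clean"] else "BAD"
        print(verdict, r["entries"], "padding=%d" % r["max_whitespace_run"])
```

The same check can be run against the live value (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value Shell) rather than a log line; only the prefix parsing differs. Treat any non-empty `suspicious` list as a finding regardless of what the extra path is named, since, as the next reply notes, legitimate software has no reason to add itself there.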

Hmm.. Jintan

Legit software shouldn't be redirecting explorer's shell to load it.. What BHO is it dropping?

