Trojan.MSIL.SD - False Positive


J. L.

Hello,

First time poster, so I'm not entirely familiar with the MBAM culture, so please forgive me if I'm making a mistake here (I'm sleep deprived right now, as it's ~2 AM where I'm at).

2011-04-07, I ran a full MBAM scan and had nothing infected.

Yesterday (really, all but a few hours ago), I ran MBAM and had cdbxpp.exe flagged as infected.

Now there are two variables I'm having to consider:

  1. I Updated MBAM Prior to Running the Scan
  2. I Went to ubuntugeek.com

The first is self-explanatory, but the second is where I'm concerned.

Here are two links that have me disconcerted. The second one was a URL scan I submitted after reading a couple posts that referenced virustotal.com being an integral tool for diagnosing possible malware.

It was after I visited ubuntugeek.com that I decided to run MBAM. The thing was, I'm pretty sure everything would have been fine had I just left it alone when browsing w/Chrome, but I had to get adventurous. I decided I'd see if the same warning page from Google would pop-up when running Firefox 4. Well, it didn't. I didn't navigate to any links or stay on for very long in Firefox, but feeling a little paranoid, I ran a full scan with KIS 2010 after updating it. No infections found. Following that, I updated MBAM, ran a full scan and CDBurnerXP was flagged. Under the "Vendor" column there was "Trojan.MSIL.SD", with "C:\Program Files\CDBurnerXP\cdbxpp.exe" referenced as the "Item"; I right clicked it and went to "Vendor Information". This is the link I was routed to: http://www.malwarebytes.org/malwarenet.php?name=Trojan.MSIL.SD. As you can see, the message I received was "This entry no longer exists. Please contact our support team about this problem."

I decided to do a Google search and found this on the MBAM Forums, so that's why I thought this might also be a false positive with the new update, which I would have been fine with, had it not been for xivee.com (ubuntugeek.com - make no mistake, I'm not blaming ubuntugeek, I realize it's xivee.com that's the problem URL/URI). So, still feeling uncertain, I ran an md5sum hash against the cdbxpp.exe and got this:

0373ba18fd585e102ce6af9d7e5ed152

With this, I ran a query against VirusTotal and got this result: http://www.virustotal.com/file-scan/report.html?id=0e274ea5e7908fcfde94337e2095e0c6ad7e4d0c7eb703ebb99f12b066149906-1302273251. Other than the Anonymous comment flagging it for malware, there's no indication that it is; unfortunately, MD5 can be subverted quite easily, so I'm not entirely put at ease with this either. An hour or so ago, Kaspersky had another update, so I scanned "cdbxpp.exe" again and still had no malware issue; compared it to another MBAM scan and still had it recognized as malware (specifically targeted only "cdbxpp.exe" in both instances). Of course, that was me being naively hopeful, but I figured it was worth a shot.

FYI, I've had CDBurnerXP since Tuesday, November 9, 2010. Downloaded from CNET, since all the downloads I've had from there have been safe, in my experience.

Attached are both log files showing the difference in results (EDIT: couldn't upload earlier due to "forums.malwarebytes.org Driver Error". Tried to use "advanced uploader", but that didn't work either, database issue being cited as cause).

Apologies for the long-winded post; just wanted to make sure that I was thorough in helping you diagnose the issue (there'd be a lot less reason to worry if I had just used Ubuntu to go to that site in the first place, doh!).

mbam-log-2011-04-07 (19-55-47).txt

mbam-log-2011-04-19 (00-23-32).txt

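The check the post describes (hash the flagged binary, then look the hash up) can be scripted so it is repeatable across AV updates. The example below is added here and is not the poster's code or CDBurnerXP's: it hashes a file in one pass with MD5, SHA-1 and SHA-256, compares the result against a reference value, and builds a VirusTotal report link for a hash you already have (no upload). The reference value in the demo is hypothetical, standing in for a hash the vendor publishes for its release; the sample file is constructed from the bytes "abc" purely so the output is reproducible. Practically, the strongest version of this check is comparing the SHA-256 against the vendor's published value or against the same file on a known-clean machine; a VirusTotal hit only tells you that the same bytes were scanned before.

```python
"""Hash a suspected file with several algorithms and compare it to a reference value
(for instance a hash published by the software vendor for that release)."""
import hashlib
import io
import os
import tempfile

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so a large binary never sits in memory whole
DEFAULT_ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(stream, algorithms=DEFAULT_ALGORITHMS):
    """Return {algorithm: hexdigest} computed over the stream in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK_SIZE)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_bytes(data, algorithms=DEFAULT_ALGORITHMS):
    """Convenience wrapper for in-memory data (used by the demo and tests)."""
    return hash_stream(io.BytesIO(data), algorithms)


def file_digests(path, algorithms=DEFAULT_ALGORITHMS):
    """Hash a file on disk, e.g. C:\\Program Files\\CDBurnerXP\\cdbxpp.exe."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def check_reference(digests, reference):
    """Compare computed digests with reference hex values (case-insensitive).

    Returns (all_match, {algorithm: matched}). An algorithm listed in the
    reference but not computed counts as a mismatch, and an empty reference
    never passes, so a missing vendor value cannot silently look like success."""
    results = {}
    for name, expected in reference.items():
        got = digests.get(name)
        results[name] = got is not None and got.lower() == expected.strip().lower()
    return bool(results) and all(results.values()), results


def virustotal_url(sha256_hex):
    """Report link for a hash you already hold; nothing is uploaded to VirusTotal."""
    value = sha256_hex.strip().lower()
    if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("expected a 64-hex-digit SHA-256")
    return "https://www.virustotal.com/gui/file/" + value


if __name__ == "__main__":
    # Constructed sample: a throwaway file standing in for the flagged executable.
    with tempfile.NamedTemporaryFile("wb", suffix=".exe", delete=False) as tmp:
        tmp.write(b"abc")
        sample_path = tmp.name
    try:
        digests = file_digests(sample_path)
        for name, value in digests.items():
            print(f"{name}: {value}")
        # Hypothetical "vendor-published" value; this happens to be SHA-256("abc").
        reference = {"sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}
        ok, detail = check_reference(digests, reference)
        print("matches reference:", ok, detail)
        print("lookup:", virustotal_url(digests["sha256"]))
    finally:
        os.unlink(sample_path)
```

Run it once before an update and once after: if the digests are unchanged and the detection appears only after the signature update, the file did not change, which is the evidence a false-positive report needs.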

To better keep track, I have merged all the topics here.

Ok, so I'm not the only one with the same error; so I guess I'm being overly paranoid about the possible "Drive-By Download" from xivee.com?

I know MBAM support isn't really meant to address this kind of issue, but if anybody has any personal experience they'd like to share, I'd really appreciate it.

Sorry, it's just that I've never been infected on my personal box, especially since I take extra care to make sure I'm secure. Well, there's that and the fact that Andy Grove has helped to fortify my pessimistic imagination =P.


I got two of the Trojan.MSIL.SD detections; here are the attached files.

They're from a game I installed on my slave drive, and I've been using them for 4 months, so I can't see how this happens and how it just showed up now.

Here's the log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6395

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

19/04/2011 12:32:39
mbam-log-2011-04-19 (12-32-31).txt

Scan type: Full scan (C:\|E:\|G:\|)
Objects scanned: 456075
Time elapsed: 2 hour(s), 35 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
e:\installedgames\dragon age\dao-modmanager.exe (Trojan.MSIL.SD) -> No action taken.
e:\installedgames\dragon age\propertygridex.dll (Trojan.MSIL.SD) -> No action taken.

Dragon Age questionable files.rar

This topic is now closed to further replies.