Spyware, Viruses, & Security forum

General discussion

big scanning and surprise

by seamaster641 / August 28, 2009 3:17 AM PDT

Hi,
after my vacation I've decided to make a big virus scan of my PC. I used Kaspersky Internet Security 2009, Windows Defender, Malwarebytes' Anti-Malware and... Webroot AntiVirus (Free scan).
Well, those programs showed that there is no threat, but Webroot found mal/ dropper- o.

My question is: is it a false positive, or are they just making me buy the subscription (my Webroot is a free copy)?

PS. I had a similar problem with the newest Spyware Doctor ;]

THX in advance

Tell us the location and file name that Webroot
by Donna Buenaventura / August 28, 2009 3:31 AM PDT

is detecting or send the file for single file scan by many scanners at http://www.virustotal.com/

See if any scanners will detect the said file.

not so simple
by seamaster641 / August 28, 2009 3:37 AM PDT

the thing is that you have to pay for quarantine...got only info, no location...

Not good then.
by Donna Buenaventura / August 28, 2009 3:44 AM PDT
In reply to: not so simple

1 or all of your 3 scanners (except Webroot) should have seen if anything is there. I think you should run a free online scan and if there's nothing... just forget about Webroot scanner.

The online scanners below require IE:
ESET Online Scanner: http://www.eset.com/onlinescan/
A-squared Web Malware Scanner: http://www.emsisoft.com/en/software/ax/

The online scanners below will run in Firefox and IE:

Trend Micro Housecall: http://housecall.trendmicro.com/
F-Secure Online Scan: http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/online-scanner/index.html

thx 4 help but still not solved
by seamaster641 / August 28, 2009 6:19 AM PDT
In reply to: Not good then.

checked the files & did some research with virustotal but a-squared pointed me to a file that scores 0% at virustotal... so, what to do?

what's more...
by seamaster641 / August 28, 2009 6:24 AM PDT

got also registry threats at a-squared:

HKEY_CURRENT_USER\Software\KLExtensions\Tools --> Cmd1
HKEY_CURRENT_USER\Software\KLExtensions\Tools --> Preview1
HKEY_CURRENT_USER\Software\KLExtensions\Tools --> Title1

said traces registry and medium risks

what's your opinion?

Do you have Kazaa Lite...
by Donna Buenaventura / August 28, 2009 12:30 PM PDT
In reply to: what's more...

currently or previously installed? If so, A-squared detects that as adware, but if it's not existing anymore, you are only seeing detection by A-squared of Kazaa Lite's remnants in the Windows Registry.

You can let A-squared quarantine it. The web scanner of A-squared will store the quarantined items for you.

Below is their info on such detection:
"Trace.Registry.<Spywarename>
Registry Traces are known Spyware or Adware traces stored in the Windows Registry. These can be Autostart entries that automatically start Spyware when Windows is started. Registry Traces can also be registrations of Adware DLL files that are used to hijack the Windows Explorer or Web Browser, i.e. to use them for Malware purposes. By definition, Registry entries are not dangerous in themselves but are used to allow Malware to be installed and started."
http://www.emsisoft.com/en/kb/articles/tec070120/

additional info about the file
by seamaster641 / August 28, 2009 6:26 AM PDT

c:\windows\prefetch\wmic.exe-3b772cc6.pf

bizarre name: Trace.File.Doni i Neti xxx!A2

That's Windows Management Instrumentation (WMI) Command-Line
by Donna Buenaventura / August 28, 2009 12:30 PM PDT

Utility in Windows but A-squared detected it in prefetch folder as traces infection only.

You need to decide to ignore it or let a-squared quarantine it.

If you decide to let a-squared handle it, you are not quarantining or removing the program itself but only a prefetch item. Note that you can even empty the prefetch folder if you like, but it is not necessary.

But if you decide to keep it, a-squared will often detect it unless that is gone from the prefetch folder. Or if you put the prefetch folder in the "excluded" path to scan, which is not recommended.

If you want to double-check whether it's false positive, browse for the said file then send it for single file scan in http://www.virustotal.com

My take is this seems FP since the path is not the usual and known spyware/adware folders.
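The point made in the post above, that a flagged `.pf` entry is a prefetch trace and not the program itself, can be checked by reading the file header. This is an added example, not part of the original thread: it assumes the publicly documented layout of uncompressed prefetch headers (version, `SCCA` signature, executable name, path hash), and the function names and the sample header bytes are constructed for illustration.

```python
import re
import struct

# Header versions of the uncompressed prefetch formats.
VERSIONS = {0x11: "Windows XP/2003", 0x17: "Windows Vista/7", 0x1A: "Windows 8.x"}
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


def parse_pf_header(data: bytes) -> dict:
    """Parse the fixed 84-byte header of an uncompressed .pf file."""
    if len(data) < 84:
        raise ValueError("too short for a prefetch header")
    if data[:3] == b"MAM":
        raise ValueError("compressed Windows 10+ prefetch; decompress first")
    version, signature, _unknown, size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature: not prefetch data")
    # Executable name: 60 bytes of NUL-padded UTF-16LE at offset 16.
    raw_name = data[16:76].decode("utf-16-le", errors="replace")
    exe = raw_name.split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 76)
    return {"os": VERSIONS.get(version, f"unknown (0x{version:x})"),
            "exe": exe, "hash": f"{path_hash:08X}", "size": size}


def check_pf(filename: str, data: bytes) -> dict:
    """Compare what the file name claims with what the header records."""
    m = PF_NAME.match(filename)
    if not m:
        raise ValueError("not an EXE-HASH.pf style name")
    hdr = parse_pf_header(data)
    hdr["name_matches"] = (m["exe"].upper() == hdr["exe"].upper()
                           and m["hash"].upper() == hdr["hash"])
    hdr["is_executable"] = data[:2] == b"MZ"  # a PE image would start with MZ
    return hdr


def make_sample(exe: str, path_hash: int, version: int = 0x11) -> bytes:
    """Constructed header for the demo; a real file carries more sections."""
    name = exe.encode("utf-16-le").ljust(60, b"\x00")
    return (struct.pack("<I4sII", version, b"SCCA", 0x0F, 84)
            + name + struct.pack("<II", path_hash, 0))


if __name__ == "__main__":
    sample = make_sample("WMIC.EXE", 0x3B772CC6)
    print(check_pf("wmic.exe-3b772cc6.pf", sample))
```

On a real system, pass the bytes of the flagged file instead of the constructed sample; a header that fails the `SCCA` check or starts with `MZ` is worth submitting for a multi-scanner check.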

THANK YOU!!!
by seamaster641 / August 29, 2009 12:42 AM PDT

thank you very much for your help :)

(NT) You're welcome and glad we could help! :)
by Donna Buenaventura / August 29, 2009 1:08 AM PDT
In reply to: THANK YOU!!!

one more thing
by seamaster641 / August 29, 2009 1:12 AM PDT
In reply to: THANK YOU!!!

when i launch f-secure online scanner i get the blue screen of death and a restart of my pc. any ideas why?

maybe i've blocked something with windows defender
by seamaster641 / August 29, 2009 1:16 AM PDT
In reply to: one more thing

file called olsserver.dat

regkey:
HKLM\Software\Microsoft\Code Store Database\Distribution Units\{076169AA-8C3D-4CFC-AC23-3ACA88FC21B5}\CONTAINS\FILES\\C:\WINDOWS\Downloaded Program Files\olsserver.dat

Yes..
by Donna Buenaventura / August 29, 2009 1:55 AM PDT

The {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} is the CLSID of F-Secure Online Scanner Launcher.

Temporarily turn off Windows Defender if it is blocking or interfering with F-Secure Online Scanner.

hmmmmm....
by seamaster641 / August 29, 2009 2:42 AM PDT
In reply to: Yes..

unblocked the file and turned off Defender but still I get blue screen after downloading necessary files and before scanning, kinda odd

Did you try it using IE or Firefox?
by Donna Buenaventura / August 29, 2009 3:07 AM PDT
In reply to: hmmmmm....

I am wondering if you tried with both browsers, or just one browser?
You might also want to try to temporarily disable Kaspersky's real-time protection (to see if F-Secure scanner will work).

If disabling other real-time protection, it might also help to report the issue to them at the F-Secure Online Scanner forum.
