13 replies to this topic

[Mattchu]

Just doing a scan of another computer with asquared free on USB and it picks up Trojan.Win32.SPY.110080.7!A2 in C:\Windows\$hf_mig$\KB956572\SP3QFE\services.exe

Now i`ve uploaded the file to Jotti and Virustotal and it comes back as clean and seen before so i`m pretty sure it`s a False Positive.
I just can`t seem to find where you sumbit fp`s.

File: C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
Size: 110592 bytes
File Version: 5.1.2600.5755 (xpsp_sp3_qfe.090206-1316)
Modified: 06 February 2009, 11:06:24
MD5: 020CEAAEDC8EB655B6506B8C70D53BB6
SHA1: 6DA7935A38DBC2A02E85B012CE39215E34F4576F
CRC32: 2A1B5551

If anyone could be so fine as to confirm the above is correct, Windows XP SP3.
Many thanks,Mattchu


Apologies just found out how to sumbit as fp, just if anyone could confirm the same hash would be great...

[Lynx]

Hi Mattchu, welcome to the forum

Yes, I can confirm the same hash and file was submitted from here as well

My regards

[Mattchu]

Cheers S....Lynx

Mattchu (_R)

[XIII]

Here as well with A2 Anti-Malware 4.5 (non-free) (still scanning, will submit later)

Nasty False Positive?!

But for me in C:\WINDOWS\System32

I guess I better not delete that?!

[Lynx]

... But for me in C:\WINDOWS\System32 I guess I better not delete that?!

Better not.

Good morning, Guys.

There are 6 instances of the said file here (attached)
File in the \system32\ is not flagged
That's why it's always important to state OS in use, since there could be differences indeed related to that.

In addition to submitting from the detection list I submitted by e-mail. Probably you can do the same.

My regards

Attached Thumbnails

• 

[Lynx]

Hi Guys,

That was fixed ~ 3-4 hours after the e-mail submission

Cheers!

[Mattchu]

Hi Guys,

That was fixed ~ 3-4 hours after the e-mail submission

Cheers!

Champion Lynx, glad it`s sorted

Was it just the one mentioned being reported on your system? (out of the 6)

KB956572 was a Microsoft update from April 2009. I`m wondering if your services.exe in the system32 folder hasn`t been updated due to another KBxxxxxx fix XIII, have you done recent XP updates?

Just a thought, can`t see why it triggered the system32 version on your comp,you wouldn`t wan`t to quarantine/delete that

Cheers...

[Lynx]

Was it just the one mentioned being reported on your system? (out of the 6)

Hi Mattchu,

Sure only one mentioned was flagged - I highlighted that one and mentioned that on XP (here ) file in \system32\ wasn't flagged

KB956572 was a Microsoft update from April 2009. I`m wondering if your services.exe in the system32 folder hasn`t been updated due to another KBxxxxxx fix XIII, have you done recent XP updates?

Ther is no way I don't have recent MS updates

Just a thought, can`t see why it triggered the system32 version on your comp,you wouldn`t wan`t to quarantine/delete that

it was triggered on a system I don't know about, since XIII haven't stated the system
If it was flagged by any security here ... no way that "I would want to" do that ... I would thinking very hard

Cheers!

[XIII]

it was triggered on a system I don't know about, since XIII haven't stated the system

Windows XP Professional 32-bits with SP3, completely up-to-date.

I might have less entries because somewhere in 2009 I have done a clean install using the OnePiece update pack on Ryan VM's site using nLite... (so less KB folder/files on my system).

But do I understand you correct: are you saying that my services.exe is not up-to-date?

That would be worth some additional investigation (by me)!

[Lynx]

Hi XIII,

Thanks for reply and clarifying

The version here in the \system32\ 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)

My regards

[davidecosta]

It's possible fix the false positive of SARDU?

In SARDU_1 I have a collection of tools, Emsisoft see this file as
Exploit.Win32.IMG-WMF!IK This is a false positive:

Emsisoft 5.1.0.2 2011.02.25 Exploit.Win32.IMG-WMF!IK

You can fix this?
Thanks and king regards

[Ray]

Hi davidecosta,

Please read this post http://support.emsis...s-for-analysis/

[davidecosta]

Hi davidecosta,

Please read this post http://support.emsis...s-for-analysis/

Thanks, I send an email, i found the false positive in virustotal.com

[Ray]

@davidecosta

I noticed the false positive have been fixed with latest signature update today.

Cheers!