Mattchu

False Positive in Asquared free?

14 posts in this topic

Just doing a scan of another computer with asquared free on USB and it picks up Trojan.Win32.SPY.110080.7!A2 in C:\Windows\$hf_mig$\KB956572\SP3QFE\services.exe

Now I've uploaded the file to Jotti and Virustotal and it comes back as clean and seen before so I'm pretty sure it's a False Positive.

I just can't seem to find where you submit fp's.

File: C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe

Size: 110592 bytes

File Version: 5.1.2600.5755 (xpsp_sp3_qfe.090206-1316)

Modified: 06 February 2009, 11:06:24

MD5: 020CEAAEDC8EB655B6506B8C70D53BB6

SHA1: 6DA7935A38DBC2A02E85B012CE39215E34F4576F

CRC32: 2A1B5551

If anyone could be so fine as to confirm the above is correct, Windows XP SP3.

Many thanks, Mattchu

Apologies, just found out how to submit as fp, just if anyone could confirm the same hash would be great...

Hi Mattchu, welcome to the forum

Yes, I can confirm the same hash and file was submitted from here as well

My regards

Here as well with A2 Anti-Malware 4.5 (non-free) (still scanning, will submit later)

Nasty False Positive?!

But for me in C:\WINDOWS\System32

I guess I better not delete that?!

> ... But for me in C:\WINDOWS\System32 I guess I better not delete that?!

Better not.

Good morning, Guys.

There are 6 instances of the said file here (attached)

File in the \system32\ is not flagged

That's why it's always important to state OS in use, since there could be differences indeed related to that.

In addition to submitting from the detection list I submitted by e-mail. Probably you can do the same.

My regards

Hi Guys,

That was fixed ~ 3-4 hours after the e-mail submission

Cheers!

> Hi Guys,
>
> That was fixed ~ 3-4 hours after the e-mail submission
>
> Cheers!

Champion Lynx, glad it's sorted :)

Was it just the one mentioned being reported on your system? (out of the 6)

KB956572 was a Microsoft update from April 2009. I'm wondering if your services.exe in the system32 folder hasn't been updated due to another KBxxxxxx fix XIII, have you done recent XP updates?

Just a thought, can't see why it triggered the system32 version on your comp, you wouldn't want to quarantine/delete that :P

Cheers...

> Was it just the one mentioned being reported on your system? (out of the 6)

Hi Mattchu,

Sure only one mentioned was flagged - I highlighted that one and mentioned that on XP (here) file in \system32\ wasn't flagged

> KB956572 was a Microsoft update from April 2009. I'm wondering if your services.exe in the system32 folder hasn't been updated due to another KBxxxxxx fix XIII, have you done recent XP updates?

There is no way I don't have recent MS updates

> Just a thought, can't see why it triggered the system32 version on your comp, you wouldn't want to quarantine/delete that :P

it was triggered on a system I don't know about, since XIII hasn't stated the system

If it was flagged by any security here ... no way that "I would want to" do that ... I would be thinking very hard :P

Cheers!

> it was triggered on a system I don't know about, since XIII hasn't stated the system

Windows XP Professional 32-bits with SP3, completely up-to-date.

I might have less entries because somewhere in 2009 I have done a clean install using the OnePiece update pack on Ryan VM's site using nLite... (so less KB folder/files on my system).

But do I understand you correctly: are you saying that my services.exe is not up-to-date?

That would be worth some additional investigation (by me)!

Hi XIII,

Thanks for reply and clarifying

The version here in the \system32\ 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)

My regards

Is it possible to fix the false positive of SARDU?

In SARDU_1 I have a collection of tools, Emsisoft sees this file as Exploit.Win32.IMG-WMF!IK. This is a false positive:

Emsisoft 5.1.0.2 2011.02.25 Exploit.Win32.IMG-WMF!IK

Can you fix this?

Thanks and kind regards

@davidecosta

I noticed the false positive has been fixed with the latest signature update today.

Cheers!
