Alan D

Detection: Trace.File.faithorfear.com!A2

The scans are faster, but the FPs are still with us, it seems.

This trace detected today, linked with c:\windows\prefetch\wmplayer.exe-18ddef9c.pf. (Scan log below.) AVG, Superantispyware, MBAM find nothing. All the online scanners at Jotti and Virustotal show the file (wmplayer.exe-18ddef9c.pf) to be clean (including a2). I've submitted the detection through the GUI.

Scan log:

a-squared Free - Version 4.5

Last update: 07/10/2009 18:21:19

Scan settings:

Scan type: quick

Objects: Memory, Traces, Cookies

Scan archives: On

Heuristics: Off

ADS Scan: On

Scan start: 07/10/2009 18:25:57

c:\windows\prefetch\wmplayer.exe-18ddef9c.pf detected: Trace.File.faithorfear.com!A2

Scanned

Files: 289

Traces: 675221

Cookies: 129

Processes: 32

Found

Files: 0

Traces: 1

Cookies: 0

Processes: 0

Registry keys: 0

Scan end: 07/10/2009 18:26:46

Scan time: 0:00:49

Later

I see someone else (sandy) has this detection too, posting in Malware removal here.

Hi Alan,

That is most likely FP.

I saw the thread you are referring to

Unfortunately I am neither using WMP nor Prefetch, therefore nothing to submit, but I will try to emulate the situation

My regards

Hi Alan,

I recreated \Prefetch

After invoking WMP WMPLAYER.EXE-3A528C4F.pf was created (the name doesn't matter). The subsequent scan of the folder produced no flaggings.

There were a couple of Additional Signatures updates since.

I hope that fixed the problem for those who got the detection.

My regards

The most recent update still hasn't fixed it.

I have several of those types of file in the Prefetch folder:

WMP WMPLAYER.EXE-18DDEF9C.pf

WMP WMPLAYER.EXE-18DDEF9F.pf

WMP WMPLAYER.EXE-18DDEFA2.pf

WMP WMPLAYER.EXE-18DDEFA4.pf

All of them are clean. It seems that a2 only detects the registry trace that it associates with WMP WMPLAYER.EXE-18DDEF9C.pf; scanning the file itself (by right-clicking) produces no result, either with a2 itself or with any other online scanner.

(Sandy - if you read this, I suggest you just wait for a day or two before taking any action. Hopefully the FP will be fixed soon.)

Alan,

It is 16:12PM in Austria.

The last update of a-squared (!A2) signatures was 16:05PM - a few min ago.

You can try another Quick Scan after update.

As for Trace.File detection, it is based only on a specific file location (path), if that was found as spyware in the past

(probably a bit strange for this particular file :unsure: ... but)

Prefetch(ed) items could be cleaned and the files there recreated as soon as the Software is called, if you are using the prefetching feature.

This particular detection should be fixed, but it is not dangerous if moved (quarantined/deleted)

- no need to act though, as you said, for sure.

As for the Shell Extension scan (file/folder only), that type of scan does not search for Traces.

My regards
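An added example, not code from the thread or from a-squared: a small Python parser for the scan-log format Alan quoted above that pulls out the detection line and the "Found" counters, splits the prefetch filename, and flags the pattern Lynx describes, a Trace.* rule firing on a path while no file content matched. The sample log and all function names are mine, and the filename-hash note describes Windows prefetch naming in general, not this signature.

```python
import re

# Constructed sample shaped like the a-squared 4.5 scan log quoted in the
# thread (the detection line and the Found counters are the ones reported).
SAMPLE_LOG = """\
a-squared Free - Version 4.5
Scan start: 07/10/2009 18:25:57
c:\\windows\\prefetch\\wmplayer.exe-18ddef9c.pf detected: Trace.File.faithorfear.com!A2
Scanned
Files: 289
Traces: 675221
Found
Files: 0
Traces: 1
Cookies: 0
Scan end: 07/10/2009 18:26:46
"""

DETECTION_RE = re.compile(r"^(?P<path>.+?) detected: (?P<name>\S+)$")
# Prefetch names are <image>-<8 hex digits>.pf; Windows derives the digits
# from the image's full path, so the same program at another path (or on
# another machine) gets a different name, as Lynx's 3A528C4F file shows.
PREFETCH_RE = re.compile(r"^(?P<exe>.+\.exe)-(?P<hash>[0-9a-f]{8})\.pf$", re.I)

def parse_log(text):
    """Return (detections, found): a list of (path, detection_name) pairs
    and a dict of the integer counters under the 'Found' heading."""
    detections, found, section = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if line in ("Scanned", "Found"):
            section = line          # the two counter blocks share key names
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append((m["path"], m["name"]))
        elif section == "Found" and ":" in line:
            key, value = line.split(":", 1)
            if value.strip().isdigit():     # skips "Scan end: 07/10/2009 ..."
                found[key.strip()] = int(value)
    return detections, found

def parse_prefetch_name(path):
    """Split '...\\wmplayer.exe-18ddef9c.pf' into ('wmplayer.exe', '18ddef9c')."""
    m = PREFETCH_RE.match(path.rsplit("\\", 1)[-1])
    return (m["exe"].lower(), m["hash"].lower()) if m else None

def trace_only_hits(detections, found):
    """Trace.* hits from a scan in which no file content matched.
    A Trace.File rule fires on the location alone, so a hit here with
    Found Files == 0 means only the path matched; re-scanning the file
    itself (as the thread did) will not reproduce it."""
    if found.get("Files", 0) != 0:
        return []
    return [(p, n) for p, n in detections if n.startswith("Trace.")]
```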

Lynx and Alan, I just did another update and it still detects that same file. Hopefully it'll be taken care of soon. Thanks for the replies on this.

Sandy

Yes, I too am still getting the detection after the most recent update, Sandy. I'm going to carry on waiting, because I'd take a lot of persuading that it isn't a false positive.

Lynx - even though I've read all I can find on 'traces', I still don't understand the link between the detected trace, and a particular associated file (as in this case). If this were really spyware, what exactly would have been happening? How would the file be linked with the registry trace?

And is it actually possible for a registry trace to be a real detection, if the file associated with it is clean?

I realise that the prefetch folder could be cleaned without harm, but I don't want to take action of that sort, merely to get rid of a false positive alert that shouldn't have happened in the first place.

It's a prefetch copy of the Windows Media Player. You can delete those with no ill effects. However, the next time you run WMP it will create another prefetch entry.

Thanks SPD.

There's another update this morning but the detection is still there.

And another update, but still the detection is there.

I've submitted the file by email.

Later (8.50 pm) - 3 more a2 updates, but the detection is still there.

Well, A2 still shows the detection after updating just now. Would it normally take this long to clear up a FP? Keep waiting, I guess.

Sandy

Sandy, I too am baffled. You're right - this trace is still being detected by A2 after the most recent update, and I'm quite at a loss. I've submitted the detection twice using the 'submit' option in the GUI, and then I sent the file and the scan log by email on Friday. All the online scanners, including a2 itself, show the file as clear. All my other on-demand scanners report that my computer is free from infection.

I simply don't believe that this isn't a false positive (particularly since a2's track record for FPs in recent months has been particularly poor), so I don't understand why it hasn't been fixed.

Lynx? Anyone? - can you shed any light on what's happening, please?

Hi Guys,

The developers will have a look at this & advise. I've sent the note.

Cheers!

Thanks Lynx. I've been away all day so couldn't check until now, but the fp is now fixed with the latest updates. (Sandy - update a2 and do a quick scan, and you should find that the problem has gone away now.)
