AntiVirGear false positive ?



TrucMuche
2009-09-25, 22:54
Hello,
This is my first post so I hope I am doing the right things.
I just installed the latest version 1.6.2 and ran a scan and I got the following alert which I believe is a false positive.
For the following reasons:
- I never installed this fake Antispyware program "AntiVirGear"
- I cannot find "AntiVirGear" in the Program Files folders
- I cannot see "AntiVirGear" in the Add or Remove control panel list
- There is no icon of this "AntiVirGear" program in my system tray

And here are the requested details :
# Operating System : Windows XP Professional SP2
# Browser and Version : currently opened Firefox 2.0.0.20, and also installed Firefox 3.0.10 and Internet Explorer 7.0.5730
# Version of Spybot S&D and Date of the latest update : 1.6.2.46 and updated on 09-25-09
# where did the false positive occur : at the Scan result

Can you please advise the next steps I should take.
Thank You.

Shortened Log (I removed the tracking cookies alerts) :
--- Report generated: 2009-09-25 12:29 ---

AntiVirGear: [SBI $72F309E5] Program directory (Directory, nothing done)
C:\Program Files\
(I removed the tracking cookies alerts here)

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-09-25 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-09-07 advcheck.dll (1.6.4.18)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-09-22 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-08-10 Includes\Dialer.sbi (*)
2009-09-22 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-09-22 Includes\HijackersC.sbi (*)
2009-09-22 Includes\Keyloggers.sbi (*)
2009-09-22 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-08-19 Includes\Malware.sbi (*)
2009-09-22 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-09-22 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-09-22 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-09-22 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-09-15 Includes\Trojans.sbi (*)
2009-09-22 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

drragostea
2009-09-27, 06:32
AntiVirGear: [SBI $72F309E5] Program directory (Directory, nothing done)
It's sitting right in your Programs Folder. But the news is that this does not pose a threat (because it lacks the system files and registry keys) nor is it a False Positive. I have no idea how it got there (dropped?) but in the meantime you shouldn't worry over such a folder. Remember it's an empty folder (you can always navigate to that folder in your Programs Folder and check the properties of that folder itself [should be like 0KB, since it is empty]).

Check to make sure there's nothing in there.

TrucMuche
2009-09-28, 19:18
Hello drragostea and everyone,
sorry I am not sure I understand your answer.
I assume when you refer to the "empty folder", you meant the "AntiVirGear" folder ?

Because the alert message says :
AntiVirGear: [SBI $72F309E5] Program directory (Directory, nothing done)
C:\Program Files\
It seems here Spybot refers to the "root" "Program Files" Directory ?
And under C:\Program Files\, this is where I have all my applications being installed. There is around 3 GB of programs in there.
Which is why I was worried when I got this message, and the proposed solution by Spybot is to "delete" that C:\Program Files\ folder ?

On the other hand, if I understood you correctly, then in fact I have no "AntiVirGear" folder, visible or hidden, right under C:\Program Files.
On the other hand, right under C:\Program Files, I noticed only two files and they are called :
".EXE" of 0 byte. (No Prefix Name in front of the ".EXE")
"107A.EXE" of 0 byte.
Could any of these 2 be a remnant of the AntiVirGear being "dropped" in here ?

Thanks for your help.

drragostea
2009-09-29, 03:33
Then again, you're right. I'm not sure how to approach this (might need some Team member's help) but I would suggest you upload those two specific .exe files to Virustotal (www.virustotal.com). Virustotal is a site that utilizes multiple anti-virus/malware scanners to scan the file that you upload. In the end it'll return with some results about the file (infected or not).

It seems very suspicious and odd about those two files. I think that was what Spybot was flagging. I had a misunderstanding back there, because I thought Spybot was flagging a folder. But again, you said it was the directory itself.

Yodama
2009-09-29, 08:40
Hello,

hm, these 2 files really are suspicious. The ".exe" file is what caused Spybot S&D to identify the program files folder as part of AntiVirGear. I think we should narrow down our detection a bit here, removing the whole program files folder would usually be very bad :oops:

@TrucMuche
Determine the creation and modify date of these 2 exe files you named above and do a search on your computer for files with the same dates.
Doing a scan with Rootalyzer (check downloads below) may also shed some light on this.
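One way to carry out the timestamp search Yodama asks for, as an added example that is not part of the thread or of Spybot S&D: it lists zero-byte executables under Program Files whose name is only an extension (like the ".EXE" and "107A.EXE" files above), then walks the search root for files created or modified within the same minute. The script assumes PowerShell 2.0 or later; the -Quarantine switch applies Yodama's later rename-instead-of-delete advice by appending "#" to the extension.

```powershell
# Added triage example (not from the thread): find zero-byte "prefix-less"
# .EXE files and other files that share their timestamps.
param(
    [string]$Root = 'C:\Program Files',   # folder Spybot flagged in the thread
    [string]$SearchRoot = 'C:\',          # where to look for same-dated files
    [switch]$Quarantine                   # rename suspects to *.exe# instead of deleting
)

# Step 1: zero-byte .exe files with no base name (".EXE") or a short
# hex-looking base name ("107A.EXE"). PSIsContainer keeps this PS 2.0-compatible.
$suspects = Get-ChildItem -Path $Root -Force -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and $_.Length -eq 0 -and $_.Extension -ieq '.exe' -and
        ($_.BaseName -eq '' -or $_.BaseName -match '^[0-9A-F]{1,8}$')
    }

# Two timestamps "match" if they fall within the same minute, which is the
# resolution Explorer shows in the file properties dialog.
function Test-SameMinute([datetime]$a, [datetime]$b) {
    return [math]::Abs(($a - $b).TotalSeconds) -lt 60
}

foreach ($s in $suspects) {
    Write-Host ("Suspect: {0}  created={1}  modified={2}" -f $s.FullName, $s.CreationTime, $s.LastWriteTime)
    if ($s.CreationTime -gt $s.LastWriteTime) {
        # Creation after modification usually means the file was copied or
        # extracted with its original modified time preserved.
        Write-Host "  note: creation date is later than modification date"
    }

    # Step 2: other files sharing the creation or modification timestamp; these
    # often come from the same installer, script or scheduled job.
    Get-ChildItem -Path $SearchRoot -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and $_.FullName -ne $s.FullName -and
            ((Test-SameMinute $_.LastWriteTime $s.LastWriteTime) -or
             (Test-SameMinute $_.CreationTime $s.CreationTime))
        } |
        ForEach-Object { Write-Host ("  same timestamp: {0} ({1} bytes)" -f $_.FullName, $_.Length) }

    if ($Quarantine) {
        # Disable rather than delete so the file stays available for analysis.
        Rename-Item -LiteralPath $s.FullName -NewName ($s.Name + '#')
        Write-Host ("  renamed to {0}#" -f $s.Name)
    }
}
```

Run it from an elevated PowerShell prompt so that protected folders under the search root are readable.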

TrucMuche
2009-09-29, 19:25
Hello Yodama,
First Thanks for confirming about narrowing the detection on the result. Indeed removing C:\Program Files would probably not be a good idea :-(

Second Thanks for the 2 suggestions about the date search and the Rootalyzer tool.
Just a preliminary result on the 2 files :
".EXE". Created 08/21/2008 10:00 AM, Modified 08/21/2008 10:00 AM.

"107A.EXE". Created 05/12/2009 01:23 PM, Modified 04/18/2008 09:35 AM : this is weird as the created date is after the modified date.

I will post more after I do more search.

TrucMuche
2009-09-29, 19:56
Then again, you're right. I'm not sure how to approach this (might need some Team member's help) but I would suggest you upload those two specific .exe files to Virustotal (www.virustotal.com). Virustotal is a site that utilizes multiple anti-virus/malware scanners to scan the file that you upload. In the end it'll return with some results about the file (infected or not).

It seems very suspicious and odd about those two files. I think that was what Spybot was flagging. I had a misunderstanding back there, because I thought Spybot was flagging a folder. But again, you said it was the directory itself.

Hello drragostea,
Thanks for helping here.
I just tried Virustotal, but it did not really work as the files are empty (argh, as in for no possible analysis). And they cannot be uploaded ...

TrucMuche
2009-10-01, 03:56
Hello Yodama,
Here are the results of my searches.
1) Rootalyzer
Ran the quick scan : nothing found
Ran the deep scan : nothing found

2) search for files with same Modified dates

- ".EXE". Created 08/21/2008 10:00 AM, Modified 08/21/2008 10:00 AM.
Found 1 instance ".EXE" in "C:\Program Files"
Found 2 instances ".EXE" in "C:\Program Files"
And several other files, but none of them seems suspicious.
When I look at the properties for the 2 other instances of ".EXE", it says "Compressed Item Properties".

- "107A.EXE". Created 05/12/2009 01:23 PM, Modified 04/18/2008 09:35 AM.
Similarly to above, found 3 instances in total, 1 in "C:\Program Files" and 2 in "C:\Program Files" all dated of 04/18/2008.
Found 9 files all 0 byte in C:\Windows\COE.

Yodama
2009-10-02, 12:08
Hello TrucMuche,

Rootalyzer not finding anything suspicious softens the situation a bit.

Your findings of several instances of the files in question is still very suspicious.
Try to rename the files, for instance by renaming the extension to .exe# so that the files are disabled.
If that does not work try Icesword (http://majorgeeks.com/Icesword_d5199.html) to copy the files to a different location and then delete the files from the program files folder.

TrucMuche
2009-10-08, 23:32
Hello Yodama,
Sorry for the delay in my answer.
1) First I noticed I had a typo in my previous report of the instances I found.
Here are the correct names.

- ".EXE". Created 08/21/2008 10:00 AM, Modified 08/21/2008 10:00 AM.
Found 1 instance ".EXE" in "C:\Program Files"
Found 2 instances ".EXE" in "Program Files" (note the missing C:\)

- "107A.EXE". Created 05/12/2009 01:23 PM, Modified 04/18/2008 09:35 AM.
Found 1 instance "107A.EXE" in "C:\Program Files"
Found 2 instances "107A.EXE" in "Program Files" (note the missing C:\)

Note : I think these extra 2 instances seem to be a "normal" report when you search in Windows Explorer (?)
Because when I search for (for ex.) Firefox.exe, it also shows me 1 instance in "C:\Program Files\Firefox"
and 2 instances in "Program Files/Firefox". (note also the forward slash /).

2) WRT renaming the 2 suspicious files : no problem it works in Explorer.
No need for using "Icesword".
One question though : Why did you suggest to rename instead of simply deleting the files ?

TrucMuche
2009-10-12, 19:11
Hello Yodama,
After my last post of 10/08/09, I have a new update for you.
This morning 10/12/09, I made a new update to Spybot, did a run and the tool found now the following:
SpyLocked: [SBI $CE75118B] Program directory (Directory, nothing done)
C:\Program Files\

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-09-25 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-09-07 advcheck.dll (1.6.4.18)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-10-06 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-08-10 Includes\Dialer.sbi (*)
2009-10-06 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-10-06 Includes\HijackersC.sbi (*)
2009-09-29 Includes\Keyloggers.sbi (*)
2009-10-06 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-10-06 Includes\Malware.sbi (*)
2009-10-06 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-10-06 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-10-06 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-10-06 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-10-06 Includes\Trojans.sbi (*)
2009-10-06 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

So I checked in the C:\Program Files directory, and I found a new copy of :
".EXE" of 0 byte created on 10/09/09, the day after I renamed it.
The old renamed file is still under the name "#.EXE#".
The 2nd file still remains named "107A.EXE#", no new copy of it.

Now I am truly worried about the infection with this new Rogue AntiMalware detection, and the re-creation of the ".EXE" file.

Can you please advise on the next best steps to take ?

Thanks in advance.

Yodama
2009-10-13, 16:17
Hello TrucMuche,

sorry for my delayed reply.
Renaming a file instead of deleting it gives us a chance to analyse the file since there could be more behind it.

It appears that there are still some of our detection rules which go haywire when they encounter a .exe file without a prefix. This should be fixed with the next detection update scheduled for Wednesday 2009-10-14.

However it is very disturbing that the file was recreated after you renamed the original one. The problem is that it was recreated one day after the renaming, this actually denies us a simple method to find out which process generates this file. Try to delete the file using Icesword and see if it returns.

TrucMuche
2009-10-13, 20:51
Hello Yodama,
No problem at all.
So I used IceSword to delete the ".EXE" file at 08:30 am. No problem with that.

But at 10:00 am, the ".EXE" file is being re-created at the exact same time stamp as the original file (that I still have).
Thanks.

Yodama
2009-10-19, 09:19
Hello TrucMuche,

please try the following:

1) try to determine if the file recreates at about the same time, if that is the case:

2) use sysinternals procmon (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) as follows to monitor the creation of the .exe file.

wait until a couple of minutes before the estimated recreation time of the .exe file (procmon monitoring will take more and more system resources the longer it runs so we need to minimize its monitoring time to a couple of minutes)
start procmon
delete the .exe file
wait until it gets recreated
stop the monitoring by procmon via "file" menu and uncheck "capture events"
save a process monitor log file in its PML format
email the log file to detections@spybot.info with a reference to this thread
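The capture procedure above, and the filter configuration Yodama mentions further down to keep the PML file small, as an added example that is not part of the thread or of Sysinternals: the script waits until a couple of minutes before the expected 10:00 recreation time, starts Process Monitor with a previously exported filter configuration and a PML backing file, deletes the ".EXE" file, polls until it reappears (or a ceiling expires), and then stops the capture. Procmon.exe's location, the filter file name and the log folder are assumptions; the /AcceptEula, /Quiet, /Minimized, /LoadConfig, /BackingFile and /Terminate switches are Procmon's documented command-line options.

```powershell
# Added example (not from the thread): a narrow Process Monitor capture around
# the time the zero-byte .EXE is recreated. Run from an elevated prompt.
param(
    [string]$ProcmonPath  = 'C:\Tools\Procmon.exe',       # assumed location of Procmon
    [string]$FilterConfig = 'C:\Tools\dotexe-filter.pmc', # assumed filter exported from Procmon
    [string]$Target       = 'C:\Program Files\.EXE',      # file observed in the thread
    [string]$LogFile      = "C:\Tools\dotexe-$(Get-Date -Format yyyyMMdd-HHmm).pml",
    [datetime]$Expected   = (Get-Date -Hour 10 -Minute 0 -Second 0), # recreation time seen so far
    [int]$LeadMinutes     = 2,    # start capturing this long before $Expected
    [int]$MaxWaitMinutes  = 10    # stop even if the file never comes back
)

# Wait until shortly before the expected recreation time so the log stays small.
$captureStart = $Expected.AddMinutes(-$LeadMinutes)
if ((Get-Date) -lt $captureStart) {
    Start-Sleep -Seconds ([int](($captureStart - (Get-Date)).TotalSeconds))
}

# Start Procmon minimized, with the filter loaded and events written straight
# to the PML backing file (no filter dialog, no UI interaction needed).
$procmonArgs = "/AcceptEula /Quiet /Minimized /LoadConfig `"$FilterConfig`" /BackingFile `"$LogFile`""
Start-Process -FilePath $ProcmonPath -ArgumentList $procmonArgs
Start-Sleep -Seconds 5   # give Procmon a moment to begin capturing

# Remove the current copy so whichever process recreates it must write a new one
# while the capture is running.
if (Test-Path -LiteralPath $Target) { Remove-Item -LiteralPath $Target -Force }

# Poll for the file to reappear, with a ceiling on the wait.
$deadline = (Get-Date).AddMinutes($MaxWaitMinutes)
while (-not (Test-Path -LiteralPath $Target) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 2
}
$recreated = Test-Path -LiteralPath $Target

# /Terminate asks the running Procmon instance to stop capturing and exit,
# which flushes the backing file.
Start-Process -FilePath $ProcmonPath -ArgumentList '/Terminate' -Wait

if ($recreated) {
    Write-Host "Target recreated at $(Get-Date -Format HH:mm:ss); PML saved to $LogFile"
} else {
    Write-Host "Target did not reappear within $MaxWaitMinutes minutes; partial PML at $LogFile"
}
```

The resulting PML can be opened in Procmon afterwards and filtered on the target path to read off the creating process and its command line.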

TrucMuche
2009-10-19, 19:09
Hello Yodama,
1) Yes, the file was recreated at the same time with the same time stamp.
2) Will do as you indicated, and I should be able to send an email with the results later today if all goes well.
Thanks for your help.

TrucMuche
2009-10-20, 20:33
Hello Yodama,
I was not able to save a "decent" PML log file today. The .EXE file was recreated today at 10:02 am, but when I let procmon run for 2+ min, the PML log file was huge (800MB uncompressed, and 100MB Zipped).
I tried to trick whatever process recreated the file by deleting it, then by setting my computer clock back to before 10:02 am, but no luck of getting a new copy of the .EXE file at this juncture.
So I will have to wait until tomorrow again. And this time I will try to be much narrower to the window of the creation time, to get a smaller PML log file.
Thanks.

Yodama
2009-10-21, 08:36
Hello,

you can also set a filter for the events that get monitored in procmon, that way we can reduce the size of the pml file. I did not mention this earlier because I did not expect the log file to become this large in such a small time.
I have attached a configuration file for procmon that you only need to import via file - import configuration.

TrucMuche
2009-10-22, 20:21
Hello Yodama,
I was able to generate a good PML file today with your configuration file (size is much smaller, about 1 MB) and the .EXE was indeed recreated at 10:00 AM.
I sent this file and an email to : detections@spybot.info, referring to this thread.
Thanks for your help again.

Yodama
2009-10-23, 09:58
Hello,

I received your email containing the requested PML file. It shows that the following Visual Basic Script is responsible for creation of the .exe file:


C:\WINDOWS\system32\CCM\Cache\0000002D.1.System\CreateVerExe.vbs

Are you running a Windows server? This folder C:\WINDOWS\system32\CCM is usually only found on Windows server systems.
You can take a look at the vbs file with a text editor or send it to us for analysis to detections@spybot.info again with a reference to this thread.

TrucMuche
2009-10-29, 23:39
Hello Yodama,
My apologies for the delay in answering your previous suggestions, as I was away for a long week-end and I did not have access to my laptop.
I don't think I am running any kind of "Windows server".

So I looked into the VBS script content and the content looks pretty "clean".
But this is a laptop I use for both personal and professional usage.
So it has some automatic update function, and I got confirmation the file is part of the machine load for Microsoft patch update etc.
And therefore the VBS file and the ".EXE" file are not malicious.
(Although I am not sure why it creates such a strange file w/o a prefix).

Note : I ran a full scan again with the most recent update of 10/28/09, and NO more alert on the "empty" ".EXE" file.
It looks like your new detection rules work better now, as you hinted in one of your previous messages.
Thank You very much for your help in this matter.