Possible False Positive? Win32.SharaQQ.30
Reported Win32.SharaQQ.30 as a Trojan on yesterday's (2009-06-24) update as Scan Results on two separate XP systems (one is rarely used). Latest AVG Anti-Virus shows nothing. Nothing on Symantec or AVG website regarding Win32.SharaQQ.30. Google search shows little info on this Trojan.
Anyone else showing this?
Should I try to have Spybot fix the problem?
Operating System: Windows XP Home
Browser and Version: Internet Explorer 6
Version of Spybot S&D: 1.6.2.46
Date of the latest update: 2009-06-24
--- Report generated: 2009-06-24 10:09 ---
Win32.SharaQQ.30: [SBI $78DEFE26] Data (File, nothing done)
C:\WINDOWS\system32\SVKP.sys
Properties.size=2368
Properties.md5=F05028B163B92C302A74409D683AC9B0
Properties.filedate=1072473531
Properties.filedatetext=2003-12-26 14:18:51
Win32.SharaQQ.30: [SBI $962F118B] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SVKP
Win32.SharaQQ.30: [SBI $F02BC4BB] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SVKP
Win32.SharaQQ.30: [SBI $75C09369] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WZCSVC
Win32.SharaQQ.30: [SBI $A65B8F92] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WZCSVC
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
Possible False Positive? Win32.SharaQQ.30
Should I just let Spybot try to fix it or is there something else that I should also do?
Possible False Positive? Win32.SharaQQ.30
Worked like a charm without having to go into safe mode!
Thank you! Thank you!
Possible False Positive? Win32.SharaQQ.30
I see there are 3 new posts to my initial question regarding Win32.SharaQQ.30. Unfortunately they appear to be in German and I'm sorry, but I don't read German. Can anyone help me? Do these state anything important that I should know?
Possible False Positive? Win32.SharaQQ.30
Very Cool! I bookmarked that one.
I had the same question as Geronimo104 and that answered it.
Thanks Yodama!
DITTO: Possible False Positive? Win32.SharaQQ.30
I've also just recently begun receiving IDENTICAL disposition (my report below) as the initial poster of this thread (jgs57).
-----------------------------------------------------------------------
Win32.SharaQQ.30: [SBI $78DEFE26] Data (File, nothing done)
C:\WINDOWS\system32\SVKP.sys
Properties.size=2368
Properties.md5=F05028B163B92C302A74409D683AC9B0
Properties.filedate=1188104952
Properties.filedatetext=2007-08-25 22:09:12
Win32.SharaQQ.30: [SBI $962F118B] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SVKP
Win32.SharaQQ.30: [SBI $F02BC4BB] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SVKP
Win32.SharaQQ.30: [SBI $75C09369] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WZCSVC
Win32.SharaQQ.30: [SBI $A65B8F92] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WZCSVC
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
-----------------------------------------------------------------------
However, I believe this to be false positive. Why?
1. I have submitted the suspect file [C:\WINDOWS\system32\SVKP.sys] to VirusTotal, and it receives not even one hit from any of the 41 current and up-to-date malware scanners.
2. The subject file has been resident and unchanged (i.e., identical SHA1 checksums) on the PC for AT LEAST the past 18 months (just that I know of ... probably longer).
3. There's been no relative suspicious behavior at all during that period.
4. A thorough Google search of the file is conspicuously thin: Only 3 hits within past month, and only 8 hits within the past YEAR. NONE of them (except one) contain any discussion directly related to "SVKP.sys" as a malware culprit; but rather simply contained within HJT (HiJackThis) reports or the like. I would expect much more forum based activity for any true malware of this age.
CORRECTION: Oops! My above referenced Google search was for "C:\WINDOWS\system32\SVKP.sys" AND "false positive". That notwithstanding, my initial search using only the filename resulted in tellingly thin results as well, which led me to my course of (in)action that follows.
Although I have not yet determined the source/vector software which placed this file, given the facts at hand, I'm adequately confident at this time to leave it be. However, that would not be my general advice to anyone else who is not as confident as me. For them I would recommend allowing SpyBot S&D to go ahead and "fix" (and quarantine) it, then if/when it's definitively determined to be a false-positive, simply restore from quarantine.
If the capable SpyBot S&D folks could look into this and provide an updated report/DB update regarding this matter, it would sincerely be appreciated by me, and apparently several others as well. Thanks in advance for your attention and all your good work.
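The comparison this thread keeps making by eye (is the flagged SVKP.sys the same file on each machine?) can be done mechanically from the report text. The following is an added example, not part of any post and not Spybot code: the function names are hypothetical, and the two inputs are excerpts of the reports posted above. A matching MD5 and size only shows that both scans flagged the same bytes; it does not settle whether the file is benign.

```python
import re

# Header line of one detection, e.g.
# "Win32.SharaQQ.30: [SBI $78DEFE26] Data (File, nothing done)"
HEADER = re.compile(r"^(?P<threat>.+?): \[SBI \$(?P<sbi>[0-9A-F]+)\] "
                    r"(?P<category>\w+) \((?P<kind>[^,]+), (?P<action>[^)]+)\)$")

def parse_report(text):
    """Return one dict per detection: header fields, target and Properties.*."""
    detections = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            detections.append({**m.groupdict(), "target": None, "props": {}})
        elif not detections or not line or line.startswith("---"):
            continue  # banner and separator lines carry no detection data
        elif line.startswith("Properties."):
            key, _, value = line[len("Properties."):].partition("=")
            detections[-1]["props"][key] = value
        elif detections[-1]["target"] is None:
            detections[-1]["target"] = line  # file path or registry key
    return detections

def file_fingerprints(detections):
    """Map each flagged file path (lower-cased) to its (md5, size) pair."""
    return {d["target"].lower(): (d["props"].get("md5"), d["props"].get("size"))
            for d in detections if d["kind"] == "File" and d["target"]}

def same_files(report_a, report_b):
    """Paths flagged in both reports whose md5 and size are identical."""
    a = file_fingerprints(parse_report(report_a))
    b = file_fingerprints(parse_report(report_b))
    return sorted(p for p in a.keys() & b.keys() if a[p][0] and a[p] == b[p])

# Excerpts of the two reports in this thread (first poster, then second).
REPORT_A = r"""--- Report generated: 2009-06-24 10:09 ---
Win32.SharaQQ.30: [SBI $78DEFE26] Data (File, nothing done)
C:\WINDOWS\system32\SVKP.sys
Properties.size=2368
Properties.md5=F05028B163B92C302A74409D683AC9B0
Properties.filedate=1072473531
Win32.SharaQQ.30: [SBI $962F118B] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SVKP
"""
REPORT_B = r"""Win32.SharaQQ.30: [SBI $78DEFE26] Data (File, nothing done)
C:\WINDOWS\system32\SVKP.sys
Properties.size=2368
Properties.md5=F05028B163B92C302A74409D683AC9B0
Properties.filedate=1188104952
"""
print(same_files(REPORT_A, REPORT_B))
```

The file dates differ between the two machines while the hash and size match, which is what one would expect from the same file installed at different times.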
Possible False Positive? Win32.SharaQQ.30
OK... now I'm really confused. Should I not have let Spybot correct this problem? SVKP.sys now only shows in my spybot/recovery folder. Right clicking on the file to show Properties indicates the date of this 3k file is 12/26/2003... if that means anything. I agree that a Google search shows little info or help. What is this file for and should I restore it? Do I need it? Is it a Trojan or a False Positive?
Possible False Positive? Win32.SharaQQ.30
Well I have never used TweakXP so what should I do? Are there other programs involved using that file? Everything seems to be working OK right now.