Thread: Possible False Positive? Win32.SharaQQ.30

  1. #1
    Junior Member
    Join Date
    Jun 2009
    Posts
    7

    Post Possible False Positive? Win32.SharaQQ.30

    Reported Win32.SharaQQ.30 as a Trojan on yesterday's (2009-06-24) update as Scan Results on two separate XP systems (one is rarely used). Latest AVG Anti-Virus shows nothing. Nothing on Symantec or AVG website regarding Win32.SharaQQ.30. Google search shows little info on this Trojan.

    Anyone else showing this?
    Should I try to have Spybot fix the problem?

    Operating System: Windows XP Home
    Browser and Version: Internet Explorer 6
    Version of Spybot S&D: 1.6.2.46
    Date of the latest update: 2009-06-24

    --- Report generated: 2009-06-24 10:09 ---

    Win32.SharaQQ.30: [SBI $78DEFE26] Data (File, nothing done)
    C:\WINDOWS\system32\SVKP.sys
    Properties.size=2368
    Properties.md5=F05028B163B92C302A74409D683AC9B0
    Properties.filedate=1072473531
    Properties.filedatetext=2003-12-26 14:18:51

    Win32.SharaQQ.30: [SBI $962F118B] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SVKP

    Win32.SharaQQ.30: [SBI $F02BC4BB] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SVKP

    Win32.SharaQQ.30: [SBI $75C09369] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WZCSVC

    Win32.SharaQQ.30: [SBI $A65B8F92] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WZCSVC


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2009-02-18 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-01-26 advcheck.dll (1.6.2.15)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2009-05-19 Includes\Adware.sbi (*)
    2009-06-02 Includes\AdwareC.sbi (*)
    2009-01-22 Includes\Cookies.sbi (*)
    2009-05-19 Includes\Dialer.sbi (*)
    2009-06-02 Includes\DialerC.sbi (*)
    2009-01-22 Includes\HeavyDuty.sbi (*)
    2009-05-26 Includes\Hijackers.sbi (*)
    2009-06-23 Includes\HijackersC.sbi (*)
    2009-06-23 Includes\Keyloggers.sbi (*)
    2009-06-23 Includes\KeyloggersC.sbi (*)
    2009-06-10 Includes\Malware.sbi (*)
    2009-06-23 Includes\MalwareC.sbi (*)
    2009-03-25 Includes\PUPS.sbi (*)
    2009-06-17 Includes\PUPSC.sbi (*)
    2009-01-22 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2009-06-02 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2009-04-07 Includes\Spyware.sbi (*)
    2009-06-02 Includes\SpywareC.sbi (*)
    2009-06-08 Includes\Tracks.uti
    2009-06-17 Includes\Trojans.sbi (*)
    2009-06-23 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

  2. #2
    Senior Member Yodama
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    This is no false positive, you should fix this on both of your computers.
    This Trojan horse is contacting malicious domains in the background.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  3. #3
    Junior Member
    Join Date
    Jun 2009
    Posts
    7

    Default Possible False Positive? Win32.SharaQQ.30

    Should I just let Spybot try to fix it or is there something else that I should also do?

  4. #4
    Senior Member Yodama
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Fixing it with Spybot S&D should be enough. If removal should fail for some reason, try to fix it in Windows safe mode (press F8 before the 1st Windows loading screen to enter Windows safe mode).

  5. #5
    Junior Member
    Join Date
    Jun 2009
    Posts
    7

    Default Possible False Positive? Win32.SharaQQ.30

    Worked like a charm without having to go into safe mode!

    Thank you! Thank you!

  6. #6
    Junior Member
    Join Date
    Jun 2008
    Posts
    7

    Hi,

    So today I got exactly the same message about Win32.SharaQQ.30 as jgs57.
    I have had svkp.sys (file version 4.0.1381.1) on my computer since 2 February 2009.
    Why is this suddenly a Trojan now?

    Geronimo104
    ...

  7. #7
    Junior Member
    Join Date
    Jul 2009
    Posts
    3

    Default Trojan win32.SharaQQ.30

    I too following the 24/6 update received exactly the same message.
    After consultation with spybot I 'fixed' the problem and it was successful.
    Results were submitted and it was recommended that I carry out a Rootalyzer test.
    I am awaiting feedback but it looked ok to me.
    Anyway, I have run all progs on my computer to see if I got a message saying that SVKP.sys was missing but all seemed fine.
    Today (3/7/09) I d/l new spybot updates and carried out test.
    Guess what - the same Trojan (sharaQQ) detected and when I checked the SVKP.sys file was back in place.
    I have again 'fixed' it and sent in results- awaiting reply.
    Incidentally Norton 360 v3 still tested clear.

    In 2005 that same SVKP file caused problems on an older Norton version with a particular update from Norton. (Hacktool Rootkit virus). This turned out to be innocent and a further update from Norton rectified it.

    I hope this is the same cos I am starting to get paranoid.
