
Thread: Possible False Positive? Win32.SharaQQ.30

  1. #11
    Junior Member
    Join Date
    Jun 2009
    Posts
    7

    Default Possible False Positive? Win32.SharaQQ.30

    Very Cool! I bookmarked that one.

    I had the same question as Geronimo104 and that answered it.

    Thanks Yodama!

  2. #12
    Junior Member
    Join Date
    Jul 2009
    Posts
    3

    Default Trojan win32.SharaQQ.30

    I too, following the 24/6 update, received exactly the same message.
    After consultation with Spybot I 'fixed' the problem and it was successful.
    Results were submitted and it was recommended that I carry out a RootAlyzer test.
    I am awaiting feedback but it looked OK to me.
    Anyway, I have run all programs on my computer to see if I got a message saying that SVKP.sys was missing, but all seemed fine.
    Today (3/7/09) I downloaded new Spybot updates and carried out a test.
    Guess what - the same Trojan (SharaQQ) was detected, and when I checked, the SVKP.sys file was back in place.
    I have again 'fixed' it and sent in the results - awaiting reply.
    Incidentally, Norton 360 v3 still tested clear.

    In 2005 that same SVKP file caused problems on an older Norton version with a particular update from Norton. (Hacktool Rootkit virus). This turned out to be innocent and a further update from Norton rectified it.

    I hope this is the same cos I am starting to get paranoid.

  3. #13
    Junior Member
    Join Date
    Jul 2009
    Location
    Puget Sound, Washington USA
    Posts
    2

    Default DITTO: Possible False Positive? Win32.SharaQQ.30

    I've also just recently begun receiving IDENTICAL disposition (my report below) as the initial poster of this thread (jgs57).

    -----------------------------------------------------------------------
    Win32.SharaQQ.30: [SBI $78DEFE26] Data (File, nothing done)
    C:\WINDOWS\system32\SVKP.sys
    Properties.size=2368
    Properties.md5=F05028B163B92C302A74409D683AC9B0
    Properties.filedate=1188104952
    Properties.filedatetext=2007-08-25 22:09:12

    Win32.SharaQQ.30: [SBI $962F118B] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SVKP

    Win32.SharaQQ.30: [SBI $F02BC4BB] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SVKP

    Win32.SharaQQ.30: [SBI $75C09369] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WZCSVC

    Win32.SharaQQ.30: [SBI $A65B8F92] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WZCSVC

    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
    -----------------------------------------------------------------------

    However, I believe this to be false positive. Why?

    1. I have submitted the suspect file [C:\WINDOWS\system32\SVKP.sys] to VirusTotal, and it receives not even one hit from any of the 41 current and up-to-date malware scanners.

    2. The subject file has been resident and unchanged (i.e., identical SHA1 checksums) on the PC for AT LEAST the past 18 months (just that I know of ... probably longer).

    3. There's been no relative suspicious behavior at all during that period.

    4. A thorough Google search of the file is conspicuously thin: Only 3 hits within the past month, and only 8 hits within the past YEAR. NONE of them (except one) contain any discussion directly related to "SVKP.sys" as a malware culprit; rather, it is simply contained within HJT (HiJackThis) reports or the like. I would expect much more forum-based activity for any true malware of this age.

    CORRECTION: Oops! My above referenced Google search was for "C:\WINDOWS\system32\SVKP.sys" AND "false positive". That notwithstanding, my initial search using only the filename resulted in tellingly thin results as well, which led me to my course of (in)action that follows.

    Although I have not yet determined the source/vector software which placed this file, given the facts at hand, I'm adequately confident at this time to leave it be. However, that would not be my general advice to anyone else who is not as confident as me. For them I would recommend allowing SpyBot S&D to go ahead and "fix" (and quarantine) it, then if/when it's definitively determined to be a false positive, simply restore from quarantine.

    If the capable SpyBot S&D folks could look into this and provide an updated report/DB update regarding this matter, it would sincerely be appreciated by me, and apparently several others as well. Thanks in advance for your attention and all your good work.
    Last edited by TheGeekinator; 2009-07-04 at 06:53.
    "Today's the best day of my life ... and now you're part of it!"

  4. #14
    Junior Member
    Join Date
    Jun 2009
    Posts
    7

    Default Possible False Positive? Win32.SharaQQ.30

    OK... now I'm really confused. Should I not have let Spybot correct this problem? SVKP.sys now only shows in my Spybot recovery folder. Right-clicking on the file to show Properties indicates the date of this 3k file is 12/26/2003... if that means anything. I agree that a Google search shows little info or help. What is this file for and should I restore it? Do I need it? Is it a Trojan or a false positive?

  5. #15
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    Again, this is no false positive.
    Here is an excerpt from the file version information:
    Company: AntiCracking
    Copyright: Copyright (C) Microsoft Corp. 1981-1999

    There are more similar files which have the exact same version information including file version number and product version number but are different in size and checksum. Meaning they are different files but are declared to be identical by the "vendor" AntiCracking.

    As you can see this certainly does not match for a proper Microsoft file.
    Additionally, the tested sample connected to a Chinese domain in the background.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.
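    As an added example (not code from this thread, from Spybot, or from any poster): a small Python script that parses the report block quoted in post #13 above, decodes the Properties.filedate epoch, hashes a file for comparison with the report's md5 (and for hash-based lookups of the VirusTotal kind mentioned there), and applies the version-information consistency test Yodama describes in post #15. The function names, the UTC-7 offset (assumed from the poster's Puget Sound location) and the embedded sample report (constructed from the lines quoted above) are assumptions of this example.

```python
"""Added example: parse a Spybot S&D 1.6 report block and run basic triage checks.
Not Spybot's own code; function names and the UTC-7 offset are assumptions."""
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, copied from the report lines quoted in this thread.
SAMPLE_REPORT = """\
Win32.SharaQQ.30: [SBI $78DEFE26] Data (File, nothing done)
C:\\WINDOWS\\system32\\SVKP.sys
Properties.size=2368
Properties.md5=F05028B163B92C302A74409D683AC9B0
Properties.filedate=1188104952
Properties.filedatetext=2007-08-25 22:09:12

Win32.SharaQQ.30: [SBI $962F118B] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\SVKP

Win32.SharaQQ.30: [SBI $75C09369] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WZCSVC

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
"""

# "Name: [SBI $id] Kind (Detail, action)" header line of each detection.
HEADER_RE = re.compile(
    r"^(?P<name>[^:]+): \[SBI \$(?P<sbi>[0-9A-F]{8})\] "
    r"(?P<kind>\w+) \((?P<detail>[^,]+), (?P<action>[^)]+)\)$"
)


def parse_report(text):
    """Return one dict per detection: name, sbi, kind, detail, action, target, props."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            current = None            # blank line or version footer ends an entry
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.groupdict()
            current.update(target=None, props={})
            entries.append(current)
        elif current is None:
            continue                  # stray text outside any entry
        elif line.startswith("Properties."):
            key, _, value = line[len("Properties."):].partition("=")
            current["props"][key] = value
        elif current["target"] is None:
            current["target"] = line  # file path or registry key
    return entries


def service_names(entries):
    """Service names taken from the ...\\Services\\<name> registry keys in the report."""
    return {
        e["target"].rsplit("\\", 1)[-1]
        for e in entries
        if e["kind"] == "Settings" and "\\Services\\" in (e["target"] or "")
    }


def filedate_utc(entry):
    """Properties.filedate is a Unix epoch; decode it as an aware UTC datetime."""
    return datetime.fromtimestamp(int(entry["props"]["filedate"]), tz=timezone.utc)


def filedate_matches_text(entry, utc_offset_hours):
    """True when filedatetext is filedate rendered at the given UTC offset."""
    local = filedate_utc(entry) + timedelta(hours=utc_offset_hours)
    return local.strftime("%Y-%m-%d %H:%M:%S") == entry["props"]["filedatetext"]


def hash_bytes(data):
    """Upper-case md5/sha1/sha256 hex digests, the keys used for hash lookups."""
    return {n: hashlib.new(n, data).hexdigest().upper() for n in ("md5", "sha1", "sha256")}


def hash_file(path):
    with open(path, "rb") as f:
        return hash_bytes(f.read())


def md5_matches_report(entry, observed):
    """True when the on-disk md5 equals the md5 Spybot recorded for the file."""
    return observed["md5"].upper() == entry["props"].get("md5", "").upper()


def version_info_looks_inconsistent(info):
    """The mismatch described in post #15: a Microsoft copyright string on a
    file whose CompanyName is not Microsoft. `info` maps VS_VERSIONINFO
    string names (CompanyName, LegalCopyright) to their values."""
    company = info.get("CompanyName", "").lower()
    notice = info.get("LegalCopyright", "").lower()
    return "microsoft" in notice and "microsoft" not in company


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for e in found:
        print(e["sbi"], e["kind"], e["target"], e["props"])
    print("services:", sorted(service_names(found)))
    print("filedate UTC:", filedate_utc(found[0]).isoformat())
    print("filedatetext is UTC-7:", filedate_matches_text(found[0], -7))
    print("version info inconsistent:", version_info_looks_inconsistent(
        {"CompanyName": "AntiCracking",
         "LegalCopyright": "Copyright (C) Microsoft Corp. 1981-1999"}))
```

    Run it as a script to see the parsed entries; to check a live system, call hash_file on the path from the report and compare with md5_matches_report, and feed the CompanyName/LegalCopyright strings shown in the file's Properties dialog to version_info_looks_inconsistent. Note that the report's filedatetext only agrees with the epoch value at UTC-7, which is why two people comparing timestamps from different time zones can disagree about the "same" file.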

  6. #16
    Junior Member
    Join Date
    Jul 2009
    Posts
    3

    Default Trojan win32.SharaQQ.30

    Good news - for me anyway.
    I have proved conclusively that the file SVKP.sys and the associated registry entries are created by a program on my computer. This is causing the SharaQQ Trojan to be recognised???
    That program is TweakXP v2.
    After I had first fixed the Trojan with Spybot S&D, I ran most of my programs, including TweakXP, to make sure they all worked with that file quarantined.
    They all were OK, so I was disappointed (to say the least) when with the latest S&D update the Shara Trojan was found again.
    This time I 'fixed' it and then ran every program separately, each time checking with Explorer to see if the SVKP.sys file reappeared.
    Lo and behold - TWEAK XP was the culprit.
    I repeated the process to make sure.
    Now, I have had that program on a previous computer and my current one since January 2004 and I have never noticed anything untoward.
    Naturally I am relieved to have solved my situation.
    So jgs57 and others exhibiting the same Trojan symptom, do you have TWEAKXP v2?
    If not, carry out the same experiment - it may solve your problem too!!!
    Last edited by salim38; 2009-07-07 at 01:44.

  7. #17
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    I have just tested the current TweakXP 2.1 from TweakXP.com.
    Since it is a shareware version I was not able to test all of its components, but it did not install any service and it did not install the SVKP service in question here.
    I also do not see any reason for TweakXP to suddenly install that service once the full features are unlocked.

    If you are still convinced that SVKP is a part of TweakXP you should contact the vendors of TweakXP.

  8. #18
    Junior Member
    Join Date
    Jul 2009
    Posts
    3

    Default win32.SharaQQ.30 Trojan

    Greetings.

    I have contacted the vendors of TweakXP and they have confirmed that the file SVKP.sys was indeed a part of v2.09, the one I am using.
    Later versions no longer have that file.
    So it looks as if in my case anyway S&D is seeing that file as the above Trojan.

  9. #19
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    Hello Salim,

    thank you for your information on this. I have also received your email confirming this information.
    So I have to admit that I was wrong here.

    The changes to our detection database did not make it for the update today so they will be released with the next update scheduled for Wednesday 2009-07-15. Until then you can mark the detection on the svkp.sys and the service belonging to it to be ignored from further searches.

  10. #20
    Junior Member
    Join Date
    Jun 2009
    Posts
    7

    Default Possible False Positive? Win32.SharaQQ.30

    Well, I have never used TweakXP, so what should I do? Are there other programs involved that use that file? Everything seems to be working OK right now.
