Page 1 of 2
Results 1 to 10 of 20

Thread: AntiVirGear false positive ?

  1. #1
    Junior Member
    Join Date
    Sep 2009
    Posts
    17

    Default AntiVirGear false positive ?

    Hello,
    This is my first post so I hope I am doing the right things.
    I just installed the latest version 1.6.2 and ran a scan and I got the following alert which I believe is a false positive.
    For the following reasons :
    - I never installed this fake Antispyware program "AntiVirGear"
    - I Cannot find "AntiVirGear" in the Program files folders
    - I Cannot see "AntiVirGear" in the Add or Remove control panel list
    - There is no icon of this "AntiVirGear" program in my system tray

    And here are the requested details :
    # Operating System : Windows XP Professional SP2
    # Browser and Version : currently opened Firefox 2.0.0.20, and also installed Firefox 3.0.10 and Internet Explorer 7.0.5730
    # Version of Spybot S&D and Date of the latest update : 1.6.2.46 and updated on 09-25-09
    # where did the false positive occur : at the Scan result

    Can you please advise the next steps I should take.
    Thank You.

    Shortened Log (I removed the tracking cookies alerts) :
    --- Report generated: 2009-09-25 12:29 ---

    AntiVirGear: [SBI $72F309E5] Program directory (Directory, nothing done)
    C:\Program Files\
    (I removed the tracking cookies alerts here)

    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2009-09-25 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-09-07 advcheck.dll (1.6.4.18)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2009-05-19 Includes\Adware.sbi (*)
    2009-09-22 Includes\AdwareC.sbi (*)
    2009-01-22 Includes\Cookies.sbi (*)
    2009-08-10 Includes\Dialer.sbi (*)
    2009-09-22 Includes\DialerC.sbi (*)
    2009-01-22 Includes\HeavyDuty.sbi (*)
    2009-05-26 Includes\Hijackers.sbi (*)
    2009-09-22 Includes\HijackersC.sbi (*)
    2009-09-22 Includes\Keyloggers.sbi (*)
    2009-09-22 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2009-08-19 Includes\Malware.sbi (*)
    2009-09-22 Includes\MalwareC.sbi (*)
    2009-03-25 Includes\PUPS.sbi (*)
    2009-09-22 Includes\PUPSC.sbi (*)
    2009-01-22 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2009-09-22 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2009-04-07 Includes\Spyware.sbi (*)
    2009-09-22 Includes\SpywareC.sbi (*)
    2009-06-08 Includes\Tracks.uti
    2009-09-15 Includes\Trojans.sbi (*)
    2009-09-22 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

  2. #2
    Senior Member drragostea
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674


    AntiVirGear: [SBI $72F309E5] Program directory (Directory, nothing done)
    It's sitting right in your Programs Folder. But the news is that this does not pose a threat (because it lacks the system files and registry keys) nor is it a False Positive. I have no idea how it got there (dropped?) but in the meantime you shouldn't worry over such a folder. Remember it's an empty folder (you can always navigate to that folder in your Programs Folder and check the properties of that folder itself [should be like 0KB, since it is empty]).

    Check to make sure there's nothing in there.

  3. #3
    Junior Member
    Join Date
    Sep 2009
    Posts
    17


    Hello drragostea and everyone,
    Sorry, I am not sure I understand your answer.
    I assume when you refer to the "empty folder", you meant the "AntiVirGear" folder?

    Because the alert message says :
    AntiVirGear: [SBI $72F309E5] Program directory (Directory, nothing done)
    C:\Program Files\
    It seems here Spybot refers to the "root" "Program Files" Directory ?
    And under C:\Program Files\, this is where I have all my applications being installed. There is around 3 GB of programs in there.
    Which is why I was worried when I got this message, and the proposed solution by Spybot is to "delete" that C:\Program Files\ folder?

    On the other hand, if I understood you correctly, then in fact I have no "AntiVirGear" folder, visible or hidden, right under C:\Program Files.
    On the other hand, right under C:\Program Files, I noticed only two files and they are called :
    ".EXE" of 0 byte. (No Prefix Name in front of the ".EXE")
    "107A.EXE" of 0 byte.
    Could any of these 2 be a remnant of the AntiVirGear being "dropped" in here?

    Thanks for your help.

  4. #4
    Senior Member drragostea
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674


    Then again, you're right. I'm not sure how to approach this (might need some Team member's help) but I would suggest you upload those two specific .exe files to Virustotal (www.virustotal.com). Virustotal is a site that utilizes multiple anti-virus/malware scanners to scan the file that you upload. In the end it'll return with some results about the file (infected or not).

    Those two files seem very suspicious and odd. I think that was what Spybot was flagging. I had a misunderstanding back there, because I thought Spybot was flagging a folder. But again, you said it was the directory itself.

  5. #5
    Senior Member Yodama
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110


    Hello,

    Hm, these 2 files really are suspicious. The ".exe" file is what caused Spybot S&D to identify the program files folder as part of AntiVirGear. I think we should narrow down our detection a bit here; removing the whole program files folder would usually be very bad.

    @TrucMuche
    Determine the creation and modification dates of these 2 exe files you named above and do a search on your computer for files with the same dates.
    Doing a scan with Rootalyzer (check downloads below) may also shed some light on this.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  6. #6
    Junior Member
    Join Date
    Sep 2009
    Posts
    17


    Hello Yodama,
    First, thanks for confirming about narrowing the detection on the result. Indeed, removing C:\Program Files would probably not be a good idea :-(

    Second, thanks for the 2 suggestions about the date search and the Rootalyzer tool.
    Just a preliminary result on the 2 files :
    ".EXE". Created 08/21/2008 10:00 AM, Modified 08/21/2008 10:00 AM.

    "107A.EXE". Created 05/12/2009 01:23 PM, Modified 04/18/2008 09:35 AM : this is weird as the created date is after the modified date.

    I will post more after I do more search.

  7. #7
    Junior Member
    Join Date
    Sep 2009
    Posts
    17


    Quote Originally Posted by drragostea View Post
    Then again, you're right. I'm not sure how to approach this (might need some Team member's help) but I would suggest you upload those two specific .exe files to Virustotal (www.virustotal.com). Virustotal is a site that utilizes multiple anti-virus/malware scanners to scan the file that you upload. In the end it'll return with some results about the file (infected or not).

    Those two files seem very suspicious and odd. I think that was what Spybot was flagging. I had a misunderstanding back there, because I thought Spybot was flagging a folder. But again, you said it was the directory itself.
    Hello drragostea,
    Thanks for helping here.
    I just tried Virustotal, but it did not really work as the files are empty (argh, as in for no possible analysis). And they cannot be uploaded ...

  8. #8
    Junior Member
    Join Date
    Sep 2009
    Posts
    17


    Hello Yodama,
    Here are the results of my searches.
    1) Rootalyzer
    Ran the quick scan: nothing found
    Ran the deep scan: nothing found

    2) search for files with same Modified dates

    - ".EXE". Created 08/21/2008 10:00 AM, Modified 08/21/2008 10:00 AM.
    Found 1 instance ".EXE" in "C:\Program Files"
    Found 2 instances ".EXE" in "C:\Program Files"
    And several other files, but none of them seems suspicious.
    When I look at the properties for the 2 other instances of ".EXE", it says "Compressed Item Properties".

    - "107A.EXE". Created 05/12/2009 01:23 PM, Modified 04/18/2008 09:35 AM.
    Similarly to above, found 3 instances in total, 1 in "C:\Program Files" and 2 in "C:\Program Files", all dated 04/18/2008.
    Found 9 files all 0 byte in C:\Windows\COE.

  9. #9
    Senior Member Yodama
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110


    Hello TrucMuche,

    Rootalyzer not finding anything suspicious softens the situation a bit.

    Your findings of several instances of the files in question are still very suspicious.
    Try to rename the files, for instance by renaming the extension to .exe# so that the files are disabled.
    If that does not work, try Icesword to copy the files to a different location and then delete the files from the program files folder.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  10. #10
    Junior Member
    Join Date
    Sep 2009
    Posts
    17


    Hello Yodama,
    Sorry for the delay in my answer.
    1) First I noticed I had a typo in my previous report of the instances I found.
    Here are the correct names.

    - ".EXE". Created 08/21/2008 10:00 AM, Modified 08/21/2008 10:00 AM.
    Found 1 instance ".EXE" in "C:\Program Files"
    Found 2 instances ".EXE" in "Program Files" (note the missing C:\)

    - "107A.EXE". Created 05/12/2009 01:23 PM, Modified 04/18/2008 09:35 AM.
    Found 1 instance "107A.EXE" in "C:\Program Files"
    Found 2 instances "107A.EXE" in "Program Files" (note the missing C:\)

    Note : I think these extra 2 instances seem to be a "normal" report when you search in Windows Explorer (?)
    Because when I search for (for ex.) Firefox.exe, it also shows me 1 instance in "C:\Program Files\Firefox"
    and 2 instances in "Program Files/Firefox". (note also the forward slash /).

    2) WRT renaming the 2 suspicious files: no problem, it works in Explorer.
    No need for using "Icesword".
    One question though: why did you suggest renaming instead of simply deleting the files?
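The triage steps suggested in this thread (list the zero-byte .EXE files under Program Files, note when a file's creation time is later than its modification time as with 107A.EXE, search for other files sharing the same modification date, then disable a suspect file by renaming its extension to .exe#) can be scripted. The following Python is an added example written for this page, not code from the thread participants or from Spybot; it builds a constructed sample directory standing in for C:\Program Files, so it runs anywhere, and the creation-time lookup is a best-effort assumption (Windows reports creation time in st_ctime, macOS in st_birthtime, Linux has no creation time and falls back to inode change time).

```python
import os
import tempfile
import time
from datetime import datetime


def creation_time(st):
    """Best-effort creation timestamp (assumption: on Windows st_ctime is the
    creation time, macOS exposes st_birthtime, Linux has neither and falls
    back to st_ctime, the inode change time)."""
    return getattr(st, "st_birthtime", st.st_ctime)


def triage_zero_byte_executables(root):
    """Walk root and report every zero-byte *.exe (case-insensitive), noting
    when creation time is later than last-modified time, the anomaly the
    thread observed on 107A.EXE."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if st.st_size != 0:
                continue
            created = creation_time(st)
            findings.append({
                "path": path,
                "created": created,
                "modified": st.st_mtime,
                "created_after_modified": created > st.st_mtime,
            })
    return findings


def summarize(findings):
    """Map file name -> whether its creation time is after its modification time."""
    return {os.path.basename(f["path"]): f["created_after_modified"] for f in findings}


def files_modified_same_day(root, reference_mtime):
    """Paths of all files under root whose last-modified date (local day)
    matches reference_mtime: the 'search for files with the same dates' step."""
    ref_day = datetime.fromtimestamp(reference_mtime).date()
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if datetime.fromtimestamp(os.stat(path).st_mtime).date() == ref_day:
                matches.append(path)
    return sorted(matches)


def disable_by_rename(path):
    """Neutralise a suspect executable by appending '#' to its extension
    (.exe -> .exe#), as suggested in the thread, and return the new path."""
    new_path = path + "#"
    os.rename(path, new_path)
    return new_path


def build_sample_tree():
    """Constructed sample directory standing in for C:\\Program Files."""
    root = tempfile.mkdtemp(prefix="program_files_")
    # The two zero-byte files named in the thread.
    for name in (".EXE", "107A.EXE"):
        open(os.path.join(root, name), "wb").close()
    # Back-date the modification time of 107A.EXE by a year so that its
    # modified time precedes its creation time, as reported in the thread.
    old = time.time() - 365 * 24 * 3600
    os.utime(os.path.join(root, "107A.EXE"), (old, old))
    # A normal, non-empty program that must not be reported (constructed).
    legit_dir = os.path.join(root, "Firefox")
    os.mkdir(legit_dir)
    with open(os.path.join(legit_dir, "firefox.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in triage_zero_byte_executables(sample_root):
        flag = " (created after modified)" if finding["created_after_modified"] else ""
        print(finding["path"], "0 bytes" + flag)
        for other in files_modified_same_day(sample_root, finding["modified"]):
            if other != finding["path"]:
                print("  same modified date:", other)
```

Renaming keeps the file's contents and timestamps available for later analysis while preventing Windows from treating it as an executable; run the script against a copy or a test directory first, since `disable_by_rename` changes the file system.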
