Thread: Two Alleged False Positives - Yobdam.ait

  1. #1
    Junior Member
    Join Date
    Oct 2011
    Location
    Canada
    Posts
    18

    Two Alleged False Positives - Yobdam.ait

    I have been using these utilities for a while; only recently (as of Nov 30?) has Spybot (perhaps through TeaTimer) 'detected' Yobdam.ait within them.

    Curiously the window popped up titled "Spybot - Search & Destroy", claiming "...has encountered & terminated a process ... listed as part of a malicious (SW)". I was the one to have closed these programs. The windows only popped up after closing the aforementioned utilities.
    Quote (from Resident.log):
    Dec 02 2011 9:27:26 AM Encountered and terminated Yobdam.ait
    I am using WinXP-SP3, running FF8, Spybot 1.6.2.46, and both files have 'yobdam.ait' detected. I understand that these utilities were written using AutoIT from conversations with one author. In fact, it was through that conversation that Avira (potentially, technically malware itself - more later) corrected a false-positive of their own.
    Quote (AviraVirusLabResponseTeam):
    A listing of files alongside their results can be found below:
    File ID   Filename             Size (Byte)  Result
    26330615  FindHwids.v3.2p.exe  416.99 KB    FALSE POSITIVE
    26336063  fshash.dll           69.35 KB     CLEAN


    Please find a detailed report concerning each individual sample below:
    Filename             Result
    FindHwids.v3.2p.exe  FALSE POSITIVE

    The file 'FindHwids.v3.2p.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection is removed from our virus definition file (VDF) with the version: 7.11.15.210.

    Filename    Result
    fshash.dll  CLEAN

    The file 'fshash.dll' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.
    *Note: I only include the preceding quote for anecdotal reasons, as I cannot directly link to this report, as it uniquely identifies me.


    1) UniExtract available here --> http://legroom.net/software/uniextract
    2) FindHwids_v3.2p available here --> http://forum.driverpacks.net/viewtopic.php?id=3018

    Through this experience, I have lost faith in TeaTimer/Spybot's ability to stop real malware. I still love the 'immunization' function, & I remember with fondness how Spybot found all that spyware in CreativeLabs' driver CDs (et al) years ago.

    Thank you for your consideration.
    Last edited by TechDud; 2011-12-02 at 20:08.

  2. #2
    Senior Member Yodama
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Thank you for reporting this issue.
    I can confirm this false positive and it will be fixed with our next detection update scheduled for Wednesday 2011-12-07.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  3. #3
    Junior Member
    Join Date
    Oct 2011
    Location
    Canada
    Posts
    18

    Thank you kindly.

  4. #4
    In Memoriam - Always in our heart: nickW
    Join Date
    Oct 2005
    Location
    France
    Posts
    535

    Hello,

    Not fixed for UniExtract.exe
    nickW, French translator of Spybot-S&D
    ASAP & UNITE member
    Forum d'Assiste.com

  5. #5
    Junior Member
    Join Date
    Oct 2011
    Location
    Canada
    Posts
    18

    I don't understand why it isn't working for you, yet I can confirm that it's working for me.
    I regularly update & immunize; perhaps... ???

  6. #6
    In Memoriam - Always in our heart: nickW
    Join Date
    Oct 2005
    Location
    France
    Posts
    535

    Hi,

    Forced new "Manual" update with http://www.safer-networking.org/upda...d_includes.exe.

    I still have this in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Resident.log

    09/12/2011 14:41:13 Encountered and terminated Yobdam.ait in .....\Universal-Extractor-1-6-1-R4-lupopensuite\UniExtract.exe!

    Source of this UniExtract.exe: http://www.lupopensuite.com/db/universalextractor.htm

  7. #7
    Senior Member Yodama
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    @nickW
    Have you tried restarting TeaTimer or rebooting your computer?
    If not, please give it a try.

    To restart TeaTimer do the following:
    • start Spybot S&D and switch into advanced mode
    • navigate to Tools - Resident
    • uncheck the check box for Resident TeaTimer and wait a bit to make sure TeaTimer has completed its shutdown (you can check the Task Manager to make sure TeaTimer.exe is no longer running)
    • recheck the check box for Resident TeaTimer to restart the TeaTimer

  8. #8
    Junior Member
    Join Date
    Oct 2011
    Location
    Canada
    Posts
    18

    Very good find, nickW!

    It appears to have permission from the original author, Jared Breland, to redistribute.
    http://www.lupopensuite.com/db/autho...lextractor.txt

    The main exe has the same SHA1 hash: 35d0938928ed5986329c33a48cbaaf3a3c7e1d7f

  9. #9
    Junior Member
    Join Date
    Oct 2011
    Location
    Canada
    Posts
    18

    PS: this has been updated by gora
    here --> http://www.ryanvm.net/forum/viewtopic.php?t=8201
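
Added example (not part of the thread and not Spybot's own code): a small parser for the two Resident.log entry layouts quoted in posts #1 and #6, used to check whether a detection name is still firing after a definitions update. The function names are hypothetical; it assumes nickW's `09/12/2011` timestamp is day-first (9 December) and uses the 2011-12-07 update date from post #2 as the cutoff.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample: the two Resident.log entries quoted in this thread,
# with the path left elided exactly as it was posted.
SAMPLE_LOG = r"""Dec 02 2011 9:27:26 AM Encountered and terminated Yobdam.ait
09/12/2011 14:41:13 Encountered and terminated Yobdam.ait in .....\Universal-Extractor-1-6-1-R4-lupopensuite\UniExtract.exe!
"""

# "<timestamp> Encountered and terminated <name>[ in <path>!]"
EVENT = re.compile(
    r"^(?P<ts>.+?) Encountered and terminated (?P<name>\S+?)"
    r"(?: in (?P<path>.+?)!)?\s*$"
)

# Timestamp layouts seen in the thread. The second is assumed day-first;
# a month-first reading would place the entry in September instead.
TS_FORMATS = ("%b %d %Y %I:%M:%S %p", "%d/%m/%Y %H:%M:%S")


def parse_resident_log(text):
    """Return one dict per 'Encountered and terminated' entry."""
    events = []
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue
        when = None  # stays None if the timestamp layout is unknown
        for fmt in TS_FORMATS:
            try:
                when = datetime.strptime(m["ts"], fmt)
                break
            except ValueError:
                pass
        path = m["path"]
        events.append({
            "when": when,
            "detection": m["name"],
            "file": PureWindowsPath(path).name if path else None,
        })
    return events


def flagged_after(events, detection, cutoff):
    """Entries for `detection` logged at or after `cutoff`."""
    return [e for e in events
            if e["detection"] == detection and e["when"] and e["when"] >= cutoff]
```
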
