
Thread: False Positive detection: C:\Windows\System32\vbzip10.dll - Win32.VB.grl

#1 Junior Member (Join Date: May 2017; Posts: 6)

False Positive detection: C:\Windows\System32\vbzip10.dll - Win32.VB.grl

    After years of using SpyBot for monthly scans I now came across the first false positive detection.

    I went back to the definitions of around April 15th to confirm. With those no false positive was found.

So, with the current definitions (date of definitions: about May 10th - there are different dates for different types of threats, but the Trojans definitions are from May 10th: 2017-05-10 Includes\Trojans-C.sbi) there's a false positive problem:

    Win32.VB.grl: [SBI $8AADDBCA] Library (File, nothing done)
    C:\Windows\System32\vbzip10.dll
    Properties.size=147456
    Properties.md5=5B25690CC2E55A6D4BC965068A7BA1EF
    Properties.filedate=944727588
    Properties.filedatetext=1999-12-09 10:19:48


    This is on W7 64bit, using Spybot - Search & Destroy version 2.4.40.131 DLL (build: 20140425).

As can be seen from the date of the file, it has probably been on the system since the installation of W7. It has never ever been detected as a worm or trojan before by SpyBot or any other av scanner.

But the strange thing is: The only software with which I can even "see" these files (there's another one called vbuzip10.dll, which is not detected as harmful with the latest definitions) is safer-networking software, i.e. SpyBot File Scanner and FileAlyzer. These files are not "there" if I use Windows Explorer or any other file manager (e.g. muCommander, Q-Dir) - or the Windows command prompt for that matter. And yes, I know how to "show hidden files" in Windows (Explorer)!!! I see all the (previously) hidden files and folders, but not those two files... unless I use e.g. FileAlyzer. So, I can't let any other av software check those files specifically because they don't "see" them, and general checks don't find any problem.

    Btw.: If I check "submit" in the "Virus Total" tab of FileAlyzer nothing happens...

    Strangely enough I can upload them to Virus Total using a browser, i.e. the browser file selection context window can "see" those files - even with hidden files not set to be seen in Windows Explorer...

Result: 0/59 av scanners find that file to be harmful. But the analysis seems to be from May 1st, so before the date of SpyBot's last definitions update.

    https://www.virustotal.com/de/file/c...e263/analysis/


    There were compromised versions of that file around, as McAfee website states, but that was back in 2010...

    https://home.mcafee.com/virusinfo/vi...ey=322346#none

    https://www.mcafee.com/threat-intell...aspx?id=283502


    And your forum search finds that file in threads all back from around 2007 and 2008...


So, to me it seems that this is a definite false positive detection by SpyBot with its latest definitions update from about May 10th.
The scan was done on May 13th, and the "check" scan with the mid-April definitions and again with the May 10th definitions on May 14th. Today, there are no new definitions to be found by SpyBot Update.

    That's why I registered and wrote this post.

    Thanks for looking into this problem.

    Mike
    Last edited by sb user; 2017-05-16 at 09:07.

#2 Member of Team Spybot (m/f) (Join Date: Feb 2006; Posts: 274)

    Thank you for this hint. We are currently looking into that again.
    (m/f)

#3 Junior Member (Join Date: May 2017; Posts: 6)

    Thanks.

    I just checked: The "April check" was done with 2017-04-12 Includes\Trojans-C.sbi etc.

#4 Member of Team Spybot (m/f) (Join Date: Feb 2006; Posts: 274)

    This issue has been identified as FP now. Should have been marked as FP in our system. There are also infected versions of this file though, as you mentioned. Sorry for that. Detection will be updated tomorrow. Thank you.
    (m/f)

#5 Junior Member (Join Date: May 2017; Posts: 6)

    Thanks for confirming that my system is clean and that I'm not crazy for assuming that my system is clean rather than SpyBot is suddenly detecting an infection after all those years this file has been on my system (I assume that file comes with W7 because I never heard of (and never installed) "Info-ZIP" before)... :-)

#6 Member of Team Spybot (m/f) (Join Date: Feb 2006; Posts: 274)

    We do not see this file in our clean Win7 environments, otherwise it would not have shown up. It is more likely to come with another program.
    Last edited by (m/f); 2017-05-16 at 10:54. Reason: typo
    (m/f)

#7 Junior Member (Join Date: May 2017; Posts: 6)

    Maybe some other (than ZIP-Info) program brings that "ZIP-Info" to the system...

I'll check my fairly plain W7 system with FileAlyzer (because the file doesn't show up in any file manager, even with hidden files unhidden), but it might take some time until I get to it.

#8 Junior Member (Join Date: May 2017; Posts: 6)

I can confirm that those files (vbzip10.dll, vbuzip10.dll) are not present on my fairly plain W7 system. So, maybe some packer software like WinZip, WinRAR, 7-Zip or the like uses those files as well and brings them with it.

#9 Junior Member (Join Date: May 2017; Posts: 6)

    FYI:

    From the ZIP-Info website:
    (http://www.info-zip.org/Info-ZIP2.html#Imposters)

    The following applications all use (or are based on) Info-ZIP code for compression and/or decompression:

    WinZip
    UnZIP95, Zip Navigator, etc.
    DynaZIP
    ZIPExplorer (via the DynaZIP DLLs)
    ZipIt
    SAMzip (uses the Zip and UnZip DLLs for Win32)
    Easy Zip 98 (uses the VB interface to the Zip and UnZip DLLs for Win32)
    Maquisistem LongFilenames Zip Compress OCX (versions 2.1 and later)
    Jorge Serrano Pérez's MVZipUnzip ActiveX control (VB 4/5/6 interface to unzip32.dll)
    LDZIP (archive long filenames under plain DOS)
    Unzip64 and Unzip128 for Commodore C64/C128
    UnZip-Ada
    TclPro
    Object Desktop for OS/2
    XDESK for Win32
    PBEM (Play By E-Mail) for Win32
    Netanything for Win32
    Stuart Caie's cabextract


    -> mystery solved. :-)
