Fixed: Another new HP False Positive

The_Loegrus

New member
Hi,

I caught yesterday's post on ackpbsc.dll.

Ran the updates, restored the removed files, and scanned again to make sure all was well; it didn't touch the ackpbsc.dll, but I ran into another one.

This is a new HP 8530W laptop with a camera built into the display. It is detecting the camera driver as Virtumonde.

I will email the file, here's more info on the driver.

http://translate.google.com/transla...refox-a&rls=org.mozilla:en-US:official&hs=fvn

Here's the Log:

--- Report generated: 2009-01-14 09:09 ---

Hint of the Day: Click the bar at the right of this to see more information! ()


Virtumonde: [SBI $57A3A5D0] Autorun settings (snuvcdsm) (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\snuvcdsm

Virtumonde: [SBI $57A3A5D0] Program file (File, fixed)
C:\Windows\snuvcdsm.exe

Virtumonde: [SBI $57A3A5D0] Autorun settings (snuvcdsm) (Registry value, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\snuvcdsm

Virtumonde.sdn: [SBI $80D0D279] Library (File, fixed)
C:\Windows\System32\ackpbsc.dll


--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2009-01-13 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2008-11-04 Includes\Adware.sbi (*)
2008-12-29 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2009-01-06 Includes\Dialer.sbi (*)
2009-01-06 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2009-01-05 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2008-12-22 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2009-01-06 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2009-01-06 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-12-29 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-12-10 Includes\Spyware.sbi (*)
2009-01-06 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2009-01-05 Includes\Trojans.sbi (*)
2009-01-06 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
 
No, actually I sent you the wrong logfile :-)

That was yesterday's.

So after I read your post, I ran the update again:


But I did select Beta this time - no change.

Here's the logfile from 2 mins ago:


--- Report generated: 2009-01-15 09:53 ---

Hint of the Day: Click the bar at the right of this to see more information! ()


Virtumonde: [SBI $57A3A5D0] Autorun settings (snuvcdsm) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\snuvcdsm

Virtumonde: [SBI $57A3A5D0] Program file (File, nothing done)
C:\Windows\snuvcdsm.exe

Virtumonde: [SBI $57A3A5D0] Autorun settings (snuvcdsm) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\snuvcdsm

Log: Install: Directx.log (Backup file, nothing done)
C:\Windows\Directx.log

Log: Install: DtcInstall.log (Backup file, nothing done)
C:\Windows\DtcInstall.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\Windows\System32\wbem\logs\wmiprov.log

Cookie: Cookie (14) (Cookie, nothing done)


Cache: Cache (236) (Cache, nothing done)


History: History (38) (History, nothing done)



--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2009-01-13 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2008-11-04 Includes\Adware.sbi (*)
2009-01-13 Includes\AdwareC.sbi (*)
2009-01-13 Includes\Beta.sbi (*)
2007-11-06 Includes\Beta.uti (*)
2009-01-08 Includes\Cookies.sbi (*)
2009-01-06 Includes\Dialer.sbi (*)
2009-01-13 Includes\DialerC.sbi (*)
2009-01-13 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2009-01-13 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2009-01-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2009-01-14 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2009-01-13 Includes\PUPSC.sbi (*)
2009-01-13 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-01-13 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-12-10 Includes\Spyware.sbi (*)
2009-01-13 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2009-01-05 Includes\Trojans.sbi (*)
2009-01-14 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
 
The_Loegrus:

Thank you. The new scan report you posted looks like it has up-to-date definitions. In the original scan report you posted there are thirteen files that appear to be from the 2009-01-07 updates:
  • 2008-12-29 Includes\AdwareC.sbi (*) Old file - The date should have read 2009-01-13
  • 2008-06-03 Includes\Cookies.sbi (*) Old file - The date should have read 2009-01-08
  • 2009-01-06 Includes\DialerC.sbi (*) Old file - The date should have read 2009-01-13
  • 2008-07-23 Includes\HeavyDuty.sbi (*) Old file - The date should have read 2009-01-13
  • 2009-01-05 Includes\HijackersC.sbi (*) Old file - The date should have read 2009-01-13
  • 2008-12-22 Includes\KeyloggersC.sbi (*) Old file - The date should have read 2009-01-13
  • 2009-01-06 Includes\MalwareC.sbi (*) Old file - The date should have read 2009-01-14
  • 2009-01-06 Includes\PUPSC.sbi (*) Old file - The date should have read 2009-01-13
  • 2007-11-07 Includes\Revision.sbi (*) Old file - The date should have read 2009-01-13
  • 2008-06-18 Includes\Security.sbi (*) Old file - The date should have read 2009-01-13
  • 2008-12-29 Includes\SecurityC.sbi (*) Old file - The date should have read 2009-01-13
  • 2009-01-06 Includes\SpywareC.sbi (*) Old file - The date should have read 2009-01-13
  • 2009-01-06 Includes\TrojansC.sbi (*) Old file - The date should have read 2009-01-14
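The date comparison above can be done mechanically against the footer of a Spybot report. The script below is an added example, not code from the thread or from Spybot; it assumes the "date Includes\name.sbi (*)" footer format shown in the posted reports and works on a constructed excerpt of them.

```python
import re
from datetime import date

# Constructed excerpts of the report footers posted in this thread
# (old scan vs. scan with current definitions); dates are from the thread.
OLD_REPORT = """\
2008-11-04 Includes\\Adware.sbi (*)
2008-12-29 Includes\\AdwareC.sbi (*)
2008-06-03 Includes\\Cookies.sbi (*)
2009-01-06 Includes\\MalwareC.sbi (*)
"""
NEW_REPORT = """\
2008-11-04 Includes\\Adware.sbi (*)
2009-01-13 Includes\\AdwareC.sbi (*)
2009-01-08 Includes\\Cookies.sbi (*)
2009-01-14 Includes\\MalwareC.sbi (*)
"""

# One footer line: ISO date, a space, then the Includes\... file name.
LINE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) (Includes\\\S+)")


def parse_includes(report: str) -> dict:
    """Map each Includes\\*.sbi/.uti entry in a report footer to its file date."""
    found = {}
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            y, mo, d, name = m.groups()
            found[name] = date(int(y), int(mo), int(d))
    return found


def stale_definitions(old_report: str, reference_report: str) -> list:
    """Return (name, old_date, expected_date) for every definition file whose
    date in old_report is older than in reference_report (the up-to-date scan).
    A detection from a scan with stale files should be re-run before trusting it."""
    old = parse_includes(old_report)
    ref = parse_includes(reference_report)
    return [(n, old[n].isoformat(), ref[n].isoformat())
            for n in sorted(ref) if n in old and old[n] < ref[n]]


if __name__ == "__main__":
    for name, have, want in stale_definitions(OLD_REPORT, NEW_REPORT):
        print(f"{name}: {have} - Old file, the date should have read {want}")
```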
 
I can confirm this false positive, it will be fixed with the detection update scheduled for next Wednesday.
 
so, it's really a new false positive?

Hi guys,
mmmhhh........ on the web someone writes literally that "SNUVCDSM.EXE description: The filename SNUVCDSM.EXE was last seen on 01.8.2009, and it is considered unsafe. Threat name Win32.X Filename [Win32Root]\snuvcdsm.exe Filesize Unknown Last seen 01.8.2009 Status Known to RemoveIT Pro as unsafe. This file can perform following behavior. - File is created as process on the disk. - This process can create, delete or modify files on the disk". (oral8.cn/viruscom/viruscom_47628.html)
Anyway, some days ago I downloaded from Microsoft Vista Update a new driver for the webcam of my Compaq Presario C740EL, and surely "snuvcdsm.exe" was created in the week of the driver download.
I scanned first with Norton 360 and then with Windows Defender: nothing found.
Anyway, to be sure, I removed that file with Spybot, tried to use the webcam and........ it worked fine; it seems not to have any problems as of today.
Let's wait for the new update on Wednesday and we will see......
Anyway, I also think it may be a false positive.
Thank you for your continuous work.
Live long and prosper
 