Fixed (Heuristics): Two Alleged False Positives - Yobdam.ait

[TechDud]

I have been using these utilities for a while, only recently (as of Nov 30?) has Spybot (perhaps through TeaTimer) 'detected' Yobdam.ait within them.

Curiously the window popped up titled "Spybot - Search & Destroy", claiming "...has encountered & terminated a process ... listed as part of a malicious (SW)". I was the one to have closed these programs. The windows only popped up after closing the aforementioned utilities.

Dec 02 2011 9:27:26 AM Encountered and terminated Yobdam.ait

I am using WinXP-SP3, running FF8, Spybot 1.6.2.46, and both files have 'yobdam.ait' detected. I understand that these utilities were written using AutoIT from conversations with one author. In fact, it was through that conversation that Avira (potentially, technically malware itself - more later) corrected a false-positive of their own.

A listing of files alongside their results can be found below:
File ID Filename Size (Byte) Result
26330615 FindHwids.v3.2p.exe 416.99 KB FALSE POSITIVE
26336063 fshash.dll 69.35 KB CLEAN


Please find a detailed report concerning each individual sample below:
Filename Result
FindHwids.v3.2p.exe FALSE POSITIVE

The file 'FindHwids.v3.2p.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection is removed from our virus definition file (VDF) with the version: 7.11.15.210.

Filename Result
fshash.dll CLEAN

The file 'fshash.dll' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

*Note: I only include the preceding quote for anecdotal reasons, as i cannot directly link to this report, as it uniquely identifies me.

1) UniExtract available here --> http://legroom.net/software/uniextract
2) FindHwids_v3.2p available here --> http://forum.driverpacks.net/viewtopic.php?id=3018

Through this experience, i have lost faith in TeaTimer/Spybot's ability to stop real malware. I still love the 'immunization' function, & I remember with fondness how Spybot found all that spyware in CreativeLabs' driver CD's (et al) years ago.

Thank you for your consideration.

 

[Yodama]

Thank you for reporting this issue.
I can confirm this false positive and it will be fixed with our next detection update scheduled for Wednesday 2011-12-07.

 

[TechDud]

Thank you kindly.

 

[nickW]

Hello,

Not fixed for UniExtract.exe

 

[TechDud]

I don't understand why it isn't working for you, yet i can confirm that it's working for me.
I regularly update & immunize; perhaps... ???

 

[nickW]

Hi,

Forced new "Manual" update with http://www.safer-networking.org/updates/files/spybotsd_includes.exe.

I still have this in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Resident.log

09/12/2011 14:41:13 Encountered and terminated Yobdam.ait in .....\Universal-Extractor-1-6-1-R4-lupopensuite\UniExtract.exe!

Source of this UniExtract.exe: http://www.lupopensuite.com/db/universalextractor.htm

 

[Yodama]

@nickW
have you tried restarting TeaTimer or rebooting your computer?
If not please give it a try.

To restart TeaTimer do the following:

• start Spybot S&D and switch into advanced mode
• navigate to Tools - Resident
• uncheck the check box for Resident TeaTimer and wait a bit to make sure TeaTimer has completed its shutdown (you can check the Taskmanager to make sure TeaTimer.exe does not run anymore)
• recheck the check box for Resident TeaTimer to restart the TeaTimer

 

[TechDud]

Très bonne trouvaille, nickW!

It appears to have permission from the original author, Jared Breland, to redistribute.
http://www.lupopensuite.com/db/author/universalextractor.txt

the main exe has the same SHA1 hash: 35d0938928ed5986329c33a48cbaaf3a3c7e1d7f :rockon:

 

[TechDud]

PS: this has been updated by gora
here --> http://www.ryanvm.net/forum/viewtopic.php?t=8201