LS.Andy


Posts posted by LS.Andy


  1. @ msalt0,

     

    The file contains code that is consistent with the Win32.Expiro.BK virus family. According to the log file there are several files detected with the same name - it appears that quite a few legitimate files on your machine have been infected by the virus. The detection of the file you uploaded (BTW, thank you - it made investigation much easier) is not a false positive. Hope this helps.

     

    Regards,

     

    Andy

    Lavasoft Malware Lab


  2. Am I to assume my latest comment of having AdAware v11 remove, or hide several folders and files, on my hard drive, without giving prior notice, or indicate it in the logs, will be ignored by LS Andy and all the rest of LavaSoft personnel?

     

    I think you're being somewhat harsh here. The FP was resolved.

     

    Post #10 was very ’stream of consciousness’ and was difficult to see what you wished to say. I responded to it in post #11.

     

    Post #12 contained the database I requested with post #13 being my post-investigation response. No additional files/folders were detected in my many tests, nor was there any evidence of any detection, beyond some cookies, in the SQLite database.

     

    Post #14 appeared to be 'thinking out loud' - I must have missed what you intended to communicate.

     

    I would really appreciate if you could be concise and provide details about the problem. I'm sure you understand that I need to be able to reproduce this to be able to help you. It is helpful if you format it like:

     

    Description of problem: <concise description>

     

    Steps to Reproduce

    1. Install program

    2. Update Ad-Aware

    3. Etc

     

    Any supporting info you can think of would be useful.

     

    I can assure all of you I didn't imagine it, as shown in the attached photos (in an earlier post) of one such instance, where a file, and folder doesn't show in the file explorer, but is there when opened in a different program.

     

    (this wasn't explained by Andy, just ignored too)

     

    The false positive report was solved. The detected file was identified and subsequently removed from detection. The file is no longer being detected. Nothing that I interpreted as a request or question was ignored. Again, this is a bit harsh, no?

     

    As a note to Andy... The program AdAware deleted, as well as the others.. ARE PAID FOR, and fully owned by me. Not pirated..! And they were deleted by your software after a scan..!

    No-one said the programs were pirated or not owned by you. I am not disputing the FP occurred. I was able to recreate it.

     

    That's a fact..!

     

    If you can demonstrate the additional items that were detected and removed, I will investigate. With respect, thus far, I have no facts to go on - just your feeling that Ad-Aware did something.

     

    When you say ‘they were deleted by your software’, kindly identify the files being detected and I will investigate.

     

    I'd like to know why this incident is seemingly being ignored, or brushed-OFF ???

     

    it did happen, I'm not making it up.

     

    Nothing is being ignored and no-one said you were making anything up. The FP was resolved. I double checked the files installed by the installer and found no detection - the report was considered closed.

     

    If there is something else being flagged, please provide the relevant information and I will investigate.

     

    Andy


  3. could AdAware v11 have hidden the folders from view, somehow, when doing the disinfecting after the scan?

    No, Ad-Aware does not hide anything - just deletes & quarantines.

     

    are any of the previous scan reports still on the drive, from that 1st install of AdAware v11..?

    If Ad-Aware is uninstalled I believe all program data is uninstalled with it. In any case, historical detection info is stored in an SQLite database. Can you zip, password protect and upload the Scanner.db file located in C:\ProgramData\Lavasoft\Ad-Aware 11\History?

     

    Andy


  4. So the autorun.exe (md5: 44ea31a350f662ad597c092a7bee2575) was the only one being detected as actually a False Positive?

    Correct.

     

    Because other files from that uncompressed original install .EXE file, also showed-up as being infected, and were deleted.

    Can you zip/password protect the detected files and upload here please?

     

    Did the autorun.exe file show signs of ANY type of threat?

    The file looked suspicious (was packed with Armadillo and has some anti-debug capabilities) but did not exhibit malicious behaviour.

     

    have you tried installing the software to see if other files get infected during the install process?

    Yes. The installer was not a PK file, so the next easiest way to extract the files from it was to install the application. The file in question was contained within bootdisk.iso which was unpacked and scanned. The FP was found in the contents of the unpacked bootdisk.iso file.

     

    Andy


  5. Hi,

     

    It turns out that the file being detected is actually a file contained deep inside the installer (autorun.exe, md5: 44ea31a350f662ad597c092a7bee2575), not the installer itself. The file will be removed from detection in an upcoming update.

     

    I'm also going to submit a bug report to the development team. The log file did not give any information that an 'InnerObject' was the cause of detection - it looked like the installer was being detected, which is not correct.

     

    Thanks for the report!

     

    Andy

    Lavasoft Malware Lab
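Posts 4 and 5 above describe a scanner log that named the installer as the detected object when the actual hit was a file nested two containers deep (installer, then bootdisk.iso, then autorun.exe), and a fix that excludes that one file by hash. The example below, written for this page and not Lavasoft's scanner code, shows what a correct "inner object" log line looks like and how a hash allowlist suppresses a confirmed false positive without disabling the signature. It walks nested ZIP containers only (the `bootdisk.iso` member is a ZIP standing in for the ISO, since ISO9660 parsing is outside the point), uses a constructed byte pattern as a stand-in signature, and builds its sample installer in memory. The functions `walk`, `scan`, `build_sample_installer` and `demo`, and the pattern `CONSTRUCTED-BAD-PATTERN`, are all assumptions of this example.

```python
"""Nested-container scan that reports the full inner-object path of each hit.

Added example for this page; not Lavasoft's scanner. The 'ISO' inside the
sample installer is a ZIP stand-in, and TOY_SIGNATURE is a constructed marker.
"""
import hashlib
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                      # local file header of a 'PK' file
TOY_SIGNATURE = b"CONSTRUCTED-BAD-PATTERN"      # constructed stand-in for a signature


def is_zip(data: bytes) -> bool:
    """True when the object starts with a ZIP local-file-header magic."""
    return data.startswith(ZIP_MAGIC)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def toy_detector(data: bytes) -> bool:
    """Placeholder signature match; real detection logic is not on the page."""
    return TOY_SIGNATURE in data


def walk(data, path, allowlist, detector=toy_detector, depth=0, max_depth=8):
    """Yield (inner_path, md5, verdict) for every leaf object under `data`.

    Containers are descended into and never judged themselves, so a hit on
    autorun.exe is attributed to 'installer > bootdisk.iso > autorun.exe',
    not to the installer. max_depth bounds zip-bomb style nesting.
    """
    if is_zip(data) and depth < max_depth:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                yield from walk(zf.read(info), f"{path} > {info.filename}",
                                allowlist, detector, depth + 1, max_depth)
        return
    digest = md5_hex(data)
    if digest in allowlist:            # lab-confirmed FP: suppressed by hash
        verdict = "clean:fp-allowlist"
    elif detector(data):
        verdict = "detected"
    else:
        verdict = "clean"
    yield path, digest, verdict


def scan(data, name, allowlist=frozenset()):
    """Map each inner-object path to its verdict."""
    return {path: verdict for path, _digest, verdict in walk(data, name, allowlist)}


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_installer():
    """Constructed installer: setup.dat plus a 'bootdisk.iso' holding autorun.exe."""
    autorun = b"MZ" + b"\x00" * 16 + TOY_SIGNATURE + b"\x00" * 16
    bootdisk = make_zip({"autorun.exe": autorun, "readme.txt": b"boot disk"})
    installer = make_zip({"setup.dat": b"settings", "bootdisk.iso": bootdisk})
    return installer, md5_hex(autorun)


def demo():
    """Scan before and after the lab adds the autorun.exe hash to the allowlist."""
    installer, autorun_md5 = build_sample_installer()
    before = scan(installer, "installer.exe")
    after = scan(installer, "installer.exe", allowlist={autorun_md5})
    return {"before": before, "after": after, "autorun_md5": autorun_md5}


if __name__ == "__main__":
    result = demo()
    for label in ("before", "after"):
        for path, verdict in result[label].items():
            print(f"[{label}] InnerObject={path} verdict={verdict}")
```

The verdict map keyed by the full `a > b > c` path is the piece the original log was missing: with it, the analyst sees at once that the installer itself was never flagged, and the hash allowlist lets the lab drop one confirmed false positive while leaving the signature active for every other file it matches.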


  6. Hi Kruk,

    I've been trying to recreate the problems you're seeing but without any luck so far. I haven't come across problems with Kaspersky Internet Security 2014 and Ad-Aware 11 Free in 'non-compatible mode'. It doesn't mean that there aren't problems, just that I can't reproduce yours yet. It would be helpful if you could give me some more details:

    I had KIS 2014 and then installed Ad-Aware 11 - issues with KIS.

     

    I'm assuming you installed Ad-Aware 11 Free. Is that correct?

     

    Because I haven't come across any problems, more info about these issues will be very helpful. I also want to reproduce your actions when you experienced the issues to try to get the same problems to occur on my machine.

     

    Can you describe the issues you're seeing, like error messages, crashes or anything else that will help me recognise on my systems what you're experiencing? Were you doing anything that might have generated the issue, like running a scan?

    Then I removed both and installed first KIS then Ad-Aware - still issues with KIS

     

    Same issues? Something else? Similar additional info as described above would be helpful.

    Then I installed first Ad-Aware and KIS - still issues with KIS (I tried the same order with Ad-Aware in compatible mode - still issues)

     

    Which order? Ad-Aware 11 first (which mode - express or compatible?), then KIS? What were the issues? Can you describe what was happening prior to the issue occurring?

     

    Thanks,

     

    Andy

    Lavasoft Malware Lab


  7. Hi Djay,

     

    Users have several options available - add the file to the ignore list, use an alternative compression application such as 7-zip, use an anti-malware application that does not flag the file (see here to see which vendors do not detect it) or allow Ad-Aware to detect it.

     

    This is not considered a false positive and will remain in detection.

     

    Regards,

     

    Andy

    Lavasoft Malware Lab


  8. Hi Djay,

     

    This is not a false positive - the application is adware. Click the "Learn More" link on http://softzipper.com

     

    There are a few companies that also block the link and detect this application, including Malwarebytes:

     

    https://www.virustotal.com/en/file/148d97c31ce04b37dd3e32efdacefea22c21690dafa9f4c1d5a594415e09aeca/analysis/1382092270/

     

    The application seems to be built using 7zip - I'd suggest installing 7zip instead: http://www.7-zip.org/

     

    Hope this helps!

     

    Andy

    Lavasoft Malware Labs


  9. Hi all,

     

    We're planning to stop supporting Ad-Aware 9.x in the near future, so you really should upgrade to version 11 as soon as possible, like, now.

     

    Can I ask why you are still using 9.x? It's really old and AA 11 is much better (faster, better detection rates etc etc).

     

    Thanks for any and all feedback!

     

    Andy

    Lavasoft Malware Lab