AVG false positive reported on user32.dll


http://tinyurl.com/66okyz

-
Tommy




Re: AVG false positive reported on user32.dll

tommy wrote:

Quote:

"AVG is detecting a key windows file as a false positive trojan virus.
An update for the AVG virus scanner released yesterday contained an
incorrect virus signature, which led it to think user32.dll contained
the Trojan Horses PSW.Banker4.APSA or Generic9TBN."

Unfortunately, there is no date on the article, so it's unclear what
"yesterday" refers to. I've e-mailed the webmaster and hope that in
future all articles (and follow-ups) will be dated.

--
Wolf Kirchmeir

Re: AVG false positive reported on user32.dll


I belong to the users group hal pc users. I will call tomorrow and see what
they say. I was looking for the date too.

| tommy wrote:
|
| Quote:
|
| "AVG is detecting a key windows file as a false positive trojan virus.
| An update for the AVG virus scanner released yesterday contained an
| incorrect virus signature, which led it to think user32.dll contained
| the Trojan Horses PSW.Banker4.APSA or Generic9TBN."
|
| Unfortunately, there is no date on the article, so it's unclear what
| "yesterday" refers to. I've e-mailed the webmaster and hope that in
| future all articles (and follow-ups) will be dated.
|
| --
| Wolf Kirchmeir



Re: AVG false positive reported on user32.dll



Sources at halpc said Dwight Silverman's blog mentioned this in their widely
read techblog for the Houston Chronicle.

http://blogs.chron.com/techblog/

search for "avg free"
--
Tommy





Re: AVG false positive reported on user32.dll



| http://tinyurl.com/66okyz

| -
| Tommy

I just examined the payload of a PDF exploiting the Collab.collectEmailInfo()
Javascript function in a highly obfuscated Javascript.  The payload is a file
named SVCHOST.EXE --
http://www.virustotal.com/analisis/0e2cef86cda905258d39b9482ca08f9f

The malicious file did the following...

File Renamed:
Old Filename                                   New Filename
C:\WINDOWS\system32\user32.DLL    C:\WINDOWS\system32\gucrqqx

Files Created:
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5E7EYQDH\data[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5E7EYQDH\r[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BNPHK11H\data[1].htm
C:\WINDOWS\system32\aston.mt
C:\WINDOWS\system32\clfjmnm
C:\WINDOWS\system32\dllcache\user32.dll
C:\WINDOWS\system32\fjes.ra
C:\WINDOWS\system32\fxe.sp
C:\WINDOWS\system32\nvaux32.dll
C:\WINDOWS\system32\rigv.xl
C:\WINDOWS\system32\user32.DLL

So one has to be "cautious" of calling something like this a False Positive.

In the above case, as you can see, user32.DLL is renamed and then the malware
dropped a file to replace the one in %windir%\system32\ as well as in the
%windir%\system32\dllcache\ .



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
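Dave's point above, that a rename of user32.DLL followed by a fresh copy dropped into both system32 and dllcache is the mark of a real substitution rather than a bad signature, can be turned into a triage rule over a behaviour report laid out like the one he posted. The script below is an added example written for this thread; it is not Dave's code and not from any scanner or sandbox named here. It assumes the report's plain-text layout (a "File Renamed:" section whose rows hold old and new names separated by two or more spaces, and a "Files Created:" section with one path per line). The first sample is the post's report re-typed with each path on a single line; the second, "clean" sample is constructed to show the opposite outcome.

```python
"""Triage a sandbox behaviour report for tampering with protected Windows files.

Added example for this thread (not the poster's or any vendor's code).  The
report layout is assumed: a "File Renamed:" section whose rows hold the old
and new names separated by two or more spaces, and a "Files Created:" section
with one path per line.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")
DLLCACHE = SYSTEM32 / "dllcache"   # Windows File Protection's restore cache

# Constructed sample: the report from the post above, re-typed one path per line.
INFECTED_REPORT = r"""
File Renamed:
Old Filename                                   New Filename
C:\WINDOWS\system32\user32.DLL    C:\WINDOWS\system32\gucrqqx

Files Created:
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5E7EYQDH\data[1].htm
C:\WINDOWS\system32\aston.mt
C:\WINDOWS\system32\clfjmnm
C:\WINDOWS\system32\dllcache\user32.dll
C:\WINDOWS\system32\fjes.ra
C:\WINDOWS\system32\fxe.sp
C:\WINDOWS\system32\nvaux32.dll
C:\WINDOWS\system32\rigv.xl
C:\WINDOWS\system32\user32.DLL
"""

# Constructed sample: a run where the scanner merely flagged user32.dll and
# nothing touched the file.  No rename, no write into system32 or dllcache.
CLEAN_REPORT = r"""
Files Created:
C:\Documents and Settings\user\Local Settings\Temp\scan_session.log
"""


def parse_report(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return ([(old, new), ...], [created_path, ...]) from the plain-text report."""
    renames: List[Tuple[str, str]] = []
    created: List[str] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):              # section header, e.g. "Files Created:"
            section = line[:-1].lower()
            continue
        if section == "file renamed":
            if line.lower().startswith("old filename"):
                continue                    # column header row
            old, new = re.split(r"\s{2,}", line, maxsplit=1)
            renames.append((old, new))
        elif section == "files created":
            created.append(line)
    return renames, created


def _in_dir(path: str, directory: PureWindowsPath) -> bool:
    """Case-insensitive test that `path` sits directly inside `directory`."""
    parent = PureWindowsPath(path).parent
    return [p.lower() for p in parent.parts] == [p.lower() for p in directory.parts]


@dataclass
class Finding:
    name: str
    renamed_to: Optional[str] = None   # where the original file was moved
    recreated: bool = False            # a new file of the same name written to system32
    dllcache_seeded: bool = False      # a copy also planted in dllcache, so WFP restores the fake

    @property
    def verdict(self) -> str:
        if self.renamed_to and self.recreated:
            return "replaced"          # a real substitution, not a signature false positive
        if self.renamed_to or self.recreated or self.dllcache_seeded:
            return "suspicious"
        return "clean"


def triage(text: str, watched=("user32.dll",)) -> Dict[str, Finding]:
    """Correlate rename and create events for each watched system file."""
    renames, created = parse_report(text)
    findings = {n.lower(): Finding(n.lower()) for n in watched}
    for old, new in renames:
        key = PureWindowsPath(old).name.lower()
        if key in findings and _in_dir(old, SYSTEM32):
            findings[key].renamed_to = new
    for path in created:
        key = PureWindowsPath(path).name.lower()
        if key not in findings:
            continue
        if _in_dir(path, SYSTEM32):
            findings[key].recreated = True
        elif _in_dir(path, DLLCACHE):
            findings[key].dllcache_seeded = True
    return findings


if __name__ == "__main__":
    for label, report in (("post's report", INFECTED_REPORT), ("clean run", CLEAN_REPORT)):
        f = triage(report)["user32.dll"]
        print(f"{label}: {f.verdict} (renamed_to={f.renamed_to}, "
              f"recreated={f.recreated}, dllcache_seeded={f.dllcache_seeded})")
```

The verdict is driven by correlation, not by the scanner's label: a detection on user32.dll with no rename and no write into system32 supports the false-positive reading, while a rename plus a recreated file (and a seeded dllcache copy, which is what defeats Windows File Protection's restore) means the file really has been swapped and the machine should be treated as compromised whatever the signature name says.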



Re: AVG false positive reported on user32.dll



I see your point. That's really scary. So many sites require Javascript too.
Did you see the sources for those reports about AVG?

here's Dwight's first blog post on the subj 11-11-08
http://tinyurl.com/6o6akp

here's his source [s]:
http://tinyurl.com/5sug22

http://www.pcworld.com/article/154378/

he made another post about AVG false pos on 11 23 08
http://blogs.chron.com/techblog/archives/2008/11/

seems as though they admit it, and are offering free updates to the pro
version for a year for those that suffered any damage.

Adobe flash has also been labeled

Slick fellow that Dwight, he spoke to our user group and sold / signed
copies of his book about Vista.

I have switched to AVAST after reinstalling due to a bad drive because I
tried to install AVG 8 Free and it wouldn't install to anything but the C:
drive. Avast is slicker than I first perceived, but I wish I could schedule
scans with it, and stamp email with certification stamps.
--
Tommy





Re: AVG false positive reported on user32.dll

tommy wrote:


Please don't do that.  It's only advertising. There is no way any a-v
product can truthfully state that your mail is virus-free. Think about
it.

--
   -bts
   -Friends don't let friends drive Windows

Re: AVG false positive reported on user32.dll



It's reassuring to pc novices, and verifies that I do "have" an anti-virus
program running on my pc.
--
Tommy





Re: AVG false positive reported on user32.dll

tommy wrote:


It is probably more annoying than reassuring to even novices. I doubt
they care if you have an a-v app running, especially those who don't
know what one is. Further, for those who forward email all over the
place, that 'certification' will be included - meaning nothing to the
next level except to confuse.

And as I said, there isn't a single a-v app that can fully guarantee
that what you sent is virus-free. Remember, zero-day viruses won't be
detected, along with the latest morphs of older viruses. It truly is
only an advertisement.

You may certainly continue to scan your outgoing mail (though that isn't
even necessary as all modern viruses use their own SMTP engines quietly
sending while you aren't looking), but there is no need to bother
everyone else. I have one friend who can't be talked out of removing the
ad, and all he does is embarrass himself by showing that he scanned with
an a-v database that is always three to four weeks or more out of date,
and therefore useless.

Be kind to your correspondents and turn it off.

--
   -bts
   -Friends don't let friends drive Windows

Re: AVG false positive reported on user32.dll


| tommy wrote:




| It is probably more annoying than reassuring to even novices. I doubt
| they care if you have an a-v app running, especially those who don't
| know what one is. Further, for those who forward email all over the
| place, that 'certification' will be included - meaning nothing to the
| next level except to confuse.

| And as I said, there isn't a single a-v app that can fully guarantee
| that what you sent is virus-free. Remember, zero-day viruses won't be
| detected, along with the latest morphs of older viruses. It truly is
| only an advertisement.

| You may certainly continue to scan your outgoing mail (though that isn't
| even necessary as all modern viruses use their own SMTP engines quietly
| sending while you aren't looking), but there is no need to bother
| everyone else. I have one friend who can't be talked out of removing the
| ad, and all he does is embarrass himself by showing that he scanned with
| an a-v database that is always three to four weeks or more out of date,
| and therefore useless.

| Be kind to your correspondents and turn it off.

| --
|    -bts
|    -Friends don't let friends drive Windows

I agree with what BTS posted here.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: AVG false positive reported on user32.dll



I don't have it turned on. I don't know if AVAST has that feature even. I
like feedback, at least until I can verify that something new to me is
working.



Re: AVG false positive reported on user32.dll

wrote:
==========
That can work 2 ways.   I've had malware attachments even though the e-mails
had 'certified virus free by *insert AV name*'.  Of course the e-mail was
never scanned by any vendor, the text was added in to give the impression
the attachment was scanned.


Re: AVG false positive reported on user32.dll



| wrote:
| ==========
| That can work 2 ways.   I've had malware attachments even though the e-mails
| had 'certified virus free by *insert AV name*'.  Of course the e-mail was
| never scanned by any vendor, the text was added in to give the impression
| the attachment was scanned.

Perfection is hard to attain. I settle in such cases for 99% where it's not.
I can't tag messages because gmail uses ssl, but since I use gmail now, the
incoming mail is scanned by them. Moot point.



