Swreg false positive?

Stopzilla keeps telling me that Swreg is evil. Is it?

TIA.

wolf k.

Re: Swreg false positive?


| Stopzilla keeps telling me that Swreg is evil. Is it?

| TIA.

| wolf k.

Depends.  You didn't provide enough information.

Please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it.  In addition Virus
Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Swreg false positive?

On 02/16/2009 03:54 PM, Wolf K sent:

Hello

There's about a dozen different swreg.exe files around.  All have
different file sizes and checksums.

Please submit yours to:

                  <http://www.virustotal.com/>

Cut and paste the VirusTotal report into a reply to this thread.

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: Swreg false positive? -- VirusTotal report

1PW wrote:

Thanks, Dave and Pete. Here's the report. Only eSafe reports it as
suspicious; Stopzilla is not listed. (SZ found the policy change in the
registry that prevented re-installing anti-malware, which is why I
decided to keep it.)

wolf k.
................................

File swreg.exe received on 02.03.2009 20:35:19 (CET)
Current status: finished
Result: 1/39 (2.56%)
Antivirus     Version     Last Update     Result
a-squared     4.0.0.93     2009.02.03     -
AhnLab-V3     5.0.0.2     2009.02.03     -
AntiVir     7.9.0.71     2009.02.03     -
Authentium     5.1.0.4     2009.02.03     -
Avast         4.8.1281.0     2009.02.03     -
AVG         8.0.0.229     2009.02.03     -
BitDefender     7.2         2009.02.03     -
CAT-QuickHeal     10.00         2009.02.03     -
ClamAV         0.94.1         2009.02.03     -
Comodo         961         2009.02.03     -
DrWeb         4.44.0.09170     2009.02.03     -
eSafe         7.0.17.0     2009.02.01     Suspicious File
eTrust-Vet     31.6.6339     2009.02.03     -
F-Prot         4.4.4.56     2009.02.03     -
F-Secure     8.0.14470.0     2009.02.03     -
Fortinet     3.117.0.0     2009.02.03     -
GData         19         2009.02.03     -
Ikarus         T3.1.1.45.0     2009.02.03     -
K7AntiVirus     7.10.617     2009.02.03     -
Kaspersky     7.0.0.125     2009.02.03     -
McAfee         5514         2009.02.02     -
McAfee+Artemis     5514         2009.02.02     -
Microsoft     1.4306         2009.02.03     -
NOD32         3822         2009.02.03     -
Norman         6.00.02     2009.02.03     -
nProtect     2009.1.8.0     2009.02.03     -
Panda         9.5.1.2     2009.02.03     -
PCTools     4.4.2.0     2009.02.03     -
Prevx1         V2         2009.02.03     -
Rising         21.15.10.00     2009.02.03     -
SecureWeb-Gateway     6.7.6     2009.02.03     -
Sophos         4.38.0         2009.02.03     -
Sunbelt     3.2.1835.2     2009.01.16     -
Symantec     10         2009.02.03     -
TheHacker     6.3.1.5.245     2009.02.03     -
TrendMicro     8.700.0.1004     2009.02.03     -
VBA32         3.12.8.12     2009.02.03     -
ViRobot     2009.2.3.1587     2009.02.03     -
VirusBuster     4.5.11.0     2009.02.03     -
Additional information
File size: 135168 bytes
MD5...: e417d888fdde9a2290c369c82a7aec3e
SHA1..: 54a6acf7ed038afc6a632ccd568c17fc31eac00e
SHA256: 668232d0976e87f30bcfe1a52b17c96702eef3028fe05ef6263596ff9c80279b
SHA512: 6b5c490537adc038ff0e1fc60ef566e93a1b3aebc39b60bef1a9f01ff4fd3e9e842f84310ae67c3556ab1fb12d8e80324c723b6b37ee45926937694b3f349ef1
ssdeep: 3072:TjKmNZpxXhiBXnwOvx3E3xMTjxSOLX2y1UnrXNFIRW8I3LfSJDUmWN:ymN/zsBOPODI7cI3rSJDUmW
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (38.5%)
Win32 EXE Yoda's Crypter (33.4%)
Win32 Executable Generic (10.7%)
Win32 Dynamic Link Library (generic) (9.5%)
Win16/32 Executable Delphi generic (2.6%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x70ce0
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x50000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x51000 0x20000 0x20000 7.89 d72c8bdacf340e7eddff5dcc9816577e
.rsrc 0x71000 0x1000 0xc00 3.23 06c18c191a679ec075bfbb493e76149c

( 6 imports )
 > KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
 > advapi32.dll: GetAce
 > ole32.dll: CoInitialize
 > oleaut32.dll: VariantCopy
 > user32.dll: CharNextA
 > version.dll: VerQueryValueA

( 0 exports )
packers (Kaspersky): UPX
...........................................
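Two things this thread turns on can be checked locally, and the following is an added example (not code from the thread, from STOPzilla or from VirusTotal) that does both: it hashes a candidate file so it can be matched against the MD5/SHA values in a report like the one above (Pete's point that a dozen different swreg.exe files exist), and it walks the PE section table to compute the per-section entropy the "PEInfo" block shows, where an empty UPX0 beside a 7.89-entropy UPX1 is the signature of a UPX-packed image. The `build_sample_pe` stub is a constructed, hypothetical two-section PE for the demo, not a real swreg.exe; pass real file bytes to `pe_sections` to inspect an actual sample.

```python
import hashlib
import math
import struct

def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the bytes, the fields a VirusTotal report lists."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 when all 256 values are equally common."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(data: bytes) -> list:
    """Walk the section table: (name, vaddr, vsize, rawsize, entropy, md5) per section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)   # COFF header fields
    table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    out = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsize]   # rawsize 0 -> empty slice, MD5 d41d8cd9... as for UPX0
        out.append((name.rstrip(b"\0").decode(), vaddr, vsize, rawsize,
                    round(shannon_entropy(raw), 2), hashlib.md5(raw).hexdigest()))
    return out

def looks_packed(sections) -> bool:
    """UPX-style layout from the report: empty section for the unpacked image beside a ~8.0-entropy one."""
    empty = any(s[3] == 0 and s[2] > 0 for s in sections)
    dense = any(s[4] >= 7.0 for s in sections)
    return empty and dense

def build_sample_pe() -> bytes:
    """Constructed two-section PE for the demo; hypothetical, not a real swreg.exe."""
    e_lfanew, table = 0x40, 0x40 + 24         # SizeOfOptionalHeader = 0 for this stub
    rawptr = table + 2 * 40
    payload = bytes(range(256)) * 4           # every byte value equally often -> 8.0 bits
    hdr = bytearray(rawptr)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x14C, 2)           # I386, two sections
    struct.pack_into("<8sIIII", hdr, table, b"UPX0", 0x50000, 0x1000, 0, 0)
    struct.pack_into("<8sIIII", hdr, table + 40, b"UPX1", 0x20000, 0x51000, len(payload), rawptr)
    return bytes(hdr) + payload
```

A packed binary is not evidence of malice by itself (plenty of legitimate installers ship UPX-compressed), but it explains why a heuristic scanner such as eSafe flags a file the signature engines leave alone.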

Re: Swreg false positive? -- VirusTotal report

On 02/17/2009 06:39 AM, Wolf K sent:

I believe you may be able to draw your own conclusion regarding your
swreg.exe file and perhaps your choice of STOPzilla as antispyware
scanner.  Do you now believe this was a false positive?

Although STOPzilla may be constantly improving, I have yet to see your
scanner recommended in these newsgroups the way others are.  What other
choices have you made regarding antimalware protection?

At the very minimum, you now know how to check such findings in the future.

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: Swreg false positive? -- VirusTotal report

1PW wrote:
[...]

Thank you, I did. Now to find the reg key that starts SZ _before_ "your
personal settings" are loaded. Bah!

SZ is good for only one thing: highlighting possible evil changes to the
registry. Is there another tool that will do this? Preferably
stand-alone, so it can be run from a CD.

TIA

Re: Swreg false positive? -- VirusTotal report

On 02/19/2009 04:45 PM, Wolf K sent:

Although it can be made to run from a CD, you may wish to consider
STOPzilla's retirement in favor of a somewhat more trusted application
such as SAS, SUPERAntiSpyware:

               <http://www.superantispyware.com/>

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: Swreg false positive? -- VirusTotal report


| 1PW wrote:
| Thanks, Dave and Pete. Here's the report. Only eSafe reports it as
| suspicious; Stopzilla is not listed. (SZ found the policy change in the
| registry that prevented re-installing anti-malware, which is why I
| decided to keep it.)


http://www.prevx.com/filenames/492020686164536244-0/SWREG.EXE.html

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


