WUGNET, the Windows User Group Network
AVG false positive reported on user32.dll

 
tommy
Since: Nov 19, 2008
Posts: 20

(Msg. 1) Posted: Wed Nov 19, 2008 12:01 am
Post subject: AVG false positive reported on user32.dll
Archived from groups: alt.comp.anti-virus

http://tinyurl.com/66okyz

-
Tommy
Wolf Kirchmeir
Since: Apr 24, 2008
Posts: 59

(Msg. 2) Posted: Wed Nov 19, 2008 5:51 pm
Post subject: Re: AVG false positive reported on user32.dll
Archived from groups: per prev. post

tommy wrote:
> http://tinyurl.com/66okyz
>
> -
> Tommy
>
>
>

Quote:

"AVG is detecting a key windows file as a false positive trojan virus.
An update for the AVG virus scanner released yesterday contained an
incorrect virus signature, which led it to think user32.dll contained
the Trojan Horses PSW.Banker4.APSA or Generic9TBN."

Unfortunately, there is no date on the article, so it's unclear what
"yesterday" refers to. I've e-mailed the webmaster and hope that in
future all articles (and follow-ups) will be dated.

--
Wolf Kirchmeir
tommy
Since: Nov 19, 2008
Posts: 20

(Msg. 3) Posted: Wed Nov 19, 2008 5:51 pm
Post subject: Re: AVG false positive reported on user32.dll
Archived from groups: per prev. post

I belong to the HAL-PC users group. I will call tomorrow and see what
they say. I was looking for the date too.

"Wolf Kirchmeir" <wolfkir.DeleteThis@sympatico.ca> wrote in message
news:49245ed7$0$5526$9a6e19ea@news.newshosting.com...
> tommy wrote:
> > http://tinyurl.com/66okyz
> >
> > -
> > Tommy
> >
> >
> >
>
> Quote:
>
> "AVG is detecting a key windows file as a false positive trojan virus.
> An update for the AVG virus scanner released yesterday contained an
> incorrect virus signature, which led it to think user32.dll contained
> the Trojan Horses PSW.Banker4.APSA or Generic9TBN."
>
> Unfortunately, there is no date on the article, so it's unclear what
> "yesterday" refers to. I've e-mailed the webmaster and hope that in
> future all articles (and follow-ups) will be dated.
>
> --
> Wolf Kirchmeir
tommy
Since: Nov 19, 2008
Posts: 20

(Msg. 4) Posted: Thu Nov 20, 2008 10:24 am
Post subject: Re: AVG false positive reported on user32.dll
Archived from groups: per prev. post

"Wolf Kirchmeir" <wolfkir DeleteThis @sympatico.ca> wrote in message
news:49245ed7$0$5526$9a6e19ea@news.newshosting.com...
> tommy wrote:
> > http://tinyurl.com/66okyz
> >
> > -
> > Tommy
> >
> >
> >
>
> Quote:
>
> "AVG is detecting a key windows file as a false positive trojan virus.
> An update for the AVG virus scanner released yesterday contained an
> incorrect virus signature, which led it to think user32.dll contained
> the Trojan Horses PSW.Banker4.APSA or Generic9TBN."
>
> Unfortunately, there is no date on the article, so it's unclear what
> "yesterday" refers to. I've e-mailed the webmaster and hope that in
> future all articles (and follow-ups) will be dated.
>
> --
> Wolf Kirchmeir

Sources at HAL-PC said Dwight Silverman mentioned this in his widely
read TechBlog for the Houston Chronicle.

http://blogs.chron.com/techblog/

search for "avg free"
--
Tommy
David H. Lipman
Since: Jul 04, 2003
Posts: 3474

(Msg. 5) Posted: Sun Nov 23, 2008 7:07 pm
Post subject: Re: AVG false positive reported on user32.dll
Archived from groups: per prev. post

From: "tommy" <tommylee9_2000.RemoveThis@removeyahoo.dropcom>


| http://tinyurl.com/66okyz

| -
| Tommy

I just examined the payload of a PDF exploiting the Collab.collectEmailInfo() Javascript
function in a highly obfuscated Javascript. The payload is a file named SVCHOST.EXE -- http://www.virustotal.com/analisis/0e2cef86cda905258d39b9482ca08f9f

The malicious file did the following...

File Renamed:
Old Filename New Filename
C:\WINDOWS\system32\user32.DLL C:\WINDOWS\system32\gucrqqx

Files Created:
C:\Documents and Settings\user\Local Settings\Temporary Internet
Files\Content.IE5\5E7EYQDH\data[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet
Files\Content.IE5\5E7EYQDH\r[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet
Files\Content.IE5\BNPHK11H\data[1].htm
C:\WINDOWS\system32\aston.mt
C:\WINDOWS\system32\clfjmnm
C:\WINDOWS\system32\dllcache\user32.dll
C:\WINDOWS\system32\fjes.ra
C:\WINDOWS\system32\fxe.sp
C:\WINDOWS\system32\nvaux32.dll
C:\WINDOWS\system32\rigv.xl
C:\WINDOWS\system32\user32.DLL

So one has to be "cautious" of calling something like this a False Positive.

In the above case, as you can see, user32.DLL is renamed and then the malware dropped a
file to replace the one in %windir%\system32\ as well as in
%windir%\system32\dllcache\.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
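The distinction David draws above, between a bad signature firing on a genuine user32.dll and a dropper that renames the real DLL and plants its own copy in both system32 and dllcache, can be checked mechanically from a sandbox file-activity report. The following is an added example, not code from any poster in this thread: it parses a report in the two-section layout assumed from David's listing (a "File Renamed:" table of old/new pairs and a "Files Created:" list, with long paths wrapped onto a second line), re-joins the wrapped paths, and flags the replacement indicators. SAMPLE_REPORT is constructed from his listing; the PROTECTED_DLLS set and the extension list are assumptions of this example.

```python
# Added example (not a poster's code): triage a sandbox-style file-activity report, in the
# layout assumed from David Lipman's listing, to tell a bad user32.dll signature from a real replacement.
import re
from collections import namedtuple

# Core Windows DLLs that no legitimate installer renames or re-creates (assumed list).
PROTECTED_DLLS = {"user32.dll", "kernel32.dll", "ntdll.dll", "gdi32.dll", "advapi32.dll"}
SYSTEM32 = r"c:\windows\system32"
DLLCACHE = SYSTEM32 + r"\dllcache"  # Windows File Protection restores from here
# Extensions that routinely appear in system32; anything else written there is odd (assumed list).
COMMON_SYSTEM32_EXT = {".dll", ".exe", ".sys", ".ocx", ".drv", ".cpl", ".mui", ".ax"}
DRIVE = re.compile(r"^[A-Za-z]:\\")
Finding = namedtuple("Finding", "severity reason path")  # severity: high / medium / low


def parse_report(text):
    """Return (renames, created). 'old new' rename pairs share one line; a line
    not starting with a drive letter is the wrapped tail of the previous path."""
    renames, created, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if low.startswith("file renamed"):
            section = "renamed"
        elif low.startswith("files created"):
            section = "created"
        elif section is None or low.startswith("old filename"):
            pass  # text before the first section, or the column header
        elif section == "renamed":
            m = re.match(r"^(.+?)\s+([A-Za-z]:\\.*)$", line)
            if m:
                renames.append((m.group(1), m.group(2)))
            elif renames:  # wrapped tail of the new-name half of the last pair
                renames[-1] = (renames[-1][0], renames[-1][1] + " " + line)
        elif DRIVE.match(line):
            created.append(line)
        elif created:
            created[-1] += " " + line
    return renames, created


def _split(path):  # lower-cased (directory, basename, extension) of a Windows path
    directory, _, name = path.lower().rpartition("\\")
    return directory, name, (name[name.rfind("."):] if "." in name else "")


def triage(text):
    """Apply the replacement indicators to a report and return the findings."""
    renames, created = parse_report(text)
    findings = []
    for old, new in renames:
        directory, name, _ = _split(old)
        if directory == SYSTEM32 and name in PROTECTED_DLLS:
            findings.append(Finding("high", "protected DLL renamed out of the way", f"{old} -> {new}"))
    for path in created:
        directory, name, ext = _split(path)
        if directory == SYSTEM32 and name in PROTECTED_DLLS:
            findings.append(Finding("high", "protected DLL re-created in system32", path))
        elif directory == DLLCACHE and name in PROTECTED_DLLS:
            findings.append(Finding("high", "protected DLL re-created in dllcache, so WFP restores the dropped copy", path))
        elif directory == SYSTEM32 and ext not in COMMON_SYSTEM32_EXT:
            findings.append(Finding("medium", "unusual or missing extension for a system32 file", path))
        elif directory == SYSTEM32:
            findings.append(Finding("low", "new binary written to system32", path))
    return findings  # browser-cache and other profile writes are not evidence of replacement


def verdict(findings):
    """One-line conclusion for the analyst."""
    if any(f.severity == "high" for f in findings):
        return "system DLL replaced: treat the user32.dll detection as a true positive"
    if findings:
        return "suspicious writes to system32: compare the DLL with a known-good copy first"
    return "no file replacement evidence: a bad signature (false positive) is plausible"


# Constructed test input: the listing from David Lipman's post, wrapped lines included.
SAMPLE_REPORT = r"""
File Renamed:
Old Filename New Filename
C:\WINDOWS\system32\user32.DLL C:\WINDOWS\system32\gucrqqx

Files Created:
C:\Documents and Settings\user\Local Settings\Temporary Internet
Files\Content.IE5\5E7EYQDH\data[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet
Files\Content.IE5\5E7EYQDH\r[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet
Files\Content.IE5\BNPHK11H\data[1].htm
C:\WINDOWS\system32\aston.mt
C:\WINDOWS\system32\clfjmnm
C:\WINDOWS\system32\dllcache\user32.dll
C:\WINDOWS\system32\fjes.ra
C:\WINDOWS\system32\fxe.sp
C:\WINDOWS\system32\nvaux32.dll
C:\WINDOWS\system32\rigv.xl
C:\WINDOWS\system32\user32.DLL
"""

if __name__ == "__main__":
    print(*triage(SAMPLE_REPORT), verdict(triage(SAMPLE_REPORT)), sep="\n")
```

Run stand-alone, it prints the findings for the sample and the verdict. Any "high" finding (a protected DLL renamed out of system32, or re-created in system32 or dllcache) means the detection on user32.dll is not a false positive, and the dllcache copy cannot be trusted for repair since Windows File Protection would restore the dropped file. With no such evidence, comparing the file against a known-good copy is the next step before dismissing the alert.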
tommy
Since: Nov 19, 2008
Posts: 20

(Msg. 6) Posted: Sun Nov 23, 2008 10:11 pm
Post subject: Re: AVG false positive reported on user32.dll
Archived from groups: per prev. post

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:9OedndWRzuK3bbTUnZ2dnUVZ_q7inZ2d@giganews.com...
> From: "tommy" <tommylee9_2000.RemoveThis@removeyahoo.dropcom>
>
>
> | http://tinyurl.com/66okyz
>
> | -
> | Tommy
>
> I just examined the payload of a PDF exploiting the Collab.collectEmailInfo() Javascript
> function in a highly obfuscated Javascript. The payload is a file named SVCHOST.EXE --
> http://www.virustotal.com/analisis/0e2cef86cda905258d39b9482ca08f9f
>
> The malicious file did the following...
>
> File Renamed:
> Old Filename New Filename
> C:\WINDOWS\system32\user32.DLL C:\WINDOWS\system32\gucrqqx
>
> Files Created:
> C:\Documents and Settings\user\Local Settings\Temporary Internet
> Files\Content.IE5\5E7EYQDH\data[1].htm
> C:\Documents and Settings\user\Local Settings\Temporary Internet
> Files\Content.IE5\5E7EYQDH\r[1].htm
> C:\Documents and Settings\user\Local Settings\Temporary Internet
> Files\Content.IE5\BNPHK11H\data[1].htm
> C:\WINDOWS\system32\aston.mt
> C:\WINDOWS\system32\clfjmnm
> C:\WINDOWS\system32\dllcache\user32.dll
> C:\WINDOWS\system32\fjes.ra
> C:\WINDOWS\system32\fxe.sp
> C:\WINDOWS\system32\nvaux32.dll
> C:\WINDOWS\system32\rigv.xl
> C:\WINDOWS\system32\user32.DLL
>
> So one has to be "cautious" of calling something like this a False Positive.
>
> In the above case, as you can see, user32.DLL is renamed and then the malware dropped a
> file to replace the one in %windir%\system32\ as well as in the
> %windir%\system32\dllcache\ .
>
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
I see your point. That's really scary. So many sites require Javascript too.
Did you see the sources for those reports about AVG?

Here's Dwight's first blog post on the subject, 11-11-08:
http://tinyurl.com/6o6akp

Here's his source(s):
http://tinyurl.com/5sug22

http://www.pcworld.com/article/154378/

He made another post about the AVG false positive on 11-23-08:
http://blogs.chron.com/techblog/archives/2008/11/

Seems as though they admit it, and are offering free updates to the pro
version for a year for those that suffered any damage.

Adobe Flash has also been labeled.

Slick fellow, that Dwight; he spoke to our user group and sold / signed
copies of his book about Vista.

I have switched to AVAST after reinstalling due to a bad drive, because I
tried to install AVG 8 Free and it wouldn't install to anything but the C:
drive. Avast is slicker than I first perceived, but I wish I could schedule
scans with it, and stamp email with certification stamps.
--
Tommy
Beauregard T. Shagnasty
Since: Aug 01, 2004
Posts: 648

(Msg. 7) Posted: Sun Nov 23, 2008 11:30 pm
Post subject: Re: AVG false positive reported on user32.dll
Archived from groups: per prev. post

tommy wrote:

> and stamp email with certification stamps .

Please don't do that. It's only advertising. There is no way any a-v
product can truthfully state that your mail is virus-free. Think about
it.

--
-bts
-Friends don't let friends drive Windows
tommy
Since: Nov 19, 2008
Posts: 20

(Msg. 8) Posted: Mon Nov 24, 2008 7:02 am
Post subject: Re: AVG false positive reported on user32.dll
Archived from groups: per prev. post

"Beauregard T. Shagnasty" <a.nony.mous.DeleteThis@example.invalid> wrote in message
news:ggdal7$8nv$1@news.motzarella.org...
> tommy wrote:
>
> > and stamp email with certification stamps .
>
> Please don't do that. It's only advertising. There is no way any a-v
> product can truthfully state that your mail is virus-free. Think about
> it.
>
> --
> -bts
> -Friends don't let friends drive Windows

It's reassuring to PC novices, and verifies that I do "have" an anti-virus
program running on my PC.
--
Tommy
All times are Eastern Time (US & Canada)
Page 1 of 2

 