2 curious scan results - false positives?

This is my first post. I’m not sure these are false positives, but I didn’t see anywhere else I should be posting them. Let me know if I should post somewhere else…

I just installed CIS and ran my first scan. It thankfully detected nothing on my C: system drive (running Windows 7 64-bit), but came up with several items on other partitions, which are mostly archives of files I’ve downloaded over the past couple of years. Two items were striking to me:

  1. This is really a category of items - three lines in the report:

UnclassifiedMalware@122687352 …\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\76b61fd6-59c38e5e|vmain.class
UnclassifiedMalware@122756636 …\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\774dcea0-73062db4|vmain.class
TrojWare.JS.TrojanDownloader.Agent.~fng@141221096 …\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\74d2e8f2-3cb0961a

These are all in backups of old user accounts - the first two are recent Windows 7 backups, and the third is from a Vista system. Are these pieces of malware I picked up by visiting some nasty website? The first one clearly has a rap-sheet at virustotal:

http://www.virustotal.com/file-scan/report.html?id=6f73f2ecd90555dce0898ee3206b26a850edc60d9ac352f3763fe7c1d0c5cd63-1291489370

  2. A downloaded executable named SpinRite6.exe (disk recovery software from GRC.COM) is getting flagged as “Packed.Win32.MUPX.Gen@129019204”. The odd thing about this is that I can’t get access to the file - even read access to submit it to virustotal.com or comodo. I am running as administrator, and I can’t copy the file or take ownership of it. If I try to delete or rename or copy the file I get: “You require permission from the computer’s admin…” and if I try to take ownership I get “Unable to set new owner … Access is denied”.

Thanks in advance for any advice/guidance you can provide … I’m just starting out with CIS, so if there’s something I should be doing differently or a newbie FAQ/tutorial I should be looking at, let me know.

Really liking CIS so far, by the way - was using ESET for the past couple of years and was getting frustrated with it. First impressions of CIS very positive.

Hey and Welcome!

I have looked at it. VT is a good way to check whether a file is malware or not. I recommend you download Malwarebytes, update it and make a full system scan. Try Hitman Pro as well.

I will copy this in “malware research” and I will come back to you.

Regards,
Valentin

I recommend clearing out your Java cache. To do that, go to Control Panel and click Java from there. In the General tab, at the bottom you will see Temporary Internet Files; select Settings, then select Delete Files. Hit OK in the new window, making sure both options are ticked. Select OK again and OK one last time. Now try to do a scan again.

Thanks Valentin!

I don’t see a “Malware Research” here, but maybe it’s buried? Let me know if I should have posted this somewhere else.

Thanks languy!

Just to be clear - these files are in another partition from my system, so I don’t think they’re posing any threat to me now. I can easily just delete the files, but I’m curious to know what they were and how I got them, and whether they might have been nasty enough to do any real harm. I guess it’s possible that I will boot to that older partition again in the process of migrating to Windows 7, so I should be sure to let Comodo clean the files before I do that. I just wanted to do some research on them first.

Thanks for the quick replies…

Hi Guys,

Hi huge1,

You are getting those any time you use Java. Most likely they are not harmful at all.
Sure, you have the right to be cautious, but we should not be paranoid :slight_smile:
Java cache files are flagged by many security products, and in many if not most cases those are FPs.

As languy99 suggested - just clean them.

In any case – the good practice is to clean temporary file locations / cache / cookies / etc … prior to any scan of substantial size.
Using CCleaner is quite sufficient (I’m not talking about its Registry cleaning part in this context).

I think you should not worry a lot in this case, but sure, you can check with Comodo developers by sending the items, if you prefer.

As for the locked SpinRite6.exe, that is most likely an FP as well, but
what you can try – ignore the flagging and submit the file
or
if that did not help, then temporarily disable real-time protection and send the file.

Hi Valentin,
A good way, but never a 100% reliable way despite “Total” in its name :wink:

Most likely that is not necessary in this case re: Java cache, since as it was pointed out those could be flagged again & that would be just confusing,
but it is indeed not a bad idea having additional on-demand scanners due to the many FPs that Comodo produces (well, missed malware has to be counted too).

Cheers!

More and more thanks for the continued help and advice!

After banging my head against the wall trying to get any sort of control over the locked spinrite.exe file (followed about 10 different sets of instructions for taking ownership, unlocking, overriding permissions, etc) I rebooted my machine and all was well again. And I noticed the same issue with another file that CIS had flagged - this one a pretty clear false positive. Does CIS put some sort of lock on the files it flags?

Anyway … now that I have access to the file, I submitted it to virustotal, and the same file has been seen there before, repeatedly between 2006 and last week:

http://www.virustotal.com/file-scan/report.html?id=acf18fdd30396f9a326644c1802947c565f33eb8dc1a9d5acd8010b7adaf4dcc-1290407236

Here’s the weird thing … I have another copy of what I would expect to be the same file sitting on another HD partition. It has a slightly different name “SpinRite.exe” vs “SpinRite6.exe”, but the same byte-count. Comodo does not flag the other file, and when I submit it to VT, it has a very similar report - it has been submitted multiple times before, between 2006 and now, and the same other two AVs report it as suspicious, but Comodo does not:

http://www.virustotal.com/file-scan/report.html?id=230be922979b19338c7395d318317c23a003e50ec949eedb3b8f7e7a9a653174-1291404304

My gut tells me that this is a false positive, especially because of what I know about Spinrite - very low-level commercial software that probably goes to some length to pack/encrypt itself to avoid reverse engineering. So it makes sense that some scanners would flag it as suspicious.

But it does seem really weird that I have two copies of the same file, one of which is flagged by Comodo and 2 other AV’s, and one of which is flagged only by the other two.

I’m inclined to just scratch my head and not worry about it, but if anyone has any thoughts, or if you have a copy of SpinRite, submit it to VT and let me know what you find…

(With the Java stuff, yeah I’ll stop being paranoid, just clean the files and move on … thanks for the reassurance)

huge1,

Scratching your head is a more appropriate approach than “banging your head against the wall” heheh!
In any circumstances use the PC’s LCD instead of the wall - much softer :smiley:

Nahh! don’t do that.

Again - instead of using VT or any site like this, it is always advisable to send the file to the vendor that produced the flagging if you are not sure.

The code resides on your PC - that is what is important.
Sure, we can download the file … but what is the point?

  • That can already be a different version (the code changed);
  • Then, send the same file 5 min later to VT or alike - & you can get different results due to updated DB versions of the scanners;
  • In addition (hopefully not in this case) any file can be compromised by a 3rd-party infection that is currently present on your PC, and that has to be taken into account as well.

Cheers!

Hi huge1,
We are going to have a look at it and will get back to you after investigation.
Thanks and Regards,
Lin mengze

Thanks Lin, and all the others who responded … super-helpful. I look forward to hearing any results from your investigation. Let me know if you want me to post the version of SpinRite that Comodo does not flag.

I have a couple other files that look like similar maybe-false-positives to me (from my Hiren’s Boot CD download). I’ll post them in another thread…

Here is the result:

Hello Valentinchen,

Malware:
SHA1: 5cbb72947e281875e213064668aa4cd36951cd13 SIG ID: 141221096

Not Malware:
SHA1: 630ad5b25cd291b0e7b7329e67b41fa3836cf3b0 SIG ID: 122687352
SHA1: ab2d66d1907ee92e12f07a0206018dc7a42260e7 SIG ID: 122756636

linmengze

here are the VT results:

http://www.virustotal.com/file-scan/report.html?id=b0d442b3b3f203d84f6d5cfc321cbc4474ad4256e9453838b7b980e46f2af2a0-1291783355

http://www.virustotal.com/file-scan/report.html?id=413d9d70bf9170ebfab54bb1b95e1b93d124b0f69b63aacb01f169e39b81bc5d-1291776992

http://www.virustotal.com/file-scan/report.html?id=e0996236ef8f1a9fbef7c7af19dfe969bd282451dc866c94d73221d2c44147f5-1291776976

Regards,
Valentin
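Since the verdict above is keyed by SHA-1 and the earlier question about the two SpinRite copies turned on "same byte-count, different name", a hash-based check is the natural way to reproduce both findings locally. The following is an added example written for this thread; it is not code from any of the posters, from Comodo or from GRC. It copies the three SHA-1/SIG ID pairs from linmengze's reply into a lookup table, hashes every file under a directory (a Java deployment cache, for instance), and also hashes the members of any JAR/ZIP it finds, on the assumption that the `|vmain.class` suffix in the report lines denotes a member inside the cached archive. Any file whose hash is not in the table is reported as "unknown", not as clean: a hash identifies exact bytes, so a rebuilt or trimmed copy of the same program will not match.

```python
"""Hash-check files (and archive members) against vendor-reported SHA-1 verdicts.

Added example for the thread above, not code from the original posters or vendors.
The VERDICTS table copies the SHA-1 / SIG ID pairs from linmengze's reply; the
'container|member' naming mirrors the report lines and is an assumption about
that notation.
"""
import hashlib
import os
import zipfile

# SHA-1 -> (SIG ID, verdict), copied from the forum reply above.
VERDICTS = {
    "5cbb72947e281875e213064668aa4cd36951cd13": ("141221096", "Malware"),
    "630ad5b25cd291b0e7b7329e67b41fa3836cf3b0": ("122687352", "Not Malware"),
    "ab2d66d1907ee92e12f07a0206018dc7a42260e7": ("122756636", "Not Malware"),
}


def file_digest(path, algo="sha1", chunk=1 << 16):
    """Hash a file in chunks so a multi-GB download never has to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path, verdicts=VERDICTS):
    """Return (sha1, sig_id, verdict); verdict is 'unknown' when the hash is not listed."""
    digest = file_digest(path)
    sig_id, verdict = verdicts.get(digest, (None, "unknown"))
    return digest, sig_id, verdict


def same_bytes(path_a, path_b):
    """Equal size is only a cheap pre-check; a strong hash decides byte identity."""
    if os.path.getsize(path_a) != os.path.getsize(path_b):
        return False
    return file_digest(path_a, "sha256") == file_digest(path_b, "sha256")


def archive_member_digests(path):
    """SHA-1 of every member of a JAR/ZIP, keyed 'container|member'.

    Returns {} for anything that is not a ZIP container, so it is safe to call
    on every file in a tree.
    """
    if not zipfile.is_zipfile(path):
        return {}
    out = {}
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.endswith("/"):  # directory entry, nothing to hash
                continue
            key = "%s|%s" % (os.path.basename(path), name)
            out[key] = hashlib.sha1(zf.read(name)).hexdigest()
    return out


def scan_tree(root, verdicts=VERDICTS):
    """Walk a directory and report (name, sha1, verdict) for files and archive members."""
    report = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            digest, _, verdict = classify(p, verdicts)
            report.append((os.path.relpath(p, root), digest, verdict))
            for member, mdigest in archive_member_digests(p).items():
                _, mverdict = verdicts.get(mdigest, (None, "unknown"))
                report.append((member, mdigest, mverdict))
    return report


if __name__ == "__main__":
    import sys
    # Usage: python hashcheck.py <directory>   (defaults to the current directory)
    for row in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%-60s %s %s" % row)
```

Run it against the backed-up `...\AppData\LocalLow\Sun\Java\Deployment\cache` folder to see which of the three cached entries carried the hash Comodo classified as malware, and call `same_bytes()` on the two SpinRite copies: if it returns False despite the equal byte-count, the two files really are different binaries and a differing verdict from one engine is no longer surprising.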

Hi huge1,

Reported FP is fixed and you can confirm this with DB V6988.

Regards,
Vaishnavi.V.K

Confirmed, both on my local scan, and submitting the file to VT, now comes up clean with Comodo. Thanks for all the help!

Hi huge1 ,
Glad that you have a definite answer now & peace of mind as a result.

But for the future, please follow some of the advice above - clean before scanning.
Currently many security products cannot handle the Java cache … needless to say Comodo, with its enormous FP rate :slight_smile:

Cheers!

Off topic: does CIS have FPs? I have never got any FP so far.

Regards,
Valentin

Yes it does. It’s getting better all the time though.

Okay

Sure, and a lot!!!

Most likely you are not installing/testing much software.
Definitely it depends on the system environment, meaning how the system is used.
If the user got the system, installed the few packages he/she needs for daily work and - “that’s it”, so to speak, FPs still may occur but rarely… otherwise

… I have no doubt you were reading this section, where we are now currently :wink:,
and many other reports in different threads.

Cheers!

I understand what you’re saying SiberLynx :slight_smile: