question about SuperAntiSpyware identifications

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by LMHmedchem, Nov 19, 2011.

  1. LMHmedchem

    LMHmedchem Private E-2

    I am running SUPERAntiSpyware and it has identified a few things that look like false positives.

    These are in my download folder for motherboard drivers and BIOS versions, but are detected as Trojan.Agent/Gen-Sisproc
    motherboard_bios_ga-ep45t-ds3r_f3.exe
    motherboard_driver_sataraid_intel_bootdisk_64.exe
    motherboard_driver_sataraid_intel_bootdisk_32.exe

    This .dll is detected as Trojan.Agent/Gen-Hupigon
    C:\Program Files\TrojanHunter 4.5\THSec.dll

    As far as I know, these are legitimate files, but I suppose they could have been infected by something.

    Any opinions on any of these?

    LMHmedchem
     
  2. thisisu

    thisisu Malware Consultant

    Which directory were the motherboard drivers in?
     
  3. LMHmedchem

    LMHmedchem Private E-2

    The drivers are in my download directory,
    C:\Download_Install\system_tools\bios
    C:\Download_Install\system_tools\raid_drivers

    These are directories that I created to store things I download.

    Here is the complete log,
    Code:
    http://www.superantispyware.com
    
    Generated 11/19/2011 at 07:52 PM
    
    Application Version : 5.0.1136
    
    Core Rules Database Version : 7965
    Trace Rules Database Version: 5777
    
    Scan type       : Complete Scan
    Total Scan Time : 03:24:04
    
    Operating System Information
    Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
    Administrator
    
    Memory items scanned      : 423
    Memory threats detected   : 0
    Registry items scanned    : 36173
    Registry threats detected : 3
    File items scanned        : 152880
    File threats detected     : 6
    
    Registry Cleaner Trial
    	C:\Documents and Settings\basic_user\Desktop\Registry Cleaner.lnk
    
    Disabled.SecurityCenterOption
    	HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY
    	HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#FIREWALLDISABLENOTIFY
    	HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#UPDATESDISABLENOTIFY
    
    Trojan.Agent/Gen-Hupigon
    	C:\PROGRAM FILES\TROJANHUNTER 4.5\THSEC.DLL
    
    Trojan.Agent/Gen-Sisproc
    	C:\DOWNLOAD_INSTALL\SYSTEM_TOOLS\BIOS\MOTHERBOARD_BIOS_GA-EP45T-DS3R_F3.EXE
    	C:\DOWNLOAD_INSTALL\SYSTEM_TOOLS\RAID_DRIVERS\MOTHERBOARD_DRIVER_SATARAID_INTEL_BOOTDISK_32.EXE
    	C:\DOWNLOAD_INSTALL\SYSTEM_TOOLS\RAID_DRIVERS\MOTHERBOARD_DRIVER_SATARAID_INTEL_BOOTDISK_64.EXE
    
    Trojan.Downloader-Gen/A
    	F:\_DATA_LEVEL\_MOLCONN_BUILD\MOLCONNC_DEV_BUILD\IPC\FORK_PIPES\09-04-01_FORK-PIPES\POSIX_VERS_002\A.EXE

    I have had the security center notifications disabled for some time. I have ZoneAlarm ISS installed and the notifications were becoming annoying. It doesn't seem as if they do anything.

    I'm not sure why the TrojanHunter file is causing an alert, but I could uninstall that since I haven't really used it in a long time. I have Malwarebytes at this point.

    The a.exe file is from one of my programs. It is a simple multi threader that runs several different processes at the same time. I can't imagine what would be in there that would cause a fuss, but I could post the src code if anyone wants to have a look. I didn't write all of it myself, so I suppose there could be something in there that isn't supposed to be. Is there just some nasty file with the same name, or is this doing a deeper scan of functionality?

    What is the issue with the link to Eusing free registry cleaner?

    LMHmedchem
     
    Last edited: Nov 19, 2011
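    A small parser for the SUPERAntiSpyware log format posted above, as an added example (not code from the thread, from MajorGeeks or from SUPERAntiSpyware). It reconciles the items listed under each detection name against the reported totals, and separates generic-signature hits (the "Gen" names, which the thread later identifies as false positives) from configuration findings such as the disabled Security Center notifications. The log excerpt is constructed from the posted log; the "Gen" substring rule for generic signatures is an assumption.

```python
# Constructed excerpt of the SUPERAntiSpyware log posted in the thread (totals plus detections).
SAS_LOG = """\
Registry threats detected : 3
File threats detected     : 6

Registry Cleaner Trial
\tC:\\Documents and Settings\\basic_user\\Desktop\\Registry Cleaner.lnk

Disabled.SecurityCenterOption
\tHKLM\\SOFTWARE\\MICROSOFT\\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY
\tHKLM\\SOFTWARE\\MICROSOFT\\SECURITY CENTER#FIREWALLDISABLENOTIFY
\tHKLM\\SOFTWARE\\MICROSOFT\\SECURITY CENTER#UPDATESDISABLENOTIFY

Trojan.Agent/Gen-Hupigon
\tC:\\PROGRAM FILES\\TROJANHUNTER 4.5\\THSEC.DLL

Trojan.Agent/Gen-Sisproc
\tC:\\DOWNLOAD_INSTALL\\SYSTEM_TOOLS\\BIOS\\MOTHERBOARD_BIOS_GA-EP45T-DS3R_F3.EXE
\tC:\\DOWNLOAD_INSTALL\\SYSTEM_TOOLS\\RAID_DRIVERS\\MOTHERBOARD_DRIVER_SATARAID_INTEL_BOOTDISK_32.EXE
\tC:\\DOWNLOAD_INSTALL\\SYSTEM_TOOLS\\RAID_DRIVERS\\MOTHERBOARD_DRIVER_SATARAID_INTEL_BOOTDISK_64.EXE

Trojan.Downloader-Gen/A
\tF:\\_DATA_LEVEL\\_MOLCONN_BUILD\\MOLCONNC_DEV_BUILD\\IPC\\FORK_PIPES\\09-04-01_FORK-PIPES\\POSIX_VERS_002\\A.EXE
"""

def parse_sas_log(text):
    """Return ({summary label: count}, {detection name: [items]}) from SAS log text."""
    summary, detections, current = {}, {}, None
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if line.startswith("\t") and current:           # item listed under a detection name
            detections[current].append(line.strip())
        elif sep and value.strip().isdigit():           # e.g. "Registry threats detected : 3"
            summary[label.strip()] = int(value)
        elif line.strip():                              # a detection name starts a new group
            current = line.strip()
            detections[current] = []
        else:
            current = None                              # blank line closes the group
    return summary, detections

def triage(summary, detections):
    """Check listed items against the reported totals and flag generic-signature hits for review."""
    items = [i for group in detections.values() for i in group]
    registry = [i for i in items if i.startswith("HK")]             # HKLM/HKCU... are registry hits
    generic = [n for n in detections if "Gen" in n and not n.startswith("Disabled.")]
    return {
        "registry_ok": len(registry) == summary["Registry threats detected"],
        "files_ok": len(items) - len(registry) == summary["File threats detected"],
        "generic_signatures": generic,   # heuristic names (assumed rule): verify the file before deleting
        "config_only": [n for n in detections if n.startswith("Disabled.")],
    }
```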
  4. thisisu

    thisisu Malware Consultant

    All false positives IMO.
    SAS probably flagged it because it was in a folder with this:
    It probably thinks it's some sort of fake AV.

    There is a "report false positive" button after you've completed scanning. Maybe it will eventually get fixed ;)
     
  5. LMHmedchem

    LMHmedchem Private E-2

    I just finished running combofix and it removed a file called c:\windows\system32\Device.dll. It didn't seem to do anything else. Here is the log
    [edit: thisisu > inline CF log removed / not allowed]

    LMHmedchem
     
    Last edited by a moderator: Nov 19, 2011
  6. thisisu

    thisisu Malware Consultant

  7. LMHmedchem

    LMHmedchem Private E-2

    I had an issue a few days ago where I thought I may have been compromised, so I thought I would run a few scans and such. I was hoping to avoid a full removal protocol, since that can take a long time with the 3 million+ files on my file system.

    I have more or less run everything recommended. ComboFix quarantined a few things, like a file called C:\WINDOWS\system32\Device.dll and some registry entries. I ran RootRepeal, but it didn't finish. It gave me a Find Next File error 1117. I need to run a diagnostic on that drive to make sure it's ok. When I rebooted, I am getting a plug and play trying to install new hardware. The new hardware is identified as "unknown". There is something in the device manager also called "unknown". I have attached the quarantined list from ComboFix. If you think it is warranted, I will run the entire removal process from start to finish tomorrow.

    LMHmedchem
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Yes please do.
     
  9. LMHmedchem

    LMHmedchem Private E-2

    Attached are the log files from all the different scans. There appeared to be some kind of error with HijackThis during the MG scans, so I don't know if that one went through. There was a window asking if I wanted to report the error to HJT and IE opened. I can run HJT separately if you want me to. There was also some kind of error with process.exe, or process.dll, or something like that. If you need to know, I can run MG again and write the errors down. It appeared to be a Windows error.

    LMHmedchem
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    These logs are clean.

    It's just because you don't have .NET framework installed. Some of the logs make use of it.

    No need, the HJT log is complete.

    You can uninstall this:
    • Java(TM) 6 Update 23 (outdated)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  11. LMHmedchem

    LMHmedchem Private E-2

    There were a few items quarantined by ComboFix when I ran it yesterday. I think I posted the names. Are there differences between the combo logs that indicate that something was identified and fixed, or was nothing found?

    I had an issue last week with a credit card being used for unauthorized online purchases. Since the purchases were online, whoever used the card would have needed a fair amount of information, such as the complete billing address, name as it appears on the card, card number, expiration date, security code, etc. This card is only used for online purchases. In order to obtain enough information to use the card, whoever did this likely compromised either one of the emerchants I used, or my computer. My card company identified the charges as fraud, and they never went past pending. I have contacted the emerchants I use to let them know they may have been compromised, but I thought it made sense to check my own rig as well.

    If something was found and removed, that is something I need to know about.

    I am going to do a complete re-install soon, so I would like some information about current security software. Is that something to ask here, or should I create a thread in software?

    LMHmedchem
     
  12. thisisu

    thisisu Malware Consultant

    Device.dll >> False positive // Related to the EASEUS Partition Manager 3.0 Home Edition program you have installed.

    Service_COMSysApp >> False positive // http://www.theeldergeek.com/com+_system_application.htm ( thanks chaslang :) )

    Those were the only two items removed. Both are actually false positives though. I assume you left the motherboard drivers that SAS detected alone. They were most likely only flagged because of the path they were in.
    "System Tool" being semi-related to a FakeAV rogue.

    I would take a look at Top Freeware Picks
     
