Trojan.FakeAlert (Real or FF)



antontonkovic
12-15-2008, 11:16 AM
I just did an intelli scan and it came up with Trojan.FakeAlert.
I have quarantined the malware.

Is this a false positive, or is it real?

I have googled it, and as far as I can tell, it is NOT a false positive.

Can anyone verify this for me?

Thanks

geecee
12-15-2008, 11:25 AM
Hi Antontonkovic

I have the same Fake Alert infection this morning after the update, giving me a list of 14 infections plus a Backdoor.VB.Gen
The first part of the log file looks as though it is something to do with Java and Inprocserver32.

My system was clean yesterday so I think this may well be a FP.
GC

jerome
12-15-2008, 11:32 AM
Hello,
same here...
Yesterday with Database 5.11331 and 951.386 signatures a full scan was clean!
This morning update to database 5.11340 and 951.886 signatures here is the detection of Trojan.FakeAlert. Here is the report:
PC Tools Spyware Doctor
Date Status
15/12/2008 10:35:00:289 Moteur de détection de logiciels malveillants
Chargement de la configuration du moteur de détection de logiciels malveillants réussi.
15/12/2008 10:35:19:890 Résultats d'Immunizer
La section ActiveX a été immunisée. Aucun élément n'a été traité.
15/12/2008 10:42:23:510 Analyse démarrée
Type d'analyse - Analyse complète

15/12/2008 10:51:09:509 Une infection a été détectée sur cet ordinateur
Nom de la menace - Trojan.FakeAlert
Type - Fichier
Degré de risque - Haut
Infection - C:\Program Files\Java\jre6\bin\deploytk.dll

15/12/2008 11:05:29:943 Une infection a été détectée sur cet ordinateur
Nom de la menace - Trojan.FakeAlert
Type - Valeur de registre
Degré de risque - Haut
Infection - HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}, (Default)

15/12/2008 11:05:29:944 Une infection a été détectée sur cet ordinateur
Nom de la menace - Trojan.FakeAlert
Type - Valeur de registre
Degré de risque - Haut
Infection - HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\InprocServer32, (Default)

15/12/2008 11:05:29:946 Une infection a été détectée sur cet ordinateur
Nom de la menace - Trojan.FakeAlert
Type - Valeur de registre
Degré de risque - Haut
Infection - HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\InprocServer32, ThreadingModel

15/12/2008 11:05:29:947 Une infection a été détectée sur cet ordinateur
Nom de la menace - Trojan.FakeAlert
Type - Clé de registre
Degré de risque - Haut
Infection - HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\InprocServer32

15/12/2008 11:05:29:948 Une infection a été détectée sur cet ordinateur
Nom de la menace - Trojan.FakeAlert
Type - Clé de registre
Degré de risque - Haut
Infection - HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}

15/12/2008 11:05:29:961 Une infection a été détectée sur cet ordinateur
Nom de la menace - Trojan.FakeAlert
Type - Fichier
Degré de risque - Haut
Infection - C:\Windows\System32\deploytk.dll

15/12/2008 11:42:41:749 Une infection a été détectée sur cet ordinateur
Nom de la menace - Trojan.FakeAlert
Type - Valeur de registre modifiée
Degré de risque - Haut
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Userinit

15/12/2008 11:42:41:753 Une infection a été détectée sur cet ordinateur
Nom de la menace - Trojan.FakeAlert
Type - Valeur de registre modifiée
Degré de risque - Haut
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile, EnableFirewall

15/12/2008 11:42:41:754 Une infection a été détectée sur cet ordinateur
Nom de la menace - Trojan.FakeAlert
Type - Valeur de registre modifiée
Degré de risque - Haut
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile, EnableFirewall

15/12/2008 11:42:41:773 Analyse terminée
Type d'analyse - Analyse complète
Eléments traités - 254503
Menaces détectées - 1
Infections détectées - 10
Infections ignorées - 0

Fake Alert? FP?
Regards,
Jérôme.

geecee
12-15-2008, 11:49 AM
Hi Jerome
Yes, your log file looks very similar to mine. Although I'm still using 4.1 on this old PC, the findings appear to suggest that PCT need to tweak the update.

GC

silvertones
12-15-2008, 12:47 PM
After update this AM I did a scan and was 100% clean. Nothing at all.
May not be a FP may be something that was on there that wasn't identified until the new updates. That is the reason for updates!

Immortal
12-15-2008, 03:29 PM
Same here Backdoor.vb.gen, found in file zlib.dll

Is this another FP ? Again ?

Makes ya dont want to rely on Spyware Dr...

Same as with that boy that cried wolf a couple of times too many :D

spiderknight
12-15-2008, 03:43 PM
I also got Backdoor.VB.GEN found in file zlib.dll, it looks to be another FP if we are all getting this at the same time. I just hope this doesn't cause the system damage the last FP a month ago did. I had to do a total reinstall on my Norton 360 v2 after the FP Spydoctor gave me on 11-13-08. I have SD stand alone v6.0.0.386 Database v5.11340

tigertheboo
12-15-2008, 04:57 PM
I also got Backdoor.VB.GEN found in file zlib.dll, it looks to be another FP if we are all getting this at the same time.

Last time this forum reported a false positive I inquired through the on-line technical support and got an answer.

This time I tried to inquire. In my message I typed the words "false positive". The automatic inquiry went to the FAQ about false positives and would not let me complete my inquiry but instead sent my message. I could log onto the message storage place and add to my message, but something seemed wrong with the inquiry process.

silvertones
12-15-2008, 08:35 PM
Like I said I did not get this. Same version & database. If it was a FP I would think everyone would have it. No?

AChen
12-15-2008, 10:47 PM
Hi Guys,

This is a FP and we are currently working on a fix which will hopefully be available later today.

tigertheboo
12-16-2008, 12:27 AM
Hi Guys,

This is a FP and we are currently working on a fix which will hopefully be available later today.

thank goodness for this forum that allows nervous nellies like me to cope with FPs. I assume we simply ignore the scan that has picked up this fp and then scan again and hope it is not picked up.

Anyway, I'm not removing it or quarantining it or anything. Assume that is the correct approach

AChen
12-16-2008, 12:53 AM
thank goodness for this forum that allows nervous nellies like me to cope with FPs. I assume we simply ignore the scan that has picked up this fp and then scan again and hope it is not picked up.

Anyway, I'm not removing it or quarantining it or anything. Assume that is the correct approach

Check out http://www.pctools.com/forum/showthread.php?t=55575 :)

antontonkovic
12-16-2008, 02:09 AM
I just want to know if I have the latest database/signatures

Sd 6.0.0.6386
Database Version 511340
Signatures 951,886

Is this the latest? Will there be an update sometime Today?

I have restored this FakeAlert from quarantine

AChen
12-16-2008, 02:28 AM
I just want to know if I have the latest database/signatures

Sd 6.0.0.6386
Database Version 511340
Signatures 951,886

Is this the latest? Will there be an update sometime Today?

I have restored this FakeAlert from quarantine

Yep that is the latest DB available atm. Hopefully the fix will be in 511350 released later today.

xlebywek
12-16-2008, 08:50 AM
This is all becoming way too funny.
The desired operation of SD is a TOTAL SILENCE , since no one believes already that any given detection is valid.

Food for thought:
After uninstalling KIS 7 , and running full scan with SD+AV the same day , I've installed NIS 2009 , ran full scan and buuuuaaaaa.....
4 previously undetected trojans with registry traces!
It managed to deeply clean the registry and none of the trojans came back
And I had SD always on
Since I have full trust in Norton FP wise, the conclusion is obvious.....
As of today , SD is completely shut down and will be used once a month for a scan only.
System load decreased three fold , NIS 2009 is amazing in this area
Not interested at all in SD "real-time(LOL)" performance

peace

jerome
12-16-2008, 08:54 AM
Hello,
today update to database 5.11350 with 951.151 signatures.
Full scan perfectly clean.
Thank you,
Jérôme.

xlebywek
12-16-2008, 09:10 AM
Jerome, in a matter of minutes you just reinforced my case LOL

geecee
12-16-2008, 10:31 AM
All
Today I restored all the files from quarantine, including the backdoor entry, believing this to be part of the FP from yesterday, which others have noticed being flagged up as well.

I have updated to the latest signature database but on scanning the Backdoor is still being picked up as per below.

Spyware Doctor Activity Report
Generated on 16/12/2008 08:08:26


Scans (basic information only):

Scan Results:
scan start: 16/12/2008 10:00:01
scan stop: 16/12/2008 10:12:12
scanned items: 126092
found items: 1
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner



Infection Name Location Risk
Backdoor.VB.GEN C:\WINDOWS\system32\zlib.dll Medium



This was my report logs from yesterday if it helps.

Scan Results:
scan start: 15/12/2008 10:00:01
scan stop: 15/12/2008 10:12:24
scanned items: 126256
found items: 13
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner



Infection Name Location Risk
Trojan.FakeAlert C:\PROGRAM FILES\Java\jre6\bin\deploytk.dll Medium
Trojan.FakeAlert C:\WINDOWS\system32\deploytk.dll Medium
Backdoor.VB.GEN C:\WINDOWS\system32\zlib.dll Medium
Trojan.FakeAlert HKCR\CLSID\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA} Medium
Trojan.FakeAlert HKCR\CLSID\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}## Medium
Trojan.FakeAlert HKCR\CLSID\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\InprocServer32 Medium
Trojan.FakeAlert HKCR\CLSID\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\InprocServer32## Medium
Trojan.FakeAlert HKCR\CLSID\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\InprocServer32##ThreadingModel Medium
Trojan.FakeAlert HKLM\Software\Classes\CLSID\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA} Medium
Trojan.FakeAlert HKLM\Software\Classes\CLSID\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}## Medium
Trojan.FakeAlert HKLM\Software\Classes\CLSID\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\InprocServer32 Medium
Trojan.FakeAlert HKLM\Software\Classes\CLSID\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\InprocServer32## Medium
Trojan.FakeAlert HKLM\Software\Classes\CLSID\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\InprocServer32##ThreadingModel Medium

Scan Results:
scan start: 15/12/2008 10:50:57
scan stop: 15/12/2008 11:13:42
scanned items: 173837
found items: 2
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner



Infection Name Location Risk
Trojan.FakeAlert C:\System Volume Information\_restore{F3696A19-11C7-4990-871B-CE71B7561DBC}\RP1535\A0211450.dll Medium
Trojan.FakeAlert C:\System Volume Information\_restore{F3696A19-11C7-4990-871B-CE71B7561DBC}\RP1535\A0211451.dll Medium






Has anyone else had this scenario today, Jerome said his scan was clean, but in his log I didn't notice that the backdoor.VB.GEN was picked up yesterday.

Can we assume that this is a genuine nasty and should be removed?

Any info greatly received


GC

Immortal
12-16-2008, 10:35 AM
Yep, same here. Database version 5.11350 still picks up zlib.dll as malware :(


16-12-2008 11:28:46:250
Infection was detected on this computer
Threat Name - Backdoor.VB.GEN
Type - File
Risk Level - High
Infection - c:\windows\system32\zlib.dll
16-12-2008 11:28:46:250
Infection was detected on this computer
Threat Name - Backdoor.VB.GEN
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs, C:\WINDOWS\System32\ZLIB.DLL = 3

tigertheboo
12-16-2008, 04:10 PM
Yep, same here. Database version 5.11350 still picks up zlib.dll as malware :(

Initially I had the FP malware in the Java folder. With 11350 the full scan was clean this morning. Your logs show the malware in a different location.

Incidentally, what do the many PCT customers do who don't read this forum and who get the FP? Maybe PCT should have some way of posting FPs.

Monman
12-16-2008, 08:48 PM
Incidentally, what do the many PCT customers do who don't read this forum and who get the FP? Maybe PCT should have some way of posting FPs.

That is a very good idea. Maybe PCT customers can be informed by email whenever an 'infection' is recognised as a false positive. After all if PC Tools can email out a newsletter to their customers they can email out a false positive warning.

jerome
12-16-2008, 09:39 PM
Hello,
I 100% agree with this opinion: if PC Tools can send us e-mails of advertising they can also send e-mails to tell us their errors!
Good night from Paris , France,
Jérôme.

Immortal
12-17-2008, 08:43 AM
The latest database version 5.11360 now reports my system as clean again, so the Zlib.dll must be no longer suspect or else it is set to ignore it.

Actually this makes me wonder: How can one tell the difference whether a file or program that was previously detected as potential threat now is marked as false positive and no longer considered a threat or is the intelli scan just modified to ignore it ?

Does this mean the Intelli-Signatures are updated with a different algorithm, pattern or some other validity check mechanism? How are False Positives recognised/matched with the real thing? More interestingly, how can they suddenly surface when these intelli signatures are enhanced? Isn't there some Quality Control?

Questions which might not be suitable to address here, but perhaps someone can shed some light on it ?

I am genuinely interested in the philosophy behind this, since the reason for purchasing a security enhancement like Spyware Dr. (SD) is based on the concept of trust, and frankly I don't trust SD that much any more. It's like I stated before, "a boy who cried wolf once too many", and with each false positive one feels less secure.

geecee
12-17-2008, 09:21 AM
Immortal
I've just restored the Zlib file from quarantine as well and scanned using todays database. My system also now shows clean which is nice to see.

I did PM Achen this morning when I found no note within the thread saying that they had resolved the issue, which would have helped.
I am totally in agreement with comments of others about PCT posting reactions/solutions to FP's found by users


Without your note I would not have restored the file, so I thank you.

Regards GC

Immortal
12-17-2008, 09:53 AM
GeeCee, you're welcome and thanks for the feedback.

silvertones
12-17-2008, 11:52 AM
Makes me very nervous. Why did SD pick it up on some machines & not mine. Maybe it wasn't a FP but now it's been tagged as such never to be found again.:(

geecee
12-17-2008, 12:35 PM
Silvertones.
As you are aware no 2 PC configs are likely to be the same. I have been in a similar situation, where only recently, a number of FP's have been raised but my system never squeaked. That could be because my old PC can only run Version 4.1 without suffering and V6x.x was finding conflicts that mine doesn't.

My two penn'orth on the FakeAlert this week was that it was found in the Java folders.
My Java updates on the 25th of each month, which it did in November.
Last week it updated again to Ver 6 Update 11, which I also downloaded.

My questions would be
a. do you have Java installed
b. is your version the same as mine
c. maybe the recent update caused a conflict when PCT revised their database. If we sit at different revisions maybe this is why it shows on some PC's and not others.

I really don't know, I am only guessing to be honest.

Maybe Immortal could post what his set up is re Java and either back my theory or shoot it down completely.

As I say, what I have written here could be total tosh!! Maybe Achen could shed some light on this to put us in the picture.

Regards
GC

Immortal
12-17-2008, 03:24 PM
I am happy to say that now with database version 5.11360 my pc is considered clean, but can imagine why peeps feel nervous..

The reason I considered it a false positive in my case is that it happened on three different test machines.

They all have this zlib.dll which is part of novell 4.91 SP 5 client for my network operating system and this zlib.dll is a general purpose compression Library. I also scanned it with other tools which I will not mention here as that is against the rules. But never got flagged as containing this backdoor.

I have indeed applied the Java Update ya mentioned.

My questions still stand though and sure would appreciate an answer of a PCTools rep if feasible.
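
The evidence gathered in the post above (same DLL on several machines, a known vendor component, a second opinion from other scanners) is what a defender collects before trusting or dismissing a detection. The script below is an added example, not code from the thread or from PC Tools; it assumes Windows PowerShell 4.0 or later (for Get-FileHash) and reads only the file paths and registry keys reported earlier in this thread, without changing anything.

```powershell
# Added triage example (not from this thread or from PC Tools). Collects the
# facts a reviewer wants before deciding whether a detection is a false positive:
# file hash, Authenticode signature status, version resource, and which DLL the
# flagged CLSID actually loads. Read-only; nothing is deleted or quarantined.
# Assumes Windows PowerShell 4.0+ (Get-FileHash). Paths are the ones reported
# in this thread; adjust for your machine.

$Flagged = @(
    'C:\Program Files\Java\jre6\bin\deploytk.dll',
    'C:\Windows\System32\deploytk.dll',
    'C:\Windows\System32\zlib.dll'
)

function Get-FlaggedFileEvidence {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Exists = $false }
            continue
        }
        $item = Get-Item -LiteralPath $p
        $sig  = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path        = $p
            Exists      = $true
            SizeBytes   = $item.Length
            LastWrite   = $item.LastWriteTimeUtc
            SHA256      = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Company     = $item.VersionInfo.CompanyName
            Product     = $item.VersionInfo.ProductName
            FileVersion = $item.VersionInfo.FileVersion
            SigStatus   = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted ...
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

$evidence = Get-FlaggedFileEvidence -Path $Flagged
$evidence | Format-List

# Two copies of the same DLL in different folders (as reported in this thread)
# should hash identically if one is simply a copy of the other; differing hashes
# mean the two files need to be assessed separately.
$evidence | Where-Object Exists | Group-Object SHA256 | ForEach-Object {
    "{0} file(s) share SHA256 {1}" -f $_.Count, $_.Name
}

# The registry hits in the same report are a COM class registration. Reading the
# InprocServer32 default value shows which DLL that CLSID points at, so the
# registry entries can be tied to the file entries above.
$clsidKey = 'HKLM:\Software\Classes\CLSID\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\InprocServer32'
if (Test-Path -LiteralPath $clsidKey) {
    $srv = Get-ItemProperty -LiteralPath $clsidKey
    "CLSID InprocServer32 -> {0} (ThreadingModel: {1})" -f $srv.'(default)', $srv.ThreadingModel
}

# The report also flagged Winlogon\Userinit as a "modified registry value".
# Showing the actual value lets you compare it with what you expect on a
# standard install rather than trusting the scanner's label alone.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
"Userinit = {0}" -f (Get-ItemProperty -LiteralPath $winlogon).Userinit
```

Run it from an elevated prompt so the System32 files and HKLM keys are readable. A file whose signature status is Valid and whose signer and version resource match the vendor named by the other posters is strong (though not conclusive) evidence of a false positive; a NotSigned or HashMismatch result, a hash that differs between the two deploytk.dll copies, or a Userinit value that points anywhere other than the expected userinit.exe path is a reason to keep the item quarantined until the vendor confirms the verdict.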

silvertones
12-17-2008, 05:23 PM
1. I have the latest version of Java same as you.
2. SD is a paid version and right up to date
3. windows 2000 pro up to date

I specifically scanned the Java folder immediately when this issue was posted. I did a complete scan. I follow this forum at least 3 times a day.
I also have
1. TF
2. FW Plus
3. Avast

I have this file zlib.dll; it's part of my wireless network card program. At least that's where it is.