false positive?

[strix]

Hi, can anyone help me to determine if this is a legit threat or just a false positive (before i go through the painstaking process of changing all my passwords...)

Infected file:

C:\WINDOWS\mplayerplgn.dll (Trojan.BHO) -> No action taken.

Registry:

HKEY_CLASSES_ROOT\dnscache.dnscacheobj (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\TypeLib\{1fd79a59-37b1-459b-9097-09f9fab8a523} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{b97f9125-71a1-48d0-b920-f140ef8de809} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\dnscache.dnscacheobj.1 (Trojan.BHO) -> No action taken.

All from a quick scan. Full scan came up with an additional file:

mfc42u.dll as malware.packer.gen, from The Sage dictionary. False positive?

[nosirrah]

http://forums.malwarebytes.org/index.php?showtopic=3228

Please post a developers log .

[strix]

The same files with a quickscan:

Files:

C:\WINDOWS\mplayerplgn.dll (Trojan.BHO) -> No action taken. [85DCBDB239B2414800501F44D3EAAE86]

Registry:

HKEY_CLASSES_ROOT\dnscache.dnscacheobj (Trojan.BHO) -> No action taken. [85DCBDB239B2414800501F44D3EAAE86]

HKEY_CLASSES_ROOT\TypeLib\{1fd79a59-37b1-459b-9097-09f9fab8a523} (Trojan.BHO) -> No action taken. [85DCBDB239B2414800501F44D3EAAE86]

HKEY_CLASSES_ROOT\Interface\{b97f9125-71a1-48d0-b920-f140ef8de809} (Trojan.BHO) -> No action taken. [85DCBDB239B2414800501F44D3EAAE86]

HKEY_CLASSES_ROOT\CLSID\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> No action taken. [85DCBDB239B2414800501F44D3EAAE86]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> No action taken. [85DCBDB239B2414800501F44D3EAAE86]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> No action taken. [85DCBDB239B2414800501F44D3EAAE86]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> No action taken. [85DCBDB239B2414800501F44D3EAAE86]

HKEY_CLASSES_ROOT\dnscache.dnscacheobj.1 (Trojan.BHO) -> No action taken. [85DCBDB239B2414800501F44D3EAAE86]

[nosirrah]

This has been our database for a very long time with no reports . It would be helpful to have a copy of mplayerplgn.dll to take a look at . Zip and attach it to your next post please .

I have fixed the FP in the next update , I only need the file to double check something .

[strix]

Here you go. The registry entries are nothing to be worried about?

mplayerplgn.zip

[nosirrah]

I was wrong about this being a false positive , it is malware for sure and needs to be removed :

http://www.virustotal.com/analisis/590cc6c...2a85-1265031147

[strix]

Thanks for the headsup. However MBAM doesn't find the file now that the registry keys are quarantied. Is it harmless or should I remove it to be sure?

[TonyKlein]

If you uploaded the file to VirusTotal, you'd very likely get something like this:

http://www.virustotal.com/analisis/590cc6c...2a85-1247149284

The registry entries also belong to this Webdir adware variant:

http://www.systemlookup.com/viewitem.php?l...1&item=4698

http://www.systemlookup.com/viewitem.php?l...&item=56591

[strix]

I see. The avira antivir comes up with nothing either (apart from my accelfix), in any case should I be worried that my passwords are leaked or is it a "light" threat?

[TonyKlein]

It's not a password stealer, as far as I know, so a light threat, I guess