Monday, November 23rd 2009, 2:32am UTC+1
You are not logged in.
Date of registration:
Nov 7th 2009
Version: AntiVir Personal
Saturday, November 7th 2009, 10:43am
More False Positives In HP Drivers Files (Printers)
RELATES TO: False Positives reported in this thread (Mod: Nicolae Moldoveanu) :
http://forum.avira.com/wbb/index.php?page=Thread&threadID=100775
Sorry if this first time poster is a bit out of line/place. Just want to not see in future scans.
It's helpful to know you're not alone
when the same is found by others also.
Scanned today (Nov.2nd )using Nov.1 updated def file. (also re-scanned Nov.5 using newest defs). Avira Personal.
Heuristics for "scan" at Medium ("Guard" set for High).
Traditionally (8 months w/ Avira) the scan shows NO Objects & 3 "warnings" about files unable to open, always the same 3 incl. sys page file.
Tonight got 10 findings of adware gen. all in HP files & sys.restore files. Sys Restore Files have never been flagged before either.
Note: There has been NO Contact by this machine to HP Home for 2 years & no new HP files added. Further, Full daily scans w MBAM & SAS & 2 T /week full scans w/ Avira have never flagged these files. First Flag after Nov.1st defs added. False positives??
After reading Top Linked posts, I restored these files from quarantine & they were removed again on Nov. 5th.
I am submitting the 3 main HP files identified separately via link provided in top post. This is an HP Laptop & believe these are native.
Thanks so much for quick attention so I don't have to keep going around this re & re circle. Sandy
Here's the report:
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Starting to scan executable files (registry).
The registry was scanned ( '53' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\hp\drivers\printers\deskjet\hpzglu08.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b69aaa0.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\hp\drivers\printers\deskjet\hpzglu09.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4a054751.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\hp\drivers\printers\deskjet\util\common\hpfpdi09.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b55aab3.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\hp\tmp\src\psptr\hpzglu09.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b69aab4.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hpzglu09.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b69acf9.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\Swsetup\MSWorks\REDIST\IE6\TEMPFILE.CAB
[0] Archive type: CAB (Microsoft)
--> msoe.hlp
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP397\A0066923.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b1fb1a1.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP397\A0066924.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4a777f72.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP397\A0066925.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b1fb1a3.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP397\A0066926.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4a777f74.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP397\A0066927.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b1fb1a5.qua' ( QUARANTINE )
[NOTE] The file was deleted!
End of the scan: Monday, November 02, 2009 23:39
Used time: 46:39 Minute(s)
The scan has been done completely.
4966 Scanned directories
349830 Files were scanned
10 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
10 files were deleted
0 Viruses and unwanted programs were repaired
10 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
349819 Files not concerned
10636 Archives were scanned
3 Warnings
11 Notes
37776 Objects were scanned with rootkit scan
0 Hidden objects were found
http://forum.avira.com/wbb/index.php?page=Thread&threadID=100775
Sorry if this first time poster is a bit out of line/place. Just want to not see in future scans.
It's helpful to know you're not alonewhen the same is found by others also.
Scanned today (Nov.2nd )using Nov.1 updated def file. (also re-scanned Nov.5 using newest defs). Avira Personal.
Heuristics for "scan" at Medium ("Guard" set for High).
Traditionally (8 months w/ Avira) the scan shows NO Objects & 3 "warnings" about files unable to open, always the same 3 incl. sys page file.
Tonight got 10 findings of adware gen. all in HP files & sys.restore files. Sys Restore Files have never been flagged before either.
Note: There has been NO Contact by this machine to HP Home for 2 years & no new HP files added. Further, Full daily scans w MBAM & SAS & 2 T /week full scans w/ Avira have never flagged these files. First Flag after Nov.1st defs added. False positives??
After reading Top Linked posts, I restored these files from quarantine & they were removed again on Nov. 5th.
I am submitting the 3 main HP files identified separately via link provided in top post. This is an HP Laptop & believe these are native.
Thanks so much for quick attention so I don't have to keep going around this re & re circle. Sandy
Here's the report:
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Starting to scan executable files (registry).
The registry was scanned ( '53' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\hp\drivers\printers\deskjet\hpzglu08.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b69aaa0.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\hp\drivers\printers\deskjet\hpzglu09.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4a054751.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\hp\drivers\printers\deskjet\util\common\hpfpdi09.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b55aab3.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\hp\tmp\src\psptr\hpzglu09.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b69aab4.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hpzglu09.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b69acf9.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\Swsetup\MSWorks\REDIST\IE6\TEMPFILE.CAB
[0] Archive type: CAB (Microsoft)
--> msoe.hlp
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP397\A0066923.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b1fb1a1.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP397\A0066924.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4a777f72.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP397\A0066925.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b1fb1a3.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP397\A0066926.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4a777f74.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP397\A0066927.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Adware.Gen
[NOTE] A backup was created as '4b1fb1a5.qua' ( QUARANTINE )
[NOTE] The file was deleted!
End of the scan: Monday, November 02, 2009 23:39
Used time: 46:39 Minute(s)
The scan has been done completely.
4966 Scanned directories
349830 Files were scanned
10 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
10 files were deleted
0 Viruses and unwanted programs were repaired
10 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
349819 Files not concerned
10636 Archives were scanned
3 Warnings
11 Notes
37776 Objects were scanned with rootkit scan
0 Hidden objects were found
Date of registration:
Mar 28th 2008
Version: AntiVir Personal
AntiVir Premium
Operating System: Windows 7 / Windows Vista & Ubuntu 9.10 on VMware
Location: France
Saturday, November 7th 2009, 2:30pm
Hello sandybeach,
Please post here the file ID numbers given after uploading them.
Quoted
I am submitting the 3 main HP files identified separately via link provided in top post
Please post here the file ID numbers given after uploading them.
Cordialement - Best regards - Grüße
Aucun support par message privé - No support per PM - Kein Support über PN
Une assistance téléphonique en français est disponible pour Antivir Premium et Avira Premium Security Suite : voici le lien
English Tutorials : HijackThis - Rescue CD - Malwarebytes’
Tutoriels en français : HijackThis - Rescue CD - Malwarebytes’
Aucun support par message privé - No support per PM - Kein Support über PN
Une assistance téléphonique en français est disponible pour Antivir Premium et Avira Premium Security Suite : voici le lienEnglish Tutorials : HijackThis - Rescue CD - Malwarebytes’
Tutoriels en français : HijackThis - Rescue CD - Malwarebytes’
Date of registration:
Nov 7th 2009
Version: AntiVir Personal
Sunday, November 8th 2009, 8:29am
Hi, johnnyjohn! OOOPS!!! I Failed To
write them down when doing the submission!! 
I will have them when findings are mailed to my Hotmail
account. They were listed as under investigation. I'm running XP on an HP laptop & I believe those files were native to either HP or OS or both.
(Hp wrote the native printer drivers for my XP Pro as well). Thanks for your response & I'll post back when I get more info.
Have a good one!
I will have them when findings are mailed to my Hotmailaccount. They were listed as under investigation. I'm running XP on an HP laptop & I believe those files were native to either HP or OS or both.
(Hp wrote the native printer drivers for my XP Pro as well). Thanks for your response & I'll post back when I get more info.
Have a good one!
Date of registration:
Nov 7th 2009
Version: AntiVir Personal
Monday, November 9th 2009, 6:51am
Hi Again, johnnyjohn! I Rec'd these Receipt #'s
(auto response) which seem to contain "Unique ID" & "Incident" #'s and URL's (3 of). Do these contain the case #'s you requested?
I haven't had a chance to visit them yet as had to evacuate the house as entire interior being re-painted today. Only got back in an hour or two ago.
1) http://analysis.avira.com/samples/details.php?uniqueid=Szdbw4IDVgmZDYm2ZmFgNqdEhWbmBp2F&incidentid=393608
http://analysis.avira.com/samples/details.php?uniqueid=Szdbw4IDVgmZDYm2ZmFgNqdEhWbmBp2F
2) http://analysis.avira.com/samples/details.php?uniqueid=Szdbw4IDVgmZDYm2ZmFgNqdEhWbmBp2F&incidentid=393610
http://analysis.avira.com/samples/details.php?uniqueid=Szdbw4IDVgmZDYm2ZmFgNqdEhWbmBp2F
3) http://analysis.avira.com/samples/details.php?uniqueid=Szdbw4IDVgmZDYm2ZmFgNqdEhWbmBp2F&incidentid=393611
http://analysis.avira.com/samples/details.php?uniqueid=Szdbw4IDVgmZDYm2ZmFgNqdEhWbmBp2F
I may be a little high from fumes that linger yet.
I'll check those urls later as I still have regular net duties to perform tonight.
Thanks/Merci for staying w/ this newbie in your neighborhood!
I haven't had a chance to visit them yet as had to evacuate the house as entire interior being re-painted today. Only got back in an hour or two ago.
1) http://analysis.avira.com/samples/details.php?uniqueid=Szdbw4IDVgmZDYm2ZmFgNqdEhWbmBp2F&incidentid=393608
http://analysis.avira.com/samples/details.php?uniqueid=Szdbw4IDVgmZDYm2ZmFgNqdEhWbmBp2F
2) http://analysis.avira.com/samples/details.php?uniqueid=Szdbw4IDVgmZDYm2ZmFgNqdEhWbmBp2F&incidentid=393610
http://analysis.avira.com/samples/details.php?uniqueid=Szdbw4IDVgmZDYm2ZmFgNqdEhWbmBp2F
3) http://analysis.avira.com/samples/details.php?uniqueid=Szdbw4IDVgmZDYm2ZmFgNqdEhWbmBp2F&incidentid=393611
http://analysis.avira.com/samples/details.php?uniqueid=Szdbw4IDVgmZDYm2ZmFgNqdEhWbmBp2F
I may be a little high from fumes that linger yet.
I'll check those urls later as I still have regular net duties to perform tonight.Thanks/Merci for staying w/ this newbie in your neighborhood!
Date of registration:
Nov 7th 2009
Version: AntiVir Personal
Tuesday, November 10th 2009, 8:55am
Hello, Nicolae! Thank You For Your Reply!
Yes, I just checked my mail and have received results.
2 were classed as "Clean" & the 3rd was classed as "False Positive".
Question?: What do they consider the difference between these 2 different results?
All 3 were grabbed & quarantined together...why not all 3 as F.P? Just curious (always seek knowledge!).
I'd like to thank all here in forums & in the lab for timely, courteous & helpful responses to clarify the situation.
Very Well Done!!!
2 were classed as "Clean" & the 3rd was classed as "False Positive".
Question?: What do they consider the difference between these 2 different results?
All 3 were grabbed & quarantined together...why not all 3 as F.P? Just curious (always seek knowledge!).
I'd like to thank all here in forums & in the lab for timely, courteous & helpful responses to clarify the situation.
Very Well Done!!!