Forum Thread: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan


This thread was submitted in the following forum:
Open Discussions

This thread has been marked as resolved.
joe schmoe Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Member 6th Aug, 2010 21:31
Ranking: 32
Posts: 130
User Since: 26th Nov, 2008
System Score: N/A
Location: US
Last edited on 6th Aug, 2010 21:35

Running XP Home SP3, MalwareBytes, SuperAntiSpyware, SpywareBlaster.

On 7/06/2010 I downloaded the above uninstall file from Panda antivirus website to uninstall Panda Internet Security 2010 on another machine offline since that program on that machine was expired. Uninstall was successful near as I could tell.

I never ran this file on this machine.

On 8/3/2010 I ran MalwareBytes and it reported this file as malicious. SuperAntiSpyware reported this file as malicious on 8/4/2010.

MalwareBytes quarantined this file as "Trojan.Dropper".

SuperAntiSpyware quarantined a system restore file in system restore as "Trojan.Agent /Gen.Nullo[Short]". I am assuming the restore point was created when the first file was quarantined.

I do not believe Panda is aware of a problem with this file, and I have posted twice in their technical support forum. First post was 8/4/2010. I do not think this is a false positive as two different programs have identified this as a threat.

My resident antivirus never saw this file as a threat.

What is troubling is that there has been no response from Panda after I posted. Seems like their forum is dead in the water as there are very few recent posts. Most of them seem to be at least three months old, or older.

Any thoughts?

If this is really a trojan, what about the other machine? At the moment that machine is offline, and has been for about two weeks. What should I look for as far as malware behavior and/or infection if and when I put it back online? At last use, it appeared to be clean, but did have some issues with some programs opening and closing slowly and/or freezing for a couple of minutes.

The other machine is running Avast! Home Edition Free v. 5.0.594, same above antispyware programs, XP Professional SP3.







--
XP Pro SP3 P4 3.2 HT 2 GB RAM Avast! 9.0.2007 AIS
Win 7 Home Pro SP1 Pentium D 2.8 2 GB RAM Avast 9.0.2007 AIS
Secunia PSI 2.0.0.3003 XP Pro 32-bit & Win 7 H Pro 64-bit

Post "RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan" has been selected as an answer.
Anthony Wells RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Expert Contributor 6th Aug, 2010 22:02
Score: 2384
Posts: 3,280
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 6th Aug, 2010 22:09
@Joe Schmoe ,

SAS and MBAM are strong indicators , but the nature of the tool could provoke a behaviour based type reaction ; much depends on the source of the download :eg: was it from the Panda website ?? Is it signed , etc ??

IF Panda are not responding , I would load the files to Jotti and virus total ;-

http://virusscan.jotti.org/en-gb

http://www.virustotal.com/

Send a possible FP report to SAS :-

http://forums.superantispyware.com/index.php?/topi...

and the same for MBAM (can't just find link for now :((

Panda are responsible for the FP (if that is what it is) but it is the MBAM and SAS rules that are consequent .

Then see what comes back to you .

Let us know your progress .

Anthony

EDIT : MBAM link :-

http://forums.malwarebytes.org/index.php?s=14fddab...


--


It always seems impossible until it's done.
Nelson Mandela
joe schmoe RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Member 6th Aug, 2010 23:29
Per your suggestions, I restored the quarantined file from MBAM. Since I had wiped the folder from the drive it was on, I created a new one in the exact same location.

File is good for digital signatures, etc. VirusTotal shows 0/42 for infection, and am currently waiting for SAS to finish a complete scan with latest definitions as of today. If SAS finds this file again, I have the option to submit as a false positive before quarantining.

Interesting note: unable to log in except via PSI program to enter and post on forums. I am using correct name and password.

SAS reports system clean with file restored to original location.

MBAM reports a file as dirty with latest definitions. (Full Scan)

Still waiting. Will update as scan is completed. As of the moment, file unknown.

MBAM scan complete 31 minutes later. Says "Worm.Koobface" in path C:\Program Files\Last.fm\killer.exe.

As of the moment, system shows no adverse impact. Going to quarantine file. Have not run last.fm last few days.

Signing off to allow MBAM to execute quarantine.

joe schmoe RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Member 7th Aug, 2010 00:34
Erased the folder for panda uninstaller. Everything seems clean but...

Anthony Wells RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Expert Contributor 7th Aug, 2010 12:00
Last edited on 7th Aug, 2010 16:47
Hi joe schmoe ,

Well that complicates rather than clears things .

1)You need to keep rescanning with MBAM until it comes up clean .

2)If MBAM's found a real dropper previously and has now found Koobface*** then that says to me that something else may be lurking and popping up things ; finding something in System Restore could also be implicated .

If it were me and so knowing my limitations , I would go talk to the security gurus and ask them to hold my hand and read logs for me from say HiJackThis (now from TrendMicro) and GMER's anti-rootkit scanner . DO NOT DOWNLOAD OR USE THESE PROGRAMMES UNTIL ASKED TO SO DO OR THAT ADDS FURTHER COMPLICATIONS .

To purge my paranoia , I would want a second opinion and so present my problem as is with MBAM running clean (record/log all scan results) to "bleepingcomputer" or a similar site if you know of one (I don't know how good the MBAM forum is) :-

http://www.bleepingcomputer.com/

You might want to isolate your second computer and run your anti-malware ; 50/50 as to whether you go on the net to update the signatures . Again , if nothing is pressing , I would wait for expert advice . I would also resist using passwords and accessing confidential data anywhere on my PC , for now .

Please ask if anything is not clear and keep us up to date with your progress .

Take care :)

Anthony

PS : here's WIKI on Koobface , please read it :-

http://en.wikipedia.org/wiki/Koobface

EDIT : here's a link to the MBAM forum which offers a solution ; note the original poster's reference to Spy Hunter which is a commercial product with a very questionable reputation , so caveat emptor !! :-

http://forums.malwarebytes.org/index.php?showtopic...


joe schmoe RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Member 10th Aug, 2010 17:11
Turns out the Koobface.Trojan has been on my system since 3/19/2010. It is named "killer.exe" and is a Lastfm Process Killer. Bear in mind that only MBAM sees this file as malicious.

I restored my system from a backup, so anything that happened during the month of July and August has been removed.

MBAM found this file on the backup too.

Thank you for your help. Not experiencing problems at this time.

Anthony Wells RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Expert Contributor 10th Aug, 2010 19:28


Hi Joe ,

Thanks for your update .

Here's the data on "killer.exe" from process list :-

http://www.processlist.com/info/killer-4.html

and you've probably seen the Last.fm forum :-

http://www.last.fm/forum/34905/_/640095

All things point back to an FP , but with KoobFace rather be 100% sure and for me that would need MBAM to confirm it as a definite FP .

Reinstalling from 2 months ago was most wise :))

Let us know if you get any more news .

Take care

Anthony

joe schmoe RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Member 11th Aug, 2010 17:05
Last edited on 11th Aug, 2010 17:06
Will keep the file quarantined just to be safe. No adverse impact on Lastfm.

Thanks.

BTW, reinstalling only took nine minutes, so no problem there.

Anthony Wells RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Expert Contributor 11th Aug, 2010 19:53

Sounds cool Joe :)

If you need to get at the MBAM log and quarantine files , they are hidden files in this path ;

C:\Documents and Settings\User\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\...

Take care

Anthony


joe schmoe RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Member 12th Aug, 2010 16:52
Thanks, Anthony for the info. :-)

This way I can access the file and submit it to MalwareBytes?





Anthony Wells RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Expert Contributor 12th Aug, 2010 18:55

This thread on the MBAM Forum FP site seems to indicate that they have it in hand ; but there may be more than one Killer.exe file that needs to be looked at - some confusion at least :-

http://forums.malwarebytes.org/index.php?s=783c232...

You might want to follow the site tru' 'till it's sorted ; they might need to look at your files ??

Definitely looking FP now , but be sure and Joe cool :)))

Anthony



joe schmoe RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Member 13th Aug, 2010 23:44
Just so you know, I just got an email from Panda Security Forums re UNINSTALLER.EXE.

Visiting the site via email link and via Google produced the message below:


General Error
SQL ERROR [ mysqli ]

Table './panda_support_2/phpbb_sessions' is marked as crashed and should be repaired [145]

An sql error occurred while fetching this page. Please contact an administrator if this problem persists.

Please notify the board administrator or webmaster: forumregister@pandasecurity.com


Interesting?

Looks like their site went down for now.

Thanks for all the help and info. :-))


Anthony Wells RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Expert Contributor 14th Aug, 2010 13:04

Hi Joe ,

Well if KoobFace is put to bed , then let us know when/if Panda gets sorted ; that should complete the circle (or circus maybe :)))

Anthony


joe schmoe RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Member 14th Aug, 2010 18:48
Just went to the process list site and tried to post a comment about the Koobface virus there.

Unable to post upon submitting. Site says "no comments" are posted. I can see why if all one gets is a blank page upon submit.

I have been looking through the Secunia website and see you are very active there.

I know this may now seem off-topic, but it really isn't, since this thread started with Panda UNINSTALLER.EXE. Just checked their forum for the update posted, and the site is still down.

Doesn't Panda know, or care?

joe schmoe RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Member 16th Aug, 2010 21:33
Last edited on 16th Aug, 2010 21:40
on 13th Aug, 2010 23:44, joe schmoe wrote:
Just so you know, I just got an email from Panda Security Forums re UNINSTALLER.EXE.

Visiting the site via email link and via Google produced the message below:


General Error
SQL ERROR [ mysqli ]

Table './panda_support_2/phpbb_sessions' is marked as crashed and should be repaired [145]

An sql error occurred while fetching this page. Please contact an administrator if this problem persists.

Please notify the board administrator or webmaster: forumregister@pandasecurity.com


Interesting?

Looks like their site went down for now.

Thanks for all the help and info. :-))

I was able to get to this thread today at Panda forums and found that the response from jtorre was to offer a fresh download of this file and an assertion that this file is 100% virus free.

Dunno what is going on as Panda seems to be missing the point of opening a thread over there re this issue.

Whether this is deliberate or not I do not know.

Anthony Wells RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Expert Contributor 16th Aug, 2010 21:44

It's a dark area , Joe , Panda should provide software that is correctly detectable but MBAM's rules also need to be updated .

So if Panda can give you guaranteed clean software , then I would load it and see if MBAM picks it up again .

IF no , cool .

IF there is a detection then it is up to MBAM (via you ) either directly (preferable) or via Panda (or both) to update their detection rules - it's their responsibility to at least talk to each other and not leave FP's hanging , but you need to do the banging of heads .

Anthony

joe schmoe RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Member 16th Aug, 2010 21:59
on 16th Aug, 2010 21:44, Anthony Wells wrote:
It's a dark area , Joe , Panda should provide software that is correctly detectable but MBAM's rules also need to be updated .

So if Panda can give you guaranteed clean software , then I would load it and see if MBAM picks it up again .

IF no , cool .

IF there is a detection then it is up to MBAM (via you ) either directly (preferable) or via Panda (or both) to update their detection rules - it's their responsibility to at least talk to each other and not leave FP's hanging , but you need to do the banging of heads .

Anthony

I just ran both MBAM and SuperAntispyware and both say my system is clean.

I will download the 'clean' file from Panda, not open or run it, and see what happens.

Both ASP are updated w/ latest definitions, so if anything changed, should be no detection by either one.

Either the defs were updated, or the new file is clean, as Panda asserts, or if detected again, the new file is dirty and/or both defs see no change in this file.


joe schmoe RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Member 16th Aug, 2010 22:29
Downloaded the newest version of the file, (see Panda Forums under Issues w/ exact same title) and scanned w/ both MBAM and SuperAntispyware.

File and system clean.

Unless both program definitions got updated to remove the false positive, the old rules that found the file I had to be dirty would still be there in the definitions, right?

Can we conclude that the file I had was dirty? and that maybe Panda did in fact clean their file w/o stating that it did modify it? maybe because I brought it to their attention?

Just want to know if this was really a FP or not.

I think honesty brings good results. Deception, if it applies here, does not.

Anthony Wells RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Expert Contributor 16th Aug, 2010 22:49
Last edited on 16th Aug, 2010 22:53
1)You don't know what the file was that SAS found in System Restore nor if it was an FP or not , unless it is still in quarantine and you can check its properties against the Panda file .

2)Panda would not clean a file just to fool you and Malwarebytes' would be incensed if they caught it up , like the rest of the industry . It was either a spy riding Panda which you killed or more likely an FP , you will never know .

3)If you query every result when your system is (reportedly) clean , you will end trying to beat off the men with the white coats and straightjacket .

4)Don't worry about FP's they happen , don't waste too much energy there , do worry that your software and your own habits keep you clean . If the SAS file was a positive that would be a concern . It's gone so forget it .

Getting infected is a nightmare , MBAM and SAS are good but nothing like 100% , the rest is up to you .

Bi for now .

Anthony

joe schmoe RE: Panda Antivirus UNINSTALLER_10.EXE marked as a Trojan
Member 16th Aug, 2010 23:01
I'm going to mark this thread as closed, if that's ok with you.

This is one of those things I will never know for sure, as it is possible just opening the old file to examine its properties on my system might result in re-infection, a risk I would rather not take.

In any case, both files have been securely wiped, but I still have the original on a floppy disk, same as before.


This thread has been marked as locked.
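
Added example, not part of the original thread: the open question above (was the first download a false positive, or did the file itself change?) and the suggestion in reply point 1) to check a retained copy against the Panda file both come down to comparing the two copies byte for byte before reading anything into a changed scan verdict. The function names, file names and sample bytes are constructed for illustration; hashing only reads the files and never runs them.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=65536):
    """Hash a file by reading its bytes; nothing is opened for execution."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def interpret(old_path, new_path, old_flagged_then, new_flagged_now):
    """Classify what a changed scan verdict can and cannot tell you.

    old_flagged_then: verdict on the retained copy at the earlier scan
    new_flagged_now:  verdict on the fresh download with current definitions
    Returns (same_bytes, conclusion).
    """
    same = sha256_of(old_path) == sha256_of(new_path)
    if not old_flagged_then:
        return same, "no earlier detection to explain"
    if same and not new_flagged_now:
        return same, "definitions changed: identical bytes, detection withdrawn"
    if same:
        return same, "detection persists on identical bytes: report to the scanner vendor"
    if not new_flagged_now:
        return same, ("inconclusive: different build, rescan the retained "
                      "copy with current definitions")
    return same, "both builds detected: report both to the scanner vendor"


def demo():
    """Run the two outcomes on constructed stand-in files (not real samples)."""
    with tempfile.TemporaryDirectory() as tmp:
        old = Path(tmp, "uninstaller_old.bin")            # hypothetical names
        same_build = Path(tmp, "uninstaller_new_same.bin")
        rebuilt = Path(tmp, "uninstaller_new_rebuilt.bin")
        old.write_bytes(b"MZ constructed sample build A")
        same_build.write_bytes(b"MZ constructed sample build A")
        rebuilt.write_bytes(b"MZ constructed sample build B")
        return (
            interpret(old, same_build, True, False),
            interpret(old, rebuilt, True, False),
        )


if __name__ == "__main__":
    for same, conclusion in demo():
        print(f"same bytes: {same} -> {conclusion}")
```

Only the first outcome supports "the definitions were corrected"; when the hashes differ, a clean result on the fresh download says nothing about the retained copy until that copy is rescanned with the same definitions.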

