Solved

A threat has been eliminated


Userlevel 6
Good morning USA;)
Yesterday, when using my laptop, I got a WSA message: "this site is not secure".
Then I saw on the security bookmark: "1 threat has been eliminated".
Is it possible to see what this threat was?

Best answer by Rakanisheu Retired 29 June 2013, 20:18


31 replies

Userlevel 6
Hello Raka
Thanks:D
Userlevel 6
Hello Rakanisheu
I went to my "webconsole" and found this:

I think that this is not malware.
What do you think?
Userlevel 7
I don't see Rakanisheu online this morning, but I might be able to help.
 
It's hard to say just based on the file name.  The file name alone doesn't tell us as much as the MD5 of the file would.  The MD5 is submitted automatically when you contact us via the support system, which is why we suggest using that system in all cases of false positives or infections.
 
That said, I'm leaning more towards it being an infection, based on this.  However, we won't really know for sure until we get a closer look, since file names alone can be misleading.  If you update your support case, we can provide a better answer since we'll have more data to go on.
Userlevel 7
Looking at the file now (MD5: C8BB4B1F3E8B5AB8809B836119209188). What makes you think it's good? (It might be; I am still investigating it.)
Userlevel 7
Update: I have marked that file as good.
 
Thanks!
Userlevel 6
@ wrote:
Update: I have marked that file as good.
 
Thanks!

Hello Rakanisheu
I'm not sure, it was a guess because the file looked like to those of my professional software.
Userlevel 6
@ wrote:
I don't see Rakanisheu online this morning, but I might be able to help.
 
It's hard to say just based on the file name.  The file name alone doesn't tell us as much as the MD5 of the file would.  The MD5 is submitted automatically when you contact us via the support system, which is why we suggest using that system in all cases of false positives or infections.
 
That said, I'm leaning more towards it being an infection, based on this.  However, we won't really know for sure until we get a closer look, since file names alone can be misleading.  If you update your support case, we can provide a better answer since we'll have more data to go on.
Thanks Jim
This thread was on my old laptop and I cannot access to it before Saturday evening or Sunday.
 
Userlevel 7
You won't need to submit logs, I found the file in our database and it's now good. Saves you doing any work 🙂
Userlevel 6
@ wrote:
You won't need to submit logs, I found the file in our database and it's now good. Saves you doing any work :)
Thanks Rakanisheu:D
But I don't understand the link given by Jim:@ :
http://www.prevx.com/filenames/X460799281356301372-X1/HDCTRLEX.DLL.html#nogo
Can you explain it to me?
Userlevel 7
That page is out of date since I just changed the database entry for that file. I assume it will autoupdate soon enough.
Userlevel 6
Thanks Rakanisheu:D
Can you tell me if this file is really a file of my professional program ?
Userlevel 6
Hello Roy;)
I'm sorry to insist but I don't understand what I have to do.
Now I'm at home and I run my laptop, and I see that the suspicious file ("hdctrlex.dll") remains in the quarantine.
I don't know if I can restore it?
I'll send you a PM with the report of detection.
Userlevel 7
Badge +56
Hi Robert you can call him Roy if you like!
 
Daniel
Userlevel 6
@ wrote:
@ wrote:
You won't need to submit logs, I found the file in our database and it's now good. Saves you doing any work :)
Thanks Rakanisheu:D
But I don't understand the link given by Jim:@ :
http://www.prevx.com/filenames/X460799281356301372-X1/HDCTRLEX.DLL.html#nogo
Can you explain it to me?
Another thing that I don't understand is that the page above still reports that the file hdctrlex.dll is a "fraudulent security program".
Userlevel 6
@ wrote:
Hi Robert you can call him Roy if you like!
 
Daniel
Thanks Daniel for the info;)
Userlevel 7
Replied to the PM! The file is good and can be restored. The prevx information is out of date.
Userlevel 6
Hi Roy,
Thanks for your help:D
I have restored the file, even if my laptop continued to work well without it.
Then I launched a scan and the laptop is clean.
Good Sunday!
Robert
Userlevel 6
Hi Roy,
 
I think that WSA-C has blocked another safe file, on my home PC this time:
 
Automated Cleanup Engine Starting Cleanup at 30/06/2013 - 16:05:42 GMT Starting Routine> Removing c:\users\robert\desktop\languagepack_french.exe...#(PX5: - MD5: D2AFB7BBE8DDF4C4BD05537BD1598870)... Deleting File> c:\users\robert\desktop\languagepack_french.exe
 
Is this a false positive?
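Jim's point above that the MD5, not the file name, is what identifies a file, and the Automated Cleanup Engine log line Robert pasted, as an added example that is not part of the original thread and not Webroot's own tooling: a small Python parser that pulls the path, timestamp and MD5 out of a cleanup log line, checks the hash against a local known-good list, and recomputes the MD5 of a file's bytes so you can confirm that a restored file is the very one a researcher whitelisted. The sample log line, the regular expressions and the KNOWN_GOOD set are my own constructions modelled on the thread; the two hashes in that set are the ones quoted in it.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the cleanup log quoted in the thread
# (path backslashes written out; this is not a real log capture).
SAMPLE_LOG = (
    r"Automated Cleanup Engine Starting Cleanup at 30/06/2013 - 16:05:42 GMT "
    r"Starting Routine> Removing c:\users\robert\desktop\languagepack_french.exe"
    r"...#(PX5: - MD5: D2AFB7BBE8DDF4C4BD05537BD1598870)... "
    r"Deleting File> c:\users\robert\desktop\languagepack_french.exe"
)

# Hashes the thread says were marked good by the researcher (constructed list).
KNOWN_GOOD = {
    "C8BB4B1F3E8B5AB8809B836119209188",  # hdctrlex.dll
    "D2AFB7BBE8DDF4C4BD05537BD1598870",  # languagepack_french.exe
}

# Assumed log layout: "Starting Cleanup at <dd/mm/yyyy - hh:mm:ss GMT>" and
# "Removing <path>...#(PX5: <id> - MD5: <32 hex>)". The PX5 field may be empty.
TIMESTAMP_RE = re.compile(
    r"Starting Cleanup at (?P<ts>\d{2}/\d{2}/\d{4} - \d{2}:\d{2}:\d{2} GMT)"
)
REMOVAL_RE = re.compile(
    r"Removing\s+(?P<path>.+?)\.\.\.#\(PX5:\s*(?P<px5>\S*?)\s*-\s*MD5:\s*"
    r"(?P<md5>[0-9A-Fa-f]{32})\)"
)


@dataclass
class CleanupRecord:
    timestamp: Optional[str]  # None if the line carried no "Starting Cleanup at"
    path: str
    md5: str                  # normalised to upper-case hex


def parse_cleanup_log(text: str) -> List[CleanupRecord]:
    """Extract one record per 'Removing ... MD5: ...' entry in the log text."""
    records = []
    for line in text.splitlines():
        ts_match = TIMESTAMP_RE.search(line)
        timestamp = ts_match.group("ts") if ts_match else None
        for m in REMOVAL_RE.finditer(line):
            records.append(
                CleanupRecord(
                    timestamp=timestamp,
                    path=m.group("path").strip(),
                    md5=m.group("md5").upper(),
                )
            )
    return records


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string, upper-case hex (used here as a file identity, not for security)."""
    return hashlib.md5(data).hexdigest().upper()


def is_known_good(record: CleanupRecord, known_good=KNOWN_GOOD) -> bool:
    """Hash lookup against the local allow-list; the file name is deliberately ignored."""
    return record.md5 in known_good


def matches_record(data: bytes, record: CleanupRecord) -> bool:
    """True if the bytes of a restored file hash to the MD5 the cleanup log recorded."""
    return md5_hex(data) == record.md5


if __name__ == "__main__":
    for rec in parse_cleanup_log(SAMPLE_LOG):
        verdict = "whitelisted" if is_known_good(rec) else "not on allow-list"
        print(f"{rec.timestamp} {rec.path} MD5={rec.md5}: {verdict}")
```

After restoring a quarantined file, feed its bytes to `matches_record` with the record parsed from the cleanup log; a mismatch means the file on disk is not the one the researcher looked at, whatever its name says.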
Userlevel 7
Badge +56
Hello Robert, I can't tell for sure, but to me it looks like an FP. I did a search on VT using your MD5 hash D2AFB7BBE8DDF4C4BD05537BD1598870 and only Symantec came up with some kind of detection, so it's best to wait for confirmation from Roy or another Threat Researcher. I wish Webroot was listed on VT; I made a suggestion, and maybe if a few more will Kudo it they will look at it again, as it's on Hold. http://community.webroot.com/t5/Ideas-Exchange/Adding-a-Webroot-SDK-to-VirusTotal/idi-p/7462#.UdBubW2DmJO  :D
 
HTH,
 
Daniel 😉
Userlevel 7
@ wrote:
I wish Webroot was listed on VT as I made a suggestion maybe if a few more will Kudo it they will look at again as it's on Hold.
I agree Daniel. If I could cheat and Triple Kudo it, I would. 😃
Userlevel 6
@ wrote:
Hello Robert, I can't tell for sure, but to me it looks like an FP. I did a search on VT using your MD5 hash D2AFB7BBE8DDF4C4BD05537BD1598870 and only Symantec came up with some kind of detection, so it's best to wait for confirmation from Roy or another Threat Researcher. I wish Webroot was listed on VT; I made a suggestion, and maybe if a few more will Kudo it they will look at it again, as it's on Hold. http://community.webroot.com/t5/Ideas-Exchange/Adding-a-Webroot-SDK-to-VirusTotal/idi-p/7462#.UdBubW2DmJO  :D
 
HTH,
 
Daniel ;)
Hi
Thanks Daniel!
Idea kudoed;)
Now I'm waiting for Roy's answer.
Userlevel 7
Not sure why that file was removed on your PC, it's not bad in our database. I have whitelisted the file in any case; its behaviour is not malicious and its associated files/processes are good. WSA not being on VT doesn't really bother me too much, VT is only a rough guide and should never be taken as gospel.
Userlevel 6
Hello Roy,
Thanks for whitelisting this file.
I don't know if this can help you, but when I downloaded this file with IE9 (Vista Pro) I got the following error message and then WSA-C deleted the file:

I think it might be interesting to try to download the "Spanish pack" and "German pack";)
Userlevel 7
That doesn't look like it was us that removed that! My French is rusty; is that saying that the file was not downloaded to your PC as it may cause damage?
Userlevel 6
No, it says that this file was rarely downloaded and might be unsafe.
The file was deleted by WSA-C after I agreed to download it...
