21 Replies Latest reply on Jan 26, 2011 2:40 PM by Ueberwald

    FakeAlert!PCVirusless - Stinger false positive?

    Hayton

      Someone was asking a question about the Stinger in Home and Home Office, so I downloaded it to have a look at the threats it was designed to pick up. (For the record, the current version of Stinger looks for 2112 named malware threats.)


      Then, having got it, I decided to give it a go and ran it on my system. It ran for hours, nothing found, very boring, and then ...


      When I wasn't looking it detected - it said - something called "FakeAlert!PCVirusless" in C:\Windows\System32\atl71.dll - and promptly deleted the file. My fault, it was left on the default setting of "Repair" instead of "Report Only" or "Rename".


      I was extremely surprised by this: I've had no signs of malware infection at all. Even more surprising is what I found when I Googled for this piece of malware, putting its name in quotes: I got back just 3 - three - results, two from the 15th Jan. (one of them in these forums) and one from today. And all seem to be from running the Stinger.


      I cannot find this alleged Trojan anywhere, and it is not in the list of malware that the Stinger is meant to look for.


      The file itself is a required file for Visual Studio and possibly other .NET applications, so I'll look for a way to get a copy from somewhere to download. It shouldn't be too difficult. But this has set me wondering: first, was this a false positive? And has anyone else come across this Stinger behaviour?


      Edit - You can find instructions on how to get a fresh copy of atl71.dll at http://support.microsoft.com/kb/915564


      Message was edited by: Hayton on 20/01/11 13:08:49 GMT
        • 1. Re: FakeAlert!PCVirusless - Stinger false positive?

          I had an identical experience. The atl71.dll file was deleted and now the system will not boot normally! I can only boot into Safe Mode. I tried replacing the file per the instructions in the Editor's note, but that didn't help. Can anyone offer any suggestions?


          Thanks,

          Roger

          • 2. Re: FakeAlert!PCVirusless - Stinger false positive?
            Hayton

            If by 'Editor' you mean me, well, I'm honoured to be promoted. :-)


            All I can say is that I went to the Microsoft page and followed the link there, downloaded a new dll file and put it into Windows\System32, then rebooted my machine (as per the Microsoft instructions), and everything seems fine.


            Perhaps there's something different you need to do if you don't have XP. What's your OS?


            Edit - Have a look at this warning against downloading dll files from anywhere but (in this case) Microsoft. The author also gives his opinion that it may be necessary to uninstall the entire application or set of applications (in this case, all of Microsoft's .NET software) and reinstall it. Not nice.

            The same author also gives some more advice here, and one of the things he says I agree with: use System Restore to undo the Stinger deletion.


            Message was edited by: Hayton on 20/01/11 16:27:46 GMT
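A check that goes with the warning above about downloading DLLs from anywhere but Microsoft. This is an added example, not code from the thread or from McAfee or Microsoft: before copying a replacement atl71.dll into System32, it verifies the file's Authenticode signature and records its hash. The input path is an assumption; adjust it to wherever the downloaded copy sits.

```powershell
# Added example (not from the thread). Verify a replacement atl71.dll before
# it goes into System32. $Path below is an assumption about where the copy was saved.
param(
    [string]$Path = "$env:TEMP\atl71.dll"
)

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path"
}

# Authenticode check. A redistributable DLL obtained from Microsoft is expected to
# carry a valid embedded signature from a Microsoft signer; an unsigned copy or one
# signed by someone else is a reason to go back to the Microsoft download.
$sig = Get-AuthenticodeSignature -FilePath $Path
$subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "(unsigned)" }

"Status : $($sig.Status)"
"Signer : $subject"

$ok = ($sig.Status -eq 'Valid') -and ($subject -match 'Microsoft')
if (-not $ok) {
    Write-Warning "Signature check failed; do not copy this file into System32."
    exit 1
}

# Record the hash so the copy placed in System32 can be compared against it later
# (for instance after another Stinger run). Get-FileHash needs PowerShell 4 or
# newer; older systems such as XP can fall back to certutil.
if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
    "SHA256 : $((Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash)"
} else {
    certutil -hashfile $Path SHA256
}

"Signature OK; copy to $env:SystemRoot\System32 from an elevated prompt, then reboot."
```

A file that passes this check can still be flagged by a path-based signature, so keep the scanner on Report Only while re-testing rather than Repair.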
            • 3. Re: FakeAlert!PCVirusless - Stinger false positive?

              Thanks, Hayton. I am running XP Home Edition. Unfortunately, System Restore isn't an option because I turned it off prior to running Stinger (per McAfee's recommendation) to prevent the system from restoring any infected files automatically. I recovered the deleted file using Recuva and replaced it, but that did not work. Perhaps there is some real malware on the system that is preventing it from booting, now that the dll is gone.

              • 4. Re: FakeAlert!PCVirusless - Stinger false positive?
                Hayton

                Oh dear, a Double Whammy.


                Let's deal with the boot problem first. If the Stinger only deleted that one file, it shouldn't give you problems. If you have Safe Mode with Internet Access, try checking for updates - not just McAfee, but also Microsoft. Download any that are pending, then run a McAfee scan in Safe Mode (not that you have much choice). If you have Malwarebytes installed, run that too, otherwise you can get a free copy from here.


                What you have may not be malware, so much as a corrupted XP installation. If you can get into a DOS window, or Start/Run, type 'sfc' (no quotes) and settle back to wait while all the system files are checked for damage and/or absence. Anything that needs to be replaced will be taken from c:\I386.

                Then download Microsoft's Baseline Security Analyzer and run it to check for security holes in your setup; and if you don't have Microsoft's Fixit Center for XP installed, I recommend you get that too and run a few checks on different parts of Windows - you'll have to experiment, I've mainly used it to fix problems with IE.


                If none of that works I think you might have a bit of a problem. In which case you'll need the wisdom of Ex_Brit, he's an ex-Microsoft expert. I think that means former expert in Microsoft products, I don't think he's ever been to Redmond.

                • 5. Re: FakeAlert!PCVirusless - Stinger false positive?

                  Bad form of MS to point to a 3rd party website for a MS Dll... but stranger things have been done by them previously!


                  I can't replicate this issue using the latest download of Stinger and the MS Dll. I wonder why.

                  • 6. Re: FakeAlert!PCVirusless - Stinger false positive?

                    Thanks for the advice, everyone. The PC is all fixed, thanks to some expert help from a forum member on geekstogo.com. A combination of OTL and Combofix did the trick.


                    Roger

                    • 7. Re: FakeAlert!PCVirusless - Stinger false positive?
                      Hayton

                      I'm glad to see your problem has been fixed. I keep forgetting how useful geekstogo can be; I'm adding it to my Favourites/Experts Forums list.


                      There's still been no word as to why Stinger did this, but from what you said I assume it's been modified so as not to do it again. And I can count myself lucky, I suppose, that I didn't have the same problem you had.

                      • 8. Re: FakeAlert!PCVirusless - Stinger false positive?

                        Seems that the new version posted 2011/01/24 still detects the false positive (Stinger 10.1.0.1346).


                        Message was edited by: Nosvarato on 2011/01/24 12:26:30 PM
                        • 9. Re: FakeAlert!PCVirusless - Stinger false positive?

                          Have now replicated the issue with the latest Stinger build:

                          [Screenshot FP.JPG: Stinger detection of FakeAlert!PCVirusless in atl71.dll]

                          It seems that you must have the file in the SYSTEM32 directory to get the detection - it won't trigger in other directories.
