6 Replies Latest reply on Apr 27, 2011 6:16 PM by Peter M

    Trojan.Vundo-Variant/F

      Hello everyone !

       

      Here's the situation I am in :

       

      McAfee indicates that my PC is clean. Same for Malwarebyte's Anti-Malware. However I installed SUPERAntiSpyware Free Edition and it found a Trojan.Vundo-Variant/F located in C:\WINDOWS\CRYSTAL\U2LESBSE.DLL.

      I am running Windows 7 64 bits Ultimate edition.

       

      I didn't do anything additional ( I didn't remove it ) . Could it be a false positive ?

       

      Any help is appreciated !

       

      Best Regards.

       

      Message was edited by: Leeeeeeelo on 4/27/11 10:42:55 PM GMT+02:00
        • 1. Re: Trojan.Vundo-Variant/F
          Peter M

          Difficult to say but there have been some reports previously on SAS Forums about exactly the same variant.

           

          Here's the answer to one....

           

          Please be sure you're using the latest update from SAS before a scan. Reason being, if the files are indeed false positives, they may have already been addressed in the latest update.

           

          If SAS is fully updated, and the files are still detected, here are a couple of options:

           

          1) You can submit the files to Virus Total, which will check them against numerous antimalware programs.

           

          http://www.virustotal.com/

           

          2) If you still think they're FP's, then when the SAS scan completes, highlight the suspected file(s) and click on "Report False Positive"

          1 of 1 people found this helpful
          • 2. Re: Trojan.Vundo-Variant/F

            Hello Ex_Brit !

             

            Thank you for your prompt reply, I appreciate it !

             

            Well, SAS is running the latest updates, including McAfee, Malwarebyte's and Windows. Still McAfee and Malwarebyte's found nothing (full scan for both), whereas SAS insists about that trojan.

            I am worried about this, because this is a dll file, and if it was not a trojan as SAS claims, and I clean it using SAS anyways, wouldn't it make any troubles since the dll file is located in the Windows folder ?

             

            I located the dll file and tried running a custom scan ( right click ) directly on the file, and the same results showed up.

             

            I followed your advice and just sent the dll file to VirusTotal. It seems like the file has been already uploaded several times, and it was indicated that the file was clean.
            I click on "Reanalyse" and the same result showed up ( no infection ). The weird part is that VirusTotal used the SUPERAntiSpyware engine with version 4.40.0.1006 which indicated that the file is clean. However, the SUPERAntiSpyware I have, happens to be version 4.43.1000, and indicates that the dll file is a trojan.

             

            Any idea ?

             

            Thank you for your help !

            • 3. Re: Trojan.Vundo-Variant/F
              Peter M

              I stopped using SAS a while back because of these false positives and can't remember, does the free version have to facility to report a false positive to SAS directly as suggested in my previous quote?

              • 4. Re: Trojan.Vundo-Variant/F

                I downloaded the newer version of SAS, 4.51.0.1000, and it downloaded all updates. Still, SAS claims that the dll file is a trojan (full scan). It's driving me crazy ! The dll file is dated 23/9/1999, which I believe eliminates the possibility of infection ( else I think the date would be some day within the past few weeks indicating the date of infection / modification of the file )

                 

                Within the free version, one can report a false positive, which I did, as you suggested.

                 

                I am going to uninstall SAS for now as you did.

                 

                Thank you for time and help,

                 

                Best Regards !!

                 

                Leeeeeeelo.

                • 5. Re: Trojan.Vundo-Variant/F
                  ConorD62

                  Malwarebytes > SAS.

                   

                  4 hours to fix a false positive.

                   

                   

                  • 6. Re: Trojan.Vundo-Variant/F
                    Peter M

                    Well SAS has their own forums too: http://forums.superantispyware.com/ if you want to try there.

                     

                    Good luck Leeeeeeelo.