[clamav-users] Are Win.Trojan.Shopperz and Win.Trojan.Uztuby-3 false positives?
Jean-D. Ackle
jdalinux at yahoo.com.br
Wed Feb 17 19:00:20 UTC 2016
Sorry about the misdirection on my greeting. It should have been:
"Thank you for the answer, AL!"
That's what happens when I'm writing a single message on two different
computers and alternating between mail program and mail webpage...
At 18:24 on 17-02-2016, JD Ackle wrote:
> Thank you for the answer, Joel
>
> Although I wouldn't be surprised myself to learn an ISP included Adware in something they provided for free, Shopperz was not the one found on my free copy of Panda Antivirus Pro, it was Uztuby-3 (Shopperz was on dnsapi.dll).
>
> That being said, I had previously downloaded and executed the said Panda installer on my Windows system and indeed I noticed the logo of my ISP on Panda's window. I opted out of receiving third party offers and such when I first signed with this ISP but I guess otherwise that area on Panda's window might be used to show advertisements. And I believe this would classify it as Adware but what is actually reported by ClamAV is a Trojan.
>
> I'm not at all savvy on these matters but wouldn't a Trojan pose a greater risk than the mere display of (possibly unwanted) ads on one program?
>
> I did contact my ISP about this and their response (no verbal communication towards me whatsoever) was to remove the free license I had previously activated from my account management webpage. I can still access it and I redownloaded the file which remains unchanged.
>
> Concerning the Shopperz detection, I got it on a Windows system file ( C:\Windows/System32/dnsapi.dll ) and its full name is: Win.Trojan.Shopperz-381
>
> dnsapi.dll is a Windows system file without which Windows will not connect to the Internet (at least on my WiFi setup).
>
> ClamAV also detected Shopperz-381 on the same file, in a different location (cached?) on the same Windows system: Windows/WinSxS/amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10586.0_none_22114c18cd7ccd17/dnsapi.dll
>
> The first time I ran ClamAV on these files (first scan = detection) was immediately after installing Windows 10 from a DVD burned with an ISO file downloaded from Microsoft's site. After my first login to that Windows system I rebooted to a Linux Live DVD (NO network connection was made until after booting Linux - which I performed in order to install ClamAV and run freshclam).
>
> VirusTotal thinks it's "probably harmless" but Antiy-AVL agrees with ClamAV that it contains a Trojan:
> https://www.virustotal.com/en/file/b51a82ed2d45855ea9018b6269931ca62f3dc430fd513c7e751fc2cb76014bab/analysis/1455724650/
>
> FYI at least since version 8 of Windows, there is this Microsoft Shop application that enables you to download free/bought software - I'm guessing there might be some code in dnsapi.dll facilitating that feature.
> Hope that helps.
>
> On Tuesday, February 16, 2016 10:13 PM, Al Varnell <alvarnell at mac.com> wrote:
>
> Without the exact name of the Shopperz infection, I can’t tell you whether it’s a recent definition or an old one. There are currently 351 such signatures.
>
> The Uztuby-3 was added to the database on 30 Jan 2016 04-36 -0500 in daily:21324, so it’s been there for a couple of weeks.
>
> It would not surprise me to learn that an ISP was providing something for free that included Adware. I’m sure that’s what Shopperz’s are.
>
> -Al-
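The thread turns on two practical steps a ClamAV user takes when a signature looks like a false positive: pull the detection name out of the scan output, and hash the flagged file so it can be looked up on VirusTotal (as JD did) and, once confirmed clean, whitelisted locally. The helper below is an added example written for this page, not code from the ClamAV project or from either poster. It parses the `<path>: <signature> FOUND` lines that clamscan prints, computes the file's MD5, SHA-256 and size, builds the VirusTotal file URL in the same form the thread links to, and formats a ClamAV `.fp` whitelist line (`MD5:FileSize:SignatureName`, ClamAV's documented hash-whitelist format). The `dnsapi.dll` stand-in it writes contains only the constructed bytes `abc`, so the hashes are those of that string, not of any real Windows file.

```python
import hashlib
import os
import re
import tempfile

# clamscan reports each detection on its own line as "<path>: <signature> FOUND";
# clean files print "<path>: OK" and the summary block never ends in FOUND.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_clamscan(output):
    """Return [(path, signature), ...] for every FOUND line in clamscan's text output."""
    hits = []
    for line in output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def hash_file(path):
    """Return (md5_hex, sha256_hex, size_in_bytes) for a file, streaming it in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return md5.hexdigest(), sha256.hexdigest(), size


def virustotal_url(sha256_hex):
    """VirusTotal file page keyed by SHA-256, in the URL form used in the thread."""
    return f"https://www.virustotal.com/en/file/{sha256_hex}/analysis/"


def fp_entry(path, signature):
    """Build a ClamAV .fp whitelist line (MD5:FileSize:SignatureName) for a confirmed false positive.

    Drop the line into a file such as local.fp in the ClamAV database directory
    (the file name is an assumption; any *.fp name works) only after the file has
    been verified clean, e.g. via the VirusTotal lookup above.
    """
    md5_hex, _, size = hash_file(path)
    return f"{md5_hex}:{size}:{signature}"


def demo():
    """Run the pipeline on a constructed stand-in file and constructed clamscan output."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "dnsapi.dll")  # constructed stand-in, not a real DLL
    with open(path, "wb") as f:
        f.write(b"abc")  # constructed contents; hashes below are those of "abc"
    # Constructed clamscan output using the signature name from the thread.
    output = (
        f"{path}: Win.Trojan.Shopperz-381 FOUND\n"
        f"{os.path.join(tmpdir, 'clean.txt')}: OK\n"
        "\n----------- SCAN SUMMARY -----------\n"
        "Infected files: 1\n"
    )
    results = []
    for hit_path, sig in parse_clamscan(output):
        _, sha256_hex, _ = hash_file(hit_path)
        results.append((sig, fp_entry(hit_path, sig), virustotal_url(sha256_hex)))
    return results


if __name__ == "__main__":
    for sig, entry, url in demo():
        print(sig)
        print("  .fp line:", entry)
        print("  check:   ", url)
```

In real use, replace `demo()`'s constructed output with the captured output of `clamscan -r <dir>` and only write the `.fp` line once the lookup and a second opinion (here, VirusTotal plus the vendor's own false-positive report) agree the file is clean; a hash whitelist applies to that exact file version only, so a later update of the same DLL is scanned afresh.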