
Thread: Win32.Trojan.Spy.Ardamax.e (False Positive?)

  1. #1
    steelersfaninma Guest

    Win32.Trojan.Spy.Ardamax.e (False Positive?)

    ZAP 7.0.337
    Anti-spyware engine version 5.0.187.0, DAT file version 01.200711.2795

    Win32.Trojan.Spy.Ardamax.e

    Risk: Medium

    Detail
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\FlashPlayer Plugin
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer

    This popped up in my weekly scan today. The file, C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe, was created on August 12, 2007. Since it hasn't been picked up in my weekly scans before and appears to be a legit file, can I assume that this is a false positive? Thank you for any and all replies!

    Operating System:Windows XP Home Edition
    Software Version:7.0
    Product Name:ZoneAlarm Anti-Spyware

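A triage script for the question raised above, added here as an example and not taken from the thread or from ZoneAlarm: it hashes the flagged Flash files, checks the Authenticode signature of the executable (a valid signature chaining to Adobe is strong evidence of a false positive), and reads the uninstall/plugin registry keys the scanner listed so their publisher and path values can be compared with a known-good Flash install. It assumes PowerShell 3 or later for Get-FileHash and a 32-bit view of HKLM\SOFTWARE, as on the Windows XP systems in the thread.

```powershell
# Added example: collect the evidence needed to judge the Ardamax.e hit.
# File paths and registry keys are the ones quoted in the thread.
$files = @(
    "$env:SystemRoot\system32\Macromed\Flash\uninstall_plugin.exe",
    "$env:SystemRoot\system32\Macromed\Flash\flashplayer.xpt",
    "$env:SystemRoot\system32\Macromed\Flash\install.log"
)
# Keys are given relative to HKLM in .NET form (see note on '/' below).
$keys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin',
    'SOFTWARE\Macromedia\FlashPlayer Plugin',
    'SOFTWARE\MozillaPlugins',
    'SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer'
)

foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) { "MISSING  $f"; continue }
    $item = Get-Item -LiteralPath $f
    $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
    # The hash can be submitted to a multi-engine scanner, as one poster did.
    $line = "{0}  created={1:yyyy-MM-dd}  sha256={2}" -f $f, $item.CreationTime, $hash
    if ($f -like '*.exe') {
        # Status 'Valid' plus an Adobe subject means the binary is untampered vendor code.
        $sig = Get-AuthenticodeSignature -LiteralPath $f
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        $line += "  sig={0}  signer={1}" -f $sig.Status, $signer
    }
    $line
}

# .NET OpenSubKey treats only '\' as a separator, so the '/' inside the
# MozillaPlugins key name is read literally; the HKLM: drive provider would split on it.
$hklm = [Microsoft.Win32.Registry]::LocalMachine
foreach ($k in $keys) {
    $sub = $hklm.OpenSubKey($k)
    if ($null -eq $sub) { "KEY MISSING  HKLM\$k"; continue }
    "KEY  HKLM\$k"
    # Uninstall entries carry publisher/version; plugin entries carry the DLL path.
    foreach ($n in 'DisplayName', 'Publisher', 'DisplayVersion', 'UninstallString', 'Path') {
        $v = $sub.GetValue($n)
        if ($null -ne $v) { "    {0} = {1}" -f $n, $v }
    }
    $sub.Close()
}
```

Rather than deleting the files outright, quarantine keeps them available for this kind of verification; an unsigned executable at that path, or a plugin Path value pointing outside the Macromed\Flash directory, would be the findings that argue against a false positive.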
  2. #2
    jdkat Guest

    Re: Win32.Trojan.Spy.Ardamax.e (False Positive?)

    This also came up for me today on my weekly scan. I quarantined and deleted the files although they did seem or sound legit. I'd like to know as well, if this was a false positive.
    The one thing I did notice prior to the scan, though, is that the speed test I normally run, which uses these files to work, was showing me and my connection as being all the way across the country from where I actually am. That was today, when I ran a speed test before the scan found those files as a trojan.

    I can't run the speed test now that I have deleted the files (to check if it still shows me in the wrong area), and I am also afraid to reinstall the Flash player until I know more about this. It was very odd that the speed test I always run showed my connection coming from somewhere on the East Coast when I actually live on the West; it has never done that until today, just previous to ZA Pro detecting the Flash player plug-in as a trojan.

    I'd be very relieved to find out more about this one way or another if anyone else has had the same happen or has more info on whether or not it was a false positive and if the speed test could have just been a coincidental blurp.

  3. #3
    battagli Guest

    Re: Win32.Trojan.Spy.Ardamax.e (False Positive?)

    I've had the same issue for the past two days (with the exception that my file is dated September 13, 2007). I've run the indicated file, the installer download, and every other Flash file that I could locate through the VirusTotal.com scanner - all turn out negative. I believe this to be a false positive; however, as others seem to have already notified ZA of this issue, I am awaiting their response before I take any action.

  4. #4
    slothrop Guest

    Re: Win32.Trojan.Spy.Ardamax.e (False Positive?)

    I have the exact same problem too. NOD32 turned up with nothing. Anyone heard if it's a false positive?

  5. #5
    Join Date
    Apr 2004
    Location
    East Coast of Florida - Lightening/Shark Bite Capital of the World
    Posts
    2,477

    Re: Win32.Trojan.Spy.Ardamax.e (False Positive?)

    Hi, Welcome to the Forum! Have you reported this yet? If not, PLEASE do so as soon as possible, THANKS. Please report it here:

    http://www.zonealarm.com/store/conte...are_report.jsp

    PLEASE keep me posted if you hear anything from your report, THANKS.

    SlyFox
    "Politeness costs nothing and gains everything".

  6. Re: Win32.Trojan.Spy.Ardamax.e (False Positive?)

    I know this thread looks somewhat out of date (it is now February 2008, the thread started November 2007), but I had the same flag come up today.

    On my system:
    ZASS 7.0.462.000
    Anti-spyware engine version 5.0.189.0, DAT file version 01.200802.3275
    Operating System: Windows XP Home Edition

    Ardamax popped up today. ZA presents it as just that, "Ardamax Keylogger", and not as Win32.Trojan.Spy.Ardamax.e as you all described here.

    But here is the weird thing: it flagged some Flash Player files as malicious:
    %Windows\system32\Macromed\Flash\uninstall_plugin.exe
    %Windows\system32\Macromed\Flash\flashplayer.xpt
    %Windows\system32\Macromed\Flash\install.log

    ...but these look like genuine Flash Player files. I looked, for example, through the install.log, and that looks like a genuine Adobe installation log. Although this installation log shows that the Flash Player was installed on Date=06/05/2007 (Sunday) Time=13:07:06, Spybot S&D did not flag it. After checking and getting more detail on Ardamax, I looked up the details on the Symantec Threat Explorer (http://www.symantec.com/security_res...99&tabid=2). Here Win32.Trojan.Spy.Ardamax.e could not be found, but Ardamax was found as a part of Spyware.Ardakey. All the registry entries and program components (files and dirs) listed there I cannot find anywhere on my system.

    I quarantined the files immediately, of course, but can somebody help me out here? Is this a false positive, or are these Adobe Flash Player files really Ardamax files?

    So in short, is this a false positive or not?

    Thanks in advance people!

    Braab
