False Positive dota.exe Troj/Ransom-RT

Hi.

It seems there is a problem with the recently updated Troj/Ransom-RT detection.

When I tried to launch Dota 2 today, Sophos claimed that dota.exe and several other files in the game folder were infected with Troj/Ransom-RT and deleted several files. When I tried to redownload the deleted files via Steam, they got deleted again right away.

Since Steam downloads these files directly from the Steam servers, and the detection files for the virus in question were updated a few hours ago, I assume this is a false positive.

I have added the output from Sophos regarding the files below.

Really annoying, since I am not able to play Dota 2 right now.

20130815 002351    Using detection data version 4.91G (detection engine 3.45.0). This version can detect 5363789 items.
20130815 002351    User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20130815 002351    On-access scan driver settings:
    Filter on read: True
    Filter on write: True
    Filter on rename: True
    Allow boot sector access: False
    Scan all files: False.
20130815 013727    File "C:\Dota2\dota 2 beta\dota.exe" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013727    On-access scanner has denied access to location "C:\Dota2\dota 2 beta\dota.exe" for user ***************
20130815 013734    File "C:\Dota2\dota 2 beta\dota.exe" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{145C4EB1-10CE-49D3-BE53-63E582C576F9}" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{713F7EB8-A3EA-4490-B1FF-DFA6876F288A}" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry key "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry key "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry key "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{145C4EB1-10CE-49D3-BE53-63E582C576F9}" has been cleaned up.
20130815 013734    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{713F7EB8-A3EA-4490-B1FF-DFA6876F288A}" has been cleaned up.
20130815 013735    File "C:\Dota2\dota 2 beta\dota.exe" has been cleaned up.
20130815 013735    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start" has been cleaned up.
20130815 013735    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall" has been cleaned up.
20130815 013735    Registry key "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts" has been cleaned up.
20130815 013735    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall" has been cleaned up.
20130815 013735    Registry key "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts" has been cleaned up.
20130815 013735    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall" has been cleaned up.
20130815 013735    Registry key "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts" has been cleaned up.
20130815 013735    Virus/spyware 'Troj/Ransom-RT' has been removed.
20130815 020122    File "C:\Dota2\dota 2 beta\bin\SHADERAPIEMPTY.DLL" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020122    On-access scanner has denied access to location "C:\Dota2\dota 2 beta\bin\SHADERAPIEMPTY.DLL" for user ***********
20130815 020123    File "C:\Dota2\dota 2 beta\bin\VAUDIO_MILES.DLL" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020123    On-access scanner has denied access to location "C:\Dota2\dota 2 beta\bin\VAUDIO_MILES.DLL" for user ************
20130815 020129    File "C:\Dota2\dota 2 beta\bin\SHADERAPIEMPTY.DLL" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020131    File "C:\Dota2\dota 2 beta\bin\VAUDIO_MILES.DLL" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020132    File "C:\Dota2\dota 2 beta\bin\SHADERAPIEMPTY.DLL" has been cleaned up.
20130815 020134    File "C:\Dota2\dota 2 beta\bin\VAUDIO_MILES.DLL" has been cleaned up.
20130815 020134    Virus/spyware 'Troj/Ransom-RT' has been removed.
20130815 020149    File "D:\Steam\steamapps\downloading\570\bin\shaderapiempty.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020149    File "D:\Steam\steamapps\downloading\570\bin\vaudio_miles.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020150    File "D:\Steam\steamapps\downloading\570\dota.exe" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020156    File "D:\Steam\steamapps\downloading\570\bin\shaderapiempty.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020158    File "D:\Steam\steamapps\downloading\570\bin\vaudio_miles.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020200    File "D:\Steam\steamapps\downloading\570\dota.exe" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020201    File "D:\Steam\steamapps\downloading\570\bin\shaderapiempty.dll" has been cleaned up.
20130815 020203    File "D:\Steam\steamapps\downloading\570\bin\vaudio_miles.dll" has been cleaned up.
20130815 020204    File "D:\Steam\steamapps\downloading\570\dota.exe" has been cleaned up.
20130815 020204    Virus/spyware 'Troj/Ransom-RT' has been removed.

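The log above shows the pattern worth checking before redownloading a third time: the same three files are flagged in the installed game folder and again in steamapps\downloading, which is what a signature false positive on vendor-distributed files looks like. Below is an added triage script (my own, not Sophos or Valve tooling) that parses lines in the English Sophos on-access log format quoted in this thread, groups what was flagged per threat name, and reports file names detected in more than one directory. The sample log inside it is constructed from a subset of the thread's lines, with the masked user name replaced by a made-up EXAMPLE\user; the message patterns are derived from those lines only and any other line is ignored rather than guessed at.

```python
"""Triage helper for Sophos on-access log lines (added example, not Sophos or Valve code).

Parses the English log format quoted in this thread, groups what was flagged per
threat name, and reports file names detected in more than one directory, which is
the "redownload it and it gets deleted again" pattern the post describes.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

_TS = r"(?P<date>\d{8}) (?P<time>\d{6})\s+"
# Message shapes taken from the log lines in this thread; anything else is skipped.
PATTERNS = {
    "ident": re.compile(_TS + r"Using detection data version (?P<ident>\S+) \(detection engine [^)]+\)\. This version can detect \d+ items\."),
    "detected": re.compile(_TS + r'(?P<kind>File|Registry entry|Registry key) "(?P<target>[^"]+)" belongs to virus/spyware \'(?P<threat>[^\']+)\'\.'),
    "denied": re.compile(_TS + r'On-access scanner has denied access to location "(?P<target>[^"]+)" for user .+'),
    "cleaned": re.compile(_TS + r'(?P<kind>File|Registry entry|Registry key) "(?P<target>[^"]+)" has been cleaned up\.'),
    "removed": re.compile(_TS + r"Virus/spyware '(?P<threat>[^']+)' has been removed\."),
}

# Constructed sample: a subset of the thread's log, masked user replaced by the made-up EXAMPLE\user.
SAMPLE_LOG = r"""
20130815 002351    Using detection data version 4.91G (detection engine 3.45.0). This version can detect 5363789 items.
20130815 013727    File "C:\Dota2\dota 2 beta\dota.exe" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013727    On-access scanner has denied access to location "C:\Dota2\dota 2 beta\dota.exe" for user EXAMPLE\user
20130815 013734    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013735    File "C:\Dota2\dota 2 beta\dota.exe" has been cleaned up.
20130815 013735    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start" has been cleaned up.
20130815 013735    Virus/spyware 'Troj/Ransom-RT' has been removed.
20130815 020122    File "C:\Dota2\dota 2 beta\bin\SHADERAPIEMPTY.DLL" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020149    File "D:\Steam\steamapps\downloading\570\bin\shaderapiempty.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020150    File "D:\Steam\steamapps\downloading\570\dota.exe" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020204    File "D:\Steam\steamapps\downloading\570\dota.exe" has been cleaned up.
20130815 020204    Virus/spyware 'Troj/Ransom-RT' has been removed.
"""


@dataclass
class Event:
    timestamp: str            # "YYYYMMDD HHMMSS" as logged
    action: str               # ident | detected | denied | cleaned | removed
    kind: Optional[str]       # File / Registry entry / Registry key, when the line says
    target: Optional[str]     # path, registry location, or detection data version
    threat: Optional[str]     # threat name, when the line names one


def parse_log(text: str) -> List[Event]:
    """Turn log text into Event records; lines matching no known shape are dropped."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        for action, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                g = m.groupdict()
                events.append(Event(f"{g['date']} {g['time']}", action, g.get("kind"),
                                    g.get("target") or g.get("ident"), g.get("threat")))
                break
    return events


def summarize(events: List[Event]) -> Dict[str, dict]:
    """Per threat name: flagged files, flagged registry locations, and which of those were cleaned."""
    out: Dict[str, dict] = defaultdict(lambda: {"files": set(), "registry": set(), "cleaned": set()})
    for ev in events:
        if ev.action == "detected":
            out[ev.threat]["files" if ev.kind == "File" else "registry"].add(ev.target)
    cleaned = {ev.target for ev in events if ev.action == "cleaned"}  # clean-up lines do not name the threat
    for s in out.values():
        s["cleaned"] = (s["files"] | s["registry"]) & cleaned
    return dict(out)


def repeated_basenames(events: List[Event]) -> Dict[str, List[str]]:
    """File names flagged in more than one directory (case-insensitive, Windows path rules).

    A file the vendor re-delivers from its own servers being flagged again on arrival
    is strong evidence of a signature problem (or a compromised distribution channel);
    either way the next step is a hash submitted to the AV vendor, not another redownload.
    """
    dirs: Dict[str, set] = defaultdict(set)
    for ev in events:
        if ev.action == "detected" and ev.kind == "File":
            dirs[ntpath.basename(ev.target).lower()].add(ntpath.dirname(ev.target).lower())
    return {name: sorted(d) for name, d in dirs.items() if len(d) > 1}


def detection_data_versions(events: List[Event]) -> List[str]:
    """Detection data versions in effect, to quote in a false-positive report."""
    return [ev.target for ev in events if ev.action == "ident"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("detection data:", detection_data_versions(evs))
    for threat, s in summarize(evs).items():
        print(f"{threat}: {len(s['files'])} files, {len(s['registry'])} registry locations, {len(s['cleaned'])} cleaned")
    for name, dirs in repeated_basenames(evs).items():
        print(f"{name} flagged in {len(dirs)} directories: {dirs}")
```

Run it against the full log (the English one from the reply works as-is) to get the list of file names to hash and send to the vendor's false-positive process together with the detection data version. One caveat visible in the log itself: the clean-up also rewrote registry locations under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy, including the EnableFirewall values, so once the signature is corrected the Windows Firewall profile settings are worth re-checking, not just the game files.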

  • I also received the same false positive. It happened sometime during yesterday afternoon (EST). It was playing fine in the AM, then it was a virus when I came back in the evening.

    Here is a post from the Steam forums where others are having the same issue.

    http://steamcommunity.com/app/570/discussions/0/864976115037054545/#p1

    ****************** Sophos Anti-Virus Log - 8/15/2013 5:59:14 PM **************

    ...
    20130815 023453 Using detection data version 4.91G (detection engine 3.45.0). This version can detect 5363789 items.
    20130815 023454 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
    20130815 031136 File "D:\SteamLibrary\steamapps\downloading\570\bin\shaderapiempty.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
    20130815 031140 File "D:\SteamLibrary\steamapps\downloading\570\dota.exe" belongs to virus/spyware 'Troj/Ransom-RT'.
    20130815 031142 File "D:\SteamLibrary\steamapps\downloading\570\bin\vaudio_miles.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
    20130815 031143 File "D:\SteamLibrary\SteamApps\downloading\570\bin\vaudio_miles.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
    20130815 031143 On-access scanner has denied access to location "D:\SteamLibrary\SteamApps\downloading\570\bin\vaudio_miles.dll" for user NT AUTHORITY\SYSTEM
    20130815 031144 File "D:\SteamLibrary\steamapps\downloading\570\bin\shaderapiempty.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
    20130815 031144 File "D:\SteamLibrary\SteamApps\downloading\570\bin\shaderapiempty.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
    20130815 031144 On-access scanner has denied access to location "D:\SteamLibrary\SteamApps\downloading\570\bin\shaderapiempty.dll" for user NT AUTHORITY\SYSTEM
    20130815 031146 File "D:\SteamLibrary\steamapps\downloading\570\dota.exe" belongs to virus/spyware 'Troj/Ransom-RT'.
    20130815 031148 File "D:\SteamLibrary\steamapps\downloading\570\bin\shaderapiempty.dll" has been cleaned up.
    20130815 031150 File "D:\SteamLibrary\steamapps\downloading\570\dota.exe" has been cleaned up.
    20130815 031150 Virus/spyware 'Troj/Ransom-RT' has been removed.
    20130815 031152 File "D:\SteamLibrary\SteamApps\downloading\570\bin\vaudio_miles.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
    20130815 031154 File "D:\SteamLibrary\SteamApps\downloading\570\bin\vaudio_miles.dll" has been cleaned up.
    20130815 031154 Virus/spyware 'Troj/Ransom-RT' has been removed.
    20130815 034110 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
    20130815 034123 Using detection data version 4.91G (detection engine 3.45.0). This version can detect 5363792 items.
    20130815 034124 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
    ...
    (20 items)
