Author Topic: APISlice.dll - False positive ?  (Read 8068 times)

De Hollander

  • Guest
APISlice.dll - False positive ?
« on: January 04, 2011, 05:47:06 PM »
c:\windows\system32\APISlice.dll


CRC32: 529DB134
MD5: 5AE09979540864BF2AFF6427DB5AEABD
SHA-1: 5EF48F7CCD80A42E173E26F459D3A19B3F22896F



Submitted to virus lab a couple of days ago - Win32:Malware-gen

Today - Win32:PUP-gen


I can't find much info on the www. http://www.google.nl/search?hl=nl&lr=&q=%22APISlice.dll&btnG=Zoeken&aq=f&aqi=g1&aql=&oq=&gs_rfai=


Except one post that I find interesting about Acer eDataSecurity Management and Windows Live\Messenger
http://forums.v3.co.uk/showthread.php?p=1259092


The "False positive" comes from one of our Acer laptops, with Acer eDataSecurity Management disabled.


http://www.virustotal.com/file-scan/report.html?id=fc3b5e2c9e3338e6b722dacf49bdc819a0f3504ffca43882300e2c356fb2b38c-1294158428#

Antivirus results
AhnLab-V3 - 2011.01.04.03 - 2011.01.04 - -
AntiVir - 7.11.1.24 - 2011.01.04 - -
Antiy-AVL - 2.0.3.7 - 2011.01.04 - Trojan/Win32.Agent.gen
Avast - 4.8.1351.0 - 2011.01.04 - -
Avast5 - 5.0.677.0 - 2011.01.04 - Win32:PUP-gen
AVG - 9.0.0.851 - 2011.01.04 - -
BitDefender - 7.2 - 2011.01.04 - -
CAT-QuickHeal - 11.00 - 2011.01.04 - TrojanPSW.Agent.uyr
ClamAV - 0.96.4.0 - 2011.01.04 - -
Command - 5.2.11.5 - 2011.01.04 - -
Comodo - 7292 - 2011.01.04 - -
Emsisoft - 5.1.0.1 - 2011.01.04 - Trojan-PWS.Win32.Agent!IK
eSafe - 7.0.17.0 - 2011.01.02 - -
eTrust-Vet - 36.1.8080 - 2011.01.04 - -
F-Prot - 4.6.2.117 - 2011.01.04 - -
F-Secure - 9.0.16160.0 - 2011.01.04 - -
Fortinet - 4.2.254.0 - 2011.01.03 - -
GData - 21 - 2011.01.04 - -
Ikarus - T3.1.1.90.0 - 2011.01.04 - Trojan-PWS.Win32.Agent
Jiangmin - 13.0.900 - 2011.01.04 - Trojan/PSW.Agent.nbp
K7AntiVirus - 9.75.3435 - 2011.01.04 - -
Kaspersky - 7.0.0.125 - 2011.01.04 - Trojan-PSW.Win32.Agent.uyr
McAfee - 5.400.0.1158 - 2011.01.04 - Artemis!5AE099795408
McAfee-GW-Edition - 2010.1C - 2011.01.04 - Artemis!5AE099795408
Microsoft - 1.6402 - 2011.01.04 - -
NOD32 - 5758 - 2011.01.04 - -
Norman - 6.06.12 - 2011.01.03 - W32/Suspicious_Gen2.FRSGZ
nProtect - 2011-01-04.01 - 2011.01.04 - Trojan-PWS/W32.Agent.73728.Z
Panda - 10.0.2.7 - 2011.01.04 - -
PCTools - 7.0.3.5 - 2011.01.04 - -
Prevx - 3.0 - 2011.01.04 - -
Rising - 22.81.01.03 - 2011.01.04 - Trojan.Win32.Generic.52532D2B
Sophos - 4.60.0 - 2011.01.04 - -
SUPERAntiSpyware - 4.40.0.1006 - 2011.01.04 - -
Symantec - 20101.3.0.103 - 2011.01.04 - -
TheHacker - 6.7.0.1.110 - 2011.01.03 - Trojan/PSW.Agent.uyr
TrendMicro - 9.120.0.1004 - 2011.01.04 - -
TrendMicro-HouseCall - 9.120.0.1004 - 2011.01.04 - -
VBA32 - 3.12.14.2 - 2011.01.04 - TrojanPSW.Agent.uyr
VIPRE - 7951 - 2011.01.04 - Trojan.Win32.Generic!BT
ViRobot - 2011.1.4.4236 - 2011.01.04 - -
VirusBuster - 13.6.127.0 - 2011.01.04 - -
File info:
MD5: 5ae09979540864bf2aff6427db5aeabd
SHA1: 5ef48f7ccd80a42e173e26f459d3a19b3f22896f
SHA256: fc3b5e2c9e3338e6b722dacf49bdc819a0f3504ffca43882300e2c356fb2b38c
File size: 73728 bytes
Scan date: 2011-01-04 16:27:08 (UTC)

Edit: Malwarebytes and SUPERAntiSpyware find nothing
« Last Edit: January 04, 2011, 05:51:44 PM by De Hollander »

Mr.Agent

  • Guest
Re: APISlice.dll - False positive ?
« Reply #2 on: January 04, 2011, 05:54:45 PM »
It's something strange, that file... Because I think the guy who made the thread like yours also had an Acer computer... So what's wrong now?... We need information from avast! for this.

De Hollander

  • Guest
Re: APISlice.dll - False positive ?
« Reply #3 on: January 04, 2011, 07:12:18 PM »
After two years, this file suddenly becomes suspicious  ???

Mr.Agent

  • Guest
Re: APISlice.dll - False positive ?
« Reply #4 on: January 04, 2011, 07:17:05 PM »
Well, I don't know what is wrong, but I think VirusTotal has quite a high detection... I think if someone here could help us to get it clear... ;)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: APISlice.dll - False positive ?
« Reply #5 on: January 04, 2011, 08:02:08 PM »
Avira result

Quote
A listing of files alongside their results can be found below:

File ID     Filename        Size (Byte)    Result
25998031    APISlice.dll    72 KB          FALSE POSITIVE



Please find a detailed report concerning each individual sample below:

Filename        Result
APISlice.dll    FALSE POSITIVE


The file 'APISlice.dll' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection is removed from our virus definition file (VDF) with the version: 7.11.0.153.

De Hollander

  • Guest
« Last Edit: January 04, 2011, 08:27:48 PM by De Hollander »

Offline Pondus

Re: APISlice.dll - False positive ?
« Reply #7 on: January 04, 2011, 08:46:23 PM »
Quote
That looks good, 3 down, now Avast,,,
not correct... yet... as in the first scan, 42 scanners were active, but in the last one only 37
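
Added example (not part of the original thread or any poster's code): a like-for-like comparison of two multi-scanner reports in the "Engine - version - date - result" layout pasted in the opening post, separating engines that cleared the file from engines that simply did not run in the re-scan. The first-scan lines are copied from the thread; the re-scan lines and all function names are constructed for illustration.

```python
# First-scan lines copied from the report pasted in the opening post.
FIRST_SCAN = """\
Avast5 - 5.0.677.0 - 2011.01.04 - Win32:PUP-gen
Kaspersky - 7.0.0.125 - 2011.01.04 - Trojan-PSW.Win32.Agent.uyr
Norman - 6.06.12 - 2011.01.03 - W32/Suspicious_Gen2.FRSGZ
ClamAV - 0.96.4.0 - 2011.01.04 - -
Sophos - 4.60.0 - 2011.01.04 - -
"""

# CONSTRUCTED re-scan (not from the thread): Kaspersky did not run at all.
SECOND_SCAN = """\
Avast5 - 5.0.677.0 - 2011.01.04 - Win32:PUP-gen
Norman - 6.06.12 - 2011.01.04 - -
ClamAV - 0.96.4.0 - 2011.01.04 - -
Sophos - 4.60.0 - 2011.01.04 - -
"""

def parse_report(text):
    """Return {engine: detection name, or None if the engine reported clean}."""
    results = {}
    for line in text.splitlines():
        parts = line.strip().split(" - ", 3)  # engine, version, date, result
        if len(parts) != 4:
            continue  # not a result line (header, blank, file info)
        engine, _version, _date, verdict = (p.strip() for p in parts)
        results[engine] = None if verdict == "-" else verdict
    return results

def detection_count(report):
    """Naive headline number: how many engines flagged the file."""
    return sum(1 for verdict in report.values() if verdict is not None)

def compare_scans(first, second):
    """Classify every engine that flagged the file in the first scan."""
    out = {"cleared": [], "still_flagged": [], "not_rescanned": []}
    for engine, verdict in sorted(first.items()):
        if verdict is None:
            continue
        if engine not in second:
            out["not_rescanned"].append(engine)  # absent, not cleared
        elif second[engine] is None:
            out["cleared"].append(engine)
        else:
            out["still_flagged"].append(engine)
    return out

if __name__ == "__main__":
    first, second = parse_report(FIRST_SCAN), parse_report(SECOND_SCAN)
    print(detection_count(first), "->", detection_count(second))
    print(compare_scans(first, second))
```

With the constructed re-scan the headline count drops from 3 to 1, but only one engine actually cleared the file; the other is listed under `not_rescanned`.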

Mr.Agent

  • Guest
Re: APISlice.dll - False positive ?
« Reply #8 on: January 04, 2011, 08:55:38 PM »
When will they ever put the last 4.8? lol... 1351 is very old; 1356, I think, is the last for 4.8.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: APISlice.dll - False positive ?
« Reply #9 on: January 04, 2011, 09:32:41 PM »
Quote
When will they ever put the last 4.8? lol... 1351 is very old; 1356, I think, is the last for 4.8.

Because it is a special build for virustotal, that's why.

Offline Pondus

Re: APISlice.dll - False positive ?
« Reply #10 on: January 05, 2011, 09:35:58 AM »
Norman analysis

Quote
Hi,
Yes this is a fp. Detection will be removed.

De Hollander

  • Guest
Re: APISlice.dll - False positive ?
« Reply #11 on: January 05, 2011, 11:26:22 AM »
Quote
That looks good, 3 down, now Avast,,,
not correct... yet... as in the first scan, 42 scanners were active, but in the last one only 37


 :-X ;D My mistake.




==============================
Edit: Just came in:



Hello,

Sorry, it was a false detection. It will be fixed in the next update.
Thank you for your help.

Kaspersky Lab.





« Last Edit: January 05, 2011, 01:36:09 PM by De Hollander »