Detection Of Osxpui.dll In Windows\system32 Folder ? False Positive

pcbugfixer

G'Day Folks,

I get the feeling that we are making programming errors in the detection codes in BDIS / BDTS 2009 etc.

I just got one EE.exe cleared and now for no reason BDTS suddenly blocks and deletes the osxpui.dll file in the C:\WINDOWS\system32 folder.

Details of this file are:

File Name : osxpui.dll

File Size : 1314816 byte

File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi

MD5 : 2180517b5a0df473b8feb27539e44b67

SHA1 : 708af5723c2b381d152b422a6843c471399b5d0e

On Google search in one of the sites wilderssecurity.com, pettyracing posted this back in 2007 - see last post had this to say,

"pettyracing

April 14th, 2007, 10:43 PM

Nick:

I deleted the e-mails to eset(nod32) and sas about a day or two after I sent them. I deleted the file in question the day that kaspersky identified it as a hupigon trojan.

I can only recall that I referenced the fact that Kaspersky identified the product as noted above. and attached the file to an e-mail per instructions I found at your site.

If you look at the eset website under updates, you'll find numerous references to hupigon over the last few weeks. Again, maybe you call it something different. I know when I scanned the file before deleting it with sas and nod32 following scanning it with kaspersky's kis6, neither program flagged it. When I did a search on the web for hupigon, it did show up as a trojan.

In the future I will try to save the files.

Update:

I found some notes I made at the time of the problem:

Kaspersky KIS6 identified the infection as:

backdoor.win32.hupigon.dka

It was in the file outxp2 = outlook backup.exe

I found this when googling for a program to try to backup my outlook files. I don't know what site I d/l it from.

Hope this helps.

Ok. I found the file at this link ~Link removed. No links to real or potentially real malware. - Ron~

I downloaded it just now and KIS found the noted trojan above in osxpui.dll"

Sending zip file with usual password for scrutiny by Tech Support

alexcrist

Thank you for reporting it. I got the file and sent it to analysis.

As soon as I get the result I will post here.

Cris.

pcbugfixer

G'Day Folks,

Also getting a popup with Quaranteened message for a file called loaderadv463.exe which I have never heard of and do not know where it comes from, except that it was in My Documents folder.

Have submitted this and the previous file to the Lab and sent zip with pw "infected" to Cris.

alexcrist

First file has been analyzed and deemed to be clean. Detection should be removed in one of the future updates (next few hours).

The second file is still under analysis.

Cris.

EDIT: osxpui.dll is not detected anymore. Thank you for reporting it.