
ANTIVIR warning: Process Explorer = SDBOT "signature"

Discussion in 'Other PC Software' started by keywester, 2005/02/09.

Thread Status:
Not open for further replies.
  1. 2005/02/09
    keywester

    keywester Inactive Thread Starter

    Joined:
    2002/12/20
    Messages:
    257
    Likes Received:
    0
    I have been running Process Explorer for about a year. A few months back I switched my antivirus over to "AntiVir", and after a recent AntiVir update, started getting a warning message at startup on Process Explorer (pasted in below), to which I respond "deny access" each time… So, in the interest of eliminating this message at startup, I am wondering if this is one of those "false positives" that I have heard about that I can ignore, or should I eradicate the culprit? If "eradicate" (or even if not), are there any good (new and better) freeware replacements out there for Process Explorer?

    D:\WINDOWS\SYSTEM32\DRIVERS\PROCEXP.SYS Contains a signature of the (dangerous) backdoor program BDS/Sdbot.ST

    EDIT: I guess that I neglected to note that I did update and run scans with MS's Antispyware, ANTIVIR, and the Ewido Security Suite apps, with no resultant malware detections, but did not think to also run Spybot, Adaware, Swatit, etc..., which I will do post haste and will report accordingly if anything of note arises from that, altho for some reason I sincerely doubt that that will transpire...
     
    Last edited: 2005/02/09
  2. 2005/02/09
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    If you are referring to Process Explorer by Sysinternals, then you actually may have that trojan, because Process Explorer is a standalone application. There are only 3 files that come with Process Explorer:
    1. procexp.exe - the executable
    2. procexp.chm - the help program
    3. readme.txt - text file

    PROCEXP.SYS is no part of Sysinternals Process Explorer.

    I've been using PE for several years, just did a search of my system and the file PROCEXP.SYS does not exist anywhere. However, it *could* be created by Process Explorer IF one elects to use Process Explorer to replace the Windows Task Manager, as from Process Explorer/Options/Replace Task Manager, but I doubt it.
     

  4. 2005/02/10
    keywester

    keywester Inactive Thread Starter

    Joined:
    2002/12/20
    Messages:
    257
    Likes Received:
    0
    thanx tony

    yes, it's the same PE, and also unable to locate any file by that name (altho I am updating the index on Copernic Desktop Search to see if it exists outside the locations where it should be...)

    likely, it is the equiv of a "proc" or something gen'd by the startup executable, or maybe gen'd by actual malware, altho i have updated and run ALL malware scanners and nothing nefarious was indicated as being found...

    so, it's a mystery, and altho i am chalking it up as a false positive for now, i do intend to uninstall PE and reinstall it if unable to discern anything new and better out there in the way of a freeware task manager... :cool:
     
  5. 2005/02/10
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    There is NO uninstall for PE, one just deletes the files. Try renaming that file to PROCEXP.SYS.OLD and if something breaks then you know what to do to fix. If all OK after a day or three, then delete the file.
     
  6. 2005/02/12
    keywester

    keywester Inactive Thread Starter

    Joined:
    2002/12/20
    Messages:
    257
    Likes Received:
    0
    pseudo-resolution, for those that may later locate this in a search...

    first, to clarify what i previously neglected to note: the file identified in the antivir warning message, procexp.sys, was never found to exist in the folder indicated (whether before, during, or after execution of the procexp exe...) or anywhere else, altho i guess that might have something to do with the fact that antivir was flagging this on startup and since i was selecting "disallow access", maybe it never was actually allowing generation of the sys file?

    secondly, i did eradicate the existing PE files and did download and install a newer version, and have since not encountered the warning message....

    conclusion? it would seem that the noted malicious "signature" was there, whether or not it was truly indicative of the presence of an actual trojan, but it would seem that since antivir did not flag this for quite some time, either an "infection", real or not, did occur or an antivir update initiated the warning message whether a false positive or an actual hit... end of story :D
     
  7. 2005/02/13
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Just to be cautious, I must ask if your Folder Options are set to show hidden files and protected operating system files. If not, then a search would not locate that file. And also, if using XP Search, verify that Advanced Search is set up to show hidden & protected files.

    If the above does not apply, then it may be wise to notify the AV maker to alert them of what occurred and even check if there's a posting at their site about it.
     
  8. 2005/02/13
    JoeHobart

    JoeHobart Inactive Alumni

    Joined:
    2004/05/19
    Messages:
    919
    Likes Received:
    1
    As a side note, Process Explorer, Regmon and Filemon use a fancy programmer's trick to embed a .sys file inside the .exe and dynamically extract and load it. You wouldn't see the .sys files until you ran it to get the files extracted, and then it goes away on reboot.

    a similar thing happened to me on a program i wrote, just due to weird chance, it 'matched' a signature for a virus. I just twiddled the bits and recompiled, no more false positive. I'm not aware of any problems like that for procexp, but it's possible.

    It's also possible that you did have something odd on your machine. He used to publish source code for all those apps for people to learn from, but someone wrote a virus based on his code, so that had to stop. (every tool developer's nightmare).

    Since you whacked it, installed the current version and the signature match went away, i agree that it was probably just a false positive.
     
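    An added illustration of the two checks raised in posts 7 and 8, written for this thread and not code from the original posters, from Sysinternals or from the AntiVir maker: a scan that locates PE images (such as a driver) carried inside another file by validating the MZ header's e_lfanew pointer against the "PE\0\0" signature, works out each image's extent from its section table, and hashes it so the hash can be checked against what the AV vendor flagged. The "host executable" and the embedded "driver" below are constructed, non-runnable stand-ins built by `build_fake_pe`; on a real system you would read the .exe from disk instead.

```python
"""Find PE images (e.g. an embedded .sys) inside another file and hash them.

Added example for this thread; not code from Sysinternals or any AV vendor.
The sample host/driver bytes are constructed here so the script runs offline.
"""
import hashlib
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def sha256_hex(blob: bytes) -> str:
    """Hash an extracted image so it can be compared with a vendor's detection."""
    return hashlib.sha256(blob).hexdigest()


def _image_end(data: bytes, mz_off: int, pe_off: int) -> int:
    """Estimate where the PE image ends on disk: the furthest section's raw data."""
    if pe_off + 24 > len(data):
        return len(data)
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sec = pe_off + 24 + opt_size                 # first IMAGE_SECTION_HEADER
    end = sec + 40 * num_sections                # at least the header table
    for i in range(num_sections):
        hdr = sec + 40 * i
        if hdr + 24 > len(data):
            break
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, mz_off + raw_ptr + raw_size)
    return min(end, len(data))


def find_embedded_pe(data: bytes):
    """Return [(offset, size, sha256)] for every PE image found in `data`.

    Every "MZ" is tested: e_lfanew (offset 0x3C) must point at "PE\\0\\0" inside
    a plausible range, so stray "MZ" bytes in ordinary data are not reported.
    Offset 0 is the host executable itself; later offsets are embedded images.
    """
    hits = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == PE_SIG:
                blob = data[pos:_image_end(data, pos, pe_off)]
                hits.append((pos, len(blob), sha256_hex(blob)))
        pos = data.find(MZ, pos + 1)
    return hits


def build_fake_pe(payload: bytes) -> bytes:
    """Construct a minimal, non-runnable PE: MZ stub, COFF header, one section."""
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)  # i386, 1 section
    raw_ptr = e_lfanew + 4 + 20 + 40                 # data follows the section table
    section = (b".text".ljust(8, b"\0")
               + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr)
               + b"\0" * 16)
    return bytes(dos) + PE_SIG + coff + section + payload


# Constructed sample: a "driver" image carried inside the host's .text data.
EMBEDDED_DRIVER = build_fake_pe(b"fake driver body")
HOST_SAMPLE = build_fake_pe(b"host code " * 2 + b"\0" * 12 + EMBEDDED_DRIVER + b"\0" * 8)


def report(data: bytes) -> list:
    """Human-readable lines for each image found; offset 0 is the host itself."""
    return [f"offset=0x{off:x} size={size} sha256={digest}"
            for off, size, digest in find_embedded_pe(data)]


if __name__ == "__main__":
    for line in report(HOST_SAMPLE):
        print(line)
```

    The offset-0 hit is the host file itself; any hit at a later offset is an image carried inside it, which is exactly the case where an AV product may report a path like PROCEXP.SYS that is never found on disk once the program exits. Hashing the extracted blob rather than the whole host gives the vendor the bytes their signature actually fired on.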
  9. 2005/02/13
    keywester

    keywester Inactive Thread Starter

    Joined:
    2002/12/20
    Messages:
    257
    Likes Received:
    0
    TONY

    sure, those options are on, i insist on everything being visible...and, blocking access likely killed the generation of the .sys file, thereby eliminating it from being located via searches...

    JOE

    that's what i suspected (been programming mainframes for 40 years...), thanks for the verification...
     