Thread: False positive?

  1. #1
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    False positive?

    I had AVG alert me to a file named C:\windows\system\corelsys.dll as being the Trojan Downloader.Agent.2.A. It appears that the internal name of this 15KB dll is ADown (maybe suspicious) and it also shows a dependency on apphelp.dll - a known spyware component I believe - and userenv.dll, neither of which are on my system. Perhaps a leftover from a browser hijack I cleaned up?

    I can't find any info of use on the web. My "on demand" AV (F-Prot) and anti-trojan software don't blink at it either. But what seems funny is that its modification date is the same as all the system files that are a part of 98SE. Maybe it's part of really "clever" spyware, that changes its file attributes to mask its presence? Or maybe it's a false positive? Anyone have any info on this one, please?

    Alan

  3. #2
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: False positive?

    I have just searched the C: drive of a system running Windows98 SE, which also has CorelDraw version 9 installed, and I can find no similarly named file. A quick Google search suggests that this really is a trojan.

    StuartR

  4. #3
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: False positive?

    Thanks Stuart. What (specifically) did you search for in Google? I could only find references to the exact situation I have, without answers.

    Another funny thing though - despite this sharing the same time/date as my W98 system files, its properties include a Copyright 2004! I really do wonder whether whatever installed it was "clever" enough to do this adjustment on the datestamp. Anyhow, I figured out that it was genuinely orphaned (nothing else on the system depends on/refers to it) so I deleted it.

    Alan
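The mismatch Alan describes above (a filesystem date that matches the Windows 98 SE system files, but a Copyright 2004 in the file's properties) is the kind of thing a defender can test mechanically: a PE file carries the linker's TimeDateStamp in its COFF header, and a file cannot legitimately have been written to disk before it was linked, so an mtime older than the compile stamp is a strong sign the date was back-dated. The script below is an added example, not code posted in this thread; it parses that stamp with only the Python standard library and, because no real sample is available here, builds a constructed minimal (non-loadable) PE header and back-dates its mtime to show the check firing. The file name, dates and one-hour clock slack are assumptions chosen for the demonstration.

```python
"""Compare a PE file's linker timestamp with its filesystem mtime.

Added example for the thread above (not a poster's code). Standard library only.
"""
import os
import struct
import tempfile
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"


def pe_compile_time(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since 1970-01-01 UTC).

    Layout: DOS header starts with 'MZ' and holds e_lfanew at offset 0x3C;
    at e_lfanew sits 'PE\\0\\0', then the 20-byte COFF header, whose bytes
    4..8 are the TimeDateStamp written by the linker.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature missing")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def timestamp_inconsistency(path: str, slack_seconds: int = 3600) -> dict:
    """Flag a file whose mtime predates its own compile stamp.

    slack_seconds (assumed: one hour) absorbs ordinary clock skew between
    the build machine and the machine that wrote the file.
    """
    with open(path, "rb") as fh:
        compiled = pe_compile_time(fh.read())
    mtime = int(os.path.getmtime(path))
    return {
        "compile_time": datetime.fromtimestamp(compiled, timezone.utc),
        "mtime": datetime.fromtimestamp(mtime, timezone.utc),
        "mtime_before_compile": mtime + slack_seconds < compiled,
    }


def build_minimal_pe(compile_time: int) -> bytes:
    """Construct a minimal PE header (DOS stub + signature + COFF header).

    It is enough for the parser above; it is not a loadable image.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 0 sections, TimeDateStamp, no symbols, no optional
    # header, Characteristics = executable | 32-bit | DLL
    coff = struct.pack("<HHIIIHH", 0x014C, 0, compile_time, 0, 0, 0, 0x2102)
    return bytes(dos) + PE_SIGNATURE + coff


def check_constructed(compile_time: int, mtime: int) -> dict:
    """Write a constructed DLL with the given link stamp and mtime, then check it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.dll")  # constructed sample, not corelsys.dll
        with open(path, "wb") as fh:
            fh.write(build_minimal_pe(compile_time))
        os.utime(path, (mtime, mtime))
        return timestamp_inconsistency(path)


if __name__ == "__main__":
    linked_2004 = int(datetime(2004, 3, 1, tzinfo=timezone.utc).timestamp())
    backdated_1999 = int(datetime(1999, 4, 23, tzinfo=timezone.utc).timestamp())
    result = check_constructed(linked_2004, backdated_1999)
    print(result)  # mtime_before_compile is True: the date was back-dated
```

Run against a real file, pass its path to timestamp_inconsistency(); a result of True does not prove malice on its own (a corrupt clock can produce it too), but together with an unknown internal name and no dependents it is a reasonable reason to quarantine rather than trust the file, which is what the thread ends up doing.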

  5. #4
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Quedgeley, Gloucester, England
    Posts
    5,333
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: False positive?

    Alan

    It seems surprising that a file purporting to be from Corel Draw would validly have the same date/time as operating system files?

    I searched Google with the corel filename you quoted and got quite a lot of hits!

    John

    Ita, esto, quidcumque...

  6. #5
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: False positive?

    John

    Indeed, it does seem odd that it shares the same date/time as O/S files, whether it be from Corel (which I've never had installed) or what seems likely now, from some spyware module that jumped on some time in 2004... hence the thought of a "clever" spyware installer. But please enlighten me re: lots of hits on Google. My search for "corelsys.dll" yields these four results, none of which provide any information beyond what I know already.

    Alan

  7. #6
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Quedgeley, Gloucester, England
    Posts
    5,333
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: False positive?

    Alan.

    Badly expressed - I was referring to the long thread "The Worst Trojan on the Net"!

    John

    PS Which, incidentally, is a fascinating read for those who think that CMOS can run (virus) code, that replacing every component on your PC (except possibly the case!) [smash] can still leave the PC infected, and so on...! [chuckle] [yikes]

    Ita, esto, quidcumque...

  8. #7
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: False positive?

    John,

    Maybe I'm blind, but I can't see any reference to any Corel file in the thread you mention?

    Alan

  9. #8
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Quedgeley, Gloucester, England
    Posts
    5,333
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: False positive?

    Alan

    No, not blind - that's what Google threw up (!), so I looked through the index for the word "Trojan", and I read through the whole series of posts in some fascination before coming to exactly the same conclusion as you!

    Perhaps I should just go home quietly now?

    John

    Ita, esto, quidcumque...

  10. #9
    2 Star Lounger
    Join Date
    Feb 2001
    Location
    Brussels, Brussel, Belgium
    Posts
    159
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: False positive?

    Hi Alan,

    Highly probable it's a piece of malware. Try using this free online malware scan service to find out more.
    As for avoiding these types of mishaps, using a restricted user account will prevent 99%+ of infections, since they almost all need administrator rights to install properly (at least for those who have a Windows NT flavor OS).

  11. #10
    Uranium Lounger
    Join Date
    Jan 2001
    Location
    Cincinnati, Ohio, USA
    Posts
    7,089
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: False positive?

    "they almost all need administrator rights to install properly. (at least for those who have a windows NT flavor OS)"

    So true, but Microsoft has made the default user an administrator - and worse still, the software designed for Windows has never been written with true multi-user systems in mind, and assumes that the user has Admin rights. Getting things to run as a non-admin can sometimes be a real challenge.

    Nonetheless...it's an excellent start to secure computing.
    -Mark

  12. #11
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: False positive?

    Thanks for that link, Pieter - I've bookmarked it for (hopefully infrequent) future use. The file in question showed up as OK according to all the AV program checks. This brings me back to the false positive [dizzy]. I think I might leave it quarantined, since I'm sure it's a remnant of something, and is not needed by any other app.

    cheers

    Alan
