
Thread: False positive?

  1. #1  Platinum Lounger, Melbourne, Victoria, Australia (joined Nov 2001)

    False positive?

    I had AVG alert me to a file named C:\windows\system\corelsys.dll as being the Trojan Downloader.Agent.2.A. It appears that the internal name of this 15KB DLL is ADown (maybe suspicious) and it also shows a dependency on apphelp.dll - a known spyware component I believe - and userenv.dll, neither of which is on my system. Perhaps a leftover from a browser hijack I cleaned up?

    I can't find any info of use on the web. My "on demand" AV (F-Prot) and anti-trojan software don't blink at it either. But what seems funny is that its modification date is the same as all the system files that are a part of 98SE. Maybe it's part of really "clever" spyware, that changes its file attributes to mask its presence? Or maybe it's a false positive? Anyone have any info on this one, please?

    Alan

  2. #2  Plutonium Lounger (joined Nov 2001)

    Re: False positive?

    I have just searched the C: drive of a system running Windows 98 SE, which also has CorelDraw version 9 installed, and I can find no similarly named file. A quick Google search suggests that this really is a trojan.

    StuartR

  3. #3  Platinum Lounger, Melbourne, Victoria, Australia (joined Nov 2001)

    Re: False positive?

    Thanks Stuart. What (specifically) did you search for in Google? I could only find references to the exact situation I have, without answers.

    Another funny thing though - despite this sharing the same time/date as my W98 system files, its properties include a Copyright 2004! I really do wonder whether whatever installed it was "clever" enough to do this adjustment on the datestamp. Anyhow, I figured out that it was genuinely orphaned (nothing else on the system depends on/refers to it), so I deleted it.

    Alan

  4. #4  Platinum Lounger, Quedgeley, Gloucester, England (joined Jan 2001)

    Re: False positive?

    Alan

    It seems surprising that a file purporting to be from Corel Draw would validly have the same date/time as operating system files?

    I searched Google with the Corel filename you quoted and got quite a lot of hits!

    John

    Ita, esto, quidcumque...

  5. #5  Platinum Lounger, Melbourne, Victoria, Australia (joined Nov 2001)

    Re: False positive?

    John

    Indeed, it does seem odd that it shares the same date/time as O/S files, whether it be from Corel (which I've never had installed) or what seems likely now, from some spyware module that jumped on some time in 2004... hence the thought of a "clever" spyware installer. But please enlighten me re: lots of hits on Google. My search for "corelsys.dll" yields these four results, none of which provide any information beyond what I know already.

    Alan
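Not part of the original thread: an added Python example of the two header checks the posts above circle around. Post #1 lists the DLL's dependencies (apphelp.dll and userenv.dll, neither present on the machine); posts #3 and #5 note a file date identical to the Windows 98 system files alongside a 2004 copyright. Both facts live in the PE file itself: the import directory names every DLL the loader will resolve, and the COFF header carries the linker's TimeDateStamp, which the file system's modification time cannot legitimately predate. The code below parses those two structures with the standard library only and compares them with the mtime the scanner saw. Everything it runs on is constructed here: `build_sample_dll()` assembles a minimal PE in memory rather than reading the real corelsys.dll, and `OS_FILE_MTIME`, `SAMPLE_LINK_TIME` and `SYSTEM_DLLS` are assumed reference values, not data from the posts. It does not read the version resource (InternalName, LegalCopyright), which would be a third, independent field to check.

```python
"""Triage a suspicious DLL from its own headers: which DLLs it imports and when it was
linked, compared with the file-system timestamp the scanner saw. Standard library only."""
import datetime as dt
import struct

# Constructed reference values for this example (not taken from the original posts):
# the date the rest of the system files share, and a link date inside the suspect DLL.
OS_FILE_MTIME = int(dt.datetime(1999, 4, 23, 22, 22, tzinfo=dt.timezone.utc).timestamp())
SAMPLE_LINK_TIME = int(dt.datetime(2004, 6, 15, 12, 0, tzinfo=dt.timezone.utc).timestamp())
# Constructed subset of DLLs present on the reference machine; apphelp/userenv are absent.
SYSTEM_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll", "shell32.dll"}


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA 0x{rva:x} is outside every section")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", errors="replace")


def parse_pe(data):
    """Return machine type, DLL flag, linker timestamp and imported DLL names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, link_time, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: NumberOfRvaAndSizes at 92, DataDirectory at 96
        ndirs_off, dd_off = 92, 96
    elif magic == 0x20B:          # PE32+: the 64-bit ImageBase shifts both by 16
        ndirs_off, dd_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    sections = []
    for i in range(nsect):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"va": va, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})
    imports = []
    if struct.unpack_from("<I", data, opt + ndirs_off)[0] > 1:   # directory [1] = imports
        imp_rva = struct.unpack_from("<I", data, opt + dd_off + 8)[0]
        off = _rva_to_offset(imp_rva, sections) if imp_rva else None
        while off is not None:
            _, _, _, name_rva, _ = struct.unpack_from("<IIIII", data, off)
            if name_rva == 0:     # an all-zero descriptor terminates the list
                break
            imports.append(_cstring(data, _rva_to_offset(name_rva, sections)).lower())
            off += 20
    return {"machine": machine, "is_dll": bool(chars & 0x2000),
            "link_time": link_time, "imports": imports}


def triage(info, file_mtime, os_file_mtime, present_dlls, slack=24 * 3600):
    """Compare what the headers say with what the file system says."""
    same_day_as_os = abs(file_mtime - os_file_mtime) <= slack
    return {
        "is_dll": info["is_dll"],
        "link_time": dt.datetime.fromtimestamp(info["link_time"], dt.timezone.utc).isoformat(),
        "mtime_matches_os_files": same_day_as_os,
        # A file cannot be written before it is linked, so an mtime years earlier than the
        # linker stamp was set after the fact (SetFileTime, or a copy tool that keeps dates).
        "mtime_backdated": same_day_as_os and info["link_time"] > file_mtime + slack,
        "imports_not_on_system": sorted(d for d in info["imports"] if d not in present_dlls),
    }


def build_sample_dll(link_time=SAMPLE_LINK_TIME, dll_names=("apphelp.dll", "userenv.dll")):
    """Construct a minimal PE32 DLL for the demo: one section holding an import directory
    that names the given DLLs. No code or thunk tables, only what parse_pe() reads."""
    sec_va, sec_raw, align = 0x1000, 0x200, 0x200
    desc_size = 20 * (len(dll_names) + 1)          # one descriptor per DLL plus terminator
    section, names = bytearray(), bytearray()
    for name in dll_names:
        section += struct.pack("<IIIII", 0, 0, 0, sec_va + desc_size + len(names), 0)
        names += name.encode("ascii") + b"\0"
    section += bytes(20) + names
    section += bytes(-len(section) % align)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, link_time, 0, 0, 224, 0x2102)  # i386, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<III", opt, 28, 0x10000000, sec_va, align)  # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x2000, sec_raw)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, sec_va, desc_size)       # DataDirectory[1] = imports
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(section), sec_va, len(section), sec_raw,
                       0, 0, 0, 0, 0x40000040)     # initialized data, readable
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers + bytes(sec_raw - len(headers)) + bytes(section)


def demo():
    """The scanner saw an mtime identical to the OS files; the headers tell another story."""
    info = parse_pe(build_sample_dll())
    return triage(info, OS_FILE_MTIME, OS_FILE_MTIME, SYSTEM_DLLS)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed sample, `demo()` reports `mtime_backdated: True` and `imports_not_on_system: ['apphelp.dll', 'userenv.dll']`. Treat both as signals, not proof: the linker stamp can itself be zeroed or forged, and some toolchains fill that field with a reproducible-build value rather than a time, so a mismatch is a reason to send the file for a second-opinion scan, as suggested later in the thread, rather than a verdict on its own.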

  6. #6  Platinum Lounger, Quedgeley, Gloucester, England (joined Jan 2001)

    Re: False positive?

    Alan.

    Badly expressed - I was referring to the long thread "The Worst Trojan on the Net"!

    John

    PS Which, incidentally, is a fascinating read for those who think that CMOS can run (virus) code, that replacing every component on your PC (except possibly the case!) [smash] can still leave the PC infected, and so on...! [chuckle] [yikes]

  7. #7  Platinum Lounger, Melbourne, Victoria, Australia (joined Nov 2001)

    Re: False positive?

    John,

    Maybe I'm blind, but I can't see any reference to any Corel file in the thread you mention. ?

    Alan

  8. #8  Platinum Lounger, Quedgeley, Gloucester, England (joined Jan 2001)

    Re: False positive?

    Alan

    No, not blind - that's what Google threw up (!), so I looked through the index for the word "Trojan", and I read through the whole series of posts in some fascination before coming to exactly the same conclusion as you!

    Perhaps I should just go home quietly now?

    John

  9. #9  2 Star Lounger, Brussels, Brussel, Belgium (joined Feb 2001)

    Re: False positive?

    Hi Alan,

    Highly probable it's a piece of malware. Try using this free online malware scan service to find out more.
    As for avoiding these types of mishaps, using a restricted user account will prevent 99%+ of infections, since they almost all need administrator rights to install properly (at least for those who have a Windows NT-flavour OS).

  10. #10  Uranium Lounger, Cincinnati, Ohio, USA (joined Jan 2001)

    Re: False positive?

    "they almost all need administrator rights to install properly. (at least for those who have a windows NT flavor OS)"
    So true, but Microsoft has made the default user an administrator - and worse still, the software designed for Windows has never been written with true multi-user systems in mind, and assumes that the user has Admin rights. Getting things to run as a non-admin can sometimes be a real challenge.

    Nonetheless...it's an excellent start to secure computing.
    -Mark

  11. #11  Platinum Lounger, Melbourne, Victoria, Australia (joined Nov 2001)

    Re: False positive?

    Thanks for that link, Pieter - I've bookmarked it for (hopefully infrequent) future use. The file in question showed up as OK according to all the AV program checks. This brings me back to the false positive [dizzy]. I think I might leave it quarantined, since I'm sure it's a remnant of something, and is not needed by any other app.

    cheers

    Alan
