False Positives?


5 replies to this topic

#1 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,856 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:55 PM

Posted 06 April 2008 - 04:50 PM

Operating system: Windows XP Home SP2
Security programs, besides those listed in my sig., MalwareBytes, NoScript extension for Firefox.

Having learned that MalwareBytes is intended for general security use and not as a specialized fix tool, I installed the program, updated, and ran a complete scan to see what it might find.

It flagged two files and nothing else:

C:\WINDOWS\SYSTEM32\lsprst7.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\ssprs.dll (Trojan.Agent) -> No action taken.

I navigated to the files in question and scanned them on VirusTotal. No programs there flagged them.

I also checked properties. Both files are identified as Application Extensions. Modification date for both files is July 16, 2006 1:52 p.m. Under each file in the list is a .tgz file with the same letters before: lsprt7.tgz and ssprs.tgz. These files were NOT flagged and have the same modification date and time. These files are associated with AlZip, my file compression program. My suspicion is that the .dll files in question are also associated with the AlZip program, though nothing in properties indicates that.

Note: No other programs I have tried as yet have flagged these two files.

My suspicion is that these are false positives. Any other steps I should take?

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:03:55 PM

Posted 06 April 2008 - 05:51 PM

under more tools you could email them to tim with a link to your post

when the program was first released there was another false positive I investigated that the well-known super video conversion program put into your system files, Google showed some very advanced malware experts removing it from people's computers

MBAM always gives you the option to restore

some other methods don't

reinstalling the programs fixes it tho

Edited by DaChew, 06 April 2008 - 05:54 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#3 DaChew


Posted 06 April 2008 - 06:05 PM

a quick test is let MBAM quarantine the files and then see if the program breaks
Chewy


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:03:55 PM

Posted 06 April 2008 - 08:59 PM

Hi OB, there are a few references I've seen with this; some were malware. Yet you present no symptoms. Yet it is in the malware path, not the perhaps proper path of a subfolder in C:...Programs. I'd recommend an SDFix scan, yet you present no symptoms, correct?
Others are an array of license management apps to apps like yours.

One solution attempt I've seen is similar to DaChew's.
Boot into safe mode and rename each of those files. You rename them by locating them in a Windows Explorer window and right-clicking on them, and then selecting Rename.
Go to the C:\windows\system32 folder and rename the extension.
From lsprst7.dll to something such as lsprst7.ddd
Reboot back to normal mode and see if things are OK. Give it a day or two if it seems OK.
Once we are sure you don't need them, we can just delete the renamed files.
How do I get help? Who is helping me?

For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....

Become a BleepingComputer fan: Facebook
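The reversible rename test suggested in the post above, written out as an added example (not part of the original thread): it records each file's SHA-256 and any neighbouring files with the same modification time before renaming, so the change can be undone and verified. The `.ddd` suffix comes from the post; the function names and the JSON manifest are assumptions of this example.

```python
import hashlib
import json
from pathlib import Path


def sha256_of(path):
    """Hash the file so the exact bytes can be looked up or re-verified later."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def same_mtime_neighbours(path, tolerance=2.0):
    """Names of files in the same folder written within `tolerance` seconds of `path`."""
    path = Path(path)
    ref = path.stat().st_mtime
    return sorted(
        p.name for p in path.parent.iterdir()
        if p.name != path.name and p.is_file()
        and abs(p.stat().st_mtime - ref) <= tolerance
    )


def park(path, manifest, new_suffix=".ddd"):
    """Rename a flagged file out of the way and record how to undo it."""
    path, manifest = Path(path), Path(manifest)
    parked = path.with_suffix(new_suffix)
    if parked.exists():
        raise FileExistsError(parked)  # never overwrite an earlier parked copy
    entry = {"original": str(path), "parked": str(parked),
             "sha256": sha256_of(path), "mtime": path.stat().st_mtime,
             "neighbours": same_mtime_neighbours(path)}
    path.rename(parked)
    records = json.loads(manifest.read_text()) if manifest.exists() else []
    records.append(entry)
    manifest.write_text(json.dumps(records, indent=2))
    return entry


def restore(manifest):
    """Put every parked file back, refusing any whose contents changed."""
    manifest = Path(manifest)
    restored = []
    for entry in json.loads(manifest.read_text()):
        parked = Path(entry["parked"])
        if sha256_of(parked) != entry["sha256"]:
            raise ValueError(f"{parked} changed while parked")
        parked.rename(entry["original"])
        restored.append(entry["original"])
    manifest.unlink()
    return restored
```

The recorded hash is also the value to search for on a multi-scanner service, and the `neighbours` list captures the same-timestamp observation made in the first post.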

#5 Orange Blossom


Posted 06 April 2008 - 09:29 PM

Hi boopme,

Correct, there are absolutely no symptoms. Since I posted, I ran Process Explorer while AlZip was running, and neither .dll showed up in the lower pane. That said, I didn't try all the program's functions either.

The .tgz files are also in the System32 folder, listed right under the .dll files. I'll try renaming the two .dll files and see what happens. It'll probably be more than a couple days to find out if the program's affected or not since I don't use it a great deal. When I need it though, it's wonderful.

Hmm. I wonder if those files are related to the program's automatically naming new file folders with bird names.

Thanks,

Orange Blossom :thumbsup:

#6 DaChew


Posted 06 April 2008 - 09:42 PM

smab.dll


some assembler coded program handler that super uses to control all the opensource tools in a video encoding

http://www.virustotal.com/analisis/2e4292a...9221c2b5178decd

EvID4226Patch.exe (Malware.Tool) -> No action taken.


EvID4226Patch.exe is being flagged as a security breach, it's disabling the no more than 10 open connection implemented in sp2 of xp, evidently a p2p tweak?

If tools weren't aggressive they wouldn't be very good

MBAM has the best response and support I have ever seen with a program
Chewy




