• False positive?

    #407506

    I had AVG alert me to a file named C:\windows\system\corelsys.dll as being the Trojan Downloader.Agent.2.A. It appears that the internal name of this 15KB dll is ADown (maybe suspicious) and it also shows a dependency on apphelp.dll – a known spyware component I believe – and userenv.dll, neither of which are on my system. Perhaps a leftover from a browser hijack I cleaned up?

    I can’t find any info of use on the web. My “on demand” AV (F-Prot) and anti-trojan software don’t blink at it either. But what seems funny is that its modification date is the same as all the system files that are a part of 98SE. Maybe it’s part of really “clever” spyware, that changes its file attributes to mask its presence? Or maybe it’s a false positive? Anyone have any info on this one, please?

    Alan

    • #852905

      I have just searched the C: drive of a system running Windows98 SE, which also has CorelDraw version 9 installed, and I can find no similarly named file. A quick Google search suggests that this really is a trojan.

      StuartR

      • #852915

        Thanks Stuart. What (specifically) did you search for in Google? I could only find references to the exact situation I have, without answers.

        Another funny thing though – despite this sharing the same time/ date as my W98 system files, its properties include a Copyright 2004! I really do wonder whether whatever installed it was “clever” enough to do this adjustment on the datestamp. Anyhow, I figured out that it was genuinely orphaned (nothing else on the system depends on/ refers to it) so I deleted it.

        Alan
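The inconsistency Alan describes above (a file whose modification time matches the operating-system files around it but whose embedded copyright says 2004) is something a defender can check for mechanically. The script below is an added example, not code from anyone in this thread, and it targets a modern Windows with PowerShell 5.1 or later rather than the Windows 98SE machine being discussed. It walks a directory of your choosing (`$ScanDir` is a placeholder), pulls the year out of each DLL's `LegalCopyright` string, compares it with the on-disk `LastWriteTime`, checks the Authenticode signature, and records a SHA256 hash so the file can be looked up on an online scanner without uploading it.

```powershell
# Added example (not from the thread): flag DLLs whose embedded copyright year
# is later than their on-disk modification year, i.e. the mismatch Alan noticed.
# Assumes PowerShell 5.1+ on a current Windows; $ScanDir is a placeholder path.
param(
    [string]$ScanDir = "$env:windir\System32"
)

function Get-DllMetadataReport {
    param([string]$Dir)

    Get-ChildItem -Path $Dir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo

        # Extract a four-digit year from the copyright string, if one is present.
        $copyrightYear = $null
        if ($vi.LegalCopyright -match '(19|20)\d{2}') {
            $copyrightYear = [int]$Matches[0]
        }

        $mtimeYear = $_.LastWriteTime.Year

        [pscustomobject]@{
            Path          = $_.FullName
            SizeKB        = [math]::Round($_.Length / 1KB, 1)
            LastWrite     = $_.LastWriteTime
            CopyrightYear = $copyrightYear
            InternalName  = $vi.InternalName
            Company       = $vi.CompanyName
            # Status is 'Valid' for a good signature, 'NotSigned' for none.
            Signature     = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            # A copyright year newer than the file's mtime means the timestamp
            # was set back (or the build string is odd); either way, look closer.
            YearMismatch  = ($null -ne $copyrightYear -and $copyrightYear -gt $mtimeYear)
        }
    }
}

# Report only files that are unsigned or carry the timestamp inconsistency,
# oldest-looking first, since that is where a backdated file would hide.
Get-DllMetadataReport -Dir $ScanDir |
    Where-Object { $_.YearMismatch -or $_.Signature -ne 'Valid' } |
    Sort-Object LastWrite |
    Format-Table Path, SizeKB, LastWrite, CopyrightYear, InternalName, Signature, SHA256 -AutoSize
```

Hashing every DLL in System32 takes a few minutes; point `$ScanDir` at a narrower directory when you already know where the suspect file sits. A year mismatch on its own is only a lead (resource strings can be wrong in legitimate builds), so treat it together with the signature status and the hash lookup rather than as proof by itself.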

        • #852937

          Alan

          It seems surprising that a file purporting to be from Corel Draw would validly have the same date/time as operating system files?

          I searched Google with the corel filename you quoted and got quite a lot of hits!

          John

          • #853015

            John

            Indeed, it does seem odd that it shares the same date/time as O/S files, whether it be from Corel (which I’ve never had installed) or what seems likely now, from some spyware module that jumped on some time in 2004… hence the thought of a “clever” spyware installer. But please enlighten me re: lots of hits on Google. My search for “corelsys.dll” yields these four results, none of which provide any information beyond what I know already.

            Alan

            • #853019

              Alan.

              Badly expressed – I was referring to the long thread “The Worst Trojan on the Net“!

              John

              PS Which, incidentally, is a fascinating read for those who think that CMOS can run (virus) code, that replacing every component on your PC (except possibly the case!) can still leave the PC infected, and so on…!

            • #853036

              John,

              Maybe I’m blind, but I can’t see any reference to any Corel file in the thread you mention. ?

              Alan

            • #853042

              Alan

              No, not blind – that’s what Google threw up (!), so I looked through the index for the word “Trojan”, and I read through the whole series of posts in some fascination before coming to exactly the same conclusion as you!

              Perhaps I should just go home quietly now?

              John

            • #853082

              hi Alan,

              highly probable it’s a piece of malware. try using this free online malware scan service to find out more
              as for avoiding these types of mishaps, using a restricted user account will prevent 99%+ of infections, since they almost all need administrator rights to install properly. (at least for those who have a windows NT flavor OS)

            • #853084

              [indent]they almost all need administrator rights to install properly. (at least for those who have a windows NT flavor OS)[/indent]

              So true, but Microsoft has made the default user an administrator – and worse still, the software designed for Windows has never been written with true multi-user systems in mind, and assumes that the user has Admin rights. Getting things to run as a non-admin can sometimes be a real challenge.

              Nonetheless…it’s an excellent start to secure computing.

            • #853086

              Thanks for that link, Pieter – I’ve bookmarked it for (hopefully infrequent) future use. The file in question showed up as OK according to all the AV program checks. This brings me back to the false positive. I think I might leave it quarantined, since I’m sure it’s a remnant of something and is not needed by any other app.

              cheers

              Alan
