Possible false positives - one of them from Creative Technology


Solved by Maurice Naggar

Just ran this scan and got the following detections. I've had this PC about half a year and Malwarebytes (free) on it the whole time. This is the first scan w/any detections. They are quarantined now. 

One of them was CTOPT399.dll, which according to the below site is from Creative Technology, the maker of the Sound Blaster card lineup. I installed a Sound Blaster GC7, along with the Creative app for it, a few weeks ago. So I'm wondering if that is related.

As for the registry keys, I am not sure if they're related to Creative or not, I haven't been able to find any sources that say what they are. If anyone has tips on how I can find what programs they're associated with, I'd appreciate it.

What is CTOPT399.dll? (freefixer.com)
 

https://www.freefixer.com/library/file/CTOPT399.dll-121493/

___________________________________________________________________________________________

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/11/22
Scan Time: 4:30 PM
Log File: a8bb2d28-e9cd-11ec-812e-30d042f6f817.json

-Software Information-
Version: 4.5.9.198
Components Version: 1.0.1699
Update Package Version: 1.0.56071
License: Free

-System Information-
OS: Windows 10 (Build 19044.1706)
CPU: x64
File System: NTFS
User: Vega3\David

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 288951
Threats Detected: 11
Threats Quarantined: 0
Time Elapsed: 3 min, 54 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 9
Malware.Heuristic.1001, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{0DC39FF3-7F96-405e-BC77-1323866D97CF}, No Action By User, 1000001, 0, , , , , , 
Malware.Heuristic.1001, HKLM\SOFTWARE\CLASSES\CLSID\{0DC39FF3-7F96-405e-BC77-1323866D97CF}, No Action By User, 1000001, 0, , , , , , 
Malware.Heuristic.1001, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{0DC39FF3-7F96-405E-BC77-1323866D97CF}, No Action By User, 1000001, 0, , , , , , 
Malware.Heuristic.1001, HKLM\SOFTWARE\CLASSES\CLSID\{0DC39FF3-7F96-405e-BC77-1323866D97CF}\InprocServer32, No Action By User, 1000001, 0, , , , , , 
Malware.Heuristic.1001, HKLM\SOFTWARE\CLASSES\TYPELIB\{22E0CB87-9325-4B0F-8ECC-21B271EC81AA}, No Action By User, 1000001, 0, , , , , , 
Malware.Heuristic.1001, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{22E0CB87-9325-4B0F-8ECC-21B271EC81AA}, No Action By User, 1000001, 0, , , , , , 
Malware.Heuristic.1001, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{22E0CB87-9325-4B0F-8ECC-21B271EC81AA}, No Action By User, 1000001, 0, , , , , , 
Malware.Heuristic.1001, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{0DC39FF3-7F96-405e-BC77-1323866D97CF}\InprocServer32, No Action By User, 1000001, 0, , , , , , 
Malware.Heuristic.1001, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{0DC39FF3-7F96-405e-BC77-1323866D97CF}\InprocServer32, No Action By User, 1000001, 0, , , , , , 

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Malware.Heuristic.1001, C:\WINDOWS\SYSTEM32\CTOPT399.DLL, No Action By User, 1000001, 0, , , , , 82B8AEBCAE69A1E4D0DDF70E7C14EF58, 00231DFFF3CD4475CD9A784A726B130FC9555CA1CD459ECD1525AC4B75F85203
Malware.Heuristic.1001, C:\WINDOWS\SYSWOW64\CTOPT399.DLL, No Action By User, 1000001, 0, 1.0.56071, 0000000000000000000003E9, dds, 01811284, 32F33750CED941C4AA4E7D70AC695413, 28891DF233CABBB726CD323585ED088882E0E05A07D83D7C95666432CAB7A86A

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

 

Edited by AdvancedSetup
Disabled live hyperlink
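
One way to answer the question above about which program the flagged registry keys belong to, as an added example that is not part of the original thread: this PowerShell script reads the CLSID and TypeLib registrations named in the scan log, follows them to the DLL they load, and reports that file's publisher, Authenticode signature and SHA-256. It assumes a 64-bit PowerShell session (so `System32` is not redirected) and that the items are still on disk rather than in quarantine.

```powershell
# Added example, not from the thread. GUIDs and file name are copied from the scan log.
$clsid   = '{0DC39FF3-7F96-405e-BC77-1323866D97CF}'
$typelib = '{22E0CB87-9325-4B0F-8ECC-21B271EC81AA}'
# Native and 32-bit (WOW6432Node) views of HKLM\SOFTWARE\Classes.
$roots = 'HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\WOW6432Node\Classes'

# Default value of a registry key, or nothing when the key is absent.
function Get-DefaultValue([string]$Key) {
    if (Test-Path -LiteralPath $Key) { (Get-Item -LiteralPath $Key).GetValue('') }
}

$found = foreach ($root in $roots) {
    $classKey = "$root\CLSID\$clsid"
    # CLSID default value = class name; InprocServer32 default value = DLL it loads.
    $name = Get-DefaultValue $classKey
    $dll  = Get-DefaultValue "$classKey\InprocServer32"
    Write-Host "$classKey : name='$name' server='$dll'"
    if ($dll) { $dll }
    # A type library stores its file path under <version>\<lcid>\win32 or win64.
    $tlbKey = "$root\TypeLib\$typelib"
    if (Test-Path -LiteralPath $tlbKey) {
        Get-ChildItem -LiteralPath $tlbKey -Recurse |
            Where-Object { $_.PSChildName -in 'win32', 'win64' } |
            ForEach-Object { $_.GetValue('') }
    }
}

# Registry-derived paths plus the two file paths Malwarebytes listed.
$files = @($found) + 'C:\Windows\System32\CTOPT399.dll', 'C:\Windows\SysWOW64\CTOPT399.dll' |
    Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim('"')) } |
    Sort-Object -Unique

foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) { Write-Host "missing: $f"; continue }
    $ver = (Get-Item -LiteralPath $f).VersionInfo
    $sig = Get-AuthenticodeSignature -LiteralPath $f
    [pscustomobject]@{
        File      = $f
        Company   = $ver.CompanyName
        Product   = $ver.ProductName
        Signature = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject  # empty when the file is unsigned
        SHA256    = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
    }
}
```

The `SHA256` column can be compared with the 64-hex-digit value at the end of each `File:` line in the log to confirm the file on disk is the one that was flagged.
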

hello @Googolplex :welcome: 

As starter steps, let's be sure this PC has the very latest release version of Malwarebytes. Then set some adjustments. Then do a new scan.

[  1  ]

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

[  2   ]

Some adjustments.

Start Malwarebytes for Windows.  Click the Settings icon.  Click the tab marked  SECURITY

 

Under the section "Scan options"

scroll down to "Use expert system algorithms to identify malicious files".  See that it is set to the far left  ( OFF position).

[  3  ]

Click the small x  on the bar titled "Settings" to exit this section.

Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

😉  Please just only attach reports as we go along.


Thank you both for your help. Yes I had previously enabled the rootkits and expert algorithms options when I ran the scan I originally posted. Very good to know I should keep them off.

I've attached the report of the scan I just ran w/those options off. No detections this time.

Should I un-quarantine the previously found items, and if so, how do I do that?

Malwarebytes scan 6-12-22.txt


Your first report of today had put nothing in quarantine. The last scan ( also) put nothing in quarantine.  I would like to see what if anything is actually in Quarantine before you do anything on your own.

I would like a report set for review.   This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply 😀
Edited by Maurice Naggar

Hello.
Please do this special search.
There is the FRSTENGLISH.exe tool on the Downloads folder. We will use that to do a search.
Find & then start FRSTENGLISH
Type the following ( better yet, use COPY then Paste) into the search box exactly as shown then press the Search Files button

SearchAll: CTOPT399.dll

Please wait while the program searches for all entries relating to this , when done a search.txt log will be saved to the desktop. Please attach this log to your next reply.
 


16 hours ago, Maurice Naggar said:

Hello.
Please do this special search.
There is the FRSTENGLISH.exe tool on the Downloads folder. We will use that to do a search.
Find & then start FRSTENGLISH
Type the following ( better yet, use COPY then Paste) into the search box exactly as shown then press the Search Files button

SearchAll: CTOPT399.dll

Please wait while the program searches for all entries relating to this , when done a search.txt log will be saved to the desktop. Please attach this log to your next reply.
 

I tried running FRSTENGLISH and got the error "this app can't run on your PC. To find a version for your PC, check with the software publisher"

I have Windows 10, 64 bit


Hello. You may need to temporarily turn Off the antivirus app on this Windows, first, in order to run the FRSTENGLISH. It may also possibly be the Windows Smartscreen that is the one interfering. FRST64 / FRSTENGLISH is a safe tool. IF it becomes needed, you can simply download & save a new copy of the tool FRST64.exe from this link https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

  1. Locate the file you downloaded on your computer.
    Downloaded files are often saved to the Downloads folder.
     
  2. Double-click the downloaded file to run the Farbar Recovery Scan Tool.

     
  3. Windows protected your PC notification may appear. This notification is from the Windows Defender SmartScreen Filter which prevents unfamiliar apps from running on your PC.
    Disable smart screen ONLY if it interferes with software we may have to use:  What is SmartScreen and how can it help protect me?

         a.  Click More info.

         b.  Click Run anyway.

  4. When the User Account Control window appears, click Yes.


     
  5. To accept the Disclaimer of warranty, click Yes.


  • Solution

Hi. Alright. It seems the DLL and related are not now on the system. And because their removal was a false positive, then go ahead and Restore all the items that are now In Quarantine. See this guide https://support.malwarebytes.com/hc/en-us/articles/360038479214-Restore-or-delete-quarantined-items-in-Malwarebytes-for-Windows


Thank you so much. I just restored all the quarantined items, ran a scan that had no detections, then for good measure I rebooted my PC and ran another scan, still no detections (and a much faster scan that time). 

Really appreciate your help with this. Take care and keep doing the good work you're doing.


You are very welcome. I am glad to have worked with you.

We can proceed with cleanup of tools we used.

To remove the FRST64 tool & its work files, do this. Go to the folder where you saved FRST64. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to

UNINSTALL.exe

Then run that (double click on it) to begin the cleanup process.

Delete mb-support-1.8.7.918.exe
Delete mbst-grab-results.zip on the Desktop.


Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

I am marking this case for closure.
I wish you all the best. Stay safe.
Sincerely.

Maurice


This topic is now closed to further replies.