log

[meme]

i was dell forum and they told me to post my log here for false positive any help would be appreciatedMalwarebytes' Anti-Malware 1.12

Database version: 740

Scan type: Quick Scan

Objects scanned: 54198

Time elapsed: 11 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adware Remover (Rogue.AdwareRemover) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{52de9c19-11e4-dcc4-5fc8-b8ea9f0bfd06} (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Creative PlayCenter 2.0 (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\Common Files\Services.dll (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

[nosirrah]

http://www.google.com/search?hl=en&q=%...amp;btnG=Search

If you check google for that file path there is only a single entry , that does not look legit .

http://www.google.com/search?hl=en&q=%...amp;btnG=Search

If you google that GUID you get nothing at all .

That file name is also a reserved word and not used (by intelligent programmers at least) .

So far we are 3 for 3 that this is malware .

For me to remove this I will need a copy of that file or a link to the installer for the software that uses it .

EDIT :

It seems that in the one google result we find that file we see an expert removing it as malware .

We are 4 for 4 that it is bad now .

I also need a link to the forum thread where this was deemed a FP .

[meme]

http://www.google.com/search?hl=en&q=%...amp;btnG=Search

If you check google for that file path there is only a single entry , that does not look legit .

http://www.google.com/search?hl=en&q=%...amp;btnG=Search

If you google that GUID you get nothing at all .

That file name is also a reserved word and not used (by intelligent programmers at least) .

So far we are 3 for 3 that this is malware .

For me to remove this I will need a copy of that file or a link to the installer for the software that uses it .

EDIT :

It seems that in the one google result we find that file we see an expert removing it as malware .

We are 4 for 4 that it is bad now .

I also need a link to the forum thread where this was deemed a FP .

i am not sure what you are telling me to do could you explain could you explain a little more also here is the one that thought it was FP

sbeetle,

3 of the 4 items detected by MBAM --- the ones labeled as Heuristics.Reserved.Word.Exploit -- are related to your Creative PlayCenter 2.0 .

while i can't guarantee this, my "gut" says they're "false-positives".

I suggest you [join, if necessary, and] post this log in the MBAM f/p forum and await a response from them:

http://www.malwarebytes.org/forums/index.php?showforum=42

Solution?

[nosirrah]

I need that file .

I installed that app and that file is not there nor is the GUID .

There are multiple things wrong with that file from looking at what I see , I will list them :

A legit app does not store its dlls outside of known legit locations , the root of common files not a location you see legit files .

A legit app will have many hundreds if not thousands or even millions of hits for its components on google , this has next to nothing .

Services is a reserved word in windows and should NEVER be used by anything other than windows . Malware often uses reserved words to "look" like its part of windows .

Without the file I cant do anything more about this .

If you have deleted the file you can restore it with the quarantine tab .

If you have reinstalled the app and the file is back this is also fine .

Either way I need you to zip the file and attach it to your next post here .

[nosirrah]

http://www.google.com/search?hl=en&q=S...G=Google+Search

Please check this , creative does not have that as one of its components .

Best I can tell this IS malware that is trying to look legit .

[AdvancedSetup]

I have all the Creative Sound Blaster software installed on my system and I don't have any of these entries or files either.

The version of Media Center is quite old - go here for legitimate software Creative - Download drivers, firmware, and software updates.

If MB still shows FP from these files then we'll be glad to assist you, but as it stands it certainly does not look like valid files or entries.

.

[nosirrah]

http://www.dellcommunity.com/supportforums...ding&page=2

Found your thread .

Please link this thread to the Dell thread as well so they can see what is going on here .

[ky331]

Bruce,

I'm the one from the Dell forum who suggested the poster contact/question you here. If I've steered him/her incorrectly, and caused anyone undue concern, I certainly apologize and will stand corrected.

the poster had undergone HJT analysis at DELL back in February of '05. The entry in question appeared under O21... and the analyst at the time [it was not me] let it stand. I don't know whether it was an error or an oversight on the part of that analyst... but it's on that basis, of his allowing the entry to remain, that I was questioning whether its detection by MBAM now was a F/P.

for the HJT log from back then, see here:

http://www.dellcommunity.com/supportforums...id=72660#M33435

again, if this is malware, I do apologize to all parties involved.

[nosirrah]

Thanks for the info . I have asked a few people here that have creative software and hardware and none of them have this .

I would agree with the FP ruling if google backed it up but as you can see there is nothing at all .

Without the file to check for myself I cant do much of anything about it .

I even installed the software that the SSODL seemed to imply but did not get that file or GUID .

BTW only the def we have for this is a heuristic one that hits reserved words being misused . The CLSID and SSODL are detected as MBAM looks for load points for that file .

Unless I can get that file there is no way to be sure .

One other possible way to test this is to have the OP reinstall the exact same app and scan again .

[ky331]

we can ask if the o/p still has the file residing in quarantine.

if so, how best for him to send it to you? would it be preferable/safer that he upload to jotti and/or virustotal first?

alternatively, we can see if he still has the original installation disk available...

[JeanInMontana]

http://uploads.malwarebytes.org/ This is the Malwarebytes upload link for suspect files.

[meme]

http://uploads.malwarebytes.org/ This is the Malwarebytes upload link for suspect files.

ok i tried to upload the file but it says that either a virus scanner is blocking it or that there is 0 bytes i then went to my computer c drive program file common file and found services.dll when i put the pointer over it it says 0 bytes does that mean that nothing is in the file

[nosirrah]

How did you put the file back ?

[meme]

How did you put the file back ?

it was still in quarentine so i restored it and then went to your site and went to box 1 browsed located and tried to upload it was this right

[meme]

it was still in quarentine so i restored it and then went to your site and went to box 1 browsed located and tried to upload it was this right

i have posted a hijackthis log on the other forum should i post it here also on hijackthis page

[JeanInMontana]

Stick with your helper at the original forum and nosirrah will ask if he needs a log.