False Positive or not?

[Buffalo]

jen wrote:
> "Buffalo" <Eric@nada.com.invalid> wrote in message
> news:gjubvu$u9l$1@news.motzarella.org...
>> MBAM lists Winnit\System32\Sysrestore.dll from Rogue.Ascentive
>> Performance
>> as malware. I submitted the file to VirusTotal and the results were
>> negative. I now have that file in quarantine.
>> Anyone have any other info on this?
>> Rogue.AscentivePerformance
>> Date spotted:
>> First seen on 2008-10-04.
>> Last seen on 2009-01-06.
>>
>> Detection statistics:
>> This object is 0.08% of all objects detected.
>> 424,252 instances detected worldwide.
>
> I think yuu mean:
> "WINNT\System32\Sysrestore.dll"
>
> SysRestore.dll is an Ascentive file and they own "finallyfast.com" (of
> the stupid, misleading, scamming TV commercials). See a review here:
> http://answers.yahoo.com/question/in...4125312AAbfMzw of
> their business practices. And yes, anti-malware alerts on Ascentive
> products. You might want to google this company before you do
> business with them...
>
> -jen
Yes, I did mean Winnt\System32\Sysrestore.dll.
The program I installed from Ascentive had a different name and it was
described as a product that would increase the performance of your computer.
Since I have the paid version of SAS and NSW and the free version of Avira,
and SpywareBlaster and the free version of MBAM
and I used Total Uninstall, I thought I would give it a go.
When I used Total Uninstall to uninstall the program, it said there was a
shared .dll and I chose not to delete it.
I think that is why that .dll was found by MBAM.
Thanks for your input.
Buffalo
PS: If I can find the name of that program, I will post back.

[Beauregard T. Shagnasty]

Buffalo wrote:

> The program I installed from Ascentive had a different name and it was
> described as a product that would increase the performance of your
> computer.

I had a look at the finallyfast.com web site several weeks ago, after
seeing their TV commercial, the one with the guy whose hair is blowing
straight back. The whole deal reeks of a scam. One of the prime reasons
is the web site (or the commercial) *do not* mention the price anywhere
I could find.

In part, it says:

"ActiveSpeed can make your Internet connection run up to 375% faster."

Yeah, right. What is 375% of a 56Kb dialup? I also send their download
file to Jotti, and some of the tests listed it as a trojan. That could
be because it is an 'installer' but who knows?

> Since I have the paid version of SAS and NSW and the free version of
> Avira, and SpywareBlaster and the free version of MBAM ...

It is sad that all of those products are necessary to keep your Windows
PC relatively free of malignant tumors - and that's only for the more
aware users. The rest live in a sewer. A couple of years ago, I got
tired of all the hassles and simply dumped Microsoft Windows. Life is
much more relaxed now.

--
-bts
-Friends don't let friends drive Windows

[Buffalo]

Beauregard T. Shagnasty wrote:
> Buffalo wrote:
>
>> The program I installed from Ascentive had a different name and it
>> was described as a product that would increase the performance of
>> your computer.
>
> I had a look at the finallyfast.com web site several weeks ago, after
> seeing their TV commercial, the one with the guy whose hair is blowing
> straight back. The whole deal reeks of a scam. One of the prime
> reasons is the web site (or the commercial) *do not* mention the
> price anywhere I could find.
>
> In part, it says:
>
> "ActiveSpeed can make your Internet connection run up to 375% faster."
>
> Yeah, right. What is 375% of a 56Kb dialup? I also send their
> download file to Jotti, and some of the tests listed it as a trojan.
> That could be because it is an 'installer' but who knows?
>
>> Since I have the paid version of SAS and NSW and the free version of
>> Avira, and SpywareBlaster and the free version of MBAM ...
>
> It is sad that all of those products are necessary to keep your
> Windows PC relatively free of malignant tumors - and that's only for
> the more aware users. The rest live in a sewer. A couple of years
> ago, I got tired of all the hassles and simply dumped Microsoft
> Windows. Life is much more relaxed now.

True.
I did do some research on Ascentive LLC and it sure sounds like a ripoff
company.
I am glad that I used Total Uninstall to monitor the install. The program I
installed was called SpeedScan_setup.exe.
I guess that if I had MBAM Pro, it would have alerted on that program (not
true, see below unless it would have during the execution on that setup
file). SAS Pro still does not alert on it, at least on sysrestore.dll.
Of course, VirusTotal also did show any hits on that particular file.
I just dl'd that setup file again and MBAM checks it as OK, as does Avira
Free,Norton, and SAS.
No, I will not use it, I just wanted to see if the setup.exe file contained
the problem .dll. The setup file is 10463kb.
VirusTotal had 2 hits on the setup.exe file but still none on the
sysrestore.dll file.
eSafe----suspicious file
Nod32--Win32/Adware.Ascentive

I guess the sysrestore.dll file gets created (or unhidden) during the setup
procedure.
No more trying speedup programs that are not recommended by others I trust.

I will delete that setup file and I will keep the
winnit\system32\sysrestore.dll in MBAM's quarantine in case I wish to
analayze it further.

[David H. Lipman]

From: "Buffalo" <Eric@nada.com.invalid>



| I will delete that setup file and I will keep the
| winnit\system32\sysrestore.dll in MBAM's quarantine in case I wish to
| analayze it further.


Please upload the file here...
http://www.uploadmalware.com

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

[Buffalo]

David H. Lipman wrote:
> From: "Buffalo" <Eric@nada.com.invalid>
>
>
>
>> I will delete that setup file and I will keep the
>> winnit\system32\sysrestore.dll in MBAM's quarantine in case I wish
>> to analayze it further.
>
>
> Please upload the file here...
> http://www.uploadmalware.com

Winnit\System32\sysrestore was submitted just now.
It is back in quarantine in MBAM now.

[David H. Lipman]

From: "Buffalo" <Eric@nada.com.invalid>



| David H. Lipman wrote:
>> From: "Buffalo" <Eric@nada.com.invalid>



>>> I will delete that setup file and I will keep the
>>> winnit\system32\sysrestore.dll in MBAM's quarantine in case I wish
>>> to analayze it further.


>> Please upload the file here...
>> http://www.uploadmalware.com

| Winnit\System32\sysrestore was submitted just now.
| It is back in quarantine in MBAM now.


MD5 of the file is 2c10b592da12118cfd3b9de0aed4540e
Thank you.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

[David H. Lipman]

From: "Buffalo" <Eric@nada.com.invalid>

| Winnit\System32\sysrestore was submitted just now.
| It is back in quarantine in MBAM now.


False Positive. It is being removed from MBAM definitions.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

[Buffalo]

David H. Lipman wrote:
> From: "Buffalo" <Eric@nada.com.invalid>
>
>> Winnit\System32\sysrestore was submitted just now.
>> It is back in quarantine in MBAM now.
>
>
> False Positive. It is being removed from MBAM definitions.

Thank you for the follow through.
Buffalo

[David H. Lipman]

From: "Buffalo" <Eric@nada.com.invalid>



| David H. Lipman wrote:
>> From: "Buffalo" <Eric@nada.com.invalid>

>>> Winnit\System32\sysrestore was submitted just now.
>>> It is back in quarantine in MBAM now.


>> False Positive. It is being removed from MBAM definitions.

| Thank you for the follow through.
| Buffalo


My pleasure.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

[arun11]

nice thread...