
Thread: False Positive or not?


  1. #1
    Beauregard T. Shagnasty Guest

    Re: False Positive or not?

    Buffalo wrote:

    > The program I installed from Ascentive had a different name and it was
    > described as a product that would increase the performance of your
    > computer.


    I had a look at the finallyfast.com web site several weeks ago, after
    seeing their TV commercial, the one with the guy whose hair is blowing
    straight back. The whole deal reeks of a scam. One of the prime reasons
    is the web site (or the commercial) *do not* mention the price anywhere
    I could find.

    In part, it says:

    "ActiveSpeed can make your Internet connection run up to 375% faster."

    Yeah, right. What is 375% of a 56Kb dialup? I also sent their download
    file to Jotti, and some of the tests listed it as a trojan. That could
    be because it is an 'installer' but who knows?

    > Since I have the paid version of SAS and NSW and the free version of
    > Avira, and SpywareBlaster and the free version of MBAM ...


    It is sad that all of those products are necessary to keep your Windows
    PC relatively free of malignant tumors - and that's only for the more
    aware users. The rest live in a sewer. A couple of years ago, I got
    tired of all the hassles and simply dumped Microsoft Windows. Life is
    much more relaxed now.

    --
    -bts
    -Friends don't let friends drive Windows

  2. #2
    Buffalo Guest

    Re: False Positive or not?



    Beauregard T. Shagnasty wrote:
    > Buffalo wrote:
    >
    >> The program I installed from Ascentive had a different name and it
    >> was described as a product that would increase the performance of
    >> your computer.

    >
    > I had a look at the finallyfast.com web site several weeks ago, after
    > seeing their TV commercial, the one with the guy whose hair is blowing
    > straight back. The whole deal reeks of a scam. One of the prime
    > reasons is the web site (or the commercial) *do not* mention the
    > price anywhere I could find.
    >
    > In part, it says:
    >
    > "ActiveSpeed can make your Internet connection run up to 375% faster."
    >
    > Yeah, right. What is 375% of a 56Kb dialup? I also sent their
    > download file to Jotti, and some of the tests listed it as a trojan.
    > That could be because it is an 'installer' but who knows?
    >
    >> Since I have the paid version of SAS and NSW and the free version of
    >> Avira, and SpywareBlaster and the free version of MBAM ...

    >
    > It is sad that all of those products are necessary to keep your
    > Windows PC relatively free of malignant tumors - and that's only for
    > the more aware users. The rest live in a sewer. A couple of years
    > ago, I got tired of all the hassles and simply dumped Microsoft
    > Windows. Life is much more relaxed now.


    True.
    I did do some research on Ascentive LLC and it sure sounds like a ripoff
    company.
    I am glad that I used Total Uninstall to monitor the install. The program I
    installed was called SpeedScan_setup.exe.
    I guess that if I had MBAM Pro, it would have alerted on that program (not
    true, see below unless it would have during the execution on that setup
    file). SAS Pro still does not alert on it, at least on sysrestore.dll.
    Of course, VirusTotal also did show any hits on that particular file.
    I just dl'd that setup file again and MBAM checks it as OK, as does Avira
    Free, Norton, and SAS.
    No, I will not use it, I just wanted to see if the setup.exe file contained
    the problem .dll. The setup file is 10463kb.
    VirusTotal had 2 hits on the setup.exe file but still none on the
    sysrestore.dll file.
    eSafe----suspicious file
    Nod32--Win32/Adware.Ascentive

    I guess the sysrestore.dll file gets created (or unhidden) during the setup
    procedure.
    No more trying speedup programs that are not recommended by others I trust.

    I will delete that setup file and I will keep the
    winnit\system32\sysrestore.dll in MBAM's quarantine in case I wish to
    analyze it further.



  3. #3
    David H. Lipman Guest

    Re: False Positive or not?

    From: "Buffalo" <Eric@nada.com.invalid>



    | I will delete that setup file and I will keep the
    | winnit\system32\sysrestore.dll in MBAM's quarantine in case I wish to
    | analyze it further.


    Please upload the file here...
    http://www.uploadmalware.com

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  4. #4
    Buffalo Guest

    Re: False Positive or not?



    David H. Lipman wrote:
    > From: "Buffalo" <Eric@nada.com.invalid>
    >
    >
    >
    >> I will delete that setup file and I will keep the
    >> winnit\system32\sysrestore.dll in MBAM's quarantine in case I wish
    >> to analyze it further.

    >
    >
    > Please upload the file here...
    > http://www.uploadmalware.com


    Winnit\System32\sysrestore was submitted just now.
    It is back in quarantine in MBAM now.



  5. #5
    David H. Lipman Guest

    Re: False Positive or not?

    From: "Buffalo" <Eric@nada.com.invalid>



    | David H. Lipman wrote:
    >> From: "Buffalo" <Eric@nada.com.invalid>




    >>> I will delete that setup file and I will keep the
    >>> winnit\system32\sysrestore.dll in MBAM's quarantine in case I wish
    >>> to analyze it further.



    >> Please upload the file here...
    >> http://www.uploadmalware.com


    | Winnit\System32\sysrestore was submitted just now.
    | It is back in quarantine in MBAM now.


    MD5 of the file is 2c10b592da12118cfd3b9de0aed4540e
    Thank you.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  6. #6
    David H. Lipman Guest

    Re: False Positive or not?

    From: "Buffalo" <Eric@nada.com.invalid>

    | Winnit\System32\sysrestore was submitted just now.
    | It is back in quarantine in MBAM now.


    False Positive. It is being removed from MBAM definitions.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  7. #7
    Buffalo Guest

    Re: False Positive or not?



    David H. Lipman wrote:
    > From: "Buffalo" <Eric@nada.com.invalid>
    >
    >> Winnit\System32\sysrestore was submitted just now.
    >> It is back in quarantine in MBAM now.

    >
    >
    > False Positive. It is being removed from MBAM definitions.


    Thank you for the follow through.
    Buffalo



  8. #8
    David H. Lipman Guest

    Re: False Positive or not?

    From: "Buffalo" <Eric@nada.com.invalid>



    | David H. Lipman wrote:
    >> From: "Buffalo" <Eric@nada.com.invalid>


    >>> Winnit\System32\sysrestore was submitted just now.
    >>> It is back in quarantine in MBAM now.



    >> False Positive. It is being removed from MBAM definitions.


    | Thank you for the follow through.
    | Buffalo


    My pleasure.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


