|
|
Rank: Member Groups: Member
Joined: 5/14/2006 Posts: 25
|
The following results have appeared in my scan:
Quote:
C:\WINNT\system32\clsncx22.dll detected: Trace.File.Morpheus
C:\WINNT\system32\clsnol22.dll detected: Trace.File.Morpheus
NOD32, Spybot S&D and Adaware are all clean so can I assume this is a false positive?
|
|
 Rank: Advanced Member Groups: Moderation
Joined: 1/31/2006 Posts: 560
|
Both files are spyware files. The files come to your system with the p2p software "Morpheus".
It is your decision to trust Morpheus or not.
Christian Peters [Support] Emsi Software Team - www.emsisoft.com
|
|
Rank: Member Groups: Member
Joined: 5/14/2006 Posts: 25
|
That seems odd because, although there is another p2p application installed, emule, which is used to dl tv shows, which afaik isn't illegal in this country since they're paid for with your tv license, I have at no point installed or used the p2p application 'Morpheus' that's being flagged in the scan.
Unless emule is being fraudulent in its claim to be adware and spyware free then how could I have become infected?
Also regarding this 'infection', from the following Google result, it appears that the main thrust of the problem seems to be the fact that the application is used to file-share and can clog network traffic, rather than any malicious reason such as information gathering.
Quote:
P2P : Any peer-to-peer file swapping program, such as Audiogalaxy, Bearshare, Blubster, E-Mule, Gnucleus, Grokster, Imesh, KaZaa, KaZaa Lite, Limewire, Morpheus, Shareaza, WinMX and Xolox. In an organization, can degrade network performance and consume vast amounts of storage. May create security issues as outsiders are granted access to internal files. Often bundled with Adware or Spyware.
|
|
Rank: Member Groups: Member
Joined: 5/14/2006 Posts: 25
|
I just found this thread in the forums that seems to be suggesting that these files have nothing to do with Morpheus as I suspected, but they're still appearing as false positives in the scan.
|
|
Rank: Advanced Member Groups: Member
Joined: 2/3/2006 Posts: 419
|
And this eTrust Spyware Encyclopedia article would suggest Christian Peters is correct: Morpheus 1.9
|
|
Rank: Advanced Member Groups: Member
Joined: 2/3/2006 Posts: 474 Location: South Carolina, USA
|
I would leave the files at least until you are sure that you want to remove them, and you can try to do some research on the files.
win xpsp3, kerio 2.15, antivir premium, SSM
|
|
Rank: Member Groups: Member
Joined: 5/14/2006 Posts: 25
|
Thank you Just me, but I'm still convinced that, in this case, Christian Peters is incorrect, since there isn't now, nor ever was there any version of Morpheus installed on this machine.
I ruled out the slim possibility emule may be responsible for the files, by a-squared lumping ALL p2p apps together, when I asked on their forums and they denied any knowledge of installing them. So until Mike Jackson's query is responded to in the other thread in my last post I can only assume I was correct.
Seriously though, messing aside, I checked the properties of clsncx22.dll and clsnol22.dll and both have created and modified dates of 06 July 2000. I checked if any other files were created in or around that date to figure which installation may be responsible for them, and I only found clsnrn22.dll and clsnpb22.dll, both created at the same time, and all 4 files are BasicScript by Summit Software which looks like a reputable company to me. If there's a possibility that Morpheus uses these files (if it IS installed) that doesn't necessarily mean they are malicious in themselves, does it?
|
|
Rank: Member Groups: Member
Joined: 5/14/2006 Posts: 25
|
This is the advice that I have received so far from Bill Fisher, President Summit Software Company:
Quote:
The filenames on those DLLs tell us that these dynamic link libraries were licensed for redistribution by a company known as Clearsand Corporation. I believe the company was originally known as Strata Inc. If I recall correctly, they developed some sort of multimedia authoring product. My guess is that you have their software installed on your system and that they installed our DLLs onto your system.
As it happens they make mediaforge and I have one of their products installed called Cinemaforge (v2.05)
Quote:
Publisher's website: http://www.mediaforge.com
CinemaForge is a video- and audio-conversion and hosting utility. The application supports Flash (SWF), Flash (FLV), Motion Pictures Group (MPEG), Audio Video Interleaved (AVI), Window Media Video (WMV), Real Video (RM), QuickTime (MOV), Advanced Streaming Format (ASF), and JPEG (thumbnails). You quickly can save and load presets. It has a nice ffmpeg GUI written in MediaForge. The application has support for deinterlace, duration, cropping, automatic thumbnails, and MediaForge Plaza publishing. You can build movies from still images, and it includes advanced alpha-channel transitions between slides.
Just to make sure I have covered absolutely EVERY conceivable angle with this issue I have mailed the suspicious dll's to Bill so their authenticity can be verified as their genuine files. Is this enough to convince the a-squared team that this IS a false positive, and not an indication of Morpheus P2P app being installed?
|
|
Rank: Newbie Groups: Member
Joined: 3/16/2009 Posts: 1
|
I confirm what Caine says. The scan of my PC was clear until I installed Cinemaforge, a utility to convert different types of video clip files. Now there are these 2 files:
- clsncx22.dll
- clsnol22.dll
installed, that a-squared detects as Morpheus. But I never installed Morpheus. I don't know exactly if it is a false positive, or if it is the same malware that comes with the installation of Morpheus that was attached also to this other software. I think you should analyze them to see if they are the same files.
|
|
 Rank: Advanced Member Groups: Member, Moderation
Joined: 2/24/2006 Posts: 4,495 Location: Australia
|
Enrico Rizzato wrote:
I confirm what Caine says. The scan of my PC was clear until I installed Cinemaforge, a utility to convert different types of video clip files. Now there are these 2 files: - clsncx22.dll - clsnol22.dll installed, that a-squared detects as Morpheus. But I never installed Morpheus. I don't know exactly if it is a false positive, or if it is the same malware that comes with the installation of Morpheus that was attached also to this other software. I think you should analyze them to see if they are the same files.
Hi Enrico,
Welcome to the forum.
1) You are right about “u should analyze them”: the files should be analyzed, but it should be precisely the files from your PC, so you have to send them to the developers (see below). It is not possible to install any existing Software on the lab computers by EMSI. You may have another version compared to what is available for download from the site, the code of the files in question could differ, etc. Also, never forget that potentially any file can be poisoned by a 3rd party, therefore sending the files is important.
2) Traces are not necessarily representing danger. Please read this EMSI article:
http://www.emsisoft.com/en/kb/articles/tec070120/
In addition, those could be FPs, so in any case it is better to check by submitting from the detection list first. You can read this thread and you will find a lot of info regarding Traces, FPs, and different ways of submitting a file for analysis to the developers. As you will see from the notes in the link below about the naming of detections, the file(s) indeed may not belong to that particular software:
http://forum.emsisoft.com/Default.aspx?g=posts&t=4678
I suggest reading the subsequent link(s) too in order to get an explanation about sending files to the developers. The short version of the above, if you don’t want to read it all:
- use “Submit as false alert” from the detection list;
- the old-fashioned way (actually that was suggested by Christian Peters that time regarding these files): create a passworded archive (ZIP or RAR) and attach it to an email to fp@emsisoft.com. Don’t forget to supply the password in the e-mail body.
Finally, as he suggested in different reply regarding the matter if you trust the software you may just use White List
Please ask if you still have questions regarding file submission
My regards
XP Pro, SP3 (32-bit); a2-Free 4.5.0.21(beta); Firewall: Comodo CIS (Defense+ HIPS); Software DEP: integrated into Firewall; Anti-Malware: Mamutu 2.0.0.23 (beta); Verification Engine PlugIn (resident); AntiVirus: AVG Free (guard resident); SpyBot SD (+TeaTimer resident)
|
|