
View Full Version : FP Trojan.pakes!.sd6


haapy
11-26-2008, 06:09 PM
I was installing Secunia PSI (Personal Software Inspector) 1.0.

SD/AV/BG threw up an alert on trojan.pakes!SD6.

History log is attached.

GoneToPlaid
11-26-2008, 06:54 PM
I did a search on nsm4.tmp and it is malware. It's becoming very common these days for malware to masquerade as supposedly helpful software utilities.

haapy
11-26-2008, 07:01 PM
That is interesting, as Secunia is a rather reputable software supplier; its tool has been cited for use in various tech newsletters. They offer an online scan as well as the tool to download. You can check them out at secunia.com.

Basically this tool is used to check the currency of software such as Flash, Reader etc. to help prevent the Mebroot infection. I did allow the process to continue and the program loaded normally. I will go back and do a scan, but I seriously think that this is a false positive.

AChen
11-26-2008, 11:50 PM
Hi haapy,

Could you send us the file C\DOCUME~1\HAAPY\LOCALS~1\TEMP\NSM4.TMP\SYSTEM.DLL which is detected as trojan.pakes!SD6 so we can verify it. Also, if possible could you send us the installer for Secunia PSI (Personal Software Inspector) 1.0 so we can check this out.

haapy
11-27-2008, 02:08 AM
Achen,

Attached are the latest log files and the program in question. Unfortunately, the temp files seem to be cleared out as a part of the Secunia install process.

Please note that the log files contain Browser Guard infections that I am sure are valid for I have been using them for years.

You can check out www.secunia.com for the PSI download as well.

Let me know if I can provide more information.

haapy
11-27-2008, 04:01 AM
This is one source of the PSI info. Seems legit to me.

http://windowssecrets.com/2007/09/06/01-Unpatched-software-abounds-on-user-systems

AChen
11-27-2008, 04:03 AM
We tested it and could not recreate the FP detection. Could you send us SYSTEM.DLL and what operating system do you have installed?

haapy
11-27-2008, 04:22 AM
Anthony,

Attached is the DLL. The only way that I could capture it was to go to the folder once SD/AV/BG tagged it. Otherwise it is deleted as a part of the install cleanup process.

Also please review the Browser Defender parts of the log I previously sent you. All good by me. And check my prior post on this thread.

Thanks

Oh.. Windows XP SP3, no other anti-malware programs.
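The post above captured the transient System.dll by hand by grabbing it from the temp folder the moment the scanner flagged it, before the installer's cleanup removed it. The following is an added example, not code from this thread, from Secunia or from PC Tools: a small watcher that polls a directory tree, copies every newly appearing file into a quarantine folder and records its SHA-256, so a sample exists to submit for false-positive verification even after the installer deletes its temp directory. The `nsXX.tmp` folder name and `System.dll` plugin are what NSIS-built installers drop; whether PSI's installer is one is not stated in the thread, and the sample contents used by `demo()` are constructed for the offline run.

```python
"""Capture transient installer files before cleanup deletes them.

Added example, not code from the forum thread or from Secunia/PC Tools.
Some installers (NSIS-built ones, for instance) unpack helper DLLs such
as System.dll into a temporary folder like %TEMP%\\nsXX.tmp and delete it
on exit, so an AV alert on one of those files leaves nothing to submit
for verification. This watcher polls a directory tree, copies each new
file into a quarantine folder the moment it appears, and records its
SHA-256 so the sample can later be matched against the vendor's detection.
"""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

# Constructed sample contents for the self-contained demo below (the NIST
# SHA-256 test vector "abc"); a real run would watch %TEMP% instead.
SAMPLE_BYTES = b"abc"


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large DLLs are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_new_files(watch_root: Path, quarantine: Path, seen: set) -> dict:
    """Copy files under watch_root not yet in `seen` into quarantine.

    Returns {relative_posix_path: sha256}. `seen` is updated in place so
    repeated polls only report files that are new since the last call.
    """
    captured = {}
    for p in watch_root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(watch_root).as_posix()
        if rel in seen:
            continue
        seen.add(rel)
        try:
            digest = sha256_of(p)
            dest = quarantine / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)  # copy2 keeps timestamps for the report
        except (FileNotFoundError, PermissionError):
            continue  # file vanished between listing and copy; cleanup won
        captured[rel] = digest
    return captured


def watch(watch_root: Path, quarantine: Path, duration_s: float = 60.0,
          interval_s: float = 0.2) -> dict:
    """Poll watch_root for duration_s seconds; return everything captured."""
    seen, captured = set(), {}
    deadline = time.monotonic() + duration_s
    while time.monotonic() < deadline:
        captured.update(snapshot_new_files(watch_root, quarantine, seen))
        time.sleep(interval_s)
    return captured


def demo() -> tuple:
    """Simulate an installer dropping nsm4.tmp/System.dll, then poll twice."""
    with tempfile.TemporaryDirectory() as tmp:
        root, quarantine = Path(tmp) / "temp", Path(tmp) / "quarantine"
        (root / "nsm4.tmp").mkdir(parents=True)
        (root / "nsm4.tmp" / "System.dll").write_bytes(SAMPLE_BYTES)
        seen = set()
        first = snapshot_new_files(root, quarantine, seen)
        second = snapshot_new_files(root, quarantine, seen)  # nothing new
        copy_intact = (quarantine / "nsm4.tmp" / "System.dll").read_bytes() == SAMPLE_BYTES
        return first, second, copy_intact


if __name__ == "__main__":
    first, second, ok = demo()
    for rel, digest in first.items():
        print(f"{digest}  {rel}")
    print("second poll:", second, "copy intact:", ok)
```

To use it for real, start `watch(Path(os.environ["TEMP"]), Path("quarantine"), duration_s=120)` in one window, run the installer in another, and submit the quarantined copy together with its hash; the hash lets the vendor confirm they are looking at the exact bytes that triggered the alert rather than a later build of the same DLL.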

haapy
11-27-2008, 04:28 AM
Anthony,

Attached is a screen shot of the alert.

haapy
11-27-2008, 04:42 AM
Anthony,

Interesting. I uninstalled the program and I got the same alert on uninstall.

haapy
11-27-2008, 05:47 AM
Anthony,

I am OK with dumping this issue. I have uninstalled the program. In addition, per the other alerts, I reviewed them and decided that I didn't need the programs. However, it is interesting to note that all the alerts that were generated were from programs that were at one time valued debugging tools. Perhaps they are too old. Time to clean up the jungle.

Regards.

AChen
11-27-2008, 06:17 AM
This issue should be resolved shortly. Hopefully in the next update or so :)

haapy
11-27-2008, 07:08 AM
Khim,

I never uninstalled Spyware Doctor so therefore I do not have to install it.

I am totally capable of reading Achen's responses.

khim
11-27-2008, 07:13 AM
I'm sorry. It was a mistake.

Best Regards

Khim

GoneToPlaid
11-27-2008, 02:17 PM
I wonder if the problem really was a false positive instead of actually being a real threat. For example, I had jmail.dll installed on my computer, the jmail installer of which I had directly downloaded from dimac.com five years ago. Amazingly, my upgrade to Norton AV 2008 detected a piece of malware which somehow was incorporated in jmail.dll, since Norton also found it within the installer exe itself, and found the correct registry keys for the malware, which I confirmed. Malware wasn't taken nearly as seriously five years ago as it is now. Thus, somehow, dimac allowed an infected file to make it into their installer executable which was distributed on their web site. Interestingly, dimac now makes jmail available for free and the latest version is malware-free. Perhaps this is the reason why dimac quietly made the basic jmail program available for free?

Note that Malwarebytes and SD both failed to detect the trojan in the older version of jmail.dll, but Norton 2008 did. Maybe this is because users reported that older versions of jmail.dll "must" be safe since they had downloaded the installer directly from dimac? It might be worth looking into.

haapy
11-27-2008, 04:20 PM
This particular piece of software from Secunia is very new. It was recommended by Gizmo's Tech Support Alert Newsletter in discussions on how to prevent the Mebroot rootkit. I basically did the online scan as well as downloaded and ran the more detailed scan. Since I had no issues, I decided to remove the program.

It is odd that PCT cannot duplicate the problem.

The other interesting thing is that the dll that fires off the alert (system.dll) is only temporary during the install/uninstall. It does not remain after either process is complete.

I do believe that it is an FP.

As far as the old web sites being tagged by Browser Defender and the other old programs, I have not used them in years, so it was not worth the effort to determine good or bad.

Time to invoke my 3 year rule. If I have not used it, time to dump it. Just like the stuff in the garage.