Caspr1.dll

Discussion in 'NOD32 version 2 Forum' started by FanJ, Dec 19, 2003.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Hi.

    I got the following warning from NOD32 version 2 about a file Caspr1.dll

    (my system: W 98 SE Dutch)

    Scanning Log
    NOD32 version 1.583 (20031219)
    Command line: C:\WINDOWS\Caspr1.dll
    Checking CRC of the NOD32.EXE file: status OK
    Operating memory is OK.

    date: 19.12.2003 time: 18:51:57
    Scanned disks, directories and files: C:\WINDOWS\Caspr1.dll
    C:\WINDOWS\Caspr1.dll - probably unknown CRYPT.WIN32 virus

    number of files scanned: 1
    number of viruses found: 1
    time of termination: 18:51:58 total scanning time: 1 sec (00:00:01)

    [hr]

    I have the following three related files.
    NOD32 gave only that warning about the second file: Caspr1.dll

    C:\WINDOWS\Caspr.exe
    Size 3584
    MD5 7bab2a9cfbc1efa2057663ff3bfd1cef

    C:\WINDOWS\Caspr1.dll
    Size 22016
    MD5 9376b89382a44899d9c1d86a00ce0cb4

    C:\WINDOWS\Caspr2.dll
    Size 39936
    MD5 f2d7ed3d8b28a9d85114448dde3253b8


    At the moment I don't know how these files came on my system. I'm still trying to found out.
    Those files came yesterday evening (Dutch time) for the first time on my system.
    I tend to think that I'm usually well protected, but.... o_O

    If anyone knows about a legitimate program that uses those files, please let me know !!!


    The PestPatrol site gives info about files with the same name, but those files have different MD5 checksums:

    http://research.pestpatrol.com/Search/FileInfoResults.asp?MD5=cc2e765c9c5ea1c1210259b76f9c2d85

    http://www.pestpatrol.com/PestInfo/c/caspr_1_012.asp


    If ESET would like to check those files, I could email them.

    Any other info about those files would be highly appreciated !!!

    Thanks !
    Cheers, Jan.
     
  2. FanJ

    FanJ Guest

    BTW: KAV gives no warning about these files.
     
  3. Godzilla

    Godzilla AV Expert

    Joined:
    Nov 1, 2003
    Posts:
    63
    This is correct. If i remember right, these are ASPack / ASProtect Unpack Emulator Files.
    Means it's some kind of a generic unpacker. The DLL's doing the Hook Stuff and the Exe is the Main Executable.

    So nothing to worry about.

    Regards,
    Michael
     
  4. FanJ

    FanJ Guest

    Thanks Michael !!!

    I wished I knew how I got those files...... :rolleyes: :oops:
     
  5. NewNOD

    NewNOD Guest

    The only information outside PestPatrol's site I could find indicates that crackers / hackers supply these files with their warez and it's used as part of the process by which others install the pirated software on their machines (part of generating a bogus serial or bypassing the trial periods, etc.)

    Not implying anything here, just what I found.
     
  6. FanJ

    FanJ Guest

    ~grin~ Thanks NewNod.
    As far as I know I don't have bogus serial numbers nor pirated software here ;)
    I paid a small fortune for my (and others) software ;)
    And before I forget it: I did inherit (if that is the right English word) 2 programs from a very dear and beloved friend who passed away so sadly a few years ago; but that inheritance is -as far as I know- legal in my country.
     
  7. NewNOD

    NewNOD Guest

    FanJ wrote:
    Thanks for taking my post in the spirit in which it was intended. I thought it could be taken the wrong way, but I was just trying to add to what has been discussed so far.

    I'm sure someone else will find other uses for the file which will correctly explain how it ended up on your PC and report those also.

    See ya. :)
     
  8. FanJ

    FanJ Guest

    Hi,

    What I more or less expected, knowing what I did at that time, seems to be the case:
    those 3 files are related to a program upgrade of the AT The Cleaner 4 Pro.

    I wrote: "What I more or less expected".
    For myself it was just the only explanation having suddenly those files on my system, but proving it was another thing......

    Before I started this thread, I had a little contact but I did something wrong: I didn't contact Daniel from MooSoft (The Cleaner).
    I apologize for the confusion.
    However I still have to make absolutely sure that those 3 files are indeed coming from The Cleaner.
    But my contact surely points me in that way.

    May I kindly ask ESET to contact Daniel (developper of The Cleaner) to solve the issue about that warning?
    If ESET doesn't have the email-addy of Daniel, please contact Paul Wilders; I'm sure Paul will bring the two parties together on this ;)
    ESET could also send me an IM on this board, but I have on and off serious problems to get on-line and at the moment I simply cannot predict when I'm on-line; sorry for that.

    Cheers, Jan.
     
  9. FanJ

    FanJ Guest

    Hi,

    I've send an email with link to this thread to support of MooSoft and ESET, and to Paul.

    Within 15 minutes (kudos to you Daniel !!!!! :D ;) ) I got a reply from Daniel that it is indeed a false positive.

    If I'm allowed to quote Daniel:
    "The file is part of a harmless Aspack unpacker."

    Cheers, Jan.
     
  10. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    Why you don't send this DLL file to samples@eset.com ?
    If you want, send me it to me, and I'll send it directly to ESET, I know some guys from ESET, I can send it for that ESET fix the false alarm or add the new virus, but I believe that it's a false alarm.
    Thanks.
     
  11. FanJ

    FanJ Guest

    Hi Sir-carew,

    Thanks for your offer ;)

    Several hours ago I had contact with Paul and a Moosoft-forum-mod.
    And I hate to say it, but I don't have very good experiences with ESET support.....
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    off topic comments splitted and removed. Please stay on topic

    paul
     
  13. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    The files in question will be examined by Eset and if needed will be addressed.

    regards.

    paul
     
  14. FanJ

    FanJ Guest

    File (zipped) has been send to Kirk (ESET).
     
  15. FanJ

    FanJ Guest

    The situation a few days later:

    (Yes, I know the Holiday season is here or at least coming.
    Yes, I know there was a weekend between my first posting in this thread and this one.)

    Two definition-updates later: still no fix for it.
    Although I did send the file to Kirk (ESET): no reply from him.
    Neither did I get any other reply from any other ESET-person, nor from Paul.
    I do see about 13 ESET-moderators at this ESET-forum, but none of them replied in this thread.


    Some other personal notes:
    I am willing to give ESET a little more time.
    But I am far from happy about this whole situation.
    Combine that was some other things:
    1- one posting from me at this ESET-board a while back was removed by a, to me unknown, person without even having the decency to tell me why.
    2- another posting from me here at the ESET-forum is still un-replied by ESET.


    As a customer of ESET I want a full explanation, either here or in private; and I want to get that explanation from ESET.
    And I also would like to see a fix about that caspr1.dll file.


    Depending on how satisfied I am with the answer(s) (and make no mistake: it is my and only my personal prerogative to judge it as customer), I will decide whether I will switch to another resident AV and/or to drop NOD32 completely.

    Did the message come clear that I'm not happy about this whole situation?

    Regards, FanJ.
     
  16. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    I understand your situation, however NOD is a good AV.
    If you want, send me it DLL file and I will send it directly to a friend that analyze files at ESET.
     
  17. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Can't argue that, Jan ;)

    A calculated guess: priority on real and new nasties first, false positives later.

    Jan, countless people submit files - and no one ever gets an answer. That's overall not the way it works. You have complained about this on many ocassions, not only in regard to Eset. All one can and should expect, is seeing a submitted real new nastie databased. Time spent on "thank you" emails is time lost in the Labs - it's as simple as that.

    Any reason why they should? It's a Lab issue, no more, no less.

    That's your perogative no doubt.

    It's of no importance who has removed a post - that's a moderator and/or staff issue. In case a post goes off topic for example, removal most probably will be the result - see my post above.

    By all means bump the thread in question; without that it's impossible to know what post you are referring to.

    A full explanation concerning?

    Seems a reasonable request ;)

    Well, as I see it, it boils down to one issue: having the false positive fixed. But then again: you are absolutely right: it is your perogative wether or not to switch - no one will question that.

    It does indeed.

    regards.

    paul
     
  18. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I'm a little confused as to why Eset should bother to fix this at all.

    Since the files being "alerted" on by NOD are "part of the new Aspack unpacker" that The Cleaner is using, can't you simply have NOD "Exclude" those specific (the ones in the The Cleaner folder) files?

    I mean, isn't it true that Aspack can be used for malicious purposes? (And, no, I'm not saying that has anything to do with Moosoft's use of them - quite the opposite!).

    IOW, if NOD "corrects" this def to exclude ASPACK - wouldn't anything ASPACK-related then be able to get by NOD?

    It would just seem easier (and safer) to exclude those specif files within the The Cleaner folder itself - that way, anything else using ASPACK would stil be alerted on (as it should be).

    I'm probably expressing myself unclearly here - but are you at least getting my drift? pete
     
  19. FanJ

    FanJ Guest

    Latest posting from me here in this thread:

    Sir-Carew:

    Thanks again for your kind offer.
    Having send the file to Kirk has to be sufficient in my humble opinion.


    Paul,


    In case you missed it: I talked about "decency" to notify me in case a posting from me has been deleted.

    Quote:
    "You have complained about this on many ocassions, not only in regard to Eset."
    I always thought that I was doing something "good" when I mentioned that company A was alerting about a certain file from company B.
    Obviously I wasn't.
    So I will not do that anymore, neither here nor in private to the companies involved.
    So everybody on his (her) own will discover those things and decide what to do about it.
    And yes, I do know that false positives can happen; I have no problem with that! I only tried to make folks and companies aware of it when I did see it happen so both companies involved could solve it; that's all.


    Pete,

    Yes I'm aware of that.
    It's up to both parties involved to react, in my humble opinion; besides there is this exclusion issue....


    In general:
    I've had it. You will not see me in a long time here at the board back.

    Wishing everyone (and I do mean that) a really fine and nice Christmas.

    Regards, FanJ.
     
  20. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Jan,

    I've noticed that, Jan and replied to that one.

    I'm confused here. Of course anyone who does submits suspicious files to AV/AT companies or alerting them is doing the good thing. I merely explained as of why expecting a "thank you" email is a wrong assumption.

    I'm sorry to hear so, since as stated above that's a good thing to do.

    I must confess the reason for this is a mystery to me, but so be it.

    Best wishes to you as well, Jan.

    regards.

    paul
     
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    Hello,
    due to the time shift between Slovakia and the USA, the response might not have been immediate. As soon as we got the sample, we analyzed it and came to preliminary conclusion that the file was actually a false positive. We will conduct further analysis and remedy it in a virus signature database update.
     
  22. FanJ

    FanJ Guest

    Thanks a lot Marcos !
    I understand about the time-shift.

    Once again I was far too unfriendly and I did let impatience taken over me :oops:

    I also got a very kind email from Anton.
    Many thanks Anton !!!

    I want to apologize to ESET, to Paul and the whole team, and to all here at the board.

    Peace !

    Best regards, Jan (who is feeling ashamed about himself).
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi FanJ,

    Happens to the best of us. (As you have demonstrated)
    Don't worry about it. :)

    Regards,

    Pieter
     
  24. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Hi FanJ,

    Anyone who frequents these forums knows you are a kind, goodhearted person. And just like the rest of us, you are human. That means there are good moments and bad moments. They call that life.

    Have a safe and joyful holiday season!
     
  25. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    And see - I was wrong - they can "fix" it!

    Shame on me and kudo's to jan for sticking it out!

    Have a cookie! Pete
     
Thread Status:
Not open for further replies.