SpyDLLRemover trying to modify executables and DLLs it looks at

Discussion in 'malware problems & news' started by turtlesoup, Jul 19, 2011.

Thread Status:
Not open for further replies.
  1. turtlesoup

    turtlesoup Registered Member

    Joined:
    Jul 16, 2011
    Posts:
    10
    I just tried out this program, and while looking through its "Process Viewer" tab, when I click on any process, and then double click on any DLL, Online Armor flags SpyDLLRemover as trying to modify that DLL.

    See this screenshot for an example:

    http://img708.imageshack.us/img708/3228/spydllremover.png

    SpyDLLRemover does this for any DLL you double click on. It also seems it tries to modify the executable file of a process when you double click on the process, or click on the "Process Info" button for a process.

    SpyDLLRemover tries to make these modifications completely without any sort of prompt or warning. If it weren't for OA watching my back, I'd never know it was doing this.
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    That sounds like SpyDLLRemover is doing its job of trying to detect malware (assuming that is the same app I just googled), just as OA is intercepting it doing so.
     
  3. turtlesoup

    turtlesoup Registered Member

    How does modifying executables and DLLs detect malware?

    Also, if this was really what it was trying to do, why didn't it try to do this for every executable or DLL on the system rather than just those I double click on?

    Most importantly, why doesn't it warn or otherwise inform the user of what it's doing?
     
  4. Cudni

    Cudni Global Moderator

    That app needs to access the file to inspect it somehow; it is OA that is saying the app is modifying. That is OA's interpretation. If you don't trust the app (SpyDLLRemover), then don't use it.
     
  5. turtlesoup

    turtlesoup Registered Member

    OA is not reporting read-only access, it is reporting write access.

    I suppose OA could be wrong about this being write access when it's just read-only access, but then why is it flagging just SpyDLLRemover and not every program that tries read-only access? Furthermore, what proof is there that this is just read-only access?

    I've used dozens of apps under OA, and almost none of them (including antivirus and anti-rootkit apps) ever try to modify DLLs or executables they didn't themselves create (especially not any DLLs or executables under c:\windows).

    That goes without saying.

    I won't use any app whose behavior is suspicious, and I'm very glad OA is there to alert me of and allow me to block such suspicious behavior.
     
    Last edited: Jul 19, 2011
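
Added example, not part of the thread and not code from either product: one way to settle whether binaries were actually changed is to hash them before and after using the tool and compare. The function names, file names and sample bytes are constructed for illustration; the check shows only whether file content changed, not what kind of access a program requested.

```python
import hashlib
import os
import tempfile

def snapshot(root, exts=(".dll", ".exe")):
    """Map each matching file under root to its SHA-256 (None if unreadable)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            try:
                with open(path, "rb") as f:  # read-only open
                    for chunk in iter(lambda: f.read(1 << 20), b""):
                        digest.update(chunk)
                state[path] = digest.hexdigest()
            except OSError:
                state[path] = None  # locked or access denied; recorded, not skipped
    return state

def compare(before, after):
    """Report files whose content changed, appeared or disappeared."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
    }

def demo():
    """Constructed sample files stand in for real binaries."""
    with tempfile.TemporaryDirectory() as root:
        paths = [os.path.join(root, n) for n in ("read.dll", "opened.dll", "patched.exe")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"MZ" + b"\x90" * 64)
        before = snapshot(root)
        with open(paths[0], "rb") as f:    # read-only access
            f.read()
        with open(paths[1], "r+b"):        # opened for writing, nothing written
            pass
        with open(paths[2], "r+b") as f:   # opened for writing and bytes changed
            f.seek(16)
            f.write(b"PATCHED")
        return compare(before, snapshot(root)), paths

if __name__ == "__main__":
    print(demo()[0])
```

In practice, take the first snapshot of the directory in question, exercise the tool, then take the second snapshot and compare.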