1DMF (Programmer)
30 Apr 12 8:22
Hi,

We have 3 machines on which Panda has quarantined the file dlltools.dll as a 'Generic Trojan'; however, when trying to find information regarding the file DLLTools.dll, I can't seem to find much at all.

I have found this...

http://www.prevx.com/avgraph/4_7/McAfee.html

http://www.prevx.com/filenames/X896815823989023816-X1/DLLTOOLS.DLL.html

which is currently under review, so it isn't clear whether this is a virus or not.

Does anyone know if this file is a virus and if so what it does?

Thanks,
1DMF.

"In complete darkness we are all the same, it is only our knowledge and wisdom that separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"

Free Electronic Dance Music Download: http://dance-music.org

1DMF (Programmer)
30 Apr 12 8:53
To add to this, I just ran the Webroot AV on the computer where Panda had quarantined this DLLTools.dll file and it now claims there is another virus on the computer.

Win32.Sefnit.Gen

However, it states it is in the Program Files (x86) folder under CentraStage, which is some software put on our computers by the IT support company.

Is this a false positive or is this a virus?

Thanks,
1DMF


goombawaho (MIS)
30 Apr 12 12:25
If it's remote control software for your IT company (which I see it is after looking), it could have triggered a warning as malware.

I would not allow that to be deleted or quarantined.

For peace of mind, run TDSSKiller, Malwarebytes Anti-Malware and GMER. If all of those come back clean, I wouldn't worry.
DrZogg (Programmer)
30 Apr 12 17:16
Can you look at the file properties and see the manufacturer / internal name / build etc.? Also try Dependency Walker http://www.dependencywalker.com/; I use it to see what DLL calls etc. a program / DLL makes.

Process Explorer http://technet.microsoft.com/en-us/sysinternals/bb896653 is also a helpful tool. I usually leave it in a DIR on the servers I maintain for reasons like this.

In Delphi there is a tool called WinSight, to see what executables are running, handles, hidden forms, internal exe / dll names etc., which is my favourite.

As said earlier, it could be an input hook for support.
1DMF (Programmer)
1 May 12 3:53
I've quarantined the DLLTools.dll and ignored the CentraStage one after liaising with the support company.

I have found this Webroot software to be a waste of time, as it is throwing up too many false positives to be of any use.

I've not had a report from anyone with the quarantined DLLTools.dll that something has stopped functioning, so I think we are OK.


goombawaho (MIS)
1 May 12 7:42
Please follow the instructions on the scans I mentioned, for peace of mind. Getting second and third opinions on malware/infection status is the only way to feel comfortable. Any one given anti-virus or anti-malware program may miss a significant percentage of malware. Therefore, you use different tools.
1DMF (Programmer)
1 May 12 8:13
Sorry, I failed to mention we also run Malwarebytes as standard, which didn't find anything, well, apart from the group policy we have restricting staff from changing their screen saver from the corporate one, so only another false positive.

Kaspersky found nothing, and neither did GMER!

I appreciate no single AV product is 100%, and I have found that MBAM isn't as good as it used to be!


JimInKS (MIS)
1 May 12 8:15
I am not at work, but my AV (F-Secure) quarantined a critical app that we use yesterday. I think that was the name it was giving. We have had this app for over 5 years, so I am pretty confident it is OK. I submitted it as a false positive, so will see what happens today.
JimInKS (MIS)
1 May 12 9:19
F-Secure has updated their definitions, so my file is now detected as clean. I ran it through VirusTotal and Panda also calls my file clean.

You might check to see if Panda's latest def files are still flagging your file.

FYI, F-Secure was flagging my file as 'Gen:Variant.Barys.2063'. I don't know if that correlates with Panda's naming conventions at all.
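The two answers above amount to a small triage checklist for a quarantined DLL: read its file properties (DrZogg), find out which processes have it loaded (what Process Explorer shows), and get a second opinion on the file (JimInKS's VirusTotal check). The script below is an added example written for this thread, not something any of the posters ran; it assumes Windows PowerShell 5.1 and takes the quarantined file's location in an assumed `-Path` parameter. It also adds an Authenticode check, which the thread does not mention, because a valid vendor signature is the quickest evidence that a detection like this one is a false positive.

```powershell
# Added triage example (not from the thread). Collects the evidence needed to
# decide whether a detection on a DLL is a false positive, without deleting or
# altering the file. $Path is an assumed parameter: the quarantined file's location.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$file = Get-Item -LiteralPath $Path

# 1. File properties: company, product, internal name, version. Legitimate
#    vendor DLLs normally populate these; an empty block is a mild warning sign.
$vi = $file.VersionInfo
[PSCustomObject]@{
    File            = $file.FullName
    SizeBytes       = $file.Length
    LastWrite       = $file.LastWriteTime
    CompanyName     = $vi.CompanyName
    ProductName     = $vi.ProductName
    InternalName    = $vi.InternalName
    OriginalName    = $vi.OriginalFilename
    FileVersion     = $vi.FileVersion
    FileDescription = $vi.FileDescription
} | Format-List

# 2. Authenticode signature. 'Valid' with a signer matching the CompanyName above
#    is strong evidence of a false positive; 'NotSigned' or 'HashMismatch' means
#    the properties above cannot be trusted on their own.
$sig = Get-AuthenticodeSignature -FilePath $file.FullName
[PSCustomObject]@{
    SignatureStatus = $sig.Status
    Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    Thumbprint      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
} | Format-List

# 3. SHA-256 hash for a second/third opinion. Searching VirusTotal by hash gives
#    the same multi-engine verdict JimInKS got without uploading a file that may
#    belong to the support company.
$hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256
"SHA256: $($hash.Hash)"

# 4. Which processes currently have the DLL loaded. A DLL loaded only by the
#    remote-support agent supports the 'part of the support tooling' explanation.
#    Module enumeration fails for protected processes and across the 32/64-bit
#    boundary, so those are skipped rather than aborting the script.
$loaded = foreach ($p in Get-Process) {
    try {
        if ($p.Modules.FileName -contains $file.FullName) {
            $p | Select-Object Id, ProcessName, Path
        }
    } catch { }
}
if ($loaded) { $loaded | Format-Table -AutoSize } else { "Not currently loaded by any process." }
```

Run it as an administrator so that step 4 can read the module lists of service processes; the other three steps work from a standard account. Keep the hash from step 3 with the ticket you open with the AV vendor, since that is what they will ask for when you report a false positive.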

goombawaho (MIS)
2 May 12 7:42
Quote:

MBAM isn't as good as it used to be!

I would say that might not be the case, but rather that malware has gotten better, especially rootkits (ZeroAccess and TDSS). Removal tools are becoming more specialized and fragmented, so there's not "one big hammer" to crush everything that pops up.
