MicrosoftAntiSpyware Beta 1

  • Thread starter Thread starter Dave
  • Start date Start date
D

Dave

Does anyone out there know why a scan should find
SCRRUN.DLL and identify it as Spyware "Specrem (Rat)".
The file SCRRUN.DLL is from Microsoft and included with
the OS.
 
What OS version? I don't get this alert on any XP or Windows 2000 system
I've seen.

FWIW, here's the result of tools, advanced tools, advanced file analyzer for
the version of that file I have in \windows\system32 on XP, Service Pack 2:

If you tell me which OS version and Service pack level, I might be able to
find one that should match yours, if this one isn't the same.

------------------------
Detailed File Analysis

Display name: Microsoft (r) Script Runtime

Name: scrrun.dll

Description: Microsoft (r) Script Runtime

Publisher: Microsoft Corporation

Path: E:\WINDOWS\system32\scrrun.dll

Version: 5.6.0.8820

Size: 151552 bytes

Copyright: Copyright © Microsoft Corp. 2002

Create date: Friday July 16, 2004

Access date: Monday February 7, 2005

Modified date: Wednesday August 4, 2004

MD5: 214577b79cf59e2fc9addd9598c0aeb8

This file is a registered COM object

CLSID: {0CF774D0-F077-11D1-B1BC-00C04F86C324}

CLSID name: Microsoft (r) Script Runtime

CLSID ProgID: HTML.HostEncode

CLSID: {0CF774D1-F077-11D1-B1BC-00C04F86C324}

CLSID name: Microsoft (r) Script Runtime

CLSID ProgID: ASP.HostEncode

CLSID: {0D43FE01-F093-11CF-8940-00A0C9054228}

CLSID name: Microsoft (r) Script Runtime

CLSID ProgID: Scripting.FileSystemObject

CLSID: {32DA2B15-CFED-11D1-B747-00C04FC2B085}

CLSID name: Microsoft (r) Script Runtime

CLSID ProgID: Scripting.Encoder

CLSID: {85131630-480C-11D2-B1F9-00C04F86C324}

CLSID name: Microsoft (r) Script Runtime

CLSID ProgID: JSFile.HostEncode

CLSID: {85131631-480C-11D2-B1F9-00C04F86C324}

CLSID name: Microsoft (r) Script Runtime

CLSID ProgID: VBSFile.HostEncode

CLSID: {EE09B103-97E0-11CF-978F-00A02463E06F}

CLSID name: Microsoft (r) Script Runtime

CLSID ProgID: Scripting.Dictionary
 
Hi, Bill, thanks for taking an interest. I am running XP
Pro Version 2002 with SP2.
I am an experienced computer user but new to SpyWare
progs. I am very careful which web sites I visit and
never download freeware. But I trust Microsoft and
downloaded and installed "Microsoft Anti SpyWare Beta 1" a
few days ago. A full scan found nothing and I was pleased
about that but not surprised. However running a scan a
couple of days later it came up with one item:- Detected
SpyWare on your System: "Specrem (RAT)". I did not remove
it but went to look at all detected locations, and right
enough SCRRUN.DLL is part of Windows XP OS in
Windows/System32/. It's on the XP install CD in a CAB
file. I guess it is a legitimate file; my question is why
does MS SpyWare Prog identify it as a "Severe threat"?
Looking at the file in tools, advanced tools, advanced
file analyser it appears to be the same as yours.
OK thanks for your time.

All The Best. Dave.

Detailed File Analysis
Display name: Microsoft (r) Script Runtime
Name: scrrun.dll
Description: Microsoft (r) Script Runtime
Publisher: Microsoft Corporation
Path: G:\WINDOWS\system32\scrrun.dll
Version: 5.6.0.8820
Size: 151552 bytes
Copyright: Copyright © Microsoft Corp. 2002
Create date: Thursday August 23, 2001
Access date: Thursday February 10, 2005
Modified date: Tuesday August 3, 2004

MD5: 214577b79cf59e2fc9addd9598c0aeb8

This file is a registered COM object

CLSID: {0CF774D0-F077-11D1-B1BC-00C04F86C324}
CLSID name: Microsoft (r) Script Runtime
CLSID ProgID: HTML.HostEncode

CLSID: {0CF774D1-F077-11D1-B1BC-00C04F86C324}
CLSID name: Microsoft (r) Script Runtime
CLSID ProgID: ASP.HostEncode

CLSID: {32DA2B15-CFED-11D1-B747-00C04FC2B085}
CLSID name: Microsoft (r) Script Runtime
CLSID ProgID: Scripting.Encoder

CLSID: {85131630-480C-11D2-B1F9-00C04F86C324}
CLSID name: Microsoft (r) Script Runtime
CLSID ProgID: JSFile.HostEncode

CLSID: {85131631-480C-11D2-B1F9-00C04F86C324}
CLSID name: Microsoft (r) Script Runtime
CLSID ProgID: VBSFile.HostEncode

CLSID: {EE09B103-97E0-11CF-978F-00A02463E06F}
CLSID name: Microsoft (r) Script Runtime
CLSID ProgID: Scripting.Dictionary
 
Thanks for confirming that the files are the same. It looks like this is a
false positive, and, presumably, one fixed in later definitions, because I
haven't seen it.

What definition version was in place at the time of the detection, if you
remember?

I think the comparison is enough to prove your file safe (unless mine is
infected too--and I've had no alarms.) It is slightly puzzling that you get
an alarm for a file identical to mine--unless there is some other invisible
co-determinant in the detection. I hope that is the definition version
involved--i.e. this is a false positive now fixed.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Hi, Bill, thanks for taking an interest. I am running XP
Pro Version 2002 with SP2.
I am an experienced computer user but new to SpyWare
progs. I am very careful which web sites I visit and
never download freeware. But I trust Microsoft and
downloaded and installed "Microsoft Anti SpyWare Beta 1" a
few days ago. A full scan found nothing and I was pleased
about that but not surprised. However running a scan a
couple of days later it came up with one item:- Detected
SpyWare on your System: "Specrem (RAT)". I did not remove
it but went to look at all detected locations, and right
enough SCRRUN.DLL is part of Windows XP OS in
Windows/System32/. It's on the XP install CD in a CAB
file. I guess it is a legitimate file; my question is why
does MS SpyWare Prog identify it as a "Severe threat"?
Looking at the file in tools, advanced tools, advanced
file analyser it appears to be the same as yours.
OK thanks for your time.

All The Best. Dave.

Detailed File Analysis
Display name: Microsoft (r) Script Runtime
Name: scrrun.dll
Description: Microsoft (r) Script Runtime
Publisher: Microsoft Corporation
Path: G:\WINDOWS\system32\scrrun.dll
Version: 5.6.0.8820
Size: 151552 bytes
Copyright: Copyright © Microsoft Corp. 2002
Create date: Thursday August 23, 2001
Access date: Thursday February 10, 2005
Modified date: Tuesday August 3, 2004

MD5: 214577b79cf59e2fc9addd9598c0aeb8

This file is a registered COM object

CLSID: {0CF774D0-F077-11D1-B1BC-00C04F86C324}
CLSID name: Microsoft (r) Script Runtime
CLSID ProgID: HTML.HostEncode

CLSID: {0CF774D1-F077-11D1-B1BC-00C04F86C324}
CLSID name: Microsoft (r) Script Runtime
CLSID ProgID: ASP.HostEncode

CLSID: {32DA2B15-CFED-11D1-B747-00C04FC2B085}
CLSID name: Microsoft (r) Script Runtime
CLSID ProgID: Scripting.Encoder

CLSID: {85131630-480C-11D2-B1F9-00C04F86C324}
CLSID name: Microsoft (r) Script Runtime
CLSID ProgID: JSFile.HostEncode

CLSID: {85131631-480C-11D2-B1F9-00C04F86C324}
CLSID name: Microsoft (r) Script Runtime
CLSID ProgID: VBSFile.HostEncode

CLSID: {EE09B103-97E0-11CF-978F-00A02463E06F}
CLSID name: Microsoft (r) Script Runtime
CLSID ProgID: Scripting.Dictionary
 
Hi, Bill,
Thanks for your reply.
I have not removed the SCRRUN.DLL file, and every time I
run a SpyWare scan only one threat is found and it
is "Specrem (RAT)" and points to SCRRUN.DLL as the
threat. I have not yet updated MicrosoftAntiSpyware Beta1
since my original download 5 days ago. I will check for
updates today and try a new scan. Meanwhile diagnostics
info as follows:-

Microsoft AntiSpyware version 1.0.501
Windows OS: XP
Windows OS Version Info: 148
Windows OS Major Version: 5
Windows OS Minor Version: 1
Windows OS Build: 2600
Current Path: G:\Program Files\Microsoft AntiSpyware
Install Path: G:\Program Files\Microsoft AntiSpyware\
Session.RunMode: 5
Session.TimeBombDaysRemaining: 170
Session.TimeBombExpirationDate: 31/07/2005
Real-time protection running: True
Real-time protection enabled: True
Security Agents Application Enabled: True
Security Agents Internet Enabled: True
Security Agents System Enabled: True
Security Agents Checkpoints: 59
Definitions Update Date: 03/02/2005 13:22:23
AutoUpdater Enabled: 0
AutoUpdater AutoApply Enabled: 0
Definitions Increment Version: 38/38
Definitions ThreatAuditThreatData: 1215017
Definitions ThreatAuditScanData: 2103732
Definitions DeterminationData: 113316
Software Update Check Date:
AutoUpdater Software Enabled: 1
TotalThreatsDetected: 3
TotalScansRun: 4
LastScanDate: 10/02/2005 05:51:04
Is US Locale: False
Locale Language: English (United Kingdom):English (0809)
Locale Country: United Kingdom:United Kingdom (44)
Processor Identifier: x86 Family 6 Model 8 Stepping 1
Processor Name: AMD Athlon(tm) XP 2000+
IE Version: 6.0.2900.2180
msvbvm60.dll: 6.0.96.90
vbscript.dll: 5.6.0.8820
gcUnCompress.dll: 1.1.0.0
gcmd5query.dll: 1.0.0.1
openports.dll:
SDelete.dll:
gcASSoapLib.dll: 1.0.0.501
gcPorttoProcess.dll:
gcTCPObjLib.dll: 1.0.0.501
gcasDtServ.exe: 1.0.0.501
gcAntiSpywareLibrary.dll: 1.0.0.501
gcIPtoHostQueue.exe: 1.0.0.501
gcasServ.exe: 1.0.0.501
gcasServAlert.exe: 1.0.0.501
gcasServHook.dll:
gcASHashLibrary.dll:
gcASThreatAudit.dll: 1.0.0.501
gcASCleaner.exe: 1.0.0.501
GIANTAntiSpywareUpdater.exe: 1.0.0.501
gcASPrivacyLib.dll: 1.0.0.501
gcASShredCtxShell.dll:
gcasSWUpdater.exe: 1.0.0.501
gcSoftwareUpdateLib.dll: 1.0.0.501
GIANTSpywareScan.exe:
gcasDtServ Status: Loaded
gcasDtServ IsAuthorized: True
gcAntiSpywareLibrary Status: Loaded
gcAntiSpywareLibrary IsAuthorized: True
gcASThreatAudit Status: Loaded
gcASThreatAudit IsAuthorized: True
Now: 11/02/2005 06:56:31
 
Back
Top