Hi All,
I recently restored my system to factory settings to address a couple of problems I was having. Since then, I ran a Malwarebytes' Anti-Malware (MBAM) full scan on the system. The following is the log from the scan. It shows that I have two infections. I have searched online extensively to determine if these are truly infections or whether they are just false positives. With all your combined expertise, please help me to decide once and for all what their true nature is. As an addition, I have SPSS loaded on my computer (I read an article somewhere where SPSS and the 2 infections were mentioned together).
Thanks a bunch.
CJ
Log:
Malwarebytes' Anti-Malware 1.38
Database version: 2377
Windows 5.1.2600 Service Pack 3
7/6/2009 10:56:45 AM
mbam-log-2009-07-06 (10-56-41).txt
Scan type: Full Scan (C:\|)
Objects scanned: 150423
Time elapsed: 29 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\serauth1.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\serauth2.dll (Trojan.Agent) -> No action taken.
-
The best place to settle this question is the /MBAM forum/false positive pages.
A search on serauth1.dll comes up with this page.
According to the MBAM lead researcher, they are probably malware files.
Why don't you copy those two files to a USB stick and then remove them?
Uninstall/reinstall SPSS and see if they come back again.
(Of course if SPSS is infected then this 'procedure' is not going to work).
Otherwise delete that junk.
You could also upload one of the files to VirusTotal, to have it scanned by 30+ AV's.
My guess is, it's malware.
Cheers. -
I got the same finding from Malwarebytes and noted similar connections between these files and SPSS. In looking at the dates of creation in Windows\system32, I found these files were created around the time I installed SPSS. Then in reviewing the SPSS files under Programs, I found that all of the language entries were on the exact same date and at the same time of day as the two files in question.
This is good enough for me to conclude that these files are not Trojans but rather associated with SPSS. I had Malwarebytes Ignore them. -
Just on a side note, where is your SPSS disc from?
Manufacturer, or company/uni disc locally copied?
I suppose you could write malware to include it if any disc is copied...
But false positives do easily happen - that site, VirusTotal, that Baserk mentioned may be a good idea too - simply because different antiviruses work differently. -
You're correct, although technically those two files (plus some other funky named .dll files which aren't actually .dll program files at all) are created as part of the Sentinel LM "license enablement and enforcement solution" kit SPSS licensed from Rainbow Technologies (now owned by SafeNet Inc).
You can find references to those supposedly suspicious files in these binaries, among others, under the SPSS program folder, or perhaps by other software products which also use Sentinel RMS:
echoid.exe
lsclean.exe
showlic.exe
lsapiw32.dll
Do an echoid.exe /? from a console window and you can see this is a Sentinel LM program:
Sentinel LM 7.3.0.1 Host Locking Code Information Utility
Copyright (C) 2004 Rainbow Technologies, Inc.
Or just look at the versioning info for lsapiw32.dll:
Rainbow Technologies, Inc.
LSAPIW32
7, 3, 0, 6
Integrated Client DLL
Copyright © 2004 Rainbow Technologies, Inc.
lssrv32.dll
Sentinel LM
7, 3, 0, 6
More info:
http://cogx.blogspot.com/2009/12/sentinel-lm-files-and-antimalware-false.html
Trying to settle this question for good--false positive?
Discussion in 'Security and Anti-Virus Software' started by ChetJ78, Jul 6, 2009.
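The three checks used in this thread (a hash for a VirusTotal lookup, timestamp correlation with the SPSS install, and searching the Sentinel LM binaries for the flagged file names), collected into one script as an added example that is not part of the original posts. The function names and the sample files are constructed for illustration, and it compares modification times for portability.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    """SHA-256 of the file, for looking the sample up on a multi-scanner service."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def binaries_referencing(name, folder, exts=(".exe", ".dll")):
    """Names of binaries under folder that embed `name` as an ASCII or UTF-16LE string."""
    needles = (name.lower().encode("ascii"), name.lower().encode("utf-16-le"))
    hits = []
    for p in sorted(Path(folder).rglob("*")):
        if p.is_file() and p.suffix.lower() in exts:
            data = p.read_bytes().lower()  # bytes.lower() folds ASCII letters only
            if any(n in data for n in needles):
                hits.append(p.name)
    return hits

def written_near(suspect, folder, window_s=120):
    """Names of files under folder modified within window_s seconds of the suspect.
    Uses mtime for portability; on Windows also compare st_ctime (creation time)."""
    t = os.path.getmtime(suspect)
    return sorted(p.name for p in Path(folder).rglob("*")
                  if p.is_file() and abs(p.stat().st_mtime - t) <= window_s)

def triage(suspect, app_folder):
    """Collect the three pieces of evidence the thread relies on for one flagged file."""
    name = os.path.basename(suspect)
    return {"file": name, "sha256": sha256_of(suspect),
            "referenced_by": binaries_referencing(name, app_folder),
            "written_near": written_near(suspect, app_folder)}

def build_demo(root):
    """Constructed sample layout (stand-ins, not real SPSS or Sentinel LM files)."""
    base, wide = 1_246_000_000, "serauth1.dll".encode("utf-16-le")
    for rel, data, age in (("system32/serauth1.dll", b"constructed", 0),
                           ("app/echoid.exe", b"MZ..SERAUTH1.DLL..", 30),
                           ("app/lsapiw32.dll", b"MZ.." + wide, 60),
                           ("app/other.exe", b"MZ..unrelated", 90_000)):
        path = Path(root, rel)
        path.parent.mkdir(exist_ok=True)
        path.write_bytes(data)
        os.utime(path, (base + age, base + age))
    return Path(root, "system32/serauth1.dll"), Path(root, "app")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(triage(*build_demo(d)))
```

Matching timestamps and string references show that the files belong to the same install; as the replies point out, they do not show that the installer itself was clean, so the hash lookup still matters.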