Bart Posted December 12, 2009
My daily SAS run just quarantined and removed these:
NTICDMK32.dll
NTIDBD32.dll
NTIEMBED.dll
NTIMPEG2.dll
What are these? Famous last words, but I don't think I go to any questionable sites. Where might they come from? Can I rest easy that SAS has removed any threat they might present?
Thanks,
Bart
Nightcap Posted December 13, 2009
Do you have any NTI software installed? I had SAS flag NTIBUN4.DLL today and that file is part of NTI's Backup NOW! software that is installed on that PC. My guess is that there's some code in those DLLs that triggers SAS, so I'm thinking false positive. To be sure do like I did and send the quarantined files to SuperAntiSpyware. Use the button in the Quarantined Items window to do that. It's very simple and it will improve the definitions.
Bart Posted December 13, 2009
Thanks for the reply. I don't knowingly use NTI. My backup software is Acronis. How do I access the quarantined window in order to send off the files?
Bart
wighty44 Posted December 13, 2009
I also had SAS quarantine NTIEMBED.DLL as a virus. Not knowing what the file was used for, I searched for NTI*.*. What I found were several files in Windows folders [c] and one GIF file [ntimage.gif]. Viewing that file showed a faint WINDOWS XP logo. I also found NTIAspi.dll in a Realplayer\CDBurning folder. I hope SAS tech support resolves this issue before my system needs to use NTIEMBED.DLL ...
SUPERAntiSpy Posted December 13, 2009
If they are submitted in our false positive reporting, we will analyze the files and remove them if necessary, thank you for taking the time to report them!
wighty44 Posted December 13, 2009
Is there a way a SAS Pro user can tell if a suspected FP item has been submitted to the false positive reporting system?
Nightcap Posted December 13, 2009
"How do I access the quarantined window in order to send off the files?"
Bart, after the scan you should see the Quarantined Items window. On the right are 4 buttons:
Trust/Allow Item(s)
Manage Allowed Items
Report False Positive...
Explain Detected Item
Select the item(s) that you think to be a false positive. Click the Report False Positive... button and follow the instructions in the window that shows.
HTH
Nightcap
Bart Posted December 13, 2009
Thanks, Nightcap. When that scan finished, since it said the four items had been quarantined and deleted I clicked on Finish so everything closed down. Is it possible to find those files now, given that SAS said they were deleted? I can't find them via my Explorer.
Bart
Nightcap Posted December 14, 2009
Bart, when you go to Main Menu (click twice on the "bug" in the system tray) and click the "Manage Quarantine" button, you can see what files are in quarantine. In quarantine means that they are no longer in the folder they used to be, but kept in a "safe place" managed by SAS. If you really did delete the quarantined files, then there's no way for you to send them to SuperAntiSpyware or to restore them if they turn out to be false positives. In the case SAS finds a threat on my PCs, I always quarantine it and let it sit there until I'm absolutely sure it isn't a false positive. Files in quarantine don't pose a threat anymore so it's safe to keep them there. If it turns out to be a false positive I can easily restore the file(s) and there's no harm done to my computer.
Nightcap
Bart Posted December 14, 2009
Nightcap, I do find them via Manage Quarantine, but my options there are Restore or Remove. How would I send them for false positive analysis? I have the feeling that once I closed the scan the other day that found and quarantined them, I can't get to the screen that offers the option to send away for analysis. Is that right? After hearing in this thread that several others are getting what appears to be false positives, I am not all that keen to do so. Just asking for next time...
Thanks,
Bart
Nightcap Posted December 14, 2009
Bart, are you using the free version of SAS?
Nightcap Posted December 14, 2009
jayt36, I restored the quarantined Backup NOW! DLL and the application is working again like always. Strange that a restore wouldn't work for you. Even if some registry values were deleted during the quarantine, restoring should put those back too. Glad you got it working again though.
Bart Posted December 14, 2009
No, I have the paid version of SAS.
Nightcap Posted December 15, 2009
Me too Bart, so now I'm really stumped why you're not seeing those 4 buttons. Maybe someone else can explain that?
Bart Posted December 15, 2009
Thanks, guys. I'm going to pass on the restore and not send away for analysis. The four flagged items have not shown up again. If they do I will follow the instructions you all have given me.
Thanks again,
Bart