
Thread: Malware ID conflicts

  1. #1
    Junior Member
    Join Date
    Mar 2010
    Posts
    4

    Malware ID conflicts

    Hi;
    Noob here, tho I've been an SBD&S client for a few years now. I've had items of concern previously but never asked here (didn't know the forum existed until about an hour ago)....but this morning I encountered something that's made me finally look for some assistance. It's a bit long winded, as it's a potentially complex issue, so please forgive that - I just wanted to ensure as much detail as possible. Also, being inexperienced here I'm not sure this is the "correct" forum section, so begging pardon for that too if I'm out of place.

    And with that, here goes with my problem:

    After running the latest security updates yesterday, this morning when I started my computer I got an alert from Spybot Search & Destroy that it had detected a threat; e.g. "...has encountered and terminated a process that is listed as part of a malicious software." -- and listed it as follows:

    Process ID: 2932
    Identified as: Win32.GBDialer.j
    Filename: msfeedssync.exe
    Found in: C:\WINDOWS\system32\

    I opened Windows Explorer and indeed found that file there under system32\....and showing a 'last modified' time & date of this morning. I don't know if the modification time/date was due to the action of Spybot S&D or not - and am curious about that.

    I got online & Google'd "msfeedssync", and saw some statements about it being a Dialer & what it does, but also other statements saying it is not a virus....some saying it is malicious & some saying it's not. Best scenario would be to Google it yourself & you can see first-hand what I encountered. Basically, I was left confused. And of course, concerned.

    I have several anti-malware apps installed, so due to my concern about this app being potentially harmful, (I just got thru one awful virus ordeal in January that was quite difficult - and expensive - to get cleaned, DESPITE all these installed safeguards) I decided to run scans on my Windows\System32 folder, where this app was seen. I scanned it with Symantec AntiVirus, Malwarebytes Anti-Malware, and Webroot AntiVirus with Spysweeper. All 3 reported no malicious items were detected.

    At this point, I still don't know what to believe. There seems to be a pretty good consensus on the Web it's not a good thing. Why does Spybot S&D declare this as malicious, & the other three do not? I see (with Windows Explorer) the file/.exe application is still there, and I wonder if I should delete it. Of additional concern is, right alongside this .exe file are two other very similarly named .dll files: msfeeds.dll (581 Kb) and msfeedsbs.dll (54 Kb), and both date/time stamped identically, & which coincides with the time I got the bad virus infestation. Should I delete those two also? And why did SBS&D not detect or report those as undesirables, if they are in fact a part of what it did detect?

    I would appreciate your insights & advice as to what I should do. In the meantime, I am preparing to rename all 3 by adding "!!!!!x" to the front of their filenames, so it'll hopefully keep them from being activated by something else, plus so they'll stand out for re-finding later if I need to delete them; and as another test to see if something re-installs the files under their correct name.

    Thank you for your time & patience,
    StarHopper
    3/10/2010

  2. #2
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,490


    Hi, there.

    Here is a description of msfeedssync.exe, which Spybot identified as Win32.GBDialer.j:
    http://searchtasks.answersthatwork.c...le=Msfeedssync

    And for the other two .dll files you are concerned about:
    Here is a description of msfeeds.dll (Microsoft Feeds Manager)
    http://www.liutilities.com/products/...brary/msfeeds/

    Here is a description of msfeedsbs.dll (Microsoft Feeds Background Task Scheduling)
    http://www.liutilities.com/products/...ary/msfeedsbs/

    Based on that, I'd suggest going to the false positives forum, and finding out whether Teatimer has misidentified a legitimate process as malware or not.

    Here is a sticky on how to report possible false positives:
    http://forums.spybot.info/showthread.php?t=19117

    And here is the false positives forum:
    http://forums.spybot.info/forumdisplay.php?f=16

  3. #3
    Junior Member
    Join Date
    Mar 2010
    Posts
    4


    Thanks for the response, Zenobia.
    Haven't read the supplied info yet but looks interesting & am about to do so.
    Also thanks for putting me on the 'path of righteousness'. ~8)
    ~S*H

    [Addendum]:
    Have now read the first 3 links....and for benefit of anyone following this thread:
    First link re defining of Msfeedssync.exe states:

    "Description : Microsoft Feeds Synchronization task found on PCs with Internet Explorer 7 and which automatic RSS Feeds synchronization turned ON. This task starts up at the intervals specified in Internet Explorer 7 and checks for updates to your RSS feeds. Once it has updated your RSS feeds, it terminates."

    First noted, Msfeedssync.exe apparently is a legitimate app, hence a visit to check/report false positives seems to be in order, & I will do so.

    2nd note: I have Internet Explorer 8 installed, not 7....so something's amiss there also.
    ~S*H
    Last edited by StarHopper; 2010-03-11 at 18:51.

  4. #4
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,490


    You're welcome.
