fcannon

join:2002-11-19
Madisonville, TN

Giant Antispware Qustion

I ran Giant AntiSpyware and deleted these entries, and then had to re-immunize with Spybot and SpywareBlaster. Would these be false positives?

Thanks for your time.


Logan 5
Enjoying the Cataclysm
Premium,MVM
join:2001-05-25
Austin, TX
kudos:7

Did you look here for answers?: »Giant Anti-Spyware


fcannon

join:2002-11-19
Madisonville, TN

Is the link something else?



Logan 5
Enjoying the Cataclysm
Premium,MVM
join:2001-05-25
Austin, TX
kudos:7
Reviews:
·Comcast

reply to fcannon
It shows that a few people have the EXACT SAME results that you posted in your screenshot.

Either all of you don't practice safe enough computing....or it's a FP.

Maybe since this program is pretty new to us here, you should verify that these are false positive entries over in their forums just to make sure...

My point was to show you that there are others with different configurations than you getting the same results, and that should send up a red flag warning to be careful before deleting anything that might end up being critical.

Good Luck!



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

2 edits

reply to fcannon

said by fcannon:
Is the link something else?

These links are certainly something else, but they will tell you what ZoneMap/Domains is all about and why those entries are there, since it is obvious you have other programs installed that are placing those entries in there.

Adware.CDT
»sarc.com/avcenter/venc/data/adware.cdt.html

»forums.spywareinfo.com/lofiversi···659.html
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/


Logan 5
Enjoying the Cataclysm
Premium,MVM
join:2001-05-25
Austin, TX
kudos:7
Reviews:
·Comcast

reply to fcannon
Name Game, you've just succeeded in confusing me (and likely everyone else), as the 2nd link you just added completely contradicts the first.

Can you please explain why you added the 2nd link and left the 1st?

Thanks



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

Then you must still be confused, not understanding what you did read at those two links, and still cannot decide whether it is a good call-out or an FP, just like you were in your second post in this thread.
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/



Logan 5
Enjoying the Cataclysm
Premium,MVM
join:2001-05-25
Austin, TX
kudos:7
Reviews:
·Comcast

1 edit

reply to fcannon
Well, Name Game, since you INSIST on being obtuse, let me spell it out for you:

From:»forums.spywareinfo.com/lofiversi···659.html

said by the 2nd post, the one from mr bones:
Leave well alone. Do not delete them.

If you open Internet Options, click the Security tab and click on the Restricted Sites icon then the button labeled 'Sites', you should see a mirror of all those sites listed under the Domains key of your registry.

Those sites listed are restricted sites that are blocked because they could potentially damage your PC or data.
From: »sarc.com/avcenter/venc/data/adware.cdt.html
said by Symantec:
Adware.CDT

Last Updated on: August 09, 2004 10:28:24 AM
Type: Adware
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX

Removal: Low
Damage: Low

detection
Intelligent Updater Definitions*: August 06, 2004
LiveUpdate™ Definitions**: August 11, 2004

* Intelligent Updater definitions are released daily, but require manual download and installation.
** LiveUpdate definitions are usually released every Wednesday.

This threat can be detected only by Symantec products that support expanded threats.

summary

Behavior
Adware.CDT is an adware program that displays advertisements, reduces the security settings for the Trusted Sites zone in Internet Explorer, and attempts to fraudulently install trusted publishers.

Symptoms
Your Symantec program detects this threat as Adware.CDT.

Transmission
This adware component can be manually installed, or installed as a component of another program.

technical details
File names: Mediatickets.exe

When Adware.CDT is executed, it performs the following actions:

1. Displays pop-up advertisements.

2. Adds the following domains into the Trusted Sites zone for Internet Explorer:

blazefind.com
clickspring.net
flingstone.com
mt-download.com
my-internet.info
searchbarcash.com
searchmeup.cc
searchmiracle.com
skoobidoo.com
slotch.com
xxxtoolbar.com

by adding the value:

"*" = "0x00000002"

to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\flingstone.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmeup.cc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skoobidoo.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\flingstone.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchbarcash.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmeup.cc
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skoobidoo.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com

3. Adds the IP address, 69.31.87.223, into the Trusted Sites zone for Internet Explorer, by adding the value:

"*" = "0x00000002"
":Range" = "69.31.87.223"

to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1

4. Allows the downloading of active content and running ActiveX scripts, and enables ActiveX controls and plug-ins by adding the values:

"MinLevel" = "Code Download"
"Safety Warning Level" = "SucceedSilent"
"Security_RunActiveXControls" = "0x01000000"
"Security_RunScripts" = "0x01000000"
"Trust Warning Level" = "No Security"

to the registry keys:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

5. Allows Internet Explorer to run .NET components regardless of whether they are signed with Authenticode, by adding the values:

"2001" = "0x00000000"
"2004" = "0x00000000"

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2

6. Attempts to fraudulently install the following trusted publishers:

CDT inc.
MediaTickets
Integrated Search Technologies

by adding the values:

"ppcimdnnnjbeahepfabjipfginloedkg egckak" = "CDT inc."
"goicfboogidikkejccmclpieicihhlpo ejemdn" = "MediaTickets"
"goicfboogidikkejccmclpieicihhlpo bihgbp" = "Integrated Search Technologies"

to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0

removal instructions

The following instructions pertain to all Symantec antivirus products that support Expanded Threat detection.

1. Update the definitions.
2. Run a full system scan.
3. Delete the value that was added to the registry.

For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To run the scan

1. Start your Symantec antivirus program, and then run a full system scan.
2. If any files are detected as Adware.CDT and depending on which software version you are using, you may see one or more of the following options:

Note: This applies only to versions of Norton AntiVirus that support Expanded Threat detection. If you are running a version of Symantec AntiVirus Corporate Edition that supports Expanded Threat detection, and Expanded Threat detection has been enabled, you will only see a message box that gives the results of the scan. If you have questions in this situation, contact your network administrator.
* Exclude (Not recommended): If you click this button, it will set the threat so that it is no longer detectable. That is, the antivirus program will keep the expanded threat on your computer and will no longer detect it to remove from your computer.

* Ignore or Skip: This option tells the scanner to ignore the threat for this scan only. It will be detected again the next time that you run a scan.

* Cancel: This option is new to Norton Antivirus 2005. It is used when Norton Antivirus 2005 has determined that it cannot delete an expanded threat. This Cancel option tells the scanner to ignore the threat for this scan only, and thus, the threat will be detected again the next time that you run a scan.

To actually delete the expanded threat:
o Click its file name (under the Filename column).
o In the Item Information box that displays, write down the full path and file name.
o Then use Windows Explorer to locate and delete the file.

If Windows reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer.

* Delete: This option will attempt to delete the detected files. In some cases, the scanner will not be able to do this.
o If you see a message, "Delete Failed" (or similar message), manually delete the file.
o Click the file name of the threat that is under the Filename column.
o In the Item Information box that displays, write down the full path and file name.
o Then use Windows Explorer to locate and delete the file.

If Windows reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer.

3. To delete the value from the registry

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

1. Click Start > Run.
2. Type regedit, and then click OK.

3. Navigate to and delete these keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\flingstone.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchbarcash.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmeup.cc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skoobidoo.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\flingstone.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchbarcash.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmeup.cc
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skoobidoo.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1

4. Navigate to the key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0

5. In the right pane, delete the values:

"ppcimdnnnjbeahepfabjipfginloedkg egckak" = "CDT inc."
"goicfboogidikkejccmclpieicihhlpo ejemdn" = "MediaTickets"
"goicfboogidikkejccmclpieicihhlpo bihgbp" = "Integrated Search Technologies"

6. Navigate to the keys:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

7. In the right pane, delete the values:

"MinLevel" = "Code Download"
"Safety Warning Level" = "SucceedSilent"
"Security_RunActiveXControls" = "0x01000000"
"Security_RunScripts" = "0x01000000"
"Trust Warning Level" = "No Security"

8. Navigate to the key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2

9. In the right pane, delete the values:

"2001" = "0x00000000"
"2004" = "0x00000000"

10. Exit the Registry Editor.
So, Name Game, again, which one is correct? Why not try and help all of us who do not have your vast stores of security knowledge and explain what your point is, because your answers so far have not been very helpful to those who need it....


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

reply to fcannon

said by fcannon:
I ran Giant AntiSpyware and deleted these entries, and then had to re-immunize with Spybot and SpywareBlaster. Would these be false positives?

Thanks for your time.

The answer is found in the first post of this thread. Since he had to re-immunize that list with his Spybot and SpywareBlaster, it is a false positive.. hard to tell for some, since his screenshot does not list the complete string.

The link you posted to a thread here at DSLR also had mention of a user who came up with the same input and determined for that reason (he did not see it as a false positive)... so he purchased the product. ;)

It is a fact that the last update of this product did have that FP problem, and they are in the process of correcting it.

But if the full screen of the first post could have shown the complete path, with the full last entry to the end of the field.. it would have been easy to determine.

Too bad Giant does not have their own forum for help, since people testing it are going to be flocking into forums like DSLR rather than emailing the company.
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/


Logan 5
Enjoying the Cataclysm
Premium,MVM
join:2001-05-25
Austin, TX
kudos:7
Reviews:
·Comcast

reply to fcannon
Thank you...... That's solid information and completely clears this up for me and those who have had this problem and cannot or are unable to sift through the tons of inaccurate/misleading information out there on the internet about this.

Wonder why then Symantec sees this as such a 'threat' when there isn't one???



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

1 edit

reply to fcannon
It is a threat when it comes like that. In fact, if you look close at the Symantec write-up, they are different... it has to do with Restricted and then Trusted zones.... Also consider if a member did not have SpywareBlaster installed and/or Spybot... the issue for those people who then had Giant only installed... they certainly would not be seeing that as a false positive ever.. in fact it would be the actual bad boy as written up by Symantec.

That, as you recall, was the main reason even a2 came up with many of its false positives in the beginning of its development.

There is NO way a developer can design and then also test before release.. his product and design on PCs that have every known THIRD PARTY PROGRAM ALSO INSTALLED ON IT TO MAKE SURE THEY DID NOT HAVE ANY OVERLAPPING CODE or areas of use where one could assume the other should not really be there.. that would hold true for other AVs, ATs, antispyware apps etc. etc. in this case.. or just really any third party program.. :)

I think you can understand that.. On a clean machine with just the OS installed and then your one security product.. all is well.

But we now have users running multiple security applications all the time.. either on trial.. or just because they are all free.. some running as resident and others just installed for on demand.

So that lays it out for ya.. and for the developer.. it means they all have to tighten up their code.. shortening and sometimes adding for exceptions.. so you, the user, do not have to make the decision... but since there is no main clearing house where developers of these products would ever share the changes they make or the programs they write.. with each other for test purposes

It's a tough job to keep out of each other's stuff.

Hope that helps in general terms.
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/
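The Restricted-versus-Trusted distinction Name Game is pointing at is visible in the registry data itself: Adware.CDT (per the Symantec write-up quoted above) writes "*"=2 under ZoneMap\Domains\<domain>, which puts the domain in IE's Trusted sites zone, while Spybot/SpywareBlaster immunization writes "*"=4, which puts it in Restricted sites. This is an added example, not code from Giant, Spybot, SpywareBlaster or Symantec: it parses an exported .reg file offline and sorts ZoneMap\Domains entries by zone number, so a trusted-site insertion stands out from a harmless immunization block. The sample .reg text is constructed; the IE zone numbering (0-4) is the standard one.

```python
"""Triage IE ZoneMap\\Domains entries from a .reg export (added example)."""
import re

# Standard Internet Explorer URL security zone numbers.
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Matches "[HKEY_...\...\Internet Settings\ZoneMap\Domains\<domain[\sub]>]".
KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\.*\\ZoneMap\\Domains\\([^\]]+)\]$")
# Matches '"*"=dword:00000002' or '"http"=dword:00000004'.
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample export: one Adware.CDT-style trusted-site entry
# (blazefind.com is from the Symantec list) and two immunization-style
# restricted-site entries for a made-up domain.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\immunized.example]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\immunized.example\www]
"http"=dword:00000004
"""


def parse_zonemap(reg_text):
    """Return (hive, domain, value_name, zone) for each dword under a
    ZoneMap\\Domains key; values under other keys are ignored."""
    entries = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # new key: remember it only if ZoneMap\Domains
            m = KEY_RE.match(line)
            current = (m.group(1), m.group(2)) if m else None
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            hive, domain = current
            entries.append((hive, domain, m.group(1), int(m.group(2), 16)))
    return entries


def classify(entries):
    """Zone 2 (or lower) loosens IE security for the domain and deserves a
    look; zone 4 is a block, which is what immunization tools write."""
    report = {"trusted": [], "restricted": [], "other": []}
    for hive, domain, name, zone in entries:
        label = f"{hive}\\...\\Domains\\{domain} {name} -> {ZONE_NAMES.get(zone, zone)}"
        bucket = "trusted" if zone <= 2 else "restricted" if zone == 4 else "other"
        report[bucket].append(label)
    return report


def triage(reg_text):
    return classify(parse_zonemap(reg_text))


if __name__ == "__main__":
    for bucket, lines in triage(SAMPLE_REG).items():
        print(bucket.upper())
        for line in lines:
            print("  " + line)
```

On a real machine the input would be the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" out.reg`, repeated for HKLM; the same rule applies to the "*"=2 Ranges\Range1 IP entry in the write-up, which this parser does not cover.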



WFO
Premium
join:2001-08-27
San Ramon, CA

said by Name Game:

There is NO way a developer can design and then also test before release.. his product and design on PCs that have every known THIRD PARTY PROGRAM ALSO INSTALLED ON IT TO MAKE SURE THEY DID NOT HAVE ANY OVERLAPPING CODE or areas of use where one could assume the other should not really be there.. that would hold true for other AVs, ATs, antispyware apps etc. etc. in this case.. or just really any third party program.. :)

I think you can understand that.. On a clean machine with just the OS installed and then your one security product.. all is well.

But we now have users running multiple security applications all the time.. either on trial.. or just because they are all free.. some running as resident and others just installed for on demand.

It's a tough job to keep out of each other's stuff.

Hope that helps in general terms.

I run Spybot and Spyware Blaster and had the same or similar FPs. I wrote to Giant's tech support. They are awesome!!! Like a new company should be, they are on top of things and this is already corrected.:) Don't be bashful! If there is a problem, write! You will have an answer in 12 hours or less. Usually less.:D

© 1999-2012 dslreports.com.