 sashwaPixie Cat Crunchin' n Foldin'Premium,Mod join:2001-01-29 Alcatraz kudos:15 | reply to CalamityJane
Re: Ad-Aware Sept. 12 Update - FP??
Thanks, Janie. I restored the quarantined files and am waiting to hear about a fix before I put the stuff back in quarantine. |
|
 | reply to dp
I seem to have a very similar problem: After I downloaded the LavaSoft AdAware new definitions today, I got this:
ArchiveData(auto-quarantine- 2006-09-12 11-18-18.bckp)
Referencefile : SE1R123 12.09.2006
======================================================

MRU LIST
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=MRU FileReference : C:\Documents and Settings\John R Burns\recent\Desktop.ini
obj[2]=MRU RegReference : software\microsoft\directdraw\mostrecentapplication name
obj[3]=MRU RegReference : S-1-5-21-3818105423-895719299-1048318793-1006\software\microsoft\microsoft management console\recent file list

WIN32.TROJAN.DOWNLOADER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[3]=Regkey : clsid\{48e59293-9880-11cf-9754-00aa00c00908}
obj[4]=Regkey : interface\{48e59291-9880-11cf-9754-00aa00c00908}
obj[5]=Regkey : typelib\{48e59290-9880-11cf-9754-00aa00c00908}
obj[6]=Regkey : inetctls.inet
obj[7]=Regkey : inetctls.inet.1
obj[8]=Regkey : software\microsoft\windows\currentversion\policies\activedesktop |
|
|
|
 BuddelIf it ain't broke, don't fix it.Premium join:2004-03-06 EU kudos:3 | reply to dp Same problems here. Let's hope they will soon be fixed. |
|
 onDvineDon't Litter. Spay-Neuter.Premium join:2005-01-29 So. CA, USA kudos:9 1 edit | reply to dp I thought it was odd that I'd picked up stuff without going anyplace unfamiliar. Have restored the items from quarantine, as well. Thanks. -- I base most of my fashion taste on what doesn't itch. ▪Gilda Radner |
|

approval from: CalamityJane 
| reply to CalamityJane
Object : inetctls.inet
Object : clsid\{48e59293-9880-11cf-9754-00aa00c00908}
FP! These two are related to inetctls.inet and are totally valid for at least some VB & VB.Net applications, especially for developers. If you remove them, I bet your VB apps won't run, compile, and/or load properly.
I do not know about the BargainBuddy entry. {d27cdb6e-ae6d-11cf-96b8-444553540000}
Fortunately I was thinking FPs as soon as I saw these. So I ran full bore Norton AV, SpyBot, Windows Defender, Hijack, etc., none of which found or reported these. |
|
 | reply to onDvine
8 here - Note running IE7 RC2, Norton 360 Beta
Using definitions file: SE1R123 12.09.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
BargainBuddy(TAC index:8):2 total references
Win32.Trojan.Agent(TAC index:10):1 total references
Win32.Trojan.Downloader(TAC index:10):5 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojan.Downloader Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : clsid\{48e59293-9880-11cf-9754-00aa00c00908}

Win32.Trojan.Downloader Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : interface\{48e59291-9880-11cf-9754-00aa00c00908}

Win32.Trojan.Downloader Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : typelib\{48e59290-9880-11cf-9754-00aa00c00908}

BargainBuddy Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 8
    Category : Malware
    Comment :
    Rootkey : HKEY_USERS
    Object : S-1-5-21-527237240-1844237615-839522115-1003\software\microsoft\windows\currentversion\ext\stats\{d27cdb6e-ae6d-11cf-96b8-444553540000}

Win32.Trojan.Agent Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Virus
    Comment :
    Rootkey : HKEY_USERS
    Object : S-1-5-21-527237240-1844237615-839522115-1003\software\microsoft\windows\currentversion\ext\stats\{b45ff030-4447-11d2-85de-00c04fa35c89}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 5

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojan.Downloader Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : inetctls.inet

Win32.Trojan.Downloader Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : inetctls.inet.1

BargainBuddy Object Recognized!
    Type : RegData
    Data : no
    TAC Rating : 8
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\main
    Value : Use Search Asst
    Data : no

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 8 |
|
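Posters in this thread compare their scan logs by eye to see whether they hit the same objects after the same definitions update. The sketch below does that comparison mechanically; it is an added example, not part of any post or of Ad-Aware itself, and it assumes logs with one field per line, with constructed reports whose SIDs and `Example.Family` record are placeholders.

```python
import re
from collections import Counter

# Constructed reports from two machines, one field per line as in an Ad-Aware SE
# scan log. SIDs and the "Example.Family" record are made-up placeholders.
REPORT_A = r"""
Win32.Trojan.Downloader Object Recognized!
    Rootkey : HKEY_CLASSES_ROOT
    Object  : inetctls.inet
BargainBuddy Object Recognized!
    Rootkey : HKEY_USERS
    Object  : S-1-5-21-1111-2222-3333-1003\software\microsoft\windows\currentversion\ext\stats\{d27cdb6e-ae6d-11cf-96b8-444553540000}
"""
REPORT_B = r"""
Win32.Trojan.Downloader Object Recognized!
    Rootkey : HKEY_CLASSES_ROOT
    Object  : InetCtls.Inet
BargainBuddy Object Recognized!
    Rootkey : HKEY_USERS
    Object  : S-1-5-21-4444-5555-6666-1005\software\microsoft\windows\currentversion\ext\stats\{d27cdb6e-ae6d-11cf-96b8-444553540000}
Example.Family Object Recognized!
    Rootkey : HKEY_CURRENT_USER
    Object  : software\example\only-on-machine-b
"""

HEADER = re.compile(r"^[ \t]*(\S+) Object Recognized!", re.M)
FIELD = re.compile(r"^[ \t]*(Rootkey|Object)[ \t]*:[ \t]*(.*?)[ \t]*$", re.M)
SID = re.compile(r"^s-1-5-21(?:-\d+){4}(?=\\)")  # per-user prefix under HKEY_USERS

def parse_detections(log_text):
    """Return {(family, rootkey, object)} with case folded and SIDs masked."""
    found = set()
    parts = HEADER.split(log_text)  # [preamble, family, body, family, body, ...]
    for family, body in zip(parts[1::2], parts[2::2]):
        fields = dict(FIELD.findall(body))
        obj = SID.sub("<SID>", fields.get("Object", "").lower())
        if obj:
            found.add((family, fields.get("Rootkey", ""), obj))
    return found

def seen_on_all(reports):
    """Detections present in every report: worth checking as a definitions FP."""
    counts = Counter(d for r in reports for d in parse_detections(r))
    return sorted(d for d, n in counts.items() if n == len(reports))

if __name__ == "__main__":
    for family, rootkey, obj in seen_on_all([REPORT_A, REPORT_B]):
        print(f"{family}: {rootkey}\\{obj}")
```

Masking the SID matters because the same per-user key appears under a different `S-1-5-21-...` prefix on every machine, so an unnormalized comparison would miss the overlap.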
 | reply to dp So what if you've already deleted all these entries and don't have them in quarantine?
Can they be replaced from another source? |
|
 | Same here!
I guess XP's SystemRestore would do the trick  |
|
 antdudeA Ninja AntPremium,VIP join:2001-03-25 United State kudos:4 Reviews:
·RoadRunner Cable
| reply to CalamityJane Me too just now. I ignored them after reading this forum. Thank you! 
Is it me or have there been too many FPs lately?  |
|
 mers2Premium,MVM join:2004-03-20 USA kudos:8 | reply to dp FPs are the reason to always quarantine and not delete. -- Team Discovery
|
|
 | reply to CalamityJane CalamityJane,
There is a new update out this morning (Europe time). I am testing it now and will get back in a few minutes.
Normandie |
|
 kcazzieOne Of Jerry's KidsPremium join:2000-08-13 Morton Grove, IL 2 edits |
said by Normandie: CalamityJane, There is a new update out this morning (Europe time). I am testing it now and will get back in a few minutes. Normandie
Same here in the U.S., also testing... {New update date is 9/13/06}
Edit: Just ended testing new update and all looks just fine on my two PCs... |
|
 1 edit | reply to dp OK, Tested the new update and all is well, no more FP as did the other update. Thanks to all that helped.
Normandie |
|
 ExidorPremium join:2001-05-04 Brampton, ON | reply to dp
Ad-Aware Sept. 13 Update - FP??
ArchiveData(Diaremover.bckp)
Referencefile : SE1R123 13.09.2006
======================================================

DIAREMOVER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : S-1-5-21-357967339-2304659736-1445258045-1005\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863} |
|
 | reply to dp
Re: Ad-Aware Sept. 12 Update - FP??
Thank you all for reporting this False positive. This release fixes False positives in: Adware.AdMedia, TrojanBackdoor.Serv-U, BargainBuddy, Win32.Trojan.Agent, Win32.Trojan.Downloader. |
|
 BuddelIf it ain't broke, don't fix it.Premium join:2004-03-06 EU kudos:3 | reply to dp ~~~INFO ONLY~~~
SE1R123 13.09.2006 Is Now Available, New Definition file for Ad-Aware SE
============================================
Definition file Notification - Lavasoft News
============================================
SE1R123 13.09.2006
This fixes a False Positive in Adware.AdMedia.
This fixes a False Positive in TrojanBackdoor.Serv-U.
This fixes a False Positive in BargainBuddy.
This fixes a False Positive in Win32.Trojan.Agent.
This fixes a False Positive in Win32.Trojan.Downloader.
The MD5 checksum for the defs.ref file is 536bea2c1749341b09b2589bf3cc0143

Additional Information
============================================
You can use Webupdate to install the new reference file, or download it manually from: »download.lavasoft.de.edgesuite.n···defs.zip
If you think something needs to be sent to us for review, visit our submission site at: »www.lavasofthelp.net/submit/
If you have any questions, please contact us at: »www.lavasoftsupport.com
Thanks to everybody who submitted us files for evaluation!
The Lavasoft Research & Development Team
--------------------------------------------
That was really fast. Thanks for fixing the above-mentioned false positives. |
|
 dpPremium,MVM join:2000-12-08 Greensburg, PA kudos:7 | reply to Stoffe
said by Stoffe: Thank you all for reporting this False positive. This release fixes False positives in: Adware.AdMedia TrojanBackdoor.Serv-U BargainBuddy Win32.Trojan.Agent Win32.Trojan.Downloader.
All good here. Thanks for the quick turnaround.
--
Write your questions down on the back of a $20 dollar bill and send them to me
Microsoft MVP/Windows Security 2004-2006 |
|
 | reply to Buddel I'm still a bit puzzled 
I checked my statistics in ad-aware and it said;
Win32.Trojan.Agent ---- Total found 2 --- Total Removed 1
I know you've made a new Definition file, but why, originally, did it only remove one of the two it found?
and on a side note... to the posted reply of ...
quote: mikeStrz(anon) @someip Same here!
I guess XP's SystemRestore would do the trick
I don't have SystemRestore active either |
|
 2 edits | reply to dp Hi,
I didn't know about the trojan downloader false positive.
In panic, I deleted the quarantine file. I don't use System Restore, and disabled Adaware's creation of logs since the first use.
Can anyone put the quarantine file of the trojan downloader false positives on rapidshare? That would be the job of someone from Lavasoft, since quarantines change from user to user. Lavasoft would be kind if it created a "master" quarantine file of all the possible trojan downloader's registry entries.
Thanks a lot. |
|
 Santori3Premium join:2002-01-04 Morton Grove, IL | reply to Exidor
Re: Ad-Aware Sept. 13 Update - FP?? DIAREMOVER
ArchiveData(Diaremover.bckp)
Referencefile : SE1R123 13.09.2006
======================================================

DIAREMOVER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : S-1-5-21-357967339-2304659736-1445258045-1005\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}
I had this one too...Looks like a FP...?... |
|