Topic 'Ad-Aware Sept. 12 Update - FP??' in forum 'Security'

Topic 'Ad-Aware Sept. 12 Update - FP??' in forum 'Security' - dslreports.com http://www.dslreports.com/forum/AdAware-Sept-12-Update-FP-16887509 en Tue, 18 Jun 2013 03:24:49 EDT Tue, 18 Jun 2013 03:24:49 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16906949 All good here too. :)]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16906949 Fri, 15 Sep 2006 05:34:38 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16905315 http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16905315 Thu, 14 Sep 2006 22:06:14 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16901061 http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16901061 Thu, 14 Sep 2006 10:33:42 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16900279 Check for the new reference file on the updates: SE1R123 14.09.2006
»SE1R123 14.09.2006 is now availiable, new definition file for Ad]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16900279 Thu, 14 Sep 2006 06:48:37 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16898182
Diaremover
HKEY_USERS
S-1-5-21-1482476501-2139871995-682003330-1004\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}

Logfile of HijackThis v1.99.1
Scan saved at 5:47:28 PM, on 9/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\LEXBCES.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\lexpps.exe
F:\WINDOWS\system32\svchost.exe
G:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
F:\WINDOWS\system32\notepad.exe
F:\Documents and Settings\Office Admin\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINDOWS\system32\LEXBCES.EXE]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16898182 Wed, 13 Sep 2006 20:50:55 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16897653 Thanks C.J. for the report, and no didn't delete that one either, so will leave it as is.

Antdude,

My detected key was using that update. Internal build 150 though, are you refering to a change in the internal build, or will it be a different definitions.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16897653 Wed, 13 Sep 2006 19:19:27 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16896892 said by Buddel:

~~~INFO ONLY~~~

SE1R123 13.09.2006 Is Now Available, New Definition file for Ad-Aware SE

============================================
Definition file Notification - Lavasoft News
============================================
SE1R123 13.09.2006Thanks. It works fine on my home machine now. :)
--
Ant @ The Ant Farm: »antfarm.ma.cx ... Please do not IM/e-mail me for technical support. Use the forum (I check often)! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16896892 Wed, 13 Sep 2006 17:16:59 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16895385 said by norwegian:

Didn't know of this issue till tonight (here), only got one serious issue, but looking at the rest here, it seems relative to a similar key :-

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Diaremover Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1935655697-1336601894-725345543-1004\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}
Thanks for the reports all. I don't think we had that one last night - but it's been reported now, so please don't delete that one either until Research has had a chance to examine it.
--

It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16895385 Wed, 13 Sep 2006 13:01:06 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16894402
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Diaremover Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1935655697-1336601894-725345543-1004\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16894402 Wed, 13 Sep 2006 10:16:27 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16894266 http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16894266 Wed, 13 Sep 2006 09:54:23 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893823
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : xxx xxxxx@live365[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:xxx xxxxx@live365.com/
Expires : 9-15-2011 7:38:32 AM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1

I have placed this cookie on my "ignore" list many times, but AdAware always detects it anyway.

Thanks. ]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893823 Wed, 13 Sep 2006 08:04:01 EDT Re: Ad-Aware Sept. 13 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-13-Update-FP-16893728
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Diaremover Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-242286658-708711241-2795454051-1008\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1]]> http://www.dslreports.com/forum/Re-AdAware-Sept-13-Update-FP-16893728 Wed, 13 Sep 2006 07:18:20 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893722 72267f6a-a6f9-11d0-bc94-00c04fb67863

**Yesterdays log result using definitions file:SE1R123 12.09.2006:**

quote:
Adware.AdMedia Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1708537768-1897051121-1801674531-1003\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}

**Todays log result using definitions file:SE1R123 13.09.2006:**

quote:
Diaremover Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1708537768-1897051121-1801674531-1003\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}

]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893722 Wed, 13 Sep 2006 07:12:54 EDT Re: Ad-Aware Sept. 13 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-13-Update-FP-16893710 said by Santori3:

DIAREMOVER
ArchiveData(Diaremover.bckp)Referencefile : SE1R123 13.09.2006====================================================== DIAREMOVER»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»obj[0]=Regkey : S-1-5-21-357967339-2304659736-1445258045-1005\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}

I had this one too...Looks like a FP...?...
I had the same thing. Probably another false positive.
--
--
Join Red Room Forum
BLOG tkjunkmail.blogspot.com
My Web Page]]> http://www.dslreports.com/forum/Re-AdAware-Sept-13-Update-FP-16893710 Wed, 13 Sep 2006 07:04:10 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893650 http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893650 Wed, 13 Sep 2006 06:24:28 EDT Re: Ad-Aware Sept. 13 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-13-Update-FP-16893643 ArchiveData(Diaremover.bckp)Referencefile : SE1R123 13.09.2006====================================================== DIAREMOVER»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»obj[0]=Regkey : S-1-5-21-357967339-2304659736-1445258045-1005\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}

I had this one too...Looks like a FP...?...]]> http://www.dslreports.com/forum/Re-AdAware-Sept-13-Update-FP-16893643 Wed, 13 Sep 2006 06:19:49 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893586
I didn't know about the trojan downloader false positive.

In panic, I deleted the quarantine file.
I don't use System Restore, and disabled Adaware's creation of logs since the first use.

Can anyone put in rapidshare, the quarantine file of the trojan downloader false positives? that would be the job of someone from Lavasoft, since quarantines changes from user to user. Lavasoft would be kind, if created a "master" quarantine file of all the possible trojan downloader's registry entries.

Thanks a lot.]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893586 Wed, 13 Sep 2006 05:17:01 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893533
I checked my statistics in ad-aware and it said;

Win32.Trojan.Agent ---- Total found 2 --- Total Removed 1

I know you've made a new Definition file, but why, originally, did it only remove one of the two it found?

and on a side note... to the posted reply of ...

quote:
mikeStrz(anon)
@someip
Same here!

I guess XP's SystemRestore would do the trick

I don't have SystemRestore active either :D ]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893533 Wed, 13 Sep 2006 04:20:38 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893532 said by Stoffe:

Thank you all for reporting this False positive.
This release fixes False positives in:
Adware.AdMedia
TrojanBackdoor.Serv-U
BargainBuddy
Win32.Trojan.Agent
Win32.Trojan.Downloader.
All good here :) Thanks for the quick turnaround.
--
Write your questions down on the back of a $20 dollar bill and send them to me
Microsoft MVP/Windows Security 2004-2006]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893532 Wed, 13 Sep 2006 04:20:19 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893446
SE1R123 13.09.2006 Is Now Available, New Definition file for Ad-Aware SE

============================================
Definition file Notification - Lavasoft News
============================================
SE1R123 13.09.2006

This fixes a False Positive in Adware.AdMedia.
This fixes a False Positive in TrojanBackdoor.Serv-U.
This fixes a False Positive in BargainBuddy.
This fixes a False Positive in Win32.Trojan.Agent.
This fixes a False Positive in Win32.Trojan.Downloader.

The MD5 checksum for the defs.ref file is 536bea2c1749341b09b2589bf3cc0143

Additional Information
============================================
You can use Webupdate to install the new reference file, or download it manually from:
»download.lavasoft.de.edgesuite.n···defs.zip

If you think something needs to be sent to us for review, visit our submission site at:
»www.lavasofthelp.net/submit/

If you have any questions, please contact us at:
»www.lavasoftsupport.com

Thanks to everybody who submitted us files for evaluation!

The Lavasoft Research & Development Team
--------------------------------------------

That was really fast. Thanks for fixing the above-mentioned false positives.]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893446 Wed, 13 Sep 2006 03:14:35 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893437 This release fixes False positives in:
Adware.AdMedia
TrojanBackdoor.Serv-U
BargainBuddy
Win32.Trojan.Agent
Win32.Trojan.Downloader.]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893437 Wed, 13 Sep 2006 03:09:33 EDT Ad-Aware Sept. 13 Update - FP?? http://www.dslreports.com/forum/AdAware-Sept-13-Update-FP-16893436

ArchiveData(Diaremover.bckp)
Referencefile : SE1R123 13.09.2006
======================================================
 
DIAREMOVER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : S-1-5-21-357967339-2304659736-1445258045-1005\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}

]]> http://www.dslreports.com/forum/AdAware-Sept-13-Update-FP-16893436 Wed, 13 Sep 2006 03:08:47 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893394
Normandie]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893394 Wed, 13 Sep 2006 02:43:57 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893388 said by Normandie:

CalamityJane,

There is a new update out, this morning,(Europe Time), I am testing it now and will get back in a few minutes.

Normandie
Same here in the U.S., also testing...{New update Date is 9/13/06}

Edit; Just ended testing new update and all looks just fine on my two PCs... :)]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893388 Wed, 13 Sep 2006 02:41:35 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893380
There is a new update out, this morning,(Europe Time), I am testing it now and will get back in a few minutes.

Normandie]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893380 Wed, 13 Sep 2006 02:36:21 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893371 --
Team Discovery
]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893371 Wed, 13 Sep 2006 02:32:14 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893177
Is it me or have there been too many FPs lately? :(]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893177 Wed, 13 Sep 2006 01:18:52 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893134
I guess XP's SystemRestore would do the trick :D]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16893134 Wed, 13 Sep 2006 01:07:27 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16892500
can they be replaced from another source?]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16892500 Tue, 12 Sep 2006 23:03:57 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16891152
Using definitions file:SE1R123 12.09.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
BargainBuddy(TAC index:8):2 total references
Win32.Trojan.Agent(TAC index:10):1 total references
Win32.Trojan.Downloader(TAC index:10):5 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{48e59293-9880-11cf-9754-00aa00c00908}

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{48e59291-9880-11cf-9754-00aa00c00908}

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{48e59290-9880-11cf-9754-00aa00c00908}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-527237240-1844237615-839522115-1003\software\microsoft\windows\currentversion\ext\stats\{d27cdb6e-ae6d-11cf-96b8-444553540000}

Win32.Trojan.Agent Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Virus
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-527237240-1844237615-839522115-1003\software\microsoft\windows\currentversion\ext\stats\{b45ff030-4447-11d2-85de-00c04fa35c89}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 5

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : inetctls.inet

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : inetctls.inet.1

BargainBuddy Object Recognized!
Type : RegData
Data : no
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 8]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16891152 Tue, 12 Sep 2006 19:45:48 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16891134 Object : clsid\{48e59293-9880-11cf-9754-00aa00c00908}

FP! These two are related to inetctls.inet and are totally valid for at least some VB & VB.Net applications, especially for developers. If you remove them, I bet your VB apps won't run, compile, and/or load properly.

I do not know about the BarginBuddy entry.
{d27cdb6e-ae6d-11cf-96b8-444553540000}

Fortunately I was thinking FPs as soon as I saw these. So I ran full bore Norton AV, SpyBot, Windows Defender, Hijack,etc., none of which found or reported these.
.]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16891134 Tue, 12 Sep 2006 19:42:59 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16890159 --
I base most of my fashion taste on what doesn't itch. ▪Gilda Radner]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16890159 Tue, 12 Sep 2006 16:47:16 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16890075 http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16890075 Tue, 12 Sep 2006 16:34:51 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16890046
ArchiveData(auto-quarantine- 2006-09-12 11-18-18.bckp)
Referencefile : SE1R123 12.09.2006
======================================================

MRU LIST
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=MRU FileReference : C:\Documents and Settings\John R Burns\recent\Desktop.ini
obj[2]=MRU RegReference : software\microsoft\directdraw\mostrecentapplication name
obj[3]=MRU RegReference : S-1-5-21-3818105423-895719299-1048318793-1006\software\microsoft\microsoft management console\recent file list

WIN32.TROJAN.DOWNLOADER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[3]=Regkey : clsid\{48e59293-9880-11cf-9754-00aa00c00908}
obj[4]=Regkey : interface\{48e59291-9880-11cf-9754-00aa00c00908}
obj[5]=Regkey : typelib\{48e59290-9880-11cf-9754-00aa00c00908}
obj[6]=Regkey : inetctls.inet
obj[7]=Regkey : inetctls.inet.1
obj[8]=Regkey : software\microsoft\windows\currentversion\policies\activedesktop]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16890046 Tue, 12 Sep 2006 16:29:40 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889994 http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889994 Tue, 12 Sep 2006 16:23:05 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889973 said by sashwa:

Janie, both those Dword values of those entries are 4.

Also, I'm not using Eric Howe's IESPYAD. I do use Spybot immunization though. So maybe Spybot has them listed too.
Ok, a 4 is good. Whatever put it there has put that site into the IE restricted zone. :) So don't "fix it", it's a FP, too.
--

It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889973 Tue, 12 Sep 2006 16:20:43 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889895
Also, I'm not using Eric Howe's IESPYAD. I do use Spybot immunization though. So maybe Spybot has them listed too. ]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889895 Tue, 12 Sep 2006 16:10:36 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889487 two three Mokey2000. The ones that are id'd as:
Win32.Trojan.Downloader

I have not seen any reports of the ones seen as Alexa being an FP

Edit: Can't count :)]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889487 Tue, 12 Sep 2006 14:58:15 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889445
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{48e59293-9880-11cf-9754-00aa00c00908}

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{48e59291-9880-11cf-9754-00aa00c00908}

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{48e59290-9880-11cf-9754-00aa00c00908}

Alexa Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuStatusBar

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Script

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : clsid

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Icon

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : HotIcon

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : ButtonText

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 11
Objects found so far: 11

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11
--
Hybrid System, DW3000 Modem, AOL+ Grey Dish, SatMex5 1230, Gateway 66.82.156.161, 4.2.1.10, Win98se]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889445 Tue, 12 Sep 2006 14:51:50 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889218
Win32.Trojan.Agent
BargainBuddy

And additionally in Sashwa's log, these two which are probably from Eric Howe's IESPYAD in the restricted zone. I had these yesterday in the beta release and reported them, but maybe they missed my report. In any case these are FPs too, I'm pretty sure (I had the same ones)

obj[9]=Regkey : software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net

obj[10]=Regkey : software\microsoft\windows\currentversion\internet settings\zonemap\domains\mmohsix.com

Check the dword value on those keys Sash and if they are a 4 then that is ok :)
--

It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889218 Tue, 12 Sep 2006 14:19:19 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889166 http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889166 Tue, 12 Sep 2006 14:11:18 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889162
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{48e59293-9880-11cf-9754-00aa00c00908}

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{48e59291-9880-11cf-9754-00aa00c00908}

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1710738407-720897496-4103935507-1005\software\classes\typelib\{48e59290-9880-11cf-9754-00aa00c00908}

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{48e59290-9880-11cf-9754-00aa00c00908}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1710738407-720897496-4103935507-1005\software\microsoft\windows\currentversion\ext\stats\{d27cdb6e-ae6d-11cf-96b8-444553540000}

Win32.Trojan.Agent Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Virus
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1710738407-720897496-4103935507-1005\software\microsoft\windows\currentversion\ext\stats\{b45ff030-4447-11d2-85de-00c04fa35c89}

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : inetctls.inet

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : inetctls.inet.1

BargainBuddy Object Recognized!
Type : RegData
Data : no
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

Win32.Trojan.Agent Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Virus
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\explorer\advanced
Value : Start_ShowRun]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889162 Tue, 12 Sep 2006 14:10:56 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889059
Thanks, have restored them and now will wait and see.

Have a good day,
Normandie]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889059 Tue, 12 Sep 2006 13:55:28 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889006
Look in your quarantine list and restore them from there. I'm pretty sure these are FPs so let's wait to see before you remove anything permanently.

Open your quarantine list from the main screen. Locate the items removed on the last scan and rightclick the item in the list. Then choose *Restore selected*
--

It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16889006 Tue, 12 Sep 2006 13:49:18 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16888941
Remove them from quarantine or just let them sit for awhile?

Thanks,
Jerry]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16888941 Tue, 12 Sep 2006 13:41:32 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16888895
ArchiveData(auto-quarantine- 2006-09-12 09-02-23.bckp)
Referencefile : SE1R123 12.09.2006
======================================================

WIN32.TROJAN.DOWNLOADER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : clsid\{48e59293-9880-11cf-9754-00aa00c00908}
obj[1]=Regkey : interface\{48e59291-9880-11cf-9754-00aa00c00908}
obj[2]=Regkey : typelib\{48e59290-9880-11cf-9754-00aa00c00908}
obj[7]=Regkey : inetctls.inet
obj[8]=Regkey : inetctls.inet.1

ADWARE.ADMEDIA
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[3]=Regkey : S-1-5-21-1348100749-3355621399-706083027-1006\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}
obj[9]=Regkey : software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net
obj[10]=Regkey : software\microsoft\windows\currentversion\internet settings\zonemap\domains\mmohsix.com

BARGAINBUDDY
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[4]=Regkey : S-1-5-21-1348100749-3355621399-706083027-1006\software\microsoft\windows\currentversion\ext\stats\{d27cdb6e-ae6d-11cf-96b8-444553540000}
obj[11]=RegData : software\microsoft\internet explorer\main "Use Search Asst"

WIN32.TROJAN.AGENT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[5]=Regkey : S-1-5-21-1348100749-3355621399-706083027-1006\software\microsoft\windows\currentversion\ext\stats\{b45ff030-4447-11d2-85de-00c04fa35c89}
obj[12]=RegValue : software\microsoft\windows\currentversion\explorer\advanced "Start_ShowRun"

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[6]=IECache Entry : Cookie:XXXXXX@apmebf.com/
--
Team Helix ~ Extended Pacific Northwest ~ Northern California]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16888895 Tue, 12 Sep 2006 13:37:03 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16888769
Thanks,
Normandie (formerly "GuestFromFrance")]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16888769 Tue, 12 Sep 2006 13:21:47 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16888736
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{48e59293-9880-11cf-9754-00aa00c00908}

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{48e59291-9880-11cf-9754-00aa00c00908}

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{48e59290-9880-11cf-9754-00aa00c00908}

Adware.AdMedia Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-242286658-708711241-2795454051-1008\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-242286658-708711241-2795454051-1008\software\microsoft\windows\currentversion\ext\stats\{d27cdb6e-ae6d-11cf-96b8-444553540000}

Win32.Trojan.Agent Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Virus
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-242286658-708711241-2795454051-1008\software\microsoft\windows\currentversion\ext\stats\{b45ff030-4447-11d2-85de-00c04fa35c89}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 6
Objects found so far: 6

i didn't remove anything...THANKS for heads-up! :)]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16888736 Tue, 12 Sep 2006 13:17:09 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16888297 said by CalamityJane:

Hello GuestFromFrance,

Those are most likely false postives. Just ignore them for now until Lavasoft Research has a chance to look at these, and then issue a corrected update. :)
I got those FPs as well and removed them. Was there any problem with that?]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16888297 Tue, 12 Sep 2006 12:13:39 EDT Re: Ad-Aware Sept. 12 Update - FP?? http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16888283
Those are most likely false postives. Just ignore them for now until Lavasoft Research has a chance to look at these, and then issue a corrected update. :)]]> http://www.dslreports.com/forum/Re-AdAware-Sept-12-Update-FP-16888283 Tue, 12 Sep 2006 12:11:19 EDT