altermatt
Premium Member
join:2004-01-22
White Plains, NY

Spywareinfo's online scan?

A family member is a techie by career, and was on the phone with MS regarding the hosing of his machine (no RealTek) by the latest patch, and the MS rep told him to run the online spyware scan at »www.spywareinfo.com/xscan.php . He's VERY security savvy, running well-thought of apps (including Webroot SpySweeper) which have never found anything, yet that scan found a bunch of stuff. He thought that meant it was good and suggested I try.

I'm even more careful and have never had an infection of any kind. So I ran the scan (not the installable ActiveX control but the non-downloadable one) and was disturbed to find it popped up with a bunch of suspicious files it wanted to fix. Including saying it detected HotBar in---get this---a shortcut on my desktop! That's just silly, but the other "detections" were in CLSIDs, etc. and more troublesome. It also said it detected the service IPRIP running (which can be a backdoor), but there is no such service running anywhere.

I didn't trust this enough to let it "fix" things. I can't believe all the top security software all miss these things and this online scan suddenly finds them. Does anyone have experience with this tool and can comment? If they're legit, and SpySweeper, SAV, KAV, BOClean, etc. are all missing these, it would certainly indicate a problem! Color me doubtful, but open to learning.

norwegian
Premium Member
join:2005-02-15
Outback

Thanks for the link altermatt.

Gave the ActiveX a run, and found it just requires downloading

mscoree.dll
mscorie.dll
wmhelper.dll
javacypt.dll
msjava.dll

Then once installed, ran the tool and it has the same detection of Smiley that has been around for as long as I can remember. Here's a link at Kaspersky about it

»forum.kaspersky.com/lofi ··· 138.html

I would like to know more on this. It hasn't found anything else, nor has anything else found this Smiley adware in all the tested software that has run here.

The program it came from seems a really good tool for keeping cleaning maintenance done, but spyware scanner, not so sure. I'll wait till someone with more knowledge on this subject can comment before passing judgement.

dadkins
Can you do Blu?
MVM
join:2003-09-26
Hercules, CA

2 edits

dadkins to altermatt

X-Cleaner?
Get the free version and run it from your machine:

»www.techspot.com/downloa ··· ree.html

BTW, the X-Cleaner scan that you linked to at SpywareInfo... it found Proven Tactics(Comcast Toolbar) - nothing else.
I'm ok with that.
The freeware X-Cleaner has been in my toolbox for years.

altermatt
Premium Member
join:2004-01-22
White Plains, NY

said by dadkins:

X-Cleaner?
Get the free version and run it from your machine:

Well, the site says this tool is exactly the same as the free version of X-Cleaner, so my concerns and original question still stand: since every other security app finds nothing, nada, on any of the three machines (all very securely run) tested, and this tool finds lots of very strange and scary stuff (including HotBar in a shortcut, which as far as I know is impossible), is this really a reliable tool? And if so, why isn't this making headline news that all the well-known apps are missing so many things? I'm used to different apps sometimes picking up one or two things another app doesn't, but this was really over-the-top.

So open to assessments of how likely it is that what they found is really malware especially considering the anomalies I mention in the first post. Thanks.

dadkins
Can you do Blu?
MVM
join:2003-09-26
Hercules, CA

2 edits

Proven Tactics - Comcast Toolbar
*Here* it finds only the Proven Tactics BHO - aka the Comcast Toolbar. I have the Comcast Toolbar... I installed it.
Nothing else is found.

I can't call it on the other apps, but I have used X-Cleaner for years. Since X-Cleaner gives you the path, look for them manually and see if they are there.

»www.spywareguide.com/pro ··· 6&from=4

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

1 recommendation

Name Game to altermatt

I ran it for you in the active X..found nothing on my winxp Sp2 laptop.

dadkins
Can you do Blu?
MVM
join:2003-09-26
Hercules, CA

said by Name Game:

I ran it for you in the active X..found nothing on my winxp Sp2 laptop.

Yep!

norwegian
Premium Member
join:2005-02-15
Outback

1 recommendation

norwegian to dadkins

said by dadkins:

Since X-Cleaner gives you the path, look for them manually and see if they are there.

This has to be a bonus. Something I like too.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game to altermatt

RIP

»www.vernalex.com/tools/s ··· Listener

Name Game to altermatt

Hotbar has lots of desktop stuff BTW

»www.google.com/search?hl ··· e+Search

bettywont
Premium Member
join:2004-09-11
Montreal, QC

bettywont to altermatt

I find it odd MS is not recommending their own ''WINDOWS DEFENDER''. I personally have a list of trusted spyware detection programs and have tested many that gave false positives. The one that had the most F/P's in my testing is SPYWARE DOCTOR; it would be interesting to see what they detected for analogy. Please post the comparisons if you wish to.

dadkins
Can you do Blu?
MVM
join:2003-09-26
Hercules, CA

3 edits

dadkins to Name Game

said by Name Game:

Hotbar has lots of desktop stuff BTW

»www.google.com/search?hl ··· e+Search

Also, I think Oberon Media (free games) is owned/partnered with HotBar...

»www.hotbargames.com/priv ··· cy&lc=en

Play freebie games?
Get them at MSN? Pogo? Verizon?
»corp.oberon-media.com/gc_5.asp

That would be your HotBar.

Elite
Kiss My Ass
join:2002-10-03
New Haven, CT
Synology RT2600ac
TP-Link TC-7650
ARRIS SB8200

1 edit

Elite to altermatt

This program is crap. I've never seen something produce so many FPs before. On my very secure setup, with an install of Windows from under a month ago, it supposedly thought I had BonzaiBuddy installed according to a CLSID it found. Scans with both Ad-aware and Super Antispyware bring back 0 results. Googling of the CLSID it detected shows it to be a former FP with a few products, including Ad-Aware.

dadkins
Can you do Blu?
MVM
join:2003-09-26
Hercules, CA

Odd, didn't find that here...
3 month old computer here with ALL updates.

Do you have the entire path to this supposed nasty?

Elite
Kiss My Ass
join:2002-10-03
New Haven, CT
Synology RT2600ac
TP-Link TC-7650
ARRIS SB8200

2 edits

Elite to altermatt

There was no path. Just a few reg keys. Checked out the reg keys, they don't point anywhere.
For anyone interested:
Detected BonziBuddy:
CLSIDs (1) :
{decc98e1-ec4e-11d2-93e5-00104b9e078a}

Registry Keys (2) :
HKEY_CLASSES_ROOT\interface\{decc98e1-ec4e-11d2-93e5-00104b9e078a}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{decc98e1-ec4e-11d2-93e5-00104b9e078a}

Both these CLSIDs have 1 key called "ISSImage", then there are a few subkeys under the CLSIDs with just as little data. No paths or files at all.

dadkins
Can you do Blu?
MVM
join:2003-09-26
Hercules, CA

Don't know what to tell you friend... X-Cleaner finds nothing out of the ordinary here except the Comcast Toolbar... that's here on purpose.

Those keys don't exist here. On any of my machines.

altermatt
Premium Member
join:2004-01-22
White Plains, NY

Thanks to all for the varying responses. Apparently, some are finding a lot of false positives, others have no problem whatsoever. I got curious when he reported a bunch of stuff found on his machine when I know he's pretty careful, so thought I'd use it on mine, figuring NOTHING would come up, and was distressed to see a LOT of strange stuff (well, I consider 5 a lot!). And when one was to a SHORTCUT (not to the game itself, which I could understand, but to the shortcut to the folder in which the game LINK is (didn't peep on the folder that the game actually is in, just the one with the shortcut to the folder with the shortcut!)), I got suspicious.

I don't have IPRIP running, either, though I know it can be both a legit service and a nasty---it just isn't listed in my Services.

And the rest were CLSIDs that were indicating VERY bad (and well-known) trojans and backdoors that I would have expected one of the security apps here to have picked up long before this. I'm really hesitant to trust these, since they look like FPs, yet it bothers me to think I've got anything nasty here when I'm so careful!

Hence, still open to hearing more, and will run the tool again from an admin account instead of a power user in case the FPs were due to not being able to access everything in the reg. (doubtful, but worth a try).

Thanks!!
altermatt

altermatt
Premium Member

LATE UPDATE: Despite finding reports elsewhere of FPs with this tool (I always check here first), the assurances of some here made me decide to try running the scan again, from my admin account, and letting it fix everything. Of course, I did a True Image first, as well as letting it make a Restore Point.

Each time it found a CLSID with a supposed nasty in there, I let it "Remove", carefully copying the info to a notepad file just in case. The only thing I wouldn't let it do is the "IPRIP" service---I do have RIP Listener (a standard MS service) listed in services, but it is disabled and not running, and there is no "IPRIP" listed as such. And I just didn't trust it to remove an entire service, especially one that doesn't exist. But when it said it found When UU control and CoolWebSearch in CLSIDs (again, common yet never found here by any other tool), I let it go ahead and remove; same with the supposed HotBar it found in the LINK to the games folder on my desktop (not in the games folder itself, which contains mainly boring common games).

To its credit, so far nothing seems broken. The only negative is that it said it had to reboot and did so before I could save my notepad file, so my "failsafe" listing of all changes was gone. I redid the scan and all it found was the SweetBar in IPRIP thing, which I left alone until I can do some more research on why this should show up.

Thanks all for your help. Any further comments, pro or con, greatly appreciated. I still think this gives a lot of FPs, and am leery of recommending it to rookies who might not be comfortable researching each thing and being careful to do this with belt and suspenders.

Just Bob
Premium Member
join:2000-08-13
Spring Hill, FL

You may want to look this over and see if you have any of the files or registry entries. If you do, I'd recommend taking your problem to the cleanup forum.
»www.sarc.com/avcenter/ve ··· gof.html

superspy2000
@5-13.keymachine.de

1 recommendation

superspy2000 to dadkins

Anon
Hey Dadkins isn't that download of X-cleaner free a bit old now? Here: »www.techspot.com/downloa ··· ree.html
I think the latest so-called free versions are 30 day trial though, so maybe that's why you're recommending an older free version?

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

1 recommendation

Name Game to altermatt

said by altermatt:

LATE UPDATE: Despite finding reports elsewhere of FPs with this tool (I always check here first), the assurances of some here made me decide to try running the scan again, from my admin account, and letting it fix everything. Of course, I did a True Image first, as well as letting it make a Restore Point.

Each time it found a CLSID with a supposed nasty in there, I let it "Remove", carefully copying the info to a notepad file just in case. The only thing I wouldn't let it do is the "IPRIP" service---I do have RIP Listener (a standard MS service) listed in services, but it is disabled and not running, and there is no "IPRIP" listed as such. And I just didn't trust it to remove an entire service, especially one that doesn't exist. But when it said it found When UU control and CoolWebSearch in CLSIDs (again, common yet never found here by any other tool), I let it go ahead and remove; same with the supposed HotBar it found in the LINK to the games folder on my desktop (not in the games folder itself, which contains mainly boring common games).

To its credit, so far nothing seems broken. The only negative is that it said it had to reboot and did so before I could save my notepad file, so my "failsafe" listing of all changes was gone. I redid the scan and all it found was the SweetBar in IPRIP thing, which I left alone until I can do some more research on why this should show up.

Thanks all for your help. Any further comments, pro or con, greatly appreciated. I still think this gives a lot of FPs, and am leery of recommending it to rookies who might not be comfortable researching each thing and being careful to do this with belt and suspenders.

I suggest to you the following:

1. If you would have let X-cleaner do everything it called out it would not have broken your system.
2. Even though you have all those other Security products mentioned that you felt had done a good job in protecting you and therefore x-cleaner was full of beans..I suggest to you that all the security products and after the fact scanners you do have that might have cleaned up malware or a badboy in the past..all some really do is DISABLE the crap so it does NOT run..that is their main job...and in doing so they still leave bits of crap from the original exploit on your PC..some clean up more of it than others..so continue your research..but I think you will find the bits it called out were legit..but not really active. In the past people have found the same scenario matching off LavaSoft Adaware against Spybot S&D.

dadkins
Can you do Blu?
MVM
join:2003-09-26
Hercules, CA

dadkins to altermatt

^^^What Name Game Said!^^^

Likely traces that were leftover from a previous cleaning by - ???.

I still feel it is a good idea to have *ALL* the bad guys - and ALL the traces (running or not) removed from the machine(s)

*MY* scan found a toolbar that *I* put on here - Good Lookin Out!
NOTHING else is found on here...

I can uninstall the toolbar and it will find nada.

altermatt
Premium Member
join:2004-01-22
White Plains, NY

2 recommendations

altermatt to Name Game

said by Name Game:

If you would have let X-cleaner do everything it called out it would not have broken your system.

As I mentioned, I DID let it remove everything except the IPRIP, and yes, everything seems to be working fine.

said by Name Game:

all some really do is DISABLE the crap so it does NOT run...and in doing so they still leave bits of crap from the original exploit on your PC..I think you will find the bits it called out were legit..but not really active.

That's a good take on this; thanks! From what you say, chances are these were "traces" that weren't harmful, but I'm glad to have them off the system anyway. So I'm feeling better about this tool, definitely. That said, would still be careful recommending this to rookies who might not be willing to think before removing, including doing a bit of research, and who might not have an image and/or system restore at the ready.

Again, thanks all.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

1 recommendation

said by altermatt:
said by Name Game:

If you would have let X-cleaner do everything it called out it would not have broken your system.
As I mentioned, I DID let it remove everything except the IPRIP, and yes, everything seems to be working fine.
said by Name Game:

all some really do is DISABLE the crap so it does NOT run...and in doing so they still leave bits of crap from the original exploit on your PC..I think you will find the bits it called out were legit..but not really active.
That's a good take on this; thanks! From what you say, chances are these were "traces" that weren't harmful, but I'm glad to have them off the system anyway. So I'm feeling better about this tool, definitely. That said, would still be careful recommending this to rookies who might not be willing to think before removing, including doing a bit of research, and who might not have an image and/or system restore at the ready.

Again, thanks all.

And for that reason..many of us like the download and installed type programs..and especially those that will do an autobackup of what you decide to delete..in a .reg file..that can then be clicked on to reinstall or repair.

Some are not foolproof..but it beats hunting on the internet to find a missing .dll etc.

anony101
@bellsouth.net

1 recommendation

anony101 to altermatt

Anon
For the record, I ran the activex control from a 3 year old clean windows installation and it found nothing.

Woody79_00
I run Linux am I still a PC?
Premium Member
join:2004-07-08
united state

If you really wanna know if your machine is infected with anything or not, I would scan with this online tool

then go to »www.emsisoft.com/en/soft ··· re/free/ and download a2 free edition

it has over 660,000+ malware/rootkits/spyware/trojans in its most current database

if A2 doesn't return any results, then your machine is clean. A2 is primarily an Anti-Trojan/anti-rootkit, but it does have a comprehensive Antispyware, as well as its "trace" scanning is superb, and its heuristics will report suspicious files, and if you wish you can submit them and the A2 team will respond promptly if it's bad or not

I have been using A2 for years, it's that good of a product. I have worked on many machines where Kaspersky, McAfee, Symantec, Spy-bot, and every other program out there says the machine is clean, yet the machine is running terribly; run A2 on the machine, it finds everything the others won't and fixes it like new. It is awesome, I am running the paid version next to McAfee and I must say, it is an excellent set up

The only difference between the free version and paid version is "Real-time protection"; the free version uses the same engine and database updates as the paid version

download and install A2, update it, and run a deep scan on your PC and post the results or let me know if A2 finds anything

dadkins
Can you do Blu?
MVM
join:2003-09-26
Hercules, CA

AVG/Ewido has 735,319 currently... but -

No single security app catches 100%.
No single security app will detect all traces.
This is why *I* scan with a boatload of scanners weekly. I'm more likely to *NOT* have malware than most.

Running, dormant, archived, traces, whatever... it all gets removed!

YMMV.

Mowergun
join:2004-02-15
Charleston, IL

Mowergun to altermatt

May I suggest an experiment? With current updates, make sure that full immunization is applied by both Spywareblaster and Spybot S&D. Then run Xcleaner and let it fix all that it finds. Then open Spywareblaster and Spybot S&D in turn and check to see if any immunization has been removed.

Mowergun
Member

The point of my suggested experiment is to see if Xcleaner is mis-identifying kill bits as malicious CLSIDs.
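
As an added example (not X-Cleaner's code and not from any poster), here is a PowerShell triage script for the two situations the thread raises: Elite's reported CLSID whose registry keys "don't point anywhere", and Mowergun's suspicion that immunization kill bits are being reported as malicious CLSIDs. It classifies a scanner-reported CLSID by where it actually appears in the registry: a live COM registration with a server binary, an orphaned registration, interface/typelib stubs only, or a kill-bit entry of the kind SpywareBlaster and Spybot immunization write under the ActiveX Compatibility key. Function and variable names are mine; the CLSID in the usage line is the one Elite quoted above. Run it from an elevated prompt so all hives are readable.

```powershell
# Added example (not X-Cleaner's code). Classify where a scanner-reported CLSID
# actually lives in the registry so a detection can be triaged before removal.
function Get-ClsidFootprint {
    param([Parameter(Mandatory)][string]$Clsid)
    # Normalise to {guid} form so the same key paths work regardless of input style.
    $guid = '{' + $Clsid.Trim('{', '}').ToLower() + '}'
    # Registry roots a COM component, an interface stub, or an immunization kill bit can occupy.
    # On 64-bit Windows the 32-bit view of the kill-bit key sits under Wow6432Node.
    $paths = [ordered]@{
        'CLSID'        = "Registry::HKEY_CLASSES_ROOT\CLSID\$guid"
        'Interface'    = "Registry::HKEY_CLASSES_ROOT\Interface\$guid"
        'TypeLib'      = "Registry::HKEY_CLASSES_ROOT\TypeLib\$guid"
        'KillBit'      = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$guid"
        'KillBitWow64' = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$guid"
    }
    $found = [ordered]@{}
    foreach ($name in $paths.Keys) {
        $found[$name] = Test-Path -LiteralPath $paths[$name]
    }
    # A real component points at a server binary; record whether that file still exists.
    $serverPath = $null; $serverExists = $false
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        $key = Join-Path $paths['CLSID'] $sub
        if (Test-Path -LiteralPath $key) {
            $default = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($default) {
                # Drop a trailing switch such as "/Automation" and surrounding quotes, then expand %vars%.
                $serverPath = [Environment]::ExpandEnvironmentVariables((($default -replace '\s+/\w+$', '').Trim('"')))
                $serverExists = Test-Path -LiteralPath $serverPath
            }
        }
    }
    # A kill bit is "Compatibility Flags" with bit 0x400 set; that is all immunization tools write there.
    $killBitSet = $false
    foreach ($kb in 'KillBit', 'KillBitWow64') {
        if ($found[$kb]) {
            $flags = (Get-ItemProperty -LiteralPath $paths[$kb] -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($flags -band 0x400) { $killBitSet = $true }
        }
    }
    $verdict = if ($serverExists) { 'ACTIVE: registered COM server with binary on disk' }
               elseif ($serverPath) { 'ORPHAN: registration points at a missing file' }
               elseif ($killBitSet -and -not $found['CLSID']) { 'IMMUNIZATION: kill bit only, no component registered' }
               elseif ($found['Interface'] -or $found['TypeLib']) { 'STUB: interface/typelib entries only, no server path' }
               else { 'ABSENT: nothing found for this CLSID' }
    [pscustomobject]@{
        Clsid        = $guid
        Present      = ($found.GetEnumerator() | Where-Object Value | ForEach-Object Key) -join ','
        ServerPath   = $serverPath
        ServerExists = $serverExists
        KillBitSet   = $killBitSet
        Verdict      = $verdict
    }
}
# The CLSID Elite posted above as a reported BonziBuddy hit.
Get-ClsidFootprint -Clsid '{decc98e1-ec4e-11d2-93e5-00104b9e078a}' | Format-List
```

A verdict of IMMUNIZATION or STUB means removing the entry disables nothing that was running, which is the distinction Name Game draws between leftover "bits" and an active infection; ACTIVE or ORPHAN is where the server path is worth looking at before deciding.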

Elite
Kiss My Ass
join:2002-10-03
New Haven, CT

Elite to altermatt

Still convinced that what it found on my machine was an FP, minus the fact that nobody else has the same FP.

In regedit do a search for the string "ISSImage". Anything come up?