Gem
Premium Member
join:2005-09-10

1 recommendation

Gem to abcGuY

Premium Member

to abcGuY

Re: AdAware - trying to download today's defs...

said by abcGuY:

I've been getting the SpywareNO as well. However, other scanners like spysweeper, ewido, spybot have not picked it up when I scanned. Is anyone 100% sure that this is a false positive?

Also I am unable to delete the reg keys using Ad-aware.
If it is the FP, it doesn't hurt much to let AdAware remove the registry keys and quarantine them. You can always add them back if desired.

If AdAware can't delete the items or if they automatically come back, you may have the real thing on your computer.

If you Google the items found, the results will show you what the real Spyware No is and what else it adds to your computer. If none of the other files shown are added on your machine it might be that you have the FP instead.

Either way, you could send the AdAware log to LS Steve (see his post above) or email them to research@lavasoft.de (check address from Steve's post).

And you could post a list of the registry keys found in your scan here for someone to examine. If you do, they may want you to later post the values in the keys as well.

I don't think the key values show up in the AdAware logs, but if you are comfortable with the registry you can export a copy of the keys to your My Documents (or whatever folder).

Then change the extension of the files from ".reg" to ".txt". Once changed, you can open the files as text documents and post the contents here in your message.
abcGuY
join:2005-03-11
Scarborough, ON

abcGuY

Member

SpywareNo Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-854245398-1960408961-839522115-1003\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}

SpywareNo Object Recognized!
Type : RegData
Data : 2
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\desktop\general
Value : WallpaperStyle
Data : 2

SpywareNo Object Recognized!
Type : RegData
Data : 2
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : control panel\desktop
Value : WallpaperStyle
Data : 2

SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\desktop\components
Value : GeneralFlags
Data : 0

Thanks gem. If anyone wants to help here are the items detected by Ad-aware.
Gem
Premium Member
join:2005-09-10

Gem

Premium Member

said by abcGuY:

SpywareNo Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-854245398-1960408961-839522115-1003\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}

Thanks gem. If anyone wants to help here are the items detected by Ad-aware.
Okay, if you are comfortable with the registry, export the above key to your my documents folder.

Then change the extension to a ".txt" file.

Then open in notepad. Then cut and paste it into a new post and post it here.

It will be a while before I can get back to the computer to compare the contents of your file with mine and let you know the result.
abcGuY
join:2005-03-11
Scarborough, ON

abcGuY

Member

Key Name: HKEY_USERS\S-1-5-21-854245398-1960408961-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72267F6A-A6F9-11D0-BC94-00C04FB67863}
Class Name:
Last Write Time: 10/2/2006 - 21:49

Key Name: HKEY_USERS\S-1-5-21-854245398-1960408961-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72267F6A-A6F9-11D0-BC94-00C04FB67863}\iexplore
Class Name:
Last Write Time: 10/2/2006 - 21:54
Value 0
Name: Type
Type: REG_DWORD
Data: 0x1

Value 1
Name: Count
Type: REG_DWORD
Data: 0xa

Value 2
Name: Time
Type: REG_BINARY
Data:
00000000 d6 07 02 00 06 00 0b 00 - 02 00 36 00 17 00 4b 03 Ö.........6...K.
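
Added example, not part of the original thread: the `Time` value in the export above is 16 bytes, the size of a Windows SYSTEMTIME structure. Assuming that layout (the thread does not state the format), this Python code decodes the posted bytes and cross-checks the day-of-week field against the date; the function names are hypothetical.

```python
import re
import struct
from datetime import datetime

# Hex-dump line copied from the export posted above (value "Time", REG_BINARY).
EXPORT_LINE = "00000000 d6 07 02 00 06 00 0b 00 - 02 00 36 00 17 00 4b 03 Ö.........6...K."

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def bytes_from_dump_line(line):
    """Return the data bytes of one regedit text-export dump line."""
    out = bytearray()
    for tok in line.split()[1:]:          # skip the offset column
        if tok == "-":                    # separator between the two 8-byte halves
            continue
        if not HEX_BYTE.match(tok) or len(out) == 16:
            break                         # reached the ASCII column
        out.append(int(tok, 16))
    return bytes(out)


def decode_systemtime(raw):
    """Decode 16 bytes as SYSTEMTIME (assumed layout for this value)."""
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME is exactly 16 bytes")
    # Eight little-endian WORDs: year, month, day of week, day, h, m, s, ms.
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    # datetime() raises ValueError on impossible dates or times.
    stamp = datetime(year, month, day, hour, minute, second, ms * 1000)
    # SYSTEMTIME counts Sunday as 0; isoweekday() counts Sunday as 7.
    if stamp.isoweekday() % 7 != dow:
        raise ValueError("day-of-week field does not match the date")
    return stamp


def decode_export_line(line):
    """Parse one dump line and decode it in a single step."""
    return decode_systemtime(bytes_from_dump_line(line))


if __name__ == "__main__":
    print(decode_export_line(EXPORT_LINE).isoformat())
```

A decoded stamp that agrees with the key's Last Write Time in the same export, allowing for time zone, supports the SYSTEMTIME reading.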

Corrine
Premium Member
join:2004-08-27

Corrine to Buddel

Premium Member

to Buddel

Active Desktop.

You may want to take a look at the regedit by LonnyRJones (Post #27) here: »forums.spybot.info/showt ··· post2137

If you are going to edit the registry, be sure to back it up first:

Please back up the registry before editing.

Windows 95, Windows 98, and Windows Me: »support.microsoft.com/de ··· d=322754
Windows NT 4.0: »support.microsoft.com/de ··· d=323170
Windows 2000: »support.microsoft.com/de ··· d=322755
Windows XP and Windows Server 2003: »support.microsoft.com/de ··· d=322756

parputt
Premium Member
join:2001-11-25
New Iberia, LA

parputt to Corrine

Premium Member

to Corrine

Re: AdAware - trying to download today's defs...

said by Corrine:

Just for kicks, I updated and ran a scan. Steve, I can assure you that I do not have SpywareNo on my system. But the latest Def File thinks that I do.

Sorry, smells like a f/p to me.

I got the same thing and am as sure as Corrine that my system is clean. I say f/p also.
Gem
Premium Member
join:2005-09-10

1 edit

Gem to abcGuY

Premium Member

to abcGuY
abcGuY,
Three of the four registry entries AdAware identified on your computer as Spyware No
are the same as the three that were identified by AdAware on my own.

One of those is the key:
"HKEY_USERS\S-1-5-21-xxx\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
{72267F6A-A6F9-11D0-BC94-00C04FB67863}\iexplore"

The values we have for the key are also the same, although the content is different.

In my case, I believe it is a false positive because:

1) none of the other malware scanners, including those you named, picked up "Spyware NO",
2) the computer is not misbehaving in any way, and
3) none of the files related to Spyware No as reported in the various online virus and
malware encyclopedias found by Google are present on the computer.

You might therefore, want to Google the partial registry entry for
"{72267F6A-A6F9-11D0-BC94-00C04FB67863}"
and compare what you have with what is found there.

If you have none of the misbehavior described, and none of the related files,
you could choose to have AdAware ignore the item for now.

OR:

Ask the mods to allow you to start a new thread to get more attention on your item, OR

IM Corrine and ask her what she is recommending with the registry modification to the
Active Desktop keys as shown in the link she posted in her reply.

[LS SteveJ's post earlier indicated part of the issues with the possible False Positive
associated with Spyware No had to do with Active Desktop]

{edited in attempt to get this to display on standard screen without horizontal scrolling}

Corrine
Premium Member
join:2004-08-27

Corrine

Premium Member

said by Gem:

abcGuY,
IM Corrine and ask her what she is recommending with the registry modification to the
Active Desktop keys as shown in the link she posted in her reply.
Well, no, I wouldn't suggest that as I don't provide advice via PM. I also do not recommend registry edits without a backup. I do trust a recommendation made by Lonny. He is very knowledgeable. Another alternative is provided in the link below.

Kellys Korner, "16. Active Desktop - Enable or Disable" at »www.kellys-korner-xp.com ··· eaks.htm

If you are not having problems with your PC, your desktop has not been hijacked, then either add the two AAW findings to the ignore list or wait for the next update. On the other hand, if you would like an Ad-Aware log reviewed, we would be happy to take a look. You can also post a HijackThis log in the new cleanup forum »Security Cleanup

Jimbo406
Premium Member
join:2001-01-07
New York, NY

1 recommendation

Jimbo406 to Buddel

Premium Member

to Buddel
Count me in as well:

SPYWARENO
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : S-1-5-21-1606980848-682003330-839522115-1004\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}
abcGuY
join:2005-03-11
Scarborough, ON

1 recommendation

abcGuY to Buddel

Member

to Buddel
Corrine, I tried the recommendations by Lonny. They didn't work. So I will try the ones by Kellys Korner soon and I will post back with a reply.

I am not having any noticeable problems with my PC and I can freely change my wallpaper.

Corrine
Premium Member
join:2004-08-27

Corrine to Profixer

Premium Member

to Profixer
said by Profixer:

We will adjust our definitions accordingly... thanks guys!
Thanks, Steve. There have been several posts at Castle Cops as well as a couple at Freedomlist with the f/p as well.

McFirefox
@dialin.msh.de

McFirefox to Buddel

Anon

to Buddel
Could be it's a fault of Ad-Aware.
If spywareno hides the desktop icons, it sets the registry entry to hidden. If that part of the action is used to identify spywareno, everyone who has hidden desktop icons sees a trojan, as I do. See also »www.microsoft.com/commun ··· &m=1&p=1

fatdcuk
Premium Member
join:2005-02-20
England

fatdcuk to Profixer

Premium Member

to Profixer
Here are some more users who have been spooked by this F/P
»www.spywarewarrior.com/v ··· ghlight=

HTH:)

bettywont
Premium Member
join:2004-09-11
Montreal, QC

bettywont

Premium Member

Many thanks for your post. After checking the registry I was
pretty sure it was a f/p; now I can sleep.
Thanks again!!!!

Corrine
Premium Member
join:2004-08-27

1 recommendation

Corrine

Premium Member

Good. We wouldn't want anyone losing any sleep, although I am receiving a lot of questions on when it will be fixed. I guess this is affecting more folks than expected.

winchester73
join:2003-08-08
Chapel Hill, NC

winchester73

Member

quote:
I guess this is affecting more folks than expected
Perhaps any Plus or Pro users could ask the Lavasoft support people about an expected "fix" date? The users of the free program don't have that ability with their forum closed.

Corrine
Premium Member
join:2004-08-27

1 recommendation

Corrine

Premium Member

Sorry to be a nag about this . . . but I will be anyway.

A lot of HJT logs are being needlessly analyzed with folks going through the full smitRem© fix. Since the volunteers are spread pretty thin as it is, the sooner this is fixed, the better for those of us trying to help.

Thanks, Steve.

Jimbo406
Premium Member
join:2001-01-07
New York, NY

Jimbo406 to Buddel

Premium Member

to Buddel
Here is the reply I received from Lavasoft today:

Dear Customer,

I would first suggest you make sure you are using the latest build of Ad-Aware. Look in the lower right corner of Ad-Aware SE and it should say "build 1.06r1".

Second; make sure you are running with the latest definition file. The name of the latest definition file is displayed to the right of our main page at »www.lavasoft.com/

The third thing to do is to perform a Full system scan. Before you perform the scan, please do the following;

Start Ad-Aware

Click on Settings (Gear button up in the right corner)

Click on Tweak

Expand the "Log files" option

Enable "Include Module list in log file"

Click on proceed.

Click on Scan Now

Please deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.

Now you're all set to perform the full system scan.

If the problem still persists, Please reply to this e-mail with the latest logfile from a full system scan attached.

Regards

Jessica
Lavasoft Support

I have also referred them to this URL and string to see numerous other people getting the same results.
Gem
Premium Member
join:2005-09-10

Gem

Premium Member

said by Jimbo406:

I have also referred them [Lavasoft] to this URL and string to see numerous other people getting the same results.
At least you got a response Jimbo,

I emailed Lavasoft this message on 2-9-2006:
To : research@lavasoft.de
Subject : Possible "spyware NO" false positive 2-9-2006

Here are the results of my AdAware scan after the 2-8-2006 update.

It reports 3 new critical objects as "spyware no" items. Would you please advise if these objects are legit malware or false positives?

My desktop and wall paper are the same as they have always been with no problems. Active Desktop is "ON" and I use a utility to save my desktop icon arrangement. Hence the question before removing the items found.

Please advise.

Thank you.

no response was received

fatdcuk
Premium Member
join:2005-02-20
England

fatdcuk to Profixer

Premium Member

to Profixer
Steve, I think you need to somehow escalate this information in the company because it is causing bad PR for Lavasoft, especially if a paying customer has been kept waiting so long for e-mail support.
Gem
Premium Member
join:2005-09-10

Gem

Premium Member

said by fatdcuk:

Steve, I think you need to somehow escalate this information in the company because it is causing bad PR for Lavasoft, especially if a paying customer has been kept waiting so long for e-mail support.
fatdcuk,

I'm not a paying customer, just someone who alerted the
company to a potential problem with their program and
indicated what might be related to the source of the
problem if there was one.

Corrine
Premium Member
join:2004-08-27

Corrine to Jimbo406

Premium Member

to Jimbo406
Hi, Jimbo406. Perhaps the support desk folks have not been told about the f/p.
Corrine

Corrine to Gem

Premium Member

to Gem
Gem, the best way to do that is to participate in the beta testing of the definition files. You can then report problems directly to LS Research.
Gem
Premium Member
join:2005-09-10

1 edit

Gem

Premium Member

said by Corrine:

the best way to do that is to participate in the beta testing of the definition files. You can then report problems directly to LS Research.
Got that.

Corrine
Premium Member
join:2004-08-27

Corrine to Buddel

Premium Member

to Buddel
SE1R92 14.02.2006 has been released. Please confirm that this solves this issue.

Thank you, Steve.
Gem
Premium Member
join:2005-09-10

1 edit

Gem

Premium Member

No Problems!
said by Corrine:

SE1R92 14.02.2006 has been released. Please confirm that this solves this issue.
The new update appears to resolve the issue here.

winchester73
join:2003-08-08
Chapel Hill, NC

winchester73

Member

3 days to fix?
Andy_veal
join:2005-11-03
England

2 edits

Andy_veal

Member

said by winchester73:

3 days to fix?
Glad it didn't turn into another "WhenU"
SpyDie1
join:2005-02-15

SpyDie1 to winchester73

Member

to winchester73
Software upgrade? Maintenance perhaps?
zipperman1
Just An Old Geezer
join:2003-09-19
Canada

zipperman1 to Buddel

Member

to Buddel
I get instant notification if 14 days go by.
It's in the options to select # of days and is always quick
for me.