Gem Premium Member join:2005-09-10
Gem to abcGuY
Premium Member
2006-Feb-10 6:40 pm
to abcGuY
Re: AdAware - trying to download today's defs...
said by abcGuY:
I've been getting the SpywareNO as well. However other scanners like spysweeper, ewido, spybot have not picked it up when I scanned. Is anyone 100% sure that this is a false positive?
Also I am unable to delete the reg keys using Ad-aware.

If it is the FP, it doesn't hurt much to let AdAware remove the registry keys and quarantine them. You can always add them back if desired. If AdAware can't delete the items or if they automatically come back, you may have the real thing on your computer. If you Google the items found, the results will show you what the real Spyware No is and what else it adds to your computer. If none of the other files shown are added on your machine it might be that you have the FP instead. Either way, you could send the AdAware log to LS Steve (see his post above) or email them to research@lavasoft.de (check address from Steve's post). And you could post a list of the registry keys found in your scan here for someone to examine. If you do, they may want you to later post the values in the keys as well. I don't think the key values show up in the AdAware logs, but if you are comfortable with the registry you can export a copy of the keys to your MyDocuments (or whatever folder). Then change the extension of the files from ".reg" to ".txt". Once changed, you can open the files as text documents and post the contents here in your message.
|
abcGuY join:2005-03-11 Scarborough, ON |
abcGuY
Member
2006-Feb-10 7:49 pm
SpywareNo Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-854245398-1960408961-839522115-1003\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}

SpywareNo Object Recognized!
Type : RegData
Data : 2
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\desktop\general
Value : WallpaperStyle
Data : 2

SpywareNo Object Recognized!
Type : RegData
Data : 2
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : control panel\desktop
Value : WallpaperStyle
Data : 2

SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\desktop\components
Value : GeneralFlags
Data : 0

Thanks gem. If anyone wants to help here are the items detected by Ad-aware. |
|
Gem Premium Member join:2005-09-10 |
Gem
Premium Member
2006-Feb-10 9:37 pm
said by abcGuY:
SpywareNo Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-854245398-1960408961-839522115-1003\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}
Thanks gem. If anyone wants to help here are the items detected by Ad-aware.

Okay, if you are comfortable with the registry, export the above key to your my documents folder. Then change the extension to a ".txt" file. Then open in notepad. Then cut and paste it into a new post and post it here. It will be awhile before I can get back to the computer to compare the contents of your file with mine and let you know the result.
|
abcGuY join:2005-03-11 Scarborough, ON |
abcGuY
Member
2006-Feb-10 9:55 pm
Key Name: HKEY_USERS\S-1-5-21-854245398-1960408961-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72267F6A-A6F9-11D0-BC94-00C04FB67863}
Class Name:
Last Write Time: 10/2/2006 - 21:49

Key Name: HKEY_USERS\S-1-5-21-854245398-1960408961-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72267F6A-A6F9-11D0-BC94-00C04FB67863}\iexplore
Class Name:
Last Write Time: 10/2/2006 - 21:54

Value 0
Name: Type
Type: REG_DWORD
Data: 0x1

Value 1
Name: Count
Type: REG_DWORD
Data: 0xa

Value 2
Name: Time
Type: REG_BINARY
Data:
00000000 d6 07 02 00 06 00 0b 00 - 02 00 36 00 17 00 4b 03 Ö.........6...K.
|
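As an added example (not part of any poster's message and not Ad-Aware's own logic), the `Time` value in the export above can be decoded to see what the flagged key actually holds. It assumes the 16 bytes are a Windows SYSTEMTIME structure (eight little-endian 16-bit fields) and that the Last Write Time is written day/month/year; the function names are illustrative.

```python
import re
import struct
from datetime import datetime

# Row copied from the "Time" REG_BINARY value posted above (offset, bytes, ASCII column).
DUMP_ROW = "00000000 d6 07 02 00 06 00 0b 00 - 02 00 36 00 17 00 4b 03 Ö.........6...K."
# "Last Write Time" of the ...\iexplore key from the same post (assumed day/month/year).
LAST_WRITE = "10/2/2006 - 21:54"


def bytes_from_dump_row(row, width=16):
    """Extract up to `width` data bytes from one hex-dump row."""
    tokens = row.split()[1:]  # drop the leading offset column
    data = []
    for tok in tokens:
        if tok == "-":
            continue  # separator between the two 8-byte halves
        if len(data) == width or not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            break  # reached the ASCII column
        data.append(int(tok, 16))
    return bytes(data)


def decode_systemtime(raw):
    """Decode 16 bytes as SYSTEMTIME (assumption); return (datetime, weekday_matches)."""
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME is exactly 16 bytes")
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    # datetime() raises ValueError if the fields do not form a real date/time.
    stamp = datetime(year, month, day, hour, minute, second, ms * 1000)
    # SYSTEMTIME counts Sunday as 0; datetime.weekday() counts Monday as 0.
    return stamp, (stamp.weekday() + 1) % 7 == dow


def hours_from_last_write(stamp, last_write=LAST_WRITE):
    """Whole hours between the decoded stamp and the key's reported last write."""
    written = datetime.strptime(last_write, "%d/%m/%Y - %H:%M")
    return int((stamp - written).total_seconds() // 3600)


if __name__ == "__main__":
    stamp, dow_ok = decode_systemtime(bytes_from_dump_row(DUMP_ROW))
    print(stamp.isoformat(), "weekday consistent:", dow_ok)
    print("hours after last write:", hours_from_last_write(stamp))
```

Under that assumption the bytes decode to 2006-02-11 02:54:23.843 with a matching weekday field, five hours after the key's reported last write, so the value reads as a timestamp that changes with use rather than as fixed data.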
Corrine Premium Member join:2004-08-27 |
to Buddel
Active Desktop.
You may want to take a look at the regedit by LonnyRJones (Post #27) here: » forums.spybot.info/showt ··· post2137
If you are going to edit the registry, be sure to back it up first: Please back up the registry before editing.
Windows 95, Windows 98, and Windows Me: » support.microsoft.com/de ··· d=322754
Windows NT 4.0: » support.microsoft.com/de ··· d=323170
Windows 2000: » support.microsoft.com/de ··· d=322755
Windows XP and Windows Server 2003: » support.microsoft.com/de ··· d=322756
|
parputt Premium Member join:2001-11-25 New Iberia, LA |
to Corrine
Re: AdAware - trying to download today's defs...
said by Corrine:
Just for kicks, I updated and ran a scan. Steve, I can assure you that I do not have SpywareNo on my system. But the latest Def File thinks that I do. Sorry, smells like a f/p to me.

I got the same thing and am as sure as Corrine that my system is clean. I say f/p also.
|
Gem Premium Member join:2005-09-10 1 edit |
Gem to abcGuY
Premium Member
2006-Feb-11 12:18 am
to abcGuY
abcGuY, Three of the four registry entries AdAware identified on your computer as Spyware No are the same as the three that were identified by AdAware on my own.
One of those is the key: "HKEY_USERS\S-1-5-21-xxx\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\ {72267F6A-A6F9-11D0-BC94-00C04FB67863}\iexplore"
The values we have for the key are also the same, although the content is different.
In my case, I believe it is a false positive because:
1) none of the other malware scanners, including those you named, picked up "Spyware NO", 2) the computer is not misbehaving in any way, and 3) none of the files related to Spyware No as reported in the various online virus and malware encyclopedias found by Google are present on the computer.
You might therefore, want to Google the partial registry entry for "{72267F6A-A6F9-11D0-BC94-00C04FB67863}" and compare what you have with what is found there.
If you have none of the misbehavior described, and none of the related files, you could choose to have AdAware ignore the item for now.
OR:
Ask the mods to allow you to start a new thread to get more attention on your item, OR
IM Corrine and ask her what she is recommending with the registry modification to the Active Desktop keys as shown in the link she posted in her reply.
[LS SteveJ's post earlier indicated part of the issues with the possible False Positive associated with Spyware No had to do with Active Desktop]
{edited in attempt to get this to display on standard screen without horizontal scrolling} |
|
Corrine Premium Member join:2004-08-27 |
Corrine
Premium Member
2006-Feb-11 9:17 am
said by Gem:
abcGuY, IM Corrine and ask her what she is recommending with the registry modification to the Active Desktop keys as shown in the link she posted in her reply.

Well, no, I wouldn't suggest that as I don't provide advice via PM. I also do not recommend registry edits without a backup. I do trust a recommendation made by Lonny. He is very knowledgeable. Another alternative is provided in the link below.
Kellys Korner, "16. Active Desktop - Enable or Disable" at » www.kellys-korner-xp.com ··· eaks.htm
If you are not having problems with your PC, your desktop has not been hijacked, then either add the two AAW findings to the ignore list or wait for the next update. On the other hand, if you would like an Ad-Aware log reviewed, we would be happy to take a look. You can also post a HijackThis log in the new cleanup forum » Security Cleanup
|
Jimbo406 Premium Member join:2001-01-07 New York, NY
to Buddel
Count me in as well:
SPYWARENO »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» obj[0]=Regkey : S-1-5-21-1606980848-682003330-839522115-1004\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863} |
|
abcGuY join:2005-03-11 Scarborough, ON
to Buddel
Corrine, I tried the recommendations by Lonny. They didn't work. So I will try the ones by Kellys Korner soon and I will post back with a reply.
I am not having any noticeable problems with my PC and I can freely change my wallpaper.
|
Corrine Premium Member join:2004-08-27 |
to Profixer
said by Profixer:
We will adjust our definitions accordingly... thanks guys!

Thanks, Steve. There's been several posts at Castle Cops as well as a couple at Freedomlist with the f/p as well.
|
|
McFirefox to Buddel
Anon
2006-Feb-12 9:28 am
to Buddel
Could be it's a fault of Ad-Aware. If spywareno hides the desktop icons it sets the registry entry to hidden. If that part of action is used to identify spywareno, all see a trojan who have hidden desktop icons. As I do. See also » www.microsoft.com/commun ··· &m=1&p=1 |
|
fatdcuk Premium Member join:2005-02-20 England |
to Profixer
Here's some more users that have been spooked by this F/p » www.spywarewarrior.com/v ··· ghlight=
HTH :)
|
|
bettywont Premium Member join:2004-09-11 Montreal, QC |
Many thanks 4 your post. After checking the registry I was pretty sure it was a f/p now I can sleep. Thanks again!!!!
|
Corrine Premium Member join:2004-08-27
Corrine
Premium Member
2006-Feb-12 8:56 pm
Good. We wouldn't want anyone losing any sleep, although I am receiving a lot of questions on when it will be fixed. I guess this is affecting more folks than expected.
|
|
quote: I guess this is affecting more folks than expected
Perhaps any Plus or Pro users could ask the Lavasoft support people about an expected "fix" date? The users of the free program don't have that ability with their forum closed. |
|
Corrine Premium Member join:2004-08-27
Corrine
Premium Member
2006-Feb-13 12:11 pm
Sorry to be a nag about this . . . but I will be anyway. A lot of HJT logs are being needlessly analyzed with folks going through the full smitRem© fix. Since the volunteers are spread pretty thin as it is, the sooner this is fixed, the better for those of us trying to help. Thanks, Steve. |
|
Jimbo406 Premium Member join:2001-01-07 New York, NY |
to Buddel
Here is the reply I received from Lavasoft today:

Dear Customer,
I would first suggest you make sure you are using the latest build of Ad-Aware. Look in the lower right corner of Ad-Aware SE and it should say "build 1.06r1".
Second; make sure you are running with the latest definition file. The name of the latest definition file is displayed to the right of our main page at » www.lavasoft.com/
The third thing to do is to perform a Full system scan. Before you perform the scan, please do the following;
Start Ad-Aware
Click on Settings (Gear button up in the right corner)
Click on Tweak
Expand the "Log files" option
Enable "Include Module list in log file"
Click on proceed.
Click on Scan Now
Please deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
Now you're all set to perform the full system scan.
If the problem still persists, Please reply to this e-mail with the latest logfile from a full system scan attached.
Regards
Jessica
Lavasoft Support

I have also referred them to this URL and string to see numerous other people getting the same results.
|
Gem Premium Member join:2005-09-10 |
Gem
Premium Member
2006-Feb-13 7:58 pm
said by Jimbo406:
I have also referred them [Lavasoft] to this URL and string to see numerous other people getting the same results.

At least you got a response Jimbo, I emailed Lavasoft this message on 2-9-2006:
To : research@lavasoft.de
Subject : Possible "spyware NO" false positive 2-9-2006
Here are the results of my AdAware scan after the 2-8-2006 update.
It reports 3 new critical objects as "spyware no" items. Would you please advise if these objects are legit malware or false positives?
My desktop and wall paper are the same as they have always been with no problems. Active Desktop is "ON" and I use a utility to save my desktop icon arrangement. Hence the question before removing the items found.
Please advise.
Thank you.

No response was received.
|
fatdcuk Premium Member join:2005-02-20 England |
to Profixer
Steve, I think you need to somehow escalate this information in the company because it is causing bad PR for Lavasoft especially if a paying customer has been kept waiting so long for e-mail support.
|
Gem Premium Member join:2005-09-10 |
Gem
Premium Member
2006-Feb-13 8:48 pm
said by fatdcuk:
Steve, I think you need to somehow escalate this information in the company because it is causing bad PR for Lavasoft especially if a paying customer has been kept waiting so long for e-mail support.

fatdcuk, I'm not a paying customer, just someone who alerted the company to a potential problem with their program and indicated what might be related to the source of the problem if there was one.
|
Corrine Premium Member join:2004-08-27 |
to Jimbo406
Hi, Jimbo40. Perhaps the support desk folks have not been told about the f/p. |
|
Corrine |
to Gem
Gem, the best way to do that is to participate in the beta testing of the definition files. You can then report problems directly to LS Research. |
|
Gem Premium Member join:2005-09-10 1 edit |
Gem
Premium Member
2006-Feb-13 9:56 pm
said by Corrine:
the best way to do that is to participate in the beta testing of the definition files. You can then report problems directly to LS Research.

Got that.
|
Corrine Premium Member join:2004-08-27 |
to Buddel
SE1R92 14.02.2006 has been released. Please confirm that this solves this issue. Thank you, Steve. |
|
Gem Premium Member join:2005-09-10 1 edit |
Gem
Premium Member
2006-Feb-14 8:06 am
No Problems! |
said by Corrine:
SE1R92 14.02.2006 has been released. Please confirm that this solves this issue.

The new update appears to resolve the issue here.
|
|
3 days to fix? |
|
2 edits |
Glad it didn't turn into another "WhenU" |
|
|
to winchester73
Software upgrade? Maintenance perhaps? |
|
|
to Buddel
I get instant notification if 14 days go by. It's in the options to select # of days and is always quick for me.
|