to norwegian
Re: SUPERAntiSpyware software

The Mad Code Hook Injector still should be detected as a "notify/warning". We see it installed with legit and non-legit programs (spyware/adware); that is why we have left it as a notify rule. It won't be removed by default unless the user checks the box to remove it. KAV may be detecting something in our rules. Is it warning on specific files, or?
Nick Skrepetos SUPERAntiSpyware.com » www.superantispyware.com

norwegian Premium Member join:2005-02-15 Outback
Yes, it is related to 2 files and a Restore point, all .exe's.

I just ran a full scan on several systems here with KAV installed and did not get the warning. Can you send me the specific files that are having the warning from KAV? You can send them to nicks at superantispyware.com. I believe KAV is triggering incorrectly here. I would like to verify this and try to reproduce it here in our lab.
Nick Skrepetos SUPERAntiSpyware.com » www.superantispyware.com

dadkins Can you do Blu? MVM join:2003-09-26 Hercules, CA
I just ignored these; cookies I let it remove.
As I stated earlier... archived for later installation. Well, I installed your software on my other laptop... It has A LOT of software on it... including KAV Pro 4.5. I'll post the log here when it's finished scanning; may be a while though. 31 minutes to do a Quick Scan of a 13.7GB drive. Better overall! Thanks Nick!

spy1 Welcome to Amerika Premium Member join:2002-06-24 Charlotte, NC
to SUPERAntiSpy
said by SUPERAntiSpy: Thanks for the report! That rule had been previously updated; did you happen to check for definition updates before scanning? Core Definition set 2815 should not have had that in there. Would you mind checking for rules updates and running the scan again? Nick Skrepetos

Nick - Just got home, updated the program manually through the interface, got an update, did a re-scan (the "quick" one, which only took 6 minutes, BTW, on a 160GB HD {which is admittedly mostly empty}) and got no alerts this time. I'm a little puzzled, actually - didn't the program check itself for updates automatically when I installed it? I sure thought it did. I'm going to close this out and run a "Complete" scan and see if the results differ and how long it takes. Pete

It depends on when you installed. Meaning we updated the rules around 9:00am PST to 2815. I look forward to hearing your results.
Nick Skrepetos SUPERAntiSpyware.com » www.superantispyware.com

spy1 Welcome to Amerika Premium Member join:2002-06-24 Charlotte, NC
2006-Mar-17 10:44 pm
"Complete" scan took around 16 minutes and came up clean, too. I'd've taken a screenshot of it, but when you close the notification that nothing was found, the results screen exits, too. Might want to consider changing that to where the results screen stays up so that one can study on it (or take screenshots of it) before closing it separately. BTW, I'm running a fully-updated copy of XP Pro (I have .Net on here, too) on a 1.3G processor with 1GB of RAM. Only 8.75GB of the drive is being used.

Here's the log from where I ran the first (Quick) scan:

SUPERAntiSpyware Scan Log
Generated 03/17/2006 at 03:57 PM
Core Rules Database Version : 2814
Trace Rules Database Version: 1015
Memory threats detected : 0
Registry threats detected : 0
File threats detected : 1
Adware.FindWhatever
F:\WINDOWS\system32\msswchx.exe

Here's the log from the second (Quick) scan:

SUPERAntiSpyware Scan Log
Generated 03/17/2006 at 09:34 PM
Core Rules Database Version : 2815
Trace Rules Database Version: 1016
Memory threats detected : 0
Registry threats detected : 0
File threats detected : 0

and the one from the third (Complete) scan:

SUPERAntiSpyware Scan Log
Generated 03/17/2006 at 09:58 PM
Core Rules Database Version : 2815
Trace Rules Database Version: 1016
Memory threats detected : 0
Registry threats detected : 0
File threats detected : 0

As you can see, it was nearly 4 PM (Eastern) here when I did the first scan (with C.R.D.V 2814) - so I still don't know why - if the program checked itself for updates when I installed it (it DID do that, right?) - it started out with the 2814 defs. Maybe check the initial installation updater section? At any rate, it's working fine with NO F/P's at the moment. Pete

P.S. - All scans were run with no browsers open - but ALL of my normal defensive programs were running resident in SYSTRAY (NOD32, SpyBlocker v.9.0, ProcessGuard v.3.200, UnhackMe 3.0 Release and TrojanHunter Guard (part of TH v.4.2 build 908).

Thanks for the detail. The scan time seems normal on a laptop, as the drives are much slower, and the Windows folder, especially with XP SP2, takes the bulk of the scan time.
As for the rules issue, I am not sure why yours did not get the 2815 on installation. I have verified here in our tests that it does get them upon first installation.
Thank you for your other suggestion also! We have a new release coming out next week.
Nick Skrepetos SUPERAntiSpyware.com

spy1 Welcome to Amerika Premium Member join:2002-06-24 Charlotte, NC
2006-Mar-17 11:12 pm
Nick - This is a Compaq 7110US desktop computer - not a laptop. The hard drive is a Maxtor 7200RPM Ultra ATA/133 with an 8MB cache. Just for clarification, of course. Pete

spy1 to jbob
Premium Member
2006-Mar-18 12:18 pm
Is there any possibility that d/l'ing and installing your program would trigger this alert from Spybot Search&Destroy? I'm wondering specifically about the little ads for the other products you offer that come along with the program - would they install this reg key? The reason I ask is because I never got that alert from SBS&D until this morning (the first time I've run it since installing your program). Pete

SUPERAntiSpyware does not create any rogue keys in the registry nor place any rogue files on your file system. I am not sure where that would have come from. Had you previously tried that product at some point, and Spybot's new rules now detect it?
Nick Skrepetos SUPERAntiSpyware.com » www.superantispyware.com

Rocky67 Pencil Neck Geek Premium Member join:2005-01-13 Orange, CA
to spy1
Pete, try reading this; it might help you figure out what's going on: » forums.spybot.info/archi ··· 643.html

Spy4 Premium Member join:2001-09-22 NE
2006-Mar-18 1:11 pm
to spy1
Ran Spybot with the latest update after installing SuperAntispyware and the result was clean.

spy1 Welcome to Amerika Premium Member join:2002-06-24 Charlotte, NC
2006-Mar-18 1:45 pm
to jbob
Nick - No, I'd never tried their product. Grimy - Yeah, I read that when I went to post about the detection: » forums.spybot.info/showt ··· ost16212 Spy2000 - That makes me feel better, although now I still don't know why I got that detection today for the first time from SBS&D. It's no biggie - I just went ahead and let SBS&D delete it. Pete

norwegian Premium Member join:2005-02-15 Outback
to jbob
The last 2 days of scans, I am getting 2 .htm files being detected as Trojan.NewP. I restored these and scanned at Jotti and VirusTotal, and no detection of anything. I'm not sure what it is detecting. Opening them in FileAlyzer shows a 404 page relating to www.w3.org/TR/html4/strict.dtd, and "visit Microsoft via IIS manager and search topics 'web site setup', 'Common administrative tasks' and 'About custom Error Messages'". Anyone else seeing this?

Hi Nor, well here's an interesting "Coincidence". I posted in here - » New Zero Day IE Exploit In The Wild - about a w3.org entry in the MetaData I examined after DL'ing the nice pic from the exploit www link in here - » Remote overflow in MSIE script action handlers (mshtml.dll) - so it seems that there is some connection somewhere between, at the very least, these 2 incidents. I posted the other day, wondering why w3.org should be in that pic? Nobody seems to have any answers, as of yet anyway! Spanner

to jbob
Ok, so I decided to load SuperAntiSpyware (but not run it as a memory resident program). Here's the log:

Trojan.Mad Code Hook Injector
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#Capabilities
Worm.Bereb
E:\WINNT\system32\TASKMGR.COM

Did I read somewhere here that the Trojan.Mad Code Hook Injector is a false positive? As far as the Worm.Bereb goes, I searched around the web and I looked for the registry keys, directories and files that are supposedly created by this worm and suggested by Symantec. They didn't exist. They said the malware taskmgr.com file is in the Windows directory, whereas mine is in the winnt/system32 directory (Win 2000 Pro OS). In that directory are two files similar in size with the exact same time and date: taskmgr.com and taskmgr.exe.
» securityresponse.symante ··· reb.html
» www.sophos.com/virusinfo ··· ebb.html
Another false positive?

Hello, the Mad Code Hook Injector is used by BOTH legit and spyware/adware applications. That is why it is a notify/warning rule - it is not set to remove by default. Would you mind e-mailing me the TASKMGR.COM file you are detecting? I would like to analyze it and see what is up, to make sure it is not a false positive. You can send it to nicks at superantispyware.com
Nick Skrepetos SUPERAntiSpyware.com » www.superantispyware.com

norwegian Premium Member join:2005-02-15 Outback
to SpannerITWks
I'm not sure if all the .html files are the same; I didn't bother going in and looking at the first ones, but I clear cache, history etc. all the time, sometimes 2 or 3 times a day, so the detection is with new files each time, not old ones.
I will run another scan tonight after cleaning everything out and then do some browsing, to see if it picks up any files.
I will have a look to see if there are any similarities if it detects a .html file.
It may be just a FP on a form of scripting? I can't say.

ITICharlie1 Ass Mode Premium Member join:2003-01-22 Saint Louis, MO
to jbob
I just scanned with this program for the first time and here are my results...

SUPERAntiSpyware Scan Log
Generated 03/20/2006 at 04:39 PM
Core Rules Database Version : 2822
Trace Rules Database Version: 1016
Memory threats detected : 0
Registry threats detected : 23
File threats detected : 0
Trojan.Mad Code Hook Injector
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv#Type
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv#Start
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv#DeleteFlag
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000\Control#ActiveService

I'm running Nod32, Trojan Hunter, and Spyware Blaster. Any thoughts?

Kiwi88 Premium Member join:2003-05-26 Bryant, AR
to jbob
Don't think you will find anything scary about w3.org; it's built into the headers of many HTML programs. It's a consortium for web development.

to ITICharlie1
We are seeing mixed results on the Mad Code Hook Injector. We see it clearly installed on a clean base system and installing ONLY spyware/adware components. It seems to be related to cmdService (command.exe) when we see it on spyware bases. We also see this installed with legit applications. We are temporarily suspending this rule/definition pending further investigation and possibly coupling it with detection of specific spyware components. If you check for updates to the definitions in SUPERAntiSpyware, trace database version 1017 will not detect this component for now.
Nick Skrepetos SUPERAntiSpyware.com » www.superantispyware.com

ITICharlie1 Ass Mode Premium Member join:2003-01-22 Saint Louis, MO
said by SUPERAntiSpy: If you check for updates to the definitions in SUPERAntiSpyware, trace database version 1017 will not detect this component for now. Nick Skrepetos SUPERAntiSpyware.com » www.superantispyware.com
That is the database that is installed...

If you look up at your scan log, you have 1016 at the time of the actual scan:
SUPERAntiSpyware Scan Log
Generated 03/20/2006 at 04:39 PM
Core Rules Database Version : 2822
Trace Rules Database Version: 1016
If you scan with 1017 installed, you won't get this detection.
Nick Skrepetos SUPERAntiSpyware.com » www.superantispyware.com
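The mix-up above (a detection produced by trace database 1016, read against a rule that 1017 no longer carries) is easy to miss when eyeballing a log. As an added example, not code from SUPERAntiSpyware or from anyone in this thread, the Python below parses the scan-log layout posted here, records the database versions, groups each detection's registry keys and file paths under its threat name, cross-checks the header counts, and flags a detection that came from a trace database older than a given version. The sample log is constructed from entries quoted in the thread and the 1017 threshold is the one Nick states.

```python
import re
# Constructed sample, modelled on the scan logs posted in this thread.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Generated 03/20/2006 at 04:39 PM
Core Rules Database Version : 2822
Trace Rules Database Version: 1016
Memory threats detected : 0
Registry threats detected : 2
File threats detected : 1
Trojan.Mad Code Hook Injector
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv#ImagePath
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV
Worm.Bereb
E:\WINNT\system32\TASKMGR.COM
"""

VERSION_RE = re.compile(r"^(Core|Trace) Rules Database Version\s*:\s*(\d+)$")
COUNT_RE = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)$")
REGKEY_RE = re.compile(r"^HK(LM|CU|CR|U|CC)\\")  # registry key, or key#value
FILEPATH_RE = re.compile(r"^[A-Za-z]:\\")        # drive-letter file path

def parse_scan_log(text):
    """Return database versions, header counts, and items grouped by threat name."""
    parsed = {"core": None, "trace": None, "counts": {}, "threats": {}}
    threat = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(("SUPERAntiSpyware", "Generated ")):
            continue
        if m := VERSION_RE.match(line):
            parsed[m.group(1).lower()] = int(m.group(2))
        elif m := COUNT_RE.match(line):
            parsed["counts"][m.group(1).lower()] = int(m.group(2))
        elif REGKEY_RE.match(line) or FILEPATH_RE.match(line):
            kind = "registry" if REGKEY_RE.match(line) else "file"
            parsed["threats"].setdefault(threat, []).append((kind, line))
        else:  # any other line is a threat name that starts a new group
            threat = line
            parsed["threats"].setdefault(threat, [])
    return parsed

def counts_match(parsed):
    """Cross-check the header's registry/file counts against the listed items."""
    seen = {"registry": 0, "file": 0}
    for kind, _ in (item for items in parsed["threats"].values() for item in items):
        seen[kind] += 1
    return all(parsed["counts"].get(k, 0) == n for k, n in seen.items())

def stale_detection(parsed, threat, min_trace):
    """True if `threat` was reported by a trace database older than `min_trace`."""
    return threat in parsed["threats"] and parsed["trace"] is not None and parsed["trace"] < min_trace
```

Run against the thread's own 03/20 log, `stale_detection(log, "Trojan.Mad Code Hook Injector", 1017)` is True, which is exactly the re-scan-after-updating answer given above.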
to SUPERAntiSpy
said by SUPERAntiSpy: Hello, would you mind e-mailing me the TASKMGR.COM file you are detecting? I would like to analyze it and see what is up, to make sure it is not a false positive. You can send it to nicks at superantispyware.com Nick Skrepetos SUPERAntiSpyware.com » www.superantispyware.com
Just mailed it in a zipped file. I await your reply.

fgjjk
Anon
2006-Mar-20 8:34 pm
I got the TASKMGR.com file too. I haven't fully deleted it; it is still in quarantine. There has been no problem with getting rid of it.
There has been no effect on the computer.

What's interesting about that file is it appears mostly legit - but it also has some items that are no longer in AdvApi32.DLL for XP, etc.: GetSiteSidFromToken. I am going to tear it apart a little tonight and see what else I can find; I will let you all know.
Nick Skrepetos SUPERAntiSpyware.com » www.superantispyware.com

said by SUPERAntiSpy: What's interesting about that file is it appears mostly legit - but it also has some items that are no longer in AdvApi32.DLL for XP, etc.: GetSiteSidFromToken. Nick Skrepetos SUPERAntiSpyware.com » www.superantispyware.com
I'm running Windows 2000 Pro, so maybe that's the reason?

Naddie8 join:2004-12-20 Mechanicsburg, PA
to dadkins
We at the Comcast forum know that dadkins will try most anything. He is fearless!!! If he says that it is not for him, I will take his word for it. I have a whole arsenal of anti ad/spyware and am always on the lookout for a good one. I will take Dave's word for this one. I trust him better than I trust me........

norwegian Premium Member join:2005-02-15 Outback
to Kiwi88
I doubt anything scary; who knows, maybe it is a FP, but all I can think of is some of the hosts filtering maybe causing this page message to load where an ad is meant to be? I doubt it's immunization, as it doesn't actually block parts of a web page, that I know; maybe someone can explain it if I have it wrong.