SUPERAntiSpy
Premium Member
join:2006-03-16
Eugene, OR
to norwegian

Re: SUPERAntiSpyware software

The Mad Code Hook Injector still should be detected as a "notify/warning". We see it installed with legit and non-legit programs (spyware/adware), that is why we have left it as a notify rule. It won't be removed by default, unless the user checks the box to remove it.

KAV may be detecting something in our rules. Is it warning on specific files or?

Nick Skrepetos
SUPERAntiSpyware.com
»www.superantispyware.com

norwegian
Premium Member
join:2005-02-15
Outback

Yes, it is related to 2 files and a Restore point, all .exe's.
SUPERAntiSpy
Premium Member
join:2006-03-16
Eugene, OR

I just ran a full scan on several systems here with KAV installed and did not get the warning. Can you send me the specific files that are having the warning from KAV?

You can send them to nicks at superantispyware.com

I believe KAV is triggering incorrectly here. I would like to verify this and try to reproduce it here in our lab.

Nick Skrepetos
SUPERAntiSpyware.com
»www.superantispyware.com

dadkins
Can you do Blu?
MVM
join:2003-09-26
Hercules, CA
1 edit

[screenshot]
I just ignored these, cookies I let it remove.
As I stated earlier... archived for later installation. Well, I installed your software on my other laptop... It has A LOT of software on it... including KAV Pro 4.5.

I'll post the log here when it's finished scanning, may be a while though.
31 minutes to do a Quick Scan of 13.7GB drive.

Better overall! Thanks Nick!

spy1
Welcome to Amerika
Premium Member
join:2002-06-24
Charlotte, NC
to SUPERAntiSpy
said by SUPERAntiSpy:

Thanks for the report! That rule had been previously updated, did you happen to check for definition updates before scanning? Core Definition set 2815 should not have had that in there. Would you mind checking for rules updates and running the scan again?

Nick Skrepetos

Nick - Just got home, updated the program manually through the interface, got an update, did a re-scan (the "quick" one, which only took 6 minutes, BTW, on a 160GB HD {which is admittedly mostly empty} ) and got no alerts this time.

I'm a little puzzled, actually - didn't the program check itself for updates automatically when I installed it? I sure thought it did.

I'm going to close this out and run a "Complete" scan and see if the results differ and how long it takes. Pete
SUPERAntiSpy
Premium Member
join:2006-03-16
Eugene, OR

It depends on when you installed. Meaning we updated the rules around 9:00am PST to 2815. I look forward to hearing your results.

Nick Skrepetos
SUPERAntiSpyware.com
»www.superantispyware.com

spy1
Welcome to Amerika
Premium Member
join:2002-06-24
Charlotte, NC
1 edit

"Complete" scan took around 16 minutes and came up clean, too.

I'd've taken a screenshot of it, but when you close the notification that nothing was found, the results screen exits, too. Might want to consider changing that to where the results screen stays up so that one can study on it (or take screenshots of it) before closing it separately.

BTW, I'm running a fully-updated copy of XP Pro (I have .Net on here, too) on a 1.3G processor with 1GB of RAM. Only 8.75GB of the drive is being used.

Here's the log from where I ran the first (Quick) scan:

SUPERAntiSpyware Scan Log
Generated 03/17/2006 at 03:57 PM

Core Rules Database Version : 2814
Trace Rules Database Version: 1015

Memory threats detected : 0
Registry threats detected : 0
File threats detected : 1

Adware.FindWhatever
F:\WINDOWS\system32\msswchx.exe

Here's the log from the second (Quick) scan:

SUPERAntiSpyware Scan Log
Generated 03/17/2006 at 09:34 PM

Core Rules Database Version : 2815
Trace Rules Database Version: 1016

Memory threats detected : 0
Registry threats detected : 0
File threats detected : 0

and the one from the third (Complete) scan:

SUPERAntiSpyware Scan Log
Generated 03/17/2006 at 09:58 PM

Core Rules Database Version : 2815
Trace Rules Database Version: 1016

Memory threats detected : 0
Registry threats detected : 0
File threats detected : 0

As you can see, it was nearly 4 PM (Eastern) here when I did the first scan (with C.R.D.V 2814) - so I still don't know why - if the program checked itself for updates when I installed it (it DID do that, right?) - it started out with the 2814 defs. Maybe check the initial installation updater section?

At any rate, it's working fine with NO F/P's at the moment. Pete

P.S. - All scans were run with no browsers open - but ALL of my normal defensive programs were running resident in SYSTRAY (NOD32, SpyBlocker v.9.0, ProcessGuard v.3.200, UnhackMe 3.0 Release and TrojanHunter Guard (part of TH v.4.2 build 908)).
SUPERAntiSpy
Premium Member
join:2006-03-16
Eugene, OR

Thanks for the detail. The scan time seems normal on a laptop, as the drives are much slower, and the Windows folder, especially with XP SP2, takes the bulk of the scan time.

As for the rules issue, I am not sure why yours did not get the 2815 on installation. I have verified here in our tests that it does get them upon first installation.

Thank you for your other suggestion also! We have a new release coming out next week.

Nick Skrepetos
SUPERAntiSpyware.com

spy1
Welcome to Amerika
Premium Member
join:2002-06-24
Charlotte, NC
1 recommendation

Nick - This is a Compaq 7110US desktop computer - not a laptop. The hard-drive is a Maxtor 7200RPM Ultra ATA/133 with an 8MB cache.

Just for clarification, of course. Pete
spy1
Premium Member
to jbob
Is there any possibility that d/l'ing and installing your program would trigger this alert from Spybot Search&Destroy?

I'm wondering specifically about the little ads for the other products you offer that come along with the program - would they install this reg key?

The reason I ask is because I never got that alert from SBS&D until this morning (the first time I've run it since installing your program). Pete
SUPERAntiSpy
Premium Member
join:2006-03-16
Eugene, OR

SUPERAntiSpyware does not create any rogue keys in the registry nor place any rogue files on your file system.

I am not sure where that would have come from. Had you previously tried that product at some point, and Spybot's new rules now detect it?

Nick Skrepetos
SUPERAntiSpyware.com
»www.superantispyware.com

Rocky67
Pencil Neck Geek
Premium Member
join:2005-01-13
Orange, CA
to spy1
Pete,

Try reading this, it might help you figure out what's going on: »forums.spybot.info/archi ··· 643.html

Spy4
Premium Member
join:2001-09-22
NE
to spy1
Ran Spybot with latest update after installing SuperAntispyware and result was clean.

spy1
Welcome to Amerika
Premium Member
join:2002-06-24
Charlotte, NC
1 recommendation
to jbob
Nick - No, I'd never tried their product.

Grimy - Yeah, I read that when I went to post about the detection: »forums.spybot.info/showt ··· ost16212

Spy2000 - That makes me feel better, although now I still don't know why I got that detection today for the first time from SBS&D.

It's no biggie - I just went ahead and let SBS&D delete it. Pete

norwegian
Premium Member
join:2005-02-15
Outback
2 edits
to jbob
[screenshot]
For the last 2 days of scans, I am getting 2 .htm files being detected as Trojan.NewP.
I restored these and scanned them at Jotti and VirusTotal, and no detection of anything.

I'm not sure what it is detecting. Opening them in FileAlyzer shows a 404 page relating to www.w3.org/TR/html4/strict.dtd, and "visit Microsoft via IIS manager and search topics 'web site setup', 'Common administrative tasks' and 'About custom Error Messages'".

Anyone else seeing this ?

SpannerITWks
Premium Member
join:2005-04-22

Hi Nor,

Well here's an interesting " Coincidence "

I posted in here - »New Zero Day IE Exploit In The Wild - about a w3.org entry in the MetaData I examined after downloading the nice pic from the exploit www link in here - »Remote overflow in MSIE script action handlers (mshtml.dll) -

So it seems that there is some connection somewhere between, @ the very least these 2 incidents. I posted the other day, wondering why w3.org should be in that pic ? Nobody seems to have any answers, as of yet anyway !

Spanner
steviegee
Member
join:2001-12-26
Brooklyn, NY
to jbob
Ok, so I decided to load SuperAntiSpyware (but not run it as a memory resident program). Here's the log:

Trojan.Mad Code Hook Injector
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#Capabilities

Worm.Bereb
E:\WINNT\system32\TASKMGR.COM

Did I read that somewhere here the Trojan.Mad Code Hook Injector is a false positive?

As far as the Worm.Bereb goes, I searched around the web and I looked for the registry keys, directories and files that are supposedly created by this worm and suggested by Symantec. They didn't exist. They said the malware taskmgr.com file is in the Windows directory, whereas mine is in the winnt/system32 directory
(Win 2000 Pro OS). In that directory are two files similar in size with the exact same time and date:

taskmgr.com
taskmgr.exe

»securityresponse.symante ··· reb.html

»www.sophos.com/virusinfo ··· ebb.html

Another false positive?
SUPERAntiSpy
Premium Member
join:2006-03-16
Eugene, OR
1 recommendation

Hello,

The Mad Code Hook Injector is used by BOTH legit and spyware/adware applications. That is why it is a notify/warning rule - it is not set to remove by default.

Would you mind e-mailing me the TASKMGR.COM file you are detecting? I would like to analyze it and see what is up to make sure it is not a false-positive. You can send it to nicks at superantispyware.com

Nick Skrepetos
SUPERAntiSpyware.com
»www.superantispyware.com

norwegian
Premium Member
join:2005-02-15
Outback
to SpannerITWks
I'm not sure if all the .html files are the same; I didn't bother going in and looking at the first ones, but I clear cache, history etc. all the time, sometimes 2 or 3 times a day, so the detection is with new files each time, not old ones.

I will run another scan tonight after cleaning everything out and then do some browsing, to see if it picks up any files.

I will have a look to see if there are any similarities if it detects a .html file.

It may be just a FP on a form of scripting ? I can't say.

ITICharlie1
Ass Mode
Premium Member
join:2003-01-22
Saint Louis, MO
1 edit
to jbob
I just scanned with this program for the first time and here are my results...

SUPERAntiSpyware Scan Log
Generated 03/20/2006 at 04:39 PM

Core Rules Database Version : 2822
Trace Rules Database Version: 1016

Memory threats detected : 0
Registry threats detected : 23
File threats detected : 0

Trojan.Mad Code Hook Injector
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv#Type
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv#Start
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv#DeleteFlag
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000\Control#ActiveService

I'm running Nod32, Trojan Hunter, and Spyware Blaster. Any thoughts?
Kiwi88
Premium Member
join:2003-05-26
Bryant, AR
to jbob
Don't think you will find anything scary about w3.org. It's built into the headers of many html programs; it's a consortium for web development.
SUPERAntiSpy
Premium Member
join:2006-03-16
Eugene, OR
to ITICharlie1
We are seeing mixed results on the Mad Code Hook Injector. We see it clearly installed on a clean base system and installing ONLY spyware/adware components. It seems to be related to cmdService (command.exe) when we see it on spyware bases.

We also see this installed with legit applications. We are temporarily suspending this rule/definition pending further investigation and possibly coupling it with detection of specific spyware components.

If you check for updates to the definitions in SUPERAntiSpyware, trace database version 1017 will not detect this component for now.

Nick Skrepetos
SUPERAntiSpyware.com
»www.superantispyware.com

ITICharlie1
Ass Mode
Premium Member
join:2003-01-22
Saint Louis, MO

said by SUPERAntiSpy:

If you check for updates to the definitions in SUPERAntiSpyware, trace database version 1017 will not detect this component for now.

Nick Skrepetos
SUPERAntiSpyware.com
»www.superantispyware.com
That is the database that is installed...
SUPERAntiSpy
Premium Member
join:2006-03-16
Eugene, OR

If you look up at your scan log, you have 1016 at the time of the actual scan:

SUPERAntiSpyware Scan Log
Generated 03/20/2006 at 04:39 PM

Core Rules Database Version : 2822
Trace Rules Database Version: 1016

If you scan with 1017 installed, you won't get this detection.

Nick Skrepetos
SUPERAntiSpyware.com
»www.superantispyware.com
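
A small triage script for the log format quoted in this thread, added here as an example; it is not SUPERAntiSpyware's code and not from any post above. It covers two points Nick makes: a log produced with definitions older than the versions he names as fixed (core 2815, trace 1017) should be treated as "update and rescan" rather than trusted, and the Mad Code Hook Injector hit is notify-only unless a cmdService/command.exe indicator also appears. The sample log, the version thresholds as constants, and the indicator substrings are assumptions constructed for the example.

```python
"""Triage helper for SUPERAntiSpyware-style scan logs.

Added example, not SUPERAntiSpyware's code and not from any post in this
thread. It parses the plain-text log layout quoted above, flags logs made
with definitions older than the versions named in the thread as fixed
(core 2815, trace 1017), and applies the notify-only handling described
for the Mad Code Hook Injector: notify on its own, escalate only when a
cmdService / command.exe indicator is also present.
"""
import re

# Definition versions the vendor named in this thread as the fixed ones.
MIN_CORE_VERSION = 2815
MIN_TRACE_VERSION = 1017

# Families the vendor treats as notify-only because legitimate software uses them too.
NOTIFY_ONLY = {"Trojan.Mad Code Hook Injector"}

# Substrings the vendor associated with the spyware-installed variant (assumed
# indicator strings; lower-case, matched against every reported item).
CMDSERVICE_HINTS = ("cmdservice", "command.exe")

# Constructed sample log; layout copied from the logs quoted in the thread.
SAMPLE_LOG = """SUPERAntiSpyware Scan Log
Generated 03/20/2006 at 04:39 PM

Core Rules Database Version : 2822
Trace Rules Database Version: 1016

Memory threats detected : 0
Registry threats detected : 3
File threats detected : 1

Trojan.Mad Code Hook Injector
HKLM\\SYSTEM\\CurrentControlSet\\Services\\mchInjDrv
HKLM\\SYSTEM\\CurrentControlSet\\Services\\mchInjDrv#ImagePath
HKLM\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_MCHINJDRV

Adware.FindWhatever
F:\\WINDOWS\\system32\\msswchx.exe
"""

VERSION_RE = re.compile(r"^(Core|Trace) Rules Database Version\s*:\s*(\d+)", re.M)
COUNT_RE = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)", re.M)


def parse_log(text):
    """Return (versions, counts, detections) from one scan log.

    detections maps a family name to the registry keys / file paths listed
    under it; groups are separated by blank lines, as in the quoted logs.
    """
    versions = {m.group(1).lower(): int(m.group(2)) for m in VERSION_RE.finditer(text)}
    counts = {m.group(1).lower(): int(m.group(2)) for m in COUNT_RE.finditer(text)}
    lines = text.splitlines()
    # Detection groups start after the "File threats detected" line.
    start = next((i + 1 for i, l in enumerate(lines) if l.startswith("File threats detected")), len(lines))
    detections = {}
    family = None
    for raw in lines[start:]:
        line = raw.strip()
        if not line:
            family = None               # blank line closes the current group
        elif family is None:
            family = line               # first line of a group is the family name
            detections.setdefault(family, [])
        else:
            detections[family].append(line)
    return versions, counts, detections


def triage(text):
    """Classify each family as 'rescan', 'notify' or 'review'."""
    versions, counts, detections = parse_log(text)
    # A log made with pre-fix definitions may be all false positives: update and rescan.
    stale = (versions.get("core", 0) < MIN_CORE_VERSION
             or versions.get("trace", 0) < MIN_TRACE_VERSION)
    everything = " ".join(item for items in detections.values() for item in items).lower()
    cmdservice_present = any(hint in everything for hint in CMDSERVICE_HINTS)
    verdicts = {}
    for family in detections:
        if stale:
            verdicts[family] = "rescan"
        elif family in NOTIFY_ONLY and not cmdservice_present:
            verdicts[family] = "notify"
        else:
            verdicts[family] = "review"
    return {
        "stale_definitions": stale,
        "cmdservice_present": cmdservice_present,
        "verdicts": verdicts,
        # Sanity check: the header counts should match the items actually listed.
        "counts_consistent": sum(counts.values()) == sum(len(v) for v in detections.values()),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample log it reports every family as "rescan", because trace version 1016 is below 1017, which is exactly the situation ITICharlie1 hit; swap the version line for 1017 and the Mad Code Hook Injector group drops to "notify" while anything else stays "review" for a human to look at.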
steviegee
Member
join:2001-12-26
Brooklyn, NY
to SUPERAntiSpy
said by SUPERAntiSpy:

Hello,

Would you mind e-mailing me the TASKMGR.COM file you are detecting? I would like to analyze it and see what is up to make sure it is not a false-positive. You can send it to nicks at superantispyware.com

Nick Skrepetos
SUPERAntiSpyware.com
»www.superantispyware.com
Just mailed it in a zipped file. I await your reply.

fgjjk
Anon
@unknown

I got the TASKMGR.com file too. I haven't fully deleted it; it is still in quarantine. There has been no problem with getting rid of it.

There has been no effect on the computer.
SUPERAntiSpy
Premium Member
join:2006-03-16
Eugene, OR

What's interesting about that file is that it appears mostly legit, but it also has some items that are no longer in AdvApi32.DLL for XP, etc. (GetSiteSidFromToken).

I am going to tear it apart a little tonight and see what else I can find, I will let you all know.

Nick Skrepetos
SUPERAntiSpyware.com
»www.superantispyware.com
steviegee
Member
join:2001-12-26
Brooklyn, NY

said by SUPERAntiSpy:

What's interesting about that file, is it appears mostly legit - but it also has some items that are no longer in AdvApi32.DLL for XP, etc. GetSiteSidFromToken

Nick Skrepetos
SUPERAntiSpyware.com
»www.superantispyware.com
I'm running Windows 2000 Pro, so maybe that's the reason?

Naddie8
Member
join:2004-12-20
Mechanicsburg, PA
to dadkins
We at the Comcast forum, know that dadkins will try most anything. He is fearless!!! If he says that it is not for him, I will take his word for it. I have a whole arsenal of Anti ad-spy ware and am always on the look out for good one. I will take Dave's word for this one. I trust him better than I trust me........

norwegian
Premium Member
join:2005-02-15
Outback
to Kiwi88
I doubt anything scary; who knows, maybe it is a FP, but all I can think of is some of the hosts filtering maybe causing this page message to load where an ad is meant to be?
I doubt it's immunization, as it doesn't actually block parts of a web page, that I know; maybe someone can explain it if I have it wrong.