sashwa
Mod
join:2001-01-29
Alcatraz

sashwa to CalamityJane

Re: Ad-Aware Sept. 12 Update - FP??

Thanks, Janie. I restored the quarantined files and am waiting to hear about a fix before I put the stuff back in quarantine.

johnburns
join:2004-10-14
Oklahoma City, OK

johnburns to dp

I seem to have a very similar problem: After I downloaded the LavaSoft AdAware new definitions today, I got this:

ArchiveData(auto-quarantine- 2006-09-12 11-18-18.bckp)
Referencefile : SE1R123 12.09.2006
======================================================

MRU LIST
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=MRU FileReference : C:\Documents and Settings\John R Burns\recent\Desktop.ini
obj[2]=MRU RegReference : software\microsoft\directdraw\mostrecentapplication name
obj[3]=MRU RegReference : S-1-5-21-3818105423-895719299-1048318793-1006\software\microsoft\microsoft management console\recent file list

WIN32.TROJAN.DOWNLOADER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[3]=Regkey : clsid\{48e59293-9880-11cf-9754-00aa00c00908}
obj[4]=Regkey : interface\{48e59291-9880-11cf-9754-00aa00c00908}
obj[5]=Regkey : typelib\{48e59290-9880-11cf-9754-00aa00c00908}
obj[6]=Regkey : inetctls.inet
obj[7]=Regkey : inetctls.inet.1
obj[8]=Regkey : software\microsoft\windows\currentversion\policies\activedesktop

Buddel
If it ain't broke, don't fix it.
Premium Member
join:2004-03-06
EU

Buddel to dp

Same problems here. Let's hope they will soon be fixed.

onDvine
Grown up Flower Child
Premium Member
join:2005-01-29
So. CA, USA

onDvine to dp

I thought it was odd that I'd picked up stuff without going anyplace unfamiliar. Have restored the items from quarantine, as well. Thanks.

PCFlyer
@dsl.net

PCFlyer to CalamityJane

Object : inetctls.inet
Object : clsid\{48e59293-9880-11cf-9754-00aa00c00908}

FP! These two are related to inetctls.inet and are totally valid for at least some VB & VB.Net applications, especially for developers. If you remove them, I bet your VB apps won't run, compile, and/or load properly.

I do not know about the BargainBuddy entry.
{d27cdb6e-ae6d-11cf-96b8-444553540000}

Fortunately I was thinking FPs as soon as I saw these. So I ran full bore Norton AV, SpyBot, Windows Defender, Hijack, etc., none of which found or reported these.

fulltext
join:2000-10-14
Miami, FL

fulltext to onDvine

8 here. Note: running IE7 RC2, Norton 360 Beta.

Using definitions file:SE1R123 12.09.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
BargainBuddy(TAC index:8):2 total references
Win32.Trojan.Agent(TAC index:10):1 total references
Win32.Trojan.Downloader(TAC index:10):5 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{48e59293-9880-11cf-9754-00aa00c00908}

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{48e59291-9880-11cf-9754-00aa00c00908}

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{48e59290-9880-11cf-9754-00aa00c00908}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-527237240-1844237615-839522115-1003\software\microsoft\windows\currentversion\ext\stats\{d27cdb6e-ae6d-11cf-96b8-444553540000}

Win32.Trojan.Agent Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Virus
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-527237240-1844237615-839522115-1003\software\microsoft\windows\currentversion\ext\stats\{b45ff030-4447-11d2-85de-00c04fa35c89}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 5

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : inetctls.inet

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : inetctls.inet.1

BargainBuddy Object Recognized!
Type : RegData
Data : no
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 8

puzzled-guest
@optonline.net

puzzled-guest to dp

So what if you've already deleted all these entries and don't have them in quarantine?

Can they be replaced from another source?

mikeStrz
@201.230.x.x

Same here!

I guess XP's SystemRestore would do the trick

antdude
Matrix Ant
Premium Member
join:2001-03-25
US

antdude to CalamityJane

Me too just now. I ignored them after reading this forum. Thank you!

Is it me or have there been too many FPs lately?

mers2
Premium Member
join:2004-03-20
USA

mers2 to dp

FPs are the reason to always quarantine and not delete.
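
Added example (editor's code, not part of any post above and not Lavasoft's): a small Python triage script for Ad-Aware SE scan logs in the layout fulltext quoted earlier in this thread. It parses each "Object Recognized!" block, groups HKCR clsid/interface/typelib hits whose GUIDs share the same last four groups (the inetctls.inet triple that PCFlyer identified as a legitimate VB control is exactly such a set, registered under consecutive GUIDs), and turns every flagged key into a reg.exe export command so a backup exists even if the quarantine is later emptied, which is the point mers2 makes. The sample log is constructed from lines posted in this thread, the GUID-suffix grouping is a heuristic, and the backup file naming is the script's own; the "reg export KeyName FileName" syntax is reg.exe's.

```python
"""Triage helper for Ad-Aware SE scan logs (added example, not Lavasoft code):
parse 'Object Recognized!' blocks, spot HKCR clsid/interface/typelib hits that
are one COM component's registration, and emit reg.exe backups of every key."""
import re
from collections import defaultdict

# Constructed sample in the scan-log layout quoted in this thread.
SAMPLE_LOG = r"""Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{48e59293-9880-11cf-9754-00aa00c00908}

Win32.Trojan.Downloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{48e59290-9880-11cf-9754-00aa00c00908}

BargainBuddy Object Recognized!
Type : RegData
Data : no
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no
"""

# Hive names as Ad-Aware prints them -> the short forms reg.exe accepts.
HIVES = {"HKEY_CLASSES_ROOT": "HKCR", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU",
         "HKEY_CURRENT_CONFIG": "HKCC"}
HEADER_RE = re.compile(r"^(.+?) Object Recognized!$")
FIELD_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*)$")
GUID_RE = re.compile(r"\{([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\}", re.I)


def parse_adaware_log(text):
    """One dict per block; fields keyed as name, type, rootkey, object, ..."""
    found, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None            # a blank line ends the block
            continue
        header = HEADER_RE.match(line)
        if header:
            current = {"name": header.group(1)}
            found.append(current)
            continue
        field = FIELD_RE.match(line)
        if current is not None and field:
            key = field.group(1).strip().lower().replace(" ", "_")
            current[key] = field.group(2).strip()   # a repeated 'Data :' keeps the last
    return found


def com_families(detections):
    """Group HKCR clsid/interface/typelib keys whose GUIDs share the last four
    groups.  Controls are often registered under consecutive GUIDs (the
    inetctls.inet triple in this thread is one), so such a set is usually a
    single component.  Heuristic: a strong hint, not proof of legitimacy."""
    families = defaultdict(list)
    for d in detections:
        obj = d.get("object", "")
        if d.get("type") != "Regkey" or d.get("rootkey") != "HKEY_CLASSES_ROOT":
            continue
        if not obj.lower().startswith(("clsid\\", "interface\\", "typelib\\")):
            continue
        m = GUID_RE.search(obj)
        if m:
            families[m.group(1).lower()[9:]].append(obj)
    return dict(families)


def reg_export_commands(detections):
    """One 'reg export KeyName FileName' per flagged key.  A RegData hit names a
    value inside the key given as Object, so the containing key is exported.
    Entries without a Rootkey (tracking cookies) have no key and are skipped."""
    cmds = []
    for n, d in enumerate(detections, 1):
        hive = HIVES.get(d.get("rootkey", ""))
        if hive is None or not d.get("object"):
            continue
        cmds.append(f'reg export "{hive}\\{d["object"]}" "{n:02d}-{d["name"]}.reg"')
    return cmds


if __name__ == "__main__":
    hits = parse_adaware_log(SAMPLE_LOG)
    for suffix, objs in com_families(hits).items():
        print(f"probably one COM component (GUID suffix {suffix}):")
        for o in objs:
            print("   ", o)
    print("back up before touching anything:")
    for cmd in reg_export_commands(hits):
        print("   ", cmd)
```

Paste a real scan log in place of SAMPLE_LOG and run the printed reg export lines from a command prompt before quarantining or deleting; the resulting .reg files can be re-imported with reg import if a detection later turns out to be a false positive and the quarantine is gone.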

Normandie
join:2006-09-12

Normandie to CalamityJane

CalamityJane,

There is a new update out this morning (Europe time); I am testing it now and will get back in a few minutes.

Normandie

kcazzie
One Of Jerry's Kids
Premium Member
join:2000-08-13
Morton Grove, IL

said by Normandie:

CalamityJane,

There is a new update out this morning (Europe time); I am testing it now and will get back in a few minutes.

Normandie
Same here in the U.S., also testing... {New update date is 9/13/06}

Edit: Just ended testing the new update and all looks just fine on my two PCs...

Normandie
join:2006-09-12

Normandie to dp

OK, tested the new update and all is well: no more FPs, unlike the other update. Thanks to all that helped.

Normandie

Exidor
Premium Member
join:2001-05-04

Exidor to dp

Ad-Aware Sept. 13 Update - FP??

ArchiveData(Diaremover.bckp)
Referencefile : SE1R123 13.09.2006
======================================================

DIAREMOVER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : S-1-5-21-357967339-2304659736-1445258045-1005\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}

Stoffe
join:2006-02-03
UA

Stoffe to dp

Re: Ad-Aware Sept. 12 Update - FP??

Thank you all for reporting this False positive.
This release fixes False positives in:
Adware.AdMedia
TrojanBackdoor.Serv-U
BargainBuddy
Win32.Trojan.Agent
Win32.Trojan.Downloader.

Buddel
If it ain't broke, don't fix it.
Premium Member
join:2004-03-06
EU

Buddel to dp

~~~INFO ONLY~~~

SE1R123 13.09.2006 Is Now Available, New Definition file for Ad-Aware SE

============================================
Definition file Notification - Lavasoft News
============================================
SE1R123 13.09.2006

This fixes a False Positive in Adware.AdMedia.
This fixes a False Positive in TrojanBackdoor.Serv-U.
This fixes a False Positive in BargainBuddy.
This fixes a False Positive in Win32.Trojan.Agent.
This fixes a False Positive in Win32.Trojan.Downloader.


The MD5 checksum for the defs.ref file is 536bea2c1749341b09b2589bf3cc0143

Additional Information
============================================
You can use Webupdate to install the new reference file, or download it manually from:
»download.lavasoft.de.edg ··· defs.zip

If you think something needs to be sent to us for review, visit our submission site at:
»www.lavasofthelp.net/submit/

If you have any questions, please contact us at:
»www.lavasoftsupport.com

Thanks to everybody who submitted us files for evaluation!

The Lavasoft Research & Development Team
--------------------------------------------

That was really fast. Thanks for fixing the above-mentioned false positives.

dp
MVM
join:2000-12-08
Greensburg, PA

dp to Stoffe

said by Stoffe:

Thank you all for reporting this False positive.
This release fixes False positives in:
Adware.AdMedia
TrojanBackdoor.Serv-U
BargainBuddy
Win32.Trojan.Agent
Win32.Trojan.Downloader.
All good here. Thanks for the quick turnaround.

puzzled-guest
@optonline.net

puzzled-guest to Buddel

I'm still a bit puzzled.

I checked my statistics in Ad-Aware and it said:

Win32.Trojan.Agent ---- Total found 2 --- Total Removed 1

I know you've made a new Definition file, but why, originally, did it only remove one of the two it found?

And on a side note... regarding the posted reply of:
quote:
mikeStrz (anon)
@someip
Same here!

I guess XP's SystemRestore would do the trick
I don't have SystemRestore active either.

maxx77
join:2004-01-29
Chile

maxx77 to dp

Hi,

I didn't know about the trojan downloader false positive.

In panic, I deleted the quarantine file.
I don't use System Restore, and disabled Ad-Aware's creation of logs since the first use.

Can anyone put the quarantine file of the trojan downloader false positives on RapidShare? That would be the job of someone from Lavasoft, since quarantines change from user to user. Lavasoft would be kind if it created a "master" quarantine file of all the possible trojan downloader registry entries.

Thanks a lot.

Santori3
Premium Member
join:2002-01-04
Morton Grove, IL

Santori3 to Exidor


Re: Ad-Aware Sept. 13 Update - FP??

DIAREMOVER
ArchiveData(Diaremover.bckp)
Referencefile : SE1R123 13.09.2006
======================================================

DIAREMOVER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : S-1-5-21-357967339-2304659736-1445258045-1005\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}

I had this one too... Looks like an FP...?

lilhurricane
Crunchin' For Cures
Numquam oblita
join:2003-01-11
Purple Zone

lilhurricane to Stoffe


Re: Ad-Aware Sept. 12 Update - FP??

All fine here now... & thanks for the quick correction.

FFH5
Premium Member
join:2002-03-03
Tavistock NJ

FFH5 to Santori3


Re: Ad-Aware Sept. 13 Update - FP??

said by Santori3:

DIAREMOVER
ArchiveData(Diaremover.bckp)
Referencefile : SE1R123 13.09.2006
======================================================

DIAREMOVER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : S-1-5-21-357967339-2304659736-1445258045-1005\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}

I had this one too... Looks like an FP...?

I had the same thing. Probably another false positive.

Bubba
GIT-R-DONE
MVM
join:2002-08-19
St. Andrews

Bubba to dp


Re: Ad-Aware Sept. 12 Update - FP??

Just a tad more tweaking needed concerning Class ID 72267f6a-a6f9-11d0-bc94-00c04fb67863

**Yesterday's log result using definitions file:SE1R123 12.09.2006:**
quote:
Adware.AdMedia Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Adware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1708537768-1897051121-1801674531-1003\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}
**Today's log result using definitions file:SE1R123 13.09.2006:**
quote:
Diaremover Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1708537768-1897051121-1801674531-1003\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}

Gianni45
join:2004-08-22

Gianni45 to Santori3


Re: Ad-Aware Sept. 13 Update - FP??

Yep, sounds as if they fixed 'old' FPs and added a NEW one, imo...

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Diaremover Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-242286658-708711241-2795454051-1008\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1

jmorlan
Hmm... That's funny.
MVM
join:2001-02-05
Pacifica, CA

jmorlan to dp


Re: Ad-Aware Sept. 12 Update - FP??

Latest definitions fixed all my FPs except this one:

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : xxx xxxxx@live365[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:xxx xxxxx@live365.com/
Expires : 9-15-2011 7:38:32 AM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1

I have placed this cookie on my "ignore" list many times, but AdAware always detects it anyway.

Thanks.

sashwa
Mod
join:2001-01-29
Alcatraz

sashwa to dp

Thanks for the update. I'll try when I get home tonight.

norwegian
Premium Member
join:2005-02-15
Outback

norwegian to dp

Didn't know of this issue till tonight (here); only got one serious issue, but looking at the rest here, it seems related to a similar key:

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Diaremover Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1935655697-1336601894-725345543-1004\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

said by norwegian:

Didn't know of this issue till tonight (here); only got one serious issue, but looking at the rest here, it seems related to a similar key:

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Diaremover Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1935655697-1336601894-725345543-1004\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}
Thanks for the reports all. I don't think we had that one last night - but it's been reported now, so please don't delete that one either until Research has had a chance to examine it.

antdude
Matrix Ant
Premium Member
join:2001-03-25
US

antdude to Buddel

said by Buddel:

~~~INFO ONLY~~~

SE1R123 13.09.2006 Is Now Available, New Definition file for Ad-Aware SE

============================================
Definition file Notification - Lavasoft News
============================================
SE1R123 13.09.2006
Thanks. It works fine on my home machine now.

norwegian
Premium Member
join:2005-02-15
Outback

norwegian to dp

Thanks C.J. for the report, and no, I didn't delete that one either, so will leave it as is.

Antdude,

My detected key was using that update. Internal build 150 though; are you referring to a change in the internal build, or will it be a different definitions file?