
False positives from PestPatrol?


ragna
July 25th, 2004, 05:50 PM
I did a scan of my system with PestPatrol, which found the following pests. But no other security programs (Ad-Aware 6, Spybot S&D, SpySweeper, a², Bazooka, as advised to me by my friend) on my computer found any of them. Neither did Kaspersky Antivirus. So I am worried they might be false positives.

Pest: Xupiter.Orbitexplorer
Pest Info: Category: Homepage Hijacker Author: [Xupiter.com] Release Date:
5/23/2004 0:00:00 Background Info: Click here
File Info: In File: C:\WINDOWS\system32\msxml3.dll PVT: -2060094940 MD5:
172ed2b7122c60e0e4e53466b2a6e73e Date: 11/09/2002 14:00:00 File Analysis:
Look up with MD5 (recommended) or PVT.
Certainty: Confirmed Threatens: Liability Risk: Moderate - this file can be
executed! Advice: Delete or quarantine
Action: Ignored
~~~
Pest: Xupiter.Orbitexplorer
Pest Info: Category: Homepage Hijacker Author: [Xupiter.com] Release Date:
5/23/2004 0:00:00 Background Info: Click here
File Info: In File: C:\WINDOWS\system32\dllcache\msxml3.dll PVT: -2060094940
MD5: 172ed2b7122c60e0e4e53466b2a6e73e Date: 11/09/2002 14:00:00 File
Analysis: Look up with MD5 (recommended) or PVT.
Certainty: Confirmed Threatens: Liability Risk: Moderate - this file can be
executed! Advice: Delete or quarantine
Action: Ignored

Pest: AdShooter.SearchForIt
Pest Info: Category: Adware Background Info: Click here
File Info: In Registry: HKEY_LOCAL_MACHINE\software\microsoft\internet
explorer\activex compatibility\{c109664b-ceb1-420b-b353-d55a561536dd}
|compatibility flags
Certainty: Confirmed Threatens: Confidentiality, Liability Risk: Low. Advice: Delete
or ignore
Action: Ignored
~~~
Pest: AdShooter.SearchForIt
Pest Info: Category: Adware Background Info: Click here
File Info: In Registry: HKEY_LOCAL_MACHINE\software\microsoft\internet
explorer\activex compatibility\{c109664b-ceb1-420b-b353-d55a561536dd}
Certainty: Confirmed Threatens: Confidentiality, Liability Risk: Low. Advice: Delete
or ignore
Action: Ignore

Can anyone help me with this? Thank you very much :).

PS: I have also sent this info to PestPatrol Customer Service.

FanJ
July 25th, 2004, 09:29 PM
Hi,

I'm sorry to say it: PestPatrol is "well" (....) known for its false positives >:(

I really would advise to check and check again its alerts before letting it delete what it alerts on.
Never ever rely on it without having cross-checked its alerts !
It is simply the truth.
Why this program has 3 stars at the Wilders-org site is simply completely unclear to me.


Well, let's have a look at this one:

Pest: AdShooter.SearchForIt
Pest Info: Category: Adware Background Info: Click here
File Info: In Registry: HKEY_LOCAL_MACHINE\software\microsoft\internet
explorer\activex compatibility\{c109664b-ceb1-420b-b353-d55a561536dd}
|compatibility flags

Yep, I too got this one (with lots of other false positives but that's another story...).

OK, let's have a look at the CLSID list from TonyKlein (a well known expert!!!) at ComputerCops:
http://computercops.biz/CLSID.html
I put in that CLSID {c109664b-ceb1-420b-b353-d55a561536dd}
Let it do a search; you will get what my screenshot is showing you.
What you see there, is that it is related to a file SYSsfitb.dll
Well, I did a search on my system for that file: it simply is NOT on my system (W 98 SE).
I rechecked by searching the database of my File-Integrity-Checker NISFileCheck: that file does NOT exist on my system.

So what we've got here, is that this program PestPatrol forgot to search whether that file exists on your system.


I'll ask TonyKlein to have a look at this thread, if he has the time and would like to do so.

snapdragin
July 25th, 2004, 09:30 PM
Hi ragna

The first two (Pest: Xupiter) look like false positives as the 'msxml3.dll' is a Microsoft file: http://support.microsoft.com/default.aspx?scid=kb;EN-US;269238

You can check the file by right-clicking on it and choosing 'properties' to verify who created it and when.

The second two (Pest: AdShooter) may not be false as the CLSID {c109664b-ceb1-420b-b353-d55a561536dd} does belong to the AdShooter toolbar: http://computercops.biz/clsid-899.html

You might want to email PestPatrol with your scan results and see what they say first before doing anything.

Regards,

snap

snapdragin
July 25th, 2004, 09:32 PM
LOL! Hi Jan. :D

FanJ
July 25th, 2004, 09:54 PM
-{ Quote: "LOL! Hi Jan. :D" }-

Hey Snap :D

;D ;D ;D

FanJ
July 26th, 2004, 08:10 AM
Well, I might have been completely wrong with what I posted.
I take my words back, and apologize for my posting.

I don't understand it anymore.
I'd better leave these things to others.

Justhelping
July 26th, 2004, 08:53 AM
I guess this thread perfectly illustrates why Pest Patrol is useless except in the hands of a real expert who is current with spyware/adware, who probably wouldn't need it anyway.

Out of 3 detections, 2 are false positives. The danger is that a newbie would completely trust it and damage his system by removing them all.

While even someone more experienced (or someone VERY experienced but who hasn't kept up with the latest malware lol) might, after dismissing yet another of the numerous false positives, go the opposite route and dismiss them all as false positives, hence missing the occasional/rare time when it's correct. This is almost as bad.

FanJ
July 26th, 2004, 09:05 AM
Well,
I have looked at that registry-key on my (Dutch) W 98 SE system.

Indeed the key is there, and here are its values:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{C109664B-CEB1-420B-B353-D55A561536DD}

Naam Gegevens
(Standaard) (geen waarde ingesteld)
Compatibility Flags 0x00000400 (1024)

(sorry, I have the Dutch version of Windows)

I have to leave it further to those who might understand it.

tImEwArP
July 26th, 2004, 11:34 AM
I am also getting the following detections/FPs with Pest Patrol. All are adware. Anyone else getting any of these in their scans?



1. AdShooter.SearchForIt (2 in Registry-same as above)

2. I-Lookup (1 in reg- HKEY_LOCAL_MACHINE\software\classes\interface\
{e7bc43a2-ba86-11cf-84b1-cbc2da68bf6c})

3. SpediaBar (1 in reg- HKEY_LOCAL_MACHINE\software\stdllupdt)

4. VX2 (4 in reg- HKEY_USERS\default\software\microsoft\currentversion\internet settings\zonemap\domains\vx2.com)

5. Spyster 1.0.19 (1 in c:\windows\setup1.exe )

6. EUniverse Directory (3 in c:\program files\earthlink\total access\fast lane )

ragna
July 26th, 2004, 02:03 PM
Thank you FanJ, Snapdragin,... :-*
I am still waiting on PestPatrol's answer. I am certainly gonna let you know their answer.
Yes Justhelping, it is indeed very frustrating not to be able to rely on software you bought.
Luckily there are forums like this ;)

wyrmrider
July 26th, 2004, 03:25 PM
I've seen
Backdoor.Noknok
from pest patrol and A2
I think sbs&d takes care of it so it is on the back burner
there are two versions at least
I did not find the file with a search but have not checked the registry yet

Wyrmrider

FanJ
July 26th, 2004, 07:43 PM
-{ Quote: "Well,
I have looked at that registry-key on my (Dutch) W 98 SE system.

Indeed the key is there, and here are its values:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{C109664B-CEB1-420B-B353-D55A561536DD}

Naam Gegevens
(Standaard) (geen waarde ingesteld)
Compatibility Flags 0x00000400 (1024)

(sorry, I have the Dutch version of Windows)

I have to leave it further to those who might understand it." }-


Hmmm ::)

Here we go again:

Have a look at this site:
http://www.winguides.com/registry/display.php/1188/

What that page explains is that a kill bit has been set for an ActiveX Control when the DWORD is 1024.
And that is exactly what has happened on my machine !

At the moment I have not looked which program has set that kill bit, but I suppose it is either SpywareBlaster or SpywareGuard.

So: it looks to me that it IS a false positive (well, at least on my machine where the DWORD for that ActiveX CLSID is indeed 1024)!

FanJ
July 26th, 2004, 08:24 PM
-{ Quote: "I am also getting the following detections/FPs with Pest Patrol. All are adware. Anyone else getting any of these in their scans?



1. AdShooter.SearchForIt (2 in Registry-same as above)" }-

I have them too.
False positive if the DWORD is 1024, as explained above.

-{ Quote: "
2. I-Lookup (1 in reg- HKEY_LOCAL_MACHINE\software\classes\interface\
{e7bc43a2-ba86-11cf-84b1-cbc2da68bf6c})" }-

I have it too.
I'm not sure about this one at the moment.

-{ Quote: "
3. SpediaBar (1 in reg- HKEY_LOCAL_MACHINE\software\stdllupdt)
" }-

I didn't get this alert.
I don't know.

-{ Quote: "
4. VX2 (4 in reg- HKEY_USERS\default\software\microsoft\currentversion\internet settings\zonemap\domains\vx2.com)" }-

I have those 4 alerts too.
All are false positives if the DWORD is 4.
They are put there by IE-SPYAD.
A known problem with PestPatrol; similar things have been posted several times and many months ago...
On my W 98 SE machine for example:
HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\vx2.com

-{ Quote: "
5. Spyster 1.0.19 (1 in c:\windows\setup1.exe )" }-

I have that alert too.
False positive:
A legitimate file from Microsoft:
Visual Basic 6.0 Setup Toolkit.
My version: 6.00.9782
MD5 checksum of my version:
C6264B17629F6F9F0BD2BA7671CEFF69

-{ Quote: "
6. EUniverse Directory (3 in c:\program files\earthlink\total access\fast lane )" }-

I didn't get that alert.
I don't know.

BTW:
I myself got several other alerts too....
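As an added example (not from the thread, from PestPatrol or from any of the posters), here is the check FanJ describes above put into code: a small Python triage that reads a .reg export and labels an ActiveX Compatibility hit with the 0x400 kill bit, or a ZoneMap domain mapped to zone 4, as a protection setting rather than an infection, and compares a file hit's MD5 with the hashes posted in this thread. The .reg text is constructed from the values FanJ posted; the {00000000-...-00000000BEEF} CLSID and the example.test domain are made-up counter-examples, and the hash table is only the posters' own copies, not an authoritative allowlist.

```python
"""Triage registry and file hits of the kind PestPatrol reported in this thread.

Patterns the thread identifies as protection settings, not infections:
  * ...\Internet Explorer\ActiveX Compatibility\{CLSID} with "Compatibility Flags"
    bit 0x400 (1024) set: the kill bit, so IE refuses to load that control.
    SpywareBlaster/SpywareGuard write these; the control need not exist on disk.
  * ...\Internet Settings\ZoneMap\Domains\<domain> with a DWORD of 4: the domain
    is in IE's Restricted Sites zone (what IE-SPYAD adds).
SAMPLE_REG is a constructed .reg export built from FanJ's values; the
{00000000-...-00000000BEEF} CLSID and example.test are made-up counter-examples.
"""
import re

KILL_BIT = 0x400         # "Compatibility Flags" bit that disables an ActiveX control
ZONE_RESTRICTED = 4      # IE URL security zone id for "Restricted sites"

# MD5s quoted in the thread for files the posters judged legitimate; illustration only.
KNOWN_GOOD_MD5 = {
    "msxml3.dll": "172ed2b7122c60e0e4e53466b2a6e73e",  # ragna's copy; MS file per KB 269238
    "setup1.exe": "c6264b17629f6f9f0bd2ba7671ceff69",  # FanJ's VB6 Setup Toolkit 6.00.9782
}

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{C109664B-CEB1-420B-B353-D55A561536DD}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000BEEF}]
"Compatibility Flags"=dword:00000000

[HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vx2.com]
"*"=dword:00000004

[HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"*"=dword:00000002
"""

_ACTIVEX_RE = re.compile(r"\\internet explorer\\activex compatibility\\(\{[0-9a-f-]{36}\})$")
_ZONEMAP_RE = re.compile(r"\\internet settings\\zonemap\\domains\\([^\\]+)$")


def parse_reg(text):
    """Parse the .reg subset used here: [key] headers and "name"=dword:hex lines.
    Keys and value names are lower-cased because scanner paths vary in case."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                keys[current][m.group(1).lower()] = int(m.group(2), 16)
    return keys


def triage_registry_hit(reported_path, reg):
    """Classify one registry hit.  The path may carry PestPatrol's '|valuename'
    suffix.  Returns (verdict, reason) with verdict protection/review/unknown."""
    key_path = reported_path.split("|", 1)[0].strip().lower()
    values = reg.get(key_path)
    if values is None:
        return "unknown", "key not present in the registry export"
    m = _ACTIVEX_RE.search(key_path)
    if m:
        flags = values.get("compatibility flags", 0)
        if flags & KILL_BIT:
            return "protection", f"kill bit set for {m.group(1)} (flags=0x{flags:x}); control is blocked"
        return "review", f"ActiveX Compatibility entry without kill bit (flags=0x{flags:x})"
    m = _ZONEMAP_RE.search(key_path)
    if m:
        zones = set(values.values())
        if zones == {ZONE_RESTRICTED}:
            return "protection", f"{m.group(1)} is in the Restricted Sites zone"
        return "review", f"{m.group(1)} mapped to zone(s) {sorted(zones)}, not Restricted"
    return "review", "no known protection pattern; verify what owns the key"


def triage_file_hit(reported_path, reported_md5, known_good=KNOWN_GOOD_MD5):
    """Compare the MD5 a scanner reports for a file with a hash already judged
    legitimate.  A familiar name with a different hash is the case that
    deserves a closer look, so it comes back as 'review'."""
    name = reported_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    expected = known_good.get(name)
    if expected is None:
        return "unknown", f"no reference hash for {name}"
    if expected == reported_md5.lower():
        return "known-good", f"{name} matches the hash of a legitimate copy"
    return "review", f"{name} hash differs from the known copy; check publisher and version"


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for hit in (r"HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\activex compatibility"
                r"\{c109664b-ceb1-420b-b353-d55a561536dd}|compatibility flags",
                r"HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings"
                r"\zonemap\domains\vx2.com",
                r"HKEY_LOCAL_MACHINE\software\stdllupdt"):
        print(hit, "->", triage_registry_hit(hit, reg))
    print(triage_file_hit(r"C:\WINDOWS\system32\msxml3.dll", "172ED2B7122C60E0E4E53466B2A6E73E"))
```

On a live machine the same logic would run against `reg export` output of the flagged keys; a kill-bit or Restricted-zone entry is something a protection tool put there, and deleting it removes the protection, not a pest.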

tImEwArP
July 26th, 2004, 08:56 PM
Thanks for your reply FanJ. I really appreciate your post. Now I know at least some of them are FPs. The last one I posted, 'EUniverse Directory', I think was part of Earthlink that was left over from when I used to have it. Not sure about SpediaBar. Is Pest Patrol ever going to get rid of their FP problems? Sometimes I wonder why I continue to use it at all. Hopefully your detections, the ones you didn't post, are just FPs too.

FrogmanLa
July 30th, 2004, 08:47 PM
I am not too sure on the false positive theory. I am also running SpywareBlaster on my system (XP Home), I set it to protect against SearchForIt Tool Bar. Every time I reboot and check it, the protection has been turned off. The only thing Pest Patrol had listed that I found on my machine was the ActiveX registry entry. I delete it and it comes back when I reboot. I have yet to have Pest Patrol reply to any of 5 different inquiries.

MickeyTheMan
July 31st, 2004, 12:12 AM
-{ Quote: "I have yet to have Pest Patrol reply to any of 5 different inquiries" }-
I used to be a beta tester for Pest Patrol but lost all interest when they decided to shut down their forums.

Odyssey
July 31st, 2004, 11:19 PM
FanJ, Please elaborate on the "checksum" you mentioned for setup1.exe. Are you testing whether the file has been compromised? How does one determine if it is an unaltered MS file or compromised?

Pest Patrol gave me a warning about Spyster 1.0.19 in this file, which shows to have been created in April of this year, well after I bought and set up the computer, therefore a bit concerned.

Thanks.

dread
August 1st, 2004, 02:59 AM
I just scanned and PestPatrol came up with the same thing on that Spyster 1.0.19. I have always stood up for PestPatrol but these last updates are FPs galore. I haven't had this problem before. And for some reason they stopped updating like they used to. And it's taking them longer to answer tech support; it used to be you would get a response back within 24 hours from my experience, but not now. And the site is still not done. Maybe they're working their butts off on version 5 of the home edition and gonna straighten everything up. I hope PestPatrol is looking at these posts, hope someone is pointing them to these posts. Gonna get it for another year and just see what happens.

Devinco
August 1st, 2004, 03:26 AM
-{ Quote: "Gonna get it for another year and just see what happens." }-
Hi dread,
I really cannot recommend it. I purchased several licenses in the past (now expiring) and I won't renew. I personally experienced several false positives. Prior to my discovering that it is a false positive glutton, I trusted it. Who knows how much trouble it caused by deleting necessary components and such?
I thought maybe it was just me, but once I saw how many others were having the same problems, then I knew it was PP.
If it was just a few, it could be a fluke. They have a bad track record. Inexcusable.
They should call it FalsePositivePatrol (or FalsePositivePlus) :P

Ruffian
August 1st, 2004, 07:36 AM
As dread has mentioned, he is the no. 1 fan of Pest Patrol on these forums.

See for example http://www.wilderssecurity.com/showthread.php?t=33649
, or look at all the posts he has made, many of them mention pest patrol.

http://www.wilderssecurity.com/search.php?searchid=79610

Hence to hear that even he is having second thoughts does not look good for pest patrol. But then again, despite all his problems he is still renewing for another year......

dread
August 1st, 2004, 02:43 PM
Yes I am. I am hoping when version 5 comes out they will go back to updating normally like they used to and they get things fixed. They did increase some of their teams, or that was something someone said on this forum one time if I remember correctly. Growing pains maybe? Every company runs into problems sooner or later. And I still say it can detect things the other guys miss despite the FPs. Renewing don't cost that much anyway. And I will have a whole year to see if they change. And like I said I haven't had all these FPs till the last several updates, I don't know what's going on with them. But I am seeing the FP side of it that people have posted on here. Thankfully I usually know what they are or can find out real quick. Like I said before I hope they are looking at these posts.

FanJ
August 1st, 2004, 09:14 PM
-{ Quote: "FanJ, Please elaborate on the "checksum" you mentioned for setup1.exe. Are you testing whether the file has been compromised? How does one determine if it is an unaltered MS file or compromised?

Pest Patrol gave me a warning about Spyster 1.0.19 in this file, which shows to have been created in April of this year, well after I bought and set up the computer, therefore a bit concerned.

Thanks." }-

Hi Odyssey,

My remark about that checksum doesn't make much sense :-[ : as far as I was able to see, the MS site doesn't give its MD5 checksum (but I could be wrong here... :-[ ).
Thanks for your question !

PS: I still tend to think that it is a false positive (at least I myself have not let PP remove it).

Ruffian
August 2nd, 2004, 11:59 AM
-{ Quote: "Like I said before I hope they are looking at these posts." }-

I bet they are too busy looking at all the complaints in their own forum (if they had one that is).

rrainbow
August 6th, 2004, 05:41 AM
I had trouble with software from the SpySweeper people and hardly ever got any good support whatsoever!! I've never (except once) been treated SO horribly by anyone before!! They Don't Deserve any $$$$$ from us at all!! Who cares if they have a Free download. If they Don't back their product they are Not worth their grain in salt. Period. Thank you.
I also once tried Pest Patrol and then I downloaded another anti-spyware software and it caught a spyware that Pest Patrol downloaded on my PC when I downloaded it!!! Because my PC was Clean Before I downloaded Pest Patrol! ???

FanJ
August 6th, 2004, 05:52 AM
-{ Quote: "I also once tried Pest Patrol and then I downloaded another anti-spyware software and it caught a spyware that Pest Patrol downloaded on my PC when I downloaded it!!! Because my PC was Clean Before I downloaded Pest Patrol! ???" }-

Hi rrainbow,

As far as I remember that never happened to me.

With all due respect :
I think it would be better to come with some proof of your statement.

Regards, Jan.

Nick
August 9th, 2004, 04:16 AM
I ran the online scanner yesterday and got the same entry for VX2 that is there because IE Spyad put it in the restricted zone. I got another hit for something I forgot, but it was a killbit set by SpywareBlaster. There were a couple more results attributed to various protections that I use. So Pest Patrol remains false positive king for me.

I will say that they don't add spyware, so I agree that someone better have proof before saying that. They may suck, but they aren't malware pushers.

Ronin
August 9th, 2004, 09:55 AM
-{ Quote: "I ran the online scanner yesterday and got the same entry for VX2 that is there because IE Spyad put it in the restricted zone. I got another hit for something I forgot, but it was a killbit set by SpywareBlaster. There were a couple more results attributed to various protections that I use. So Pest Patrol remains false positive king for me.

I will say that they don't add spyware, so I agree that someone better have proof before saying that. They may suck, but they aren't malware pushers." }-

In my book, Pest Patrol shouldn't count as a trustworthy scanner any more, given the insane levels of false positives unmatched by any other product.
A level that has been consistently maintained for years.

Perhaps false positives work as goad to purchase?

Time to remove them from http://www.spywarewarrior.com/rogue_anti-spyware.htm#trustworthy
as a trustworthy scanner?

dread
August 9th, 2004, 10:48 AM
Lol, that's a joke Ronin, because of Perhaps false positives work as goad to purchase? Bs. They tell you it happens. You can submit your log and they will try to fix the false positives. Now I will say I am unhappy with tech support's response now; these days they don't get back to you as fast as they used to. But Perhaps false positives work as goad to purchase? bs, read http://research.pestpatrol.com/Analyses/FalseAlarms.asp they know it happens and they tell you it will happen. Email them and tell them you want to be a beta tester and test for false alarms. And from what I see from these forums Spy Sweeper is just as bad about false positives and they don't have any system to report false positives. So if you gonna sit here and say about removing PP for false positives as goad to purchase you need to include Spy Sweeper because it's just as bad.

FanJ
August 9th, 2004, 11:22 AM
Hi Dread,

Thanks for that link !
I didn't know that that page existed at the PP-site :-[

(I hope it will be maintained and will give correct info ;) ).

ragna
August 9th, 2004, 03:15 PM
-{ Quote: "...I am certainly gonna let you know their answer..." }-
And they did!
They told me that the last set of scan strings they released had quite a few false alarms. But they just released new ones that should have resolved most of the issues and that I should run PPUpdater.
I did and I am glad that indeed these false positives are gone :) .
Although it seems that I now have another, but I'm not certain. Gonna take a closer look at it later when I have some time.
Still glad that the support of PestPatrol answered my email ---> perhaps the program has false positives but luckily it also has good support it seems ;) .

Ronin
August 10th, 2004, 12:50 PM
-{ Quote: "Lol, that's a joke Ronin, because of Perhaps false positives work as goad to purchase?

" }-

Dread, nice to see the no 1 fan of Pest Patrol is still around. Still holding strong in your faith despite the setbacks?

-{ Quote: "
Bs. They tell you it happens. You can submit your log and they will try to fix the false positives. Now I will say I am unhappy with tech support's response now; these days they don't get back to you as fast as they used to. But Perhaps false positives work as goad to purchase? bs, read " }-

Actually that was the term used by the page I referenced, it was not my phrase. I advance it as a possibility only because the number and frequency of FPs are so high.

-{ Quote: "

http://research.pestpatrol.com/Analyses/FalseAlarms.asp they know it happens and they tell you it will happen." }-

Funny, this link isn't more widely known. I suppose the No. 1 Pest Patrol fan like yourself would know about it. But the rest of us wouldn't. So it might indeed still accomplish its purpose of scaring newbies.

-{ Quote: "
Email them and tell them you want to be a beta tester and test for fasle alarms. " }-

Sigh, I have been testing Pest Patrol on and off for months, and never once did it give me zero false positives. Not once. Typically, it says I have about 5-10 pieces of adware and keyloggers and the type detected keeps changing. I guess there must be a really busy hacker on my computer :P
-{ Quote: "
And from what I see from these forums Spy Sweeper is just as bad about false positives and they don't have any system to report false positives. So if you gonna sit here and say about removing PP for false positives as goad to purchase you need to include Spy Sweeper because it's just as bad." }-

Yes, Spy Sweeper is almost but not quite as bad. But we are talking about Pest Patrol here.

It's a very weak defence if your only defence is to point out that another product is just as bad lol.

BTW I know even Spybot, Ad-Aware is not immune to false positives. Typically I get about 1 every time and that is with beta signatures! That is loads better than Pest Patrol.

ragna
August 10th, 2004, 04:28 PM
Ok, this seems to be a never-ending story ;) . I updated the program, ran another scan, and some of the former entries are gone now. But... here are some other entries no other anti-spyware program can find:

- NetSpy KeyLogger: C:\Windows\uninst.exe :o (this seems weird because it is from InstallShield Corporation)

- MC 30 Day: C:\Program Files\RealAlternative\RealMedia Browser (i am quite certain this is a fp, cause a friend of mine told me that this has been known as a fp)

- System Soap Pro (at several places)

- Save Now: C:\Windows\Lastgood\System32\msvcirt.dll (but this is from Microsoft Corporation!! :o )

- BonziBuddy: C:\Windows\Lastgood\speech\... (several .dll there) (all MS Corporation too)

I sent the log again to PestPatrol, but submit the files here because they might be helpful for others.

Devinco
August 10th, 2004, 04:58 PM
-{ Quote: "- BonziBuddy: C:\Windows\Lastgood\speech\... (several .dll there) (all MS Corporation too)" }-
Hi Ragna,

It may be a false positive, but if it is really a BonziBuddy component, then it would be good to get rid of.
That's what I don't like about PP, you can't trust it and always have to double check everything.

ragna
August 11th, 2004, 05:49 AM
-{ Quote: "... but if it is really a BonziBuddy component, then it would be good to get rid of..." }-
Now you've got me scared :( !
How do I know if these are false or real alarms!?
Anxiously waiting for an answer to my email to PestPatrol, or is there someone here who could help... ;)

tImEwArP
August 11th, 2004, 07:24 AM
Well, I am also getting that NetSpy keylogger in C:\WINDOWS\uninst.exe. I've seen others list it as well, so I'm pretty sure it's a FP. But I'm not getting any of the others you listed Ragna.

I am getting VX2 (4 entries found in registry) though, along with NetSpy keylogger. It may depend on whether you have programs like IE-SPYAD, SpywareBlaster, a hosts file, etc... I'm pretty sure VX2 is caused by IE-SPYAD.

Bonzifriend
August 11th, 2004, 10:17 AM
Hmm, this is Bonzi Buddy we are talking about, right, not some stealthy keylogger?

One would think that if one was really infected by it, one would know with all the popups and ads?

So maybe to be charitable Pest patrol is picking up on some harmless left over residue?

icio
August 19th, 2004, 03:41 PM
OS: Windows XP
Product Edition: Evaluation
PestPatrol version: 07/06/2004 4.4.3.24
PPServer.dll version: 26/01/2003
PPMemCheck version: 02/04/2004
PestPatrolCL version: 07/06/2004 4.4.3.19
PPUpdater version: 03/05/2004 4.4.3.36
PPfile.dat version: 11/08/2004
PPInfo.dat version: 11/08/2004
Spyware.dat version: 11/08/2004

Pests found:

icio
August 19th, 2004, 03:42 PM
Are they FP?

Infinity
August 19th, 2004, 04:34 PM
Better to scan your system with Spybot AND Ad-Aware in safe mode; this should give you a fair idea of any malware on your machine...

At the beginning of the boot process press F8 and choose safe mode, then let Ad-Aware SE and Spybot (updated) run.

luv2bsecure
August 19th, 2004, 06:55 PM
I have a theory on all of this. It concerns the sale of PestPatrol. I started a thread here:
http://www.wilderssecurity.com/showthread.php?p=239778#post239778

John
Luv2BSecure


icio
August 20th, 2004, 03:20 PM
I never installed that software.

In order, on a formatted PC:
- Windows XP
- Office
- MSN Messenger
- Windows Update
- ZoneAlarm
- my-eTrust
- Spybot Search and Destroy
- PestPatrol
- Ad-Aware

Then I scanned my PC.

ronny
September 8th, 2004, 03:48 AM
Hello icio, I also found the following "BonziBuddy"s on one comp but not on others. I asked PestPatrol for more info but their response was vague. So I am trying to send them another e-mail.

No other scanner found this! ???
Now I really really want to learn what these 8 entries are. Does ANYONE here know this?
I would be very grateful! :-* ;D


BonziBuddy,HKEY_LOCAL_MACHINE\software\classes\clsid\{71a2702f-c7d8-11d2-bef8-525400dfb47a}
BonziBuddy,HKEY_LOCAL_MACHINE\software\classes\clsid\{71a27032-c7d8-11d2-bef8-525400dfb47a}
BonziBuddy,HKEY_LOCAL_MACHINE\software\classes\clsid\{71a27034-c7d8-11d2-bef8-525400dfb47a}
BonziBuddy,HKEY_LOCAL_MACHINE\software\classes\interface\{71a2702e-c7d8-11d2-bef8-525400dfb47a}
BonziBuddy,HKEY_LOCAL_MACHINE\software\classes\interface\{71a27031-c7d8-11d2-bef8-525400dfb47a}
BonziBuddy,HKEY_LOCAL_MACHINE\software\classes\interface\{71a27033-c7d8-11d2-bef8-525400dfb47a}
BonziBuddy,HKEY_LOCAL_MACHINE\software\classes\interface\{71a27036-c7d8-11d2-bef8-525400dfb47a}
BonziBuddy,HKEY_LOCAL_MACHINE\software\classes\typelib\{71a2702d-c7d8-11d2-bef8-525400dfb47a}

Jack Black
September 8th, 2004, 09:34 PM
I have Pest Patrol and I am not finding BonziBuddy in any of my scans. It may depend which programs you have installed on your computer.

bigc73542
September 8th, 2004, 09:50 PM
You might look here: BonziBuddy removal info (http://www.pchell.com/support/bonzibuddy.shtml)

ronny
September 9th, 2004, 03:19 AM
-{ Quote: "you might look here BonziBuddy removal info (http://www.pchell.com/support/bonzibuddy.shtml)" }-
Thank you Jack Black.
Thanks Bigc73542, but I already found that site ;). The strange thing is that I have NEVER installed that BonziBuddy program on any of my PCs. More, when I try to install it (to be able to remove it), I can't because my protection doesn't allow me that :D.
So because of that & because no other spyware scanner detects these 8 CLSIDs, I am curious what they are. I checked on the site of PestPatrol but there they say they are CLSIDs connected to BonziBuddy.
Is there no way that I can see which program is connected to these CLSIDs?

Jack Black
September 9th, 2004, 11:36 AM
I still think you're finding a False Positive, because I've heard so many people complain of detecting BonziBuddy who have Pest Patrol. But I still don't know what installed program is causing the false positive. Let's see, I have Spybot's protection enabled, so it's not that. I also have IESpyad, so you could rule that one out. SpywareBlaster is another I have, so it's not that either. Do you have any other programs that protect you against spyware/adware?

ronny
September 9th, 2004, 04:21 PM
-{ Quote: "I still think your finding a False Positive, because i've heard so many people complain of detecting BonziBuddy .... Do you have any other programs that protect you against spyware/adware?" }-
First & most important: thank you for the time you spend trying to help ;)
Well, I also have the spyware blocklist installed:
http://www.spywareguide.com/blockfile.php
but when I open it with Notepad, I don't find those CLSIDs there, although there is one different CLSID for BonziBuddy.

Jack Black
September 9th, 2004, 04:57 PM
Ok, did you just install the minimal version? Because I am going to download it and install it. I will then do a Pest Patrol scan to see if it detects Bonzi Buddy.

ronny
September 9th, 2004, 05:02 PM
Jack, I installed the "experts package".

Jack Black
September 9th, 2004, 05:36 PM
Just to let you know, before you replied I downloaded and merged the minimal files with my registry. I ran two Pest Patrol scans (restart between each) and did not find Bonzi Buddy. I will try the expert download too. One other thing: is your Pest Patrol fully up to date? My last PP update was on 8-30-04.

ronny
September 9th, 2004, 06:01 PM
-{ Quote: "... is your Pest Patrol fully up to date? My last PP update was on 8-30-04." }-
Yep, I always update the program before I do a scan:

PestPatrolCL version: 06/07/2004
PPUpdater version: 05/03/2004
PPfile.dat version: 08/25/2004
PPInfo.dat version: 08/25/2004
Spyware.dat version: 08/25/2004

There must be a way that we could see which program corresponds with those CLSIDs on this comp :-\

Jack Black
September 9th, 2004, 07:05 PM
I downloaded and installed the experts package. I uninstalled the minimal version first w/ GoBack, because I didn't see any way to uninstall it. I again ran the Pest Patrol scan and didn't find BonziBuddy, just the regular FPs I normally get (VX2).

So I would say it must be something else. As far as finding a way to determine which program corresponds with the CLSIDs, I'm not sure; maybe someone will post who knows a way.

Can you think of any other programs you installed just previous to the detections with Pest Patrol?
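For the open question of which program a flagged CLSID, Interface or TypeLib key belongs to, here is an added PowerShell script (not from the thread or from PestPatrol) that follows each key to the DLL or EXE that registered it and hashes that file, so a scanner hit can be tied to an installed product before anything is deleted. It assumes PowerShell 4 or later on Windows and uses three of the GUIDs from ronny's report purely as sample input.

```powershell
# Added example: resolve registry hits from a scanner report to the
# COM server file that registered them. Sample keys are taken from the
# report above; any CLSID/Interface/TypeLib path can be substituted.
$hits = @(
    'HKEY_LOCAL_MACHINE\software\classes\clsid\{71a2702f-c7d8-11d2-bef8-525400dfb47a}',
    'HKEY_LOCAL_MACHINE\software\classes\interface\{71a2702e-c7d8-11d2-bef8-525400dfb47a}',
    'HKEY_LOCAL_MACHINE\software\classes\typelib\{71a2702d-c7d8-11d2-bef8-525400dfb47a}'
)

function Resolve-Hit([string]$KeyPath, [string]$RawPath) {
    # Strip surrounding quotes and trailing switches, expand %SystemRoot%-style variables.
    $file = ($RawPath -replace '^"([^"]+)".*$', '$1') -replace '\s+/.*$', ''
    $file = [Environment]::ExpandEnvironmentVariables($file)
    $md5 = if (Test-Path -LiteralPath $file) { (Get-FileHash -LiteralPath $file -Algorithm MD5).Hash } else { 'file missing' }
    [pscustomobject]@{ Key = $KeyPath; File = $file; MD5 = $md5; Note = '' }
}

function Get-ComServerPath([string]$KeyPath) {
    $key = "Registry::$KeyPath"
    if (-not (Test-Path -LiteralPath $key)) {
        return [pscustomobject]@{ Key = $KeyPath; File = $null; MD5 = $null; Note = 'key not present' }
    }
    $kind = ($KeyPath -split '\\')[-2]          # clsid / interface / typelib
    switch ($kind) {
        'clsid' {
            # A COM class records its server under InprocServer32 (DLL) or LocalServer32 (EXE).
            foreach ($sub in 'InprocServer32', 'LocalServer32') {
                $p = Get-ItemProperty -LiteralPath "$key\$sub" -ErrorAction SilentlyContinue
                if ($p -and $p.'(default)') { return Resolve-Hit $KeyPath $p.'(default)' }
            }
        }
        'interface' {
            # An interface only names its TypeLib; follow that GUID to a file.
            $tl = (Get-ItemProperty -LiteralPath "$key\TypeLib" -ErrorAction SilentlyContinue).'(default)'
            if ($tl) { return Get-ComServerPath "HKEY_LOCAL_MACHINE\software\classes\typelib\$tl" }
        }
        'typelib' {
            # TypeLib\{guid}\<version>\0\win32 (or win64) holds the library path.
            $ver = Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue | Select-Object -First 1
            foreach ($arch in 'win32', 'win64') {
                if (-not $ver) { break }
                $p = Get-ItemProperty -LiteralPath "$($ver.PSPath)\0\$arch" -ErrorAction SilentlyContinue
                if ($p -and $p.'(default)') { return Resolve-Hit $KeyPath $p.'(default)' }
            }
        }
    }
    [pscustomobject]@{ Key = $KeyPath; File = $null; MD5 = $null; Note = 'no server path recorded' }
}

$hits | ForEach-Object { Get-ComServerPath $_ } | Format-Table -AutoSize
```

Compare the resolved file's path and MD5 against the vendor's published hashes or a clean install before acting on the detection; a key that resolves to a file from a product you knowingly installed is the usual false-positive signature.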

ronny
September 9th, 2004, 07:50 PM
-{ Quote: "Can you think of any other programs you installed just previous to the detections with Pest Patrol?" }-
Yes! I've found it. Two days ago I installed a trial of a (shame on me :-[) porn-snatcher program. If I say that I was just curious about it, I guess nobody here would believe me :P. Well, I have now uninstalled it (didn't like the ugly things it found on the net anyway) and indeed those 8 entries are gone.
So although it wasn't the BonziBuddy program, it seems NOT to be a false positive!
So I apologize to PestPatrol.

Jack Black, can I buy you a tasty Belgian beer or do you prefer chocolate?
Thanks again.

Jack Black
September 9th, 2004, 09:17 PM
Good job Ronny, it seems you figured it out all yourself; all I did was give you some hints. But I am glad you solved the problem and I know the feeling of figuring out a troublesome problem like that, feels good. I celebrate with you in your triumph! :)

Glenn
September 28th, 2004, 01:05 PM
We're not using PestPatrol but the Yahoo toolbar "Anti-Spy" just detected that guid in the registry - we've found that that guid is also used by "ssubtmr6.dll" - a "subclassing and timer assistant" required by many of the controls available on the vbAccelerator website. Definitely not spyware.

You might want to search your hard drive for this dll.