#1
My freeware copy of Spyware Doctor picked this up during a scan, and despite running NOD32 as well as Ewido in safe mode with System Restore turned off, both failed to find it. A quick Google confirmed that this is definitely a trojan, though exactly what it does I'm not sure.

#2
Quote:
Last edited by The Hammer : September 23rd, 2005 at 05:53 PM.

#3
If you can reproduce this find, or if you have it available, would you mind showing the location where SpywareDoctor found this possible malware, please?
__________________
Wilders - Terms of Service · Site FAQ · Searching the forum easier · The Art of Quoting in Posts

#4
Quote:
I've restored from quarantine and this is what shows up in the log:

Trojan.Repsamo HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000} High
Trojan.Repsamo HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32 High
Trojan.Repsamo HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\ProgID High
Trojan.Repsamo HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\Programmable High
Trojan.Repsamo HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\TypeLib High
Trojan.Repsamo HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\VersionIndependentProgID High
Trojan.Repsamo HKLM\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000} High
Trojan.Repsamo HKLM\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32 High
Trojan.Repsamo HKLM\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\ProgID High
Trojan.Repsamo HKLM\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\Programmable High
Trojan.Repsamo HKLM\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\TypeLib High
Trojan.Repsamo HKLM\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\VersionIndependentProgID High
Trojan.Repsamo HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved##{5E2121EE-0300-11D4-8D3B-444553540000} High

These were all in the registry. What is this?

#5
Hi Holden4th:
If you have (had) an ATI video card, then this is most likely a false positive. Do not worry, you are not infected, those registry keys are merely used by ATI's menu. All they change is when one right clicks on the desktop one no longer sees the option for ATI Catalyst Control Center, that is all. Quote:
__________________
There are only 10 types of people in the world: Those who understand binary and those who don't... CSA
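
A way to check a claim like the one in post #5 before deleting anything, given as an added example that is not part of the thread: the flagged keys are a COM class registration, so the DLL named under `InprocServer32` is what should be examined. The function name `Get-ComServerTriage` is hypothetical; the script only reads the registry and the file.

```powershell
# Added example, not from the thread. Read-only: nothing is modified or deleted.
$Clsid = '{5E2121EE-0300-11D4-8D3B-444553540000}'   # CLSID from the scan log in post #4

function Get-ComServerTriage {
    param([Parameter(Mandatory)][string]$Clsid)

    # HKCR is a merged view of the per-machine and per-user class hives,
    # so check each hive separately to see where the registration lives.
    $hives    = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes', 'HKEY_CURRENT_USER\Software\Classes'
    $approved = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
    $isApproved = (Test-Path -LiteralPath $approved) -and
                  ($null -ne (Get-Item -LiteralPath $approved).GetValue($Clsid))

    foreach ($hive in $hives) {
        $keyPath = "Registry::$hive\CLSID\$Clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }

        # The default value of InprocServer32 is the DLL loaded for this class.
        $raw = [string](Get-Item -LiteralPath $keyPath).GetValue('')
        $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))

        $exists = $dll -and (Test-Path -LiteralPath $dll -PathType Leaf)
        $sig = $null; $ver = $null
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $ver = (Get-Item -LiteralPath $dll).VersionInfo
        }

        [pscustomobject]@{
            Hive             = $hive
            Dll              = $dll
            FileExists       = [bool]$exists
            # Version strings are set by whoever built the file; treat them as a hint only.
            CompanyName      = if ($ver) { $ver.CompanyName }
            FileDescription  = if ($ver) { $ver.FileDescription }
            SignatureStatus  = if ($sig) { $sig.Status }
            Signer           = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
            ApprovedShellExt = $isApproved
        }
    }
}

Get-ComServerTriage -Clsid $Clsid | Format-List
```

A DLL that sits in the video driver's install directory and carries a valid vendor signature supports the false-positive reading; a missing file, or an unsigned DLL in a temp or profile directory, is a reason to keep investigating rather than to whitelist the detection.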

#6
Yes, I do have an ATI video card. After I deleted the (repsamo) files from my registry my ATI Catalyst Control desktop icon wouldn't work - not surprising considering. This prompted me to go to the ATI website and upgrade to the latest drivers so there is a positive spin off for all this.
Thanks for your help.

#7
Quote:
It seems other Anti-Spyware programs have had ATI false positive issues in the past, reported on other forums but with different names.

MS Antispyware F/P?
Mzs.spoolserver32, probable false positive
Last edited by Bubba : September 24th, 2005 at 07:06 PM.

#8
Hi all,
I am from PC Tools, maker of Spyware Doctor. Apologies for any inconvenience caused due to the false positive. Thank you all for highlighting this as we take false positives seriously.

We have fixed this issue with our latest live update: Refdb 3.03130

If you are a registered customer, simply perform a Live Update within Spyware Doctor to ensure you have the latest update. Then perform a full scan and fix checked. However, if you are using the free version, the updates are two versions behind. Please be patient as we have regular updates.

Should you still have further problems with Spyware Doctor, you can also contact us directly at: http://www.pctools.com/contact/suppo...pyware-doctor/

Thank you.

Regards,
PC Tools