False-positive for 7FaSSt with AdSubtract

Hello,

Both AdAware and Spybot detected two modified registry keys on my XP, which they identified as belonging to the spyware bug 7FaSSt. The bad keys would reappear every time I logged back on to my file, no matter how many times I deleted them with AdAware or Spybot.

I didn't believe I had ever been infected with 7FaSSt and couldn't find any other trace of evidence for infection.

What I discovered was that my AdSubtract program was causing these false-positives. For those unfamiliar with it, AdSubtract is an excellent ad and popup blocker, which was recently redesigned.

The part of AdSubtract causing the false-positives was the checkbox for "Show AdSubtract toolbar in Internet Explorer," located on the Options tab of the AdSubtract control panel. If the box was checked, it would generate the false-positives. When it was left unchecked, both Spybot and AdAware would give my machine a clean bill of health.

I'm writing this in the hope that others will avoid the frustrating hours I spent trying to track down non-existent spyware.

I will notify AdSubtract of this glitch, as well.

Cheers,
Bob Miller

P.S. Below are the decriptions of the bug I was supposedly infected with, first from AdAware, then from Spybot...

AdAware's description of the bug:

Vendor: 7FaSSt
Category: Data Miner
Object Type: RegKey
Size:-
Location: Interface\{38493F7F-2922-4C6C-9A9A-8DA2C940D0EE}\
Last Activity: 12-25-2003
Risk Level: Low
Comment:
Description:Installed by ActiveX. Installs a user ID. Tracks browser use. Records the names of folders, images and other objects on the system.
---------------------------------------------------------------------------------
---------------------------------------------------------------------------------
Spybot's descrition of the bug:

Company: EMERgency Twenty Four, Inc.
Product: 7FaSSt Search
Threat: Browser Hijacker/BHO

Company URL: http://www.7search.com/
Company product URL: http://7search.com/fasstsearch.htm

Functionality
Search add-on for IE

Description
Storing the tracked data in a database is bad enough, but what is meant by the last sentence? Transfer of all data to make the search engine services available to /others/?.
After installation, the user is asked to enter user name and email address as if that would be necessary for use.

Privacy Statement
From the License Agreement:
"You are in full agreement that to gather the information necessary to provide our Information service requires our Software to gather URL and duration information of all web sites visits by the person using your computer while browsing the Internet. This information is then transferred to our database in order to provide you and other users with our 7FaSSt Search (tm) traffic reports. You are in full agreement to the transfer of any and all information necessary to provide the 7FaSSt Search(tm) services to others."

 

Hi Bob,

The 7FaSSt hijacker uses three different CLSID's, so I wonder where that came from?

Keep us posted,

Pieter

 

Thanks, Pieter!

The same false-positive for the "7FaSSt hijacker" occurs on my Windows 98 as on my XP, whenever the AdSubtract toolbar is activated.

I'm loath to lay any blame for this oddity at the doorstep of AdSubtract; I have found it to be a first rate ad-blocking program.

It's strange that both Adaware and Spybot misidentify the changed registry key as the 7FaSSt hijacker.

For your viewing pleasure, I've attached my HijackThis! log, which I'm too inexperienced to interpret, but which might contain a clue about the cause of the false-positives.

Cheers,
Bob

Logfile of HijackThis v1.97.7
Scan saved at 8:46:06 PM, on 12/28/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Documents and Settings\Uncle Mike\Desktop\A4Proxy\A4Proxy\A4Proxy.exe
C:\Program Files\interMute\AdSubtract\AdSub.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Uncle Mike\Desktop\Tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1036;ftp=127.0.0.1:80;https=127.0.0.1:80
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - Startup: A4Proxy.lnk = Uncle Mike\Desktop\A4Proxy\A4Proxy\A4Proxy.exe
O4 - Startup: AdSubtract.lnk = C:\Program Files\interMute\AdSubtract\AdSub.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Dodge Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://chsplg.charts.gc.ca/ActiveX/mgaxctrl.cab
O16 - DPF: {715A3997-ADE8-4399-AD92-353958D75076} (XUpdater Control) - http://www.bluefalcon.com/software/streamer/1.5.00.01/SS_POC.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37865.7069444444
O16 - DPF: {A0F909C1-1E2B-48A6-ABFE-1B2EB9A13992} (ZingBatchDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=1,1,3,10503
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_06) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab

---END---

 

Hi Bob,

The only thing even remotely resembling spyware in that log is BackWeb (Lite) that Kodak uses to auto-update their software.

Regards,

Pieter

 

Hi Pieter,

Thanks for checking! You are most kind. I just wanted to alert everyone about the false-positive involving the AdSubtract toolbar.

Thanks for your wonderful forum.

Jingle Bells,
Bob

 

Anytime, Bob.

Regards,

Pieter