False Positive???

I ran a couple of other trojan scanners and two of them found an xxx dialer and coolwebsearch. I ran cool web shredder and it found nothing. I downloaded TDS-3 eval version and it didn't find anything either. It makes me cringe to think someone could be spying on me. Thanks

 

I hope these scanners were reputable.

I wouldn't rule out that some of them might be cleaver marketing ploys identifying something that isn't there (I ran into a scenario like this once).

 

One was Pest Patrol and the other was Xoftspy v3.1 I run spywareguard/blaster,spybot,ad-aware.They all were clean.

 

I run PestPatrol and although very sensitive to false positives it has never let me down.

 

That was one that found the coolwebsearch and xxx dialer. So you think that they are legit?

 

Yes, they are legit.

 

Hello Gigabyte and Snook, welcome!
After installing TDS, did you also get the latest update from the site and started TDS after that?
It does detect lots of dialers and cws variants, so you might have another variant. In the scanning did you check all the scanoptions and on highest sensitivity?
Best zip and send the files to submit@diamondcs.com.au to be really sure.
In the meantime please take the steps from this thread:
https://www.wilderssecurity.com/showthread.php?t=15913
First take step 2 with the HijackThis tool and post your log for the experts to review for possible illigal autostarts and more, since you are dealing with the CWS and we must make sure which version and what it did. The experts will advice which next steps to take in fixing and deleting, using CWShredder (which didn't find nothing yet you said, other version of cws maybe?), before you use the SpybotS&D and Ad-Aware again.


For the Xoftspy program see among others this discussion thread
http://www.dslreports.com/forum/remark,9877664~mode=flat?r=1

 

A dialer will only usually be detected by TDS if its a trojan dialer, which dials without your permission. Coolwebsearch is adware and you should always deal with adware with specific programs like AdAware and SpybotSD. Theres a dedicated forum here at Wilders for browser hijack cleaning help:

https://www.wilderssecurity.com/forumdisplay.php?f=26

After this, if you like just email me an ASViewer log to rule out the possibility of 99% of trojans out there Let me know if you would like me to look at your log

 

Here you go

Logfile of HijackThis v1.97.7
Scan saved at 10:37:31 AM, on 5/1/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\KODAK\HYDRA_DR\DCFSSVC.EXE
C:\PROGRAM FILES\BELLSOUTH INTERNET TOOLS\BLSLOADER.EXE
C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SISERVICE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\VCOM\SYSTEMSUITE\MXTASK.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SIMAILPROXYSERVER.EXE
C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SISPAMFILTERENGINE.EXE
C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SISPAMFILTERENGINE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS1977[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\PROGRAM FILES\BELLSOUTH INTERNET TOOLS\BLSPC.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Dcfssvc] C:\PROGRA~1\COMMON~1\KODAK\HYDRA_DR\DCFSSVC.EXE --pdr: ""C:\Program Files\Common Files\KODAK\HYDRA_DR\dcmnter.pdr""
O4 - HKLM\..\Run: [blspcloader] "C:\PROGRAM FILES\BELLSOUTH INTERNET TOOLS\BLSLOADER.EXE"
O4 - HKLM\..\Run: [SISERVICE.exe] "C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SISERVICE.exe"
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MEMCHECK.EXE
O4 - HKCU\..\Run: [OPF] C:\PROGRAM FILES\OMNIQUAD\OMNIQUAD PERSONAL FIREWALL\OPF.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Stop popups from this web page - C:\PROGRAM FILES\GIANT COMPANY SOFTWARE INC\POPUP INSPECTOR\denysite.htm
O8 - Extra context menu item: Block this advertisement - file://C:\PROGRAM FILES\GHOSTSURF\menu.blockimg.html
O8 - Extra context menu item: Allow this advertisement - file://C:\PROGRAM FILES\GHOSTSURF\menu.allowimg.html
O8 - Extra context menu item: Block popups on this site - file://C:\PROGRAM FILES\GHOSTSURF\popup.block.html
O8 - Extra context menu item: Allow popups on this site - file://C:\PROGRAM FILES\GHOSTSURF\popup.allow.html
O8 - Extra context menu item: Block personal info from this site - file://C:\PROGRAM FILES\GHOSTSURF\info.block.html
O8 - Extra context menu item: Allow personal info to reach this site - file://C:\PROGRAM FILES\GHOSTSURF\info.allow.html
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: GhostSurf Privacy Center (HKLM)
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.fastaccesstools.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38020.8641550926
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {8DAE7A62-4632-4691-805C-0338A5F26F9D} (Spam Arrest Email Configurator Download) - http://spamarrest.com/xcarab/10014/saclient.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp.com/bus-nacons/caller/SysQuery.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

Seems that i have alot of stuff that was uninstalled,but still there?

 

Hi Gigabyte,

Your log is clean. You mentioned that some items you had removed via your Add or Remove Programs Control Panel were showing up in your log. If you post what these programs are, I will help you fix that.

Regards,
Kent

 

Omniquad is one and ghostsurf is the other.

 

Hi GigabyteCheck the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:


O4 - HKCU\..\Run: [OPF] C:\PROGRAM FILES\OMNIQUAD\OMNIQUAD PERSONAL FIREWALL\OPF.EXE

O8 - Extra context menu item: Block this advertisement - file://C:\PROGRAM FILES\GHOSTSURF\menu.blockimg.html
O8 - Extra context menu item: Allow this advertisement - file://C:\PROGRAM FILES\GHOSTSURF\menu.allowimg.html
O8 - Extra context menu item: Block popups on this site - file://C:\PROGRAM FILES\GHOSTSURF\popup.block.html
O8 - Extra context menu item: Allow popups on this site - file://C:\PROGRAM FILES\GHOSTSURF\popup.allow.html
O8 - Extra context menu item: Block personal info from this site - file://C:\PROGRAM FILES\GHOSTSURF\info.block.html
O8 - Extra context menu item: Allow personal info to reach this site - file://C:\PROGRAM FILES\GHOSTSURF\info.allow.html

O9 - Extra button: GhostSurf Privacy Center (HKLM)
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center (HKLM)

Then reboot.

Regards,

Pieter