BOClean, spysweeper detects adware

Discussion in 'other anti-trojan software' started by Tony, Dec 30, 2003.

Thread Status:
Not open for further replies.
  1. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    721
    Location:
    Cumbria, England
    Hi, I've just done a scan with Webroot's spysweeper, and it has come up with a result

    Adware detected

    Adware- Type-Keenvalue

    c:\documents and settings\all users\start menu\programs\boclean\updater.lnk




    Description:

    Name: KeenValue
    Author: EUniverse, Inc.
    Category: Adware
    Threat Assessment: Low

    Description:

    KeenValue is an adware program that collects personal information and delivers advertisements to your computer.

    Characteristics:

    KeenValue displays targeted advertisements on your computer in the form of pop-up windows, pop-up slider windows, embedded advertisements, and Web links in the form of desktop icons and installation files. The adware program also collects personal information including your name, country, zip code, IP address, system settings, what software is on your computer, terms entered into search engines and Web surfing activities. In addition, KeenValue has an auto update feature that allows the program to silently update itself and install other third party software applications.

    Method of Infection:

    KeenValue is bundled with a cursor-download program from MyFreeCursors.com and the PowerSearch Toolbar by InfoBeat.

    Additional Comments:

    None.






    Now I presume that this must be a false result.

    I have also done a scan with adaware and that came up clean.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Tony,

    Welcome at Wilders. :)

    If you could send a copy of that file to the address in my profile I'd be happy to contact both developers for you.

    Regards,

    Pieter
     
  3. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    BOclean was contacted and Nancy read this post when first made if that helps duplication..I know no one at the other vendor spysweeper.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi John,

    I'm sure Nancy can confirm if it is the original file and we would be sure it's a f/p, but that would not solve the problem. More people might be in for a scare or even take a wrong turn and decide to delete the file.

    Regards,

    Pieter
     
  5. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Greetings, all ... just got in, long night last night ...

    A *.LNK file, eh? LNK files are "shortcut" files containing an icon and a pointer to where the actual file is located so that when clicked on, it runs the file. So the first step is amusing in that LNK files are not executables, but rather pointers to a file.

    So what I'd suggest is submitting a copy to webroot for evaluation (it'll help them fix their problem) and if you could, send ME a copy of that as well. Since the LNK file will point to a file called BOC4UPD.EXE (BOClean's autoupdater module) in your BOClean folder, might as well send this file along as well. Dunno if Spysweeper resolved the link, but this is the file that link would resolve to.

    Pretty sure it's a false positive though since BOClean would be a bit miffed at having one of its files tampered with. :)
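
    Added example, not part of Kevin McAleavey's post or of either product's code: a minimal reader for the shell link (.lnk) format he describes, which pulls out the local path a shortcut points to so a flagged .lnk can be triaged by its target. The function names, the cp1252 code page and the sample folder are assumptions; only the file name BOC4UPD.EXE comes from the thread.

```python
import struct

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02   # LinkFlags bits
VOLUME_AND_LOCAL_PATH = 0x01              # LinkInfoFlags bit

def _cstr(buf, off):
    """Read a NUL-terminated string at off (code page cp1252 is an assumption)."""
    if not 0 < off < len(buf):
        raise ValueError("string offset outside LinkInfo")
    return buf[off:buf.index(b"\x00", off)].decode("cp1252", "replace")

def lnk_local_target(data):
    """Return the local path a .lnk points to, or None if it stores none."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 20)
    pos = 76                               # end of the fixed-size header
    if flags & HAS_ID_LIST:                # skip the variable-length item ID list
        if len(data) < pos + 2:
            raise ValueError("truncated ID list")
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    if len(data) < pos + 28:
        raise ValueError("truncated LinkInfo")
    size, _, li_flags, _, base_off, _, suffix_off = struct.unpack_from("<7I", data, pos)
    info = data[pos:pos + size]
    if len(info) < size:
        raise ValueError("truncated LinkInfo")
    if not li_flags & VOLUME_AND_LOCAL_PATH:
        return None
    return _cstr(info, base_off) + _cstr(info, suffix_off)

def build_sample_lnk(path):
    """Constructed minimal link for the demo: header, empty ID list, LinkInfo."""
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID, HAS_ID_LIST | HAS_LINK_INFO) + bytes(52)
    id_list = struct.pack("<HH", 2, 0)                   # size 2, terminal ID only
    volume = struct.pack("<4I", 17, 3, 0, 16) + b"\x00"  # fixed drive, empty label
    base = path.encode("cp1252") + b"\x00"
    base_off = 28 + len(volume)
    body = volume + base + b"\x00"                       # last NUL: empty path suffix
    info = struct.pack("<7I", 28 + len(body), 28, VOLUME_AND_LOCAL_PATH,
                       28, base_off, 0, base_off + len(base))
    return header + id_list + info + body

if __name__ == "__main__":
    # Constructed path; only the file name BOC4UPD.EXE comes from the thread.
    print(lnk_local_target(build_sample_lnk(r"C:\EXAMPLE\BOClean\BOC4UPD.EXE")))
```

    A link that stores no local path (for example one that points to a network share) returns None here, and the target file itself still has to be checked separately.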
     
  6. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    721
    Location:
    Cumbria, England
    Thanks for all of the replies :)

    When I try and attach the file to send via email, Outlook tells me that I cannot send a folder??

    If I go straight to the file then it connects to the update.

    Mind you, I've had a few as I finally start my holidays today, so I'm most likely making a complete plonker of myself :oops:

    Kevin, is it possible for you or anyone else (who's a bit more computer literate than me) to download the trial version and see if the results are the same as mine?

    Thanks, if not, then I'll try again tomorrow when I've a little clearer head.
     
  7. controler

    controler Guest

    I just ran a trial copy of Spysweeper and did not get the same results.
    The only thing it found was some cookies. It does not find all cookies.
    Nice looking program though ;)

    con
     
  8. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Con you are one handy leghorn to have around the chicken coop to clear the Fog. :D

    Don't stand there gawkin' son, speak up. :cool:


    @ Tony


    By chance when you ran this spysweeper (and we know you have BOClean)..do you also have any other real time guards of other types of security programs running also at the same time?


    How about a list of what you do have that might fit that category..I have an idea..but it could just be a brain fart.

    :p
     
  9. controler

    controler Guest

    Hey Primrose

    Well OK, for my current config I am running XP Pro with all the updates,
    KAV Beta, A2 personal Beta and Bo Clean behind an actiontec gateway
    with internal firewall set to medium, and Look & Stop firewall.
    To run this test I installed the trial of Spysweeper but I had all other real time disabled.

    con
     
  10. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    721
    Location:
    Cumbria, England

    When I first scanned I had
    BOClean
    AMON (NOD32)
    Outpost firewall
    And Spysweeper of course running.

    Later there was an update for Spysweeper, so after downloading the updates I closed all running programs and did a second sweep.
    Spysweeper produced the same results.
     
  11. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    721
    Location:
    Cumbria, England
    I have now sent the attachment to Kevin and await his results.

    Last night however, just before shutting down the computer, I quarantined the suspected file to see if BOClean and the updater worked as normal.
    This morning a few minutes after booting up, BOClean auto update notified me that an update was available and updated as normal.

    I have now restored the file until Kevin advises what to do with it.
     
  12. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Hi Tony,

    Humor me and turn off your AMON (NOD32) and then do exactly the same you did in the first post of this thread and see if that spysweeper still detects the same.

    Then of course I have no idea how you have BOClean set up when you are scanning with the spysweeper.

    Is BOClean also then.. at the same time.. checking on action of the spysweeper ?
     
  13. Oric48k

    Oric48k Guest

    I have the full paid for version of Spy Sweeper. It picks up my BOClean Updater.lnk file as Keen value ad-aware. I think the evaluation copy has fewer than 10,000 signatures, whereas the full version with 'all' the updates has over 17,000 signatures. This may be why the evaluation copy didn't pick it up. The signature that flags up the alert is in the extra signatures (calculated guess ;) ). I am 99.99% sure of it being a FP.

    Oric
     
  14. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    721
    Location:
    Cumbria, England
    I've received Kevin's reply via email

    Thanks Kevin :)
    And thanks for everyone's replies :cool:

    Happy new year.
     
  15. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Spy Sweeper has just been updated. Has the FP been resolved now?

    muf
     
  16. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    721
    Location:
    Cumbria, England
    With the latest update spysweeper reports system all clean :)
     