BrowserVillage & Marketscore found by Spysweeper only?

Discussion in 'other anti-malware software' started by ronny, Sep 11, 2004.

Thread Status:
Not open for further replies.
  1. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    Yesterday I did a scan with S&D 1.3, Ad-aware, pestpatrol, a² & Bazooka and to my joy they didn't find anything.
    But when I scanned with spysweeper, it found the following:

    BrowserVillage Sidebar
    HKEY_HCLASSES_ROOT\interface\{57a0e747-3863-4d20-a811-950c84f1db9b}

    HKEY_HCLASSES_ROOT\interface\{57a0e747-3863-4d20-a811-950c84f1db9b}\proxystubclsid

    HKEY_HCLASSES_ROOT\interface\{57a0e747-3863-4d20-a811-950c84f1db9b}\proxystubclsid32

    HKEY_HCLASSES_ROOT\interface\{57a0e747-3863-4d20-a811-950c84f1db9b}\typelib

    HKEY_HCLASSES_ROOT\interface\{57a0e747-3863-4d20-a811-950c84f1db9b}\typelib

    HKEY_HCLASSES_ROOT\interface\{57a0e747-3863-4d20-a811-950c84f1db9b}\typelib IIversion

    Marketscore
    HKEY_LOCAL_MACHINE\sotware\microsoft\windows\currentversion\shareddlls || c:\windows\system32\sporder.dll

    c:\documents and settings\[.....name of user...]\application data\mozilla\registry.dat

    c:\documents and settings\[.....name of other user...]\application data\mozilla\registry.dat

    Does anyone have info about it? Is this a real pest undetected by all or could it be a false positive from Spysweeper?
     
    Last edited: Sep 12, 2004
  2. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Ronny...

    I don't know about the first lot, but the second one with sporder.dll rings a bell.

    Even though that can be related to spyware, it's also used by a lot of other programs, even MS, so do not be in a hurry to delete that.

    I think from the deep recesses of my mind, it's to do with WinSock services, something. :doubt:

    I found this, but this was just from a quick search, and not a detailed study. :)
    Just had a thought, searched my system, found 1 sporder, and it's the Winsock2 file from MS. :)

    Anyhow, someone else may help further.

    Cheers, TAS
     

  3. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    First: I forgot a "b" in the posted CLSIDs. I've edited it (see first post).

    Thank you Tassie Devils. Yep, that's the one: I have exactly the same "sporder.dll" from MS.
    But why does it also mention those 2 Mozilla entries o_O
    Let's hope someone here has the answer :doubt: .

    By the way, how do you make such nice pictures? Which software do you use for that?
     
    Last edited: Sep 12, 2004
  4. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Ronny.

    As for the Mozilla alerting, I have no idea I am afraid. I would think it could be False Positives.

    What you maybe could try, seeing as you know the path of those files, is to upload a file at Jotti's and see if it detects anything. That's a place where you can upload single files and have them scanned by several leading AVs, one of which is Kaspersky, which is very well up on trojans and general spyware/malware.

    JOTTI'S ONLINE MALWARE SCAN

    Simply click the 'Browse' button, navigate to the file via the path in your posting, and click 'Submit'.

    See if it detects anything.

    TAS.

    PS.... I use HyperSnapDX5 [not free] for all of my screen captures.

    There are plenty of free ones out there. Irfanview, SnagIt, etc...

    GOOGLE RESULTS ON SCREEN CAPTURE

    :D
     

  5. Gianni

    Gianni Registered Member

    Joined:
    Nov 16, 2003
    Posts:
    45
    Same experience here with BrowserVillage Sidebar, detected only by SS... I suspect it could be another false positive from Spysweeper, maybe related to SpywareBlaster's protection... o_O
     
  6. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hello Gianni...:)

    Thanks for the suggestion :) Don't know if he runs SWB!

    But alas, I entered each of the top CLSIDs into the 'Find' option of the Internet Explorer protection lists in SpywareBlaster and came back each time with no entry.

    There was an entry for MarketScore however, ;) but his is under Mozilla registry.dat, and that sporder.dll file alert is almost certain to be false if its attributes were the same as mine.

    Ronny: Apart from this detection, does there appear to be anything wrong with your PC, runs as usual, not sluggish, browses to wherever you want to go with no hiccups, nothing out of the ordinary apart from these alerts?

    TAS
     

  7. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Spy Sweeper found BrowserVillage & Marketscore here too, and I also have Spywareblaster, so you may be right Gianni.

    But, unlike you guys, I removed them :doubt: well, it's running fine so far. :D
     
    Last edited: Sep 12, 2004
  8. bch

    bch Guest

    Ronny.

    I feel an apology is in order. I made my first ever posting on the Wilders site a little earlier in the Test Forum concerning this false positive. I hadn't visited this particular part of the site before making the posting and so had not seen your posting. My posting has been moved to this particular forum from the Test Forum.
     
  9. webster

    webster Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    285
    Location:
    Denmark
    Spysweeper found the same here, and I don't use Spywareblaster o_O
     
  10. webster

    webster Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    285
    Location:
    Denmark
    What about the registry.dat in Firefox? Spysweeper removed it. I uninstalled and reinstalled Firefox today, and no registry.dat is present o_O
     
  11. bch

    bch Guest

    SpySweeper also found Marketscore on my machine. I went to Start/Search/All Files and Folders and typed in Marketscore. It found an Internet Explorer shortcut to Marketscore which had not been on my machine prior to updating the definitions from SpySweeper. I deleted this and SpySweeper stopped flagging it.

    Ironically, I have been running SpySweeper's IE Favourites Shield and know for a fact that I did not add Marketscore to my IE Favourites list. I am the only user of this machine. It was definitely not on my machine prior to updating the definitions from SpySweeper.
     
  12. Gianni

    Gianni Registered Member

    Joined:
    Nov 16, 2003
    Posts:
    45
    My curiosity: after removing them, did you check if there are now any unprotected items inside the SpywareBlaster Status window...?

    You should read: "0 items have protection disabled"...
     
  13. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Hi Gianni, I just checked Spywareblaster, and it shows "0 items have protection disabled". :)
     
  14. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    As for the first bunch, it's almost certainly an FP too, as I found that key in my Registry as well. Here's an export:

    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}]
    @="IFlashAccessibility"
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ProxyStubClsid]
    @="{00020424-0000-0000-C000-000000000046}"
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib]
    @="{57A0E746-3863-4D20-A811-950C84F1DB9B}"
    "Version"="1.0"
    It points to this HKCR\CLSID subkey:

    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}]
    @="PSOAInterface"
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer]
    @="ole2disp.dll"
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32]
    @="oleaut32.dll"
    "ThreadingModel"="Both"
    "InprocServer32"=hex(7):66,2d,2c,6e,53,6c,43,27,67,28,3d,2c,7d,3f,56,72,6b,21,\
    28,6c,4c,61,62,65,6c,43,72,65,61,74,6f,72,3e,4d,35,4b,44,59,53,55,6e,66,28,\
    48,41,2a,4c,5b,78,65,58,29,79,00,6c,2a,43,7d,5d,36,2c,29,67,28,42,6f,5b,65,\
    ,73,6e,31,72,66,47,65,6e,65,72,61,6c,46,69,6c,65,73,3e,4d,35,4b,44,59,53,\
    55,6e,66,28,48,41,2a,4c,5b,78,65,58,29,79,00,52,51,78,27,6e,75,75,27,67,28,\
    34,4f,2c,30,28,66,4c,70,66,59,50,61,69,6e,74,53,68,6f,70,50,72,6f,37,3e,4d,\
    35,4b,44,59,53,55,6e,66,28,48,41,2a,4c,5b,78,65,58,29,79,00,00
    Not spyware related...
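    The chain TonyKlein followed by hand (Interface key -> ProxyStubClsid32 -> CLSID -> InprocServer32) is the usual way to triage a scanner hit on an HKCR\Interface key: if the proxy stub is the OS's own OLE Automation marshaller, the Interface entry is only a type-library registration and the real question is what owns the TypeLib. The script below is an added example, not part of this thread or of any scanner; it reads a .reg export (the sample is a constructed trim of the two exports above) and resolves that chain for a given interface ID.

```python
# Constructed sample: the two .reg exports TonyKlein posted, trimmed to the values the triage needs.
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}]
@="IFlashAccessibility"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib]
@="{57A0E746-3863-4D20-A811-950C84F1DB9B}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}]
@="PSOAInterface"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32]
@="oleaut32.dll"
"""

CLASSES = r"hkey_local_machine\software\classes"
# {00020424-...} is Windows' own OLE Automation marshaller (PSOAInterface, served by oleaut32.dll).
OLE_AUTOMATION_STUB = "{00020424-0000-0000-c000-000000000046}"

def parse_reg(text):
    # Minimal .reg reader: {key path (lowercased): {value name: string data}}; only string values kept.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = data[1:-1]
    return keys

def triage_interface(keys, iid):
    # Follow Interface\{IID} -> ProxyStubClsid32 -> CLSID\{...}\InprocServer32 and say what it means.
    val = lambda key, name="(default)": keys.get(key, {}).get(name)
    base = f"{CLASSES}\\interface\\{iid.lower()}"
    stub = val(base + r"\proxystubclsid32")
    stub_key = f"{CLASSES}\\clsid\\{stub.lower()}" if stub else None
    info = {"interface": val(base), "typelib": val(base + r"\typelib"), "proxy_stub": stub,
            "stub_name": val(stub_key), "server": val(stub_key + r"\inprocserver32") if stub_key else None}
    if stub and stub.lower() == OLE_AUTOMATION_STUB:
        info["note"] = "OS OLE Automation marshaller; the Interface key is just a typelib registration, check the TypeLib owner"
    elif info["server"]:
        info["note"] = f"custom proxy/stub DLL {info['server']}; inspect that file"
    else:
        info["note"] = "proxy stub not found in export"
    return info
```

    On a live machine the same export can be produced with `reg export HKLM\SOFTWARE\Classes\Interface\{IID} out.reg` and fed to parse_reg; the TypeLib GUID the result returns is the next key to look at.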
     
  15. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    Thank you all very very much for your replies. It feels good to know that there are so many people who are so kind to help and share their experiences.
    (Thank you Paul again for this forum.)

    I have sent an email to Webroot and will let you know if & what they reply.

    @Tassie_Devils: No, my system seems to be working fine. That's why I was so surprised.
    Jotti's online scan could be quite useful.

    Oooo...do i hate false positives. :mad: :( They cause much psychological distress & loss of (precious) time.
     
    Last edited: Sep 13, 2004
  16. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Hi,

    I have also deleted BrowserVillage & Marketscore that spysweeper found. Is it going to cause me trouble with my system? As for now, I have no problem with my system. Is that false positive related to something important in my system o_O? If so, how can I repair it?

    Thank you for your help,
    Atomas31
     
  17. Gianni

    Gianni Registered Member

    Joined:
    Nov 16, 2003
    Posts:
    45
    I agree with you... check my previous experience with the Amecisco Keylogger False Positive (from Webroot's SpySweeper again...) here:
    https://www.wilderssecurity.com/showthread.php?t=45723

    :D
     
  18. Gianni

    Gianni Registered Member

    Joined:
    Nov 16, 2003
    Posts:
    45
    From SS Help file:
    Hope you didn't permanently delete those items from Quarantine yet... :eek:
     
    Last edited: Sep 13, 2004
  19. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Code:
    Restoring Spyware 
    When you run a sweep and remove spyware, Spy Sweeper does not permanently delete the spyware. It encrypts the spyware, copies it to the Quarantine folder, and removes it from its original location. This way, the spyware can no longer run, but you can restore it if necessary. 
    
    You may need to restore spyware if you find that a program on your computer is not working correctly after you run a sweep and remove spyware. Sometimes, the spyware is an integral part of a program and is required to run the program. If you find this to be the case, you can restore the spyware.  
    
    hope you didn't permanently delete those items from Quarantine yet...
    I didn't delete those items permanently from the Quarantine, since my version 3.2 doesn't put the spyware it found in Quarantine. In fact, it is permanently deleting it o_O? I checked the configuration and nothing's wrong there? This seems to be a bug in the new version 3.2 that I have o_O?

    So, to answer your question, yes, I permanently deleted that spyware because it never got into Quarantine!?!
     
  20. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    Happy to inform you that spysweeper has fixed these false positives with their latest definitions update today, 14 Sept 2004 :)


    (Strangely enough, these 2 are still there :
    c:\documents and settings\[.....name of user...]\application data\mozilla\registry.dat
    c:\documents and settings\[.....name of other user...]\application data\mozilla\registry.dat )
     
  21. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Ronny...

    Finally a lot is sorted, :) except for those Registry.dat entries. :(

    OK, I have Spy Sweeper myself, and I shall do a scan sometime today [after update] and I also have Firefox, and SpywareBlaster.

    Now, I "know" I am clean, as I have never had SS alert before on anything [last full scan with it around 2 weeks back] and I have plenty of other layers. + have not been anywhere except forums in that time and my homepage of my state's tidal information [love fishing... :D]

    TAS
     
  22. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    As promised, did update, full scan and only found 1 thing, which it always has found... a Com.com cookie [LOL, it's an FP as it's my log-in for DiamondCS Forums].

    Report:
    Code:
    01:19 PM:  |···  Start of Session, Tuesday, 14 September 2004  ···|
    01:19 PM:  Spy Sweeper 3.0.0  (Build 118) started
    01:20 PM:  Updating spyware definitions
    01:22 PM:  Your spyware definitions have been updated.
    01:23 PM:  |···  End of Session, Tuesday, 14 September 2004  ···|
    01:26 PM:  |···  Start of Session, Tuesday, 14 September 2004  ···|
    01:26 PM:  Spy Sweeper 3.0.0  (Build 118) started
    01:26 PM:  Sweep initiated using definitions version 395
    01:26 PM:  Sweeping memory for active spyware.
    01:26 PM:  Memory sweep has completed.  Elapsed time 00:00:02
    01:26 PM:  Registry sweep initiated.
    01:26 PM:  Registry sweep completed.  Elapsed time 00:00:05
    01:26 PM:  Full sweep on all local drives initiated.
    01:26 PM:    Now sweeping drive C:
    01:27 PM:      Found Cookie: Com.com Cookie, version 1, c:\documents and settings\<username>\cookies\*****@diamondcs.com[2].txt
    01:36 PM:    Found: 1 file traces.
    01:36 PM:  Full Sweep has completed.  Elapsed time 00:09:56
                 37,910 files swept
                 1 spyware traces located
    01:37 PM:  Removal process initiated
    01:37 PM:    Quarantining: Com.com Cookie
    01:37 PM:      Cookie: c:\documents and settings\<username>\cookies\*****@diamondcs.com[2].txt
    01:37 PM:    Cleaning Traces
    01:37 PM:      Shredding file: c:\documents and settings\<username>\cookies\****@diamondcs.com[2].txt
    01:37 PM:      Removing file: c:\documents and settings\<username>\cookies\****@diamondcs.com[2].txt
    01:37 PM:  Removal process completed.  Elapsed time 00:00:00
               1 items (1 traces) quarantined.
    01:38 PM:  Restore from quarantine initiated
    01:38 PM:    Processing: Com.com Cookie
    01:38 PM:  Restore from quarantine completed.  Elapsed time 00:00:00
    01:41 PM:  |···  End of Session, Tuesday, 14 September 2004  ···|
    So no alerts for registry.dat from Firefox. I would be inclined to put that in the Ignore section. I have 3 registry.dat entries, all in Mozilla/Firefox/Thunderbird [email client]

    Cheers, TAS
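    When a sweep like the one above is in doubt, the session log is the record of what was detected, what was quarantined and what was later restored; reading it rather than the summary dialog is how you confirm a false positive did no lasting damage. The parser below is an added example, not part of this thread or of Spy Sweeper; it runs over a constructed sample modelled on the log posted above (bold tags and the cookie file name removed) and reports which detections are still removed after any restore.

```python
import re

# Constructed sample modelled on the Spy Sweeper 3.0 session log posted above ([B] tags
# and the real cookie file name removed); the parser reads the same line shapes.
SAMPLE_LOG = r"""01:26 PM:  Sweep initiated using definitions version 395
01:27 PM:      Found Cookie: Com.com Cookie, version 1, c:\documents and settings\user\cookies\x@diamondcs.com[2].txt
01:36 PM:    Found: 1 file traces.
01:37 PM:  Removal process initiated
01:37 PM:    Quarantining: Com.com Cookie
01:37 PM:  Removal process completed.  Elapsed time 00:00:00
01:38 PM:  Restore from quarantine initiated
01:38 PM:    Processing: Com.com Cookie
01:38 PM:  Restore from quarantine completed.  Elapsed time 00:00:00
"""

LINE = re.compile(r"^(\d\d:\d\d [AP]M):\s+(.*)$")
FOUND = re.compile(r"^Found (\w+): (.+?), version (\d+), (.+)$")

def summarize_sweep(text):
    # Returns the definitions version, every detection, and which detections were quarantined
    # and later restored, so "what did the sweep actually remove?" has a checkable answer.
    defs, found, quarantined, restored, restoring = None, [], set(), set(), False
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # indented continuation lines carry no event
        msg = m.group(2).strip()
        f = FOUND.match(msg)
        if msg.startswith("Sweep initiated using definitions version "):
            defs = int(msg.rsplit(" ", 1)[1])
        elif f:
            found.append({"kind": f.group(1), "name": f.group(2), "path": f.group(4)})
        elif msg.startswith("Quarantining: "):
            quarantined.add(msg[len("Quarantining: "):])
        elif msg.startswith("Restore from quarantine initiated"):
            restoring = True
        elif msg.startswith("Restore from quarantine completed"):
            restoring = False
        elif restoring and msg.startswith("Processing: "):
            restored.add(msg[len("Processing: "):])
    return {"definitions": defs, "found": found, "quarantined": quarantined,
            "restored": restored, "still_removed": quarantined - restored}
```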
     
  23. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    Thanks TAS for the hard work ;)
     
  24. webster

    webster Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    285
    Location:
    Denmark
    I deleted the registry.dat with Spysweeper. I don't know how important it is. It didn't install with Firefox when I installed it again.
     
  25. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Ronny, no probs mate. That's what the forum is all about, getting help and helping in return, as a problem you have, someone else may and they then benefit also :D Some have deleted those by SS with no effects, and if it does screw up, simply reinstall FF.

    Webster: I was going to suggest that, as I know it can be recreated if needed by FF reinstall/themes/extensions/use, whatever creates them, but thought it should be ok as is, and seeing as you have now posted with no ill effects,..............:D

    I have 3 of those registry.dat files myself.

    Cheers, TAS
     