F-Secure identifies BargainBuddy malware

Discussion in 'other anti-virus software' started by alexei, Sep 13, 2006.

Thread Status:
Not open for further replies.
  1. alexei

    alexei Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    13
    Hi,

    My F-Secure AV software identified Bargain Buddy and Adware.AdMedia last night, so I quarantined and subsequently deleted them (from within F-Secure).

    However, when I searched here, I found that these 2 items are listed as 'false positives' in the latest definitions for Adaware. I believe F-Secure uses the Adaware engine for the Spyware check.

    I've since done a check with Trend Micro online scan and all seems fine, but I'm wondering what damage I might have done, by deleting these files - assuming that they were indeed false positives.

    Can anyone advise?
    Thanks,

    Alex.
     
  2. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Can't you restore them via the F-Secure GUI?
     
  3. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    AdAware identified those also, and when I ran a scan with F-Secure it did the same. F-Secure uses AdAware as its anti-spyware module, I feel pretty sure.

    Having been warned I did not delete them. AdAware updated again today, and maybe they fixed those FPs.

    Best,
    Jerry
     
  4. alexei

    alexei Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    13
    Nope. I've checked and I definitely deleted them from quarantine.

    So does anybody know if I may have damaged my system and if so, how?

    I'm a relatively new user to F-Secure (< 1 month) and have never encountered any malware or viruses with it, let alone false positives.
     
  5. alexei

    alexei Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    13
    I set a System Restore checkpoint the day before this happened. If I restore to that point, will the deleted files be restored?

    I could then update all my AV definitions and run a fresh scan.

    If they're false positives, I suppose they would be identified correctly now.
     
  6. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
  7. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    The system restore will only restore a certain set of files such as .exe .dll etc.
    see list..
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sr/sr/monitored_file_extensions.asp

    It doesn't back everything up, so the files you deleted may still be gone. However, if they are critical files then System Restore should restore them.
    ellison
     
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hello alexei,

    If you take a look at your F-Secure scan results, or if you can recall whether the registry locations below were reported as Bargain Buddy and Adware.AdMedia....then you will have no worries, because you have deleted those registry items. That registry location relates to statistics of add-ons such as BHOs, browser extensions or ActiveX controls, and can be deleted if one so chooses without any adverse effect.

    Adaware False Positives:
     
  9. alexei

    alexei Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    13
    Hi,

    I saved the report at the time, before deleting the files.

    There's a lot of information and I don't have enough knowledge about the registry to know if it's okay to have deleted these entries.

    Thanks.


    BargainBuddy (Malware)

    * REGKEY:HKCR\clsid\{48e59293-9880-11cf-9754-00aa00c00908}
    REGKEY:HKCR\interface\{48e59291-9880-11cf-9754-00aa00c00908}
    REGKEY:HKCR\typelib\{48e59290-9880-11cf-9754-00aa00c00908}
    REGKEY:HKCR\inetctls.inet
    REGKEY:HKCR\inetctls.inet.1
    * REGKEY:HKCR\clsid\{48e59293-9880-11cf-9754-00aa00c00908}
    REGKEY:HKCR\inetctls.inet
    REGKEY:HKCR\inetctls.inet.1
    REGKEY:HKCR\interface\{48e59291-9880-11cf-9754-00aa00c00908}
    REGKEY:HKCR\typelib\{48e59290-9880-11cf-9754-00aa00c00908}
    Action: quarantined

    Adware.AdMedia (Data miner)

    * REGKEY:HKU\S-1-5-21-1202660629-1425521274-682003330-1003\software\microsoft\windows\currentversion\ext\stats\{d27cdb6e-ae6d-11cf-96b8-444553540000}
    REGKEY:HKU\.DEFAULT\software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net
    REGKEY:HKU\S-1-5-19\software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net
    REGKEY:HKU\S-1-5-20\software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net
    REGKEY:HKU\S-1-5-21-1202660629-1425521274-682003330-1003\software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net
    REGKEY:HKU\S-1-5-18\software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net
    REGKEY:HKU\.DEFAULT\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mmohsix.com
    REGKEY:HKU\S-1-5-19\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mmohsix.com
    REGKEY:HKU\S-1-5-20\software\microsoft\windows\currentv
    * REGKEY:HKU\.DEFAULT\software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net
    REGKEY:HKU\S-1-5-19\software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net
    REGKEY:HKU\S-1-5-20\software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net
    REGKEY:HKU\S-1-5-21-1202660629-1425521274-682003330-1003\software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net
    REGKEY:HKU\S-1-5-18\software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net
    REGKEY:HKU\.DEFAULT\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mmohsix.com
    REGKEY:HKU\S-1-5-19\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mmohsix.com
    REGKEY:HKU\S-1-5-20\software\microsoft\windows\currentversion\internet settings\zonemap\domains\mmohsix.com
    REGKEY:HKU\S-1-5-21-1202660629-1425521274-682003330-1003\software\microsoft\windows\currentvers Action: quarantined
     
  10. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    As noted above....those registry entries you are showing were false positives and you did not do any real harm by deleting them if they no longer are available via quarantine.

    The other internet settings\zonemap\domains entries you are showing were also false positives in AdAware's Sept. 12 update, and I would assume F-Secure's too, if it indeed uses the Adaware engine. They were found to be Restricted Site entries placed there possibly by programs such as Spybot's Immunization, SpywareBlaster....etc. Those can be added back by using whatever program you use that places Restricted Site entries into Internet Explorer, if that's the case.

    Related thread on another Forum---> Ad-Aware Sept. 12 Update - FP??
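The two kinds of entry in alexei's report (post 9) and Bubba's explanation of them above can be checked and, for the zone entries, put back from the registry directly. The following PowerShell script is an added example, not code from the thread, F-Secure or AdAware: it takes the key paths and the two domain names from the report as given, assumes (my assumption, not stated in the thread) that a ZoneMap "*" DWORD of 4 is Internet Explorer's "Restricted sites" zone, reports whether the COM registration keys flagged as "BargainBuddy" are still present and which module the CLSID resolves to, and re-creates the Restricted Sites entries for media-motor.net and mmohsix.com under HKCU and every loaded hive in HKU. The `-DryRun` switch and the function names are mine. Run it elevated on the affected machine.

```powershell
# Added example (not from the thread): audit the registry keys in alexei's
# F-Secure report and re-create the quarantined Restricted Sites entries.
# Assumptions: key paths and domains are copied from the report above;
# ZoneMap value "*" = 4 is assumed to mean the IE "Restricted sites" zone.
[CmdletBinding()]
param([switch]$DryRun)

# PowerShell only mounts HKCU: and HKLM: by default; the report uses HKCR and HKU.
foreach ($d in @(@{N='HKCR'; R='HKEY_CLASSES_ROOT'}, @{N='HKU'; R='HKEY_USERS'})) {
    if (-not (Get-PSDrive -Name $d.N -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name $d.N -PSProvider Registry -Root $d.R -Scope Script | Out-Null
    }
}

# COM registration keys the report labelled "BargainBuddy": a CLSID, an
# interface, a type library and two ProgIDs. If the CLSID is still registered,
# InprocServer32 shows which module implements it; if it is gone, whatever
# used that control will fail to create it until the module is re-registered.
$comKeys = @(
    'HKCR:\CLSID\{48e59293-9880-11cf-9754-00aa00c00908}',
    'HKCR:\Interface\{48e59291-9880-11cf-9754-00aa00c00908}',
    'HKCR:\TypeLib\{48e59290-9880-11cf-9754-00aa00c00908}',
    'HKCR:\inetctls.inet',
    'HKCR:\inetctls.inet.1'
)

function Get-ComKeyStatus {
    param([string[]]$Keys)
    foreach ($k in $Keys) {
        $present = Test-Path -LiteralPath $k
        $server = $null
        if ($present -and $k -like '*\CLSID\*') {
            $srv = Join-Path $k 'InprocServer32'
            if (Test-Path -LiteralPath $srv) {
                # Default value of InprocServer32 is the DLL/OCX path.
                $server = (Get-Item -LiteralPath $srv).GetValue('')
            }
        }
        [pscustomobject]@{ Key = $k; Present = $present; Server = $server }
    }
}

# Domains the report listed under ...\Internet Settings\ZoneMap\Domains.
# Immunisation tools write these as Restricted Sites entries: a key named
# after the domain holding a "*" DWORD (all URL schemes) set to zone 4.
$restrictedDomains = @('media-motor.net', 'mmohsix.com')
$zoneMapSuffix = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneMapRoots {
    # HKCU for the logged-on user plus every loaded hive under HKU; the report
    # shows .DEFAULT and the S-1-5-18/19/20 service accounts as well.
    $roots = @('HKCU:')
    Get-ChildItem -Path 'HKU:\' | Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { $roots += "HKU:\$($_.PSChildName)" }
    $roots
}

function Restore-RestrictedSite {
    param([string]$Root, [string]$Domain, [switch]$DryRun)
    $key = Join-Path $Root (Join-Path $zoneMapSuffix $Domain)
    # RegistryKey.GetValue is literal, so the "*" value name is safe here.
    $existing = if (Test-Path -LiteralPath $key) { (Get-Item -LiteralPath $key).GetValue('*') } else { $null }
    if ($existing -eq 4) { return "$key already Restricted" }
    if ($DryRun)          { return "$key would be set to zone 4" }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -LiteralPath $key -Name '*' -PropertyType DWord -Value 4 -Force | Out-Null
    "$key set to zone 4"
}

Get-ComKeyStatus -Keys $comKeys | Format-Table -AutoSize
foreach ($root in Get-ZoneMapRoots) {
    foreach ($dom in $restrictedDomains) {
        Restore-RestrictedSite -Root $root -Domain $dom -DryRun:$DryRun
    }
}
```

This only restores the two domains visible in the report; re-running SpywareBlaster or Spybot's Immunize, as Bubba suggests, re-applies their full lists. The per-user `Ext\Stats\{CLSID}` key from the report is deliberately not re-created, since it is add-on statistics that Internet Explorer rebuilds on its own. If `Get-ComKeyStatus` shows the CLSID key missing, the fix is to re-register the control's module with `regsvr32` rather than to hand-edit the keys.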
     
  11. alexei

    alexei Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    13
    That's re-assuring to know.

    I use Spyware Blaster, Spybot and SpywareGuard, so I've updated definitions for all of them.

    Thanks for your help!
     
  12. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Glad you got it sorted out and you are very Welcome.
     