False-positive for 7FaSSt with AdSubtract

Discussion in 'adware, spyware & hijack cleaning' started by Bob Miller, Dec 26, 2003.

Thread Status:
Not open for further replies.
  1. Bob Miller (Registered Member; joined Dec 26, 2003; 3 posts)
    Hello,

    Both AdAware and Spybot detected two modified registry keys on my XP, which they identified as belonging to the spyware bug 7FaSSt. The bad keys would reappear every time I logged back on to my file, no matter how many times I deleted them with AdAware or Spybot.

    I didn't believe I had ever been infected with 7FaSSt and couldn't find any other trace of evidence for infection.

    What I discovered was that my AdSubtract program was causing these false-positives. For those unfamiliar with it, AdSubtract is an excellent ad and popup blocker, which was recently redesigned.

    The part of AdSubtract causing the false-positives was the checkbox for "Show AdSubtract toolbar in Internet Explorer," located on the Options tab of the AdSubtract control panel. If the box was checked, it would generate the false-positives. When it was left unchecked, both Spybot and AdAware would give my machine a clean bill of health.

    I'm writing this in the hope that others will avoid the frustrating hours I spent trying to track down non-existent spyware.

    I will notify AdSubtract of this glitch, as well.

    Cheers,
    Bob Miller

    P.S. Below are the descriptions of the bug I was supposedly infected with, first from AdAware, then from Spybot...

    AdAware's description of the bug:

    Vendor: 7FaSSt
    Category: Data Miner
    Object Type: RegKey
    Size:-
    Location: Interface\{38493F7F-2922-4C6C-9A9A-8DA2C940D0EE}\
    Last Activity: 12-25-2003
    Risk Level: Low
    Comment:
    Description: Installed by ActiveX. Installs a user ID. Tracks browser use. Records the names of folders, images and other objects on the system.
    ---------------------------------------------------------------------------------
    Spybot's description of the bug:

    Company: EMERgency Twenty Four, Inc.
    Product: 7FaSSt Search
    Threat: Browser Hijacker/BHO

    Company URL: http://www.7search.com/
    Company product URL: http://7search.com/fasstsearch.htm

    Functionality
    Search add-on for IE

    Description
    Storing the tracked data in a database is bad enough, but what is meant by the last sentence? Transfer of all data to make the search engine services available to /others/?.
    After installation, the user is asked to enter user name and email address as if that would be necessary for use.

    Privacy Statement
    From the License Agreement:
    "You are in full agreement that to gather the information necessary to provide our Information service requires our Software to gather URL and duration information of all web sites visits by the person using your computer while browsing the Internet. This information is then transferred to our database in order to provide you and other users with our 7FaSSt Search (tm) traffic reports. You are in full agreement to the transfer of any and all information necessary to provide the 7FaSSt Search(tm) services to others."
     
  2. Pieter_Arntz (Spyware Veteran; joined Apr 27, 2002; 13,332 posts; Netherlands)
    Hi Bob,

    The 7FaSSt hijacker uses three different CLSIDs, so I wonder where that came from?

    Keep us posted,

    Pieter
     
  3. Bob Miller (Registered Member; joined Dec 26, 2003; 3 posts)
    Thanks, Pieter!

    The same false-positive for the "7FaSSt hijacker" occurs on my Windows 98 as on my XP, whenever the AdSubtract toolbar is activated.

    I'm loath to lay any blame for this oddity at the doorstep of AdSubtract; I have found it to be a first rate ad-blocking program.

    It's strange that both AdAware and Spybot misidentify the changed registry key as the 7FaSSt hijacker.

    For your viewing pleasure, I've attached my HijackThis! log, which I'm too inexperienced to interpret, but which might contain a clue about the cause of the false-positives.

    Cheers,
    Bob

    Logfile of HijackThis v1.97.7
    Scan saved at 8:46:06 PM, on 12/28/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Nhksrv.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Documents and Settings\Uncle Mike\Desktop\A4Proxy\A4Proxy\A4Proxy.exe
    C:\Program Files\interMute\AdSubtract\AdSub.exe
    C:\Program Files\Netropa\OSD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Uncle Mike\Desktop\Tools\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1036;ftp=127.0.0.1:80;https=127.0.0.1:80
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
    O4 - Startup: A4Proxy.lnk = Uncle Mike\Desktop\A4Proxy\A4Proxy\A4Proxy.exe
    O4 - Startup: AdSubtract.lnk = C:\Program Files\interMute\AdSubtract\AdSub.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
    O8 - Extra context menu item: AdSubtract: Dodge Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
    O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://chsplg.charts.gc.ca/ActiveX/mgaxctrl.cab
    O16 - DPF: {715A3997-ADE8-4399-AD92-353958D75076} (XUpdater Control) - http://www.bluefalcon.com/software/streamer/1.5.00.01/SS_POC.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37865.7069444444
    O16 - DPF: {A0F909C1-1E2B-48A6-ABFE-1B2EB9A13992} (ZingBatchDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=1,1,3,10503
    O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_06) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab

    ---END---
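A HijackThis log like the one above can be triaged mechanically before anyone reads it by eye. The following is an added example, not part of the thread and not HijackThis code: it parses the entry lines, pulls out the CLSID and the file, URL or setting each one points at, and applies a few checks a reviewer would otherwise make by hand (components running from outside the usual program directories, ActiveX downloads from unfamiliar hosts or as bare executables, remote-control tools in Run keys, a proxy pointed at localhost). SAMPLE_LOG is a subset of Bob's log; TRUSTED_DPF_HOSTS, PROGRAM_DIRS and REMOTE_ACCESS_NAMES are assumptions chosen for the demo. A flag means "look at this", not "malware": the local proxy in this log is accounted for by AdSubtract and A4Proxy, both visible in the running-process list.

```python
"""Parse and triage HijackThis log entries (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Subset of the log posted in the thread, used as sample input.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1036;ftp=127.0.0.1:80;https=127.0.0.1:80
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - Startup: A4Proxy.lnk = Uncle Mike\Desktop\A4Proxy\A4Proxy\A4Proxy.exe
O4 - Startup: AdSubtract.lnk = C:\Program Files\interMute\AdSubtract\AdSub.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {715A3997-ADE8-4399-AD92-353958D75076} (XUpdater Control) - http://www.bluefalcon.com/software/streamer/1.5.00.01/SS_POC.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumptions for the demo: where legitimate components are expected to live,
# which DPF download hosts are trusted, and which names denote remote control.
PROGRAM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
TRUSTED_DPF_HOSTS = {"fpdownload.macromedia.com", "office.microsoft.com",
                     "v4.windowsupdate.microsoft.com", "www.apple.com"}
REMOTE_ACCESS_NAMES = ("winvnc", "tightvnc", "realvnc")


@dataclass
class Entry:
    kind: str                     # R0/R1/O2/O3/O4/O16 ...
    body: str                     # everything after "Oxx - "
    clsid: Optional[str] = None
    target: Optional[str] = None  # file path, URL or setting value
    flags: List[str] = field(default_factory=list)


def _target(kind: str, body: str) -> Optional[str]:
    """Pull the path, URL or value out of the body, per entry type."""
    if kind in ("O2", "O3", "O16"):
        _, sep, tail = body.rpartition(" - ")      # "... - <path or url>"
        return (tail.strip() or None) if sep else None
    if kind == "O4":
        if "] " in body:                           # "[Name] <command line>"
            raw = body.split("] ", 1)[1].strip()
        elif " = " in body:                        # "Startup: x.lnk = <path>"
            raw = body.split(" = ", 1)[1].strip()
        else:
            return None
        return raw[1:].split('"', 1)[0] if raw.startswith('"') else raw
    if kind.startswith("R") and " = " in body:     # "<registry value> = <data>"
        return body.split(" = ", 1)[1].strip()
    return None


def parse(log: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = Entry(m["kind"], m["body"])
        c = CLSID_RE.search(e.body)
        e.clsid = c.group(0).upper() if c else None
        e.target = _target(e.kind, e.body)
        entries.append(e)
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review flags; return only the entries that received one."""
    for e in entries:
        t = e.target or ""
        low = t.lower()
        if e.kind in ("O2", "O3", "O4") and t:
            if not low.startswith(PROGRAM_DIRS):
                e.flags.append("runs-from-nonstandard-dir")
            if any(n in low for n in REMOTE_ACCESS_NAMES):
                e.flags.append("remote-access-tool")
        elif e.kind == "O16" and t:
            url = urlparse(t)
            if (url.hostname or "").lower() not in TRUSTED_DPF_HOSTS:
                e.flags.append("dpf-untrusted-host")
            if url.path.lower().endswith(".exe"):
                e.flags.append("dpf-bare-exe")
        elif e.kind.startswith("R") and "ProxyServer" in e.body and t:
            if "localhost" in low or "127.0.0.1" in low:
                e.flags.append("local-proxy-configured")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse(SAMPLE_LOG)):
        print(f"{e.kind:4} {', '.join(e.flags):40} {e.target}")
```

The "nonstandard directory" rule is what catches A4Proxy here (it runs from a Desktop folder); the same rule is what usually surfaces a real hijacker dropped into a temp or profile directory, which is why Pieter's "nothing in that log resembles spyware" is a judgement about the paths and vendors, not about the CLSIDs.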
     
  4. Pieter_Arntz (Spyware Veteran; joined Apr 27, 2002; 13,332 posts; Netherlands)
    Hi Bob,

    The only thing even remotely resembling spyware in that log is BackWeb (Lite) that Kodak uses to auto-update their software.

    Regards,

    Pieter
     
  5. Bob Miller (Registered Member; joined Dec 26, 2003; 3 posts)
    Hi Pieter,

    Thanks for checking! You are most kind. I just wanted to alert everyone about the false-positive involving the AdSubtract toolbar.

    Thanks for your wonderful forum.

    Jingle Bells,
    Bob
     
  6. Pieter_Arntz (Spyware Veteran; joined Apr 27, 2002; 13,332 posts; Netherlands)
    Anytime, Bob. :)

    Regards,

    Pieter
     