False Positive???

Discussion in 'Trojan Defence Suite' started by Gigabyte, Apr 30, 2004.

Thread Status:
Not open for further replies.
  1. Gigabyte

    Gigabyte Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    163
    Location:
    NC,USA
    I ran a couple of other trojan scanners and two of them found an xxx dialer and coolwebsearch. I ran cool web shredder and it found nothing. I downloaded TDS-3 eval version and it didn't find anything either. It makes me cringe to think someone could be spying on me. :mad: Thanks
     
  2. Snook

    Snook Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    182
    I hope these scanners were reputable.

    I wouldn't rule out that some of them might be cleaver marketing ploys identifying something that isn't there (I ran into a scenario like this once).
     
  3. Gigabyte

    Gigabyte Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    163
    Location:
    NC,USA
    One was Pest Patrol and the other was Xoftspy v3.1 I run spywareguard/blaster,spybot,ad-aware.They all were clean.
     
  4. Snook

    Snook Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    182
    I run PestPatrol and although very sensitive to false positives it has never let me down.
     
  5. Gigabyte

    Gigabyte Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    163
    Location:
    NC,USA
    That was one that found the coolwebsearch and xxx dialer. So you think that they are legit?
     
  6. Snook

    Snook Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    182
    Yes, they are legit.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello Gigabyte and Snook, welcome!
    After installing TDS, did you also get the latest update from the site and started TDS after that?
    It does detect lots of dialers and cws variants, so you might have another variant. In the scanning did you check all the scanoptions and on highest sensitivity?
    Best zip and send the files to submit@diamondcs.com.au to be really sure.
    In the meantime please take the steps from this thread:
    https://www.wilderssecurity.com/showthread.php?t=15913
    First take step 2 with the HijackThis tool and post your log for the experts to review for possible illigal autostarts and more, since you are dealing with the CWS and we must make sure which version and what it did. The experts will advice which next steps to take in fixing and deleting, using CWShredder (which didn't find nothing yet you said, other version of cws maybe?), before you use the SpybotS&D and Ad-Aware again.


    For the Xoftspy program see among others this discussion thread
    http://www.dslreports.com/forum/remark,9877664~mode=flat?r=1
     
    Last edited: May 1, 2004
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    A dialer will only usually be detected by TDS if its a trojan dialer, which dials without your permission. Coolwebsearch is adware and you should always deal with adware with specific programs like AdAware and SpybotSD. Theres a dedicated forum here at Wilders for browser hijack cleaning help:

    https://www.wilderssecurity.com/forumdisplay.php?f=26

    After this, if you like just email me an ASViewer log to rule out the possibility of 99% of trojans out there :) Let me know if you would like me to look at your log
     
  9. Gigabyte

    Gigabyte Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    163
    Location:
    NC,USA
    Here you go

    Logfile of HijackThis v1.97.7
    Scan saved at 10:37:31 AM, on 5/1/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\COMPAQ\CPQINET\CPQINET.EXE
    C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\KODAK\HYDRA_DR\DCFSSVC.EXE
    C:\PROGRAM FILES\BELLSOUTH INTERNET TOOLS\BLSLOADER.EXE
    C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SISERVICE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\VCOM\SYSTEMSUITE\MXTASK.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
    C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SIMAILPROXYSERVER.EXE
    C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SISPAMFILTERENGINE.EXE
    C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SISPAMFILTERENGINE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\HIJACKTHIS1977[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
    O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\PROGRAM FILES\BELLSOUTH INTERNET TOOLS\BLSPC.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [Dcfssvc] C:\PROGRA~1\COMMON~1\KODAK\HYDRA_DR\DCFSSVC.EXE --pdr: ""C:\Program Files\Common Files\KODAK\HYDRA_DR\dcmnter.pdr""
    O4 - HKLM\..\Run: [blspcloader] "C:\PROGRAM FILES\BELLSOUTH INTERNET TOOLS\BLSLOADER.EXE"
    O4 - HKLM\..\Run: [SISERVICE.exe] "C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SISERVICE.exe"
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MEMCHECK.EXE
    O4 - HKCU\..\Run: [OPF] C:\PROGRAM FILES\OMNIQUAD\OMNIQUAD PERSONAL FIREWALL\OPF.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Stop popups from this web page - C:\PROGRAM FILES\GIANT COMPANY SOFTWARE INC\POPUP INSPECTOR\denysite.htm
    O8 - Extra context menu item: Block this advertisement - file://C:\PROGRAM FILES\GHOSTSURF\menu.blockimg.html
    O8 - Extra context menu item: Allow this advertisement - file://C:\PROGRAM FILES\GHOSTSURF\menu.allowimg.html
    O8 - Extra context menu item: Block popups on this site - file://C:\PROGRAM FILES\GHOSTSURF\popup.block.html
    O8 - Extra context menu item: Allow popups on this site - file://C:\PROGRAM FILES\GHOSTSURF\popup.allow.html
    O8 - Extra context menu item: Block personal info from this site - file://C:\PROGRAM FILES\GHOSTSURF\info.block.html
    O8 - Extra context menu item: Allow personal info to reach this site - file://C:\PROGRAM FILES\GHOSTSURF\info.allow.html
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: GhostSurf Privacy Center (HKLM)
    O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center (HKLM)
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.fastaccesstools.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38020.8641550926
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O16 - DPF: {8DAE7A62-4632-4691-805C-0338A5F26F9D} (Spam Arrest Email Configurator Download) - http://spamarrest.com/xcarab/10014/saclient.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp.com/bus-nacons/caller/SysQuery.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

    Seems that i have alot of stuff that was uninstalled,but still there?
     
  10. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Gigabyte,

    Your log is clean. You mentioned that some items you had removed via your Add or Remove Programs Control Panel were showing up in your log. If you post what these programs are, I will help you fix that.

    Regards,
    Kent
     
  11. Gigabyte

    Gigabyte Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    163
    Location:
    NC,USA
    Omniquad is one and ghostsurf is the other.
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi GigabyteCheck the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:


    O4 - HKCU\..\Run: [OPF] C:\PROGRAM FILES\OMNIQUAD\OMNIQUAD PERSONAL FIREWALL\OPF.EXE

    O8 - Extra context menu item: Block this advertisement - file://C:\PROGRAM FILES\GHOSTSURF\menu.blockimg.html
    O8 - Extra context menu item: Allow this advertisement - file://C:\PROGRAM FILES\GHOSTSURF\menu.allowimg.html
    O8 - Extra context menu item: Block popups on this site - file://C:\PROGRAM FILES\GHOSTSURF\popup.block.html
    O8 - Extra context menu item: Allow popups on this site - file://C:\PROGRAM FILES\GHOSTSURF\popup.allow.html
    O8 - Extra context menu item: Block personal info from this site - file://C:\PROGRAM FILES\GHOSTSURF\info.block.html
    O8 - Extra context menu item: Allow personal info to reach this site - file://C:\PROGRAM FILES\GHOSTSURF\info.allow.html

    O9 - Extra button: GhostSurf Privacy Center (HKLM)
    O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center (HKLM)

    Then reboot.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.