False positives from PestPatrol?

Discussion in 'other anti-malware software' started by ragna, Jul 25, 2004.

Thread Status:
Not open for further replies.
  1. ragna

    ragna Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    12
    Location:
    Belgium
    I did a scan of my system with PestPatrol, which found the following pests. But no other security programs (Adaware 6, SpybotS&D, SpySweeper, a², Bazooka - advised to me by my friend) on my computer found any of them. Neither did Kaspersky Antivirus. So I am worried they might be false positives.

    -Pest: Xupiter.Orbitexplorer
    Pest Info: Category: Homepage Hijacker Author: [Xupiter.com] Release Date:
    5/23/2004 0:00:00 Background Info: Click here
    File Info: In File: C:\WINDOWS\system32\msxml3.dll PVT: -2060094940 MD5:
    172ed2b7122c60e0e4e53466b2a6e73e Date: 11/09/2002 14:00:00 File Analysis:
    Look up with MD5 (recommended) or PVT.
    Certainty: Confirmed Threatens: Liability Risk: Moderate - this file can be
    executed! Advice: Delete or quarantine
    Action: Ignored
    ~~~
    Pest: Xupiter.Orbitexplorer
    Pest Info: Category: Homepage Hijacker Author: [Xupiter.com] Release Date:
    5/23/2004 0:00:00 Background Info: Click here
    File Info: In File: C:\WINDOWS\system32\dllcache\msxml3.dll PVT: -2060094940
    MD5: 172ed2b7122c60e0e4e53466b2a6e73e Date: 11/09/2002 14:00:00 File
    Analysis: Look up with MD5 (recommended) or PVT.
    Certainty: Confirmed Threatens: Liability Risk: Moderate - this file can be
    executed! Advice: Delete or quarantine
    Action: Ignored

    Pest: AdShooter.SearchForIt
    Pest Info: Category: Adware Background Info: Click here
    File Info: In Registry: HKEY_LOCAL_MACHINE\software\microsoft\internet
    explorer\activex compatibility\{c109664b-ceb1-420b-b353-d55a561536dd}
    |compatibility flags
    Certainty: Confirmed Threatens: Confidentiality, Liability Risk: Low. Advice: Delete
    or ignore
    Action: Ignored
    ~~~
    Pest: AdShooter.SearchForIt
    Pest Info: Category: Adware Background Info: Click here
    File Info: In Registry: HKEY_LOCAL_MACHINE\software\microsoft\internet
    explorer\activex compatibility\{c109664b-ceb1-420b-b353-d55a561536dd}
    Certainty: Confirmed Threatens: Confidentiality, Liability Risk: Low. Advice: Delete
    or ignore
    Action: Ignore

    Can anyone help me with this? Thank you very much :).

    PS: I have also sent this info to PestPatrol Customer Service.
     
  2. FanJ

    FanJ Guest

    Hi,

    I'm sorry to say it: PestPatrol is "well" (....) known for its false positives :mad:

    I really would advise to check and check again its alerts before letting it delete its alerts.
    Never ever rely on it without having cross-checked its alerts !
    It is simply the truth.
    Why this program has 3 stars at the Wilders-org site is simply completely unclear to me.


    Well, let's have a look at this one:

    Pest: AdShooter.SearchForIt
    Pest Info: Category: Adware Background Info: Click here
    File Info: In Registry: HKEY_LOCAL_MACHINE\software\microsoft\internet
    explorer\activex compatibility\{c109664b-ceb1-420b-b353-d55a561536dd}
    |compatibility flags

    Yep, I too got this one (with lots of other false positives but that's another story...).

    OK, let's have a look at the CLSID list from TonyKlein (a well known expert!!!) at ComputerCops:
    http://computercops.biz/CLSID.html
    I put in that CLSID {c109664b-ceb1-420b-b353-d55a561536dd}
    Let it do a search; you will get what my screenshot is showing you.
    What you see there, is that it is related to a file SYSsfitb.dll
    Well, I did a search on my system for that file: it simply is NOT on my system (W 98 SE).
    I rechecked by searching the database of my File-Integrity-Checker NISFileCheck: that file does NOT exist on my system.

    So what we've got here, is that this program PestPatrol forgot to search whether that file exists on your system.


    I'll ask TonyKlein to have a look at this thread, if he has the time and would like to do so.
     


  3. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi ragna

    The first two (Pest: Xupiter) look like false positives as the 'msxml3.dll' is a Microsoft file: http://support.microsoft.com/default.aspx?scid=kb;EN-US;269238

    You can check the file by right-clicking on it and choosing 'properties' to verify who created it and when.

    The second two (Pest: AdShooter) may not be false as the CLSID {c109664b-ceb1-420b-b353-d55a561536dd} does belong to the AdShooter toolbar: http://computercops.biz/clsid-899.html

    You might want to email PestPatrol with your scan results and see what they say first before doing anything.

    Regards,

    snap
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    LOL! Hi Jan. :D
     
  5. FanJ

    FanJ Guest

    Hey Snap :D

    :D :D :D
     
  6. FanJ

    FanJ Guest

    Well, I might have been completely wrong with what I posted.
    I take my words back, and apologize for my posting.

    I don't understand it anymore.
    I'd better leave these things to others.
     
  7. Justhelping

    Justhelping Guest

    I guess this thread perfectly illustrates why Pest Patrol is useless except in the hands of a real expert who is current with spyware/adware, who probably wouldn't need it anyway.

    Out of 3 detections, 2 are false positives. The danger is that a newbie would completely trust it and damage his system by removing them all.

    While even someone more experienced (or someone VERY experienced but who hasn't kept up with the latest malware lol) might, after dismissing yet another of the numerous false positives, go the opposite route and dismiss them all as false positives, hence missing the occasional/rare time when it's correct. This is almost as bad.
     
  8. FanJ

    FanJ Guest

    Well,
    I have looked at that registry-key on my (Dutch) W 98 SE system.

    Indeed the key is there, and here are its values:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{C109664B-CEB1-420B-B353-D55A561536DD}

    Naam Gegevens
    (Standaard) (geen waarde ingesteld)
    Compatibility Flags 0x00000400 (1024)

    (sorry, I have the Dutch version of Windows)

    I have to leave it further to those who might understand it.
     
  9. tImEwArP

    tImEwArP Guest

    I am also getting the following detections/FPs with Pest Patrol. All are adware. Anyone else getting any of these in their scans?



    1. AdShooter.SearchForIt (2 in Registry-same as above)

    2. I-Lookup (1 in reg- HKEY_LOCAL_MACHINE\software\classes\interface\
    {e7bc43a2-ba86-11cf-84b1-cbc2da68bf6c})

    3. SpediaBar (1 in reg- HKEY_LOCAL_MACHINE\software\stdllupdt)

    4. VX2 (4 in reg- HKEY_USERS\default\software\microsoft\currentversion\internet settings\zonemap\domains\vx2.com)

    5. Spyster 1.0.19 (1 in c:\windows\setup1.exe )

    6. EUniverse Directory (3 in c:\program files\earthlink\total access\fast lane )
     
  10. ragna

    ragna Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    12
    Location:
    Belgium
    Thank you FanJ, Snapdragin,... :-*
    I am still waiting on PestPatrol's answer. I am certainly gonna let you know their answer.
    Yes Justhelping, it is indeed very frustrating not to be able to rely on the software you bought.
    Luckily there are forums like this ;)
     
  11. wyrmrider

    wyrmrider Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    59
    Location:
    california
    I've seen
    Backdoor.Noknok
    from pest patrol and A2
    I think sbs&d takes care of it so it is on the back burner
    there are two versions at least
    I did not find the file with a search but have not checked the registry yet

    Wyrmrider
     
  12. FanJ

    FanJ Guest


    Hmmm :rolleyes:

    Here we go again:

    Have a look at this site:
    http://www.winguides.com/registry/display.php/1188/

    What that page explains, is that a kill bit has been set for an ActiveX Control when the DWORD is 1024.
    And that is exactly what has happened on my machine !

    At the moment I have not looked which program has set that kill bit, but I suppose it is either SpywareBlaster or SpywareGuard.

    So: it looks to me that it IS a false positive (well, at least on my machine where the DWORD for that ActiveX CLSID is indeed 1024)!
     
    Last edited by a moderator: Jul 26, 2004
  13. FanJ

    FanJ Guest

    I have them too.
    False positive if the DWORD is 1024, as explained above.

    I have it too.
    I'm not sure about this one at the moment.

    I didn't get this alert.
    I don't know.

    I have those 4 alerts too.
    All are false positives if the DWORD is 4.
    They are put there by IE-SPYAD.
    A known problem with PestPatrol; similar things have been posted several times and many months ago...
    On my W 98 SE machine for example:
    HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\vx2.com

    I have that alert too.
    False positive:
    A legitimate file from Microsoft:
    Visual Basic 6.0 Setup Toolkit.
    My version: 6.00.9782
    MD5 checksum of my version:
    C6264B17629F6F9F0BD2BA7671CEFF69

    I didn't get that alert.
    I don't know.

    BTW:
    I myself got several other alerts too....
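The two registry findings FanJ explains in the posts above (a Compatibility Flags DWORD of 1024, i.e. 0x400, which is the Internet Explorer kill bit for that CLSID, and ZoneMap\Domains entries with value 4, which IE-SPYAD writes to place a domain in the Restricted sites zone) can be told apart from real infections mechanically. The script below is an added example, not code from the thread or from PestPatrol: it parses a regedit export and labels each DWORD value as a kill bit, a Restricted-zone block-list entry, or something to inspect by hand. SAMPLE_REG is constructed text that reuses the CLSID and the vx2.com key quoted in the thread plus one made-up CLSID; the names triage, classify and Finding are my own. It goes slightly beyond the thread by checking any CLSID under ActiveX Compatibility and any domain under ZoneMap, not only the two quoted.

```python
"""Triage registry entries flagged by an anti-spyware scanner, from a .reg export.

Added example, not part of the forum thread or of PestPatrol. It reads the text
format written by "regedit /e" and separates two kinds of entries the thread
discusses from anything else:

  * an ActiveX Compatibility key whose "Compatibility Flags" DWORD has bit 0x400
    set: the IE kill bit, a block placed by the user or a tool such as
    SpywareBlaster; the control is refused by the browser, not installed.
  * a ZoneMap\\Domains entry whose value is 4: the domain is in the Restricted
    sites zone, which is what IE-SPYAD-style block lists write.

The SAMPLE_REG text is constructed for this example.
"""
import re
from dataclasses import dataclass

KILL_BIT = 0x400           # flag bit meaning "never load this ActiveX control"
RESTRICTED_SITES_ZONE = 4  # ZoneMap zone number for Restricted sites

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{C109664B-CEB1-420B-B353-D55A561536DD}]
"Compatibility Flags"=dword:00000400

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vx2.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(.+?)"=dword:([0-9a-fA-F]{8})$')
CLSID_RE = re.compile(r"\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})$")
ZONEMAP_RE = re.compile(r"\\ZoneMap\\Domains\\([^\\]+)$")


@dataclass
class Finding:
    key: str
    name: str
    value: int
    verdict: str   # "killbit", "restricted_zone" or "review"
    reason: str


def parse_reg(text):
    """Yield (key, value_name, dword) for every DWORD value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), int(m.group(2), 16)


def classify(key, name, value):
    """Decide whether a DWORD is a protective setting or needs a human look."""
    m = CLSID_RE.search(key)
    if m and name.lower() == "compatibility flags":
        if value & KILL_BIT:
            return "killbit", f"kill bit set for {m.group(1)}: IE refuses to load this control"
        return "review", f"ActiveX Compatibility entry without kill bit (flags=0x{value:x})"
    m = ZONEMAP_RE.search(key)
    if m and value == RESTRICTED_SITES_ZONE:
        return "restricted_zone", f"{m.group(1)} is in the Restricted sites zone (block-list entry)"
    return "review", "not a recognised protective setting; inspect manually"


def triage(text):
    """Return one Finding per DWORD value in the export, in file order."""
    return [Finding(k, n, v, *classify(k, n, v)) for k, n, v in parse_reg(text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f"{f.verdict:16} {f.key}")
        print(f"{'':16} {f.name} = 0x{f.value:08x}: {f.reason}")
```

To run it against a real machine, export the two parent keys with regedit /e and pass the file contents to triage (regedit writes UTF-16, so open the export with encoding="utf-16"). A "killbit" verdict means the scanner has found the defender's own block, not the control: whether the control is actually present is a separate question, answered by looking for its CLSID under HKEY_CLASSES_ROOT\CLSID and for the DLL it would point to, which is exactly the check FanJ did for SYSsfitb.dll.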
     
  14. tImEwArP

    tImEwArP Guest

    Thanks for your reply FanJ. I really appreciate your post. Now I know at least some of them are FPs. The last one I posted, 'EUniverse Directory', I think was part of Earthlink that was left over from when I used to have it. Not sure about SpediaBar. Is Pest Patrol ever going to get rid of their FP problems? Sometimes I wonder why I continue to use it at all. Hopefully your detections, the ones you didn't post, are just FPs too.
     
  15. FrogmanLa

    FrogmanLa Registered Member

    Joined:
    Jul 30, 2004
    Posts:
    1
    I am not too sure on the false positive theory. I am also running Spyware Blaster on my system (XP Home), I set it to protect against SearchForIt Tool Bar. Every time I reboot and check it, the protection has been turned off. The only thing Pest Patrol had listed that I found on my machine was the Active X registry entry. I delete it and it comes back when I reboot. I have yet to have Pest Patrol reply to any of 5 different inquiries.
     
  16. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    I used to be a betatester for Pest Patrol but lost all interest when they decided to shut down their forums.
     
  17. Odyssey

    Odyssey Registered Member

    Joined:
    Jul 31, 2004
    Posts:
    7
    FanJ, Please elaborate on the "checksum" you mentioned for setup1.exe. Are you testing whether the file has been compromised? How does one determine if it is an unaltered MS file or compromised?

    Pest Patrol gave me a warning about Spyster 1.0.19 in this file, which shows to have been created in April of this year, well after I bought and set up the computer, therefore a bit concerned.

    Thanks.
     
  18. dread

    dread Registered Member

    Joined:
    May 18, 2004
    Posts:
    195
    I just scanned and PestPatrol came up with the same thing on that Spyster 1.0.19. I have always stood up for PestPatrol but these last updates are FPs galore. I haven't had this problem before. And for some reason they stopped updating like they used to. And it's taking them longer to answer tech support; you used to get a response back within 24 hours from my experience, but not now. And the site is still not done. Maybe they are working their butts off on version 5 of the home edition and gonna straighten everything up. I hope PestPatrol is looking at these posts, hope someone is pointing them to these posts. Gonna get it for another year and just see what happens.
     
  19. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi dread,
    I really can not recommend it. I purchased several licenses in the past (now expiring) and I won't renew. I personally experienced several false positives. Prior to my discovering that it is a false positive glutton, I trusted it. Who knows how much trouble it caused by deleting necessary components and such?
    I thought maybe it was just me, but once I saw how many others were having the same problems, then I knew it was PP.
    If it was just a few, it could be a fluke. They have a bad track record. Inexcusable.
    They should call it FalsePositivePatrol (or FalsePositivePlus) :p
     
  20. Ruffian

    Ruffian Guest

  21. dread

    dread Registered Member

    Joined:
    May 18, 2004
    Posts:
    195
    Yes I am. I am hoping when version 5 comes out they will go back to updating normally like they used to and they get things fixed. They did increase some of their teams, or that was something someone said on this forum one time if I remember correctly. Growing pains maybe? Every company runs into problems sooner or later. And I still say it can detect things the other guys miss despite the FPs. Renewing doesn't cost that much anyway. And I will have a whole year to see if they change. And like I said I haven't had all these FPs till the last several updates, I don't know what's going on with them. But I am seeing the FP side of it that people have posted on here. Thankfully I usually know what they are or can find out real quick. Like I said before I hope they are looking at these posts.
     
  22. FanJ

    FanJ Guest

    Hi Odyssey,

    My remark about that checksum doesn't make much sense :oops: : as far as I was able to see the MS site doesn't give its MD5 checksum (but I could be wrong here... :oops: ).
    Thanks for your question !

    PS: I still tend to think that it is a false positive (at least I myself have not let PP remove it).
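Odyssey's question above, whether a checksum tells you a file is an unaltered Microsoft file, comes down to where the reference value comes from: a hash proves only that the file is byte-for-byte identical to whatever the reference was computed from, which is why FanJ's locally computed MD5 is not conclusive on its own. The script below is an added example, not code from the thread: it hashes a file in chunks and compares it against a table of known-good values. KNOWN_GOOD, the sample content and the function names file_digests, verify and demo are my own constructions; the reference table would in practice be filled from a vendor-published hash or from the same file on a known-clean installation.

```python
"""Verify a file against known-good hashes (added example, not from the thread).

The reference table is the whole point: the hash only says the file is
identical to what the reference was taken from, so the table must come from a
trusted place. The sample file and KNOWN_GOOD values are constructed for this
example and live in a temporary directory so the script runs offline.
"""
import hashlib
import os
import tempfile


def file_digests(path, chunk_size=1 << 16):
    """Return (md5, sha256) hex digests, hashing the file in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def verify(path, known_good):
    """Return "match", "mismatch" or "unknown" for the file at path.

    known_good maps a lower-case file name to a dict with any of the keys
    "md5" and "sha256". Every hash listed for that name must agree; a name
    that is not in the table yields "unknown" rather than a false sense of
    safety. Reference values may be given in either case (FanJ's is upper).
    """
    ref = known_good.get(os.path.basename(path).lower())
    if not ref:
        return "unknown"
    md5, sha256 = file_digests(path)
    actual = {"md5": md5, "sha256": sha256}
    return "match" if all(actual[k] == v.lower() for k, v in ref.items()) else "mismatch"


def demo():
    """Write a constructed file, take a reference from it, then verify both a
    pristine copy and a modified copy. Returns the two verdicts."""
    data = b"constructed sample content standing in for setup1.exe\n"
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "setup1.exe")
        with open(good, "wb") as fh:
            fh.write(data)
        md5, sha256 = file_digests(good)
        known_good = {"setup1.exe": {"md5": md5, "sha256": sha256}}
        altered_dir = os.path.join(tmp, "altered")
        os.mkdir(altered_dir)
        bad = os.path.join(altered_dir, "setup1.exe")
        with open(bad, "wb") as fh:
            # any appended bytes change both digests
            fh.write(data + b"tampered\n")
        return verify(good, known_good), verify(bad, known_good)


if __name__ == "__main__":
    print(demo())  # ('match', 'mismatch')
```

Where a file carries a digital signature, the Digital Signatures tab of its Properties dialog answers Odyssey's question more directly than any hash, because it ties the bytes to the publisher rather than to another copy; the hash comparison is the fallback for unsigned files such as the one discussed here.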
     
  23. Ruffian

    Ruffian Guest

    I bet they are too busy looking at all the complaints in their own forum (if they had one that is).
     
  24. rrainbow

    rrainbow Registered Member

    Joined:
    May 22, 2004
    Posts:
    16
    Location:
    Canada
    I had trouble with a software from the Spysweeper people and never got hardly any good support whatsoever!! I've never (except once) been treated SO Horrible from anyone before!! They Don't Deserve any $$$$$ from us at all!! Who cares if they have a Free download. If they Don't back their product they are Not worth their grain in salt. Period. Thank you.
    I also once tried Pest Patrol and then I downloaded another anti-spyware software and it caught a spyware that Pest Patrol downloaded on my PC when I downloaded it!!! Because my PC was Clean Before I downloaded Pest Patrol! o_O
     
  25. FanJ

    FanJ Guest

    Hi rrainbow,

    As far as I remember that never happened to me.

    With all due respect :
    I think it would be better to come with some proof of your statement.

    Regards, Jan.
     