Giant FP with SptBot S&D

Discussion in 'other anti-malware software' started by edipoli, Dec 14, 2004.

Thread Status:
Not open for further replies.
  1. edipoli

    edipoli Registered Member

    Joined:
    Jan 9, 2004
    Posts:
    5
    Location:
    TURKEY/ISTANBUL
    Re: Giant Antispyware

    I am using the latest spybot version with the latest updates. However, after immunizing all the bad products, I used the new tool ''Giant antispyware'' , it found out spyware "SearchSquire" inside my system. After I removed them, I started Spybot again and clicked on the "immunize" button and it prompt me that "1 additional immunization possible..." So I immunized my system again but after I do that, again the spyware "SearchSquire" is detected by Giant antispyware. This problem keep on recurring.

    May I know what actually happens and whether is this a bug within spybot?
    o_O
     
  2. dog

    dog Guest

    Re: Giant Antispyware

    It sounds like a GiantAS False Postive ... What are the details/location when Giant finds SearchSquire?

    Steve
     
  3. dog

    dog Guest

    Re: Giant Antispyware

    To Help you out a bit more before you answer. ;)

    What GiantAS is probably finding is:

    HKEY_Current_User\Software\Microsoft\Windows\Current Version\Internet Settings\Zone Map\Domains\Searchsquire.com

    (Thanks aagfr for pointing out this slight oversight ... details are very important. ;) )

    If you type regedit in the run box ... & navigate to this ... in the right pane you will see a Dword Value. The Value should be 4. Which is right. (See screen shot)

    A value of 4 means searchsquire is set as a restricted zone. A value of 2 indicates a trusted zone.

    If the value you find for the Dword Value is 4 ... it's a False Positive from GiantAS ... it's only finding the key ... and not the Dword Value. Which is incorrect ... you can add it to the ignore list for now.

    I haven't gotten this F/P ... are you using the current definitions # 5677 ?

    Steve
     

    Attached Files:

    Last edited by a moderator: Dec 14, 2004
  4. aagfr

    aagfr Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    56
    Re: Giant Antispyware

    Thanks dog.

    Just for clarity, the correct address for the key is: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com

    (Naturally, the correct address was apparent in your screenshot.)

    Thanks again for your help re the FP. I got it too, but fortunately checked here first.
     
  5. edipoli

    edipoli Registered Member

    Joined:
    Jan 9, 2004
    Posts:
    5
    Location:
    TURKEY/ISTANBUL
    Thank you sooo much friends.....I was away for a few days & couldnt reply,sorry.. Giant AS found exactly what you said.. (I use adaware,spybot,spywareblaster) My current defs were 5677 as you said..
    I will ignore G AS & immunize all @SSD..
    By the way 5 minutes ago,Giant loaded new defs 5678..
    Will make a new scan now..
    Whatever it finds SearchSquire or not,I will ignore..
    Best regards..
    :rolleyes:
     
  6. aagfr

    aagfr Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    56
    I just ran another deep scan with Giant AS using its latest definitions #5678. It still detects the SearchSquire reg keys noted above as adware threats.
     
  7. WilliG

    WilliG Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    3
    Dog,
    Thanks! Learned something new this evening. However, my GiantAS is updatd through 7778 ver 1.0.301 and still produced a false positive. For now, it has been place in the ignore mode. I have sent an email to Giant, however.
    Got another one for you: Using the most recent update of SpyCop, I received and odd message at completion:
    Scan Results:
    Spector/Spector Pro/EBLaster by SpectorSoft | C:\Program Files\InterMute\SpySubtract\CWSInstall.exe
    The recommendation was to remove the object, instead I renamed it, the place program in quarantine. Any thoughts?

    Lastly, Merjin sold CWShredder to Intermute, but running such left me with the aforementioned that SpyCop picked up on, only (lavasoft, spybot missed it altogher).

    I currently run, Spy-Bot Seach & Destroy 1.3, SpywareBlaster, the new LavaSoft Suite Pro, PestPatrol, GiantAS, ZoneAlarm Pro, AVG Pro, BHO Demon,
    Bugnosis, Maxon 1.1.067.x, FireFox 1.0, IE 6 Sp-1, Outlook Express 6 Sp-1, Spam Bully OE, Stinger, X-Cleaner, Windbrush and Windows Washser, et al.
    I run these programs synergistically, at varying times in varying combinations,
    then in an overnight batch for a real scrub down. So far I have not had any major problems nor crashes. No reloads nor clean loads. I keep up todate, realtime, with everthing, but XP Pro SP-2.

    Any thoughts on the aformentioned errors (Spycop and GiantAS)? Are the Fresh Devices suite of concern? I get some questions to such with pest patorl.

    Your humble student.

    WillG :cool:
     
  8. readdi

    readdi Registered Member

    Joined:
    Jan 18, 2005
    Posts:
    1
    ZoneMap\Domains entries (SearchSquire)

    Thanks Dog, you just answered a lot of my about to be written questions.

    Presumably, if you delete this registry entry (as MS Antispyware just advised me), you are more vulnerable to attack? ie you are not actively preventing it from installing.

    BTW do you know if there are values for the dword other than 2 and 4, and what they might mean?

    Cheers.

    Dave
     
  9. dread

    dread Registered Member

    Joined:
    May 18, 2004
    Posts:
    195
  10. dog

    dog Guest

    Re: ZoneMap\Domains entries (SearchSquire)

    Hi Dave, ;)

    M$ Anti-Spy will delete only the Dword Value ... Hence removing it from the restricted zone (4) ... where it would then fall in default, zone 3 = Internet Zone. Where your settings would/should be high, but not as stiffling as the Restricted Zone (4).

    The other possible values would be:

    (0) - My Computer
    (1) - Local Intranet Zone
    (3) - Internet Zone

    Plus the Two already Mention:

    (2) - Trusted Zone
    (4) - Restricted Zone

    This M$ KB Article has a lot of info if you're interested:

    Description of Internet Explorer security zones registry entries
    http://support.microsoft.com/default.aspx?scid=kb;en-us;182569

    HTH, ;)

    Steve
     
Loading...
Similar Threads
  1. FanJ
    Replies:
    10
    Views:
    782
Thread Status:
Not open for further replies.