Pest Patrol F/P's

Discussion in 'other anti-malware software' started by dog, Jun 28, 2004.

Thread Status:
Not open for further replies.
  1. dog

    dog Guest

    Hi All, ;)

    Gave my semi-monthly, Pest Patrol scan a run - it found the following F/P's

    All the TrojanSpy.GhostKeyLogger entries - are the Bazooka Spyware Scanner setup.exe - Reported by PP as suspicious - Hmmm?

    And the oem5.inf - is a setup file

    dog - *puppy*


    Code:
    \TDS3\xDynamic\TDS.Unpk\a0055099.exe	TrojanSpy.Win32.GhostKeyLogger.c		
    \TDS3\xDynamic\TDS.Unpk\a0053920.exe	TrojanSpy.Win32.GhostKeyLogger.c	
    \TDS3\xDynamic\TDS.Unpk\a0053951.exe	TrojanSpy.Win32.GhostKeyLogger.c		
    \TDS3\xDynamic\TDS.Unpk\a0053988.exe	TrojanSpy.Win32.GhostKeyLogger.c		
    \TDS3\xDynamic\TDS.Unpk\a0054041.exe	TrojanSpy.Win32.GhostKeyLogger.c		
    \TDS3\xDynamic\TDS.Unpk\a0054265.exe	TrojanSpy.Win32.GhostKeyLogger.c		
    \TDS3\xDynamic\TDS.Unpk\a0054926.exe	TrojanSpy.Win32.GhostKeyLogger.c		
    \TDS3\xDynamic\TDS.Unpk\a0054957.exe	TrojanSpy.Win32.GhostKeyLogger.c		
    \TDS3\xDynamic\TDS.Unpk\a0054994.exe	TrojanSpy.Win32.GhostKeyLogger.c		
    \TDS3\xDynamic\TDS.Unpk\a0055018.exe	TrojanSpy.Win32.GhostKeyLogger.c		
    \TDS3\xDynamic\TDS.Unpk\a0055039.exe	TrojanSpy.Win32.GhostKeyLogger.c		
    
    \Bazooka Spyware Cleaner\bazookasetup.exe	TrojanSpy.Win32.ghostKeyLogger.c
    		
    C:\WINDOWS\lastgood\inf\oem5.inf	FavSearch 
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    dog,

    Better drop PP an email about this ;) - feel free to point them to this thread.

    regards.

    paul
     
  3. dog

    dog Guest

    Hi Paul, ;)

    Done - Techsupport AT pestpatrol DOT com - ;)

    Link is included.

    Thanks

    dog - *puppy*
     
  4. FanJ

    FanJ Guest

    O, I have some more.......

    But first: here comes the most ridiculous one I have ever seen :

    Pest: ISTbar
    Pest Info: Category: Adware
    Background Info: Click here
    File Info:
    In File: C:\WINDOWS\desktop\pestpatrol.lnk
    Date: 06-08-2004 7:41:50
    Certainty: Confirmed
    Threatens: Confidentiality, Liability
    Risk: Moderate - this file can be executed!

    Advice: Delete or quarantine
    Action: Ignored
     
    Last edited by a moderator: Jun 28, 2004
  5. FanJ

    FanJ Guest

    Hey folks at PP, come on ;)
    Check your own files.

    Yes, I know very well that false positives can happen to ALL scanners.
    No problem with me.

    But this...........
     
    Last edited by a moderator: Jun 28, 2004
  6. FanJ

    FanJ Guest

    O, I forgot, there were some others.....

    (this one already posted by dog)
    Pest: TrojanSpy.Win32.GhostKeyLogger.c
    Pest Info: Category: Key Logger
    Release Date: 05/25/2004 0:00:00
    Background Info: Click here
    File Info: In File: D:\Bazooka\Version 1_13_01\bazookasetup.exe
    PVT: 1780703887
    MD5: 174e6859d8ea9c33cf0ad0254e2527cb
    Date: 06-28-2004 16:20:16
    File Analysis: Look up with MD5 (recommended) or PVT.
    Certainty: Suspected Threatens: Confidentiality, Integrity, Availability, Liability
    Risk: Moderate - this file can be executed!
    Advice: Delete or quarantine
    Action: Ignored


    Pest: InternetAlert
    Pest Info: Category: Adware
    Background Info: Click here
    File Info: In File: c:\windows\lhsp\tv\tvenuax.dll
    Date: 09-24-1998 15:15:44
    Certainty: Confirmed Threatens: Confidentiality, Liability
    Risk: Moderate - this file can be executed!
    Advice: Delete or quarantine
    Action: Ignored
    ~~~

    Pest: InternetAlert
    Pest Info: Category: Adware
    Background Info: Click here
    File Info: In File: c:\windows\lhsp\tv\tv_enua.dll
    Date: 09-30-1998 10:09:20
    Certainty: Confirmed Threatens: Confidentiality, Liability
    Risk: Moderate - this file can be executed!
    Advice: Delete or quarantine
    Action: Ignored
    ~~~

    Pest: TOPicks
    Pest Info: Category: Adware
    Background Info: Click here
    File Info: In Registry: HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\topicks.com|*
    Certainty: Confirmed Threatens: Confidentiality, Liability
    Risk: Low.
    Advice: Delete or ignore
    Action: Ignored
    ~~~

    Pest: TOPicks
    Pest Info: Category: Adware
    Background Info: Click here
    File Info: In Registry: HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\topicks.com
    Certainty: Confirmed Threatens: Confidentiality, Liability
    Risk: Moderate - this file can be executed!
    Advice: Delete or ignore
    Action: Ignored
    ~~~

    Pest: TOPicks
    Pest Info: Category: Adware Background Info: Click here
    File Info: In Registry: HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\altnetp2p.com|*
    Certainty: Confirmed Threatens: Confidentiality, Liability
    Risk: Low.
    Advice: Delete or ignore
    Action: Ignored
    ~~~

    Pest: TOPicks
    Pest Info: Category: Adware
    Background Info: Click here
    File Info: In Registry: HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\altnetp2p.com
    Certainty: Confirmed Threatens: Confidentiality, Liability
    Risk: Moderate - this file can be executed!
    Advice: Delete or ignore
    Action: Ignored
    ~~~

    Pest: TOPicks
    Pest Info: Category: Adware
    Background Info: Click here
    File Info: In Registry: HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\altnet.com|*
    Certainty: Confirmed Threatens: Confidentiality, Liability
    Risk: Low.
    Advice: Delete or ignore
    Action: Ignored
    ~~~

    Pest: TOPicks
    Pest Info: Category: Adware
    Background Info: Click here
    File Info: In Registry: HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\altnet.com
    Certainty: Confirmed Threatens: Confidentiality, Liability
    Risk: Moderate - this file can be executed!
    Advice: Delete or ignore
    Action: Ignored
    ~~~

    Pest: BonziBuddy
    Pest Info: Category: Adware
    Background Info: Click here
    File Info: In Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{ca141fd0-ac7f-11d1-97a3-0060082730ff}
    Certainty: Confirmed Threatens: Confidentiality, Liability
    Risk: Low.
    Advice: Delete or ignore
    Action: Ignored
     
  7. FanJ

    FanJ Guest

    checked the Bazooka setup-file with TDS-3, no alert :

    18:52:57 [File Scan] Scanning in -scand D:\Bazooka
    18:52:57 [File Scan] Scanning in D:\Bazooka ...
    18:53:02 [File Scan] Scanned 1 files: 0 alarms in 5.546875 seconds (Avg 1.18 files/sec)

    ==========

    checked with NOD32, no alert:

    NOD32 version 1.796 (20040626)
    Command line: D:\Bazooka\Version 1_13_01\bazookasetup.exe
    Checking CRC of the NOD32.EXE file: status OK
    Operating memory is OK.

    date: 28.6.2004 time: 19:05:02
    Scanned disks, directories and files: D:\Bazooka\Version 1_13_01\bazookasetup.exe
    number of files scanned: 1
    number of viruses found: 0
    time of completion: 19:05:02 total scanning time: 0 sec (00:00:00)

    =====

    checked with TrojanHunter, no alert:

    Scanning file D:\Bazooka\Version 1_13_01\bazookasetup.exe
    No trojan files found

    ====

    checked with Ad-aware, no alert:

    Disk scan result for D:\Bazooka
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0

    19:16:28 Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:00:00:0
    Objects scanned :4
    Objects identified :0
    Objects ignored :0
    New objects :0

    ======

    checked with The Cleaner, EZ AV, SpyCop, KAV Lite 4.0.7.1, Tauscan: no alerts.
     
    Last edited by a moderator: Jun 28, 2004
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Lots of work Jan!


    In the first posting the files in the TDS Unpk folder are copies of files unpacked there to be scanned, normally deleted afterwards or in the next scan; the names for me seem from the system restore; so if TDS doesn't see anything in those system restore files, just delete them or try to zip one from that folder and scan it with several scanners, but make sure during that process you have only one scanner active.
    Can also upload it to www.kaspersky.com/remoteviruschk.html for an instantly online scan result.
    Anyway Dog, delete those files from that Unpk folder and see what happens in a next scan.
     
  9. FanJ

    FanJ Guest

    Thanks Jooske ! :)

    Just done that: all clean :)

    Scanned file: bazookasetup.exe

    bazookasetup.exe - packed with UPX
    bazookasetup.exe - archived by CAB
    bazookasetup.exe/presetup.rgn - OK
    bazookasetup.exe/presetup.bmp - OK
    bazookasetup.exe/presetup/License.txt - OK
    bazookasetup.exe/plugins/0/StdUI.dll - OK
    bazookasetup.exe/plugins/0/lng/Enu.lng - OK
    bazookasetup.exe/plugins/0/lng/Epo.lng - OK
    bazookasetup.exe/plugins/0/lng/Deu.lng - OK
    bazookasetup.exe/plugins/0/lng/Fra.lng - OK
    bazookasetup.exe/plugins/0/lng/Rus.lng - OK
    bazookasetup.exe/db.pdb - OK
    bazookasetup.exe/main.pdb - OK
    bazookasetup.exe/lng/Enu.lng - OK
    bazookasetup.exe/lng/Epo.lng - OK
    bazookasetup.exe/lng/Deu.lng - OK
    bazookasetup.exe/lng/Fra.lng - OK
    bazookasetup.exe/lng/Rus.lng - OK
    bazookasetup.exe/Uninstall.exe - OK
    bazookasetup.exe/data/App/0/spywarescanner.exe - OK
    bazookasetup.exe/data/App/0/system/bazooka_db.bdb - OK
    bazookasetup.exe/data/App/0/system/bazooka_db_ver.txt - OK
    bazookasetup.exe/data/App/0/system/config.cfg - OK
    bazookasetup.exe/data/App/1/faq.html - OK
    bazookasetup.exe/data/App/2/manual.html - OK
    bazookasetup.exe/data/App/2/manual.html - archived by CAB
    bazookasetup.exe/presetup.rgn - OK
    bazookasetup.exe/presetup.bmp - OK
    bazookasetup.exe/presetup/License.txt - OK
    bazookasetup.exe/plugins/0/StdUI.dll - OK
    bazookasetup.exe/plugins/0/lng/Enu.lng - OK
    bazookasetup.exe/plugins/0/lng/Epo.lng - OK
    bazookasetup.exe/plugins/0/lng/Deu.lng - OK
    bazookasetup.exe/plugins/0/lng/Fra.lng - OK
    bazookasetup.exe/plugins/0/lng/Rus.lng - OK
    bazookasetup.exe/db.pdb - OK
    bazookasetup.exe/main.pdb - OK
    bazookasetup.exe/lng/Enu.lng - OK
    bazookasetup.exe/lng/Epo.lng - OK
    bazookasetup.exe/lng/Deu.lng - OK
    bazookasetup.exe/lng/Fra.lng - OK
    bazookasetup.exe/lng/Rus.lng - OK
    bazookasetup.exe/Uninstall.exe - OK
    bazookasetup.exe/data/App/0/spywarescanner.exe - OK
    bazookasetup.exe/data/App/0/system/bazooka_db.bdb - OK
    bazookasetup.exe/data/App/0/system/bazooka_db_ver.txt - OK
    bazookasetup.exe/data/App/0/system/config.cfg - OK
    bazookasetup.exe/data/App/1/faq.html - OK
    bazookasetup.exe/data/App/2/manual.html - OK
    bazookasetup.exe - OK


    Statistics:
    Known viruses: 91989 Updated: 28-06-2004
    File size (Kb): 719 Virus bodies: 0
    Files: 50 Warnings: 0
    Archives: 2 Suspicious: 0
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Now, if KAV says so, which is updated every hour or more, then you can be really sure it is all clean! Ad-aware and Spybot didn't see nada de nada either.
    So that adds to your collection of detection software? :cool:
     
  11. FanJ

    FanJ Guest

    Yep, just did a full system scan with Spybot S&D: no alert for that Bazooka setup-file ;)

    PS-1:
    Spybot S&D has its own false positives...

    PS-2:
    Please keep in mind that only the Bazooka setup-file was scanned; I haven't installed it.
     
  12. FanJ

    FanJ Guest

    Now I would like to go back to one of those TOPicks alerts by PP:

    Take for example the alert on this one:

    Quote:

    Pest: TOPicks
    Pest Info: Category: Adware
    Background Info: Click here
    File Info: In Registry: HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\topicks.com
    Certainty: Confirmed Threatens: Confidentiality, Liability
    Risk: Moderate - this file can be executed!
    Advice: Delete or ignore
    Action: Ignored

    - end quote -

    It has been said before, and I'll say it again:
    This reg-key was put there by IE-SPYAD from Eric Howes !!!

    It puts that site in the Restricted Zone of Internet Explorer.

    I hope that PP will check the D-WORD of those keys in the future......
     
    Last edited by a moderator: Jun 28, 2004
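    A triage check of the point made above, as an added example that is not from this thread or from any scanner vendor: it parses a constructed .reg export of the ZoneMap keys PP flagged and treats a domain whose only DWORD is `*`=4 as a Restricted Sites block (what IE-SPYAD writes), not as adware. The zone ids (4 = Restricted Sites, 2 = Trusted Sites) are Internet Explorer's own; the domain example-adware.test is made up for the opposite case.

```python
import re

# Internet Explorer URL security zone ids.
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed .reg export for this example, mirroring the keys PP flagged;
# example-adware.test is a made-up domain showing the opposite case.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\topicks.com]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\altnet.com]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-adware.test]
"http"=dword:00000002
"""

KEY_RE = re.compile(r"^\[.*\\ZoneMap\\Domains\\([^\\\]]+)\]$", re.IGNORECASE)
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})$', re.IGNORECASE)


def parse_zonemap(reg_text):
    r"""Return {domain: {scheme: zone_id}} for the ZoneMap\Domains keys in a .reg export.
    Host-prefix subkeys (Domains\example.com\www) are skipped to keep the example short."""
    entries, domain = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            domain = m.group(1).lower() if m else None
            if domain:
                entries.setdefault(domain, {})
            continue
        m = VAL_RE.match(line)
        if m and domain:
            entries[domain][m.group(1)] = int(m.group(2), 16)  # "*"/"http"/"https" -> zone id
    return entries


def triage(entries):
    """A Domains key alone is not evidence of adware; only the DWORD says which zone.
    Zone 4 on every scheme means the site was blocked (what IE-SPYAD does)."""
    verdicts = {}
    for domain, schemes in entries.items():
        zones = set(schemes.values())
        if zones and zones <= {4}:
            verdicts[domain] = "restricted: benign block entry, not a pest"
        elif zones & {1, 2}:
            names = ", ".join(sorted(ZONES[z] for z in zones & {1, 2}))
            verdicts[domain] = "elevated trust (%s): review" % names
        else:
            verdicts[domain] = "no zone DWORD: review manually"
    return verdicts
```

Running `triage(parse_zonemap(SAMPLE_REG))` clears the two IE-SPYAD entries and leaves only the made-up Trusted Sites entry for review.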
  13. dog

    dog Guest

    Hi Jan, G'Day Jooske, ;)

    Jooske, Yes those are all unpacked .exe from system restore files - all bazooka setup.exe. (not sure why TDS doesn't unload/delete these files after the scan / seems to re-write/replace them on the next scan = not really an issue - maybe this can be worked into TDS4?)

    Jan, I also scanned all my entries (to confirm F/P findings) with:
    (as well as executing those .exe to confirm they were all bazooka setup.exe)

    Scanned individual files with:
    AV's = Main AV - NAV / Back up AV's - AVG, AntiVir, Avast
    AT's = Main AT - TDS (which unpacked & scanned ... clearly identified with PP results ... LOL :D) Back up AT's - ASquared, Ewido
    Anti-Spy - Ad-Aware

    Scanned full system: (no control for scanning individual files)

    Anti-Spy - Spybot 1.3 & Webroot's Spy Sweeper.

    Thanks Jan & Jooske

    dog - *puppy*
     