Pest Patrol F/P's

Hi All,

Gave my semi-monthly, Pest Patrol scan a run - it found the following F/P's

All the TrojanSpy.GhostKeyLogger enteries - are the Bazooka Spyware Scanner setup.exe - Reported by PP as suspicious - Hmmm?

And the oem5.inf - is a setup file

dog -

Code:

\TDS3\xDynamic\TDS.Unpk\a0055099.exe	TrojanSpy.Win32.GhostKeyLogger.c		
\TDS3\xDynamic\TDS.Unpk\a0053920.exe	TrojanSpy.Win32.GhostKeyLogger.c	
\TDS3\xDynamic\TDS.Unpk\a0053951.exe	TrojanSpy.Win32.GhostKeyLogger.c		
\TDS3\xDynamic\TDS.Unpk\a0053988.exe	TrojanSpy.Win32.GhostKeyLogger.c		
\TDS3\xDynamic\TDS.Unpk\a0054041.exe	TrojanSpy.Win32.GhostKeyLogger.c		
\TDS3\xDynamic\TDS.Unpk\a0054265.exe	TrojanSpy.Win32.GhostKeyLogger.c		
\TDS3\xDynamic\TDS.Unpk\a0054926.exe	TrojanSpy.Win32.GhostKeyLogger.c		
\TDS3\xDynamic\TDS.Unpk\a0054957.exe	TrojanSpy.Win32.GhostKeyLogger.c		
\TDS3\xDynamic\TDS.Unpk\a0054994.exe	TrojanSpy.Win32.GhostKeyLogger.c		
\TDS3\xDynamic\TDS.Unpk\a0055018.exe	TrojanSpy.Win32.GhostKeyLogger.c		
\TDS3\xDynamic\TDS.Unpk\a0055039.exe	TrojanSpy.Win32.GhostKeyLogger.c		

\Bazooka Spyware Cleaner\bazookasetup.exe	TrojanSpy.Win32.ghostKeyLogger.c
		
C:\WINDOWS\lastgood\inf\oem5.inf	FavSearch 

 

Hi Paul,

Done - Techsupport AT pestpatrol DOT com -

Link is included.

Thanks

dog -

 

O, I have some more.......

But first: here comes the most ridiculous one I have ever seen :

Pest: ISTbar
Pest Info: Category: Adware
Background Info: Click here
File Info:
In File: C:\WINDOWS\desktop\pestpatrol.lnk
Date: 06-08-2004 7:41:50
Certainty: Confirmed
Threatens: Confidentiality, Liability
Risk: Moderate - this file can be executed!
Advice: Delete or quarantine
Action: Ignored

 

Hey folks at PP, come on
Check your own files.

Yes, I know very well that false positives can happen to ALL scanners.
No problem with me.

But this...........

 

O, I forgot, there were some others.....

(this one already posted by dog)
Pest: TrojanSpy.Win32.GhostKeyLogger.c
Pest Info: Category: Key Logger
Release Date: 05/25/2004 0:00:00
Background Info: Click here
File Info: In File: D:\Bazooka\Version 1_13_01\bazookasetup.exe
PVT: 1780703887
MD5: 174e6859d8ea9c33cf0ad0254e2527cb
Date: 06-28-2004 16:20:16
File Analysis: Look up with MD5 (recommended) or PVT.
Certainty: Suspected Threatens: Confidentiality, Integrity, Availability, Liability
Risk: Moderate - this file can be executed!
Advice: Delete or quarantine
Action: Ignored


Pest: InternetAlert
Pest Info: Category: Adware
Background Info: Click here
File Info: In File: c:\windows\lhsp\tv\tvenuax.dll
Date: 09-24-1998 15:15:44
Certainty: Confirmed Threatens: Confidentiality, Liability
Risk: Moderate - this file can be executed!
Advice: Delete or quarantine
Action: Ignored
~~~

Pest: InternetAlert
Pest Info: Category: Adware
Background Info: Click here
File Info: In File: c:\windows\lhsp\tv\tv_enua.dll
Date: 09-30-1998 10:09:20
Certainty: Confirmed Threatens: Confidentiality, Liability
Risk: Moderate - this file can be executed!
Advice: Delete or quarantine
Action: Ignored
~~~

Pest: TOPicks
Pest Info: Category: Adware
Background Info: Click here
File Info: In Registry: HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\topicks.com|*
Certainty: Confirmed Threatens: Confidentiality, Liability
Risk: Low.
Advice: Delete or ignore
Action: Ignored
~~~

Pest: TOPicks
Pest Info: Category: Adware
Background Info: Click here
File Info: In Registry: HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\topicks.com
Certainty: Confirmed Threatens: Confidentiality, Liability
Risk: Moderate - this file can be executed!
Advice: Delete or ignore
Action: Ignored
~~~

Pest: TOPicks
Pest Info: Category: Adware Background Info: Click here
File Info: In Registry: HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\altnetp2p.com|*
Certainty: Confirmed Threatens: Confidentiality, Liability
Risk: Low.
Advice: Delete or ignore
Action: Ignored
~~~

Pest: TOPicks
Pest Info: Category: Adware
Background Info: Click here
File Info: In Registry: HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\altnetp2p.com
Certainty: Confirmed Threatens: Confidentiality, Liability
Risk: Moderate - this file can be executed!
Advice: Delete or ignore
Action: Ignored
~~~

Pest: TOPicks
Pest Info: Category: Adware
Background Info: Click here
File Info: In Registry: HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\altnet.com|*
Certainty: Confirmed Threatens: Confidentiality, Liability
Risk: Low.
Advice: Delete or ignore
Action: Ignored
~~~

Pest: TOPicks
Pest Info: Category: Adware
Background Info: Click here
File Info: In Registry: HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\altnet.com
Certainty: Confirmed Threatens: Confidentiality, Liability
Risk: Moderate - this file can be executed!
Advice: Delete or ignore
Action: Ignored
~~~

Pest: BonziBuddy
Pest Info: Category: Adware
Background Info: Click here
File Info: In Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{ca141fd0-ac7f-11d1-97a3-0060082730ff}
Certainty: Confirmed Threatens: Confidentiality, Liability
Risk: Low.
Advice: Delete or ignore
Action: Ignored

 

checked the Bazooka setup-file with TDS-3, no alert :

18:52:57 [File Scan] Scanning in -scand D:\Bazooka
18:52:57 [File Scan] Scanning in D:\Bazooka ...
18:53:02 [File Scan] Scanned 1 files: 0 alarms in 5.546875 seconds (Avg 1.18 files/sec)

==========

checked with NOD32, no alert:

NOD32 version 1.796 (20040626)
Command line: D:\Bazooka\Version 1_13_01\bazookasetup.exe
Checking CRC of the NOD32.EXE file: status OK
Operating memory is OK.

date: 28.6.2004 time: 19:05:02
Scanned disks, directories and files: D:\Bazooka\Version 1_13_01\bazookasetup.exe
number of files scanned: 1
number of viruses found: 0
time of completion: 19:05:02 total scanning time: 0 sec (00:00:00)

=====

checked with TrojanHunter, no alert:

Scanning file D:\Bazooka\Version 1_13_01\bazookasetup.exe
No trojan files found

====

checked with Ad-aware, no alert:

Disk scan result for D:\Bazooka
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

19:16:28 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:00:00:0
Objects scanned :4
Objects identified :0
Objects ignored :0
New objects :0

======

checked with The Cleaner, EZ AV, SpyCop, KAV Lite 4.0.7.1, Tauscan: no alerts.

 

Lots of work Jan!


In the first posting the files in the TDS Unpk filder are copies of files unpacked there to be scanned, normally deleted afterwards or in the next scan; the names for me seem from the system restore; so if TDS doesn't see nothing in those system restore files, just delete them or try to zip one from that folder and scan it with several scanners, but make sure during that process you have only one scanner active.
Can also upload it to www.kaspersky.com/remoteviruschk.html for an instantly online scan result.
Anyway Dog, delete those files from that Unpk folder and see what happens in a next scan.

 

Thanks Jooske !

Just done that: all clean

Scanned file: bazookasetup.exe

bazookasetup.exe - packed with UPX
bazookasetup.exe - archived by CAB
bazookasetup.exe/presetup.rgn - OK
bazookasetup.exe/presetup.bmp - OK
bazookasetup.exe/presetup/License.txt - OK
bazookasetup.exe/plugins/0/StdUI.dll - OK
bazookasetup.exe/plugins/0/lng/Enu.lng - OK
bazookasetup.exe/plugins/0/lng/Epo.lng - OK
bazookasetup.exe/plugins/0/lng/Deu.lng - OK
bazookasetup.exe/plugins/0/lng/Fra.lng - OK
bazookasetup.exe/plugins/0/lng/Rus.lng - OK
bazookasetup.exe/db.pdb - OK
bazookasetup.exe/main.pdb - OK
bazookasetup.exe/lng/Enu.lng - OK
bazookasetup.exe/lng/Epo.lng - OK
bazookasetup.exe/lng/Deu.lng - OK
bazookasetup.exe/lng/Fra.lng - OK
bazookasetup.exe/lng/Rus.lng - OK
bazookasetup.exe/Uninstall.exe - OK
bazookasetup.exe/data/App/0/spywarescanner.exe - OK
bazookasetup.exe/data/App/0/system/bazooka_db.bdb - OK
bazookasetup.exe/data/App/0/system/bazooka_db_ver.txt - OK
bazookasetup.exe/data/App/0/system/config.cfg - OK
bazookasetup.exe/data/App/1/faq.html - OK
bazookasetup.exe/data/App/2/manual.html - OK
bazookasetup.exe/data/App/2/manual.html - archived by CAB
bazookasetup.exe/presetup.rgn - OK
bazookasetup.exe/presetup.bmp - OK
bazookasetup.exe/presetup/License.txt - OK
bazookasetup.exe/plugins/0/StdUI.dll - OK
bazookasetup.exe/plugins/0/lng/Enu.lng - OK
bazookasetup.exe/plugins/0/lng/Epo.lng - OK
bazookasetup.exe/plugins/0/lng/Deu.lng - OK
bazookasetup.exe/plugins/0/lng/Fra.lng - OK
bazookasetup.exe/plugins/0/lng/Rus.lng - OK
bazookasetup.exe/db.pdb - OK
bazookasetup.exe/main.pdb - OK
bazookasetup.exe/lng/Enu.lng - OK
bazookasetup.exe/lng/Epo.lng - OK
bazookasetup.exe/lng/Deu.lng - OK
bazookasetup.exe/lng/Fra.lng - OK
bazookasetup.exe/lng/Rus.lng - OK
bazookasetup.exe/Uninstall.exe - OK
bazookasetup.exe/data/App/0/spywarescanner.exe - OK
bazookasetup.exe/data/App/0/system/bazooka_db.bdb - OK
bazookasetup.exe/data/App/0/system/bazooka_db_ver.txt - OK
bazookasetup.exe/data/App/0/system/config.cfg - OK
bazookasetup.exe/data/App/1/faq.html - OK
bazookasetup.exe/data/App/2/manual.html - OK
bazookasetup.exe - OK


Statistics:
Known viruses: 91989 Updated: 28-06-2004
File size (Kb): 719 Virus bodies: 0
Files: 50 Warnings: 0
Archives: 2 Suspicious: 0

 

Now, if KAV says so, which is updated every hour or more then you can be really sure it is all clean! Ad-aware and spybot didn't see nada de nada either.
So that adds to your collection of detection software?

 

Yep, just did a full system scan with Spybot S&D: no alert for that Bazooka setup-file

PS-1:
Spybot S&D has its own false positives...

PS-2:
Please keep in mind that only the Bazooka setup-file was scanned; I haven't installed it.

 

Now I would like to go back to one of those TOPicks alerts by PP:

Take for example the alert on this one:

Quote:

Pest: TOPicks
Pest Info: Category: Adware
Background Info: Click here
File Info: In Registry: HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\topicks.com
Certainty: Confirmed Threatens: Confidentiality, Liability
Risk: Moderate - this file can be executed!
Advice: Delete or ignore
Action: Ignored

- end quote -

It has been said before, and I'll say it again:
This reg-key was put there by IE-SPYAD from Eric Howes !!!

It puts that site in the Restricted Zone of Internet Explorer.

I hope that PP will check the D-WORD of those keys in the future......

 

Hi Jan, G'Day Jooske,

Jooske, Yes those are all unpacked .exe from system restore files - all bazooka setup.exe. (not sure why, TDS doesn't unload/delete these files after the scan/ seems to re-write/replace them on the next scan = no really issue - maybe this can be worked into TDS4 ?)

Jan, all also scanned all my entries (to confirm F/P findings) with:
(as well as executing those .exe to confirm they were all bazooka setup.exe)

Scanned individual files with:
AV's = Main AV - NAV / Back up AV's - AVG, Antvir, Avast
AT's = MAin AT - TDS (which unpacked & scan ... clearly identified with PP results ... LOL ) Back up AT's - ASquared, Ewido
Anti-Spy - Ad-Aware

Scanned full system: (no control for scanning individual files)

Anti-Spy - Spybot 1.3 & Webroot's Spy Sweeper.

Thanks Jan & Jooske

dog -