SDS Software/Setup2Go found; also ? FP on 2 Trojans?

Ewido and Webroot Spy Audit found this registry entry in

HKLM/SOFTWARE/SDS Software/Setup2Go

I found the program's website, says it's an installer. So I'm guessing that some bad guy tried ?? to install something ??

Another scan (I forget which one) said it found Kitten Free Sex Dialer (which I did find a definition on eTrust Spyware Encyclopedia, but not on the Spyware Guide site) and neither found another one called "Media.... something I can't remember, both called Trojans.

I was wondering if it was a FP though, to get me to buy the software?? None of the other antispy programs I have found them.

I've scanned with:

CounterSpy -- nothing
Spyware Blaster -- nothing
Spyware Guard -- nothing
Spybot S&D -- nothing
A-squared -- nothing

Also using:
ZoneAlarm
NAV
SpywareBlaster
IESpyAd
BHO Demon

Any thoughts about this?

Thanks,

Callie

 

That registry entry and the Kitten Free Sex appear to be related. (scroll halfway down this link -> http://64.233.161.104/search?q=cach...000679-4/ HKLM/SOFTWARE/SDS Software/Setup2Go - you'll see the google highlights when you get to the post I'm referring to)

Steve

 

Ewido's database is much better than some of the other products that you mentioned. If you wanted some more confirmation (it appears that Webroot concurs), then I would try an online scan. Maybe McAfee since I do not think that KAV online is still available. I think I would trust Ewido and Webroot at this point.

Rich

 

Hi,
Ewido is very powerful, but it can still have fps.
On one of my machines, which is protected by 35 tons of layered security applications, Ewido found two bargain buddy keys, however none of those keys or files you find in online encyclopedia showing the usual files and locations of the malware, just two nondescript keys in the registry. And this machine has had fresh format and install just 2 months ago.
Now, this is definitely a fp, since I never use IE, have no extra toolbars or anything, netstat shows clean, hijackthis shows clean and blah blah so forth. I also scanned with A2 anti-trojan and it showed nothing. Sometimes, even very good programs can have spoofed alerts.
Now, I don't know how you surf or what you did, it could be that you contracted some nasty or something. Is your machine behaving differently than you're used to? Extra cpu usage? Modem blinking too much when you're idle?
I suggest you trial versions of TDS-3 and Trojan Hunter and see if they can discover anything. If nothing else gives you an alarm, you're probably clean. Do a hijackthis log and post it in a relevant forum, and ask for expert's help.
Cheers,
Mrk

 

Trial version of TDS-3?

 

Mrkvonic, they all have false postives, including TDS-3 which had false postives, because it was discontinued 2 weeks ago and are not available anymore.

 

Thanks for all the suggestions. I downloaded a trial of Trojan Hunter and it didn't find anything, whew. I thought I had pretty good security though so I was shocked that I had something at all. Wouldn't it be nice if it was a FP?

I pass the GRC port scan okay, ZA is set to notify me, as is CounterSpy. I have scripting turned off in IE, use Firefox primarily and am usually on as Limited User. I do have DSL, but haven't noticed degraded performance, extra popups, or anything suspicious lately.

Does DSL also "phone" with a dialer?

Thanks again. I guess I'm okay again.

Callie

 

Yes, it would be nice, and to be sure i would recommend that you submit the file to Ewido:http://www.ewido.net/en/malware/ to confirm this and also help others.

 

Hi Callie,

In answer to your question " Does DSL also "phone" with a dialer? "

If you don't have a 56k modem installed in your comp, or it's physically disconnected from the wall socket, then it can't dial out. If you do have you can disable it in the Network settings. This will also free up resources for you.

As an extra precaution you could remove the lead to a safe place so nobody could reconnect it.


StevieO

 

There's probably a modem in there, but the only connection is via the DSL modem. Whew.

 

Hmm, the link you gave me takes me to a place to send items that *weren't* detected ?? And what "file" do I send to them?

I found a list of *.tmp files in the Ewido\Quarantine folder, but can't read them in Notepad so can't tell which one is the bad guy. And they're in quarantine so I can't find them where they used to be. And I don't see any place in Ewido to save the list of what it found. ??

oops, I stumbled upon a possible way --- if you go to the support on their website, there's a "contact" form that lets you upload a screenshot. I'll try that.

http://www.ewido.net/en/contact/

 

You're sending a possble false positive Callie, this is the only way to submit files, first restore the file from quarantine and submit it.

 

This is what I got back from Ewido:

Dear customer,

thank you for your request. This is a known and already fixed problem. We're
sorry for this ungratefulness.

With best regards,

Your ewido networks Support-Team