Spybot Update 8/30/04 False Positive?

Discussion in 'other anti-malware software' started by Bubba, Aug 30, 2004.

Thread Status:
Not open for further replies.
  1. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    The latest Spybot release is flagging an entry that the SpywareBlaster program placed in the registry.

    SpywareBlaster entry
    HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\activex compatibility\{c109664b-ceb1-420b-b353-d55a561536dd}

    Spybot scan
    SearchForIt: Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\activex compatibility\{c109664b-ceb1-420b-b353-d55a561536dd}


    Related topic @ the Official Spybot Search & Destroy Forums
    Possible False Positive – Searchforit, 30Aug2004 Update
     
  2. FlashGordon

    FlashGordon Registered Member

    Joined:
    Jul 3, 2004
    Posts:
    27
    Nice catch. Thx. I actually had Spybot "fix" the problem. After checking this post, I checked SpywareBlaster and found one item disabled. Simply re-enabled all protection to unfix Spybot's "fix".
     
  3. Shae

    Shae Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    47
    This is one to put in the Ignore List for Spybot until they get the problem fixed.
     
  4. chip718

    chip718 Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    60
    After updating Spybot it found

    SearchForIt: Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\activex compatibility\{c109664b-ceb1-420b-b353-d55a561536dd}

    but it also found and:
    Evileye
    Executable
    C:\WINNT\iun6002.exe

    Does anyone know what this is? TIA
     
  5. AUXHILLARYmikE

    AUXHILLARYmikE Registered Member

    Joined:
    Aug 31, 2004
    Posts:
    12
    Location:
    I live in Crosskeys near Cardiff in Wales. United
    THANKS BUBBA!!
    I'll select ignore NOW.
    It's a good job I visited the forum before trying to delete in the registry again!!
    AUXHILLARYmikE
     
  6. AUXHILLARYmikE

    AUXHILLARYmikE Registered Member

    Joined:
    Aug 31, 2004
    Posts:
    12
    Location:
    I live in Crosskeys near Cardiff in Wales. United
    I have just done a Google search on WINNT\iun6002.exe and in the results was an entry that suggests that this is a virus?? Although not 100%.
    Time for a full scan!
    AUXHILLARYmikE.
     
  7. chip718

    chip718 Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    60
    After the entry was found with Spybot and vaulting it I scanned my PC with Nortons, AVG, Ad-aware, and Housecall and nothing else was found.

    So, do you guys recommend leaving the Searchforit in the registry and ignoring it in Spybot or vaulting it?
     
    Last edited: Sep 4, 2004
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    My suggestion is to re-enable the entry in SpywareBlaster and when you scan with Spybot again....right click that item and select ignore....until Spybot releases an updated definition file.

    The iun6002.exe file may need some looking into. Have you right clicked the properties of that file to see who the Mfg. is?
     
  9. chip718

    chip718 Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    60
    Got this off another site:
    http://www.indigorose.com/forums/showthread.php?t=4718

    The iun6002.exe is the uninstall routine created by our installation creation tool, Setup Factory 6.0 (see http://www.indigorose.com for information.) The reason that this file is on your system is that someone used our Setup Factory product to create an install program for their software and you ran it on your system. The iun6002.exe file allows the software to be removed after installation. This file is harmless to your system and does not need to be removed. If you have already removed the file, the only side-effect is that one or more products currently installed on your system will not be able to be uninstalled in the usual manner. Other than that, there will not be any noticeable effect on your system.

    We have been in contact with Symantec and they have informed us that the best way to resolve this issue is for Norton Antivirus users like yourself to scan the file and then submit it to Symantec through the AntiVirus software as a false-positive.
     
  10. chip718

    chip718 Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    60
    After ignoring Searchforit in Spybot I went into my ignore list and found some other entries that are ignored even though I never ignored them. Can someone tell me if Spybot automatically ignores them or should I 'unignore' them?

    LSP.New.net
    MySearch
    New.net
    SideStep
     
  11. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Yes....Spybot indeed ignores those entries by default and those items have been removed from targeting. They remain at the user's discretion to re-enable.
     
  12. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Last edited: Sep 5, 2004
  13. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    I am confused about 'SearchforIt' I had read this post and noted it was a false positive but when you look at Pest Control they are showing the method for removing it o_O

    I really would be grateful if someone would confirm that this is a false positive and can be ignored until Spybot issues new detection rules. Sorry to go over all of this again but there are concerns on various forums about this find plus conflicting advice o_O
     
  14. Justhelping

    Justhelping Guest

    Because Searchforit is a real malware, obviously there will be instructions for removing it! But that is a far cry from being infected.

    The pest patrol info page lists a number of processes, if you don't have them you are not infected.

    If all you have is HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\activex compatibility\{c109664b-ceb1-420b-b353-d55a561536dd}

    then it is almost 100% certain that is a FP. A killbit placed by SpywareBlaster or similar proggies. To confirm, run regedit and search for this. Look at the value, the DWORD: if it says 1024 you are fine.
     
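    The check Justhelping describes (find the CLSID under ActiveX Compatibility and confirm the DWORD reads 1024) can be done on an export of that key instead of by eye in regedit. The following is an added example, not code from the thread or from any of the products mentioned: it parses the text of a `reg export` of the ActiveX Compatibility key and reports whether the "Compatibility Flags" value for a given CLSID carries the kill bit (0x400, which is 1024 in decimal). The export text below is constructed for illustration; only the first CLSID is the one from the thread, the all-zero one is a made-up counterexample.

```python
import re
from typing import Dict, Optional

# Constructed sample in the layout of a `reg export` of the ActiveX Compatibility key.
# The first CLSID is the one discussed in the thread; the second is a made-up entry
# whose flags do not carry the kill bit, so the example shows both outcomes.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{c109664b-ceb1-420b-b353-d55a561536dd}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
"Compatibility Flags"=dword:00000000
"""

# Path fragment every ActiveX Compatibility CLSID key ends with (matched case-insensitively).
ACTIVEX_COMPAT = "\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\"
# Bit 0x400 of "Compatibility Flags" is the kill bit; as a decimal DWORD it reads 1024.
KILL_BIT = 0x400

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, int]]:
    """Return {key_path: {value_name: dword}} for the DWORD values in a .reg export.

    String and binary values are ignored; they are not needed for the kill-bit check.
    """
    keys: Dict[str, Dict[str, int]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _DWORD_RE.match(line)
        if value_match and current is not None:
            keys[current][value_match.group(1)] = int(value_match.group(2), 16)
    return keys


def compatibility_flags(keys: Dict[str, Dict[str, int]], clsid: str) -> Optional[int]:
    """Return the 'Compatibility Flags' DWORD for a CLSID, or None if the key is absent."""
    wanted_suffix = (ACTIVEX_COMPAT + clsid).lower()
    for path, values in keys.items():
        if path.lower().endswith(wanted_suffix):
            return values.get("Compatibility Flags")
    return None


def killbit_status(keys: Dict[str, Dict[str, int]], clsid: str) -> str:
    """Classify a CLSID as 'killbit', 'no-killbit' or 'absent'.

    A kill-bit-only entry (flags == 0x400) is exactly what SpywareBlaster writes; it blocks
    the control from loading in Internet Explorer and is not evidence of an infection.
    """
    flags = compatibility_flags(keys, clsid)
    if flags is None:
        return "absent"
    if flags & KILL_BIT:
        return "killbit"
    return "no-killbit"


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for clsid in ("{c109664b-ceb1-420b-b353-d55a561536dd}",
                  "{00000000-0000-0000-0000-000000000000}"):
        print(clsid, compatibility_flags(parsed, clsid), killbit_status(parsed, clsid))
```

    On a live system the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" compat.reg` and then reading `compat.reg`; the parser is deliberately limited to `dword:` values because the kill bit lives only in that one DWORD.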
  15. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Thank you :) I have just checked and my Dword is 1024 much to my relief! Many thanks for this extra detail which has confirmed my FP with Spybot.
     
  16. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    The confirmation can be found in the first post of this thread by visiting the link provided to the Official Spybot Forum where it was addressed by a member of Team Spybot SD.

    I would also suggest you provide the above link for those with "concerns on various forums".
     
  17. chip718

    chip718 Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    60
    Thanks for the reply, Bubba. Has anyone been able to update Spybot in the last couple of days? Their forum says that the false-positives have been fixed, but every time I try to update the program says there are no new updates.
     
  18. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    chip718.... yes.. I updated today.... I only checked about 3-4 days ago, none then, so presume these are latest.

    Log:

    9/6/2004 1:18:47 AM Downloaded update info file. (http://security.kolla.de/updates/spybotsd.ini)
    9/6/2004 1:20:13 AM downloaded update Detection rules
    9/6/2004 1:20:13 AM - URL: http://spybot.eon.net.au/updates/files/includes.zip
    9/6/2004 1:20:13 AM - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\includes.zip
    9/6/2004 1:24:44 AM Downloaded update info file. (http://security.kolla.de/updates/spybotsd.ini)
    9/6/2004 1:25:05 AM Downloaded update info file. (http://security.kolla.de/updates/spybotsd.ini)
    9/7/2004 12:51:52 AM Downloaded update info file. (http://security.kolla.de/updates/spybotsd.ini)

    TAS :)
     
  19. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    I have just checked via the update feature in Spybot and these are not available to me as updates o_O the last ones I downloaded are the 30.8.04 - I am not sure if the servers are updated at various times (maybe try another one and see if I can retrieve the updates).
     
  20. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    The 30.8.04 downloads are the latest updates. I believe what TAS is saying is that he now also has the latest 30.8.04 updates.

    The....9/6/2004 1:18:47 AM Downloaded update info file....entries he's referencing are simply the date he downloaded them, and the list he's showing comes from his Update downloads.log file....found in the Application Data\Spybot - Search & Destroy\Logs folder.
     
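    Bubba's point is that the timestamps in that log are when the client fetched files, and that a "downloaded update" line is followed by " - URL:" and " - Local file:" lines belonging to the same event. As an added example (not code from the thread or from Spybot S&D), the following reassembles the lines TAS posted into events so the detection-rules download can be told apart from the repeated info-file checks; the log text is reconstructed here from the thread, and the line layout is assumed from those quoted lines.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample in the layout of the "Update downloads.log" lines quoted in the thread
# (the timestamps, URLs and local path are the ones TAS posted; the file is reassembled here).
SAMPLE_LOG = r"""9/6/2004 1:18:47 AM Downloaded update info file. (http://security.kolla.de/updates/spybotsd.ini)
9/6/2004 1:20:13 AM downloaded update Detection rules
9/6/2004 1:20:13 AM - URL: http://spybot.eon.net.au/updates/files/includes.zip
9/6/2004 1:20:13 AM - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\includes.zip
9/6/2004 1:24:44 AM Downloaded update info file. (http://security.kolla.de/updates/spybotsd.ini)
9/6/2004 1:25:05 AM Downloaded update info file. (http://security.kolla.de/updates/spybotsd.ini)
9/7/2004 12:51:52 AM Downloaded update info file. (http://security.kolla.de/updates/spybotsd.ini)
"""

# Every line starts with "M/D/YYYY H:MM:SS AM|PM " followed by the message.
_LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (.*)$")
_TIME_FMT = "%m/%d/%Y %I:%M:%S %p"


def parse_download_log(text: str) -> List[Dict[str, object]]:
    """Turn log lines into events.

    An info-file check becomes {"kind": "info", "when": ...}; a "downloaded update <name>"
    line becomes {"kind": "update", "name": ...}, and the " - URL:" / " - Local file:"
    detail lines that follow are attached to that event as "url" and "local_file".
    """
    events: List[Dict[str, object]] = []
    for raw in text.splitlines():
        match = _LINE_RE.match(raw.strip())
        if not match:
            continue  # blank or unrecognised line
        when = datetime.strptime(match.group(1), _TIME_FMT)
        msg = match.group(2)
        lowered = msg.lower()
        if msg.startswith("- ") and events:
            # Detail line: "- URL: <value>" or "- Local file: <value>", belongs to the last event.
            field, _, value = msg[2:].partition(": ")
            events[-1][field.lower().replace(" ", "_")] = value
        elif lowered.startswith("downloaded update info file"):
            events.append({"kind": "info", "when": when})
        elif lowered.startswith("downloaded update "):
            events.append({"kind": "update", "when": when,
                           "name": msg[len("downloaded update "):]})
    return events


def rule_downloads(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Only the events where a definition file was actually fetched (not the .ini checks)."""
    return [e for e in events if e["kind"] == "update"]


if __name__ == "__main__":
    for event in rule_downloads(parse_download_log(SAMPLE_LOG)):
        print(event["when"], event["name"], event.get("url"), event.get("local_file"))
```

    Run against TAS's lines this yields a single detection-rules download at 9/6/2004 1:20:13 AM; the other four entries are only the client re-reading spybotsd.ini, which is why the timestamps say nothing about which definition release was installed.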
  21. I'm having the same problem as that, and so I'll just not have ssd delete that entry... but I am having another problem, I can't figure it out... it comes up whenever I open internet explorer, even to an about:blank page... does anyone know what it is and how to get rid of it without formatting my computer? I could do that part easily, I have tons of room on other drives, but it's still a pain in the monkey nuts to do....

    http://home.comcast.net/~since1876/onlinestorage/ihatecomputerssomuch.bmp

    I did right click on the actual thing and then properties and it came up as hxxp://search200.com/passthrough/newpass2.html but it's probably best for none of you to go visit that, it's just to see if it helps anyone. :)


    edited link to suspected spyware to disable - Detox
     
    Last edited by a moderator: Sep 8, 2004
  22. I tried putting the site into internet explorer's restricted sites but it didn't stop it from showing up again...
     
  23. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    2 nottoosurefolks:

    why don't you delete the link of search200.com:....

    this is not at all funny.

    download Ad-aware and, in safe mode, let Ad-aware and Spybot run together with your AV.

    then post a hijackthis log in many of the forums analyzing this.

    thanx a lot.
     
  24. where's the link to delete it?
     
  25. I found it when I did a search in the registry... I am having a problem with this lop toolbar now, so I will search for that too... thanks....
     