SpySubtract

Discussion in 'other anti-malware software' started by habari42, Feb 2, 2005.

Thread Status:
Not open for further replies.
  1. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Hi. I hope I'm in the right section here! I have Intermute's SpySubtract for trial and it has picked up two suspects which my other anti-spywares (including Spybot and AdAware) have not reported. They are Conducent Technologies Inc. and New Media Properties LLC. Can anyone tell me if these are real nasties or just false positives, please? Cheers, Haba.
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I believe Spysubtract provides a little info of what and where it found the entry. Having said that....does Spysubtract reference the below registry key in reference to finding Conducent and New Media? If you could also post a screen shot or a little more info....we can then determine if it's a False Positive.

    HKCU\software\microsoft\windows\currentversion\internet settings\zonemap\domains
     
  3. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Hi Bubba,

    If it can help Habari42, here's the log of my latest scan with spysubtract (to me, it seems to be all false positives but who knows?):

    Time=Wed Feb 02 13:43:04 2005
    Product Version=1, 0, 1, 53
    OS Version=Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

    Started Scanning
    Internet Cookies
    Programs in Memory
    Windows Registry
    Found '' in 'SOFTWARE\ScreenSaver.com\Relevant Knowledge'
    Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'

    Internet URL Shortcuts
    Files and Directories
    Found 'easymp3.exe' in 'C:\Program Files\EasyMP3'
    Found 'GPInstall.exe' in 'C:\WINDOWS'
    Found 'uninstall.exe' in 'C:\WINDOWS\Web'

    Finished Scanning

    Atomas31
     
  4. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73

    Thanks Bubba. I've had problems with the Screenshots I wanted to post!! Firstly, "Save As" in Paint only offered Options Bitmap .bmp or .dib (not valid for the purpose) and secondly, the "Manage Attachments" button was dead - no signs of any "Browse" or "Upload"!! As far as I know, I was following your directions correctly, so I don't understand what went wrong but I hope you can put me right!! Anyway, the answer to your question above is Yes in the case of New Media, but after domains\ was "searchsquire3". (CWS?) In the case of Conducent, the details were "AdGateway Timesink, TsAdBot, Gp-Install." I have had trouble with Gp-Install before, which was interfering with a download. Hope this info will be sufficient. Cheers, Haba.
     
  5. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
     
  6. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Hi Atomas. Just to say that I appreciate your response and the only entry in your log that seems suspicious to me is "Found 'GPInstall.exe' in 'C:\WINDOWS'" This is because I experienced it interfering in a download (blocking the install stage) and when I tracked down an address and sent several emails asking for help, they completely ignored me. They also ignored emails from Spyware-Stopper.com. I'll now wait to see what Bubba has to say. Cheers, Haba.
     
  7. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Haba....I feel we are still going to find these are False positives given the fact they found them in the Domains reg key but I would like a little info Please.

    Also....I just downloaded and installed the 30 day Pro version which is 2.64 just so we can be on the same page as I ask questions.

    Questions\Request:
    1) which version are you using
    2) are you using Spybot's Immunize feature....or any other software that places entries in Internet Explorer's Restricted Zone
    3)via the Spysubtract program....would you mind selecting View Log....which should open up either wordpad or notepad with the info. Copy and paste all that info into a post here in this thread Please.
     
  8. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Hi Bubba. To answer your questions: 1) Since my last email I have updated SS and now have Product Version 2.60/Definitions Version 2.59 which are said to be "up-to-date", although you have Version 2.64. o_O 2) Yes, I use Spybot Immunise and also have Spyblocker and Spystopper, both of which have "blocked" lists and Searchsquire.com is in Spyblocker's list. 3) This is a copy of the latest log since I uplifted:

    "Machine=N0V2I8
    Time=Fri Feb 04 12:22:40 2005
    Product Version=1, 0, 1, 49
    OS Version=Microsoft Windows 98 SE

    Started Scanning
    Programs in Memory
    Finished Scanning
    Started Scanning
    Files and Directories
    Found 'GPInstall.exe' in 'C:\WINDOWS'
    Programs in Memory
    Internet URL Shortcuts
    Internet Cookies
    Found 'com.com' in 'Internet Explorer Cache'
    Windows Registry
    Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
    Finished Scanning"
    You can see that New Media has gone, com.com cookie has been added and the Registry entry has changed. Over to you, please. Cheers, Haba.
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    "Files and Directories
    Found 'GPInstall.exe' in 'C:\WINDOWS'"


    • According to InCtrl5 (an install monitoring program)....GPInstall.exe is part of a Spyblocker install....and if you check the properties of that file you can then confirm that it is indeed a False positive by Spysubtract.

      Partial InCtrl5 log:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyBlocker(2) "UninstallString"
      Type: REG_SZ
      Data: C:\WINDOWS\GPINSTALL.EXE "/

    "Windows Registry
    Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'"


    • If you look in the registry location found in the above scan result....it will probably match the below pic of a Spybot Immunize entry as far as the 0x00000004 (4) entry is concerned. The IP may differ....but in any case if it is a (4) Dword value....it signifies a site placed in IE's Restricted Zone and would be a False positive by Subtract.
     

    Attached Files:
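
The registry check described in the post above, as an added example that is not part of the original thread: it reads a regedit `.reg` export of the ZoneMap branch and reports which zone each range or domain is mapped to. The sample export, its hosts and IP address are constructed, and `triage_zonemap` and its verdict labels are hypothetical names.

```python
import re
# Constructed .reg export for illustration; hosts and the IP are placeholders.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
"*"=dword:00000004
":Range"="192.0.2.10"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked.example]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unknown.example\www]
"http"=dword:00000002
'''

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
MARKER = "\\internet settings\\zonemap\\"
VALUE = re.compile(r'"([^"]*)"=(?:dword:([0-9a-fA-F]{8})|"([^"]*)")')

def triage_zonemap(reg_text):
    """Return (target, protocol, zone, verdict) for each ZoneMap zone mapping.
    Ranges keys name their IP in ":Range"; Domains\\example.com\\www is www.example.com."""
    keys, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            pos = line.lower().find(MARKER)
            current = line[pos + len(MARKER):-1] if pos != -1 else None
            continue
        m = VALUE.fullmatch(line)
        if current is None or not m:
            continue
        info = keys.setdefault(current, {"range": None, "maps": []})
        name, dword, text = m.groups()
        if dword is not None:
            info["maps"].append((name, int(dword, 16)))
        elif name == ":Range":
            info["range"] = text
    rows = []
    for key, info in keys.items():
        _, *rest = key.split("\\")
        target = info["range"] or ".".join(reversed(rest))
        for proto, zone in info["maps"]:
            # Verdict labels are this example's own: zone 4 is a restriction, not an infection.
            verdict = "block-list entry" if zone == 4 else "review manually"
            rows.append((target, proto, ZONES.get(zone, f"unknown ({zone})"), verdict))
    return rows

if __name__ == "__main__":
    for row in triage_zonemap(SAMPLE_REG):
        print(*row, sep=" | ")
```
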

  10. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Thanks again Bubba for all the detailed info. I have now found that the com.com entry is, in fact, CNet. To summarise, is it the case that all the entries in both my logs and Atomas' log are false positives, which appears to indicate a rather poor performance by SpySubtract? I rather like its format etc. but its reliability seems doubtful. As the subject has already been raised in this thread, could I refer back to my second posting, in which I described my screenshots problems and ask if you can tell me how to get over them, please? Cheers, Haba.
     
  11. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    IMO....yours are definitely False positives....and the chances are good that Atomas's entries are also....but that would have to be confirmed by them.
    Each and every legit program of this kind has False positives periodically. If Spysubtract False positives were on a scale of 1 to 5....with 5 being no False positives....I would have to give Spysubtract a 3 based on the threads I have read or been involved in....but I'm sure their track record will improve....or they will be left behind.

    Would you doublecheck the Manage Attachments button again Please....and is it showing as a button to you or a link.
     
  12. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    More thanks Bubba!! The more I see of SpySubtract, the more I like it, so in view of your rating, I'll give it a fair trial. I consider the inclusion of CWShredder a useful plus. I have two problems in trying to carry out the directions in your step-by-step overview. 1) At Screenshots 8, the only choices I have are Bitmaps .bmp or .dib -- none of the valid extensions you quote are in the "Save as Type" options. 2) At Image Posting 2/3, "Manage Attachments" is a button but nothing happens when I hit it. I'd like to solve this, because I often want to use screenshots in the various Forums I subscribe to. Hope you can help. Cheers, Haba.
     
  13. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    There is a known problem concerning Win98 SE's MS Paint after installing Office 2000 as noted at the link below. Even if you do not have Office 2000....my suggestion would still be to look over the below Microsoft Knowledgebase article and see if it may help resolve that problem. While that might fix your MS Paint problem....you also might want to consider installing other image software such as IrfanView, Snagit, MWSnap....etc....until you can sort the MS Paint problem out.

    This MSKB article---> http://support.microsoft.com/?kbid=299953&sd=RMVP

    What do you see if you go to this below link ?

    https://www.wilderssecurity.com/newa...791&posthash=f4da6904e70aaac1cad78874ac570dce
     
  14. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    What do you see if you go to this below link ?

    https://www.wilderssecurity.com/newa...791&posthash=f4da6904e70aaac1cad78874ac570dce

    Hi Bubba. I'll look into the Paint problem but in the meantime, this is what the link gets me:-----------

    "habari42, you do not have permission to access this page. This could be due to one of several reasons:

    Your user account may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
    If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.
    If you are trying to start a thread in the HijackThis forum section, please be aware that we no longer process new, unsolicited HijackThis Logs here.
    Log Out Home" Help, please!! Haba. o_O
     
  15. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Hi Bubba. Please see my posting of 06/02. I had no luck with the MSKB article, I'm sorry to say. I was stuck at step 2 because my HKEY-LOCAL-MACHINE entry had "Import" after "Graphics Filters" instead of "Export" as quoted. Any ideas yet on my heartbreaking rejection, please?!!! Cheers, Haba. :'(
     
  16. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Hi Bubba. Could you have a look at my postings of 06/02 and 10/02, please? Cheers, Haba.
     
  17. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Hi. Can someone tell me if Bubba has left the building.!!! Several of my replies and a private message have not produced any response and it's getting quite worrying. Cheers, Haba. :'(
     
  18. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    habari....my online time has been limited lately and I personally have given as many replies as I can in an attempt to assist you but I honestly don't have the answer that will fix your problem. If others do....hopefully they will speak up.
     
  19. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    OK Bubba, that's fair enough. Thanks for all your help and I'll keep dropping in to see if anyone else picks up this thread. Cheers, Haba.
     
  20. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    We certainly did not ignore postings and we certainly do not ignore emails sent to us.

    :rolleyes: have you even tried the forum?

    one of the questions regarding gpinstall file...

    http://spyblocker-software.com/IPB/index.php?showtopic=1807


    sorry you had this experience anyway.

    Inf./Opt.
     
  21. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
     
  22. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Hi Habari, I have spoken to Paul concerning this a lot of times regarding software wrappers and gp install...

    I am moderator at SpyBlocker Forums, and we always try to answer emails, answer our posts...I tried to locate your concern/posts at the forum and couldn't find a member Habari...like you won't find Infinity (I am Optimizer ;))

    anyway I still believe it is a false positive, I am sure of it. like so many apps have their false positives. We fight spyware just like Wilders so why in the world making spyware or installing spyware on MILLIONS of computers :)

    another thing, IF gp install is spyware I will draw my conclusions and step back of everything but knowing Paul he did his investigation far better than me and he surely is a respectable person who I trust unendlessly!

    I will keep you informed regarding this matter and I'll speak to Paul this evening.

    sincerely

    Inf./Opt.
     
  23. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    why don't you try to email spysubtract and ask what is the issue in this case?

    I'll email spysubtract too regarding their flagging.


    Inf.
     
    Last edited: Mar 12, 2005
  24. habari42

    habari42 Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    73
    Thank you Inf/Opt. I have only just seen your postings. I'm afraid I've got quite muddled over your Wildings/Skyblocker connections but I think this thread went off track from my posting of 10/02. The GP Install angle was a side issue which seems to have rather taken over the thread since Bubba's posting of 28/02. With regard to contacting SpySubtract -- I hope you have better luck than I've had, as I've been locked in battle with their TechSupport for several weeks!! Their system is appallingly complicated and demands the submission of masses of data and continuous "updating" of the issue. It has almost driven me to drink (any excuse, I suppose!!) and, so far, has produced no results at all. I have tried to get my complaints to a Management level but no success up to now. It's a pity, because I'm quite impressed with the app itself, but the Support side is hopeless. Cheers. Haba.
     
  25. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    411
    Location:
    London England UK
    I too am having considerable problems getting someone technical enough to look at my SpySubtract problem (more false +ves - looks like a scam to me). The sales and support staff know nothing about the technical side of the product - I need to talk to a programmer! Looks like I won't be able to recommend SpySubtract to any of my colleagues, since they seem so incommunicado. I had a similar problem with M$ tech supp, and they eventually gave me an answer 5 months (yes that's right!) after I had solved the problem myself. Sometimes, a simple Google will do more to answer your questions than any tech support department! Is it me, or are people getting less and less technical nowadays, and more moronic?!? When Longhorn is released, how will people cope with maintaining basic security settings, when they're gonna have to text-edit XML files!
     