You will see I get two hits for "Favoriteman" in this log.
Look at the company!
They are respected and several big firms use them.
NAV had the same false positive!
http://www.indigorose.com/forums/showthread.php?t=8007&page=2&pp=15&highlight=norton
And another forum:
http://www.xpforum.co.uk/forum/archive.php/o_t__t_5842__solved-is-iun6002.exe-really-spyware.html
So now I get to play "put back".
Someone might want to tell the "official" AAW people?
Spybot S&D: clear, no problem
A2: clear and no problem
Microsoft's anti-spyware: clear, no problems
EWIDO: clear and no problems
AVG: clear and no problems
Here is my AAW log:
Ad-Aware SE Build 1.06r1
Logfile Created on:Wednesday, August 31, 2005 9:22:43 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R64 31.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Favoriteman(TAC index:8):2 total references
MRU List(TAC index:0):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R64 31.08.2005
Internal build : 74
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 515383 Bytes
Total size : 1551653 Bytes
Signature data size : 1518542 Bytes
Reference data size : 32599 Bytes
Signatures total : 43185
CSI Fingerprints total : 1032
CSI data size : 36709 Bytes
Target categories : 15
Target families : 740
Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Non Intel
Memory available:67 %
Total physical memory:1015140 kb
Available physical memory:676076 kb
Total page file size:1436964 kb
Available on page file:1219952 kb
Total virtual memory:2097024 kb
Available virtual memory:2046480 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)
Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Reanalyze results after scanning before displaying results lists
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
8-31-2005 9:22:43 PM - Scan started. (Full System Scan)
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 364
ThreadCreationTime : 9-1-2005 3:08:59 AM
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 420
ThreadCreationTime : 9-1-2005 3:09:01 AM
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 444
ThreadCreationTime : 9-1-2005 3:09:01 AM
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 488
ThreadCreationTime : 9-1-2005 3:09:02 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 500
ThreadCreationTime : 9-1-2005 3:09:02 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 660
ThreadCreationTime : 9-1-2005 3:09:03 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 724
ThreadCreationTime : 9-1-2005 3:09:04 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:8 [smc.exe]
FilePath : C:\Program Files\Sygate\SPF\
ProcessID : 768
ThreadCreationTime : 9-1-2005 3:09:04 AM
BasePriority : Normal
FileVersion : 5.5.00.2637
ProductVersion : 5.5.00.2637
ProductName : Sygate® Security Agent and Personal Firewall
CompanyName : Sygate Technologies, Inc.
FileDescription : Sygate Agent Firewall
InternalName : Smc
LegalCopyright : Copyright © 1999 - 2003 Sygate Technologies, Inc. All rights reserved.
OriginalFilename : Smc.EXE
#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 808
ThreadCreationTime : 9-1-2005 3:09:05 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 840
ThreadCreationTime : 9-1-2005 3:09:06 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 868
ThreadCreationTime : 9-1-2005 3:09:06 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:12 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 948
ThreadCreationTime : 9-1-2005 3:09:07 AM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
#:13 [avgamsvr.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1252
ThreadCreationTime : 9-1-2005 3:09:12 AM
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE
#:14 [avgupsvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1340
ThreadCreationTime : 9-1-2005 3:09:12 AM
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE
#:15 [ewidoctrl.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 1412
ThreadCreationTime : 9-1-2005 3:09:12 AM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe
#:16 [ghosts~2.exe]
FilePath : C:\PROGRA~1\Symantec\NORTON~1\
ProcessID : 1432
ThreadCreationTime : 9-1-2005 3:09:13 AM
BasePriority : Normal
FileVersion : 2003.775
ProductVersion : 2003.775
ProductName : Norton Ghost Start Service
CompanyName : Symantec Corporation
FileDescription : Norton Ghost Start
InternalName : GhostStartService
LegalCopyright : Copyright (C) 1998-2002 Symantec Corp. All rights reserved.
OriginalFilename : GhostStartService.exe
#:17 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1452
ThreadCreationTime : 9-1-2005 3:09:13 AM
BasePriority : Normal
FileVersion : 6.14.10.5216
ProductVersion : 6.14.10.5216
ProductName : NVIDIA Driver Helper Service, Version 52.16
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 52.16
InternalName : NVSVC
LegalCopyright : (C) NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe
#:18 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1520
ThreadCreationTime : 9-1-2005 3:09:13 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:19 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 672
ThreadCreationTime : 9-1-2005 4:20:50 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
#:20 [point32.exe]
FilePath : C:\Program Files\Microsoft Hardware\Mouse\
ProcessID : 1024
ThreadCreationTime : 9-1-2005 4:20:53 AM
BasePriority : Normal
#:21 [avgcc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1784
ThreadCreationTime : 9-1-2005 4:20:53 AM
BasePriority : Normal
FileVersion : 7,1,0,338
ProductVersion : 7.1.0.338
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE
#:22 [avgemc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1208
ThreadCreationTime : 9-1-2005 4:20:53 AM
BasePriority : Normal
FileVersion : 7,1,0,338
ProductVersion : 7.1.0.338
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe
#:23 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_02\bin\
ProcessID : 1084
ThreadCreationTime : 9-1-2005 4:20:53 AM
BasePriority : Normal
#:24 [gcasdtserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 1372
ThreadCreationTime : 9-1-2005 4:20:54 AM
BasePriority : Normal
FileVersion : 1.00.0615
ProductVersion : 1.00.0615
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Data Service
InternalName : gcasDtServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet(tm) is a trademark of Microsoft Corporation.
OriginalFilename : gcasDtServ.exe
#:25 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2248
ThreadCreationTime : 9-1-2005 4:22:34 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Favoriteman Object Recognized!
Type : File
Data : A0031573.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{F75A251E-D057-4F0D-A53A-01F7356F21B3}\RP127\
FileVersion : 6.0.1.4
ProductVersion : 6.0.1.4
ProductName : Setup Factory 6.0 Runtime Module
CompanyName : Indigo Rose Corporation
FileDescription : SUF60Runtime
InternalName : SUF60Runtime
LegalCopyright : Copyright © 2001 - 2002 Indigo Rose Corporation. All Rights Reserved
LegalTrademarks : Setup Factory is a trademark of Indigo Rose Corporation
OriginalFilename : SUF60Runtime.exe
Comments : http://www.indigorose.com
Favoriteman Object Recognized!
Type : File
Data : iun6002.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\WINDOWS\
FileVersion : 6.0.1.4
ProductVersion : 6.0.1.4
ProductName : Setup Factory 6.0 Runtime Module
CompanyName : Indigo Rose Corporation
FileDescription : SUF60Runtime
InternalName : SUF60Runtime
LegalCopyright : Copyright © 2001 - 2002 Indigo Rose Corporation. All Rights Reserved
LegalTrademarks : Setup Factory is a trademark of Indigo Rose Corporation
OriginalFilename : SUF60Runtime.exe
Comments : http://www.indigorose.com
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4
Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 4
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4
9:26:59 PM Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:04:16.250
Objects scanned:101013
Objects identified:2
Objects ignored:0
New critical objects:2
Has AAW taken the simple route..........detect objects by filename?? :moreevil:
Die Hard :)
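As an added example (not code from the thread, from Lavasoft or from Indigo Rose), here is a small Python triage helper that parses the "Object Recognized!" blocks from an Ad-Aware SE log in the format quoted above and applies the reasoning the poster used: read the publisher metadata in the file's version resource, note whether the hit is only a System Restore copy, and weigh how many other scanners came back clean. The log excerpt, the KNOWN_RUNTIMES list and the scanner names are constructed for this example.

```python
import re

# Constructed excerpt in the Ad-Aware SE log format quoted above (shortened;
# field values follow the page). Field lines use "Name : value".
SAMPLE_LOG = """\
Favoriteman Object Recognized!
Data : A0031573.exe
Comment :
Object : C:\\System Volume Information\\_restore{F75A251E-D057-4F0D-A53A-01F7356F21B3}\\RP127\\
CompanyName : Indigo Rose Corporation
OriginalFilename : SUF60Runtime.exe
Favoriteman Object Recognized!
Data : iun6002.exe
Comment :
Object : C:\\WINDOWS\\
CompanyName : Indigo Rose Corporation
OriginalFilename : SUF60Runtime.exe
Disk Scan Result for C:\\
"""

HIT_RE = re.compile(r"^(?P<family>.+?) Object Recognized!$")
# The space before the colon keeps "Disk Scan Result for C:\" from being read as a field.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?) :\s?(?P<value>.*)$")
# Publisher/file pairs the thread identifies as a legitimate installer runtime (assumed list).
KNOWN_RUNTIMES = {("Indigo Rose Corporation", "SUF60Runtime.exe")}

def parse_detections(log_text):
    """Return one dict per 'Object Recognized!' block, keyed by the log's field names."""
    hits, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        hit = HIT_RE.match(line)
        if hit:
            current = {"Family": hit.group("family")}
            hits.append(current)
            continue
        if current is None:
            continue
        field = FIELD_RE.match(line)
        if field:
            current[field.group("key").strip()] = field.group("value").strip()
        else:
            current = None  # a separator or section header ends the block
    return hits

def triage(hit, clean_scanners):
    """Heuristic false-positive assessment; returns (verdict, reasons)."""
    reasons = []
    if "\\System Volume Information\\_restore" in hit.get("Object", ""):
        reasons.append("System Restore copy, not an active file")
    known = (hit.get("CompanyName"), hit.get("OriginalFilename")) in KNOWN_RUNTIMES
    if known:
        reasons.append("version resource names a known installer runtime")
    if clean_scanners:
        reasons.append("clean on: " + ", ".join(clean_scanners))
    # Recognised publisher plus one independent indicator is what the poster relied on.
    verdict = "likely false positive" if known and len(reasons) >= 2 else "needs review"
    return verdict, reasons
```

Run it over the full log text to get every hit with its metadata; a hit whose version resource names an unknown publisher stays at "needs review" regardless of the other scanners.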
Put here for LS Steve to see: http://www.dslreports.com/forum/remark,14268670
Perhaps the issue is the file iun6002.exe? It is usually related to Desktop Surveillance Personal "program".
It is also the uninstaller created by Setup Factory 6.0 ... http://indigorose.com/forums/showthread.php?t=4718
Quote from: Die Hard on September 01, 2005, 07:26:59 AM
Has AAW taken the simple route..........detect objects by filename?? :moreevil:
Die Hard :)
:uhm: Hhrrm! :lol: :mrgreen:
Well well ...
I just ran the updater, and it seems as though an update has been released quietly (it is still marked SE1R64 31.08.2005) ...
Internal build is now 75 instead of 74
File size is 515324 bytes (was 515383)
Total size is 1551493 bytes (was 1551653)
Signature total is 43181 (was 43185)
A few thoughts from the phantom ;-)
1. An unannounced update doesn't help all!
2. It looks like if you did remove the FALSE POSITIVES you will have trouble uninstalling that program.
3. Well, AAW is up to 50% now.
I took the two and removed them from the ignore list and now just this shows:
So you are 1/2 way there, AAW, and when you do fix this one you might make an announcement.
Kinda like being pregnant.... you are or you aren't......... no 1/2 way.
Favoriteman Object Recognized!
Type : File
Data : A0031585.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{F75A251E-D057-4F0D-A53A-01F7356F21B3}\RP127\
FileVersion : 6.0.1.4
ProductVersion : 6.0.1.4
ProductName : Setup Factory 6.0 Runtime Module
CompanyName : Indigo Rose Corporation
FileDescription : SUF60Runtime
InternalName : SUF60Runtime
LegalCopyright : Copyright © 2001 - 2002 Indigo Rose Corporation. All Rights Reserved
LegalTrademarks : Setup Factory is a trademark of Indigo Rose Corporation
OriginalFilename : SUF60Runtime.exe
Comments : http://www.indigorose.com
There was also a f/p reported at CCSP. Here's the info from the Research Blog:
SE1R64 31.08.2005 Build 75 available
September 2nd, 2005
This replaces SE1R64 build 74, correcting reported false positives discovered in the definition file update dated 31.08.2005
The files in question were an ActiveX registry manipulation object and an installation runtime file.
The ActiveX object was detected as family "Adlogix", and the runtime file as family "Favoriteman".
We have released a fix for this problem, which can be installed by performing a webupdate.
MD5 checksum is: 186000c65363112db6161c3d7c153a7d
http://www.lavasoftresearch.com/bloglogin.php
There are reports at BBR,CCSP & GSF that users are unable to get Build 75 via WebUpdate. I suspect not all the servers were updated.
Quote from: Corrine on September 02, 2005, 11:20:58 PM
There are reports at BBR,CCSP & GSF that users are unable to get Build 75 via WebUpdate. I suspect not all the servers were updated.
Just was able to get mine after several attempts :)