Text only | Text with Images

LandzDown Forum

Security => Analysis and Malware Removal => Topic started by: mitch on August 01, 2005, 06:01:00 PM

Title: [Done] can someone confirm a false positive?
Post by: mitch on August 01, 2005, 06:01:00 PM
i saw that some of the anti-spyware will not flag the common troubles so this is what i am running now( like wenU)
aaw
spybot s & d(yep installed today)
ewido
A2
ms-anti spyware
spywareblaster
hijack this

i did not have spybot immunize as i don't know if there might be a conflict with other programs?

now ms has changed their "check for updates" and I'm guessing that is where this came from?
i did a google and think someone would have found this in the past as it has been around for a looong time it looks like?

(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fmembers.accessbee.com%2Fmitch%2Fspybot.gif&hash=0aab67998f7e80ad1f5ec30dd09540104b012e29)

and when i installed spybot i have it set for the normal not expert and did all the updates
no one else finds this?

and that IP belongs to MS

here is a HJT that i just ran

thanks a new spybot usere here and don't want to loose something with a reg fix!

it only shows uo in the admin, not the limited that i surf with and i am up to date on allms updates and all and have ie secure and use Firefox for all but ms updates

Logfile of HijackThis v1.99.1
Scan saved at 10:40:04 AM, on 8/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\devldr32.exe
D:\DOWNLOAD STUFF\HijackThis-1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://cc.a-2.org
O15 - Trusted Zone: http://sacbee.accessbee.com
O15 - Trusted Zone: http://www.meganslaw.ca.gov
O15 - Trusted Zone: http://www.dhl-usa.com
O15 - Trusted Zone: http://www.downloadlavasoft.de
O15 - Trusted Zone: http://download.lavasoft.de.edgesuite.net
O15 - Trusted Zone: http://cc.emsisoft.com
O15 - Trusted Zone: http://asap.maddoktor2.com
O15 - Trusted Zone: http://forums.maddoktor2.com
O15 - Trusted Zone: http://www.manageyourpc.com
O15 - Trusted Zone: http://www.mediom.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://login.passport.net
O15 - Trusted Zone: http://www.s-tracking.com
O15 - Trusted Zone: http://members.shaw.ca
O15 - Trusted Zone: http://security.symantec.com
O15 - Trusted Zone: http://housecall.trendmicro.com
O15 - Trusted Zone: http://www.trojanscan.com
O15 - Trusted Zone: *.wellsfargo.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120615535812
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Title: Re: can someone confirm a false positive?
Post by: Corrine on August 01, 2005, 06:55:19 PM
Hi, Mitch. I checked with Tashi and she indicated that the CWS.Googlems entries are false positives.  However, please confirm which version of SpyBot S&D you installed. Was it 1.3 or 1.4? 

Thanks.
Title: Re: can someone confirm a false positive?
Post by: mitch on August 01, 2005, 07:44:48 PM
1.4 and did all the updates and read the help files and tutorial ;-))))

thought it was a fp but wanted confirm on it first ;-)
thanks

after the news report i figured i had better finally use spybot too;-)
Title: Re: can someone confirm a false positive?
Post by: Corrine on August 01, 2005, 08:01:56 PM
Multi-layered protection all the way, Mitch!!!

Besides, we have friends here who are on Team SpyBot.  They can always give us a hand as needed.  :)
Title: Re: can someone confirm a false positive?
Post by: tashi on August 02, 2005, 04:22:21 AM
Hi Mitch. :)
Where did you download Spybot-S&D 1.4 Final?

Could I see a log please as CoolWWWSearch.Googlems was an f/p in version 1.3  and I have not seen it show up since 1.4 Final was released. Could be an entry in the HOSTS file.

Open SpyBot, check for and get any updates available, close all browsers, check for problems and fix everything found. Then on the toolbar menu select mode and switch to advanced mode, on the left lower down select tools, and view report, ensure all the options are selected near the bottom except
Uncheck[ ] do not report disabled or known legitimate Items,
uncheck[ ] Include a list of services in report.
Uncheck[ ] Include uninstall list in report.
Now select (near the top) view report.
Press export in the save in box choose a place such as your my documents folder, then in your next post near the bottom select Additional Options...>Attach: navigate to and attach that report.

If you have any problems attaching the Spybot log please go ahead and copy paste the log.

Please make sure the log includes the header showing the items Spybot fixed (or tried to fix) it will also show the Spybot version and definition updates.

Cheers, Susan.

Title: Re: can someone confirm a false positive?
Post by: mitch on August 02, 2005, 02:14:42 PM
first of all
thanks for helping me on this one ;-)
second  this is after just one sip of coffee so not operating at 100% yet
i figured where the item was i put in ignore so this is a scan ( i did not remove/ignore anything)

i downloaded from download.com yesterday and had printed out the instructions so did the updates ( several and were big for us dialup guys) and did verify 1.4 on install

the security hits- i manage and not ms my security settings so have them disabled

and the googlems is showing now
so here is the log
hope this helps?


--- Search result list ---
CoolWWWSearch.Googlems: RAS profile (Registry key, nothing done)
  HKEY_USERS\S-1-5-21-1614895754-115176313-682003330-1004\Software\Microsoft\RAS Autodial\Addresses\207.46.242.247

Windows Security Center: Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Windows Security Center: Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center: Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

Windows Security Center: Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0


--- Spybot - Search & Destroy version: 1.4  (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-08-01 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-04-26 Includes\Cookies.sbi (*)
2005-07-29 Includes\Dialer.sbi (*)
2005-07-29 Includes\Hijackers.sbi (*)
2005-06-23 Includes\Keyloggers.sbi (*)
2005-07-29 Includes\Malware.sbi (*)
2005-07-22 Includes\PUPS.sbi (*)
2005-04-27 Includes\Revision.sbi (*)
2005-07-29 Includes\Security.sbi (*)
2005-07-29 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-07-29 Includes\Trojans.sbi (*)



--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB886903)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security update for Microsoft Data Access Components
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX: DirectX Update 819696
/ DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
/ Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
/ Windows Media Player: Windows Media Update 819639
/ Windows Media Player: Windows Media Update 828026
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB887797
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB900930)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)


--- Startup entries list ---
Located: HK_LM:Run, AVG7_CC
command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
   file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
   size: 352256
    MD5: 6e74941e3e14cb67fb1648b45a041f0d

Located: HK_LM:Run, AVG7_EMC
command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
   file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
   size: 273920
    MD5: 8f0843b553882e9c678b8f83be8a438a

Located: HK_LM:Run, gcasServ
command: "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
   file: C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
   size: 473928
    MD5: 263740ede788a60a6c0a47249fc410bf

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
   file: C:\WINDOWS\system32\RUNDLL32.EXE
   size: 33280
    MD5: da285490bbd8a1d0ce6623577d5ba1ff

Located: HK_LM:Run, POINTER
command: C:\Program Files\Microsoft Hardware\Mouse\point32.exe
   file: C:\Program Files\Microsoft Hardware\Mouse\point32.exe
   size: 176128
    MD5: 44fcd222d8a4bcff2c944c081aead78c

Located: HK_LM:Run, SmcService
command: C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
   file: C:\PROGRA~1\Sygate\SPF\smc.exe
   size: 2376928
    MD5: fdd4bba2c4d514e4b6519dac50918907

Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
   file: C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
   size: 36975
    MD5: 1f6573d67dd5dc06dd29ec7fcf81dc6f

Located: Startup (disabled), MRU-Blaster Silent Clean (DISABLED)
command: C:\PROGRA~1\MRU-BL~1\MRUBLA~1.EXE -silent
   file: C:\PROGRA~1\MRU-BL~1\MRUBLA~1.EXE
   size: 1216512
    MD5: 52efeb28f52f709d70346df170972904

Located: WinLogon, crypt32chain
command: crypt32.dll
   file: crypt32.dll

Located: WinLogon, cryptnet
command: cryptnet.dll
   file: cryptnet.dll

Located: WinLogon, cscdll
command: cscdll.dll
   file: cscdll.dll

Located: WinLogon, ScCertProp
command: wlnotify.dll
   file: wlnotify.dll

Located: WinLogon, Schedule
command: wlnotify.dll
   file: wlnotify.dll

Located: WinLogon, sclgntfy
command: sclgntfy.dll
   file: sclgntfy.dll

Located: WinLogon, SensLogn
command: WlNotify.dll
   file: WlNotify.dll

Located: WinLogon, termsrv
command: wlnotify.dll
   file: wlnotify.dll

Located: WinLogon, wlballoon
command: wlnotify.dll
   file: wlnotify.dll



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
          BHO name:
        CLSID name: AcroIEHlprObj Class
       description: Adobe Acrobat reader
    classification: Legitimate
    known filename: AcroIEhelper.ocx
AcroIEhelper.dll
         info link: http://www.adobe.com/products/acrobat/readstep2.html
       info source: TonyKlein
              Path: C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\
         Long name:   AcroIEHelper.ocx
        Short name:       ACROIE~1.OCX
    Date (created): 4/21/2003 9:30:26 PM
Date (last access): 8/2/2005 6:46:28 AM
Date (last write): 3/2/2001 12:02:04 PM
          Filesize:              37808
        Attributes:                   
               MD5: 8394ABFC1BE196A62C9F532511936DF7
             CRC32:           71D6E350
           Version:            1.0.0.1



--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
          DPF name: Microsoft XML Parser for Java
        CLSID name:
         Installer:
          Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
       description:
    classification: Legitimate
    known filename: %WINDIR%\Java\classes\xmldso.cab
         info link:
       info source: Patrick M. Kolla

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage)
          DPF name:
        CLSID name: Windows Genuine Advantage
         Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
          Codebase: http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
              Path: C:\WINDOWS\system32\
         Long name: LegitCheckControl.dll
        Short name:       LEGITC~1.DLL
    Date (created): 7/12/2005 6:04:22 PM
Date (last access): 8/2/2005 6:46:28 AM
Date (last write): 7/12/2005 6:04:22 PM
          Filesize:             520456
        Attributes:           archive
               MD5: 873B40B79F93C160AE7F1B88DA72E5F8
             CRC32:           67A985E9
           Version:          1.3.254.0

{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
          DPF name:
        CLSID name: Office Update Installation Engine
         Installer: C:\WINDOWS\Downloaded Program Files\opuc.inf
          Codebase: http://office.microsoft.com/officeupdate/content/opuc2.cab
              Path:        C:\WINDOWS\
         Long name:           opuc.dll
        Short name:                   
    Date (created): 8/27/2003 4:10:30 AM
Date (last access): 8/2/2005 6:46:28 AM
Date (last write): 1/18/2005 2:07:18 AM
          Filesize:             326656
        Attributes:           archive
               MD5: 20393D64F69F26361A97FD9AFB3C9243
             CRC32:           0B4DBA7F
           Version:        11.0.6466.0

{597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class)
          DPF name:
        CLSID name: OPUCatalog Class
         Installer: C:\WINDOWS\Downloaded Program Files\opuc.inf
          Codebase: http://office.microsoft.com/productupdates/content/opuc.cab
       description: MS Office stuff
    classification: Legitimate
    known filename: opuc.cab
         info link:
       info source: JavaCool
              Path: C:\WINDOWS\System32\
         Long name:           opuc.dll
        Short name:                   
    Date (created): 4/3/2003 4:48:58 PM
Date (last access): 8/2/2005 6:46:28 AM
Date (last write): 4/3/2003 4:48:58 PM
          Filesize:             180496
        Attributes:                   
               MD5: 81FBAD247E1A8C38BD5937578748C248
             CRC32:           9A0F00AB
           Version:        10.0.4928.0

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
          DPF name:
        CLSID name: WUWebControl Class
         Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
          Codebase: http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120615535812
              Path: C:\WINDOWS\System32\
         Long name:          wuweb.dll
        Short name:                   
    Date (created): 8/15/2004 7:36:56 AM
Date (last access): 8/2/2005 6:46:28 AM
Date (last write): 5/26/2005 4:19:32 AM
          Filesize:             173536
        Attributes:           archive
               MD5: C459F2D5E64C942F3F66E1CD7F1C4C00
             CRC32:           EEF66B50
           Version:         5.8.0.2469

{74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
          DPF name:
        CLSID name: HouseCall Control
         Installer: C:\WINDOWS\Downloaded Program Files\xscan.inf
          Codebase: http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
       description: Trend Micro Antivirus online scanner
    classification: Legitimate
    known filename: XSCAN53.OCX
         info link:
       info source: Patrick M. Kolla
              Path: C:\WINDOWS\DOWNLO~1\
         Long name:        xscan53.ocx
        Short name:                   
    Date (created): 6/9/2004 5:56:02 PM
Date (last access): 8/2/2005 6:46:28 AM
Date (last write): 6/9/2004 5:56:02 PM
          Filesize:             435712
        Attributes:           archive
               MD5: DCFFCA7F818B4CF4DF29B8932907735D
             CRC32:           89BBB9BF
           Version:        5.70.0.1086

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
          DPF name: Java Runtime Environment 1.5.0
        CLSID name: Java Plug-in 1.5.0_02
         Installer:
          Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
       description: Sun Java
    classification: Legitimate
    known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
         info link:
       info source: Patrick M. Kolla
              Path: C:\Program Files\Java\jre1.5.0_02\bin\
         Long name:    NPJPI150_02.dll
        Short name:       NPJPI1~1.DLL
    Date (created): 3/4/2005 3:36:50 AM
Date (last access): 8/2/2005 6:46:28 AM
Date (last write): 3/4/2005 3:54:18 AM
          Filesize:              69746
        Attributes:           archive
               MD5: 6C9A4C573C0C771D99D902EE06DA3CBB
             CRC32:           55F989EE
           Version:           5.0.20.9

{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
          DPF name:
        CLSID name:
         Installer: C:\WINDOWS\Downloaded Program Files\iuctl.inf
          Codebase: http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.6242708333
       description: Windows Update
    classification: Legitimate
    known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
         info link:
       info source: Patrick M. Kolla

{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
          DPF name: Java Runtime Environment 1.5.0
        CLSID name: Java Plug-in 1.5.0_01
         Installer:
          Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
              Path: C:\Program Files\Java\jre1.5.0_01\bin\
         Long name:    NPJPI150_01.dll
        Short name:       NPJPI1~1.DLL
    Date (created): 12/6/2068 10:31:52 PM
Date (last access): 8/2/2005 6:46:28 AM
Date (last write): 12/6/2004 10:49:16 PM
          Filesize:              69746
        Attributes:           archive
               MD5: 7B8F5AAF633987C6F1B88146357D04E5
             CRC32:           AD99524A
           Version:           1.5.0.10

{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
          DPF name: Java Runtime Environment 1.5.0
        CLSID name: Java Plug-in 1.5.0_02
         Installer:
          Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
              Path: C:\Program Files\Java\jre1.5.0_02\bin\
         Long name:    NPJPI150_02.dll
        Short name:       NPJPI1~1.DLL
    Date (created): 3/4/2005 3:36:50 AM
Date (last access): 8/2/2005 6:46:28 AM
Date (last write): 3/4/2005 3:54:18 AM
          Filesize:              69746
        Attributes:           archive
               MD5: 6C9A4C573C0C771D99D902EE06DA3CBB
             CRC32:           55F989EE
           Version:           5.0.20.9

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
          DPF name:
        CLSID name: Shockwave Flash Object
         Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
          Codebase: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
       description: Macromedia Shockwave Flash Player
    classification: Legitimate
    known filename:
         info link:
       info source: Patrick M. Kolla
              Path: C:\WINDOWS\System32\macromed\flash\
         Long name:          Flash.ocx
        Short name:                   
    Date (created): 4/8/2004 5:51:02 PM
Date (last access): 8/2/2005 6:46:28 AM
Date (last write): 4/8/2004 5:51:02 PM
          Filesize:             939368
        Attributes:           archive
               MD5: 2FB1D6FAB135CEE391AB3D70E1C26347
             CRC32:           488FA4EC
           Version:           7.0.19.0



--- Process list ---
PID:    0 (   0) [System]
PID:  364 (   4) \SystemRoot\System32\smss.exe
PID:  420 ( 364) \??\C:\WINDOWS\system32\csrss.exe
PID:  444 ( 364) \??\C:\WINDOWS\system32\winlogon.exe
PID:  488 ( 444) C:\WINDOWS\system32\services.exe
size: 108032
  MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID:  500 ( 444) C:\WINDOWS\system32\lsass.exe
size: 13312
  MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID:  656 ( 488) C:\WINDOWS\system32\svchost.exe
size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID:  736 ( 488) C:\WINDOWS\system32\svchost.exe
size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID:  780 ( 488) C:\Program Files\Sygate\SPF\smc.exe
size: 2376928
  MD5: FDD4BBA2C4D514E4B6519DAC50918907
PID:  820 ( 488) C:\WINDOWS\System32\svchost.exe
size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID:  836 ( 488) C:\WINDOWS\System32\svchost.exe
size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID:  868 ( 488) C:\WINDOWS\System32\svchost.exe
size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID:  948 ( 488) C:\WINDOWS\system32\spoolsv.exe
size: 57856
  MD5: 7435B108B935E42EA92CA94F59C8E717
PID: 1096 ( 488) C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
size: 330240
  MD5: 9DBD26D7D7967D918C507B1E2A93A37E
PID: 1144 ( 488) C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
size: 84480
  MD5: 62E6B23B906B213836470740FE449B43
PID: 1216 ( 488) C:\Program Files\ewido\security suite\ewidoctrl.exe
size: 16448
  MD5: 867D9D1FA818F8629BB7A4A26E94B06A
PID: 1364 ( 488) C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
size: 200704
  MD5: BC9C77FAC763D84BFDF09B55D4B41AFA
PID: 1384 ( 488) C:\WINDOWS\System32\nvsvc32.exe
size: 81920
  MD5: 5ED834603C36414B579979B3A9C90F54
PID: 1456 ( 488) C:\WINDOWS\System32\svchost.exe
size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID:  584 (1956) C:\WINDOWS\Explorer.EXE
size: 1032192
  MD5: A0732187050030AE399B241436565E64
PID: 1852 ( 584) C:\Program Files\Microsoft Hardware\Mouse\point32.exe
size: 176128
  MD5: 44FCD222D8A4BCFF2C944C081AEAD78C
PID:  896 ( 584) C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
size: 352256
  MD5: 6E74941E3E14CB67FB1648B45A041F0D
PID:  404 ( 584) C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
size: 273920
  MD5: 8F0843B553882E9C678B8F83BE8A438A
PID: 1352 ( 584) C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
size: 36975
  MD5: 1F6573D67DD5DC06DD29EC7FCF81DC6F
PID: 1952 ( 656) C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
size: 756552
  MD5: 21BD4696317A4A6383F86CDC5E026BFD
PID: 1936 ( 584) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
  MD5: 09CA174A605B480318731E691DC98539
PID:    4 (   0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 8/2/2005 7:08:05 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
  http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
  about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
  http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
  about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
  http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
  http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
  http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
  http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol  0: MSAFD Tcpip [TCP/IP]
        GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Title: Re: can someone confirm a false positive?
Post by: tashi on August 02, 2005, 05:22:52 PM
Thanks Mitch.

There is a topic re:
Security Risks: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\      (etc)
Here:
http://forums.net-integration.net/index.php?showtopic=32257#

Will get back to you re the Googlems,  cheers Susan.
Title: Re: can someone confirm a false positive?
Post by: mitch on August 02, 2005, 06:43:02 PM
thanks
ya i figured what those were so had them on the ignore list ;-)

and the info on the googlem sure looks legit to me so now i'll wait for the dust to settle and put it on the ignore list too ;-)

and i really appreciate your help on this !!

this is what happened when i tried to fix a spybot problem by myself a while ago

http://forums.net-integration.net/index.php?showtopic=18806&st=0 (http://forums.net-integration.net/index.php?showtopic=18806&st=0)
Title: Re: can someone confirm a false positive?
Post by: tashi on August 03, 2005, 10:12:29 PM
Hi Mitch.

I have reported the issue to Team in Germany.

Looks like you are top of things and thanks for the link to that topic.  :lol:

I will share the feedback here when I receive it.
Have a great day.   :D
Title: Re: can someone confirm a false positive?
Post by: mitch on August 04, 2005, 12:02:19 AM
thanks!

hope it doesn't take as many months this time ;-)
Title: Re: can someone confirm a false positive?
Post by: mitch on August 04, 2005, 06:17:49 PM
UPDATE


the update for today 08/04/2005 fixed it !
the 700k def update fixed the false positive so all happy again
and saw where i had to re "ignore" the security settings i like
so all is well in the world again ;-)
Title: Re: can someone confirm a false positive?
Post by: Corrine on August 04, 2005, 09:30:10 PM
Excellent news!  Thanks for the update, Mitch.  (I guess it helps to know someone "on the inside".)

A (https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fimg.photobucket.com%2Falbums%2Fv68%2FCorrine3%2Froses2.jpg&hash=9b2c50a8889dc87c9af07a0e29e682895fc052b9) for Tashi!
Title: Re: [Done] can someone confirm a false positive?
Post by: tashi on August 04, 2005, 09:48:05 PM
 :lol: Thank you for the pretty rose Corrine and thank you Mitch for reporting.   :D




Text only | Text with Images