Thread: Cydoor - false positive?

  #1 CanopusArchives (Junior Member)

    Spybot S&D threw up three detections today, all of them Cydoor. What was strange was that it found them in my program downloads folder; the products had been there for some years and had been scanned many times with Spybot S&D without ever being found to be infected.

    Two of these Cydoor infections were in an old and a newer version of the AdAware installer (AdAware itself is not installed). The third Cydoor infection was in uk_pix_download.exe, which is the installer for the BonusPrint photo uploader. Although uk_pix_download.exe was reported to be infected with Cydoor, the actual program file in Bonusprint Pix, the BonusPrint uploader, is clean, or at least no spyware, Cydoor included, was found in it.

    How does an installer that doesn't connect to the Internet and is used once have spyware in it, while the actual program it installs, which does connect to the Internet, has no spyware? I think something is amiss here. I'm not even going to try to get into the detections found in AdAware.
    Last edited by CanopusArchives; 2007-11-12 at 21:36.

  #2 md usa spybot fan (Spybot Advisor Team [Retired])

    Please read the "Sticky" (pinned) thread:

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  #3 CanopusArchives (Junior Member)

    OK, sorry, a little extra info:

    OS: Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
    Browser: Firefox 1.5.0.12
    Spybot S&D version: 1.5 (build: 20070830)
    Last Detection update: 07/11/2007
    False Positive occurred in Scan Results

    Probable false positive: Cydoor in uk_pix_download.exe which is the installer for Bonusprint Pix photo uploader.

  #4 md usa spybot fan (Spybot Advisor Team [Retired])

    CanopusArchives:

    Please post a log of the actual detections you are getting. If you are unable to do that by accessing a previous report as the posting instructions for How to report False Positives indicate, the easiest way to do that is:
    • Run another scan.
    • When the scan completes, right click on the results list, select "Copy results to clipboard".
    • Then paste (Ctrl+V) those results to a new post in this thread.
    Last edited by md usa spybot fan; 2007-11-12 at 22:36.

  #5 CanopusArchives (Junior Member)

    Scan Results:

    Cydoor: [SBI $2D4720C9] Downloaded program file (File, nothing done)
    H:\DAta\My Documents\My Downloads\Bonusprint Software\uk_pix_download.exe


    --- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

    2007-08-31 blindman.exe (1.0.0.6)
    2007-08-31 SDMain.exe (1.0.0.4)
    2007-08-31 SDUpdate.exe (1.0.6.4)
    2007-08-31 SDWinSec.exe (1.0.0.8)
    2007-08-31 SpybotSD.exe (1.5.1.15)
    2007-08-31 TeaTimer.exe (1.5.0.9)
    2007-05-10 unins000.exe (51.41.0.0)
    2007-09-26 unins001.exe (51.46.0.0)
    2007-08-31 Update.exe (1.4.0.5)
    2007-08-31 advcheck.dll (1.5.3.0)
    2007-04-02 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2007-04-02 DelZip179.dll (1.79.5.3)
    2007-08-31 SDHelper.dll (1.5.0.8)
    2007-08-31 Tools.dll (2.1.2.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2007-11-07 Includes\Beta.sbi (*)
    2007-11-06 Includes\Beta.uti
    2007-11-07 Includes\Cookies.sbi (*)
    2007-10-31 Includes\Dialer.sbi (*)
    2007-11-07 Includes\DialerC.sbi (*)
    2007-11-07 Includes\Hijackers.sbi (*)
    2007-11-07 Includes\HijackersC.sbi (*)
    2007-10-04 Includes\Keyloggers.sbi (*)
    2007-11-07 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2007-11-07 Includes\Malware.sbi (*)
    2007-11-07 Includes\MalwareC.sbi (*)
    2007-10-24 Includes\PUPS.sbi (*)
    2007-11-07 Includes\PUPSC.sbi (*)
    2007-11-07 Includes\Revision.sbi (*)
    2007-05-30 Includes\Security.sbi (*)
    2007-11-07 Includes\SecurityC.sbi (*)
    2007-11-07 Includes\Spybots.sbi (*)
    2007-11-07 Includes\SpybotsC.sbi (*)
    2007-11-06 Includes\Tracks.uti
    2007-11-07 Includes\Trojans.sbi (*)
    2007-11-07 Includes\TrojansC.sbi (*)
    2008-12-24 Plugins\TCPIPAddress.dll


    ********************************

    Note 1: The AdAware installer has already been deleted, so I cannot scan that again.

    Note 2: Total Scan shows 30 out of 31 scan engines reporting the file as clean. eSafe reports "Suspicious Archive Structure".

  #6 Yodama (Senior Member, Buchenheim)

    Hello,

    Looks like a false positive in the beta detections; thank you for reporting this.

    Quote: AdAware Installer already deleted so cannot scan that again.
    You can use Spybot S&D's recovery function to get the file back; then you can rescan.
    If the files are not too large, please send them via email to detections-at-spybot.info; alternatively, you could tell us how to get the files in the versions you have. Another method to give us more information on the files would be to create a FileAlyzer report and send this to us.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

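Added example, not code from the thread, from Spybot S&D or from FileAlyzer: a Python script that gathers the facts a false-positive mail like the one Yodama asks for should carry, namely size, MD5/SHA-1/SHA-256, and whether the file is a PE executable with an overlay (data appended after the last section, which is where self-extracting installers keep their packed payload). The eSafe "Suspicious Archive Structure" verdict in post #5 is a hint that uk_pix_download.exe is such an archive-in-a-stub; whether that is what the Spybot rule matched is not stated in the thread and this script does not claim to know. The sample "installer" is a synthetic minimal PE32 built inline, not either file from the thread, the archive magic table is my own, and the report layout is a generic key/value text, not FileAlyzer's format.

```python
"""Collect the facts for a false-positive report: hashes, size, PE layout and overlay.

Added example; the sample "installer" is a synthetic minimal PE built inline.
"""
import hashlib
import struct

# Magic bytes of archive formats commonly embedded in installer stubs (my own table).
ARCHIVE_MAGICS = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"MSCF": "cab",
}


def build_sample_installer(payload: bytes) -> bytes:
    """Construct a minimal PE32 image (one section) with `payload` appended as overlay.

    Synthetic stand-in for a self-extracting installer; not a file from the thread.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = bytearray(224)                     # PE32 optional header, mostly zero
    struct.pack_into("<H", optional, 0, 0x10B)    # Magic = PE32
    coff = struct.pack("<HHIIIHH",
                       0x14C,            # Machine = i386
                       1,                # NumberOfSections
                       0, 0, 0,          # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
                       len(optional),    # SizeOfOptionalHeader
                       0x0102)           # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    raw_offset = 0x200
    section_data = b"\xcc" * 0x200                # one padding "code" section
    section_hdr = (b".text".ljust(8, b"\0")
                   + struct.pack("<IIII", len(section_data), 0x1000, len(section_data), raw_offset)
                   + b"\0" * 16)
    headers = (dos_header + b"PE\0\0" + coff + bytes(optional) + section_hdr).ljust(raw_offset, b"\0")
    return headers + section_data + payload


def pe_overlay(data: bytes):
    """Return (overlay_offset, overlay_length) for a PE image, or None if not a PE.

    The overlay is whatever follows the end of the last section's raw data.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    section_table = e_lfanew + 24 + opt_size
    end_of_sections = 0
    for i in range(num_sections):
        hdr = section_table + i * 40
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        end_of_sections = max(end_of_sections, ptr_raw + size_raw)
    return end_of_sections, max(0, len(data) - end_of_sections)


def file_info(data: bytes, name: str) -> dict:
    """Hashes, size and PE/overlay facts for one file's bytes."""
    info = {
        "name": name,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": False,
        "overlay_length": 0,
        "overlay_type": None,
    }
    overlay = pe_overlay(data)
    if overlay is not None:
        offset, length = overlay
        info["is_pe"] = True
        info["overlay_length"] = length
        head = data[offset:offset + 8]
        info["overlay_type"] = next((kind for magic, kind in ARCHIVE_MAGICS.items()
                                     if head.startswith(magic)), None)
    return info


def report_text(info: dict) -> str:
    """Plain-text block suitable for pasting into a false-positive mail."""
    return "\n".join(f"{key}: {value}" for key, value in info.items())


if __name__ == "__main__":
    sample = build_sample_installer(b"PK\x03\x04" + b"\0" * 100)
    print(report_text(file_info(sample, "sample_installer.exe")))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `file_info`. The hashes let the vendor confirm they are looking at the same bytes you scanned, and a non-zero overlay with a recognised archive magic is the quickest way to tell them "this is a packed installer, not the program it installs", which is exactly the distinction the thread turns on.
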
  #7 Yodama (Senior Member, Buchenheim)

    I removed the rules that were responsible for detecting the Adaware6 installers; it is possible that this also fixes the issue with uk_pix_download.exe.
    To make sure this is also fixed with the next update, please send the file or file info as described above.

  #8 CanopusArchives (Junior Member)

    Ah, I forgot it could be restored that way. Files restored and rescanned, results below:

    Cydoor: [SBI $2D4720C9] Downloaded program file (File, nothing done)
    H:\DAta\My Documents\My Downloads\Bonusprint Software\uk_pix_download.exe

    Cydoor: [SBI $2D4720C9] Downloaded program file (File, nothing done)
    H:\DAta\My Documents\My Downloads\AdAware\aawsepersonal.exe

    Cydoor: [SBI $2D4720C9] Downloaded program file (File, nothing done)
    H:\DAta\My Documents\My Downloads\AdAware\Old Versions\aawsepersonal.exe


    --- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

    2007-08-31 blindman.exe (1.0.0.6)
    2007-08-31 SDMain.exe (1.0.0.4)
    2007-08-31 SDUpdate.exe (1.0.6.4)
    2007-08-31 SDWinSec.exe (1.0.0.8)
    2007-08-31 SpybotSD.exe (1.5.1.15)
    2007-08-31 TeaTimer.exe (1.5.0.9)
    2007-05-10 unins000.exe (51.41.0.0)
    2007-09-26 unins001.exe (51.46.0.0)
    2007-08-31 Update.exe (1.4.0.5)
    2007-08-31 advcheck.dll (1.5.3.0)
    2007-04-02 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2007-04-02 DelZip179.dll (1.79.5.3)
    2007-08-31 SDHelper.dll (1.5.0.8)
    2007-08-31 Tools.dll (2.1.2.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2007-11-07 Includes\Beta.sbi (*)
    2007-11-06 Includes\Beta.uti
    2007-11-07 Includes\Cookies.sbi (*)
    2007-10-31 Includes\Dialer.sbi (*)
    2007-11-07 Includes\DialerC.sbi (*)
    2007-11-07 Includes\Hijackers.sbi (*)
    2007-11-07 Includes\HijackersC.sbi (*)
    2007-10-04 Includes\Keyloggers.sbi (*)
    2007-11-07 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2007-11-07 Includes\Malware.sbi (*)
    2007-11-07 Includes\MalwareC.sbi (*)
    2007-10-24 Includes\PUPS.sbi (*)
    2007-11-07 Includes\PUPSC.sbi (*)
    2007-11-07 Includes\Revision.sbi (*)
    2007-05-30 Includes\Security.sbi (*)
    2007-11-07 Includes\SecurityC.sbi (*)
    2007-11-07 Includes\Spybots.sbi (*)
    2007-11-07 Includes\SpybotsC.sbi (*)
    2007-11-06 Includes\Tracks.uti
    2007-11-07 Includes\Trojans.sbi (*)
    2007-11-07 Includes\TrojansC.sbi (*)
    2008-12-24 Plugins\TCPIPAddress.dll

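Added example, not code from the thread or from Spybot S&D: a Python parser for the pasted scan-results format above (a detection line, then the target path on the next line, then the "--- Spybot - Search & Destroy version ---" trailer listing the loaded Includes). Run over the three hits from post #8 it groups them by the SBI rule ID, which is the observation that all three files are caught by one ruleset, and reads off the date of Beta.sbi so a reporter can say which detection update produced the hit. The sample text is copied from post #8 with the trailer trimmed; the function names are my own, and the meaning of the trailing (*) marker on some Includes lines is not explained in the thread, so it is captured as a flag but not interpreted.

```python
"""Parse a pasted Spybot S&D 1.5 scan-results block and group hits by SBI rule ID."""
import re
from collections import defaultdict

# Copied from the post above (three hits, same rule), with the version trailer trimmed.
SAMPLE_REPORT = r"""Cydoor: [SBI $2D4720C9] Downloaded program file (File, nothing done)
H:\DAta\My Documents\My Downloads\Bonusprint Software\uk_pix_download.exe

Cydoor: [SBI $2D4720C9] Downloaded program file (File, nothing done)
H:\DAta\My Documents\My Downloads\AdAware\aawsepersonal.exe

Cydoor: [SBI $2D4720C9] Downloaded program file (File, nothing done)
H:\DAta\My Documents\My Downloads\AdAware\Old Versions\aawsepersonal.exe


--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

2007-08-31 SpybotSD.exe (1.5.1.15)
2007-11-07 Includes\Beta.sbi (*)
2007-11-06 Includes\Beta.uti
2007-11-07 Includes\Malware.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
"""

# "Family: [SBI $RULEID] description (kind, action)"
DETECTION_RE = re.compile(
    r"^(?P<family>[^:\[]+): \[SBI \$(?P<rule>[0-9A-Fa-f]+)\] "
    r"(?P<description>.*?) \((?P<kind>[^,()]+), (?P<action>[^()]+)\)$"
)
# "YYYY-MM-DD Includes\Name.ext" with an optional trailing " (*)" marker
INCLUDE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) Includes\\(?P<name>\S+)(?P<starred> \(\*\))?$"
)


def parse_detections(report: str) -> list:
    """Return one dict per hit; the line after a detection line is its target path."""
    lines = report.splitlines()
    hits = []
    i = 0
    while i < len(lines):
        m = DETECTION_RE.match(lines[i].strip())
        if m:
            hit = m.groupdict()
            hit["rule"] = hit["rule"].upper()
            hit["target"] = lines[i + 1].strip() if i + 1 < len(lines) else ""
            hits.append(hit)
            i += 2
        else:
            i += 1
    return hits


def parse_includes(report: str) -> dict:
    """Return {include name: (date, starred)} from the version trailer."""
    includes = {}
    for line in report.splitlines():
        m = INCLUDE_RE.match(line.strip())
        if m:
            includes[m["name"]] = (m["date"], m["starred"] is not None)
    return includes


def group_by_rule(hits: list) -> dict:
    """Map SBI rule ID -> list of target paths, the grouping a false-positive triage needs."""
    groups = defaultdict(list)
    for hit in hits:
        groups[hit["rule"]].append(hit["target"])
    return dict(groups)


def summarize(report: str) -> str:
    """Human-readable summary: hits per rule, plus the Beta.sbi date if present."""
    hits = parse_detections(report)
    includes = parse_includes(report)
    out = []
    for rule, targets in sorted(group_by_rule(hits).items()):
        families = sorted({h["family"] for h in hits if h["rule"] == rule})
        out.append(f"rule ${rule} ({', '.join(families)}): {len(targets)} file(s)")
        out.extend(f"    {t}" for t in targets)
    if "Beta.sbi" in includes:
        date, starred = includes["Beta.sbi"]
        out.append(f"Beta.sbi dated {date}{' (*)' if starred else ''}")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Paste a real scan result (right click the results list, "Copy results to clipboard") in place of SAMPLE_REPORT; if several unrelated files land under one rule ID, as they do here, that rule is the thing to report, and the Includes dates tell the vendor which detection update to look at.
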
  #9 Yodama (Senior Member, Buchenheim)

    Thank you for your feedback; your report shows that the 3 files get detected by the same ruleset.
    The Beta.sbi has been corrected and will be released as scheduled for the update tomorrow.