
false positive or just weird (and scary)?



new_smith
2007-04-01, 04:49
Was spyware really installed on my computer?
Did it really record all of my keystrokes and send them to someone?
Or is it just a false positive?

At the last Spybot scan (after the 2007-03-28 update),
Spybot detected this problem on my computer: "
Company: WinSpy
Product: WinSpy.SpySoftWareX
Threat: Spyware


Description
WinSpy.SpySoftWareX records all keystrokes without the user's awareness or consent
about this. It tracks the user's surfing and working behaviour. It creates autorun
entries in the registry in order to be launched on
each Windows startup. WinSpy.SpySoftWareX collects also important system information.

When I clicked the problem, Spybot showed the location of the problem:
C:\WINDOWS\system32\Urlhist.tlb

When I checked when this file was created, I discovered that this file was installed
on my computer during the installation (it is also written in the installation log file of this program)
of a program called "privacy cleaner pro"
(this program allows the user to erase browser tracks; I chose to install it).
However, this program belongs to "linren software" and not to the company winspy as mentioned in the problem description.
Another important piece of information is that I have software named "winspy" that belongs to the company acesoft (this program also detects tracks, and was installed on my computer one hour after the first one; I chose to install it).
Finally, I told Spybot to fix the problem.
I also scanned the system32 folder with Norton, but it didn't detect anything.

I very much hope that you will help me to solve this problem
and let me know if someone really sees all of my keystrokes and spies on my computer.


thanks
new_smith

tashi
2007-04-02, 05:06
Hello.


Please open SpyBot.
Check for problems.
When finished, right click and choose "copy results" (not the full report) to clipboard and post that into topic.
:)

MisterW
2007-04-02, 08:12
Hello,

I can confirm that it is a false positive and it will be solved with our next update scheduled for Wednesday. :oops:

regards,
Markus :bigthumb:

new_smith
2007-04-02, 14:47
To tashi and MisterW

hello,

first of all thanks for your quick response.
I was glad to hear that it was a false negative, but just to be sure
I attached here the results as tashi requested:

31.03.2007 23:51:41 - ##### check started #####
31.03.2007 23:51:41 - ### Version: 1.4
31.03.2007 23:51:41 - ### Date: 31/03/2007 23:51:41
31.03.2007 23:51:41 - ##### checking bots #####
31.03.2007 23:57:57 - found: WinSpy.SpySoftWareX Data
01.04.2007 00:00:03 - ##### check finished #####

and here is the log after the repair by spybot:

--- Report generated: 2007-04-01 05:40 ---

WinSpy.SpySoftWareX: Data (File, fixed)
C:\WINDOWS\system32\Urlhist.tlb


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-09-28 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-03-28 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-03-28 Includes\DialerC.sbi (*)
2007-03-21 Includes\Hijackers.sbi (*)
2007-03-28 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-03-28 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-03-21 Includes\Malware.sbi (*)
2007-03-28 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-03-28 Includes\PUPSC.sbi (*)
2007-03-28 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-03-28 Includes\SecurityC.sbi (*)
2007-03-21 Includes\Spybots.sbi (*)
2007-03-28 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-03-21 Includes\Trojans.sbi (*)
2007-03-28 Includes\TrojansC.sbi (*)




And I also attach for your checking (just to be sure of your diagnosis)
what is supposed to be the "infected file" Urlhist.tlb,
and as I mentioned before this file was installed by "privacy cleaner pro",
and this is the passage from the installation log file that confirms it:

The first line that deals with the problematic file:
File Copy: C:\WINDOWS\system32\Urlhist.tlb | 08-29-1999 | 14:15:36 | | 7716 | 9bb13496

The second line:
Self-Register: C:\WINDOWS\system32\Urlhist.tlb


Again,
thanks a lot,:bigthumb:
new_smith

MrToad
2007-04-03, 00:07
I can confirm that it is a false positive and it will be solved with our next update scheduled for Wednesday.
Markus :bigthumb:
Earlier today Spybot found this "WinSpy-SpySoftWareX". I chose to fix it and Spybot removed 10 registry entries [as far as I can tell]. The message about this being a false positive leads me to think I have acted prematurely. Should I use System Restore or the restore capabilities of Spybot to reinstall the registry entries?
Thanks

MisterW
2007-04-03, 11:32
Hello MrToad,

Could you tell me exactly which 10 entries Spybot removed from your system? I think it was safe to remove them because only the file "urlhist.tlb" mentioned before was a false positive. If you are unsure you could restore the entries, download our new (fixed) detection update on Wednesday and scan again. If Spybot still finds them, they do not belong to the false positive.

MrToad
2007-04-05, 19:13
Hello MrToad,

Could you tell me exactly which 10 entries Spybot removed from your system? I think it was safe to remove them because only the file "urlhist.tlb" mentioned before was a false positive. If you are unsure you could restore the entries, download our new (fixed) detection update on Wednesday and scan again. If Spybot still finds them, they do not belong to the false positive.

I updated Spybot today [Apr 5], restored the registry entries and re-ran Spybot. Spybot again flagged the entries. I removed them again. Here's the list of entries:
WinSpy.SpySoftWareX: Settings (Registry key, fixed) HKEY_CLASSES_ROOT\CLSID\{DF6D6569-5B0C-11D3-9396-008029E9B3A6}
WinSpy.SpySoftWareX: Settings (Registry key, fixed) HKEY_CLASSES_ROOT\CLSID\{DF6D655A-5B0C-11D3-9396-008029E9B3A6}
WinSpy.SpySoftWareX: Settings (Registry key, fixed) HKEY_CLASSES_ROOT\Interface\{DF6D6559-5B0C-11D3-9396-008029E9B3A6}
WinSpy.SpySoftWareX: Settings (Registry key, fixed) HKEY_CLASSES_ROOT\Interface\{DF6D6568-5B0C-11D3-9396-008029E9B3A6}
WinSpy.SpySoftWareX: Settings (Registry key, fixed) HKEY_CLASSES_ROOT\Interface\{DF6D656E-5B0C-11D3-9396-008029E9B3A6}
WinSpy.SpySoftWareX: Settings (Registry key, fixed) HKEY_CLASSES_ROOT\TypeLib\{DF6D6558-5B0C-11D3-9396-008029E9B3A6}
WinSpy.SpySoftWareX: Root class (Registry key, fixed) HKEY_LOCAL_MACHINE\Software\Classes\vbVidC60.ezVidCap
WinSpy.SpySoftWareX: Class ID (Registry key, fixed) HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DF6D6569-5B0C-11D3-9396-008029E9B3A6}
WinSpy.SpySoftWareX: Root class (Registry key, fixed) HKEY_LOCAL_MACHINE\Software\Classes\vbVidC60.ICapCallBack
WinSpy.SpySoftWareX: Class ID (Registry key, fixed) HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DF6D655A-5B0C-11D3-9396-008029E9B3A6}
I would like to know more about this keylogger... like which file it uses to store its captured info... so I can gauge the extent of compromise.
ADDED: I believe I found the answer to the above question at this link: http://www.symantec.com/en/uk/enterprise/security_response/writeup.jsp?docid=2003-110711-5846-99&tabid=2
Thanks for considering my issue,
MrToad
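Two things the thread leaves to the reader can be checked with the script below: whether the Urlhist.tlb on disk is still the file the "privacy cleaner pro" installer logged (the "File Copy:" line new_smith quoted records size 7716 and checksum 9bb13496), and, for MrToad's question about the removed entries, which DLL a flagged CLSID actually loads. This is an added example, not Spybot's code and not either poster's. It assumes the log line layout is path | file date | file time | (empty) | size | CRC-32 (the thread shows the line, not the checksum algorithm), that a COM type library starts with the magic bytes "MSFT" or "SLTG", and that the registry lookup runs on Windows against keys that have not already been removed; the sample inputs in the test are constructed.

```python
"""Check a file flagged by an anti-spyware scanner against the installer log
that wrote it, and (on Windows) resolve a flagged CLSID to the DLL it loads.

Added example for this thread, not code from Spybot or from either poster.
Assumptions, labelled here and in the comments below:
  * the "File Copy:" install-log line has the layout
        path | file date | file time | (empty) | size in bytes | checksum
    and the checksum is a CRC-32 in hex (the thread shows the line, not the
    algorithm);
  * a COM type library file starts with the magic bytes b"MSFT" or b"SLTG".
"""
import os
import sys
import zlib
from dataclasses import dataclass
from typing import Dict, Optional

TLB_MAGIC = (b"MSFT", b"SLTG")  # assumed type-library container signatures


@dataclass
class LoggedFile:
    path: str
    size: int
    crc32: int


def parse_file_copy_line(line: str) -> LoggedFile:
    """Parse one 'File Copy:' line from the installer log (layout assumed above)."""
    prefix = "File Copy:"
    if not line.startswith(prefix):
        raise ValueError("not a File Copy line")
    fields = [f.strip() for f in line[len(prefix):].split("|")]
    if len(fields) < 6:
        raise ValueError("unexpected field count: %d" % len(fields))
    return LoggedFile(path=fields[0], size=int(fields[4]), crc32=int(fields[5], 16))


def is_type_library(data: bytes) -> bool:
    """True if the bytes start with a type-library magic (assumed signatures)."""
    return data[:4] in TLB_MAGIC


def verify_bytes(data: bytes, logged: LoggedFile) -> Dict[str, bool]:
    """Compare file contents with what the installer log recorded.

    A size or CRC mismatch means the file on disk is not the one the installer
    copied (replaced, patched, or a different file with the same name).
    """
    return {
        "size_ok": len(data) == logged.size,
        "crc_ok": (zlib.crc32(data) & 0xFFFFFFFF) == logged.crc32,
        "looks_like_tlb": is_type_library(data),
    }


def verify_file(path: str, logged: LoggedFile) -> Dict[str, bool]:
    """verify_bytes() over a real file on disk."""
    with open(path, "rb") as fh:
        return verify_bytes(fh.read(), logged)


def resolve_clsid_server(clsid: str) -> Optional[str]:
    """Return the InprocServer32 path registered under HKCR\\CLSID\\{clsid}.

    Returns None off Windows or when the key is absent (e.g. already removed
    by the scanner). The DLL a CLSID loads tells you whose component it was.
    """
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                            "CLSID\\" + clsid + "\\InprocServer32") as key:
            return winreg.QueryValue(key, None)  # default value = DLL path
    except OSError:
        return None


if __name__ == "__main__":
    # Usage: python check_flagged_file.py "<File Copy: ... log line>" [CLSID ...]
    logged = parse_file_copy_line(sys.argv[1])
    if os.path.exists(logged.path):
        print(logged.path, verify_file(logged.path, logged))
    else:
        print(logged.path, "not present (already fixed by the scanner?)")
    for clsid in sys.argv[2:]:
        print(clsid, "->", resolve_clsid_server(clsid))
```

If the size and CRC match the installer log, the flagged file is the one the cleaner's installer shipped, which is consistent with the vendor's false-positive verdict; if they do not match, or the file does not start with a type-library signature, the name is the only thing it shares with the installer's file and it deserves a closer look. For a CLSID that still resolves, the InprocServer32 path shows which product's DLL the key belonged to before deciding whether restoring it was right.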

MrToad
2007-04-05, 19:37
ADDED: I believe I found the answer to the above question at this link: http://www.symantec.com/en/uk/enterprise/security_response/writeup.jsp?docid=2003-110711-5846-99&tabid=2
Thanks for considering my issue,
MrToad
While the link I posted describes a "winSpy" that has some of the initial registry entries in common with what Spybot removed, it is far more extensive and does not contain some/all of the last 5 entries. Also, I did a search and found no 'keylog.txt', which Symantec says its 'WinSpy' creates.

tashi
2007-04-06, 16:59
Hello MrToad.

We should take a different look at the system, please follow the procedure here "BEFORE you POST" (http://forums.spybot.info/showthread.php?t=288) to produce a HJT log.

Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22)

Cheers.