MacEachaidh
2007-07-10, 06:42
Dilemma:
Spybot repeatedly finds two results on my PC that it identifies as trojans (CurePCSolution and BlackCore), even though I clean them out each time.
Even if I run it first, my anti-virus software (Norman) doesn't detect either.
Norman Tech Support wants me to provide sample "infected" files to them before they can determine whether this is something they need to act on, but Spybot doesn't provide a way to archive or identify possibly-infected files.
(Or does it ? Am I wrong here ?)
How do I tell whether these are false positives ?
How can I identify what file the Spybot alert is coming from ?
Any suggestions, please ?
Thanks !
md usa spybot fan
2007-07-10, 07:15
When you run a scan, the listing of problems detected usually points to the object being detected.
Please post a log of the actual detections you are getting. To do that:
Run another scan.
When the scan completes, right click on the results list, select "Copy results to clipboard".
Then paste (Ctrl+V) those results to a new post in this thread.
MacEachaidh
2007-07-16, 21:53
Thanks for your help, md usa spybot fan.
Here's an example of the report from a scan I've just completed:
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)
DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)
CurePCSolution: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Tradedoubler: Tracking cookie (Firefox: default) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
WebTrends live: Tracking cookie (Firefox: default) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-07-09 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-07-11 Includes\Cookies.sbi (*)
2007-05-30 Includes\Dialer.sbi (*)
2007-07-11 Includes\DialerC.sbi (*)
2007-07-11 Includes\Hijackers.sbi (*)
2007-07-11 Includes\HijackersC.sbi (*)
2007-07-11 Includes\Keyloggers.sbi (*)
2007-07-11 Includes\KeyloggersC.sbi (*)
2007-07-11 Includes\Malware.sbi (*)
2007-07-11 Includes\MalwareC.sbi (*)
2007-07-11 Includes\PUPS.sbi (*)
2007-07-11 Includes\PUPSC.sbi (*)
2007-07-11 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-07-11 Includes\SecurityC.sbi (*)
2007-07-11 Includes\Spybots.sbi (*)
2007-07-11 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-07-03 Includes\Trojans.sbi (*)
2007-07-11 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll
Is this the report you meant for me to post ? It doesn't seem to give much detail.
The item I'm most interested in is the one listed as "CurePCSolution". This is normally considered a trojan, as it's malware that installs itself to your PC.
According to Symantec's threat database, references to this should show up in my Registry, a CurePCSolution folder should appear in C:\Program Files, and "CurePCSolution" should show up in my "Add/Remove Programs" list in Control Panels.
Well, it doesn't show up in any of those places. I've queried the developers of the antivirus software I use (Norman) as to why, assuming this isn't a false positive I'm getting from Spybot, this trojan isn't picked up by their software when it is detected by Spybot. Their reply has been to ask me to send a sample of an infected file, but I can't really see how to find a sample of the infection, since Spybot only identifies this as a tracking cookie.
I'm using Firefox as my browser, and that has an in-built Cookie manager, that shows the cookies on your machine, their names and contents, and allows you to delete them.
Well, CurePCSolution doesn't show up there as a cookie. So I'm wondering just what it is that Spybot is detecting and interpreting as a CurePCSolution infection -- both so that I can check that my machine really is clean, and also so I can send a sample to my virus-killer's developers and resolve my query with them.
If you can help me resolve this, I'd be very very grateful.
regards,
Bran
md usa spybot fan
2007-07-16, 22:38
All of the detections that you received are Firefox tracking cookies (even the CurePCSolution detection, although I don't know exactly what cookie is being titled CurePCSolution).
Tracking Cookies are cookies stored on your computer by a 3rd party not directly related to the web site you're currently viewing. The intention of this type of cookie in many cases is to track your movement as you surf between sites.
Sometimes Spybot has trouble removing Firefox tracking cookies. There are suggestions in the following post on how to remove them as well as block them from being stored in the future:
http://forums.spybot.info/showpost.php?p=64081&postcount=4
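Added example (not part of the original thread, and not Spybot's own tooling): a short Python triage of results pasted via "Copy results to clipboard", separating cookie entries from any detection that would have a file or registry object to send to an antivirus vendor. It assumes only the line shape visible in the results posted above; the function names and the sample text are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the line format of the results posted in this thread.
SAMPLE_RESULTS = """\
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
CurePCSolution: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
"""

# Line shape: product: description (location) (item kind, action taken)
LINE_RE = re.compile(
    r"^(?P<product>[^:]+): (?P<desc>.+?) \((?P<where>[^()]*)\) "
    r"\((?P<kind>[^,()]+), (?P<action>[^()]+)\)$"
)

def parse_results(text):
    """Return (detections, unparsed) for the lines above the version footer."""
    detections, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---"):  # version and file listing follows; stop
            break
        m = LINE_RE.match(line)
        if m:
            detections.append(m.groupdict())
        elif line:  # keep anything in another shape for manual review
            unparsed.append(line)
    return detections, unparsed

def triage(text):
    """Count cookie entries per product; collect every non-cookie detection."""
    detections, unparsed = parse_results(text)
    cookies, other = Counter(), []
    for d in detections:
        if d["kind"].lower() == "cookie":
            cookies[(d["product"], d["where"])] += 1
        else:
            other.append(d)  # an object that could be sampled for a vendor
    return cookies, other, unparsed

if __name__ == "__main__":
    cookies, other, unparsed = triage(SAMPLE_RESULTS)
    for (product, where), n in sorted(cookies.items()):
        print(f"{product}: {n} cookie(s) in {where}")
    print("non-cookie:", other or "none", "| unparsed:", unparsed or "none")
```

An empty non-cookie list means every hit, whatever the product name attached to it, refers to an entry in the browser's cookie store rather than to an installed program.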
MacEachaidh
2007-07-18, 10:23
Hi,
Yes, I realised they were being detected as cookies, which isn't what I would have expected from a genuine CurePCSolution infection, and why I posted this here querying it as a false positive.
Is there any way to discover what Spybot is actually reading as if it's a CurePCSolution trojan ? The same thing happens sporadically with Spybot claiming it's found a BlackCore infection, both on my machine and on several others belonging to friends. I don't believe they're genuine infections, so that's not an issue, but don't understand why Spybot keeps "finding" them.
Any thoughts, please ?
(By the way, I've made the change in my Firefox about:config to block 3rd-party cookies. Thanks for that link.)