Elmer
2007-09-19, 23:12
We have found that the Win32.Small.Of is identifying a legit product as a trojan.
The company is http://ppc.thomson.com. They have all their products going into the HKEY_LOCAL_MACHINE\SOFTWARE\PPC registry. The Spybot software apparently assumes that all ppc entries are the same as the bad Ppc entry in the registry.
Currently we have the customer restore the entry and then go in and ignore the win32.small.of item so it doesn't happen again.
Appreciate any help on this.
Here is the log
Win32.Small.Of: [SBI $72649B53] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Ppc
--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---
2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-06-18 unins000.exe (51.41.0.0)
2007-09-19 unins001.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-09-19 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-09-19 Includes\DialerC.sbi (*)
2007-08-29 Includes\Hijackers.sbi (*)
2007-09-19 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-09-19 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-09-12 Includes\Malware.sbi (*)
2007-09-19 Includes\MalwareC.sbi (*)
2007-09-05 Includes\PUPS.sbi (*)
2007-09-19 Includes\PUPSC.sbi (*)
2007-09-19 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-09-19 Includes\SecurityC.sbi (*)
2007-09-12 Includes\Spybots.sbi (*)
2007-09-19 Includes\SpybotsC.sbi (*)
2007-08-21 Includes\Tracks.uti
2007-09-12 Includes\Trojans.sbi (*)
2007-09-19 Includes\TrojansC.sbi (*)
2008-12-24 Plugins\TCPIPAddress.dll
Here is a little of the PPC entry that is used for the products.
[HKEY_LOCAL_MACHINE\SOFTWARE\PPC]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\PPC\ElectronicWorkpapers]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\PPC\ElectronicWorkpapers\Commercial]
"LatestYear"="20060501"
"Title"="Small Business Audits"
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\PPC\ElectronicWorkpapers\Commercial\2005]
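Added example, not part of the original post and not Spybot's own logic: a small triage helper for a detection that names only a registry key, run against the export excerpt quoted above. The function names parse_reg and triage are hypothetical; the sketch relies on Windows treating registry key names case-insensitively, so the flagged "Ppc" and the exported "PPC" are the same key.

```python
# Added example: what actually lives under a key flagged by name alone?
# Excerpt of the .reg export quoted in the post (values as posted).
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\PPC]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\PPC\ElectronicWorkpapers]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\PPC\ElectronicWorkpapers\Commercial]
"LatestYear"="20060501"
"Title"="Small Business Audits"
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\PPC\ElectronicWorkpapers\Commercial\2005]
'''

def parse_reg(text):
    """Return {key_path: {value_name: data}} from regedit-style export text.
    Simplified: string values only, no '=' inside value names."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            current[name] = data.strip('"')
    return keys

def triage(flagged_key, export_text):
    """Collect everything stored at or below the flagged key."""
    flagged = flagged_key.casefold()  # registry key names are case-insensitive
    hits = {k: v for k, v in parse_reg(export_text).items()
            if k.casefold() == flagged
            or k.casefold().startswith(flagged + "\\")}
    subkeys = sorted(k for k in hits if k.casefold() != flagged)
    named = {k + "\\" + n: d for k, v in hits.items()
             for n, d in v.items() if n != "(Default)" and d}
    return {
        "matched": bool(hits),
        "subkeys": subkeys,
        "named_values": named,
        # Populated key: the name match alone cannot say whose data this is,
        # so review the contents before removing anything.
        "needs_review": bool(subkeys or named),
    }

if __name__ == "__main__":
    report = triage(r"HKEY_LOCAL_MACHINE\SOFTWARE\Ppc", REG_EXPORT)
    for path, data in report["named_values"].items():
        print(path, "=", data)
```

Attaching the subkeys and named values this lists to a false-positive report gives the signature maintainers something concrete to distinguish the two products by.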