Unsupported outdated version: Potential False Positive with Spybot Ver 1.3 and coolwwwsearch.hjg



ken turbine
2008-06-22, 08:24
I suspect that I may have come across a false positive in either the detection, fix or reporting with the following setup

Operating System : Windows XP sp3 : virus check by Avast! : Firewall ZoneAlarm
Browser and Version :Internet Explorer 7
Version of Spybot S&D : 1.3
Date of the latest update 18 June 2008
Where did the false positive occur: Scan result/after fix

The scan showed coolwwwsearch.hjg as present, I immediately instituted the fix. Spybot showed it as fixed, and I then re-scanned. It was again shown present and I used the fix and it was shown as cleaned.
To remove any doubts, I re-booted and rescanned with the same results as the two previous scans.
The next step was to come onto the Spybot site and get help. As most of the malware clean threads advised that the first step was to ensure the latest version of Spybot be installed and do a Hijack This scan, I downloaded both Hijack This (from the site advised in the malware section), and ran a Hijack This scan. I then downloaded vers 1.5.2 of Spybot and uninstalled vers 1.3 and installed vers 1.5.2. I did not delete either the Hijack This log or the Spybot 1.3 logs, merely renaming the folder for the latter so vers 1.5.2 would install correctly.
I then ran a scan with vers 1.5.2, and the only positive it gave was for the Windows Security Centre virus control being off (I assume this is due to my use of Avast! and having Windows monitoring of it set to Off, which I have not yet set Spybot to ignore) BUT no sign of the coolwwwsearch.hjg. For confirmation, I re-booted and repeated the scan with Spybot and got the same result.
My conclusion is that either :
vers 1.3 gave a false positive in the identifications
or I really had the Trojan, but Spybot 1.3 fixed it and the clean-up did not register this adequately.

I accept that 1.3 is an old version, but with this particular Trojan having such a bad reputation, then it may be wise to determine if this is a single random occurrence of mis-identification on my machine, or if 1.3 really does have problems with the 18/06/2008 detection for this particular Trojan.

As stated above, I should be able to provide the appropriate logs if the Team wish to see them.

ken turbine

Zenobia
2008-06-22, 11:04
Was what Spybot detected similar to the registry key that was detected for this person:
http://forums.spybot.info/showpost.php?p=201972&postcount=5
If so, wait until you hear from Yodama or another Spybot team member officially, but I thought I'd post this recent thread where someone had a similar problem, in the meantime:
http://forums.spybot.info/showthread.php?t=29375
Please see md usa spybot fan's comments.

ken turbine
2008-06-22, 11:34
Zenobia, thanks for the response:
I am not very accomplished with Regedit but the information for the HKEY reported appears to be as follows:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\]

PrivDiscUiShown REG_SZ

Is this the appropriate information?

ken turbine

Zenobia
2008-06-22, 11:56
Yes, it is, except whether or not it's set to 0 is missing. That should be in the Spybot 1.3 log you saved though, so you could just post that if Yodama asks for it, since you're uncomfortable with regedit. :)

ken turbine
2008-06-22, 13:01
As you suggested Zenobia, this was in Logs\Checks.080619-2004.txt, which is the last check before I uninstalled ver 1.3 and installed 1.5.2:

--- Report generated: 2008-06-19 20:04 ---

CoolWWWSearch.hjg: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1757981266-1647877149-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PrivDiscUiShown!=W=0


and it does not appear in Logs\Checks.080620-1714.txt, which was the first check after installation of ver 1.5.2.

The detection report does seem similar to the information given by 'md usa spybot fan'.
ken turbine

md usa spybot fan
2008-06-22, 17:44
ken turbine:

The problem with this detection in Spybot 1.3 has been noted before. See:
CoolWWWSearch or not?
http://forums.spybot.info/showthread.php?t=29375

ken turbine
2008-06-22, 18:22
OK, I'll stop worrying then.:)

Thanks to both of you.

ken turbine

Zenobia
2008-06-23, 00:32
You're welcome. :)

Hey, md, I was wondering if maybe Spybot 1.3 changed that to REG_SZ. Didn't Spybot 1.3 do that with DSO Exploit, change the DWORD value to REG_SZ when fixing, or am I not remembering correctly?

md usa spybot fan
2008-06-23, 13:32
Zenobia:

Good memory! It could be a similar situation, but I'm not sure that it is. With the DSO Exploit Spybot 1.3 would detect the DSO Exploit properly (REG_DWORD = 3) but then fix it with a REG_SZ instead of a REG_DWORD.

With this detection I'm not sure why it seems to be detected in just Spybot 1.3 to begin with.

Yodama
2008-06-23, 16:23
Hello,

Well, first about the original topic:
The dated Spybot S&D 1.3 is not compatible with all the new functions and commands that have been developed for later versions of Spybot S&D.
Although we try to keep our rule sets as downward compatible as possible, this is not always possible.
In this case Spybot S&D 1.3 does not compute a flow control command, thus it flags an item it should not flag without some additional parameters being met.

About the data type, I am not sure if this is the case here, but it would surely add to the issue.
In any case an upgrade to a current Spybot S&D version should fix this issue.

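The two mechanisms discussed above (a rule that an old engine evaluates without its flow-control prefix, and a fixer that writes REG_SZ where the rule expects REG_DWORD) can both be checked by hand. The following is an added example, not Spybot code or anything from the RegyChange wiki: it takes the exact report line quoted earlier in the thread, splits it into hive, subkey, value name and expected token, and re-reads the value type-aware. The reading of the token `W=0` as "REG_DWORD with data 0" is an assumption, since the page does not document the rule syntax; `parse_log_line`, `classify`, `read_live_value` and `recheck` are names chosen here.

```python
"""Type-aware re-check of the PrivDiscUiShown value reported by Spybot 1.3.

Added example, not Spybot's own code. The token after "!=" in the report
line is assumed to mean "expected REG_DWORD with this data"; that reading
is an assumption, not something the forum thread documents.
"""
import re

# Registry value-type codes from the Windows SDK (the same integers that
# Python's winreg module returns). Hard-coded so the decision logic runs
# on non-Windows hosts too.
REG_SZ = 1
REG_DWORD = 4

# The "Registry change" line quoted from Logs\Checks.080619-2004.txt.
LOG_LINE = (r"HKEY_USERS\S-1-5-21-1757981266-1647877149-839522115-1004"
            r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
            r"\PrivDiscUiShown!=W=0")


def parse_log_line(line):
    """Split '<hive>\\<subkey>\\<value>!=<token>' into its four parts.

    The layout is taken from the quoted line only; other report formats
    may differ.
    """
    path, token = line.split("!=", 1)
    hive, rest = path.split("\\", 1)
    subkey, value = rest.rsplit("\\", 1)
    return hive, subkey, value, token


def expected_dword(token):
    """Assumed meaning of 'W=<n>': a REG_DWORD whose data is n."""
    m = re.fullmatch(r"W=(\d+)", token)
    if not m:
        raise ValueError("unsupported expected-value token: %r" % token)
    return REG_DWORD, int(m.group(1))


def classify(data, kind, want_kind=REG_DWORD, want_data=0):
    """Compare a live (data, kind) pair with the expected type and data.

    'type-mismatch' is the DSO-Exploit-style case from the thread: the
    data reads as the expected number but was written as REG_SZ, so a
    strict, type-aware rule keeps flagging it after every "fix".
    """
    if data is None:
        return "absent"
    if kind == want_kind and data == want_data:
        return "clean"
    if kind == REG_SZ and str(data).strip() == str(want_data):
        return "type-mismatch"
    return "flagged"


def read_live_value(subkey, value):
    """On Windows, read (data, kind) under HKEY_USERS; elsewhere (None, None).

    winreg.QueryValueEx returns the value type alongside the data, which is
    what lets REG_SZ "0" be told apart from REG_DWORD 0. The per-user hive
    under HKEY_USERS is only present while that user is logged on.
    """
    try:
        import winreg
    except ImportError:
        return None, None
    try:
        with winreg.OpenKey(winreg.HKEY_USERS, subkey) as key:
            data, kind = winreg.QueryValueEx(key, value)
            return data, kind
    except FileNotFoundError:
        return None, None


def recheck(line=LOG_LINE, reader=read_live_value):
    """Parse one report line and classify the value it points at.

    `reader` is injectable so the logic can be exercised with constructed
    (data, kind) pairs on a machine without that registry hive.
    """
    _hive, subkey, value, token = parse_log_line(line)
    want_kind, want_data = expected_dword(token)
    data, kind = reader(subkey, value)
    return classify(data, kind, want_kind, want_data)


if __name__ == "__main__":
    print(recheck())
```

On the machine from the thread, `recheck()` run as the logged-on user returns `clean` if a later engine wrote the value as a DWORD 0, `type-mismatch` if a fixer left a string "0" behind, and `absent` if the value was never created; a run on a non-Windows host always reports `absent`, which is why the decision logic is kept separate from the registry read.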
Zenobia
2008-06-24, 00:47
Thanks for answering the curious. :D

PepiMK
2008-06-25, 21:57
And the uber-geeky explanation about registry changes and some changes between versions: RegyChange (http://wiki.spybot.info/index.php/RegyChange) :laugh:
(on the OpenSBI beta wiki, login with forum credentials required)

Zenobia
2008-06-26, 02:30
There's a Spybot wiki? Lol, where have I been? :spider:
Thanks. :)