ken turbine
2008-06-22, 08:24
I suspect that I may have come across a false positive in either the detection, fix or reporting with the following setup:
Operating System : Windows XP sp3 : virus check by Avast! : Firewall ZoneAlarm
Browser and Version : Internet Explorer 7
Version of Spybot S&D : 1.3
Date of the latest update 18 June 2008
where did the false positive occur
Scan result/after fix
The scan showed coolwwwsearch.hjg as present, I immediately instituted the fix. Spybot showed it as fixed, and I then re-scanned. It was again shown present and I used the fix and it was shown as cleaned.
To remove any doubts, I re-booted and rescanned with the same results as the two previous scans.
The next step was to come onto the Spybot site and get help. As most of the malware clean threads advised that the first step was to ensure the latest version of Spybot be installed and do a Hijack This scan, I downloaded both Hijack This (from the site advised in the malware section), and ran a Hijack This scan. I then downloaded vers 1.5.2 of Spybot and uninstalled vers 1.3 and installed vers 1.5.2. I did not delete either the Hijack This log or the Spybot 1.3 logs, merely renaming the folder for the latter so vers 1.5.2 would install correctly.
I then ran a scan with vers 1.5.2, and the only positive it gave was for the Windows Security Centre virus control being off (I assume this is due to my use of Avast! and having Windows monitoring of it set to Off, which I have not yet set Spybot to ignore) BUT no sign of the coolwwwsearch.hjg. For confirmation, I re-booted and repeated the scan with Spybot and got the same result.
My conclusion is that either :
vers 1.3 gave a false positive in the identifications
or I really had the Trojan, but Spybot 1.3 fixed it and the clean-up did not register this adequately.
I accept that 1.3 is an old version, but with this particular Trojan having such a bad reputation, then it may be wise to determine if this is a single random occurrence of mis-identification on my machine, or if 1.3 really does have problems with the 18/06/2008 detection for this particular Trojan.
As stated above, I should be able to provide the appropriate logs if the Team wish to see them
ken turbine