PDA

View Full Version : Fixed: Win32.ActiveKeyLogger F/P



Terminator
2008-12-03, 21:04
I found the above False Positive whilst using the On-Demand Scanner on 2 "UNWISE" Un-installers. I can repeat this False Positive on both Programs.

I ran a full Spyware only Scan and it turned up nothing, I also scanned with Avast! On-Demand Scanner and that also failed to find anything.


My System:


Windows Vista Home Premium SP1 (Fully Patched)

Internet Explorer 7 (Fully Patched)

Spybot 1.6.1.38 with Todays updates including the beta (3/12/2008)


Screenshot:

http://img219.imageshack.us/img219/8652/spybotondemandscannerfpss3.th.jpg (http://img219.imageshack.us/my.php?image=spybotondemandscannerfpss3.jpg)


Log File:


2008-06-18 SDDelFile.exe (1.0.2.5)
2008-11-13 SDFiles.exe (1.6.1.7)
2008-11-13 SDMain.exe (1.0.0.6)
2008-11-13 SDShred.exe (1.0.2.4)
2008-11-13 SDUpdate.exe (1.6.0.11)
2008-11-13 SDWinSec.exe (1.0.0.12)
2008-11-13 SpybotSD.exe (1.6.1.38)
2008-11-13 TeaTimer.exe (1.6.4.26)
2008-11-23 unins000.exe (51.49.0.0)
2008-11-13 Update.exe (1.6.0.7)
2008-11-13 advcheck.dll (1.6.2.14)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-11-13 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-11-13 Tools.dll (2.1.6.10)
2008-11-04 Includes\Adware.sbi
2008-11-25 Includes\AdwareC.sbi
2008-12-02 Includes\Beta.sbi
2007-11-06 Includes\Beta.uti
2008-06-03 Includes\Cookies.sbi
2008-09-02 Includes\Dialer.sbi
2008-09-09 Includes\DialerC.sbi
2008-07-23 Includes\HeavyDuty.sbi
2008-11-18 Includes\Hijackers.sbi
2008-11-18 Includes\HijackersC.sbi
2008-09-09 Includes\Keyloggers.sbi
2008-11-18 Includes\KeyloggersC.sbi
2008-11-18 Includes\Malware.sbi
2008-12-03 Includes\MalwareC.sbi
2008-11-03 Includes\PUPS.sbi
2008-12-02 Includes\PUPSC.sbi
2007-11-07 Includes\Revision.sbi
2008-06-18 Includes\Security.sbi
2008-12-02 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2008-11-04 Includes\Spyware.sbi
2008-12-02 Includes\SpywareC.sbi
2008-06-03 Includes\Tracks.uti
2008-11-04 Includes\Trojans.sbi
2008-12-02 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

--- System information ---
Windows Vista (Build: 6001) Service Pack 1 (6.0.6001)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB941833)

--- Startup entries list ---
Located: HK_LM:Run, avast!
command: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
file: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 81000
MD5: 55EBFBAB39BFAB5E62358C093F297641
Located: HK_LM:Run, COMODO Firewall Pro
command: "C:\Program Files\COMODO\Firewall\cfp.exe" -h
file: C:\Program Files\COMODO\Firewall\cfp.exe
size: 1796856
MD5: B443A3B66DFBC137EEE36BEC364735F5
Located: HK_LM:Run, HotKeysCmds
command: C:\Windows\system32\hkcmd.exe
file: C:\Windows\system32\hkcmd.exe
size: 166424
MD5: E0913BFFE047972BAA72AC3AE608E24D
Located: HK_LM:Run, HP Metrics
command: C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
file: C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe
size: 368640
MD5: 36BA55D14C3F78C2F137D741EB99E3C0
Located: HK_LM:Run, HP Software Update
command: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
file: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
size: 49152
MD5: 7AF5A466CF4AECA28E3DCBCF5B6FD220
Located: HK_LM:Run, hpsysdrv
command: c:\hp\support\hpsysdrv.exe
file: c:\hp\support\hpsysdrv.exe
size: 65536
MD5: 9A4322EE420D6FACD4D4B1FF6CB856B1
Located: HK_LM:Run, IgfxTray
command: C:\Windows\system32\igfxtray.exe
file: C:\Windows\system32\igfxtray.exe
size: 141848
MD5: EF4FF93786AE65DD307FCADABCD087CA
Located: HK_LM:Run, KBD
command: C:\HP\KBD\KbdStub.EXE
file: C:\HP\KBD\KbdStub.EXE
size: 65536
MD5: 7088B136BB58A5F95CF0DE8386CA6C0F
Located: HK_LM:Run, OsdMaestro
command: "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
file: C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
size: 118784
MD5: B1361669BDC6ED612C35B7C67ADA2240
Located: HK_LM:Run, Persistence
command: C:\Windows\system32\igfxpers.exe
file: C:\Windows\system32\igfxpers.exe
size: 133656
MD5: 83591BC9E3328F5BACCF487CD12414EB
Located: HK_LM:Run, RtHDVCpl
command: RtHDVCpl.exe
file: C:\Windows\RtHDVCpl.exe
size: 4874240
MD5: 361CD47DC5BD83EE24407903233B0D9A
Located: HK_LM:Run, SunJavaUpdateReg
command: "C:\Windows\system32\jureg.exe" -delete
file: C:\Windows\system32\jureg.exe
size: 54936
MD5: 4F89DD4EA74C66916E15A6E7D74A50B5
Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre6\bin\jusched.exe"
file: C:\Program Files\Java\jre6\bin\jusched.exe
size: 136600
MD5: B98FFA8288EFAABC436C30D198608345
Located: HK_LM:Run, Windows Defender
command: %ProgramFiles%\Windows Defender\MSASCui.exe -hide
file: C:\Program Files\Windows Defender\MSASCui.exe
size: 1008184
MD5: 0D392EDE3B97E0B3131B2F63EF1DB94E
Located: HK_CU:Run, Sidebar
where: S-1-5-19...
command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem
file: C:\Program Files\Windows Sidebar\Sidebar.exe
size: 1233920
MD5: FD278E51A7D6F52D22FCE6C67E037AD6
Located: HK_CU:Run, WindowsWelcomeCenter
where: S-1-5-19...
command: rundll32.exe oobefldr.dll,ShowWelcomeCenter
file: C:\Windows\system32\oobefldr.dll
size: 2153472
MD5: 83E4A5435B0FA6AD0166722621A04725
Located: HK_CU:Run, Sidebar
where: S-1-5-20...
command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem
file: C:\Program Files\Windows Sidebar\Sidebar.exe
size: 1233920
MD5: FD278E51A7D6F52D22FCE6C67E037AD6
Located: HK_CU:Run, WindowsWelcomeCenter
where: S-1-5-20...
command: rundll32.exe oobefldr.dll,ShowWelcomeCenter
file: C:\Windows\system32\oobefldr.dll
size: 2153472
MD5: 83E4A5435B0FA6AD0166722621A04725
Located: HK_CU:Run, ehTray.exe
where: S-1-5-21-16169106-2878052200-2811833100-1000...
command: C:\Windows\ehome\ehTray.exe
file: C:\Windows\ehome\ehTray.exe
size: 125952
MD5: BF08674925F151BD4537B89A493E3E0C
Located: HK_CU:Run, WMPNSCFG
where: S-1-5-21-16169106-2878052200-2811833100-1000...
command: C:\Program Files\Windows Media Player\WMPNSCFG.exe
file: C:\Program Files\Windows Media Player\WMPNSCFG.exe
size: 202240
MD5: 35937EAD711207544E219C2A19A78A7D
Located: Startup (common), HP Digital Imaging Monitor.lnk
where: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup...
command: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
file: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
size: 210520
MD5: F14219FC767F1383526AB423F278A8E3
Located: WinLogon, igfxcui
command: igfxdev.dll
file: igfxdev.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

--- Browser helper object list ---
{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 27/03/2008 16:50:26
Date (last access): 23/11/2008 19:52:52
Date (last write): 13/11/2008 16:19:32
Filesize: 1877336
Attributes: archive
MD5: D0EE028C2FB3F0C38B40147F9AB31F77
CRC32: 90CB2B8B
Version: 1.6.2.14
{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
{6D53EC84-6AAE-4787-AEEE-F4628F01010C} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (Java(tm) Plug-In SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: ssv.dll
Short name:
Date (created): 28/10/2008 14:40:42
Date (last access): 10/11/2072 03:39:26
Date (last write): 10/11/2008 05:43:32
Filesize: 320920
Attributes: archive
MD5: 35E6FB6E6003BD54A5D69C9C1C762192
CRC32: 9699660C
Version: 6.0.110.3
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In 2 SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2ssv.dll
Short name:
Date (created): 28/10/2008 14:40:40
Date (last access): 10/11/2008 03:39:26
Date (last write): 10/11/2008 05:43:16
Filesize: 34816
Attributes: archive
MD5: 5D57FD3DF32DC69CEC3D1D54B4C43162
CRC32: D7C13FB2
Version: 6.0.110.3
{DC3EB972-8628-4C46-B7CE-25EBD05EA362} (NetPurity.SiteAccess)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: NetPurity.SiteAccess
Path: C:\Windows\System32\
Long name: NetPurity.dll
Short name: NETPUR~1.DLL
Date (created): 03/12/2008 18:27:50
Date (last access): 03/12/2008 18:27:50
Date (last write): 23/03/2005 18:02:20
Filesize: 49152
Attributes: archive
MD5: 425ABE2C7E142680CEA5682473817439
CRC32: A5BA056E
Version: 1.1.0.0
{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:

--- ActiveX list ---
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} ()
DPF name:
CLSID name:
Installer:
Codebase:
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\Windows\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\Windows\system32\
Long name: LegitCheckControl.DLL
Short name: LEGITC~1.DLL
Date (created): 20/03/2008 17:06:36
Date (last access): 20/03/2008 17:06:36
Date (last write): 20/03/2008 17:06:36
Filesize: 1480232
Attributes: archive
MD5: E058C4821D48E0A67F6069CB50818D44
CRC32: 3513AE02
Version: 1.7.69.2
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool)
DPF name:
CLSID name: MSN Photo Upload Tool
Installer: C:\Windows\Downloaded Program Files\MSNPUpld.inf
Codebase: http://gfx1.hotmail.com/mail/w2/resources/VistaMSNPUplden-gb.cab
description:
classification: Legitimate
known filename: MsnPUpld.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Windows\Downloaded Program Files\
Long name: MsnPUpld.dll
Short name:
Date (created): 20/11/2006 11:04:16
Date (last access): 20/11/2006 11:04:16
Date (last write): 20/11/2006 11:04:16
Filesize: 543544
Attributes: archive
MD5: A0F541D9D2CACEEC7A4A378CD0C31626
CRC32: 035C591F
Version: 10.0.914.0
{73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class)
DPF name:
CLSID name: GMNRev Class
Installer: C:\Windows\Downloaded Program Files\setup.inf
Codebase: http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
Path: C:\Program Files\HP\Common\
Long name: HPGMNRev.dll
Short name:
Date (created): 29/07/2008 13:47:04
Date (last access): 27/08/2008 19:53:18
Date (last write): 29/07/2008 13:47:04
Filesize: 198448
Attributes: archive
MD5: D118AAAB43BFAB719B2F185C3D556E54
CRC32: 4FA69970
Version: 8.7.13.0
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_11
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2iexp.dll
Short name:
Date (created): 28/10/2008 14:40:40
Date (last access): 10/11/2008 03:39:26
Date (last write): 10/11/2008 05:43:16
Filesize: 94208
Attributes: archive
MD5: 3DA696FCE470365F830726A5DB33733F
CRC32: F0FC81C2
Version: 6.0.110.3
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\Windows\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07)
DPF name:
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase:
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2iexp.dll
Short name:
Date (created): 28/10/2008 14:40:40
Date (last access): 10/11/2008 03:39:26
Date (last write): 10/11/2008 05:43:16
Filesize: 94208
Attributes: archive
MD5: 3DA696FCE470365F830726A5DB33733F
CRC32: F0FC81C2
Version: 6.0.110.3
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.6.0_10)
DPF name:
CLSID name: Java Plug-in 1.6.0_10
Installer:
Codebase:
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2iexp.dll
Short name:
Date (created): 28/10/2008 14:40:40
Date (last access): 10/11/2008 03:39:26
Date (last write): 10/11/2008 05:43:16
Filesize: 94208
Attributes: archive
MD5: 3DA696FCE470365F830726A5DB33733F
CRC32: F0FC81C2
Version: 6.0.110.3
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_11
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2iexp.dll
Short name:
Date (created): 28/10/2008 14:40:40
Date (last access): 10/11/2008 03:39:26
Date (last write): 10/11/2008 05:43:16
Filesize: 94208
Attributes: archive
MD5: 3DA696FCE470365F830726A5DB33733F
CRC32: F0FC81C2
Version: 6.0.110.3
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_11
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_11.dll
Short name: NPJPI1~1.DLL
Date (created): 10/11/2008 03:39:26
Date (last access): 10/11/2072 03:39:26
Date (last write): 10/11/2008 05:43:32
Filesize: 132504
Attributes: archive
MD5: D400116F6776ACB6EDB6B1F5EEB9F92D
CRC32: CECB5751
Version: 6.0.110.3
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\Windows\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\Windows\system32\Macromed\Flash\
Long name: Flash10a.ocx
Short name:
Date (created): 05/10/2008 03:16:26
Date (last access): 25/11/2008 20:03:58
Date (last write): 05/10/2008 03:16:26
Filesize: 3789728
Attributes: readonly archive
MD5: 466C1355934925768822E380DA6E6E4A
CRC32: 48EC1E52
Version: 10.0.12.36

--- Process list ---
PID: 1668 (1104) C:\Windows\system32\Dwm.exe
size: 81920
MD5: 59903071D7ACE6A02093C47E9E38AF97
PID: 1696 (1660) C:\Windows\Explorer.EXE
size: 2927104
MD5: FFA764631CB70A30065C12EF8E174F9F
PID: 260 (1696) C:\Program Files\Windows Defender\MSASCui.exe
size: 1008184
MD5: 0D392EDE3B97E0B3131B2F63EF1DB94E
PID: 280 (1696) C:\hp\support\hpsysdrv.exe
size: 65536
MD5: 9A4322EE420D6FACD4D4B1FF6CB856B1
PID: 300 (1696) C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
size: 118784
MD5: B1361669BDC6ED612C35B7C67ADA2240
PID: 320 (1696) C:\Windows\RtHDVCpl.exe
size: 4874240
MD5: 361CD47DC5BD83EE24407903233B0D9A
PID: 12 (1696) C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
size: 49152
MD5: 7AF5A466CF4AECA28E3DCBCF5B6FD220
PID: 600 (1124) C:\Windows\system32\taskeng.exe
size: 169472
MD5: 5F109032CE46B7184ED9E50F9FE8489E
PID: 880 (1696) C:\Windows\System32\hkcmd.exe
size: 166424
MD5: E0913BFFE047972BAA72AC3AE608E24D
PID: 1228 (1696) C:\Windows\System32\igfxpers.exe
size: 133656
MD5: 83591BC9E3328F5BACCF487CD12414EB
PID: 1636 (1696) C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe
size: 368640
MD5: 36BA55D14C3F78C2F137D741EB99E3C0
PID: 1716 (1696) C:\Program Files\Alwil Software\Avast4\ashDisp.exe
size: 81000
MD5: 55EBFBAB39BFAB5E62358C093F297641
PID: 1580 ( 828) C:\Windows\system32\igfxsrvc.exe
size: 256536
MD5: E604D80346076DDD1B9F214678A35A38
PID: 1048 (1696) C:\Program Files\COMODO\Firewall\cfp.exe
size: 1796856
MD5: B443A3B66DFBC137EEE36BEC364735F5
PID: 1068 (1696) C:\Program Files\Java\jre6\bin\jusched.exe
size: 136600
MD5: B98FFA8288EFAABC436C30D198608345
PID: 1012 (1696) C:\Windows\ehome\ehtray.exe
size: 125952
MD5: BF08674925F151BD4537B89A493E3E0C
PID: 1496 (1696) C:\Program Files\Windows Media Player\wmpnscfg.exe
size: 202240
MD5: 35937EAD711207544E219C2A19A78A7D
PID: 1052 (1696) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
size: 210520
MD5: F14219FC767F1383526AB423F278A8E3
PID: 2208 ( 828) C:\Windows\ehome\ehmsas.exe
size: 37376
MD5: 0F4195B9B348DE5CF9B822F81704B20E
PID: 1644 ( 828) C:\Windows\system32\wbem\unsecapp.exe
size: 37888
MD5: 25873356E52849C3F5B3F1B02317E8C8
PID: 1188 (1052) C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
size: 151552
MD5: FEDDD3579FEE51A9873D856DF3933C68
PID: 4756 ( 296) C:\hp\kbd\kbd.exe
size: 67128
MD5: 7CAC10A1C258DFCB5ADE563BAE6D2F15
PID: 5316 (4248) C:\Program Files\Internet Explorer\ieuser.exe
size: 299520
MD5: 5B2E1C16A2C420F60CD391B666003F14
PID: 4992 (5080) C:\Program Files\Internet Explorer\iexplore.exe
size: 625664
MD5: 5B92133D3E7FB2644677686305E29E81
PID: 940 (1696) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5287768
MD5: F55B10E6B28A01265A18E7DB787282AB
PID: 0 ( 0) [System Process]
PID: 4 ( 0) System
PID: 452 ( 4) smss.exe
size: 64000
PID: 540 ( 528) csrss.exe
size: 6144
PID: 584 ( 528) wininit.exe
size: 96768
PID: 596 ( 576) csrss.exe
size: 6144
PID: 628 ( 584) services.exe
size: 279040
PID: 640 ( 584) lsass.exe
size: 9728
PID: 648 ( 584) lsm.exe
size: 229888
PID: 692 ( 576) winlogon.exe
size: 314880
PID: 828 ( 628) svchost.exe
size: 21504
PID: 896 ( 628) svchost.exe
size: 21504
PID: 932 ( 628) svchost.exe
size: 21504
PID: 1056 ( 628) svchost.exe
size: 21504
PID: 1104 ( 628) svchost.exe
size: 21504
PID: 1124 ( 628) svchost.exe
size: 21504
PID: 1204 (1056) audiodg.exe
size: 88064
PID: 1236 ( 628) SLsvc.exe
size: 2623488
PID: 1292 ( 628) svchost.exe
size: 21504
PID: 1424 ( 628) svchost.exe
size: 21504
PID: 1532 ( 628) aswUpdSv.exe
PID: 1544 ( 628) ashServ.exe
PID: 496 ( 628) spoolsv.exe
size: 125952
PID: 532 ( 628) svchost.exe
size: 21504
PID: 1884 (1124) taskeng.exe
size: 169472
PID: 2472 ( 628) cmdagent.exe
PID: 2516 ( 628) svchost.exe
size: 21504
PID: 2544 ( 628) LSSrvc.exe
PID: 2560 ( 628) svchost.exe
size: 21504
PID: 2716 ( 628) svchost.exe
size: 21504
PID: 2744 ( 628) svchost.exe
size: 21504
PID: 2764 ( 628) svchost.exe
size: 21504
PID: 2792 ( 628) svchost.exe
size: 21504
PID: 2812 ( 628) SearchIndexer.exe
size: 439808
PID: 3084 ( 628) SDWinSec.exe
size: 1124184
MD5: EF94D5714AD0AC78ADAFF8A3A6438DDD
PID: 3260 (1104) WUDFHost.exe
size: 142336
PID: 3772 ( 628) ashMaiSv.exe
PID: 3908 ( 628) ashWebSv.exe
PID: 4040 ( 628) wmpnetwk.exe
PID: 1768 ( 828) WmiPrvSE.exe
PID: 5400 ( 628) HPHC_Service.exe

--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 03/12/2008 18:57:28
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\Windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.co.uk/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=desktop
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=desktop
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=desktop
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896

--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: MSAFD Tcpip [TCP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 4: MSAFD Tcpip [UDP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 5: MSAFD Tcpip [RAW/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 6: RSVP TCPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 7: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 8: RSVP UDPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 9: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{114E311E-6CE2-404C-9BC3-B537B8F2651C}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{114E311E-6CE2-404C-9BC3-B537B8F2651C}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{39C42534-2708-497A-9082-659CBCC7CD75}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{39C42534-2708-497A-9082-659CBCC7CD75}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{114E311E-6CE2-404C-9BC3-B537B8F2651C}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{114E311E-6CE2-404C-9BC3-B537B8F2651C}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Network Location Awareness Legacy (NLAv1) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename:
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
Namespace Provider 1: E-mail Naming Shim Provider
GUID: {964ACBA2-B2BC-40EB-8C6A-A6DB40161CAE}
Filename:
Namespace Provider 2: PNRP Cloud Namespace Provider
GUID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Filename:
Namespace Provider 3: PNRP Name Namespace Provider
GUID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
Filename:
Namespace Provider 4: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename:
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 5: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS


If I've missed anything or you need me to perform further tests please let me know I'll rectify the situation.

Yodama
2008-12-04, 09:50
hello,

thank you for reporting this false positive with the heuristics scan.
Please also email the unwise.exe to detections-at-spybot.info (relpace -at- with @) with a reference to this thread. That way we can better check that the issue is resolved.

Terminator
2008-12-04, 13:11
As requested I have e-mailed the unwise file to detections-at-spybot.info:police:.

Terminator
2008-12-06, 18:59
Just out of curiosity When can I expect this to be fixed?

drragostea
2008-12-06, 22:16
Well, there seems to be a F/P Fix (2KB) just today the 4th. You can download it and scan again.

Terminator
2008-12-06, 23:01
Well, there seems to be a F/P Fix (2KB) just today the 4th. You can download it and scan again.

I already did that and the F/P is still there:sad:.

Yodama
2008-12-08, 09:07
this heuristics FP will be fixed on Wednesday