Possibly 27 false positives



Seal8
2006-09-18, 18:08
Using Windows XP SP2 all updates. Scanned with AVG Anti Virus, AntiVirus Personal Edition (On Demand), Ewido, CWShredder, AdAware SE, Win Patrol, RootkitRevealer and none of these showed any infections.

Installed and updated Spyware S&D yesterday. Version 1.4 Update 2006-09-15.

Showed the following infections. Could not remove any of them. Restarted and ran again and still couldn't remove any of them. Ran in Safe Mode and couldn't remove any of them.

I'm thinking these may be false positives. Any thoughts or suggestions would be appreciated.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 - Build ID: 2006090918

Also installed IE7 beta RC1


http://images6.theimagehosting.com/Spybot Results.th.jpg (http://server6.theimagehosting.com/image.php?img=Spybot Results.jpg)

spybotsandra
2006-09-18, 18:14
Hello,

The item in your search result list that can't be fixed contains a "*!=W=4" value at the end.
The value 4 usually means it is part of the restricted zones.
(The immunization of Spybot Search and Destroy adds these sites to the restricted zones in order to block the baddies from getting in.)
If this can't be fixed, it means that the attempt to block this site and add it to the restricted zones is being blocked.
I see in your post that you run other antivirus or antispyware software.
So they might be blocking this.

I would recommend not running every real-time protection that your other software offers, as they might conflict with each other, as you can see here.

Best regards
Sandra
Team Spybot

Seal8
2006-09-18, 18:55
Thx for your prompt reply.
I disabled all of my active malware software and scanners listed above. Kept my hardwired router enabled.
Rescanned with Spybot S&D with the same results. Unable to delete any of them.

I have the option I believe to exclude these items from the scan. Should I do this, or just ignore these in future scans?

The only active malware software are: AVG Anti Virus, Windows Defender Beta, Win Patrol (recent install-not sure if I'll keep), and Kerio Firewall. All others are 'on demand'. Have not experienced any problems in the past with this set up, including scanning with Spybot S & D. Maybe Win Patrol is causing a problem.

I do run IE Spyad too. Probably should disable the immunization mode in Spybot S&D.

Rescanned w/o Win Patrol running with the same results.

Recently reformatted and reinstalled everything so I'm fairly sure my system is clean. Must be a conflict with something.

tashi
2006-09-19, 03:27
Atouk, your post was removed.

Our members do not need to be berated by others.

BTW, the conversation is regarding restricted zones not sites visited.

Thank you.

md usa spybot fan
2006-09-19, 06:49
"I have the option I believe to exclude these items from the scan. Should I do this, or just ignore these in future scans?"
Neither. These detections must be fixed.

The detections all indicate that those sites are in an Internet Explorer zone other than the restricted zone. The "!=" means "not equal", "W=4" means "dword:00000004", so the detection is looking for anything other than a "dword:00000004". A dword:00000004 in this type of entry places the site in the restricted zone. Some of the detections even indicate that the sites are in the trusted zone.

The problem is to determine what is preventing Spybot from removing these entries.

Yodama
2006-09-19, 13:27
hi,

we had this kind of issue before. It is possible that the values for the zonemaps found by Spybot are not "*" but something like "http", even if datatype and data are correct. In this case Spybot cannot fix the problems and will always find them again -.-

I have tested with the following software: Win Patrol, Windows Defender, IESpyad, AdAware, Ewido,

and was not able to recreate the false positives.

Out of the tested programs, apparently only IESpyad makes entries in the IE zonemaps.
Please make sure that you are using the most recent version of IESpyad,
it may be possible that an older version of IESpyad adds the entries with a value of "http" and "https" instead of "*"

This can be checked in the windows registry under
HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains , and then in the respective domains.

@Seal8
Please use your current version of IESpyad to uninstall the IESpyad Lists/Domains, and then reinstall them with the most recent version of IESpyad.
If the issue with the Spybot detection still persists, please inform us about that.
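
[Added example, not part of any post in this thread and not Spybot or IESpyad code.] The two conditions discussed above (data other than dword:00000004, and a value named "http"/"https" instead of "*") can be checked offline against a regedit export of the ZoneMap\Domains key. The sample export and its domains are constructed placeholders, and the function names are hypothetical.

```python
import re

# Key named in the post above; IE zone numbers: 2 = Trusted, 4 = Restricted.
DOMAINS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

def _key(sub):
    return "[" + DOMAINS_KEY + "\\" + sub + "]"

# Constructed sample export; the domains are placeholders, not from the thread.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    _key("blocked.example"), '"*"=dword:00000004', "",
    _key("scheme-only.example"), '"http"=dword:00000004',
    '"https"=dword:00000004', "",
    _key("trusted.example\\www"), '"*"=dword:00000002', "",
])

def parse_zonemap(reg_text):
    """Return (host, value_name, zone) for each dword under ZoneMap\\Domains."""
    entries, host = [], None
    for line in map(str.strip, reg_text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key, prefix = m.group(1), DOMAINS_KEY.lower() + "\\"
            host = None
            if key.lower().startswith(prefix):
                # A subdomain is stored as a subkey: Domains\example.com\www
                host = ".".join(reversed(key[len(prefix):].split("\\")))
            continue
        m = VAL_RE.match(line)
        if m and host:
            entries.append((host, m.group(1), int(m.group(2), 16)))
    return entries

def audit(entries):
    """Map host -> reason it would not pass a '"*" equals dword 4' check."""
    by_host, findings = {}, {}
    for host, name, zone in entries:
        by_host.setdefault(host, {})[name] = zone
    for host, vals in by_host.items():
        wrong = [f"{n}={z} ({ZONES.get(z, 'unknown')})" for n, z in vals.items() if z != 4]
        if wrong:
            findings[host] = "not in restricted zone: " + ", ".join(wrong)
        elif "*" not in vals:
            findings[host] = 'data is 4 but value name is not "*": ' + ", ".join(vals)
    return findings

if __name__ == "__main__":
    for host, why in audit(parse_zonemap(SAMPLE_REG)).items():
        print(host, "->", why)
```
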

md usa spybot fan
2006-09-19, 15:57
Yodama:

I could not locate many of the sites in those entries in IESpyad. That is why I am concerned that the entries may have been placed in the registry by something other than an immunization type facility.

md usa spybot fan
2006-09-19, 17:36
Seal8:

I just located a thread that indicates that there may have been problems with ie-spyad last December causing similar results:
FPs generated from IE-SPYAD Zone Settings
http://forums.spybot.info/showthread.php?t=1184
To find out which entries may be related to the ie-spyad problem:
Uninstall the ie-spyad registry entries by running ie-ads-uninst.reg.
Then run ie-ads.reg again.
Run another Spybot scan.
If you still have any detections when the scan completes, right click on the results list, select "Copy results to clipboard".
Then paste (Ctrl+V) those results to a new post in this thread.