PDA

View Full Version : Cimuz...possible false positive?



timzak
2006-12-27, 07:38
With the latest definitions update, Spybot S&D finds Cimuz on my system. The first time I found this, I elected to have Spybot remove it. Upon doing so, I lost all internet access. I restored a previous image (fixed the lost internet access problem) and reran Spybot and it found it again. I tried running other spyware finders from my antivirus software (F-secure) as well as Adaware, and they found nothing.

In Spybot's details, it says that this Trojan installs the files ipv4monr.dll and mdms.exe. I searched my computer for these file names and found no matches.

Is this a false positive?

hvtemp
2006-12-27, 18:52
Hi M8

I have exact the same problem as you. I´ve tried F-secure, lavasoft adaware, windows defender, and the dont find cimuz.

This must be a false positive.....I hope!...

timzak
2006-12-27, 18:58
hvtemp,

The fact we both are using F-Secure might be a clue? Just have a backup ready if you decide to have Spybot remove this, as I lost all internet access once I removed it. And there didn't seem to be a recovery point for it in Spybot, so I had no way to undo Spybot's "fix" except to restore a week old image.

Here's a copy of the Spybot S&D results:

Cimuz: <$WINSOCK> (Winsock, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-06-19 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-12-22 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2006-12-22 Includes\DialerC.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2006-12-22 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-12-22 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-12-22 Includes\Malware.sbi (*)
2006-12-22 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-12-22 Includes\PUPSC.sbi (*)
2006-12-22 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2006-12-22 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-12-22 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-12-08 Includes\Trojans.sbi (*)
2006-12-22 Includes\TrojansC.sbi (*)

hvtemp
2006-12-27, 19:47
Hi again!

I use "Norton Ghost 2003" and makes Ghost files so that I can go back or forward if I want.

I ghosted back to a clean XP + sp2 state today. I have earlier ( 1 year ago) made a ghost file after a clean XP + SP2 installation. This way I can easily reinstall my system.
After ghosting back I installed Spybot again + updates........now it didnt find any CIMUZ.

I ghosted forward to my old state and tried again......now it found CIMUZ.

Conlusion: It must be something I have installed after XP + sp2.

Question: Should we wait for confirmation from Spybot or reinstall the system and hope that we dont catch it again.

I´m gonna try "Windows Live OneCare safety free scanner (http://safety.live.com/site/en-US/default.htm) " and see if it detects it!

Also the F-Secure Online Virus Scanner (http://support.f-secure.com/enu/home/ols.shtml)

hvtemp
2006-12-27, 19:53
hvtemp,

I lost all internet access once I removed it.

I removed it and my internet still work............?

hvtemp
2006-12-27, 23:53
1. Clean XP + sp2 installation = NO Spybot "Cimuz"
2. F-secure 2006 internet security = CIMUZ

There is something in F-secure That makes Spybot belive its a trojan called CIMUZ.

THIS MUST BE A FALSE POSITIVE.

Spybot programmers plz correct this.

timzak
2006-12-28, 00:08
hvtemp,

Thanks for confirming this. I was suspicious when you said you were using F-Secure like I do. What's funny is, prior to the latest Spybot S&D definitions update, I did not get a Cimuz detection. This leads me to believe it is a newly-introduced false positive.

Thanks again for the legwork of tracking this down. Hopefully the folks here will recognize this and correct it in the next update.

Yodama
2006-12-28, 12:10
the found Winsock entry relates to this file:
C:\windows\sytem32\mswsck32.dll
which is a confirmed threat and no part of F-Secure.
try scanning with Antivir, Kaspersky , AVG, Authentium, BitDefender, DrWeb, F-Prot, Panda , Sophos


http://www.cexx.org/lspfix.htm can be used to fix LSPs

hvtemp
2006-12-28, 13:17
This is a bit strange, beacause:

With an clean XP installation with spybot there is no CIMUZ.
But when I install F-secure The trojan CIMUZ is found immediately with spybot.

If I uninstall F-secure the Cimuz is gone...???

Doesnt this sound strange to you?..............

Am going to contact F-secure about this and hear what they have to say about this.

timzak! Try uninstall your F-secure and se if Spybot finds Cimuz.

PepiMK
2006-12-28, 13:29
Hmmm Winsock and that... there was something about the name I think. The LSP is using LAYERED_PROVIDER. That's the DEFAULT name from a Microsoft example for LSPs. Everyone out there knows not to use default names from public code examples (just like GUIDs should be unique, or filenames need to be unique in one folder, these names need to be as well). Can't really imagine that someone at F-Secure actually was knowlegable enough to write a LSP, but didn't care about changing such an obvious thing - that's normally left to silly bad guys who just copy and modify easy code examples :sad:

Imho (will have to check) mswsck32 is also the default name of that public code example. Copying public code without even changing the most important properties is something I call... well, stupid ;)

Update:
1. Check if you're using Spybot-S&D 1.4 and NOT 1.3. The old 1.3 is not capable of checking the advanced properties and may use only the name "LAYERED_PROVIDER", and not the contents itself.
2. Could someone who has only F-Secure please email his mswsck32.dll to detections(at-sign)spybot.info, with attention to Vanvi and Patrick?
3. Someone with this installed and shown in results, could you please switch Spybot to Advanced Mode, go to Tools -> Winsock LSPs, right-click the list, copy it to clipboard and paste it here? (you can cut out everything not related to mswsck32.dll and LAYERED_something ;) )

hvtemp
2006-12-28, 13:40
I have asked F-secure about this.
I´ll get back to you with their answer when I get a reply.

Cheers!:bigthumb:

Yodama
2006-12-28, 14:19
@hvtemp

PepiMK has updated his post above, if possible follow the 3 items he posted


Update:
1. Check if you're using Spybot-S&D 1.4 and NOT 1.3. The old 1.3 is not capable of checking the advanced properties and may use only the name "LAYERED_PROVIDER", and not the contents itself.
2. Could someone who has only F-Secure please email his mswsck32.dll to detections(at-sign)spybot.info, with attention to Vanvi and Patrick?
3. Someone with this installed and shown in results, could you please switch Spybot to Advanced Mode, go to Tools -> Winsock LSPs, right-click the list, copy it to clipboard and paste it here? (you can cut out everything not related to mswsck32.dll and LAYERED_something )

timzak
2006-12-28, 16:25
PepiMK,

1. I am using Spybot S&D 1.4.

2. I did a file search for mswsck32.dll on my system and no file was found. There is (as you can see below) a similar-named file "mswsock.dll" on my system, though. I don't know where Yodama came up with mswsck32.dll as neither I nor hvtemp mentioned that in our posts? I am the original poster. I have F-Secure, though my version is supplied by my Cable Provider and not purchased directly from F-Secure.

3. Here's a copy of my Winsock LSP page:

Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {961B22D8-CC72-44E9-8C73-786D25884C1A}
Filename: winsflt.dll

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {20244282-0F5F-4C1F-B740-5A1E7894A699}
Filename: winsflt.dll

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {53FF899B-51DA-4826-BA9E-074F62E1AF16}
Filename: winsflt.dll

Protocol 3: RSVP UDP Service Provider
GUID: {A0C1E165-5CB2-43D2-933C-349C58E3A111}
Filename: winsflt.dll

Protocol 4: RSVP TCP Service Provider
GUID: {D32D899F-8550-4992-A946-B2CC2B69DD75}
Filename: winsflt.dll

Protocol 5: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 6: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 7: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 8: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 9: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0B613B07-A34C-4B52-9EE3-9CDBCDD6F2EF}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0B613B07-A34C-4B52-9EE3-9CDBCDD6F2EF}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A3466ACD-D900-4CE0-8A07-93EEC8895374}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A3466ACD-D900-4CE0-8A07-93EEC8895374}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{67630850-E1F1-4FF2-BEC2-A772321452BA}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{67630850-E1F1-4FF2-BEC2-A772321452BA}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7D459AF6-EE81-4557-A9CC-34B5E71948CC}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7D459AF6-EE81-4557-A9CC-34B5E71948CC}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2BF05593-7504-4598-BD8E-A5E7900B710F}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2BF05593-7504-4598-BD8E-A5E7900B710F}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: LAYERED_PROVIDER
GUID: {5A81F161-AF30-A1CF-8927-00AA90359F1D}
Filename: winsflt.dll

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\rnr20.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

PepiMK
2006-12-28, 19:28
Hmmm the only LAYERED_thing is this:

Protocol 20: LAYERED_PROVIDER
GUID: {5A81F161-AF30-A1CF-8927-00AA90359F1D}
Filename: winsflt.dll
But the filename is different, so Spybot shouldn't flag it.

Maybe Yodama came up with that name since there has been an email about it as well (I seem to remember seeing one in an inbox). Can't find anything about winsflt.dll though - shouldn't be detected that way :spider: will have to look depper ;)

hvtemp
2006-12-28, 20:42
1. Am using Spybot - Search & Destroy version: 1.4 (build: 20050523)

2. Could not find any mswsck32 in computer or in text file from spybot.

3. The only thing I found was a about "layered_......" Se below:

Protocol 16: LAYERED_PROVIDER
GUID: {5A81F161-AF30-A1CF-8927-00AA90359F1D}
Filename: winsflt.dll
---------------------------
I tried a few online scanners.
Symantec= No Cimuz
PandaSoftware= No Cimuz
McAffe= No Cimuz

Windows Defender or Lavasoft adaware doesnt find Cimuz.

I got an answer from F-secure:

"This is most likely a false alarm. Please locate the file that is
detected as Cimuz by Spybot S&D and send this file to us for checking.
If you can't send the file please at least send the Spybot's scanning
report file where the name and location of an infected file can be seen."


I do hope that this can help Spybot finding an answer.:rolleyes:

Regards

Mr H

hvtemp
2006-12-28, 21:49
I tried the 2007 30days full Demo.

With 2007: spybot finds no Cimuz.
With 2006: it does.

hmmm...... time to upgrade f-secure maybee?

timzak
2006-12-29, 02:47
hvtemp,

Like I said, this detection only occurs after the latest definitions update from Spybot. The previous definitions did not detect "Cimuz" even though I've been using F-Secure for months. I'm pretty sure it is correctable on Spybot's end. My version of F-Secure is bundled from my cable provider, and I don't have the budget to purchase my security suite if one is being offered me at no additional cost, so I am not at liberty to choose to pay for the 2007 version. Hopefully the fellows here can confirm to us if it is a false positive or not so we can know which direction to take.

cmcnulty
2006-12-30, 18:34
So for those of us that don't have a backup, and who now have no interenet connection after removing this false positive, does anyone have any suggestions for how to fix it?

md usa spybot fan
2006-12-30, 19:12
cmcnulty:

Unless you are indicating that you have changed the default setting in Spybot to "Create backups of fixed spyware problems for easy recovery", try going into Spybot-Search & Destroy > Recovery (left pane) > locate the "Backup" for the item that you removed in the right pane (expanding the recovery item if necessary with the [+]) and check it > then click the "Recover selected items" button at the top of the right pane.

timzak
2006-12-30, 19:27
cmcnulty:

Unless you are indicating that you have changed the default setting in Spybot to "Create backups of fixed spyware problems for easy recovery", try going into Spybot-Search & Destroy > Recovery (left pane) > locate the "Backup" for the item that you removed in the right pane (expanding the recovery item if necessary with the [+]) and check it > then click the "Recover selected items" button at the top of the right pane.

Just an FYI, but I have "Create backups of fixed spyware problems for easy recovery" ENABLED, but when I had Spybot remove Cimuz (and lost my internet connection), it did NOT show up as a recoverable item on the Spybot Recovery page. That was the first thing I tried after discovering I lost my internet connection. I was fortunate to have a system backup to fall back on.

md usa spybot fan
2006-12-30, 19:46
timzak:

The fact Spybot is not taking a backup appears to be another problem in addition to the original detection of:
Cimuz: <$WINSOCK> (Winsock, ...)

Yodama
2007-01-02, 18:01
I don't know where Yodama came up with mswsck32.dll as neither I nor hvtemp mentioned that in our posts?


I came up with mswsck32.dll because that is what our detection is looking for in this context.
For the time being we have removed this Winsockcheck from our detection and are going to conduct more tests to avoid such issues again.

timzak
2007-01-04, 04:19
Yodama,

Thanks for your help. I noticed in the latest update I no longer get the Cimuz detection.

I appreciate the hard work you and your teammates put into this free product. I think sometimes we lose sight of this fact, but I wanted to let you know your collective efforts are not unnoticed!

hvtemp
2007-01-04, 22:38
Yeah.. tnx.

I like the respons and the people at this site.
Tnx again for a great program...and a quick action... I will keep using it and recommend it to my friends.

:bigthumb: