Thread: false positive or just weird (and scary) ?

  1. #1
    Junior Member (joined Apr 2007, 2 posts)

    false positive or just weird (and scary) ?

    Was spyware really installed on my computer?
    Did it really record all of my keystrokes and send them to someone?
    Or is it just a false positive?

    At the last scan of Spybot (after the 2007-03-28 update),
    Spybot detected this problem on my computer:

    "Company: WinSpy
    Product: WinSpy.SpySoftWareX
    Threat: Spyware

    Description
    WinSpy.SpySoftWareX records all keystrokes without the user's awareness or consent
    about this. It tracks the user's surfing and working behaviour. It creates autorun
    entries in the registry in order to be launched on
    each Windows startup. WinSpy.SpySoftWareX also collects important system information."

    When I clicked the problem, Spybot showed the location of the problem:
    C:\WINDOWS\system32\Urlhist.tlb

    When I checked when this file was created, I discovered that this file was installed
    on my computer during the installation (it is also written in the installation log file of this program)
    of a program called "Privacy Cleaner Pro"
    (this program allows the user to erase the tracks of the browser; I chose to install it).
    However, this program belongs to "Linren Software" and not to the company WinSpy, as mentioned in the problem description.
    Another important piece of information is that I have a program whose name is "WinSpy" that belongs to the company Acesoft (this program also detects tracks, and was installed on my computer 1 hour after the first one; I chose to install it).
    Finally, I told Spybot to fix the problem.
    I also scanned the folder system32 with Norton, but it didn't detect anything.

    I very much hope that you will help me to solve this problem
    and let me know if someone really sees all of my keystrokes and spies on my computer.

    Thanks,
    new_smith

  2. #2
    tashi, Member of Team Spybot (joined Oct 2005, USA, 30,955 posts)

    Hello.

    • Please open SpyBot.
    • Check for problems.
    • When finished, right click and choose "copy results" (not the full report) to clipboard and post that into topic.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Retired (joined Oct 2005, 566 posts)

    Hello,

    I can confirm that it is a false positive and it will be solved with our next update scheduled for Wednesday.

    regards,
    Markus

  4. #4
    Junior Member (joined Apr 2007, 2 posts)

    To tashi and MisterW

    Hello,

    First of all, thanks for your quick response.
    I was glad to hear that it was a false negative, but just to be sure
    I have attached here the results, as tashi requested:

    31.03.2007 23:51:41 - ##### check started #####
    31.03.2007 23:51:41 - ### Version: 1.4
    31.03.2007 23:51:41 - ### Date: 31/03/2007 23:51:41
    31.03.2007 23:51:41 - ##### checking bots #####
    31.03.2007 23:57:57 - found: WinSpy.SpySoftWareX Data
    01.04.2007 00:00:03 - ##### check finished #####

    and here is the log after the repair by spybot:

    --- Report generated: 2007-04-01 05:40 ---

    WinSpy.SpySoftWareX: Data (File, fixed)
    C:\WINDOWS\system32\Urlhist.tlb


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2006-09-28 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2006-02-06 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2007-01-02 Tools.dll (2.0.1.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2007-03-28 Includes\Cookies.sbi (*)
    2006-12-08 Includes\Dialer.sbi (*)
    2007-03-28 Includes\DialerC.sbi (*)
    2007-03-21 Includes\Hijackers.sbi (*)
    2007-03-28 Includes\HijackersC.sbi (*)
    2006-10-27 Includes\Keyloggers.sbi (*)
    2007-03-28 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2007-03-21 Includes\Malware.sbi (*)
    2007-03-28 Includes\MalwareC.sbi (*)
    2007-03-21 Includes\PUPS.sbi (*)
    2007-03-28 Includes\PUPSC.sbi (*)
    2007-03-28 Includes\Revision.sbi (*)
    2006-12-08 Includes\Security.sbi (*)
    2007-03-28 Includes\SecurityC.sbi (*)
    2007-03-21 Includes\Spybots.sbi (*)
    2007-03-28 Includes\SpybotsC.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2007-03-21 Includes\Trojans.sbi (*)
    2007-03-28 Includes\TrojansC.sbi (*)

    And I also attach, for your checking (just to be sure of your diagnosis),
    what is supposed to be the "infected file" Urlhist.tlb,
    and as I mentioned before, this file was installed by "Privacy Cleaner Pro",
    and this is the passage from the installation log file that confirms it:

    the first line that deals with the problematic file:
    File Copy: C:\WINDOWS\system32\Urlhist.tlb | 08-29-1999 | 14:15:36 | | 7716 | 9bb13496

    the second line:
    Self-Register: C:\WINDOWS\system32\Urlhist.tlb


    Again,
    thanks a lot,
    new_smith
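A way to check the poster's reasoning above (that Urlhist.tlb is exactly the file the Privacy Cleaner Pro installer wrote) in code, as an added example that is not from the thread or from any of the products named in it. It parses the "File Copy:" line format quoted above and the Spybot results format from this thread, then compares the file on disk with the size and trailing checksum the installer logged; treating that trailing field as a CRC32, and the sample inputs, are assumptions made here.

```python
import re
import zlib
from pathlib import Path

# Constructed sample input, modelled on the lines quoted in the thread.
INSTALL_LOG = (
    "File Copy: C:\\WINDOWS\\system32\\Urlhist.tlb | 08-29-1999 | 14:15:36 | | 7716 | 9bb13496\n"
    "Self-Register: C:\\WINDOWS\\system32\\Urlhist.tlb\n"
)
SCAN_RESULTS = "WinSpy.SpySoftWareX: Data (File, fixed)\nC:\\WINDOWS\\system32\\Urlhist.tlb\n"
# 'File Copy: <path> | <date> | <time> | | <size> | <8 hex>'; the last field is assumed (the thread never names it) to be a CRC32 of the contents.
COPY_RE = re.compile(r"^File Copy:\s*(?P<path>[^|]+?)\s*\|.*\|\s*(?P<size>\d+)\s*\|\s*(?P<crc>[0-9a-f]{8})\s*$", re.I)
# '<product>: <item> (<kind>, <action>) [<registry key>]'; for file hits the path follows on the next line.
RESULT_RE = re.compile(r"^(?P<product>[^:]+):\s*(?P<item>.+?)\s*\((?P<kind>[^,]+),\s*(?P<action>[^)]+)\)\s*(?P<target>.*)$")

def parse_install_log(text):
    """Map each copied file (lower-cased path) to (size, crc32 hex)."""
    return {m["path"].lower(): (int(m["size"]), m["crc"].lower())
            for m in map(COPY_RE.match, text.splitlines()) if m}

def parse_scan_results(text):
    """Yield (product, kind, target) for each detection in a Spybot results listing."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        m, i = RESULT_RE.match(lines[i]), i + 1
        if not m:
            continue
        target = m["target"]
        if not target and i < len(lines):   # file results put the path on the next line
            target, i = lines[i], i + 1
        yield m["product"], m["kind"], target

def file_crc32(path):
    """CRC32 of the file contents as 8 lowercase hex digits."""
    return "%08x" % (zlib.crc32(Path(path).read_bytes()) & 0xFFFFFFFF)

def check_flagged_files(scan_text, log_text, resolve=lambda p: p):
    """Classify each flagged file against the installer manifest -> {path: verdict}.
    `resolve` maps the logged Windows path to a readable local copy of the file."""
    manifest, verdicts = parse_install_log(log_text), {}
    for _, kind, target in parse_scan_results(scan_text):
        if kind.lower() != "file":
            continue   # registry hits have no counterpart in a file-copy log
        expected, local = manifest.get(target.lower()), Path(resolve(target))
        verdicts[target] = ("not in install log" if expected is None else
                            "missing" if not local.is_file() else
                            "matches installer" if (local.stat().st_size, file_crc32(local)) == expected
                            else "modified since install")
    return verdicts
```

A file that the installer logged but whose size or checksum no longer matches deserves a closer look regardless of what the scanner's signature says.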

  5. #5
    Junior Member (joined Apr 2007, 8 posts)

    WinSpy-SpySoftWareX

    Quote, originally posted by MisterW:
    I can confirm that it is a false positive and it will be solved with our next update scheduled for Wednesday.
    Markus

    Earlier today Spybot found this "WinSpy-SpySoftWareX". I chose to fix it and Spybot removed 10 registry entries [as far as I can tell]. The message about this being a false positive leads me to think I have acted prematurely. Should I use System Restore or the restore capabilities of Spybot to reinstall the registry entries?
    Thanks

  6. #6
    Retired (joined Oct 2005, 566 posts)

    Hello MrToad,

    Could you tell me exactly which 10 entries Spybot removed from your system? I think it was safe to remove them, because only the file "urlhist.tlb" mentioned before was a false positive. If you are unsure, you could restore the entries, download our new (fixed) detection update on Wednesday and scan again. If Spybot still finds them, they do not belong to the false positive.

  7. #7
    Junior Member (joined Apr 2007, 8 posts)

    WinSpy.SpySoftWareX

    Quote, originally posted by MisterW:
    Hello MrToad,

    Could you tell me exactly which 10 entries Spybot removed from your system? I think it was safe to remove them, because only the file "urlhist.tlb" mentioned before was a false positive. If you are unsure, you could restore the entries, download our new (fixed) detection update on Wednesday and scan again. If Spybot still finds them, they do not belong to the false positive.

    I updated Spybot today [Apr 5], restored the registry entries and re-ran Spybot. Spybot again flagged the entries. I removed them again. Here's the list of entries:
    WinSpy.SpySoftWareX: Settings (Registry key, fixed) HKEY_CLASSES_ROOT\CLSID\{DF6D6569-5B0C-11D3-9396-008029E9B3A6}
    WinSpy.SpySoftWareX: Settings (Registry key, fixed) HKEY_CLASSES_ROOT\CLSID\{DF6D655A-5B0C-11D3-9396-008029E9B3A6}
    WinSpy.SpySoftWareX: Settings (Registry key, fixed) HKEY_CLASSES_ROOT\Interface\{DF6D6559-5B0C-11D3-9396-008029E9B3A6}
    WinSpy.SpySoftWareX: Settings (Registry key, fixed) HKEY_CLASSES_ROOT\Interface\{DF6D6568-5B0C-11D3-9396-008029E9B3A6}
    WinSpy.SpySoftWareX: Settings (Registry key, fixed) HKEY_CLASSES_ROOT\Interface\{DF6D656E-5B0C-11D3-9396-008029E9B3A6}
    WinSpy.SpySoftWareX: Settings (Registry key, fixed) HKEY_CLASSES_ROOT\TypeLib\{DF6D6558-5B0C-11D3-9396-008029E9B3A6}
    WinSpy.SpySoftWareX: Root class (Registry key, fixed) HKEY_LOCAL_MACHINE\Software\Classes\vbVidC60.ezVidCap
    WinSpy.SpySoftWareX: Class ID (Registry key, fixed) HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DF6D6569-5B0C-11D3-9396-008029E9B3A6}
    WinSpy.SpySoftWareX: Root class (Registry key, fixed) HKEY_LOCAL_MACHINE\Software\Classes\vbVidC60.ICapCallBack
    WinSpy.SpySoftWareX: Class ID (Registry key, fixed) HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DF6D655A-5B0C-11D3-9396-008029E9B3A6}
    I would like to know more about this keylogger... like which file it uses to store its captured info... so I can gauge the extent of compromise.
    ADDED: I believe I found the answer to the above question at this link: http://www.symantec.com/en/uk/enterp...846-99&tabid=2
    Thanks for considering my issue,
    MrToad
    Last edited by MrToad; 2007-04-05 at 20:16. Reason: Add link to description of WinSpy.SpySoftWareX

  8. #8
    Junior Member (joined Apr 2007, 8 posts)

    WinSpy

    Quote, originally posted by MrToad:
    ADDED: I believe I found the answer to the above question at this link: http://www.symantec.com/en/uk/enterp...846-99&tabid=2
    Thanks for considering my issue,
    MrToad

    While the link I posted describes a "WinSpy" that has some of the initial registry entries in common with what Spybot removed, it is far more extensive and does not contain some/all of the last 5 entries. Also, I did a search and found no 'keylog.txt', which Symantec says its 'WinSpy' creates.

  9. #9
    tashi, Member of Team Spybot (joined Oct 2005, USA, 30,955 posts)

    Hello MrToad.

    We should take a different look at the system. Please follow the procedure here, "BEFORE you POST", to produce an HJT log.

    Then start your own thread in the Malware Removal Forum.

    Cheers.
