False Positive?:Aquaduct Profiler Found...

[sandybeach]

Scan today showed this found in "My Docs" listed as a "text file" (.txt) but upon opening and viewing, it clearly displayed nowhere near the 4 KB indicated in the properties tab (perhaps less than 150 characters viewable).
We do have scuba divers in house so might be a valid ??.
If this is only text, why would it be flagged for removal? If it is hidding much more, I would like to know so I can justify it's removal . What do we know that got it included in threats??
Thanks alot I.A.for any & all info, guesses, suspicions, etc. Sandy

[tashi]

Hello.
Could we see a log please.

• Open SpyBot, check for and get any updates available.
• Close all browsers, check for problems and fix everything found in red
• Then on the toolbar menu select mode and switch to advanced mode, on the left lower down select tools, and view report, ensure all the options are selected near the bottom except
  
• Uncheck[ ] do not report disabled or known legitimate Items.
• uncheck[ ] Include a list of services in report.
• Uncheck[ ] Include uninstall list in report.
  
• Now select (near the top) view report.
• Press export in the save in box choose a place such as your my documents folder, then in your next post near the bottom select the "browse" button; navigate to and attach or post that report.

Cheers.

[sandybeach]

Hi, Tashi! Thanks for the return post. I had Spybot fix it since both of us Scuba Divers decided it had nothing to do w/ the sport. Upon opening & reading further, decided it arrived buried in some software program installed on laptop during Feb/06 (Only 2: 1) Kodak viewer installed with returned picture CD from developing or 2) Small retail CD : Scrapbook Plus by Ideasoft). Figuring this, we got rid of it. The laptop is never on net except to update AVG/Spybot/Adaware All scans clear now.
Besides size, it did have 3 other interesting properties:
1) Although S&D found in my docs, opening My Docs, it did not show as visible there(or I'm going blind in my old age! LOL!)
2) A system Search: C: All Files & Folders (with all hidden shown) for "Aquaduct" showed no findings, possibly as denoted as text didn't HAVE a file/folder of its own.
3) A Rootkit Revealer (F-Secure) Blacklight showed : No hidden files.
If you still wish a log, I can post tomorrow when laptop returns here.
If you don't request Log again, I'll just say Thanks so much for your efforts & time!! You know we have Much more faith in you guys & gals than in M$!!
¡ Hasta Mañana & Gracias Compadres! Sandy

[tashi]

Hi Sandy.

If everything checks out ok and you feel comfortable great.

You can post a log anytime you want a checkup.

Have a great day and thanks, tashi.

[sandybeach]

Have discovered a lot since last post. Sorry that this will be a little long but needs be to be clear & complete.
Discovered source of the Aqueduct Profiler was from Mary's Family Tree Maker (V9.0).
She has an original copy from retail, installed on Desktop( MDG/XPPro) about 2 years ago. At time of install, ran Spybot and "fixed all found". No Spybot scan since has ever found Profiler again since. Apparently that "fix" left the aqueduct.dll file(v.2.3.0.0./60kb) there but disabled its' ability to create the profile.txt & therefore nothing to send out.

Mary has since installed the same original FTM (Unknown to me) on the Laptop(HP/XP Home SP2) last month and got an update installed.
Still has the same(?) Aqueduct.dll (v.2.3.0.0/60kb) which produces the profile.txt upon closing of each session. This is the .txt document Spybot removes after scan (leaving the .dll).

EXCEPTING that now, after the Spybot Fix, the Profile.txt is gone but is re-created after next session of FTM and needs to be removed again & again etc. Apparently, without being obvious (w/version #s/ size change) they have found a way to alter the program such that the fix doesn't disable the problem source any more (my best guess).
Genealogy.com claims they have a patch to disable this but I don't believe it and have seen other Googled posts saying the patch is a non-starter and doesn't load on their machines. After seeing Genealogy's attempted defense with spin doctoring, I wouldn't buy air from him.
Anyway, I have created an "almost" work around by going to the FTW2 file on C; (noting it's not in program files folder) and highlighting the profiler.txt and sending to desktop (creating a shortcut). This allows the easy, frequent,
deleting of the profile without needing to run Spybot scan first to find & fix.
Basically: Delete profile before using program to web and again after ending session so there is nothing there to be retrieved by upload.
I am hoping Patrick &/or you guys & gals can figure a way to disable this new version with 1 fix similarly to past version. (hope, hope!!).
Embarrassed :o to not realize in 1st & 2nd post that "find" didn't because of spelling mistake (aquaduct/aqueduct) & not found(invisible) in docs because it was in its' own root folder on C:.

I am attaching 2 (correction 1)spybot file (report.txt & No Results.txt 139 kb:too big) for whatever help it may be.
Thanks for the time & patience reading all this. Let me know if you need me to send something else. Sandy

--- Report generated: 2006-03-21 23:45 ---

Aqueduct Profiler: Log file (File, fixed)
C:\aqueduct.txt


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2006-01-20 TeaTimer.exe (1.4.0.2)
2005-08-14 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-03-19 Includes\Cookies.sbi (*)
2006-03-19 Includes\Dialer.sbi (*)
2006-03-19 Includes\Hijackers.sbi (*)
2006-03-19 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-03-19 Includes\Malware.sbi (*)
2006-03-19 Includes\PUPS.sbi (*)
2006-03-19 Includes\Revision.sbi (*)
2006-03-19 Includes\Security.sbi (*)
2006-03-19 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti

[dnjjohns]

Hello.
Could we see a log please.

• Open SpyBot, check for and get any updates available.
• Close all browsers, check for problems and fix everything found in red
• Then on the toolbar menu select mode and switch to advanced mode, on the left lower down select tools, and view report, ensure all the options are selected near the bottom except
  
• Uncheck[ ] do not report disabled or known legitimate Items.
• uncheck[ ] Include a list of services in report.
• Uncheck[ ] Include uninstall list in report.
  
• Now select (near the top) view report.
• Press export in the save in box choose a place such as your my documents folder, then in your next post near the bottom select the "browse" button; navigate to and attach or post that report.

Cheers.

Hello...

I tried the above to get rid of Aqueduct Profiler once and for all, but when I tried to change SpyBot from 'Default' to 'Advanced' I got a warning that I could damage my computer if I don't know what I'm doing.

I'm not exactly a novice, but I can get in over my head sometimes. What, exactly, am I doing here that could cause damage?

Thanks....

[tashi]

Hello,

I tried the above to get rid of Aqueduct Profiler once and for all, but when I tried to change SpyBot from 'Default' to 'Advanced' I got a warning that I could damage my computer if I don't know what I'm doing.

That is a general warning as changing to advanced mode will make more options available, and some of those should only be used by experienced users.

However, using the option to obtain a log is not dangerous.

Hope that helps.

[dnjjohns]

Hello,


Hope that helps.

It did, thanks.

[dnjjohns]

Good Morning tashi...

I have followed your instructions and have exported the report to 'my documents'. When I browse and attempt to attached the file I get: "Your file of 52.9 KB bytes exceeds the forum's limit of 19.5 KB for this filetype"

Additional suggestions?

Doug

[tashi]

Hello dnjjohns.

Sorry I did not receive notification that you had posted.

If you have difficulty attaching the file, (even if zipped), please attach (or copy the report) to an email and send it to: detections(at)spybot.info (Replace AT with @) Please also include a link back to this topic.

Cheers.