
Thread: True Sword FP (I hope)

  1. #11
    Junior Member
    Join Date
    Jul 2006
    Posts
    3

    Default UPDATE: True Sword FP (I hope)

    Anyway... for good or ill, I let Spybot erase the entries mentioned in my 1st post. {By the way, I had not bought the bogus security app True Sword and hence, not being a programmer and not a real whiz bang security guy, apparently - I didn't quite see what the tie in was/wasn't with the two companies, etc.}

    Parenthetically, while running a trial ver. of Trend Micro's AntiSpyware, it too pegged an eSellerate registry mention as being a baddie, but not True Sword; however, TM's AS also pegged NirSoft's ShellExView, Vcom's PowerDesk 6.0, and Analog X's Script Defender as bad guys... so take that with a grain of salt, I guess.

    But it's good to see the Spybot team on top of things; I read here that they will be taking care of this FP in an update later this week.

    Many thanks for help, info on this.

    SG1windowsxp (Pat)... living and learning, thanks to these great forums and folks always willing to assist.

  2. #12
    Junior Member
    Join Date
    Jul 2006
    Posts
    3

    Default UPDATE, Part Two: True Sword FP (I hope)

    As an addendum: no, I've not any eSellerate app, per se (or not that I am aware of). It's been just, as far as I know, that when buying apps online a given seller uses that particular vendor.

    Also, I happened to notice today that there are also a few Control and Engine .dlls (from eSellerate) in the SYSTEM32 dir. No idea what that's about; seems a bit much to get from a co. just from buying an app or two through them, though. ???

    These folks work for Google and/or the CIA, by chance? <g>

    SG1windowsxp (Pat)

  3. #13
    Junior Member
    Join Date
    Aug 2006
    Posts
    8

    Default

    Gotta love those false positives. Always glad to find threads like this one.

    Anyway, I knew it was a FP because I know a completely legitimate company that uses the eSellerate purchasing system.

    Head over to http://www.fscloud9.com/, they make Microsoft Flight Simulator add-ons. I bought a scenery add-on from them (and a boxed set before, bought in a store). You've got the scenery (or aircraft or whatever) installer, it installs a demo version of the product. You can try it. Then through the MS Flight Simulator interface, you can click on buy and a pop-up window will appear for your name, address, credit card info, etc... Secure connection, e-mail confirmation, no problems. And the purchase process activates the scenery. And no illegal activities with the credit card after the purchase.

    By the way, I only got True Sword: Library (File, nothing done) C:\WINDOWS\eSellerateEngine.dll


    Talking about false positives, I got two more results, returning favorites:

    Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

    Windows.Explorer: Settings (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-823518204-879983540-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=W=0

    Does Spybot really need to report just those two things? If it finds those changes along with other fishy stuff, fine, but I don't see the "spy" in those registry keys.

  4. #14
    Esteemed Member
    Join Date
    Oct 2005
    Posts
    211

    Default

    They are not false positives.

    Spybot is flagging that the settings are not the expected defaults (!=W=2 means the data for that value is not the expected 2). Of course, if you disabled Security Center and disabled Active Desktop changes deliberately, then you know it's OK, but if you didn't, then you would investigate further.

    If you set them deliberately, you can left click on one to highlight, then right click, click on exclude this detection from further searches and they won't show up again.

  5. #15
    Retired
    Join Date
    Oct 2005
    Posts
    566

    Default

    OK, it seems like there is a little bit of confusion now. The keys

    True Sword: Root class (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\Software\Classes\eSellerateControl.350

    True Sword: Root class (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\Software\Classes\eSellerateControl.350.1

    True Sword: Class ID (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{25982EAA-87CC-4747-BE09-9913CF7DD2F1}

    have been false positives because they are used by some legit applications, too. So we decided to correct our detections.

    The keys

    Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

    Windows.Explorer: Settings (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-823518204-879983540-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=W=0

    are not false positives. They are Windows settings which often get changed by some malware. If you have made these changes yourself, please ignore these detections.

    Best Regards,
    Markus

  6. #16
    Junior Member
    Join Date
    Dec 2006
    Posts
    2

    Default

    Well, it seems that the discussion was a long time ago and I found it only now. It's better to do something late than never, as we say in Russia.

    My name is Konstantin Artemev and I'm the head of the department which developed True Sword, which you were talking about here.

    I can assure you that True Sword is a legitimate application and I encourage you to perform your own tests to check this out. As far as I remember, the Spybot team de-listed us a long time ago.

    However, this post is still visible on the Internet, so everyone who visits it often sees the very first messages of the discussion, where someone called True Sword a bogus application. Well, there was a time when True Sword had some problems with false positives and this generated questions from the community. However, True Sword _never_ was a bogus program - our business is open to all and clear.

    Right now True Sword is a modern, quality anti-spyware product and I invite everyone to check this on their own.


    http://forums.spybot.info/showthread...0058#post60058
    Last edited by tashi; 2008-09-19 at 18:03. Reason: added link :)
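
Added example (not part of the thread and not Spybot's own code): a small Python parser for the two-line detection entries quoted in posts #13 to #15, separating signature matches (a key or file is present) from setting deviations written as `value!=W=expected`. The two-line layout is assumed from the quoted entries, and the letter before the expected data is kept opaque because the thread does not define it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Detections quoted in the thread, as header line + target line pairs.
SAMPLE = r"""
True Sword: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\eSellerateControl.350
Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2
Windows.Explorer: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-823518204-879983540-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=W=0
"""

HEADER = re.compile(r"^(?P<product>.+?): (?P<category>.+?) \((?P<kind>[^,]+), (?P<action>[^)]+)\)$")
# "<key>\<value>!=<tag>=<expected>"; the tag letter is an assumption-free opaque field.
CHANGE = re.compile(r"^(?P<key>.+)\\(?P<value>[^\\]+)!=(?P<tag>\w)=(?P<expected>.*)$")

@dataclass
class Finding:
    product: str
    kind: str
    key: str                         # registry key (or file path) that was reported
    value: Optional[str] = None      # value name, only for "Registry change"
    expected: Optional[str] = None   # data the scanner expects for that value

    def is_setting_deviation(self) -> bool:
        return self.expected is not None

    def still_applies(self, current_data) -> bool:
        """True while the live data differs from the expected data."""
        return str(current_data) != self.expected

def parse_report(text: str) -> List[Finding]:
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    for header, target in zip(lines[0::2], lines[1::2]):
        h = HEADER.match(header)
        if not h:
            raise ValueError(f"unrecognised header: {header!r}")
        c = CHANGE.match(target) if h["kind"] == "Registry change" else None
        if c:
            findings.append(Finding(h["product"], h["kind"], c["key"], c["value"], c["expected"]))
        else:
            findings.append(Finding(h["product"], h["kind"], target))
    return findings
```

Entries where `is_setting_deviation()` is true are the ones to compare against changes you made yourself; the others are presence-based matches, which is where the eSellerate false positive came from.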
