
Thread: Cimuz...possible false positive?

  1. #1
    Junior Member
    Join Date
    Dec 2006
    Posts
    7

    Cimuz...possible false positive?

    With the latest definitions update, Spybot S&D finds Cimuz on my system. The first time I found this, I elected to have Spybot remove it. Upon doing so, I lost all internet access. I restored a previous image (fixed the lost internet access problem) and reran Spybot and it found it again. I tried running other spyware finders from my antivirus software (F-secure) as well as Adaware, and they found nothing.

    In Spybot's details, it says that this Trojan installs the files ipv4monr.dll and mdms.exe. I searched my computer for these file names and found no matches.

    Is this a false positive?

  2. #2
    Junior Member
    Join Date
    Dec 2006
    Posts
    10

    Exact same here..........

    Hi M8

    I have exactly the same problem as you. I've tried F-Secure, Lavasoft Ad-Aware, Windows Defender, and they don't find Cimuz.

    This must be a false positive.....I hope!...

  3. #3
    Junior Member
    Join Date
    Dec 2006
    Posts
    7


    hvtemp,

    The fact we both are using F-Secure might be a clue? Just have a backup ready if you decide to have Spybot remove this, as I lost all internet access once I removed it. And there didn't seem to be a recovery point for it in Spybot, so I had no way to undo Spybot's "fix" except to restore a week-old image.

    Here's a copy of the Spybot S&D results:

    Cimuz: <$WINSOCK> (Winsock, nothing done)
    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2005-06-19 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2006-02-06 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2006-02-20 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2006-12-22 Includes\Cookies.sbi (*)
    2006-12-08 Includes\Dialer.sbi (*)
    2006-12-22 Includes\DialerC.sbi (*)
    2006-11-24 Includes\Hijackers.sbi (*)
    2006-12-22 Includes\HijackersC.sbi (*)
    2006-10-27 Includes\Keyloggers.sbi (*)
    2006-12-22 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2006-12-22 Includes\Malware.sbi (*)
    2006-12-22 Includes\MalwareC.sbi (*)
    2006-10-20 Includes\PUPS.sbi (*)
    2006-12-22 Includes\PUPSC.sbi (*)
    2006-12-22 Includes\Revision.sbi (*)
    2006-12-08 Includes\Security.sbi (*)
    2006-12-22 Includes\SecurityC.sbi (*)
    2006-10-13 Includes\Spybots.sbi (*)
    2006-12-22 Includes\SpybotsC.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2006-12-08 Includes\Trojans.sbi (*)
    2006-12-22 Includes\TrojansC.sbi (*)

  4. #4
    Junior Member
    Join Date
    Dec 2006
    Posts
    10


    Hi again!

    I use "Norton Ghost 2003" and make Ghost files so that I can go back or forward if I want.

    I ghosted back to a clean XP + SP2 state today. I earlier (1 year ago) made a ghost file after a clean XP + SP2 installation. This way I can easily reinstall my system.
    After ghosting back I installed Spybot again + updates........now it didn't find any CIMUZ.

    I ghosted forward to my old state and tried again......now it found CIMUZ.

    Conclusion: It must be something I have installed after XP + SP2.

    Question: Should we wait for confirmation from Spybot or reinstall the system and hope that we don't catch it again?

    I'm gonna try "Windows Live OneCare safety free scanner" and see if it detects it!

    Also the F-Secure Online Virus Scanner

  5. #5
    Junior Member
    Join Date
    Dec 2006
    Posts
    10


    Quote Originally Posted by timzak:
        hvtemp,

        I lost all internet access once I removed it.

    I removed it and my internet still works............?

  6. #6
    Junior Member
    Join Date
    Dec 2006
    Posts
    10

    Found the Source of the problem.........

    1. Clean XP + sp2 installation = NO Spybot "Cimuz"
    2. F-secure 2006 internet security = CIMUZ

    There is something in F-Secure that makes Spybot believe it's a trojan called CIMUZ.

    THIS MUST BE A FALSE POSITIVE.

    Spybot programmers plz correct this.

  7. #7
    Junior Member
    Join Date
    Dec 2006
    Posts
    7


    hvtemp,

    Thanks for confirming this. I was suspicious when you said you were using F-Secure like I do. What's funny is, prior to the latest Spybot S&D definitions update, I did not get a Cimuz detection. This leads me to believe it is a newly-introduced false positive.

    Thanks again for the legwork of tracking this down. Hopefully the folks here will recognize this and correct it in the next update.

  8. #8
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    no false positive

    the found Winsock entry relates to this file:
    C:\windows\system32\mswsck32.dll
    which is a confirmed threat and no part of F-Secure.
    try scanning with Antivir, Kaspersky, AVG, Authentium, BitDefender, DrWeb, F-Prot, Panda, Sophos

    http://www.cexx.org/lspfix.htm can be used to fix LSPs

  9. #9
    Junior Member
    Join Date
    Dec 2006
    Posts
    10

    Strange

    This is a bit strange, because:

    With a clean XP installation with Spybot there is no CIMUZ.
    But when I install F-secure The trojan CIMUZ is found immediately with spybot.

    If I uninstall F-secure the Cimuz is gone...???

    Doesn't this sound strange to you?..............

    Am going to contact F-secure about this and hear what they have to say about this.

    timzak! Try uninstalling your F-Secure and see if Spybot finds Cimuz.

  10. #10
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,575


    Hmmm Winsock and that... there was something about the name I think. The LSP is using LAYERED_PROVIDER. That's the DEFAULT name from a Microsoft example for LSPs. Everyone out there knows not to use default names from public code examples (just like GUIDs should be unique, or filenames need to be unique in one folder, these names need to be as well). Can't really imagine that someone at F-Secure actually was knowledgeable enough to write an LSP, but didn't care about changing such an obvious thing - that's normally left to silly bad guys who just copy and modify easy code examples.

    Imho (will have to check) mswsck32 is also the default name of that public code example. Copying public code without even changing the most important properties is something I call... well, stupid.

    Update:
    1. Check if you're using Spybot-S&D 1.4 and NOT 1.3. The old 1.3 is not capable of checking the advanced properties and may use only the name "LAYERED_PROVIDER", and not the contents itself.
    2. Could someone who has only F-Secure please email his mswsck32.dll to detections(at-sign)spybot.info, with attention to Vanvi and Patrick?
    3. Someone with this installed and shown in results, could you please switch Spybot to Advanced Mode, go to Tools -> Winsock LSPs, right-click the list, copy it to clipboard and paste it here? (you can cut out everything not related to mswsck32.dll and LAYERED_something)
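As an added illustration of the two indicators this thread converges on (the sample-default provider name LAYERED_PROVIDER and the file mswsck32.dll, whose name mimics the genuine Microsoft Winsock provider mswsock.dll), here is a small Python checker for the text layout of `netsh winsock show catalog`; it is not code from Spybot, F-Secure or any poster. The catalog text inside it is constructed for the example, and real output carries more fields per entry than are shown.

```python
import re

# Constructed sample in the layout of `netsh winsock show catalog`, not output
# from any poster's machine: a genuine Microsoft base provider followed by a
# layered provider that kept the defaults of the Microsoft LSP sample code.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Description:                        LAYERED_PROVIDER
Provider Path:                      C:\\WINDOWS\\system32\\mswsck32.dll
Catalog Entry ID:                   1034
"""

# The two indicators named in the thread: the sample's default provider name
# and a DLL whose name mimics Microsoft's legitimate mswsock.dll.
SAMPLE_DEFAULT_NAME = "LAYERED_PROVIDER"
LOOKALIKE_DLLS = {"mswsck32.dll": "mswsock.dll"}
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s+(.*?)\s*$")


def parse_catalog(text):
    """Split netsh-style output into one {field: value} dict per entry."""
    entries = []
    for block in text.split("Winsock Catalog Provider Entry")[1:]:
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        entries.append(fields)
    return entries


def flag_suspicious_entries(entries):
    """Return entries matching either indicator, each with its reasons."""
    findings = []
    for e in entries:
        reasons = []
        if e.get("Description", "") == SAMPLE_DEFAULT_NAME:
            reasons.append("provider name is the Microsoft LSP sample default")
        dll = e.get("Provider Path", "").rsplit("\\", 1)[-1].lower()
        if dll in LOOKALIKE_DLLS:
            reasons.append(dll + " mimics the legitimate " + LOOKALIKE_DLLS[dll])
        if reasons:
            findings.append({"id": e.get("Catalog Entry ID"), "dll": dll, "reasons": reasons})
    return findings
```

A name match alone is the weaker of the two signals, which is the point PepiMK makes about 1.3 versus 1.4 above: an entry flagged only on LAYERED_PROVIDER still needs its DLL inspected before anything is removed, and Spybot's own "Winsock LSPs" list in Advanced Mode can be pasted into `parse_catalog` in place of netsh output once its field names are adjusted.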
