Results 1 to 10 of 24

Thread: Cimuz...possible false positive?

Hybrid View

Previous Post Previous Post   Next Post Next Post
  1. #1
    Junior Member
    Join Date
    Dec 2006
    Posts
    7

    Default Cimuz...possible false positive?

    With the latest definitions update, Spybot S&D finds Cimuz on my system. The first time I found this, I elected to have Spybot remove it. Upon doing so, I lost all internet access. I restored a previous image (fixed the lost internet access problem) and reran Spybot and it found it again. I tried running other spyware finders from my antivirus software (F-secure) as well as Adaware, and they found nothing.

    In Spybot's details, it says that this Trojan installs the files ipv4monr.dll and mdms.exe. I searched my computer for these file names and found no matches.

    Is this a false positive?

  2. #2
    Junior Member
    Join Date
    Dec 2006
    Posts
    10

    Default Exact same here..........

    Hi M8

    I have exact the same problem as you. Ive tried F-secure, lavasoft adaware, windows defender, and the dont find cimuz.

    This must be a false positive.....I hope!...

  3. #3
    Junior Member
    Join Date
    Dec 2006
    Posts
    7

    Default

    hvtemp,

    The fact we both are using F-Secure might be a clue? Just have a backup ready if you decide to have Spybot remove this, as I lost all internet access once I removed it. And there didn't seem to be a recovery point for it in Spybot, so I had no way to undo Spybot's "fix" except to restore a week old image.

    Here's a copy of the Spybot S&D results:

    Cimuz: <$WINSOCK> (Winsock, nothing done)



    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2005-06-19 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2006-02-06 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2006-02-20 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2006-12-22 Includes\Cookies.sbi (*)
    2006-12-08 Includes\Dialer.sbi (*)
    2006-12-22 Includes\DialerC.sbi (*)
    2006-11-24 Includes\Hijackers.sbi (*)
    2006-12-22 Includes\HijackersC.sbi (*)
    2006-10-27 Includes\Keyloggers.sbi (*)
    2006-12-22 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2006-12-22 Includes\Malware.sbi (*)
    2006-12-22 Includes\MalwareC.sbi (*)
    2006-10-20 Includes\PUPS.sbi (*)
    2006-12-22 Includes\PUPSC.sbi (*)
    2006-12-22 Includes\Revision.sbi (*)
    2006-12-08 Includes\Security.sbi (*)
    2006-12-22 Includes\SecurityC.sbi (*)
    2006-10-13 Includes\Spybots.sbi (*)
    2006-12-22 Includes\SpybotsC.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2006-12-08 Includes\Trojans.sbi (*)
    2006-12-22 Includes\TrojansC.sbi (*)

  4. #4
    Junior Member
    Join Date
    Dec 2006
    Posts
    10

    Default

    Hi again!

    I use "Norton Ghost 2003" and makes Ghost files so that I can go back or forward if I want.

    I ghosted back to a clean XP + sp2 state today. I have earlier ( 1 year ago) made a ghost file after a clean XP + SP2 installation. This way I can easily reinstall my system.
    After ghosting back I installed Spybot again + updates........now it didnt find any CIMUZ.

    I ghosted forward to my old state and tried again......now it found CIMUZ.

    Conlusion: It must be something I have installed after XP + sp2.

    Question: Should we wait for confirmation from Spybot or reinstall the system and hope that we dont catch it again.

    Im gonna try "Windows Live OneCare safety free scanner " and see if it detects it!

    Also the F-Secure Online Virus Scanner

  5. #5
    Junior Member
    Join Date
    Dec 2006
    Posts
    10

    Default

    Quote Originally Posted by timzak View Post
    hvtemp,

    I lost all internet access once I removed it.
    I removed it and my internet still work............?

  6. #6
    Junior Member
    Join Date
    Dec 2006
    Posts
    10

    Default Found the Source of the problem.........

    1. Clean XP + sp2 installation = NO Spybot "Cimuz"
    2. F-secure 2006 internet security = CIMUZ

    There is something in F-secure That makes Spybot belive its a trojan called CIMUZ.

    THIS MUST BE A FALSE POSITIVE.

    Spybot programmers plz correct this.

  7. #7
    Junior Member
    Join Date
    Dec 2006
    Posts
    7

    Default

    hvtemp,

    Thanks for confirming this. I was suspicious when you said you were using F-Secure like I do. What's funny is, prior to the latest Spybot S&D definitions update, I did not get a Cimuz detection. This leads me to believe it is a newly-introduced false positive.

    Thanks again for the legwork of tracking this down. Hopefully the folks here will recognize this and correct it in the next update.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •