Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 24

Thread: Cimuz...possible false positive?

  1. #11
    Junior Member
    Join Date
    Dec 2006
    Posts
    10

    Default Email sent to F-secure

    I have asked F-secure about this.
    I´ll get back to you with their answer when I get a reply.

    Cheers!

  2. #12
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    @hvtemp

    PepiMK has updated his post above, if possible follow the 3 items he posted

    Update:
    1. Check if you're using Spybot-S&D 1.4 and NOT 1.3. The old 1.3 is not capable of checking the advanced properties and may use only the name "LAYERED_PROVIDER", and not the contents itself.
    2. Could someone who has only F-Secure please email his mswsck32.dll to detections(at-sign)spybot.info, with attention to Vanvi and Patrick?
    3. Someone with this installed and shown in results, could you please switch Spybot to Advanced Mode, go to Tools -> Winsock LSPs, right-click the list, copy it to clipboard and paste it here? (you can cut out everything not related to mswsck32.dll and LAYERED_something )
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  3. #13
    Junior Member
    Join Date
    Dec 2006
    Posts
    7

    Default

    PepiMK,

    1. I am using Spybot S&D 1.4.

    2. I did a file search for mswsck32.dll on my system and no file was found. There is (as you can see below) a similar-named file "mswsock.dll" on my system, though. I don't know where Yodama came up with mswsck32.dll as neither I nor hvtemp mentioned that in our posts? I am the original poster. I have F-Secure, though my version is supplied by my Cable Provider and not purchased directly from F-Secure.

    3. Here's a copy of my Winsock LSP page:

    Protocol 0: MSAFD Tcpip [TCP/IP]
    GUID: {961B22D8-CC72-44E9-8C73-786D25884C1A}
    Filename: winsflt.dll

    Protocol 1: MSAFD Tcpip [UDP/IP]
    GUID: {20244282-0F5F-4C1F-B740-5A1E7894A699}
    Filename: winsflt.dll

    Protocol 2: MSAFD Tcpip [RAW/IP]
    GUID: {53FF899B-51DA-4826-BA9E-074F62E1AF16}
    Filename: winsflt.dll

    Protocol 3: RSVP UDP Service Provider
    GUID: {A0C1E165-5CB2-43D2-933C-349C58E3A111}
    Filename: winsflt.dll

    Protocol 4: RSVP TCP Service Provider
    GUID: {D32D899F-8550-4992-A946-B2CC2B69DD75}
    Filename: winsflt.dll

    Protocol 5: MSAFD Tcpip [TCP/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\msafd.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 6: MSAFD Tcpip [UDP/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\msafd.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 7: MSAFD Tcpip [RAW/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\msafd.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip[*]

    Protocol 8: RSVP UDP Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 9: RSVP TCP Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0B613B07-A34C-4B52-9EE3-9CDBCDD6F2EF}] SEQPACKET 0
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\msafd.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0B613B07-A34C-4B52-9EE3-9CDBCDD6F2EF}] DATAGRAM 0
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\msafd.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A3466ACD-D900-4CE0-8A07-93EEC8895374}] SEQPACKET 1
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\msafd.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A3466ACD-D900-4CE0-8A07-93EEC8895374}] DATAGRAM 1
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\msafd.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{67630850-E1F1-4FF2-BEC2-A772321452BA}] SEQPACKET 2
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\msafd.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{67630850-E1F1-4FF2-BEC2-A772321452BA}] DATAGRAM 2
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\msafd.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7D459AF6-EE81-4557-A9CC-34B5E71948CC}] SEQPACKET 3
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\msafd.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7D459AF6-EE81-4557-A9CC-34B5E71948CC}] DATAGRAM 3
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\msafd.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2BF05593-7504-4598-BD8E-A5E7900B710F}] SEQPACKET 4
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\msafd.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2BF05593-7504-4598-BD8E-A5E7900B710F}] DATAGRAM 4
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\msafd.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 20: LAYERED_PROVIDER
    GUID: {5A81F161-AF30-A1CF-8927-00AA90359F1D}
    Filename: winsflt.dll

    Namespace Provider 0: Tcpip
    GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
    Filename: %SystemRoot%\System32\rnr20.dll
    Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: TCP/IP

    Namespace Provider 1: NTDS
    GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
    Filename: %SystemRoot%\System32\winrnr.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\winrnr.dll
    DB protocol: NTDS

  4. #14
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Default

    Hmmm the only LAYERED_thing is this:
    Protocol 20: LAYERED_PROVIDER
    GUID: {5A81F161-AF30-A1CF-8927-00AA90359F1D}
    Filename: winsflt.dll
    But the filename is different, so Spybot shouldn't flag it.

    Maybe Yodama came up with that name since there has been an email about it as well (I seem to remember seeing one in an inbox). Can't find anything about winsflt.dll though - shouldn't be detected that way will have to look depper
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  5. #15
    Junior Member
    Join Date
    Dec 2006
    Posts
    10

    Default same answer as Timzak....

    1. Am using Spybot - Search & Destroy version: 1.4 (build: 20050523)

    2. Could not find any mswsck32 in computer or in text file from spybot.

    3. The only thing I found was a about "layered_......" Se below:

    Protocol 16: LAYERED_PROVIDER
    GUID: {5A81F161-AF30-A1CF-8927-00AA90359F1D}
    Filename: winsflt.dll

    ---------------------------
    I tried a few online scanners.
    Symantec= No Cimuz
    PandaSoftware= No Cimuz
    McAffe= No Cimuz

    Windows Defender or Lavasoft adaware doesnt find Cimuz.

    I got an answer from F-secure:

    "This is most likely a false alarm. Please locate the file that is
    detected as Cimuz by Spybot S&D and send this file to us for checking.
    If you can't send the file please at least send the Spybot's scanning
    report file where the name and location of an infected file can be seen."



    I do hope that this can help Spybot finding an answer.

    Regards

    Mr H

  6. #16
    Junior Member
    Join Date
    Dec 2006
    Posts
    10

    Default With F-secure Internet security 2007 = NO cimuz!

    I tried the 2007 30days full Demo.

    With 2007: spybot finds no Cimuz.
    With 2006: it does.

    hmmm...... time to upgrade f-secure maybee?

  7. #17
    Junior Member
    Join Date
    Dec 2006
    Posts
    7

    Default

    hvtemp,

    Like I said, this detection only occurs after the latest definitions update from Spybot. The previous definitions did not detect "Cimuz" even though I've been using F-Secure for months. I'm pretty sure it is correctable on Spybot's end. My version of F-Secure is bundled from my cable provider, and I don't have the budget to purchase my security suite if one is being offered me at no additional cost, so I am not at liberty to choose to pay for the 2007 version. Hopefully the fellows here can confirm to us if it is a false positive or not so we can know which direction to take.
    Last edited by timzak; 2006-12-29 at 02:48.

  8. #18
    Junior Member
    Join Date
    Dec 2006
    Posts
    1

    Default

    So for those of us that don't have a backup, and who now have no interenet connection after removing this false positive, does anyone have any suggestions for how to fix it?

  9. #19
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    cmcnulty:

    Unless you are indicating that you have changed the default setting in Spybot to "Create backups of fixed spyware problems for easy recovery", try going into Spybot-Search & Destroy > Recovery (left pane) > locate the "Backup" for the item that you removed in the right pane (expanding the recovery item if necessary with the [+]) and check it > then click the "Recover selected items" button at the top of the right pane.
    Last edited by md usa spybot fan; 2006-12-30 at 19:24.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  10. #20
    Junior Member
    Join Date
    Dec 2006
    Posts
    7

    Default

    Quote Originally Posted by md usa spybot fan View Post
    cmcnulty:

    Unless you are indicating that you have changed the default setting in Spybot to "Create backups of fixed spyware problems for easy recovery", try going into Spybot-Search & Destroy > Recovery (left pane) > locate the "Backup" for the item that you removed in the right pane (expanding the recovery item if necessary with the [+]) and check it > then click the "Recover selected items" button at the top of the right pane.
    Just an FYI, but I have "Create backups of fixed spyware problems for easy recovery" ENABLED, but when I had Spybot remove Cimuz (and lost my internet connection), it did NOT show up as a recoverable item on the Spybot Recovery page. That was the first thing I tried after discovering I lost my internet connection. I was fortunate to have a system backup to fall back on.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •