Fixed: Spybot detecting SiteAdvisor as perfect keylogger

kasputer

New member
Hello

I recently removed malware from my computer with help from the forum (thanks!). I installed SiteAdvisor, WinPatrol etc. as recommended. Spybot detected SiteAdvisor as a perfect keylogger. Is this a false positive? I would be grateful if you could let me know.

Regards
Kasputer
 
Please make sure to fully update Spybot S&D and restart your computer to make sure that this issue is not related to outdated detection rules which may have been fixed in the past.

If the detection of SiteAdvisor should reoccur, please provide more information as stated here.
 
Hello

Thank you. I think SD helper had shown the information as a popup.
I terminated the process. After that I uninstalled SiteAdvisor, updated Spybot yesterday (7/28) and did a scan which found no threats. Here is the detailed information requested.

I would be grateful if you could let me know if the computer is safe to use.

Regards
Kasputer

Operating System is Windows XP Media Center 1995-2002
Browser was IE 8
Version of Spybot is 1.6.2
Last update (before SD helper showed process as perfectkeylogger) was 7/22
False positive occurred in SD Helper popup. This is the information in the report:

7/28/2010 10:38:45 PM Encountered and terminated PerfectKeylogger in c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe!


LONGER VERSION OF REPORT OF 7/28 CHANGES IS

7/28/2010 12:30:27 PM Allowed (based on user decision) value "{53707962-6F74-2D53-2644-206D7942484F}" (new data: "") deleted in Browser Helper Object!
7/28/2010 12:30:40 PM Allowed (based on authenticode whitelist) value "{53707962-6F74-2D53-2644-206D7942484F}" (new data: "") added in Browser Helper Object!
7/28/2010 9:56:12 PM Allowed (based on user decision) value "Local Page" (new data: "C:\WINDOWS\system32\blank.htm") changed in Browser page!
7/28/2010 10:01:38 PM Allowed (based on user decision) value "NoIE4StubProcessing" (new data: "C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f") added in System Startup global entry!
7/28/2010 10:19:29 PM Allowed (based on user decision) value "NoIE4StubProcessing" (new data: "") deleted in System Startup global entry!
7/28/2010 10:22:56 PM Allowed (based on user decision) value "ITBar7Height" (new data: "25") added in User-specific browser toolbar!
7/28/2010 10:32:48 PM Allowed (based on user decision) value "{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}" (new data: "McAfee SiteAdvisor") added in Global browser toolbar!
7/28/2010 10:38:18 PM Allowed (based on user decision) value "{B164E929-A1B6-4A06-B104-2CD0E90A88FF}" (new data: "") added in Browser Helper Object!
7/28/2010 10:38:29 PM Allowed (based on user decision) value "{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}" (new data: "") added in Internet Explorer searches!
7/28/2010 10:38:44 PM Allowed (based on user decision) value "WinPatrol" (new data: "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot") added in System Startup global entry!
7/28/2010 10:38:45 PM Encountered and terminated PerfectKeylogger in c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe!
7/28/2010 11:07:27 PM Allowed (based on user decision) value "{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}" (new data: "") deleted in Global browser toolbar!
7/28/2010 11:07:52 PM Allowed (based on user decision) value "{B164E929-A1B6-4A06-B104-2CD0E90A88FF}" (new data: "") deleted in Browser Helper Object!
7/28/2010 11:07:55 PM Allowed (based on user decision) value "{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}" (new data: "") deleted in Internet Explorer searches!
 
hello,

thank you for providing the requested information.

It appears that the TeaTimer has falsely flagged the mcsacore.exe.

To prevent this from happening in the future, I have added the file's digital signature to our whitelist. This will be effective with the next detection update to be released on Wednesday 2010-08-04. The TeaTimer will have to be restarted after the update.
 