Hi,
I have recently removed some viruses from my machine. I have:
- updated Spybot S&D, Ad-Aware, eZTrust AntiVirus
- updated anything and everything related to Micrsoft that I can find
- run the Housecall online scan
All of these say I have no infections. However, when I run the online PestPatrol, it says I have the following:
SystemSpy - Keylogger
Fake CD .99 - Cracking Tool
Ezula Toptext - Adware
Ezula Adware - Adware
BonziBuddy - Spyware
TribalFusion - Tracking Cookie
com.com - Tracking Cookie
FalKag - Tracking Cookie
About.com - Tracking Cookie
Why do these show up in PestPatrol but not anywhere else? When I look at how to manually remove them, I can't find them in the path they suggest.
Are these real? Do I need to worry about any of these?
Thanks for all of your help,
kpalys
Full Version: PestPatrol
When you check the path, does it look like they are stored in some application's virus vault? You might want to check their quarantine vaults out and delete the contents.
Cheers,
John
Cheers,
John
I dont see it in the bad list. Look here this is a list of all the bad ones and it gives details about how they lie and such:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Security -> AntiVirus, Firewall and Privacy Products and Protection Methods -> PestPatrol
IMO, these are darn good questions, kpalys and very appropriate ones to consider when dealing with what we do predominately here.
It just so happens that I am studying the winXPpro registry. A thread I'm working on regarding the SP2 installation factors has led to the end to do do. As often is the case, one question leads to another. Due to the focus of my training in HJT log analysis & the need for understanding of windows in general, I have also side-tracked other things I usually use my computer to help me in doing. Because of this, several dozen applications remain presently in a download folder or on CDs off to the side of my PC. One of them is PestPatrol, which I won in a drawing here at bleepingcomputer.com. BTW, you have a chance at the next one, so I encourage you to sign-up. When I had PestPatrol up & running, I found it to be effective. I like the eTrust database access. I do have other programs in place that I recommend, and they are free. Combining them on any PC will provide excellent coverage against problems encountered online. I did experience some unusual difficulties installing it the first time, which email response from PestPatrol confirmed I had a typical misunderstanding about how the information given on the install disk might be interpreted. OK. Then I founf at about the second week of operation a CWS MS Google infection had been found. As I study these matters, and that particular CWS infection was not one identified by the creator of CWS Shredder, I wondered and sure enough, a day and a lotta searchin' later I found that it most likely was a false positive. PestPatrol was just recently bought-out by another company, CA so I figured some changes might be temporarily effecting things as they can at times like this. PestPatrol is one of very few rated highly at a trusted site dealing with this issue of rogue anti-spyware software programs.
I do like recommending online sites in general due to a few reasons. They tend to update the definitions faster than anyone else. Many people are unaware of these services and should know of them. PestPatrol does not cleanup, it recommends. That is all. Trendmicro and Pandasoftware are a couple others, and my favorite is BitDefender as it states the following: BitDefender Scan Online is a fully functional antivirus product, with a web-based interface and featuring all required elements for remotely antivirus scanning and cleaning: it scans system's memory, all files, folders and drives' boot sector, providing the user with the option to automatically clean the infected files. It is nice enough to include this simple statement: The BitDefender ScanOnLine Service currently supports only the ActiveX enabled browsers. This makes it unavailable for the Netscape family browsers.
I do not like to recommend online sites in general due to a few reasons. Curiously enough, none of then work in browsers that are not Internet Explorer. IE has several known vulnerabilities that have prompted me to discontinue using it on a daily basis, partly because of this, partly because I don't prefer to have a whole bunch of activeX downloads that IE enables, and partly because it's a slow, pondersome thing that wastes my time waiting for it to tell me about the progress it's making towards resolving websites when Firefox would already have been finished long before I get the "done" from it. I do not like to recommend that a user who is having difficulties online or with malware go wade through the steps & time they require to be able to have a company tell them what might be wrong. It takes patience and time to do them the first time. I do not like having to deal with the "encouragement" to buy the products these companies want to sell me, either, and ya get that being at their sites. I don't like the links to gawd-only-knows how many previous manifestations of crapware there have been incidences of, nor do I like being made afraid of the internet because of those jerks. I do not feel i should be expected to pay for their mistakes, even though I do in the time it takes to understand what it is they do. To pay even more for products designed to save me the time of fully understanding the problem makes me even madder.
Well, with that in mind, I felt compelled to do some more research into the question you asked.
First, I made the mistake of going to the site in Firefox. Whoops, I forgot. Some of the sites wil allow a download of a Java Runtime Environment-compatible applet so the scans will work, but it's easier (faster) to just close the browser & somewhat reluctantly open the "other" browser.
The process began at 5:11pm P.S.T. November 20th, 2004. It is now 7:30pm. Don't panic, I type slow and I made some screenshots along the way. Had to upload them to the web photo-host, Photobucket so we could see just what this online scan is all about.
1. Gotta get past some roadblocks, temporary I hope
2. I clicked the auto-popup block bar to read: needs active X
3. I guess my default internet settings for IE require this, also
4. I get it again, when going to the next page. hmmm
5. Resident protection alerts me to a system change. I like that
6. and another one Looks like the activeX involves several registry changes. Who knows how many .exe files. Other files. Location unknown, and without filenames, search impossible. Beginning yet another topic for discussion about online scans. We see them in evidence in areas known for scandalous behavior as identified by HJT, so it's a reminder to research your downloads b4 ya' do 'em. In this case spywareBlaster identifies them as OK, for the time being at least. New updated definitions have been known to change the status of any particular registry entries, however. Another topic... some companies change sides, according to some experts.
7. OK, having allowed the changes, Here is the main screen It has changed since I last visited it a month ago. I didn't much like the former one, so I recall somewhat how it was. This is different. It's been 20 minutes getting here.
8. Scan begins with immediate results. Not as many as your's, kpalys, but I too have a "clean machine". The scan continues for five minutes.
9. done I have a key logger & a cracking tool. Well, I guess. I click the files, to see as you stated the location of these damned items. Odd. I can't see the entire location. That's by design.
10. What Now? Learn More. Buy Now. these are my options. Click these buttons or two other links to find out the valuable services offered. This is known in marketing as subtle persuasion, and it is a few notches down the rating charts from "goads" or "blatent disinformation" it should be duly noted. It also has another effect, that being one I briefly mentioned regarding the location of the (?) files now part of my system. The search, or more precisely, the "RUN" regedit. Then search, manually for another thing that caught my eye. Those "partially revealed" locations. The ones where the BAdGUys at at, according to this. It's a start.
11. where does all the time go?
12. Here lies a couple hundred thousand entries. Now, what was the beginning of those badfilepathnames er..reg key entryypaths ah..locations?
HKEY_LOCAL MACHINE\Software\Microsoft\Internet Explorer\Main (I could see) and it has to be in one of three folders:
14. FeatureControl
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33. URL Template The last possible location.
Summary. No conclusions for me as of yet, I'm sorry to say. I may yet come to some.
QUOTE
PestPatrol, Does this online scan put in bogus stuff
QUOTE
Are these real? Do I need to worry about any of these?
IMO, these are darn good questions, kpalys and very appropriate ones to consider when dealing with what we do predominately here.
It just so happens that I am studying the winXPpro registry. A thread I'm working on regarding the SP2 installation factors has led to the end to do do. As often is the case, one question leads to another. Due to the focus of my training in HJT log analysis & the need for understanding of windows in general, I have also side-tracked other things I usually use my computer to help me in doing. Because of this, several dozen applications remain presently in a download folder or on CDs off to the side of my PC. One of them is PestPatrol, which I won in a drawing here at bleepingcomputer.com. BTW, you have a chance at the next one, so I encourage you to sign-up. When I had PestPatrol up & running, I found it to be effective. I like the eTrust database access. I do have other programs in place that I recommend, and they are free. Combining them on any PC will provide excellent coverage against problems encountered online. I did experience some unusual difficulties installing it the first time, which email response from PestPatrol confirmed I had a typical misunderstanding about how the information given on the install disk might be interpreted. OK. Then I founf at about the second week of operation a CWS MS Google infection had been found. As I study these matters, and that particular CWS infection was not one identified by the creator of CWS Shredder, I wondered and sure enough, a day and a lotta searchin' later I found that it most likely was a false positive. PestPatrol was just recently bought-out by another company, CA so I figured some changes might be temporarily effecting things as they can at times like this. PestPatrol is one of very few rated highly at a trusted site dealing with this issue of rogue anti-spyware software programs.
I do like recommending online sites in general due to a few reasons. They tend to update the definitions faster than anyone else. Many people are unaware of these services and should know of them. PestPatrol does not cleanup, it recommends. That is all. Trendmicro and Pandasoftware are a couple others, and my favorite is BitDefender as it states the following: BitDefender Scan Online is a fully functional antivirus product, with a web-based interface and featuring all required elements for remotely antivirus scanning and cleaning: it scans system's memory, all files, folders and drives' boot sector, providing the user with the option to automatically clean the infected files. It is nice enough to include this simple statement: The BitDefender ScanOnLine Service currently supports only the ActiveX enabled browsers. This makes it unavailable for the Netscape family browsers.
I do not like to recommend online sites in general due to a few reasons. Curiously enough, none of then work in browsers that are not Internet Explorer. IE has several known vulnerabilities that have prompted me to discontinue using it on a daily basis, partly because of this, partly because I don't prefer to have a whole bunch of activeX downloads that IE enables, and partly because it's a slow, pondersome thing that wastes my time waiting for it to tell me about the progress it's making towards resolving websites when Firefox would already have been finished long before I get the "done" from it. I do not like to recommend that a user who is having difficulties online or with malware go wade through the steps & time they require to be able to have a company tell them what might be wrong. It takes patience and time to do them the first time. I do not like having to deal with the "encouragement" to buy the products these companies want to sell me, either, and ya get that being at their sites. I don't like the links to gawd-only-knows how many previous manifestations of crapware there have been incidences of, nor do I like being made afraid of the internet because of those jerks. I do not feel i should be expected to pay for their mistakes, even though I do in the time it takes to understand what it is they do. To pay even more for products designed to save me the time of fully understanding the problem makes me even madder.
Well, with that in mind, I felt compelled to do some more research into the question you asked.
First, I made the mistake of going to the site in Firefox. Whoops, I forgot. Some of the sites wil allow a download of a Java Runtime Environment-compatible applet so the scans will work, but it's easier (faster) to just close the browser & somewhat reluctantly open the "other" browser.
The process began at 5:11pm P.S.T. November 20th, 2004. It is now 7:30pm. Don't panic, I type slow and I made some screenshots along the way. Had to upload them to the web photo-host, Photobucket so we could see just what this online scan is all about.
1. Gotta get past some roadblocks, temporary I hope
2. I clicked the auto-popup block bar to read: needs active X
3. I guess my default internet settings for IE require this, also
4. I get it again, when going to the next page. hmmm
5. Resident protection alerts me to a system change. I like that
6. and another one Looks like the activeX involves several registry changes. Who knows how many .exe files. Other files. Location unknown, and without filenames, search impossible. Beginning yet another topic for discussion about online scans. We see them in evidence in areas known for scandalous behavior as identified by HJT, so it's a reminder to research your downloads b4 ya' do 'em. In this case spywareBlaster identifies them as OK, for the time being at least. New updated definitions have been known to change the status of any particular registry entries, however. Another topic... some companies change sides, according to some experts.
7. OK, having allowed the changes, Here is the main screen It has changed since I last visited it a month ago. I didn't much like the former one, so I recall somewhat how it was. This is different. It's been 20 minutes getting here.
8. Scan begins with immediate results. Not as many as your's, kpalys, but I too have a "clean machine". The scan continues for five minutes.
9. done I have a key logger & a cracking tool. Well, I guess. I click the files, to see as you stated the location of these damned items. Odd. I can't see the entire location. That's by design.
10. What Now? Learn More. Buy Now. these are my options. Click these buttons or two other links to find out the valuable services offered. This is known in marketing as subtle persuasion, and it is a few notches down the rating charts from "goads" or "blatent disinformation" it should be duly noted. It also has another effect, that being one I briefly mentioned regarding the location of the (?) files now part of my system. The search, or more precisely, the "RUN" regedit. Then search, manually for another thing that caught my eye. Those "partially revealed" locations. The ones where the BAdGUys at at, according to this. It's a start.
11. where does all the time go?
12. Here lies a couple hundred thousand entries. Now, what was the beginning of those bad
HKEY_LOCAL MACHINE\Software\Microsoft\Internet Explorer\Main (I could see) and it has to be in one of three folders:
- ErrorThresholds
- FeatureControl
- URL Template
14. FeatureControl
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33. URL Template The last possible location.
Summary. No conclusions for me as of yet, I'm sorry to say. I may yet come to some.
- As is the case in other software programs written for the purpose of disclosing the whereabouts of crummy files , this one may be finding things that are/are not yet crummy. SP2 changed my registry in ways I am not certain of at this time. For obvious reasons... I'm not that savvy to details of this kind, yet.
- The search for more information is a valid approach to problem-solving, and so I can't exactly fault PestPatrol in that regard.
- Microsoft itself has mysterious methods and often will add things that are to be fully implemented in future updates or in their ongoing improvements of their OS versions in general. We may be lookin' at something the Longhorn OS version will make a reality, as near as I can tell
- Nothing that says: "I'm a cracker or bad tastin' saltine" stands out to me at this hour (9:55pm)
- We pay to play.
Hi,
I found the quantine logs for Ad-Aware and deleted them. When I re-ran Pest Patrol the TribalFusion and Falkag were gone and a new one showed up. I'm not sure where or how else to look for Spybot S&D or other logs and what to delete.
Thanks,
I found the quantine logs for Ad-Aware and deleted them. When I re-ran Pest Patrol the TribalFusion and Falkag were gone and a new one showed up. I'm not sure where or how else to look for Spybot S&D or other logs and what to delete.
Thanks,
Spybot files can be removed by opening the program. Click "recovery". Choose "purge". OK the choice. 
Thanks for the reply. I purged the spybot files, rebooted and re-ran pest patrol. What I now see:
SystemSpy - Keylogger
Fake CD .99 - Cracking Tool
Ezula Toptext - Adware
Ezula Adware - Adware
BonziBuddy - Spyware
com.com - Tracking Cookie
About.com - Tracking Cookie
I've submitted an HJT log this morning because of another question I had. Will an analysis of that help answer the above?
Kathy
SystemSpy - Keylogger
Fake CD .99 - Cracking Tool
Ezula Toptext - Adware
Ezula Adware - Adware
BonziBuddy - Spyware
com.com - Tracking Cookie
About.com - Tracking Cookie
I've submitted an HJT log this morning because of another question I had. Will an analysis of that help answer the above?
Kathy
They should be able to take care of those, in the HJT post.
I still think these two still may be debatable.
SystemSpy - Keylogger
Fake CD .99 - Cracking Tool
The others Ezula & Bonzi might show up in HJT logs as something, if not precisely them.
You may choose to clean your system further, as a habit, using these two techiques.
Reboot your computer into Safe Mode by tapping F8 until the screen appears where you can use the up arrow to choose safe mode. Hit enter.
Delete Temp Files
To clean out your temp files use: Start-->Run-->type in: %temp% and press the ok button. This should open up the temp directory that your machine uses. Please delete all files and folders found in the temp folder. If you get an error when deleting a file, skip that file and delete all the others. Doing this in Safe Mode you should be able to delete all the files.
Reboot your computer to go
back to normal mode. Note: you may do this all
in normal mode if it is easier for you.
Start-->Run-->type in:
cleanmgr and press the ok button.
You get this box:
Ticking all boxes should pose no problem.
Delete Temporary Internet Files
You can also navigate by using Start-->Internet Explorer-->Tools-->Internet Options-->General tab-->Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, but when it is done your Temporary Internet Files will be deleted.
Empty the recycle bin.
SystemSpy - Keylogger
Fake CD .99 - Cracking Tool
The others Ezula & Bonzi might show up in HJT logs as something, if not precisely them.
You may choose to clean your system further, as a habit, using these two techiques.
Reboot your computer into Safe Mode by tapping F8 until the screen appears where you can use the up arrow to choose safe mode. Hit enter.
Delete Temp Files
To clean out your temp files use: Start-->Run-->type in: %temp% and press the ok button. This should open up the temp directory that your machine uses. Please delete all files and folders found in the temp folder. If you get an error when deleting a file, skip that file and delete all the others. Doing this in Safe Mode you should be able to delete all the files.
Reboot your computer to go
back to normal mode. Note: you may do this all
in normal mode if it is easier for you.
Start-->Run-->type in:
cleanmgr and press the ok button.
You get this box:
Ticking all boxes should pose no problem.
Delete Temporary Internet Files
You can also navigate by using Start-->Internet Explorer-->Tools-->Internet Options-->General tab-->Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, but when it is done your Temporary Internet Files will be deleted.
Empty the recycle bin.
I followed directions, rebooted and ran the clean manager. After this (and without rebooting) ran Pest Patrol. The exact same list of stuff appeared as before.
Do I wait for the results of the HJT scan or ?
Thanks, Kathy
Do I wait for the results of the HJT scan or ?
Thanks, Kathy
Yes, Kathy, please wait for one of the volunteers to analyze it and recommend what should be done. I glanced at it, you have it right where it belongs. One optional program caught my eye, and I'd likely mention it if I were "doing" your log. The Wild Tangent is a program that is used for downloading games. It is considered by some to be adware. The advertisements may also contain pornographic or other material that you might find inappropriate. A new uninstall tool is now available. You may do that while waiting, and if you do, post a reply to your HJT log post mentioning that. The volunteer will keep it in mind as he/she makes the recommendations. Also, any thing else that pertains to your particular problem, or something you may be unclear on. I still think yours is a good question to keep in mind when considering the bigger picture. Thank you.
Thanks, I'll do that. When I have tried to remove Wild Tangent from Spybot in the past, it has created problems for me. I'll try the new tool and post a new HJT.
Kathy
Kathy
This is what Pest Patrol has to say about: (Fake CD .99 - Cracking Tool)
http://www.pestpatrol.com/PestInfo/f/fake_cd__99.asp
http://www.pestpatrol.com/PestInfo/f/fake_cd__99.asp
Thank-you, Scarlett, I have been kinda busy and hadn't taken the time to read it. Very authoritative, and the format of eTrust's database is a consistantly good method in which to present data. I do not have these files on my PC. I know, for certain. It was recently up-dated, too. November 17, 2004. So the cracking tool on my PC is a 'false positive" No stephanos file. No removal required, but it is identified in the same way kpalys's scan determined her's to have it. That of course leaves us wondering, and well read about the problem ... that isn't a problem. 
Until it is made one.
Until it is made one.
Yeah, after reading the CA site when I first saw the Fake CD .99 and looked for the files they mentioned, I couldn't find them. That's what prompted to ask if they were bogus or not - since CA doesn't correct the problem but suggests you buy their product to remove the items listed. Once I am finished with HJT process and declared clean, I will try re-running PestPatrol and see what happens.
I have to say, I have been amazed at two things:
- the amount of problems there are out there (mine were minor compared to some) and that the requests for help come from all over the world.
- how awesome it is for the HJT team to help us clean up our systems!
kpalys
I have to say, I have been amazed at two things:
- the amount of problems there are out there (mine were minor compared to some) and that the requests for help come from all over the world.
- how awesome it is for the HJT team to help us clean up our systems!
kpalys
I also have this system-keylogger detected by pestcontrol plus 65 other pests were found. the keylogger has frightened me because I do internet banking. Although other software that I used example a2, spybot and adaware don't detect anything.
Because of this I made my own search and I stumbled across this website. I downloaded the trial version and updated and scan my computer. nothing has been detected! TDS
The website is http://tds.diamondcs.com.au/
Because of this I made my own search and I stumbled across this website. I downloaded the trial version and updated and scan my computer. nothing has been detected! TDS
The website is http://tds.diamondcs.com.au/
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.