
Trojan Or False Positive?


13 replies to this topic

#1 Wendy K. Walker


Posted 19 February 2008 - 05:52 PM

Hi Everybody,

I was trying to help someone with a browser hijacker problem in one of the other forums. While doing that I downloaded a new free program to see how it worked because I was recommending to them that they install some such programs if they didn't already have any.

Anyway I downloaded it, updated it and let it run. When it had finished running it made an evil sounding noise and told me that my system is infected with a couple of Trojans. :flowers:

Normally, as paranoid as I am about those things, I would have panicked over such a revelation. However, as this program told me that I had to BUY the paid version before it could REMOVE the threats... but offered me the option to FIX said problem, I'm wondering if the report of Trojans is just a sham false positive to get me to buy their product.

I have several other Anti Ad\Spyware programs that I run every couple of days and none of them have picked up any Trojans.

I haven't taken any action on those buggers yet as I wanted to see if there is a way that I can check to see if those suckers are really threats on my system or just a marketing tool used by that company.

I'm attaching a screen shot of what that program said that it found for you to look at.

Thanks for any information on this.

Wendy

EDITED: In a moment of blondness I posted this without the picture attached so here it is. :thumbsup:
SECOND EDIT!; *RATS! blushing with embarrassment Can you believe that I just did it a second time?* Wendy
THIRD EDIT: The image seems to be a little blurred so here's a direct link to the picture --> https://ssl-proxy-updated.herokuapp.com/52ac93864926457943a8a65ceb31c68f4a1d09d2/687474703a2f2f696d673232312e696d616765736861636b2e75732f696d673232312f313138392f6263317565392e6a7067/ Wendy
Posted Image

Edited by Wendy K. Walker, 19 February 2008 - 06:35 PM.

TRUST NO ONE...! EXCEPT For The Beloved Computer Geek Helping You In The MALWARE FORUMS.

Do Unto Others Before They Have A Chance To Do Unto You.

HP Pavilion 512n [Rescued from a pile of trash on the side of the road] 128 MB SDRAM, 60 GB Hard Drive, Windows XP, Home Edition, SP3, COMODO Anti Virus and Firewall.



#2 jgweed


Posted 19 February 2008 - 06:15 PM

Wendy, I don't see the picture. If you could tell us what the application is called, I am sure we could determine whether it was legitimate or not.
Thanks,
John
Whereof one cannot speak, thereof one should be silent.

#3 Wendy K. Walker

Topic Starter

Posted 19 February 2008 - 06:28 PM

Hi jgweed, Thanks for the amazingly quick reply.

Check it out again, and please read my edit at the bottom of the post... God I'm feeling super blond today!

Wendy
TRUST NO ONE...! EXCEPT For The Beloved Computer Geek Helping You In The MALWARE FORUMS.

Do Unto Others Before They Have A Chance To Do Unto You.

HP Pavilion 512n [Rescued from a pile of trash on the side of the road] 128 MB SDRAM, 60 GB Hard Drive, Windows XP, Home Edition, SP3, COMODO Anti Vitus and Firewall.

#4 jgweed


Posted 19 February 2008 - 06:57 PM

It is very readable if you click on the image and enlarge it.
Thanks,
John

#5 boopme

Global Moderator

Posted 19 February 2008 - 07:59 PM

Hello Wendy, you've grabbed a beauty there.
Trojan.PWS.Tanspy will install itself on to an infected computer as a Browser Helper Object (BHO). This Trojan will then be activated each time an instance of Internet Explorer is launched and will attempt to steal passwords.
Type: Keylogger, Trojan
Trojan.Generic: common components that may be used by Trojans Small, DRSN Search, Binet, Euniverse, Adrotator and Dloader among others.

Tanspy is an infostealer, and as such they are very dangerous. Although you may still have to go thru HiJackThis, as I am looking up the possibility of complete removal. These infostealers can be bad enough that only a reformat and reinstall of the OS can promise you a secure computer.
Please do this first. So we can see what it finds.

Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from its icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post the log and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 Wendy K. Walker

Topic Starter

Posted 20 February 2008 - 12:30 AM

Hi boopme, Thanks for the reply.

OK, now things have gotten even weirder. Well not really as I actually think that the PC Tools Spyware Doctor is tossing up some false positives here.

I already have the two items that you recommended and I use them regularly too. However, I made sure that I had the latest updates installed, then snuck over into Safe Mode and followed your instructions. I ran ATF first, then ran SuperAntiSpyware, then after it was done I ran SpyWare Doctor again. When I started SpyWare Doctor it tossed up a nag screen complaining that it ought NOT to be run in Safe Mode, but I ran it nonetheless.

OK SuperAntiSpyware came up clean, as you can see in the log below, HOWEVER, SpyWare Doctor found the same infections that it had found the first time around PLUS several more nasty items as you can see in the pic below.

I'm still inclined to be thinking those are false positives, however, I don't want to be taking any chances, especially with PW Stealing Trojans as I have recently stumbled across some kiddy porn on Yahoo 360, reported it to Yahoo, and to the FBI... THEN I found a heavy duty tracking cookie on my system when I had scanned it that night.

So now I'm asking for your recommendation... what to do about the things that SpyWare Doctor claims to have found?


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/20/2008 at 03:37 AM

Application Version : 3.9.1008

Core Rules Database Version : 3406
Trace Rules Database Version: 1398

Scan type : Complete Scan
Total Scan Time : 01:20:38

Memory items scanned : 235
Memory threats detected : 0
Registry items scanned : 4704
Registry threats detected : 0
File items scanned : 38406
File threats detected : 0


Direct link to picture --> https://ssl-proxy-updated.herokuapp.com/01b6f5a1f642aca755f891de82b630c62d7eb2c6/687474703a2f2f696d673135332e696d616765736861636b2e75732f696d673135332f343533352f6263316e75372e6a7067/

Posted Image

Thanks for any help.

Wendy

#7 quietman7

Global Moderator

Posted 22 February 2008 - 09:33 AM

Wendy K. Walker is in the process of posting a HijackThis log. I have just moved a separate topic with that log to the Misplaced logs forum and will provide further instructions from there.

To avoid confusion, this thread is closed.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#8 Animal

Site Admin

Posted 22 February 2008 - 10:44 PM

HJT log was withdrawn at Wendy K. Walker's request. Thread reopened at her request as well.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)



#9 quietman7

Global Moderator

Posted 22 February 2008 - 11:22 PM

I closed your other thread where you posted a RKR log. As I said there, please do not start new threads or duplicate topics as this causes confusion.

RKR scans the HKLM\Security\Policy hive which contains SAC* and SAI* hidden keys with embedded (trailing) nulls. This is normal and not a cause for alarm. The presence of some keys with nulls may be pertinent to the correct operation of related applications. See RKR 1.71 and HKLM\Security\Policy\Secrets. Also see "Info on common log entries" such as:

SoftwareDistribution\DataStore
WinGenerics
ODBCINST Entries
Data Mismatches
InprocServer32/embedded nulls
Zero Bytes
Daemon Tools and Alcohol software entries
Cryptography\RNG\Seed\
System Volume Information\_restore <- there is a link that explains this (the last entry you were concerned about)

Spyware Doctor appears to only be finding a few registry entries. There is no indication of any files or path to where they may be located. In your second screenshot, it also found evidence of NirCmd. It seems you used an older version of Combofix in the past as several of the registry entries are related to that tool. NirCmd is a command-line utility that allows writing to and deletion of values and keys in the registry. See NirCmd - Freeware command-line tool.

If you're using a trial version of Spyware Doctor that will not remove anything unless you pay for it, then you can remove it and switch to the free Spyware Doctor Starter Edition.
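As an added example (mine, not from the thread and not part of Sysinternals RootkitRevealer), here is a small Python triage helper that applies the "common log entries" list in the post above to RKR-style discrepancy lines. It marks the entries the post calls normal (SAC*/SAI* keys under HKLM\Security\Policy\Secrets with embedded nulls, SoftwareDistribution\DataStore, ODBCINST entries, Cryptography\RNG\Seed, System Volume Information\_restore) as known-benign and leaves everything else flagged for a human to look at. The tab-separated column layout (path, timestamp, size, description) is an assumption about the log format, and every sample line below is constructed, with placeholder file names rather than real paths.

```python
"""Triage of RootkitRevealer-style discrepancy lines against known-benign patterns.

Added example; not from the BleepingComputer thread and not part of RootkitRevealer.
Assumed log layout: one tab-separated line per discrepancy
(path, timestamp, size, description). Sample lines are constructed.
"""
import re
from dataclasses import dataclass

# Path patterns the post lists as normal, each with the reason given there.
KNOWN_BENIGN = [
    (re.compile(r"^HKLM\\SECURITY\\Policy\\Secrets\\SA[CI]\*?", re.I),
     "LSA SAC*/SAI* keys with embedded trailing nulls; normal"),
    (re.compile(r"\\SoftwareDistribution\\DataStore\\", re.I),
     "Windows Update datastore entries"),
    (re.compile(r"\\ODBCINST\.INI\\", re.I), "ODBCINST entries"),
    (re.compile(r"\\Cryptography\\RNG\\Seed$", re.I), "RNG seed value"),
    (re.compile(r"\\System Volume Information\\_restore", re.I),
     "System Restore point data"),
]


@dataclass
class Finding:
    path: str
    description: str
    verdict: str  # "known-benign" or "review"
    reason: str


def parse_line(line: str):
    """Split one log line into (path, description); None for malformed lines."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 4 or not parts[0]:
        return None
    return parts[0].strip(), parts[3].strip()


def triage(line: str):
    """Classify one line: known-benign if its path matches the list, else review."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    path, description = parsed
    for pattern, reason in KNOWN_BENIGN:
        if pattern.search(path):
            return Finding(path, description, "known-benign", reason)
    return Finding(path, description, "review",
                   "not in the common-entries list; post the line for a helper to check")


def triage_log(text: str):
    """Triage every well-formed line of a log."""
    return [f for f in (triage(l) for l in text.splitlines()) if f is not None]


def summarize(findings):
    """Count verdicts so the reader sees at a glance how much needs a human."""
    counts = {"known-benign": 0, "review": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


# Constructed sample log (not a real scan); GUID and file names are placeholders.
SAMPLE_ROWS = [
    (r"HKLM\SECURITY\Policy\Secrets\SAC*", "2/23/2008 12:00 AM", "0 bytes",
     "Key name contains embedded nulls (*)"),
    (r"HKLM\SECURITY\Policy\Secrets\SAI*", "2/23/2008 12:00 AM", "0 bytes",
     "Key name contains embedded nulls (*)"),
    (r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed", "2/23/2008 12:00 AM", "80 bytes",
     "Data mismatch between Windows API and raw hive data."),
    (r"C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP1\A0000001.exe",
     "2/23/2008 12:00 AM", "12.00 KB", "Hidden from Windows API."),
    (r"C:\WINDOWS\system32\PLACEHOLDER-unknown.sys", "2/23/2008 12:00 AM", "24.00 KB",
     "Hidden from Windows API."),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS)

if __name__ == "__main__":
    findings = triage_log(SAMPLE_LOG)
    for f in findings:
        print(f"{f.verdict:13} {f.path}  <- {f.reason}")
    print(summarize(findings))
```

The point of the helper is to shrink the pile, not to clear it: a line marked "review" is not a verdict of infection, only something the list does not explain, which is exactly the kind of entry the thread asks people to post for a helper to look at.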

#10 Wendy K. Walker

Topic Starter

Posted 23 February 2008 - 12:50 AM

Hi Animal, Thanks for your assistance.

Hi quietman7, Thanks for the reply.

Sorry about all of the confusion... I didn't realize that the RKR log was related to the topic of this thread.

As for NirCmd, I checked out the link that you gave me and that is not a tool that I would have downloaded nor installed, as I am a long way from being comfortable when it comes to mucking about in the Registry or writing values into any INI file.

Where would I look to see if that NirCmd utility is actually on my system so that I can kick that little bugger to the curb?

As for that PC Tools SpyWare Doctor utility goes it was the 'Free' one. The main reason that I don't trust the results that it came up with is because it won't cure any problem that it finds unless you pay for the full version.

Well then too there's also the fact that NONE of the other Anti Ad\Spyware utilities that I've been running, and have run since I ran SpyWare Doctor, have found anything at all to report...

Oh, and it hasn't been more than a month since I had had to do a recovery install of Windows... so how would that NirCmd thingy have gotten on my system seeing as how I haven't downloaded it and I'm the only Admin account on my machine?

As for the Combofix utility, yes I had used it prior to having done that recovery that I just spoke of... hey wait a minute here are Combofix and NirCmd by any chance related to each other?

I'm off to do some reading at that RKR link that you gave me now.

Thanks for any help here guys.

Wendy

#11 quietman7

Global Moderator

Posted 23 February 2008 - 11:38 AM

As for that PC Tools SpyWare Doctor utility goes it was the 'Free' one.

I was not aware you were using the free version of SD and that it will not fix everything it detects without upgrading to a paid version. If that's the case, I will no longer recommend it.

NirCmd is used in the ComboFix tool.

#12 Wendy K. Walker

Topic Starter

Posted 24 February 2008 - 01:08 AM

Hi quietman7, Thanks for the reply.

Yes, I was giving the 'Free' edition a test run because I was recommending it to someone else and I wanted to see how it worked.

Once I had made that first run with it and it announced the fact that although it had found that crud-ware, it couldn't fix any of it, UNLESS I were to BUY the paid version.

Anyway, that was why I was wondering if what it was showing was actually some sort of Trojan or just their sleazy way of selling their product by showing a bunch of false positives.

Anyway, at this point I don't know why they aren't listed on Spyware Warrior's Rogue/Suspect Anti-Spyware & Web Site List.

And if NirCmd is used in the ComboFix tool why the heck would they pick it up as some sort of Trojan anyway? I had an old copy of ComboFix that I had tried to run awhile back but it told me that it had expired when I had tried to run it and then just politely took its icon and disappeared off of my system.

Are you up to date on the information in this topic?--> http://icrontic.com/forum/showthread.php?t=54508 <--seems like I remember seeing something about that awhile back and I'm wondering if they ever got that problem fixed.



Thanks

Wendy

#13 quietman7

Global Moderator

Posted 24 February 2008 - 07:36 AM

That issue in the Icrontic Forums link you provided was resolved months ago. The first posting was dated 02/15/07. The tool was pulled until sUBs was able to come up with an effective solution which he did.

Combofix is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

...and if NirCmd is used in the ComboFix tool why the heck would they pick it up as some sort of Trojan anyway?

I thought I already explained that. ComboFix or some of its embedded files like NirCmd may be flagged as malware by some anti-virus/anti-malware programs for a variety of reasons, to include its compiler, the files it uses, registry fixes and malware strings it contains. These files may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool" or even "malware (virus/trojan)" when that is not the case.

Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. Potentially unwanted does not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "False Positive".

#14 Wendy K. Walker

Topic Starter

Posted 24 February 2008 - 08:16 PM

Hi quietman7,

I was thinking that such was the case with ComboFix. I know that I had used it in a HJT fix once way back. Thanks for the enlightenment on the NirCmd. Now it won't upset my nervous system if I run across references to it in the future.

Oh no... I might run that utility just to see what it kicks up... that's how I discovered that my Repair Console was missing, but no way in heck am I going to be trying to fix anything that it comes across without someone guiding me through what I'm doing.

I'm off to read that disclaimer now.


Thanks Again.

Wendy

Edited by Wendy K. Walker, 24 February 2008 - 08:21 PM.




