
False Positive?

Am using NIS 2009 - v 16.5.0135, and decided to try some other AV/AS checkers. Tried Spyware Cease and it reports 14 cases of trojan.win32.buzus.acks.

In doing a Google search, this particular bugaboo is Spyware Cease specific, and I'm wondering whether with downloading and installing this program it added these registry entries, or if they are just false positives, to motivate the user to buy the full version to remove them.

Any info out there?

TIA,

Bob

Replies


Re: False Positive?

Hi -

I think that it would be crazy for the vendor to motivate you in that way.

Let's check ...

1 - Delete Spyware Cease.

2 - Run complete NIS 2009 Full System Scan. Check results.

3 - This Virus is over a year old. NIS 2009 would surely detect it. 

Report back with your findings, here.

BTW  - Where did you download Spyware Cease from?

Message Edited by Compumind on 03-28-2009 09:50 PM
Compumind
NIS 2009, XP-SP3, Vista-SP2, IE 8

Re: False Positive?


Compumind wrote:

I think that it would be crazy for the vendor to motivate you in that way.


In the best of all worlds, that would be nice, however it is not uncommon for that tactic to be used.

Please read this post in its entirety. Zemana was promoting a bogus keylogger test which turned out to be fake. Of course, they were selling very expensive software to "protect" folks from this "threat".

"Anyone who isn't confused really doesn't understand the situation."   Edward R. Murrow

Re: False Positive?

Hi-

Now *that* is shady!

Let's see.

Compumind
NIS 2009, XP-SP3, Vista-SP2, IE 8

Re: False Positive?

I see there are threats that are named similarly, without the last few characters. I also see Spyware Cease is available for download from Cnet (download.com). Hmmmmmm, if it is the same product.

One thing you could try is, once uninstalling Spyware Cease, download Malwarebytes and SuperAntispyware Free, both free to use. Update the definitions, then run full scans.

Both products as free are not realtime so don't interfere with Norton.

If both Norton, Malwarebytes and SuperAntispyware Free  full scans come back clean, then I would say you would be clean.

Quads 

Edit, I will download it tonight and give it a go. 

Message Edited by Quads on 03-29-2009 02:23 PM

Re: False Positive?

Hi -

FYI... 

Best going to the vendor's site whenever possible - especially for the latest builds, IMHO.

Message Edited by Compumind on 03-28-2009 10:34 PM
Compumind
NIS 2009, XP-SP3, Vista-SP2, IE 8

Re: False Positive?


Compumind wrote:

Hi -

FYI... 

Best going to the vendor's site whenever possible - especially for the latest builds, IMHO.

Message Edited by Compumind on 03-28-2009 10:34 PM
 
It depends. I was actually just stating how "Spyware Cease" is available for download from Cnet/Download.com. Download.com is used by a lot of vendors for software downloading, like for instance Malwarebytes does from their website.

Quads

Re: False Positive?

Ok 

In the results of the Spyware Cease Scan are,

1. "trojan.win32.buzus.acks" the results actually belong to Google updater as the registry entries, so if you use a Google product like Google Chrome these results will appear.   And/or Mozilla Plugins for the likes of Firefox.

2. If you get either of "Win32.Agent.beew" or "Win32.Agent.bbhn" it could be because of the "askbar" toolbar that comes with many products like even Norton now.

One thing I noticed is that, some files I have that are infections are not detected by Spyware Cease, that Malwarebytes, SuperAntispyware Free, or even Norton detect.

I have no idea whether the detections by Spyware Cease are intentional or F.P.s

Quads 

Message Edited by Quads on 03-29-2009 04:23 PM

Re: False Positive?

Malwarebytes 1.35 detects Spyware Cease as a rogue product.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\spyware cease_is1 (Rogue.SpywareCease) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RkHit (Rogue.SpywareCease) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spywarecease.exe (Rogue.SpywareCease) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

D:\Program Files\Spyware Cease (Rogue.SpywareCease) -> No action taken.

D:\Program Files\Spyware Cease\update (Rogue.SpywareCease) -> No action taken.

D:\Documents and Settings\All Users\Start Menu\Programs\Spyware Cease (Rogue.SpywareCease) -> No action taken.

Files Infected:

D:\Documents and Settings\John\Desktop\snake.exe (Trojan.Downloader) -> No action taken.

D:\Program Files\Spyware Cease\AutoUpdate.exe (Rogue.SpywareCease) -> No action taken.

D:\Program Files\Spyware Cease\LSR.lsr (Rogue.SpywareCease) -> No action taken.

D:\Program Files\Spyware Cease\md5.dll (Rogue.SpywareCease) -> No action taken.

D:\Program Files\Spyware Cease\networkdll.dll (Rogue.SpywareCease) -> No action taken.

D:\Program Files\Spyware Cease\opfile.dll (Rogue.SpywareCease) -> No action taken.

D:\Program Files\Spyware Cease\RegDefend.ini (Rogue.SpywareCease) -> No action taken.

D:\Program Files\Spyware Cease\rgp.tmp (Rogue.SpywareCease) -> No action taken.

D:\Program Files\Spyware Cease\RkHitApi.dll (Rogue.SpywareCease) -> No action taken.

D:\Program Files\Spyware Cease\spkdll.dll (Rogue.SpywareCease) -> No action taken.

D:\Program Files\Spyware Cease\SpywareCease.chm (Rogue.SpywareCease) -> No action taken.

D:\Program Files\Spyware Cease\SpywareCease.exe (Rogue.SpywareCease) -> No action taken.

D:\Program Files\Spyware Cease\SpywareCease.url (Rogue.SpywareCease) -> No action taken.

D:\Program Files\Spyware Cease\swdb.ssk (Rogue.SpywareCease) -> No action taken.

D:\Program Files\Spyware Cease\unins000.dat (Rogue.SpywareCease) -> No action taken.

D:\Program Files\Spyware Cease\unins000.exe (Rogue.SpywareCease) -> No action taken.

D:\Program Files\Spyware Cease\zlib1.dll (Rogue.SpywareCease) -> No action taken.

D:\Program Files\Spyware Cease\update\Update.ini (Rogue.SpywareCease) -> No action taken.

D:\Documents and Settings\All Users\Start Menu\Programs\Spyware Cease\Spyware Cease on the Web.lnk (Rogue.SpywareCease) -> No action taken.

D:\Documents and Settings\All Users\Start Menu\Programs\Spyware Cease\Spyware Cease.lnk (Rogue.SpywareCease) -> No action taken.

D:\Documents and Settings\All Users\Start Menu\Programs\Spyware Cease\Uninstall Spyware Cease.lnk (Rogue.SpywareCease) -> No action taken.

Quads 

Message Edited by Quads on 03-29-2009 10:17 PM

Re: False Positive?

Thanks for that great research! (again)
"Anyone who isn't confused really doesn't understand the situation."   Edward R. Murrow

Re: False Positive?

Thanks for all the replies folks. To follow up since I posted up the inquiry, yes ... I did download it from Cnet's download.com.

I did try to uninstall Spyware Cease (v 1.34), but it did not uninstall all the way. I use Malwarebytes and did a full scan, which came up with 5 notifications. All of the entries were quarantined and then deleted.

Note, NIS 2009 did not detect those same entries. I am going to rescan the system using MB 1.35 later today to see if it finds any other entries.

Speaking of Malwarebytes, I was watching all the entries and files getting scanned, and noticed quite a few entries from files I had previously uninstalled, including Norton 360. Here I thought that when I used Symantec's tool to fully remove a product, it would completely clean out the system, but apparently, it doesn't.


Re: False Positive?

If you are unsure of entries Malwarebytes finds, Malwarebytes creates a .txt log, like what I posted above.

Quads 


Re: False Positive?

Hi -

badbob52 says:

"Speaking of Malwarebytes, I was watching all the entries and files getting scanned, and noticed quite a few entries from files I had previously uninstalled, including Norton 360. Here I thought that when I used Symantec's tool to fully remove a product, it would completely clean out the system, but apparently, it doesn't."

I think that you are referring to the NRT - Norton Removal Tool.

Run it 2-3 times and see if your situation changes. Reboot after each try.

It is not perfect.

Compumind
NIS 2009, XP-SP3, Vista-SP2, IE 8

Re: False Positive?

Hi -

One more thing ...

You will need to reinstall Norton.

Hold onto your Product Key.

P.S. I really would not be concerned about the extra Norton registry keys. IMHO.

Compumind
NIS 2009, XP-SP3, Vista-SP2, IE 8

Re: False Positive?


Compumind wrote:

Hi -

One more thing ...

You will need to reinstall Norton

Hold onto your Product Key.

P.S. I really would not be concerned about the extra Norton registry keys. IMHO.


As another follow-up, Malwarebytes v1.35 did not find any other entries.

I did use NRT, way back in late Aug/early Sept, to change from 360 to NIS. I see no need to reinstall NIS 09. It's been working fine.


Re: False Positive?

Hi -

Good! That is what it is supposed to do - work fine.

Let us know if you require any additional assistance.

Compumind
NIS 2009, XP-SP3, Vista-SP2, IE 8