XoftSpy v3.2.07 found some malware


3 replies to this topic

#1 docboardman

    Member

  • Full Member
  • 6 posts

Posted 30 May 2004 - 06:06 AM

I'm hoping that someone can help me with some spyware questions.

My operating system is Windows 98 and the browser is IE 6. I keep them up to date with the latest security patches from Microsoft. I have ZoneAlarm 5 as a firewall and AVG 6 for anti-virus, as well as Ad-aware 6, which I run about once a week or so. Also, I downloaded and installed SpywareGuard and SpywareBlaster, as well as IE-SPYAD.

Last week I tried a spyware scanner called XoftSpy v3.2.07 and it found these:

Spyware --------- Location
Winpup32 ------- HKEY_CLASSES_ROOT\Interface\{48E59291-9880-11CF-9754-00AA00C00908}
Winpup32 ------- HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
CWS.Oslogo ---- Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msn.com
CWS.Oslogo ---- Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com

The last two may be entries from the IE-SPYAD database, I'm not sure. If they do exist, I am surprised the Ad-aware didn't catch them. Is there anything I should do about all this?

Cheers, -------- Doc

#2 WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 30 May 2004 - 06:30 AM

Hi,
See if this answers your question about this bogus software: :unsure:
http://www.lavasofts...showtopic=24563

Winpup32 ------- HKEY_CLASSES_ROOT\Interface\{48E59291-9880-11CF-9754-00AA00C00908}

Ad-Aware detects this as Coolwebsearch not Winpup!

CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{48E59291-9880-11CF-9754-00AA00C00908}



CWS.Oslogo ---- Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com

Open Regedit to the following location:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

Scroll down to: coolwwwsearch.com
Look in the right pane, is the entry = "0x00000004(4)"
If so then that is from IE-SpyAd and is valid.

Uninstall XoftSpy quickly!

You should consider installing:
Download: SpyBot-Search & Destroy 1.3
http://majorgeeks.co...wnload2471.html

Run a scan, "fix" everything marked in red.
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file
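
The check described in the reply above, scripted as an added example (not part of the original post or of any tool it mentions): it reads a regedit export of the ZoneMap\Domains key and labels each entry by Internet Explorer security zone, where 4 is Restricted sites and 2 is Trusted sites. The sample export, the `"*"` and `"http"` value names in it, and the `example.test` domain are constructed.

```python
import re

# Internet Explorer security zone numbers.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
BASE = (r"Software\Microsoft\Windows\CurrentVersion"
        r"\Internet Settings\ZoneMap\Domains" "\\").lower()
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample export (REGEDIT4 format); not data from the thread.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\www]
"http"=dword:00000002
"""

def classify_zonemap(reg_text):
    """Return (domain, value_name, zone, verdict) for each ZoneMap entry."""
    rows, domain = [], None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            pos = path.lower().find(BASE)
            # Subkeys are stored parent-first: example.test\www is www.example.test
            domain = (".".join(reversed(path[pos + len(BASE):].split("\\")))
                      if pos != -1 else None)
            continue
        val = VAL_RE.match(line)
        if val and domain:
            zone = int(val.group(2), 16)
            if zone == 4:
                verdict = "restricted (blocklist entry, e.g. from IE-SPYAD)"
            elif zone == 2:
                verdict = "REVIEW: site is granted Trusted-zone privileges"
            else:
                verdict = "zone " + ZONES.get(zone, "unknown")
            rows.append((domain, val.group(1), zone, verdict))
    return rows

if __name__ == "__main__":
    for row in classify_zonemap(SAMPLE_REG):
        print("%-22s %-5s %d  %s" % row)
```

A scanner hit on a ZoneMap domain whose value is 4 is a blocking entry rather than an infection; entries mapped to zone 2 are the ones to look at by hand.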

#3 docboardman


Posted 02 June 2004 - 09:24 PM

Hi Mike and thanks for your reply.

As a result of going to the Lavasoft Support forum site you recommended, I ended up following numerous other links which have occupied me for the last few days, hence the delay in my reply.

Just to put you in the picture, I had been using Ad-aware for over a year and was basically happy with it. However, a couple of weeks ago I read something about adware (in all its forms) that made me think I should try another package just to make sure my system was clean. I ended up trying:

1. SpyHunter v1.1.29
2. NoAdware v2.01
3. Spybot S & D v1.3
4. Spysweeper v2.6.1
and
5. XoftSpy v3.2.07

SpyHunter, NoAdware and XoftSpy all "found" things that Ad-aware (and Spybot S & D, as it turns out) did not. They each found different things and in the end I had a list of about 20 problems that Ad-aware didn't find. At first I was concerned. Eventually I became suspicious, however, because for any of these packages to fix the problems they "found" (and they each found different problems) I had to send them money.

Only Spysweeper and Spybot didn't find anything. Well, Spybot reported a DSO exploit, but I have since learned that is a bug in Spybot. This is when I posted to the SWI forum. As a result of what you wrote, and what I read on various other sites, I have gotten rid of SpyHunter, NoAdware and XoftSpy. I'm ignoring their scan results, as well. I have to say that I think it is disgusting that the people behind these packages are basically taking advantage of innocent people who are just trying to protect themselves.

Regarding this:


Winpup32 ------- HKEY_CLASSES_ROOT\Interface\{48E59291-9880-11CF-9754-00AA00C00908}

Ad-Aware detects this as Coolwebsearch not Winpup!


It is still in my registry. In the right pane it says:

Value Name = (Default)
Value Data = "IInet"

I have just done another scan with Ad-aware. The abbreviated results are here:

Scan Results (I have abbreviated the results)
Lavasoft Ad-aware Personal Build 6.181
Logfile created on  :02 June 2004 22:44:51
Created with Ad-aware Personal, free for private use.
Using reference-file :01R312 30.05.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

22:54:49 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:09:57:530
Objects scanned :48352
Objects identified :0
Objects ignored :0
New objects :0


So it looks like Ad-aware is not picking this up, but maybe I'm just not doing the scan right. I set up Ad-aware exactly as described at these two sites:

http://www.lavasofts...?showtopic=9240
http://forum.gladiat...?showtopic=8050

Regarding CWS.Oslogo:

Open Regedit to the following location:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

Scroll down to: coolwwwsearch.com
Look in the right pane, is the entry = "0x00000004(4)"


I opened Regedit and scrolled to the key that you said. The value is exactly like you said so it is a valid entry from IE-SpyAd.

Finally, I have removed (as far as I can tell) XoftSpy, SpyHunter, and NoAdware from my computer. I downloaded and installed IE-Spyad; and have also checked to see that all the latest MS security updates are installed. In addition I have also downloaded Spybot Search & Destroy 1.3 and Bazooka Adware & Spyware Scanner, which I also use from time to time. Lastly, I got SpywareBlaster and SpywareGuard. Perhaps this is all overkill, I don't know.

There are many interesting articles out there. One is Pieter Arntz at:

http://home.planet.n...wareinfoen.html

Another is CalamityJane's at:

http://forum.gladiat...indpost&p=31222

Some good sites are:

www.spywareinfo.com
www.cexx.org
www.tomcoyote.com
www.net-integration.net
www.kephyr.com (Bazooka Adware & Spyware)
www.lavasoft.de (Ad-aware)
www.security.kolla.de (SpyBot-Search & Destroy 1.3)
www.staff.uiuc.edu (IE-Spyad)

This turned into something longer than I had planned if you are still here. . . .

ANYWAY Thanks for your help!!!

------- Doc

#4 WinHelp2002


Posted 02 June 2004 - 09:57 PM

Doc,
Glad to see you have resolved your problems.

It is still in my registry. In the right pane it says:

Do not delete that entry, it's valid ...

Perhaps this is all overkill, I don't know.

No not at all, that's the kind of "Defense" you need nowadays ...

Most of those things are mentioned here: (my site)
See section: How To: Prevent this from happening again?
http://www.mvps.org/...02/unwanted.htm :wave:
Mike