Full Version: Please confirm these FPs (SE1R137 06.12.2006)
38 Special
Hello,

Did a full scan with today's SE1R137 06.12.2006 definitions and here are the results, please confirm if these are safe to delete:

QUOTE
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt : {03F998B2-0E00-11D3-A498-00104B6EB52E} (https://components.viewpoint.com/mtsinstallers/metastream3.cab?url=www.viewpoint.com)

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 0
Category : Vulnerability
Comment : Possible Browser Hijack attempt : https://components.viewpoint.com/mtsinstall...w.viewpoint.com
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{03F998B2-0E00-11D3-A498-00104B6EB52E}

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
TAC Rating : 0
Category : Vulnerability
Comment : Possible Browser Hijack attempt : https://components.viewpoint.com/mtsinstall...w.viewpoint.com
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Value : Installer
Possible Browser Hijack attempt : {41F17733-B041-4099-A042-B518BB6A408C} (http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/quicktimeinstaller.exe)

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 0
Category : Vulnerability
Comment : Possible Browser Hijack attempt : http://a1540.g.akamai.net/7/1540/52/200207...meinstaller.exe
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{41F17733-B041-4099-A042-B518BB6A408C}

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
TAC Rating : 0
Category : Vulnerability
Comment : Possible Browser Hijack attempt : http://a1540.g.akamai.net/7/1540/52/200207...meinstaller.exe
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{41F17733-B041-4099-A042-B518BB6A408C}
Value : Installer

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 47


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : ronald@rambler[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:ronald@rambler.ru/
Expires : 31-12-2007 19:00:00
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 48



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 48


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 48



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : World's cities current local time.url
TAC Rating : 3
Category : Misc
Comment : Problematic URL discovered: http://www.worldtimeserver.com/current_time_in_UTC.aspx
Object : C:\Documents and Settings\Ronald\Favoritos\




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 49

12:18:40 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:15:14.735
Objects scanned:180969
Objects identified:6
Objects ignored:0
New critical objects:6
Roy Milano
QUOTE(38 Special @ Dec 6 2006, 12:41 PM) *
Hello,

Did a full scan with today's SE1R137 06.12.2006 definitions and here are the results, please confirm if these are safe to delete:



I am having a similar problem.

I scanned last night with the last signature file and came up clean. I downloaded today's file (6.12) and suddenly I have over 400 critical items, most of which are RealPlayer radio station listings.

The current signature file must be corrupt or have a bad signature in it.

Please advise.

Thanks,

Roy...

Here is an example:
Name:Possible Browser Hijack attempt
Category:Misc
Object Type:File
Size:76 Bytes
Location:C:\...\RealPlayer Stations\Talk\WOR, New York, NY.url
Last Activity:12-6-2006 5:47:12 PM
Relevance:Low
TAC index:3
Comment:Problematic URL discovered: http://stations.real.com/play_stations.rxml?index=91
Description:Possible attempt to control/redirect the browser. This object referrs to a "blacklisted" site. If the site listed is the site intended (in other words, it is set to the setting you wish it to be set to), add this listing to your ignorelist. If not, then selecting this item will reset your browser to the default setting for this item.
38 Special
Well, nothing that we can do but wait for an official response from the support tech team.
PATHIAN
OnK!

I might be getting the same thing then; ran Ad-Aware SE with the latest updates (from today 06-12-2006) and had the following picked up...

POSSIBLE BROWSER HIJACK ATTEMPT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[1]=File : C:\Documents and Settings\Owner\Favorites\Games Mags\FutureNet\FutureNet.url
obj[2]=File : C:\Documents and Settings\Owner\Favorites\Misc\Abosso\John Gidney Starling - Radio Officer - M.V. Abosso (Liverpool), Merchant Navy.url

...which are both IE Favorites I sometimes use.

This is on a brand new PC, where I've just copied the old Favorites over from another, clean, PC. I mostly use Firefox and haven't visited either of these sites since getting the new PC on Monday this week.

Anything to worry about or just a couple of FPs?

Pathian.
38 Special
QUOTE(PATHIAN @ Dec 6 2006, 02:00 PM) *
OnK!

I might be getting the same thing then; ran Ad-Aware SE with the latest updates (from today 06-12-2006) and had the following picked up...

POSSIBLE BROWSER HIJACK ATTEMPT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[1]=File : C:\Documents and Settings\Owner\Favorites\Games Mags\FutureNet\FutureNet.url
obj[2]=File : C:\Documents and Settings\Owner\Favorites\Misc\Abosso\John Gidney Starling - Radio Officer - M.V. Abosso (Liverpool), Merchant Navy.url

...which are both IE Favorites I sometimes use.

This is on a brand new PC, where I've just copied the old Favorites over from another, clean, PC. I mostly use Firefox and haven't visited either of these sites since getting the new PC on Monday this week.

Anything to worry about or just a couple of FPs?

Pathian.

Hi

According to this response, they are investigating these findings.
PATHIAN
QUOTE(38 Special @ Dec 6 2006, 09:09 PM) *
According to this response, they are investigating these findings.

Thanks for that, saw that just after posting - that'll teach me to not root around in this Forum before posting stuff!!

...scared the pants outta me 'cos I'd just done some online bank transfers too just prior to the scan - GaaahHHH!!!

Regards,
Pathian.
38 Special
QUOTE(PATHIAN @ Dec 6 2006, 02:19 PM) *
...scared the pants outta me 'cos I'd just done some online bank transfers too just prior to the scan - GaaahHHH!!!

Regards,
Pathian.

No problem, you've been hacked before the transaction anyway... joking.
LS Albin
We have now corrected the problem with the definition file.

The URLs flagged were not intended as possible browser hijack attempts and have been removed.

A new definition file is now available that will correct these problems.

We are very sorry for the inconvenience this may have caused you.

Regards

Albin Bodahl

Lavasoft Research Team.
38 Special
Thank you very much, Albin.