
Thread: Mega Spyware infection, or thousands of false positives?

  1. #1
    Clunk

    Mega Spyware infection, or thousands of false positives?

    I did an Ewido online scan, and it kind of goes into what appears to be a never-ending loop, and it is getting stuck at the registry after it has found a shedload of what it thinks are spyware infections.

    I have a feeling that it is detecting the virus definitions from kaspersky internet security, but I'm not sure.

    There are some silly long names of the locations of the files, and it won't let me copy and paste, so I'll type it out...

    HKLM\SOFTWARE\Wow6432Node\Wow6432Node\Wow6432Node...this goes on repeating for what looks to be forever, and I'm guessing that that is what has stumped it.

    I also ran adaware, and that also fails miserably with an error and has to quit.

    Spybot turned up nothing.

    Hijack this turned up a load, but not the same as Ewido was reporting.

    So, would anyone with Vista x64 be good enough to run an Ewido online scan and see if yours gets stuck in the same place please?

    P.S. if you aren't familiar with it, you need to use Internet Explorer.

    Thanks
    Quote Originally Posted by Blitzen View Post
    stupid betond belief.
    You owe it to yourself to click here really.

  2. #2
    Clunk
    Managed to get Ewido to finish; I left it overnight.

    It couldn't clean them all either.

  3. #3
    aidanjt (Gentoo Ricer)
    Probably not a good idea to try to clean them. I scanned my XP x64 install (which took nearly an hour) and it treated just about every cookie I have as a 'tracking cookie', and one of them as a 'high' risk. I would say it's a braindead and unreliable scanner; its use of ActiveX is a good starting point for that opinion. Although I only use Firefox for browsing, so that might have some bearing on it.
    Quote Originally Posted by Agent View Post
    ...every time Creative bring out a new card range their advertising makes it sound like they have discovered a way to insert a thousand Chuck Norris super dwarfs in your ears...


  5. #4
    Clunk
    I've used it for a while now, and it's always been OK, but this is the first time I've used it on x64.

    It said to download the AVG anti spyware, so I did and it only found 13 things, and they were just tracking cookies, so it looks like it was just detecting the Kaspersky virus defs.

    Phew!

    Thanks

  6. #5
    DougMcDonald
    Tracking cookies aren't really an issue, as I'm sure you're aware, and the dialler in the list is going to be redundant unless you've got an active analogue modem connection on your PC.

  7. #6
    Clunk
    Quote Originally Posted by DougMcDonald View Post
    Tracking cookies aren't really an issue, as I'm sure you're aware, and the dialler in the list is going to be redundant unless you've got an active analogue modem connection on your PC.
    Yep, but the rest of the list of spyware and trojans looks like a pretty good selection of everything. I think it was just detecting the virus defs for Kaspersky.

  8. #7
    DougMcDonald
    Nice!

    Most times I've ever found anything, my AV has been good enough to give a rough idea of what the virus may be, and then I've just followed manual removal instructions or just reformatted (since I keep very little which can't be restored).

    I s'pose the moral of the story is to keep off the granny porn sites!

  9. #8
    Registered User
    Quote Originally Posted by Clunk View Post
    HKLM\SOFTWARE\Wow6432Node\Wow6432Node\Wow6432Node...this goes on repeating for what looks to be forever, and I'm guessing that that is what has stumped it.
    There are 19 nested Wow6432Node folders in my Vista 64 Registry -- and I know that one of the Microsoft KB updates put them all there. I have posted a list with additional info but this site will not let me post the url. Rather than put all that info here just Google Wow6432Node\Wow6432Node and look for...

    Wow6432Node\... nested instances of this registry key - TechNet Forums
    forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1901358&SiteID=17

    I hope someone figures out what happened and how to fix it with a future KB. Searching the Registry takes forever on a quad core machine.

  10. #9
    Clunk
    And are you using Kaspersky?

  11. #10
    Paul Adams (Ex-MSFT)
    Strange things can occur if you run 32-bit applications that try to read deep into the registry on a 64-bit system.
    Wow = "Windows on Windows"

    32-bit processes see a "virtualised" portion of the registry, which is why you have Wow6432Node - it is for compatibility.

    e.g.
    32-bit app WIDGET32.EXE creates a registry key HKLM\SOFTWARE\WidgetSoft and dumps some values in there.
    It then reads the registry values back and it works fine.
    Launch Registry Editor and look for that key - it doesn't exist, it has been redirected to HKLM\SOFTWARE\Wow6432Node\WidgetSoft.
    The reason it appears to work is that the API calls to open the registry keys are redirected for 32-bit processes without their knowledge.

    Native 64-bit applications do not have this virtualisation, so WIDGET64.EXE might launch after WIDGET32.EXE has created its keys, and attempt to read HKLM\SOFTWARE\WidgetSoft - and not find it.

    I just did a clean install of Vista x64 Ultimate, and as part of the setup let it go to Windows Update and install what it thought was important - 21 updates downloaded, sequenced, installed and I rebooted.
    Went to the ewido online scan site using the 64-bit browser - it doesn't work.
    Opened the 32-bit browser and the plugin installed, and I got what appeared to be your symptoms, Clunk - and the funny thing is the registry paths do not exist (not only are they obviously false positives for a clean installation).

    I would not bother with any 32-bit program trying to do registry cleanups, they may fall into this same trap - they are probably enumerating HKLM\SOFTWARE\Wow6432Node and then trying to browse into it, which is virtualised to HKLM\SOFTWARE\Wow6432Node\Wow6432Node, which is then virtualised to HKLM\SOFTWARE\Wow6432Node\Wow6432Node\Wow6432Node...
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3

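Paul's explanation suggests a simple check that separates the two theories in this thread: compare the Wow6432Node nesting seen through the 64-bit registry view (which is not redirected) with the nesting seen through the 32-bit WOW64 view, from one 64-bit process. This is an added diagnostic, not code from the thread or from any of the scanners discussed; it assumes 64-bit Windows with PowerShell 3 or later (for the .NET RegistryView API) and uses an arbitrary depth cap of 64.

```powershell
# Added diagnostic (not from the thread). Run from 64-bit PowerShell on 64-bit Windows.
# Opens HKLM\SOFTWARE once through the 64-bit view and once through the 32-bit (WOW64)
# view, then follows Wow6432Node -> Wow6432Node -> ... counting how deep the chain goes.
# $MaxDepth is an assumed value: it stops a redirected view from looping forever,
# which is the trap the 32-bit scanners in this thread appear to fall into.
$MaxDepth = 64

function Get-Wow6432NodeDepth {
    param([Microsoft.Win32.RegistryView]$View)

    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $View)
    $key  = $base.OpenSubKey('SOFTWARE')      # read-only open; nothing is written
    $depth = 0
    while ($null -ne $key -and $depth -lt $MaxDepth) {
        $next = $key.OpenSubKey('Wow6432Node')
        if ($null -eq $next) { break }       # chain ends here
        $depth++
        $key.Close()
        $key = $next
    }
    if ($null -ne $key) { $key.Close() }
    $base.Close()
    return $depth
}

$d64 = Get-Wow6432NodeDepth -View ([Microsoft.Win32.RegistryView]::Registry64)
$d32 = Get-Wow6432NodeDepth -View ([Microsoft.Win32.RegistryView]::Registry32)

"64-bit view: $d64 nested Wow6432Node key(s) under HKLM\SOFTWARE"
"32-bit view: $d32 nested Wow6432Node key(s) under HKLM\SOFTWARE (cap $MaxDepth)"

if ($d32 -ge $MaxDepth -and $d64 -lt $MaxDepth) {
    'Only the 32-bit view runs away: WOW64 redirection, not real keys. Scanner hits on that path are artefacts.'
} elseif ($d64 -gt 1) {
    "The 64-bit view sees $d64 physically nested keys: they really are in the hive and worth a closer look."
} else {
    'Normal layout: a single Wow6432Node under HKLM\SOFTWARE in the 64-bit view.'
}
```

The same view-selection trick (opening keys with the 64-bit view from a 64-bit process) is what a scanner needs in order to walk the real hive rather than its own redirected reflection.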

  13. #11
    acrobat
    welcome to the woooorld of tomorrrroooowwww

  14. #12
    Clunk
    Thanks for taking the time to do that Paul, much appreciated

    While you have the x64 version installed, do you get high CPU usage and general slowness in Windows Mail, just from doing simple things like viewing emails in the preview pane and then clicking on the next email to preview it? It can take several seconds, and the CPU usage can hit around 35% for those seconds.

    Same thing happens when navigating anywhere in windows mail.

    Thanks

  15. #13
    Paul Adams (Ex-MSFT)
    Not used Windows Mail, I must admit (I have Outlook 2007 installed on my machines).
    I'll try to set up a test mail account next week in Windows Mail and let you know if it behaves oddly.


  17. #14
    Registered User
    Quote Originally Posted by Paul Adams View Post
    Went to the ewido online scan site using the 64-bit browser - it doesn't work.
    I found IE (x64) has a lot of problems and is not a reliable browser at this point.

    Quote Originally Posted by Paul Adams View Post
    I would not bother with any 32-bit program trying to do registry cleanups, they may fall into this same trap - they are probably enumerating HKLM\SOFTWARE\Wow6432Node and then trying to browse into it
    My thoughts as well -- I really don't want to reinstall everything yet again!

  18. #15
    Clunk
    Thanks for that

  19. #16
    Registered User
    BTW

    Since the nested registry folders issue is (1) obviously not what Microsoft intended -- a bug -- and (2) can be reproduced 'at will' and (3) the culprit is one of a defined group of KB updates, I assume that Microsoft will fix it if the right people at MS find out about it.

    Soooo... does anyone know how to raise the issue on the MS radar scope?
