False Positives

tetonbob

Not sure where to report this, so I chose here. If this is
not the correct area, please move it, or direct me to the
proper place.

My first scan with MSAS came up with 20 false positives, 2
related to SearchSquire, 18 related to MediaTickets. These
entries are all in my Domains registry key, put there by
IE-Spyad. I know they are safe, I had MSAS ignore them,
thought someone would like to know.

I regularly scan my system with AdawareSE, Spybot S&D,
Avast, and online visits to TrendMicro's Housecall and it
is fairly well locked down. I use SpywareBlaster,
SpywareGuard, Spybot's TeaTimer, and the aforementioned
IE-Spyad. Oh yes, the MVPS HOSTS file, as well. It always
comes up clean.

Thanks for your attention.
 
Bill Sanderson

This is exactly the right place.

I had thought that at least the SearchSquire false positives were reported
to have been fixed by definition updates. Are you running current
definitions? See Help, about. Current are 5691, although I'd have thought
the SearchSquire fix was some versions back.
 
Guest

Hi Bill-

Yes, I always update before a scan. 5691 is the listed def.
I talked to a buddy who's doing some BETA work, and he told
me about the SearchSquire being reported, but hadn't heard
anything about the MediaTickets. I'm certain this is an FP.
Thanks for your interest. Keep up the good work!
 
Bill Sanderson

Thanks--looks like they aren't fixed, they are just being ignored on
successive passes, perhaps. Odd. The issue is whether the program is
properly distinguishing between the various site lists--and getting that
right is important!
 
Steve Dodson [MSFT]

Can you post the information on the remaining false positives? SearchSquire
is already resolved.

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
Bill Sanderson

This is what I'm hearing from Tetonbob:
-------------------------------------------------------
Not sure where to report this, so I chose here. If this is
not the correct area, please move it, or direct me to the
proper place.

My first scan with MSAS came up with 20 false positives, 2
related to SearchSquire, 18 related to MediaTickets. These
entries are all in my Domains registry key, put there by
IE-Spyad. I know they are safe, I had MSAS ignore them,
thought someone would like to know.
-------------------------------------------------------
So--the replication would involve running IE-Spyad and letting/asking it to
do whatever it does to protect against SearchSquire and
MediaTickets--presumably this is adding them to the Restricted Sites list.

I haven't seen this firsthand--I do run Ad-aware and Spybot Search &
Destroy, but probably not at their most paranoid settings. I don't have
IE-Spyad.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

 
tetonbob

Hi Bill- Thought I'd give you an update. I'm still getting
the FPs on MediaTickets, same number of entries, same
location. No longer getting FPs on SearchSquire. My
definitions were updated this morning to Spyware Definition
Version: 5693 (2/26/2005 8:05:18 AM) before my latest scan.

Hope this helps you guys.
 
Bill Sanderson

Can you post the actual entries involved in the false positives--not sure
whether that stuff will cut and paste or not, but if it will....

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

 
tetonbob

Here's an update:

Something strange and interesting occurred. Before my most
recent scan, minutes ago, I went to the manual update
feature (I like to be in control) and found that my
definitions were back to 5691. I have not used System
Restore, Go Back or anything like that. So, it updated, and
ran, and no FPs. MSAS found nothing, as I would expect to
see on my protected system. Not sure why that happened. But
Spyware Definition Version: 5693 (3/1/2005 11:59:06 PM) is
the version now, and for now, all is well. I'll continue to
reply in this thread if any changes occur along these lines.

Hope this helps.
 
Bill Sanderson

I've personally seen one instance of a machine (this one!) apparently on
5693, but in fact with 5691 in the files in the install directory. So there
are some issues with updating at the moment.

Glad the issue went away--let us know if it comes back!
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

 
tetonbob

Ok, it gets a little weirder.

I've tried to disable the autorun function, because, again,
I like to be in control, and see what happens when it
happens. If I log out, and log in again, the defaults are
reset. The default seems to be 2AM. I had logged out and
back on sometime yesterday, and had not reset the autorun
function to OFF. Sooooo...after declaring all clear from a
manual scan last night, I went to bed.

This morning, I went to the machine, and there it was, the
screen telling me about the auto scan which had been run,
and the results - well you guessed it. MediaTickets was
back. OK, I'm a guy who doesn't mind a little adventure. I
checked the def version, it was 5693. I then ran a manual
scan. All clear. No MediaTickets. Huh?

Here are the reg entries from the autoscan. These are the
recurring ones. Note that in my registry, I only see the
entries with the dword value 00000004, which I know is IE
disallowing access.

If users go to the scan history, they can copy and paste
the results for you to look at. Enjoy!

Details: Mediatickets is a spyware program that displays
advertisements, reduces the security settings for the
Trusted Sites zone in Internet Explorer, and attempts to
fraudulently install trusted publishers.
Status: Ignored
Severe threat - Severe threats typically are remotely
exploitable vulnerabilities, which can lead to system
compromise. Successful exploitation does not normally
require any interaction and exploits are in the wild. There
exists a high possibility of potential system damage or
security flaw. Attacker has complete control over your
computer or install new software on your machine.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchbarcash.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmeup.cc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmeup.cc * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\flingstone.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\flingstone.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchbarcash.com

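Bill's question earlier in the thread (is the program distinguishing between the various site lists?) and tetonbob's observation that his entries all carry dword 4 come down to one check: reading the zone value under each ZoneMap\Domains key rather than just matching the domain name. The following is an added example, not code from the thread, from MSAS or from IE-Spyad; it parses scan-history lines in the format tetonbob pasted above and a constructed .reg fragment in the format block-list tools are distributed in, and sorts each domain by the zone it is assigned. The domain names and the .reg text are constructed samples.

```python
"""Sort IE ZoneMap\\Domains entries by the security zone they assign.

Added example (not from the newsgroup thread). An entry under
Internet Settings\\ZoneMap\\Domains is protective when its zone is 4
(Restricted sites, what IE-Spyad writes) and suspicious when it is 2
(Trusted sites, what MediaTickets is described as doing). Both parsers
below work on constructed sample text; no real registry is touched.
"""
import re

# IE URL security zone ids stored as the dword data of each scheme value.
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

_ZONEMAP_KEY = (r"(?P<hive>HKEY_[A-Z_]+)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                r"\\Internet Settings\\ZoneMap\\Domains\\(?P<domain>[^\\\]\s]+)")
# Scan-history line as MSAS printed it in the thread: "<key>" or "<key> <name> <zone>".
_SCAN_LINE_RE = re.compile(r"^" + _ZONEMAP_KEY + r"(?:\s+(?P<name>\S+)\s+(?P<zone>\d+))?\s*$",
                           re.IGNORECASE)
# .reg export lines: "[key]" followed by "name"=dword:hex values.
_REG_KEY_RE = re.compile(r"^\[" + _ZONEMAP_KEY + r"\]\s*$", re.IGNORECASE)
_REG_DWORD_RE = re.compile(r'^"(?P<name>[^"]*)"=dword:(?P<hex>[0-9a-fA-F]{1,8})\s*$')


def _unwrap(text):
    """Re-join lines that a mail client wrapped after 'Internet', as in the thread."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Settings\\") and lines:
            lines[-1] = lines[-1] + " " + line
        else:
            lines.append(line)
    return lines


def parse_scan_report(text):
    """Return {domain: {value_name: zone}} from 'Infected registry keys/values' text."""
    entries = {}
    for line in _unwrap(text):
        m = _SCAN_LINE_RE.match(line)
        if not m:
            continue  # headings, blank lines and non-ZoneMap keys are skipped
        values = entries.setdefault(m.group("domain").lower(), {})
        if m.group("name"):
            values[m.group("name")] = int(m.group("zone"))
    return entries


def parse_reg(text):
    """Return the same {domain: {value_name: zone}} structure from a .reg file."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = _REG_KEY_RE.match(line)
            current = m.group("domain").lower() if m else None  # ignore unrelated keys
            if current:
                entries.setdefault(current, {})
            continue
        m = _REG_DWORD_RE.match(line)
        if m and current is not None:
            entries[current][m.group("name")] = int(m.group("hex"), 16)
    return entries


def classify(entries):
    """Map each domain to a verdict based on the zone(s) its values assign."""
    verdicts = {}
    for domain, values in entries.items():
        zones = set(values.values())
        if not zones:
            verdicts[domain] = "key only: no zone value seen, cannot judge"
        elif zones == {4}:
            verdicts[domain] = "Restricted sites (4): block-list entry, protective"
        elif zones & {0, 1, 2}:
            names = ", ".join(ZONE_NAMES[z] for z in sorted(zones & {0, 1, 2}))
            verdicts[domain] = f"elevated trust ({names}): review, MediaTickets-style"
        else:
            verdicts[domain] = "Internet zone (3): informational"
    return verdicts


# Constructed sample in the wrapped form the thread shows; placeholder domains.
SAMPLE_SCAN = r"""Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\blocked-example.test
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\blocked-example.test * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\trusted-example.test * 2
"""

# Constructed .reg fragment: one Restricted-sites entry, one Trusted-sites entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked-example.test]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trusted-example.test]
"http"=dword:00000002
"""

if __name__ == "__main__":
    for label, entries in (("scan history", parse_scan_report(SAMPLE_SCAN)),
                           (".reg file", parse_reg(SAMPLE_REG))):
        print(f"== {label} ==")
        for domain, verdict in classify(entries).items():
            print(f"{domain:24} {verdict}")
```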
 
tetonbob

Thought I'd let you know-

Autoscan finds MediaTickets, manual scan does not. Does
this relate to a stored scan history? I've just cleared
them, so I guess I'll find out.

-----Original Message-----
Ok, it get s a little weirder.

I've tried to disable the autorun function, because, again,
I like to be in control, and see what happens when it
happens. If I log out, and log in again, the defaults are
reset. The default seems to be 2AM. I had logged out and
back on sometime yeterday, and had not reset the autorun
function to OFF. Sooooo...after declaring all clear from a
manual scan last night, I went to bed.

This morning, I went to the machine, and there it was, the
screen telling me about the auto scan which had been run,
and the results - well you guessed it. MediaTickets was
back. OK, I'm a guy who doesn't mind a little adventure. I
checked the def version, it was 5693. I then ran a manual
scan. All clear. No MediaTickets. Huh?

Here are the reg entries from the autoscan. These are the
recurring ones. Note that in my registry, I only see the
entries with the dword value 00000004, which I know is IE
disallowing access.

If users go to the scan history, they can copy and paste
the results for you to look at. Enjoy!

Details: Mediatickets is a spyware program that displays
advertisements, reduces the security settings for the
Trusted Sites zone in Internet Explorer, and attempts to
fraudulently install trusted publishers.
Status: Ignored
Severe threat - Severe threats typically are remotely
exploitable vulnerabilities, which can lead to system
compromise. Successful exploitation does not normally
require any interaction and exploits are in the wild. There
exists a high possibility of potential system damage or
security flaw. Attacker has complete control over your
computer or install new software on your machine.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchbarcash.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmeup.cc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmeup.cc * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\flingstone.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\flingstone.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchbarcash.com

-----Original Message-----
I've personally seen one instance of a machine (this one!) apparently on
5693, but in fact with 5691 in the files in the install directory. So there
are some issues with updating at the moment.

Glad the issue went away--let us know if it comes back!
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Here's an update:

Something strange and interesting occurred. Before my most
recent scan, minutes ago, I went to the manual update
feature (I like to be in control) and found that my
definitions were back to 5691. I have not used System
Restore, Go Back or anything like that. So, it updated, and
ran, and no FPs. MSAS found nothing, as I would expect to
see on my protected system. Not sure why that happened. But
Spyware Definition Version: 5693 (3/1/2005 11:59:06 PM) is
the version now, and for now, all is well. I'll continue to
reply in this thread if any changes occur along these lines.

Hope this helps.

-----Original Message-----
Can you post the actual entries involved in the false positives--not sure
whether that stuff will cut and paste or not, but if it will....

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Hi Bill- Thought I'd give you an update. I'm still getting
the FPs on MediaTickets, same number of entries, same
location. No longer getting FPs on SearchSquire. My
definitions were updated this morning to Spyware Definition
Version: 5693 (2/26/2005 8:05:18 AM) before my latest scan.

Hope this helps you guys.

-----Original Message-----
This is what I'm hearing from Tetonbob:
-------------------------------------------------------
Not sure where to report this, so I chose here. If this is
not the correct area, please move it, or direct me to the
proper place.

My first scan with MSAS came up with 20 false positives, 2
related to SearchSquire, 18 related to MediaTickets. These
entries are all in my Domains registry key, put there by
IE-Spyad. I know they are safe, I had MSAS ignore them,
thought someone would like to know.
-------------------------------------------------------
So--the replication would involve running IE-Spyad and letting/asking it to
do whatever it does to protect against SearchSquire and
MediaTickets--presumably this is adding them to the Restricted Sites list.

I haven't seen this firsthand--I do run Ad-aware and Spybot Search &
Destroy, but probably not at their most paranoid settings. I don't have
IE-Spyad.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

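Every key in the scan log above sits under ZoneMap\Domains, and the rows ending in "* 4" are the key's "*" value (all URL schemes) set to DWORD 4, the Restricted Sites zone. Nine domains, each reported once for the key and once for its "*" value, account for the 18 MediaTickets hits. That zone number is the thing a scanner has to read: the detail text describes MediaTickets as tampering with the Trusted Sites zone (zone 2), so an ad domain mapped to zone 2 would be worth worrying about, while the same domain mapped to zone 4 is a block list, which is what IE-Spyad writes. The script below is an added example and is not code from this thread or from Microsoft AntiSpyware. It parses a `reg export` of the Domains key, reports the zone each host is mapped to, and gives a verdict per flagged host. The embedded .reg text is constructed for the example from domains in the scan log; the `update.example.test` entry in it is hypothetical, included to show what a Trusted-zone injection looks like next to a block-list entry.

```python
r"""Classify Internet Explorer ZoneMap\Domains entries by security zone.

Added example for this thread, not code from it or from Microsoft AntiSpyware.
Usage:  python zonemap_check.py [zonemap.reg]
With no argument it runs over the constructed SAMPLE_REG text below.
"""
import re
import sys
from collections import namedtuple

# Zone numbers used by Internet Explorer's ZoneMap.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Key line: [HKEY_LOCAL_MACHINE\...\Internet Settings\ZoneMap\Domains\example.com\www]
KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\.*?\\ZoneMap\\Domains\\(.+)\]$", re.IGNORECASE)
# Value line: "*"=dword:00000004  or  "http"=dword:00000002
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

Entry = namedtuple("Entry", "hive host scheme zone")

# Constructed .reg text. The first three keys mirror entries from the scan log
# in this thread (block-list style: '*' = every scheme, zone 4 = Restricted).
# update.example.test is hypothetical and shows a Trusted-zone (2) injection.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\update]
"http"=dword:00000002
"https"=dword:00000002
"""


def parse_zonemap_reg(text):
    r"""Return Entry(hive, host, scheme, zone) for every dword under ZoneMap\Domains.

    Subkeys under Domains are host labels in reverse order
    (Domains\example.com\www is www.example.com); the value name is the URL
    scheme the mapping applies to, with '*' meaning every scheme.
    """
    entries = []
    current = None                      # (hive, host) of the key being read
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            hive, path = key.groups()
            labels = path.split("\\")
            current = (hive.upper(), ".".join(reversed(labels)).lower())
            continue
        if line.startswith("["):
            current = None              # some other key in the export; skip its values
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            scheme, hexval = val.groups()
            entries.append(Entry(current[0], current[1], scheme.lower(), int(hexval, 16)))
    return entries


def review(entries, flagged_hosts):
    """Map each host a scanner flagged to a verdict based on the zone it is really in."""
    by_host = {}
    for e in entries:
        by_host.setdefault(e.host, []).append(e)
    verdicts = {}
    for host in flagged_hosts:
        mapped = by_host.get(host.lower())
        if not mapped:
            verdicts[host] = "not in ZoneMap"
            continue
        zones = sorted({e.zone for e in mapped})
        names = ", ".join(ZONE_NAMES.get(z, "zone %d" % z) for z in zones)
        if zones == [4]:
            verdicts[host] = "block-list entry (Restricted Sites): benign"
        elif zones[0] <= 2:
            verdicts[host] = "%s: host was granted extra privilege, investigate" % names
        else:
            verdicts[host] = "%s: no privilege change" % names
    return verdicts


def load_reg(path):
    """Read a .reg export; reg.exe and regedit usually write UTF-16 with a BOM."""
    with open(path, "rb") as f:
        data = f.read()
    encoding = "utf-16" if data.startswith(b"\xff\xfe") else "utf-8"
    return data.decode(encoding, errors="replace")


if __name__ == "__main__":
    text = load_reg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    entries = parse_zonemap_reg(text)
    for host, verdict in sorted(review(entries, {e.host for e in entries}).items()):
        print("%-28s %s" % (host, verdict))
```

On a live machine, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg` and pass the file as the first argument. Per-user mappings live under the same path in HKEY_CURRENT_USER and deserve the same check, since that is where a program running as the logged-on user can write without administrator rights.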
 
B

Bill Sanderson

That's weird indeed. Thanks for posting the details, and how this is
working for you--looks like a bug for sure.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

tetonbob said:
Thought I'd let you know-

Autoscan finds MediaTickets, manual scan does not. Does
this relate to a stored scan history? I've just cleared
them, so I guess I'll find out.

 
B

Bill Sanderson

One question: are both scans the same depth? The choices are Intelligent
Quickscan, Full, or Full & deep.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

tetonbob said:
Thought I'd let you know-

Autoscan finds MediaTickets, manual scan does not. Does
this relate to a stored scan history? I've just cleared
them, so I guess I'll find out.

 
T

tetonbob

OK, at the time of my last post, the scans were not the
same depth. Auto is set to Always run a Deep Scan. Manual was
set to Intelligent Quick Scan. I've just now updated to the
new definitions, 5695, and run a manual full, deep scan,
with the MediaTickets released from Always Ignore.

The results of this manual full, deep scan are that it
found the MediaTickets item, just like the auto scan has.

If I then choose to have MSAS Always Ignore this item, it
does not find it in subsequent scans.

My next scheduled autoscan is 2AM. I'll post again with
those results.
-----Original Message-----
One question: are both scans the same depth? The choices are Intelligent
Quickscan, Full, or Full & deep.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Thought I'd let you know-

Autoscan finds MediaTickets, manual scan does not. Does
this relate to a stored scan history? I've just cleared
them, so I guess I'll find out.

-----Original Message-----
Ok, it get s a little weirder.

I've tried to disable the autorun function, because, again,
I like to be in control, and see what happens when it
happens. If I log out, and log in again, the defaults are
reset. The default seems to be 2AM. I had logged out and
back on sometime yeterday, and had not reset the autorun
function to OFF. Sooooo...after declaring all clear from a
manual scan last night, I went to bed.

This morning, I went to the machine, and there it was, the
screen telling me about the auto scan which had been run,
and the results - well you guessed it. MediaTickets was
back. OK, I'm a guy who doesn't mind a little adventure. I
checked the def version, it was 5693. I then ran a manual
scan. All clear. No MediaTickets. Huh?

Here are the reg entries from the autoscan. These are the
recurring ones. Note that in my registry, I only see the
entries with the dword value 00000004, which I know is IE
disallowing access.

If users go to the scan history, they can copy and paste
the results for you to look at. Enjoy!

Details: Mediatickets is a spyware program that displays
advertisements, reduces the security settings for the
Trusted Sites zone in Internet Explorer, and attempts to
fraudulently install trusted publishers.
Status: Ignored
Severe threat - Severe threats typically are remotely
exploitable vulnerabilities, which can lead to system
compromise. Successful exploitation does not normally
require any interaction and exploits are in the wild. There
exists a high possibility of potential system damage or
security flaw. Attacker has complete control over your
computer or install new software on your machine.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\blazefind.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\searchbarcash.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\searchmeup.cc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\searchmeup.cc * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\searchmiracle.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\searchmiracle.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\slotch.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\slotch.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\xxxtoolbar.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\xxxtoolbar.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\blazefind.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\flingstone.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\flingstone.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\mt-download.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\mt-download.com * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\my-internet.info
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\my-internet.info * 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\searchbarcash.com


-----Original Message-----
I've personally seen one instance of a machine (this one!)
apparently on
5693, but in fact with 5691 in the files in the install
directory. So there
are some issues with updating at the moment.

Glad the issue went away--let us know if it comes back!
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

message
Here's an update:

Something strange and interesting occurred. Before my most
recent scan, minutes ago, I went to the manual update
feature (I like to be in control) and found that my
definitions were back to 5691. I have not used System
Restore, Go Back or anything like that. So, it updated, and
ran, and no FPs. MSAS found nothing, as I would expect to
see on my protected system. Not sure why that happened. But
Spyware Definition Version: 5693 (3/1/2005 11:59:06 PM) is
the version now, and for now, all is well. I'll continue to
reply in this thread if any changes occur along these lines.

Hope this helps.

-----Original Message-----
Can you post the actual entries involved in the false
positives--not sure
whether that stuff will cut and paste or not, but if it
will....

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

message
Hi Bill- Thought I'd give you an update. I'm still getting
the FPs on MediaTickets,same number of entries, same
location. No longer getting FPs on SearchSquire. My
definitions were updated this morning to Spyware
Definition
Version: 5693 (2/26/2005 8:05:18 AM) before my latest
scan.

Hope this helps you guys.

-----Original Message-----
This is what I'm hearing from Tetonbob:
-------------------------------------------------------
Not sure where to report this, so I chose here. I fthis is
not the correct area, please move it, or direct me to the
proper place.

My first scan with MSAS came up with 20 false positives, 2
related to SearchSquire, 18 related to MediaTickets. These
entries are all in my Domains registry key, put there by
IE-Spyad. I know they are safe, I had MSAS ignore them,
thought someone would like to know.
-------------------------------------------------------
So--the replication would involve running IE-Spyad and
letting/asking it to
do whatever it does to protect against SearchSquire and
MediaTickets--presumably this is adding them to the
Restricted Sites list.

I haven't seen this firsthand--I do run Ad-aware and
Spybot Search &
Destroy, but probably not at their most paranoid settings.
I don't have
IE-Spyad.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

"Steve Dodson [MSFT]" <[email protected]> wrote in message
Can you post the information on the remaining false positives? SearchSquire is already resolved.

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.

"Bill Sanderson" <[email protected]> wrote in message



Thanks--looks like they aren't fixed, they are just being ignored on successive passes, perhaps. Odd. The issue is whether the program is properly distinguishing between the various site lists--and getting that right is important!
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Hi Bill-

Yes, I always update before a scan. 5691 is the listed def. I talked to a buddy who's doing some BETA work, and he told me about the SearchSquire being reported, but hadn't heard anything about the MediaTickets. I'm certain this is an FP. Thanks for your interest. Keep up the good work!


-----Original Message-----
This is exactly the right place.

I had thought that at least the SearchSquire false positives were reported to have been fixed by definition updates. Are you running current definitions? See Help, about. Current are 5691, although I'd have thought the SearchSquire fix was some versions back.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

"tetonbob" <[email protected]> wrote in message
Not sure where to report this, so I chose here. If this is not the correct area, please move it, or direct me to the proper place.

My first scan with MSAS came up with 20 false positives, 2 related to SearchSquire, 18 related to MediaTickets. These entries are all in my Domains registry key, put there by IE-Spyad. I know they are safe, I had MSAS ignore them, thought someone would like to know.

I regularly scan my system with AdawareSE, Spybot S&D, Avast, and online visits to TrendMicro's Housecall and it is fairly well locked down. I use SpywareBlaster, SpywareGuard, Spybot's TeaTimer, and the aforementioned IE-Spyad. Oh yes, the MVPS HOSTS file, as well. It always comes up clean.

Thanks for your attention.
