False positive? (Zonelog)

Lappen

I downloaded and installed zonelog (http://zonelog.co.uk/) from this site: hxxp://accs-net.com/zonelog/zl119_full.exe

I get this report after install
***********************************
Spyware Scan Details
Start Date: 2005-02-24 17:39:34
End Date: 2005-02-24 17:40:53
Total Time: 1 mins 19 secs

Detected Threats

Free Popup Killer Adware more information...
Status: Quarantined
High threat - High-risk items have a large potential for
harm, such as loss of computer control, and should be
removed unless knowingly installed.

Infected files detected
c:\windows\is-ugh11.exe

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce InnoSetupRegFile.0000000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce InnoSetupRegFile.0000000001

Detected Spyware Cookies
No spyware cookies were found during this scan.
********************************************

Virusscan at http://virusscan.jotti.org/ gives Status: OK

Wondering if this is a FP or if it's really a correct entry.
Bill Sanderson

I don't have a clear answer, but I'm leaning towards false positive.

I downloaded the same package via the same route you did.

I installed the program, and, without running it, then did a quickscan with
Microsoft Antispyware. It flagged this executable:

02/10/2002 02:00 AM 33,792 is-N5HUJ.exe

Which you will note is similar to, but different from yours, and in my case
was in e:\windows--far from the D drive where the zonelog program was
installed. It also flagged two registry entries like yours.

There is also a similarly named .LST file, with this content:

* List of files to be registered on the next reboot. DO NOT EDIT! *

E:\Program Files\Common Files\Microsoft Shared\DAO\DAO350.dll
[t]E:\Program Files\Common Files\Microsoft Shared\DAO\DAO2535.tlb
E:\WINDOWS\system32\Msflxgrd.ocx
E:\WINDOWS\system32\Mscomct2.ocx
d:\Program Files\ZoneLog\HexLookup.dll
E:\WINDOWS\system32\MSINET.OCX
E:\WINDOWS\system32\MSMAPI32.OCX
E:\WINDOWS\system32\MSWINSCK.OCX

Using the tools, advanced tools, system explorers, I find this in startup:
------
is-n5huj.exe

File name: is-n5huj.exe

Description:

Publisher:

File path: e:\windows\is-n5huj.exe

File version:

Location details: Program located in registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.

Technical Details:

MD5: 0a0c940e9855085a84f24ca4d69e8754

I've gone back and forth looking at this one, but my present thought is
false positive. The virusscan doesn't make it look more likely to be
spyware, but the fact that it isn't detected isn't proof of anything--I
don't trust the a/v vendors in terms of spyware coverage at this point.

I don't know why this executable is randomly named, but the job it is doing
appears legitimate to me. I also don't know why it is left around after the
uninstall, but perhaps if I'd done the reboot it would have been removed by
some other process.

It is a runonce--which doesn't make a lot of sense for spyware unless it
installs something even more well hidden on your machine.

Since the file appears randomly named, Microsoft Antispyware must be IDing
it by the characteristics--the MD5 hash. Whether or not this package
contains spyware, one might wonder how this file came to be used in both
this package and a spyware package.

Here's what another vendor has to say about the characteristics of the
threat named:

http://research.sunbelt-software.com/threat_display.cfm?name=Free Popup Killer

I don't find anything resembling the fpk_setup.exe file anywhere on my
system.

I'd recommend writing to the developer--I believe there is contact
information at the site. You might pass along to him the URL for reporting
false positives:

http://www.spynet.com/vendors.aspx
 
Lappen

Got this reply from the developer

**********************************************
I can confirm it is a false positive. The file in question is a temporary file created by the installer to clean up other temporary files it has created after the next reboot. It has often been flagged, falsely, as virus or malware simply because it is programmed in Delphi, a common programming language seemingly used by the malware programmers, and, presumably, has a fairly basic signature.
**********************************************

I informed him about these 2 pages

http://www.spynet.com/falsepositive.aspx
http://www.spynet.com/vendors.aspx
 
B

Bill Sanderson

That is a good explanation of the likely reason for the false positive. I'd
not worry about this one, and I hope his report and this discussion will
encourage Microsoft to tune their detection of the actual malware better.
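A small triage helper, added here and not code from either poster, from Microsoft Antispyware or from the Inno Setup project, that checks whether a flagged file, RunOnce value and .lst file match the benign cleanup-stub pattern described in this thread. The stub file-name pattern, the RunOnce value-name pattern and the meaning of the `[t]` prefix are assumptions generalised from the entries quoted above; the .lst sample is constructed from the one Bill posted.

```python
import re

# Constructed sample: the .lst file quoted in the thread, embedded as a string.
SAMPLE_LST = r"""* List of files to be registered on the next reboot. DO NOT EDIT! *

E:\Program Files\Common Files\Microsoft Shared\DAO\DAO350.dll
[t]E:\Program Files\Common Files\Microsoft Shared\DAO\DAO2535.tlb
E:\WINDOWS\system32\Msflxgrd.ocx
E:\WINDOWS\system32\Mscomct2.ocx
d:\Program Files\ZoneLog\HexLookup.dll
E:\WINDOWS\system32\MSINET.OCX
E:\WINDOWS\system32\MSMAPI32.OCX
E:\WINDOWS\system32\MSWINSCK.OCX
"""

LST_HEADER = "* List of files to be registered on the next reboot. DO NOT EDIT! *"
STUB_RE = re.compile(r"^is-[a-z0-9]{5}\.(exe|lst)$", re.IGNORECASE)  # assumed: is-ugh11.exe, is-n5huj.exe
RUNONCE_RE = re.compile(r"^InnoSetupRegFile\.\d{10}$")                # assumed: InnoSetupRegFile.0000000001
REGISTRABLE = (".dll", ".ocx", ".tlb")  # COM servers and type libraries the stub is expected to register

def is_inno_stub_path(path):
    """Assumed pattern: is-XXXXX.exe or .lst sitting directly in the Windows directory."""
    parts = path.replace("/", "\\").lower().split("\\")
    return len(parts) >= 2 and parts[-2] == "windows" and STUB_RE.match(parts[-1]) is not None

def parse_register_list(text):
    """Parse the .lst body; a '[t]' prefix is assumed to mark a type library, anything else a COM server."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != LST_HEADER:
        raise ValueError("not an Inno Setup registration list")
    return [("typelib", ln[3:]) if ln.startswith("[t]") else ("server", ln) for ln in lines[1:]]

def triage(flagged_files, flagged_values, lst_text):
    """Compare the flagged items against the benign cleanup-stub pattern and return a verdict dict."""
    entries = parse_register_list(lst_text)
    # Anything in the list that is not a registrable COM binary deserves a closer look.
    unexpected = [p for _, p in entries if not p.lower().endswith(REGISTRABLE)]
    stub_files = bool(flagged_files) and all(is_inno_stub_path(f) for f in flagged_files)
    stub_values = bool(flagged_values) and all(RUNONCE_RE.match(v) for v in flagged_values)
    benign = stub_files and stub_values and not unexpected
    return {
        "verdict": "consistent with Inno Setup cleanup stub" if benign else "needs review",
        "stub_files": stub_files, "stub_values": stub_values,
        "entries": entries, "unexpected": unexpected,
    }

if __name__ == "__main__":
    print(triage([r"c:\windows\is-ugh11.exe"], ["InnoSetupRegFile.0000000001"], SAMPLE_LST)["verdict"])
```

A verdict of "consistent" only means the artefacts match the installer's documented behaviour; the hash-based detection itself is still something to report to the vendor, as the thread suggests.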