Spyware Doctor found a few things Windows Defender and Ad-aware didn't

[EApplegate]

I installed the free version just to check whether Ad-aware, Trojan
Hunter and Windows Defender have found everything (actually they find
very little). Spyware Doctor came up with 46 items on the first scan
(and left an empty log file). The infection name for about 38 of
thesewas called "SpywareCleaner".

It also listed "Rogue Anti-Spyware Products" 3x.

It did mention that something I posted earlier was called a System Sleuth
Keylogger from DivineDownloads.com.


The file was named:
_42fe7987.exe

and it was in this directory:
c:\Documents and Settings\user\Application Data\Microsoft\Installer
\{1B485419-875B-428D-816B-2F6627815D7A}


None of the other programs picked this up. It said the risk was high.
I manually deleted a few items from the drive and the registry and the
next scan showed nothing.

However, the program was such a memory hog and insinuated itself into so
many other programs, that I had to delete it. My Outlook express was
hanging as was my IE 6.

I then did a Regseeker scan and found numerous instances of dll files
from Spyware Doctor still in the registry after rebooting. This dll file
was in the registry as were others associated with the program.
\Spyware Doctor\chilkatxml.dll


My advice is to get about three or four good registry cleaning programs
(Regseeker, Regscrub, and the Spybot and CCleaner tools are good). Even
PC Tools Registry Mechanic isn't bad, but I noticed it forced itself into
my startup programs in the registry.

 

[Bill Sanderson]

If you still have that executable, Microsoft would love to have it
submitted:

Please zip it up, password protect the zip--use "infected" as the password,
and send it to:

(e-mail address removed)

If others read this thread--this submission alias is brand new, and
Microsoft is interested in having as many samples as possible sent in--so if
you have stuff you run into, send it on--the more the better.

 

[Bill Sanderson]

Full details on how to submit here:

http://www.microsoft.com/athome/security/spyware/software/support/reportspyware.mspx

--

 

[EApplegate]

If you still have that executable, Microsoft would love to have it
submitted:

Please zip it up, password protect the zip--use "infected" as the
password, and send it to:

(e-mail address removed)

If others read this thread--this submission alias is brand new, and
Microsoft is interested in having as many samples as possible sent
in--so if you have stuff you run into, send it on--the more the
better.

You should have responded when I first posted the message about this and
the other file two weeks ago. I just deleted it yesterday.




This was posted here on March 8th:


Subject: _60c11ac7.exe & _42fe7987.exe part of Defender update?
From: (e-mail address removed)
Newsgroups: microsoft.private.security.spyware.general

I just found these files in my Documents and Settings area:


_60c11ac7.exe

c:\Documents and Settings\user\Application Data\Microsoft\Installer
\{76EFAC4F-1712-401F-B2AE-590B170C9BCE}



& _42fe7987.exe


c:\Documents and Settings\user\Application Data\Microsoft\Installer
\{1B485419-875B-428D-816B-2F6627815D7A}



Anything to be alarmed about? They are 1 and 2 kb in size.

 

[Bill Sanderson]

Sorry--don't know how I missed that, but the volume in these lists means
that there are, for example, 587 messages in .general which I haven't
read--since approximately February 14th.

At any rate the submission address has changed in the last week, although
the page has existed since Beta2 went live and is linked to in the help.
--