 Mowergun
CounterSpy false positive?
I just updated CounterSpy to definitions version 255 and then ran a scan. CounterSpy detected either a folder called 6635zipper, or something within that folder. The folder is a subfolder of a CounterSpy directory. Attached are some screenshots.
P.S.
I dug a little deeper and found the log of the scan:
Spyware Scan Details
Start Date: 11/11/05 6:39:20 AM
End Date: 11/11/05 6:55:03 AM
Total Time: 15 mins 43 secs
Detected spyware
Adw.Afriz.Downloader Browser Hijacker more information...
Details: Adw.Afriz.Downloader silently travels to porn sites without displaying IE.
Status: Ignored
Infected files detected
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\6635zipper\com\ms\security\SecurityClassLoader.class
 suzi
Mowergun,
That's a very puzzling result you have there. Could you go to c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\ and see if there is a \6635zipper\ folder? That's not a normal folder and my CounterSpy doesn't have that. Also I don't see any threat named Adw.Afriz.Downloader in the Research Center and it shows all the threats in the database.
»research.sunbelt-software.com/Br···rary.cfm
A search for that threat does not get any results. Could you run the scan again and see if you get the same results?
-- Spyware Warrior, Microsoft MVP Windows Security 2005, Sunbelt Software Consultant
 Mowergun
[Attachments: "Before final uninstall/reinstall", "After final uninstall/reinstall"]
Hi Suzi,
After my initial post, but before I found your reply, I uninstalled CounterSpy version 1.5.77, deleted the CounterSpy directory in C:\Program Files, and then installed CounterSpy version 1.5.81. The new scan log is as follows:
Spyware Scan Details
Start Date: 11/12/05 2:32:34 AM
End Date: 11/12/05 2:46:41 AM
Total Time: 14 mins 7 secs
Detected spyware
Adw.Afriz.Downloader Browser Hijacker more information...
Details: Adw.Afriz.Downloader silently travels to porn sites without displaying IE.
Status: Ignored
Infected files detected
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\6635zipper\com\ms\security\SecurityClassLoader.class
I checked and the 6635zipper folder does exist per attachment.
After seeing your post, I decided to try uninstalling and reinstalling CounterSpy version 1.5.81, only this time I deleted the CounterSpy directory in both C:\Program Files and in C:\WINDOWS\Local Settings\Application Data. I also deleted everything from my Temp folders. After reinstalling CounterSpy version 1.5.81 the last time, I checked and the CounterSpy directory in C:\WINDOWS\Local Settings\Application Data did not re-appear until after I had run CounterSpy. When it did re-appear, the 6635zipper folder was not present, per second attachment. I ran one more scan after updating the definitions, and the scan came up clean, except CounterSpy detected the SecurityClassLoader.class file in my recycle bin.
The 6635zipper folder may have been an ancient legacy from long ago previous versions of CounterSpy, possibly betas. In any event, even if it was a legitimate detection, then it's gone now.
 suzi
Mowergun, you wrote:
quote: The 6635zipper folder may have been an ancient legacy from long ago previous versions of CounterSpy, possibly betas. In any event, even if it was a legitimate detection, then it's gone now.
I think that's correct. I remember some false positives having something to do with "zipper" several months ago, maybe in July or August. It sounds like the problem is resolved now.
When I was beta testing the new builds of CounterSpy 1.5 before it was released, the instructions were to delete the Sunbelt folder in program files and the directory in C:\WINDOWS\Local Settings\Application Data. You did exactly the right thing by deleting both folders.
-- Spyware Warrior, Microsoft MVP Windows Security 2005, Sunbelt Software Consultant