

Possible False/Positive


8 replies to this topic

#1 OFFLINE   KS-FINN

    Advanced Member

  • Members
  • 126 posts

Posted 29 May 2007 - 08:48 PM

I ran NoAdware v5.0 and it detected the following. Is this a False/Positive? :unsure:


Removing Spyware Hijacker.InternetExplorerZoneHijack...

Removing Registry Hijacker.InternetExplorerZoneHijack...



[Deleting Key...]

Key : HKEY_USERS\S-1-5-21-2897968377-2843162198-137514011-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\defaultbar.com



[Key Deleted]

Key : HKEY_USERS\S-1-5-21-2897968377-2843162198-137514011-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\defaultbar.com

Removing RegValues Hijacker.InternetExplorerZoneHijack...

Fixing RegValue dataHijacker.InternetExplorerZoneHijack...

Removing Cookies Hijacker.InternetExplorerZoneHijack...

Removing Files Hijacker.InternetExplorerZoneHijack...

Removing Folders Hijacker.InternetExplorerZoneHijack..

#2 OFFLINE   JDPower

    Cydonian Knight

  • Members
  • 2,952 posts
  • Gender:Male
  • Location:England

Posted 29 May 2007 - 11:10 PM

KS-FINN, on May 29 2007, 09:48 PM, said:

I ran NoAdware v5.0 and it detected the following. Is this a False/Positive? :unsure:

Quit using NoAdware, or at least scan with some more reliable programs to find out for yourself if it's a false positive. You've already seen for yourself it gives false positives.

#3 OFFLINE   KS-FINN

    Advanced Member

  • Members
  • 126 posts

Posted 30 May 2007 - 04:57 PM

JDPower, on May 29 2007, 06:10 PM, said:

Quit using NoAdware, or at least scan with some more reliable programs to find out for yourself if it's a false positive. You've already seen for yourself it gives false positives.


SURE THING. JDPOWER.!!!!!!! B)

#4 OFFLINE   Andavari

    Captain Spectacular

  • Moderators
  • 13,330 posts
  • Gender:Male
  • Location:Shadow Moses

Posted 30 May 2007 - 05:12 PM

"ZoneMap\Domains\defaultbar.com" is probably added by SpywareBlaster, or Spybot-S&D because I also have it blocked.

It seems NoAdware can't figure out a safely blocked site from actual hijack, but then again there's more than enough antispyware apps that also have false positives, yet they're not considered "rogue". :rolleyes:
Note: I'm not stating NoAdware is rogue, in fact I haven't even looked up any info on the program whatsoever.
Complexity of incoherent design.

#5 OFFLINE   KS-FINN

    Advanced Member

  • Members
  • 126 posts

Posted 30 May 2007 - 05:23 PM

Andavari, on May 30 2007, 12:12 PM, said:

"ZoneMap\Domains\defaultbar.com" is probably added by SpywareBlaster, or Spybot-S&D because I also have it blocked.

It seems NoAdware can't figure out a safely blocked site from actual hijack, but then again there's more than enough antispyware apps that also have false positives, yet they're not considered "rogue". :rolleyes:
Note: I'm not stating NoAdware is rogue, in fact I haven't even looked up any info on the program whatsoever.

THANK YOU VERY MUCH FOR ANSWERING MY QUESTION. ;)

EDIT
Uncalled for remark edited out by moderator


#6 OFFLINE   JDPower

    Cydonian Knight

  • Members
  • 2,952 posts
  • Gender:Male
  • Location:England

Posted 30 May 2007 - 05:31 PM

KS-FINN, on May 30 2007, 05:57 PM, said:

SURE THING. JDPOWER.!!!!!!! B)

Well, it's your choice. You've had two false positives from it in as many weeks, if you want to keep using it then the least you can do is scan with one or two other scanners to at least try to find out for yourself if it's a false positive.

One thing's for sure, if you keep letting it remove Spyware Blaster or Spybot blocked zones you'll soon start getting real spyware.

#7 OFFLINE   KS-FINN

    Advanced Member

  • Members
  • 126 posts

Posted 30 May 2007 - 11:58 PM

JDPower, on May 30 2007, 12:31 PM, said:

Well, it's your choice. You've had two false positives from it in as many weeks, if you want to keep using it then the least you can do is scan with one or two other scanners to at least try to find out for yourself if it's a false positive.

One thing's for sure, if you keep letting it remove Spyware Blaster or Spybot blocked zones you'll soon start getting real spyware.

Thanks for the very informative information. I didn't know that if I keep allowing NoAdware to keep removing Spyware Blaster and Spybot blocked Zones that I may start getting spyware because of it. That's why I keep posting these threads because at times I don't know what to do so I COME TO THIS FORUM FOR HELP. I don't mean to be a bother. Thanks Again. :)

#8 OFFLINE   KachinaPeak

    Newbie

  • Members
  • 5 posts

Posted 12 July 2007 - 10:30 PM

I have the same problem; however, SOPHOS IDs this as a trojan... Troj/LowZone-EX.

So it seems that it's not a false positive after all. See "Hi-Lited" area below.

[]][[]][[]][[]][[]][[]][[]][[]][[]][[]][[]][[]][[]][[]][[]][[]][[]][[]][[]

Troj/LowZone-EX is a Trojan for the Windows platform.

When first run Troj/LowZone-EX copies itself to the Desktop and User folders and creates the following files:

<Desktop>\Calciopoli.lnk
<Desktop>\Cerca Amici.lnk
<User>\My Documents\My Music\U2 - Collection.lnk
<User>\PrintHood\Epson Stylus Photo 3BN.lnk
<User>\Start Menu\Conigliette del Mese.lnk

Troj/LowZone-EX changes the Start Page for Microsoft Internet Explorer by setting the registry entry:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

The following registry entries are set, affecting internet security:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\acquadirose.com\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\acquadirose.com\www\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\acquadirose.com\www
    * = 2

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cywanstorage.biz\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cywanstorage.biz\www\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cywanstorage.biz\www
    * = 2

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\defaultbar.com\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\defaultbar.com\www\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\defaultbar.com\www
    * = 2

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\forteforte.com\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\forteforte.com\www\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\forteforte.com\www
    * = 2

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gooogle.bz\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gooogle.bz\www\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gooogle.bz\www
    * = 2

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\playmore.biz\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\playmore.biz\www\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\playmore.biz\www
    * = 2

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\scalalap.com\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\scalalap.com\www\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\scalalap.com\www
    * = 2

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\semeterapia.com\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\semeterapia.com\www\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\semeterapia.com\www
    * = 2

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tuttaqualita.com\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tuttaqualita.com\www\
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tuttaqualita.com\www
    * = 2

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1004 = 0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1201 = 0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    MinLevel = 0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    RecommendedLevel = 0
[]][[]][[]][[]][[]][[]][[]][[]][[]][[]][[]][[]][[]][[]][[]][[]][[]][[]][[]

So, what do we do now? I can't pay over $200 bucks to get rid of one bug. I'll do a fresh install before I do that.

Anyone have any suggestions?
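Added example, not part of the original thread and not code from any of the tools named in it: a ZoneMap\Domains key on its own does not say whether a domain was blocked or trusted, which is the gap between Andavari's post and the Sophos listing above; the value data (the zone number) does. The sketch below parses the text of a `reg export` file and reports the zone each domain is mapped to. It assumes blocking tools map domains to Restricted Sites (zone 4); `triage`, `verdict` and the sample data are constructed for illustration.

```python
import re

# Internet Explorer security zone numbers.
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

KEY_RE = re.compile(r"^\[.*\\Internet Settings\\ZoneMap\\Domains\\([^\]]+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})$', re.I)

def parse_zonemap(reg_text):
    # Yield (host, protocol, zone) for each ZoneMap domain value in the text
    # of a `reg export` file (decode the file from UTF-16 before passing it in).
    host = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            # The key path is domain\subdomain; the host name is subdomain.domain.
            host = ".".join(reversed(m.group(1).split("\\"))) if m else None
        elif host:
            v = VAL_RE.match(line)
            if v:
                yield host, v.group(1), int(v.group(2), 16)

def verdict(zone):
    if zone == 4:
        return "block"      # Restricted Sites: the form a protective block takes
    if zone in (0, 1, 2):
        return "elevated"   # more trust than the default Internet zone
    return "neutral"

def triage(reg_text):
    return [(host, proto, ZONES.get(zone, "unknown zone %d" % zone), verdict(zone))
            for host, proto, zone in parse_zonemap(reg_text)]

# Constructed sample: entry 1 is shaped like a blocklist entry, entry 2 like the Sophos listing.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\defaultbar.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\defaultbar.com\www]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"http"=dword:00000003
"""
print(*triage(SAMPLE), sep="\n")
```

Per the Sophos description quoted above, the same trojan also changes values under Zones\2, so an "elevated" mapping should be read together with that zone's own settings.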

#9 OFFLINE   fireryone

    Lets Get Dangerous

  • Members
  • 1,626 posts
  • Gender:Male
  • Location:QLD,Australia
  • Interests:PC, LOTRO

Posted 12 July 2007 - 11:53 PM

Go to the "hijackthis log analysis" section of this forum, and post a log file, then you will be helped remove it for free.

By the way welcome to the forum KachinaPeak.
fireryone



There are 10 types of people in this world.
Those who understand binary, and those who don't.