NAV "finds" Spyware.Perfect


George Del Monte

Here's my problem: Norton AntiVirus 2005 says a file, RAR.EXE, which I use
to do unattended backups to another computer, contains spyware, namely
Spyware.Perfect. Consequently, NAV has quarantined RAR.EXE. Since
Spyware.Perfect is spyware, online virus checks at Symantec, TrendMicro, and
Panda do NOT find anything, since Spyware.Perfect is not actually a virus,
even though it is purported to create a keystroke log and then send it to an
eMail address. The keystroke log could include passwords, credit card
numbers, PINs, etc. This is bad. Microsoft AntiSpyware DOES NOT alarm
whenever it does a scan, meaning it MAY NOT include a definition for
Spyware.Perfect. Any advice? Anyone?
 
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.perfectspy.html


--
If you are under attack and MSAS does not seem to help:

*Submit suspected spyware report in the tools menu of MSAS*

PREP YOUR MACHINE FIRST!
- IF you are using Spybot S/D, UN-Immunize your computer
- IF you are using Adaware, turn off AD-Watch
- Disable all other active anti-spy applications
- Dump all temporary file locations and Internet files

1. Download:
lspfix.exe www.cexx.org/lspfix.htm
winsockxpfix.exe www.snapfiles.com/get/winsockxpfix.html
ccleaner.exe www.ccleaner.com
killbox.exe www.bleepingcomputer.com/files/killbox.php

2. Clean out all temp file locations with ccleaner.exe

3. Install and use killbox to delete stubborn files

4. Reboot into safe mode - http://tinyurl.com/pfca
5. Run MSAS at least twice in full/deep mode
6. Run a robust, updated antivirus software scan
7. Reboot into normal mode, see if problem has been corrected

8. If you think something is there but can't see it, download:
- Blacklight by F-Secure
www.europe.f-secure.com/exclude/blacklight/blbeta.exe
- RootKitRevealer by SysInternals
www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

9. If your problem is Virus or Security patch related:
In the United States or Canada, call 1-866-PCSAFETY
MS will provide free support for those issues.

Battle Notes:
- If you have trojans (files that won't go away),
you may have to disable System Restore on XP:
http://tinyurl.com/movy

- If your Internet connectivity quits:
http://support.microsoft.com/kb/892350
http://support.microsoft.com/kb/811259
LSPFix - www.cexx.org/lspfix.htm
Winsockxpfix - www.snapfiles.com/get/winsockxpfix.html

- Install SpywareBlaster to block malware apps from
installing on your machine. Does not actively run
on your machine, you run it, it makes changes that
protect you.
http://www.javacoolsoftware.com/

- This program will not detect or remove viruses
http://www.microsoft.com/athome/security/viruses/default.mspx

*** For assistance in battling infestations***
- Get HijackThis.exe from:
http://tomcoyote.org/hjt/hjt199//HijackThis.exe
- Save it to C:\hjt (new folder)
- Open it and select "Scan and Save Log"
- Send it to Ron Kinner as an attachment
- Ron's email address is (e-mail address removed)
- Put Hijack in the subject so he knows it's not spam

Application Notes:
Registering a VB6 dll seems to fix missing agents:
1) Open up a command prompt (start -> run -> cmd)
2) Type in the following "regsvr32 msvbvm60.dll" (without the quotes).
3) Close and re-open Windows AntiSpyware
4) If that fails, install VB6 runtime files:
http://www.softwarepatch.com/windows/vbrun6download.htm

- To report false positives:
www.microsoft.com/athome/security/spyware/software/isv/fpform.aspx
- To submit disputes or requests:
www.microsoft.com/athome/security/spyware/software/isv/cdform.aspx
- To learn more about how MS analyzes suspected spyware:
www.microsoft.com/athome/security/spyware/software/isv/analysis.mspx
- To Run MSAS in passive mode:
http://support.microsoft.com/kb/892375

Alternative Anti-Spyware Applications:
- Spybot Search and Destroy
http://www.majorgeeks.com/download2471.html
- LavaSoft AdAware
http://www.majorgeeks.com/download506.html
- AdAware VX2 Cleaner Plugin
http://www.majorgeeks.com/download4283.html
- BHODemon
http://www.majorgeeks.com/download3550.html
- CWShredder (CoolWWWSearch)
http://www.majorgeeks.com/download3019.html
- PestPatrol
http://www.majorgeeks.com/download1187.html
- Webroot Spysweeper
http://www.majorgeeks.com/download3263.html
- Ewido Security Suite
http://www.ewido.net/en/
- CounterSpy (Same Giant Company Engine as MSAS)
- http://www.sunbelt-software.com

Recommended Software to help protect you:
- Windows XP Service Pack 2
http://www.microsoft.com/windowsxp/sp2/default.mspx
- SpywareBlaster
http://www.javacoolsoftware.com
- Outpost Firewall Pro
http://www.agnitum.com/products/outpost
---------------------------------------------
 
Read up on a good description, such as JohnF has pointed to, of the real
bug.

If I want to know whether Microsoft Antispyware detects something, at
present, I tend to check Sunbelt's list of what Counterspy detects. I
didn't find your bug there, but it is definitely in the class of things
Microsoft Antispyware is designed to deal with.

Trend Micro's online scanner DOES detect spyware. I would expect (perhaps
not rationally) that they would detect what Symantec's expanded threat
detection products do--and Symantec lists your bug.

I'd say it looks more likely that you are seeing a false positive than not,
but you need to either trace the file on your machine to a manufacturer's
distribution media (and trust that vendor)--or do enough research to be sure
that what you see on your machine doesn't match good descriptions of the
detected bug.
 

George,

If you would like the file scanned to satisfy your fears, do so here:
http://virusscan.jotti.org/

Trend Micro has this on it:
http://es.trendmicro-europe.com/enterprise/vinfo/grayware.php?vGrayware=3923

If you have the Sun JRE installed you can scan the file at their
European Housecall online scanner:
http://uk.trendmicro-europe.com/enterprise/products/housecall_launch.php

Unless rar.exe has become infected somehow, it is described as:

Process File: rar or rar.exe
Process Name: WinRar DOS Executable

" Rar.exe is an archiving program which can achieve up to a 60%
compression rate. "
http://www.liutilities.com/products/wintaskspro/processlibrary/rar/

If cracking.rar.exe is present, then the system is infested with
the Vavico Trojan: http://www.auditmypc.com/process/cracking.asp

Neither of these Symantec pages lists rar.exe:
http://securityresponse.symantec.com/avcenter/venc/data/spyware.perfect.html
http://securityresponse.symantec.com/avcenter/venc/data/spyware.perfect.b.html


Steve Wechsler (akaMowGreen)
MS-MVP 2004-2005

===============
*-343-* FDNY
Never Forgotten
===============
 
Thanks, JohnF, for responding. I should have added with my initial post that
I checked my Registry (WinXP) for the tell-tale modifications described at
Symantec and found none. The more I think about it and read what you, Bill
Sanderson, and Steve Wechsler have to say, the more I think this episode has
been simply a case of "mistaken identity" by Norton AntiVirus and I'm
obligated to call their hand. Thanks again for responding.
 
Thanks, Steve. The first link you provided got the RAR.EXE on my computer a
clean bill of health, so I'm still wondering what's up with Symantec. I've
contacted them. Now, maybe there'll be a resolution.
 