AKAJohnDoe

Detects, but does not remove/fix


SAS is detecting Apropos Media/PeopleOnPage on a Vista Home Premium PC. The registry anchor roots do appear to exist (no subkey/value information) but there does not appear to be any of the supporting debris (e.g.: POP225.exe, et al.) present.

However, SAS will not remove these anchor registry keys, nor can they be manually removed via REGEDIT. SAS does try, and requests a reboot, but they are redetected on each subsequent scan.

Suggestions?

> SAS is detecting Apropos Media/PeopleOnPage on a Vista Home Premium PC. The registry anchor roots do appear to exist (no subkey/value information) but there does not appear to be any of the supporting debris (e.g.: POP225.exe, et al.) present.
>
> However, SAS will not remove these anchor registry keys, nor can they be manually removed via REGEDIT. SAS does try, and requests a reboot, but they are redetected on each subsequent scan.
>
> Suggestions?

Are you using 4.23 of SUPERAntiSpyware?

Also, FWIW, this is not detected at all by any of these: MBAM; ZoneAlarm AV; HiJackThis; Windows Defender; Windows Malicious Software Removal Tool.

Add Ad-Aware to this list of products that do not detect this.

At this point I am calling this a FALSE POSITIVE by SAS.

> Also, FWIW, this is not detected at all by any of these: MBAM; ZoneAlarm AV; HiJackThis; Windows Defender; Windows Malicious Software Removal Tool.
>
> Add Ad-Aware to this list of products that do not detect this.
>
> At this point I am calling this a FALSE POSITIVE by SAS.

Can you post the text version of the scan log here please.


System Restore Points on this Vista have been turned off for a long time already. ;)

I am running a registry-only scan (which is where this is detected) right now and will post the log in a few minutes.


SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 12/15/2008 at 06:01 PM

Application Version : 4.23.1006

Core Rules Database Version : 3675
Trace Rules Database Version: 1654

Scan type : Custom Scan
Total Scan Time : 00:02:22

Memory items scanned : 0
Memory threats detected : 0
Registry items scanned : 6492
Registry threats detected : 4
File items scanned : 0
File threats detected : 0

Browser Hijacker.Apropos Media/PeopleOnPage
HKLM\Software\Classes\CLSID\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\Implemented Categories
HKCR\CLSID\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 12/15/2008 at 02:27 PM

Application Version : 4.23.1006

Core Rules Database Version : 3675
Trace Rules Database Version: 1654

Scan type : Custom Scan
Total Scan Time : 00:03:22

Memory items scanned : 0
Memory threats detected : 0
Registry items scanned : 6492
Registry threats detected : 4
File items scanned : 0
File threats detected : 0

Browser Hijacker.Apropos Media/PeopleOnPage
HKLM\Software\Classes\CLSID\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\Implemented Categories
HKCR\CLSID\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}


I am having a similar problem. I have run a complete scan 4-5 times. Each time it will detect MJCore.dll and several associated registry keys. It runs through the quarantine process and appears to remove them, but then they're still there on the next scan. Additionally, the path to the dll (C:\Program Files\MJCore\MJCore.dll) can't seem to be navigated to through Windows Explorer or from the DOS prompt.

Running Windows XP: Media Center Edition.

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 12/16/2008 at 03:09 PM

Application Version : 4.23.1006

Core Rules Database Version : 3676
Trace Rules Database Version: 1655

Scan type       : Complete Scan
Total Scan Time : 01:06:59

Memory items scanned      : 387
Memory threats detected   : 0
Registry items scanned    : 6643
Registry threats detected : 12
File items scanned        : 88486
File threats detected     : 1

Browser Hijacker.MJCore
HKLM\Software\Classes\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}
HKCR\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}
HKCR\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}
HKCR\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\InprocServer32
HKCR\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\InprocServer32#ThreadingModel
HKCR\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\ProgID
HKCR\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\Programmable
HKCR\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\TypeLib
HKCR\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}\VersionIndependentProgID
HKCR\BHO_MyJavaCore.Mjcore.1
HKCR\BHO_MyJavaCore.Mjcore
HKCR\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}
C:\PROGRAM FILES\MJCORE\MJCORE.DLL

> Actually, please disregard the prior ... bump ...; I uninstalled Superantispyware.

What? No, don't disregard it! Regard it! I'm still having the problem I described above and I would rather not uninstall SAS.


I downloaded, installed, and ran the latest SAS today and these entries are again found.

As no other anti-spyware product is detecting them, and they appear to be known to Microsoft, I am persisting in my assessment that they are false positives.

Would SUPERAntiSpyware.com please respond and either substantiate this assessment (and correct the detection in the product) or advise as to an alternative?

> If you suspect these are false positive detections, I recommend using the built-in false positive detector in SUPERAntiSpyware. That will send samples directly to the SUPERAntiSpyware developers for analysis.

Found it and sent it along.


I downloaded, installed, and ran the latest SAS today.

Although 7DD95801-9882-11CF-9FA9-00AA006C42C4 is still present in the system registry, SuperAntiSpyWare no longer flags it.
