
Exterminate-It



#1 MysteryFCM


Posted 23 August 2008 - 11:42 AM

Anyone fancy checking this one out?

exterminate-it.com
curiolab.net

http://hosts-file.ne...erminate-it.com
http://hosts-file.net/?s=curiolab.net

Don't have time myself or I'd do it myself ;)

Steven Burn

Malware Intelligence Analyst




#2 YoKenny1


Posted 23 August 2008 - 03:16 PM

Detects false positives.

Printer is not in my Start menu and SystemExplorer has Mumuboy trojan

#3 sho-dan


Posted 23 August 2008 - 03:20 PM

Hello Steven

Exterminate It:
Downloaded/installed and updated; there were no panic/scare-tactic "Your Infected" pop-ups on install, and no system tray icon, only a desktop icon is installed. Ran a scan and it produced two false positives (the first one doesn't exist, the 2nd one, monln.dll, is part of Comodo antivirus).
Scan and pay to remove infection: click on the orange Exterminate tab to register the product for removal.

Posted Image

http://www.bleepingc....dll-20086.html

#4 MysteryFCM


Posted 23 August 2008 - 03:26 PM

Nice one, cheers ;)



#5 Exterminate It guy


Posted 23 August 2008 - 09:47 PM

Hi, guys!

I represent the Exterminate It team and I registered here just to assure you that we are not producing a rogue antispyware product. We are really working hard to make HQ software.

2sho-dan: Please note that false positives are a USUAL problem even for such big boys as Kaspersky, Norton etc. BTW, at your request I could provide you with a 1 month trial code so your Exterminate It! software will be fully functional. After that you could use Submit State and we will look closer at what's going wrong with your PC or with our software. ;)

And lastly I want to remind you that a refund is always available for unsatisfied users.

#6 JeanInMontana


Posted 24 August 2008 - 04:48 PM

Hi Exterminate It guy and welcome to Malwarebytes. I'll take that offer of a license. I'm sure some others will too. Particularly our lead rogue researcher SwampDiner.



#7 Exterminate It guy


Posted 25 August 2008 - 01:30 PM

2JeanInMontana: was sent to PM.

If somebody else is interested - please let me know.

#8 MysteryFCM


Posted 07 September 2008 - 08:49 AM

I've just checked this and it's still producing laughable F/P's that it wants paid to "fix" ....

Posted Image



#9 malware.kill


Posted 07 September 2008 - 05:53 PM

Hi there,

Just checked this program on my Windows Vista Home,
No false positives found.

2 sho-dan - I also have Comodo antivirus installed - no detections either.
2 MysteryFCM - What is the ServSax.a that was detected on your PC?
Can you provide details?
Maybe this ain't an FP?

#10 MysteryFCM


Posted 07 September 2008 - 05:59 PM

It claimed they were a bunch of reg keys etc that don't actually exist ........ so yep, definitely F/P's (I've been doing this a long time :unsure:). If the app actually produced a log of what it found, or provided an option to save the list, I could have posted that - but it doesn't (the log it does create makes absolutely no mention of the detections).

This was on XP SP2 .....



#11 Exterminate It guy


Posted 08 September 2008 - 01:03 PM

2MysteryFCM: Would you please provide more detailed information regarding this false positive to help us improve detection quality? Please provide the same screenshot with detailed information visible - i.e. with file and registry paths. I would really appreciate your help.

If this is considered a false positive IT WILL BE IMMEDIATELY REMOVED FROM THE DATABASE.
Every security professional should know - different methods can be used for malware detection and very often malware hides itself under legitimate software file names and registry keys; in this case more strict detection rules/conditions need to be used.

If we take money for malware removal and Submit State feature processing there is no reason to mark our software as a ROGUE.
We show all the paths to files and to registry keys, and many of our users remove the malware by themselves without paying money. That's fair.

Submit State reports are processed on a per-client basis - so it requires more processing than the usual approach.

Why Exterminate It! is not ROGUE:

1. we never use false positives as a road to purchase. (they will be removed immediately after discovery)
2. we provide a fully functional 1 week trial per support request.
3. if people are dissatisfied with our software - we provide immediate money-back !!! As you might know - a rogue never provides money-back.
4. we show the full path to files and to registry keys - so there are no hidden games with non-present infections.

#12 TonyKlein


Posted 08 September 2008 - 02:09 PM

Just a couple of FPs, notably:


The "CWS.GonnaSearch" entries are in fact from Internet Explorer 5 Toolbar Wallpaper

(No longer works with IE7, but a legitimate application nonetheless...)


... and the "BrowserAid" detection actually concerns a Snagit reg key:


[HKEY_CLASSES_ROOT\AppID\BHO.DLL]
"AppID"="{59AEAD8A-6822-4794-AF2E-8CC27312E26E}"

[HKEY_CLASSES_ROOT\CLSID\{00C6482D-C502-44C8-8409-FCE54AD9C208}]
@="SnagIt Toolbar Loader"
"AppID"="{59AEAD8A-6822-4794-AF2E-8CC27312E26E}"

[HKEY_CLASSES_ROOT\CLSID\{00C6482D-C502-44C8-8409-FCE54AD9C208}\InprocServer32]
@="C:\\Program Files\\TechSmith\\SnagIt 9\\SnagItBHO.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00C6482D-C502-44C8-8409-FCE54AD9C208}\ProgID]
@="BHO.HelperObject.1"

[HKEY_CLASSES_ROOT\CLSID\{00C6482D-C502-44C8-8409-FCE54AD9C208}\Programmable]

[HKEY_CLASSES_ROOT\CLSID\{00C6482D-C502-44C8-8409-FCE54AD9C208}\TypeLib]
@="{39CAFD20-BAFF-454D-A94C-7115710AE6E3}"

[HKEY_CLASSES_ROOT\CLSID\{00C6482D-C502-44C8-8409-FCE54AD9C208}\VersionIndependentProgID]
@="BHO.HelperObject"



Nothing deliberate though, by the looks of it.

Attached file: FP.jpg (150.7KB)
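The check described in post #12 (resolving a flagged CLSID to the DLL that backs it) can be scripted against a registry export. This is an added example, not part of the original post or any tool mentioned in the thread; the sample is a constructed subset of the export quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: a subset of the registry export quoted in post #12.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\CLSID\{00C6482D-C502-44C8-8409-FCE54AD9C208}]
@="SnagIt Toolbar Loader"
[HKEY_CLASSES_ROOT\CLSID\{00C6482D-C502-44C8-8409-FCE54AD9C208}\InprocServer32]
@="C:\\Program Files\\TechSmith\\SnagIt 9\\SnagItBHO.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{00C6482D-C502-44C8-8409-FCE54AD9C208}\ProgID]
@="BHO.HelperObject.1"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(.+))?$')

def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg strings escape \ and " with a backslash

def parse_reg(text):
    """Return {key_path: {value_name: string_data}}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '@' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def summarize_com_objects(keys):
    """Group CLSID keys so each object shows its name, ProgID and backing DLL."""
    objs = {}
    for path, values in keys.items():
        m = CLSID_RE.search(path)
        if not m:
            continue
        clsid, sub = m.group(1).upper(), (m.group(2) or '').lower()
        obj = objs.setdefault(clsid, {'name': None, 'progid': None, 'server': None})
        field = {'': 'name', 'progid': 'progid', 'inprocserver32': 'server'}.get(sub)
        if field and '@' in values:
            obj[field] = values['@']
    return objs
```

The resulting `server` path is what an analyst would then check on disk (publisher, signature, install directory) before deciding whether a detection on that key is a false positive.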


#13 Exterminate It guy


Posted 08 September 2008 - 05:44 PM

TonyKlein, thank you for taking time to review us!

All those FPs mentioned by you have been removed from our database.

#14 TonyKlein


Posted 09 September 2008 - 02:02 AM

> TonyKlein, thank you for taking time to review us!
>
> All those FPs mentioned by you have been removed from our database.


That's good to hear. However, you will of course understand that you can't by any means consider this a full-fledged review. It's just a quick run to check for FPs.

#15 Exterminate It guy


Posted 10 September 2008 - 06:10 AM

> It claimed they were a bunch of reg keys etc that don't actually exist ........ so yep, definitely F/P's (I've been doing this a long time :unsure:). If the app actually produced a log of what it found, or provided an option to save the list, I could have posted that - but it doesn't (the log it does create makes absolutely no mention of the detections).
>
> This was on XP SP2 .....


Dear MysteryFCM,

False positives sometimes happen - but this means that good files / regkeys are detected as bad ones. But detection of non-existing reg keys ... or files - SOUNDS STRANGE and IMPOSSIBLE.

It would be great if you can provide Submit State from your pc - for that please click on Submit State button, enter information that you have false positive and you are MysteryFCM, and press Send button.

You can also provide the snapshot from your screen - but please maximize Exterminate It! window to full screen, and make the "Location" column fully visible, (you can minimize the Category column for that). Please put this snapshot to forum.

#16 MysteryFCM


Posted 10 September 2008 - 06:40 AM

The machine I ran it on is no longer a "clean install", so can't do that I'm afraid.

I'll re-run the application once I get access to a test system again (probably either over the weekend or early next week).



#17 Exterminate It guy


Posted 20 September 2008 - 09:33 AM

> The machine I ran it on is no longer a "clean install", so can't do that I'm afraid.
>
> I'll re-run the application once I get access to a test system again (probably either over the weekend or early next week).


Just want to remind you that we are still looking forward to receiving from you either a Submit State or a detailed screenshot :angry:

#18 MysteryFCM


Posted 20 September 2008 - 09:38 AM

I'd actually forgotten about this as I've been a little (well okay a lot) side tracked with other things.

I'm back tomorrow until Wednesday (so far), so will try and find time between then, to re-run the tests.



#19 junkie26


Posted 11 November 2008 - 05:44 AM

I've been running Exterminate It on my PC and it found the following registry entries:

O17 - HKLM\System\CCS\Services\Tcpip\..\{93411B4B-2EEC-4612-96C1-25ABC107B13C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

I've tried all of the following anti-spyware and anti-virus progs, but only Exterminate It came up with these entries...

ComboFix
Exterminate It
FixWareOut
HijackThis
Malwarebytes' Anti-Malware
XsoftSpySE
SmitFraudFix
AdAware
SpyBot S&D
AVG

The registry entries seem to be related to DNS changers (e.g. Zlob), but aren't these entries the (safe) servers of OpenDNS?
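One way to triage HijackThis O17 NameServer lines like the ones quoted in post #19 is to compare each resolver against a list the analyst already trusts, so only unknown addresses are left for manual review. This is an added example, not part of the original post or of any product discussed here; the allowlist, the local-network list and the function names are assumptions.

```python
import ipaddress
import re

# Constructed input: the four HijackThis O17 lines quoted in post #19.
SAMPLE_LOG = r'''
O17 - HKLM\System\CCS\Services\Tcpip\..\{93411B4B-2EEC-4612-96C1-25ABC107B13C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
'''

# Assumption: an analyst-maintained allowlist; these two addresses are the
# OpenDNS resolvers named in the post.
KNOWN_RESOLVERS = {'208.67.220.220': 'OpenDNS', '208.67.222.222': 'OpenDNS'}
# Assumption: RFC 1918 and loopback ranges count as a local router or resolver.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8')]
O17_RE = re.compile(r'^O17 - (?P<key>.+?): (?P<value>\w+) = (?P<data>.*)$')

def parse_o17(log_text):
    """Return [(registry_key, [servers])] for every O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m or m.group('value').lower() != 'nameserver':
            continue  # other O17 values (e.g. Domain) are not resolver lists
        servers = [s for s in re.split(r'[,\s]+', m.group('data')) if s]
        entries.append((m.group('key'), servers))
    return entries

def classify(server):
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return 'invalid'
    if str(ip) in KNOWN_RESOLVERS:
        return 'known:' + KNOWN_RESOLVERS[str(ip)]
    if any(ip in net for net in LOCAL_NETS):
        return 'local'
    return 'review'

def triage(log_text):
    """Return only the O17 keys with a resolver that needs a manual look."""
    flagged = {}
    for key, servers in parse_o17(log_text):
        bad = [s for s in servers if classify(s) in ('review', 'invalid')]
        if bad:
            flagged[key] = bad
    return flagged
```

For the four quoted lines `triage` returns an empty result, because every listed resolver is on the allowlist.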

#20 junkie26


Posted 11 November 2008 - 06:23 AM

Additionally, Exterminate It finds the following registry entry 3 times:

Zlob.Fake Security Alerts

It appears that this can only be fixed by buying Exterminate It, since all other progs do not recognize the entry as a trojan.

What to do!?



