Donna

False Positives: 7FaSSt and PowerStrip

Ad-aware SE with the latest definitions file has false positives, flagged as data miners and rated as critical:

7FaSSt
PowerStrip

Name:7FaSSt
Category:Data Miner
Object Type:Regkey
Size:11 Bytes
Location:interface\{38493f7f-2922-4c6c-9a9a-8da2c940d0ee}\
Last Activity:12-11-2006
Relevance:Low
TAC index:7
Comment:
Description:Installed by ActiveX. Installs a user ID. Tracks browser use. Records the names of folders, images and other objects on the system.

Name:7FaSSt
Category:Data Miner
Object Type:Regkey
Size:0 Bytes
Location:typelib\{3277cd27-4001-4ef8-9d96-c6ca745ac2f9}\
Last Activity:12-11-2006
Relevance:Low
TAC index:7
Comment:
Description:Installed by ActiveX. Installs a user ID. Tracks browser use. Records the names of folders, images and other objects on the system.

Name:7FaSSt
Category:Data Miner
Object Type:RegValue
Size:10 Bytes
Location:software\microsoft\internet explorer\toolbar "{669695BC-A811-4A9D-8CDF-BA8C795F261C}"
Last Activity:12-11-2006
Relevance:Low
TAC index:7
Comment:"{669695BC-A811-4A9D-8CDF-BA8C795F261C}"
Description:Installed by ActiveX. Installs a user ID. Tracks browser use. Records the names of folders, images and other objects on the system.

The above 3 items were added by the RadarSync toolbar and application that I am using to check for updates.

Name:PowerStrip
Category:Data Miner
Object Type:Regkey
Size:10 Bytes
Location:clsid\{669695bc-a811-4a9d-8cdf-ba8c795f261c}\
Last Activity:12-11-2006
Relevance:Low
TAC index:6
Comment:
Description:Incomplete uninstaller. Auto updates. Browser Hijacker.

That was added by the PowerStrip application, which is an overclocking utility.

All are safe apps, so I thought to report to you that I believe those are false positives.

Thanks!


Hi Donna, and thank you for your report.

We haven't done any updates in the (7FaSSt) family in a very long time.

And I checked some of the regvalues, and we don't consider these false positives.

I suggest you go to this forum to get more help:

http://www.lavasoftsupport.com/index.php?showforum=36

Thank You

Albin Bodahl
Lavasoft Research Team


Thanks Janie!

Thanks to you too, Albin, for checking this report of mine. I just realized that the 7FaSSt family has been in the detection for a long time {blushed}

Thanks for the link, Albin. However, I'm quite familiar that the said applications are safe and 1 of them is new in the scene (RadarSync) and that the said registry keys are added by the applications I mentioned, which I know are clean. I'll pass for now and leave it as ignored by Ad-aware SE ;)

PowerStrip isn't new in the scene though :)

Again, thank you guys :huh:


It is due to the fact that RadarSync uses a Class ID that happens to be in use by known malware as well. As a matter of fact, so does SlingShot...

http://www.castlecops.com/modules.php?name...F-BA8C795F261C}

Although this is arguably due to bad research by the developers of RadarSync and SlingShot, Ad-Aware does risk crippling legitimate software in this way...


Very correct Tony. One of those keys that is known bad but not bad for this instance ;)

For now, I ignore the false positive on RadarSync key and PowerStrip.

BTW, here's a screenshot that HJT shows it is really for RadarSync and I don't know whether RadarSync will do anything to this or LS will adjust the detection:

hjt.jpg


It might not be a bad idea to contact RadarSync support about this as well; after all, they have an interest not to have their software crippled by AS software.

In all fairness, it is not only AAW that detects this key; I also found instances of SpyBot and SpySweeper detecting 7FaSSt in the SlingShot "version" of this registry key as early as a year or two ago...


I reported to them already Tony.

Many thanks again Tony!


Hi all,

Just to follow up on this one, it should be resolved at this point. Our research team states:

For the 7FaSSt RadarSync collision I'm pretty sure we changed the CLSIDs to be conditional and only be detected if you got a hit on anything else in the 7FaSSt family first. So that issue should be resolved.

Please post back if you find that this is not resolved.

Thanks for reporting it! :huh:

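The conditional detection described in the last post, sketched as an added example (this is not Lavasoft's code or definitions format). It assumes the three 7FaSSt locations from the scan log are the shared, conditional indicators; the family-only key is a constructed placeholder, and `Indicator`, `norm` and `evaluate` are hypothetical names.

```python
from dataclasses import dataclass


def norm(location: str) -> str:
    """Registry paths and GUIDs are case-insensitive; drop trailing backslashes."""
    return location.strip().rstrip("\\").lower()


@dataclass(frozen=True)
class Indicator:
    location: str
    # True: the key is also written by legitimate software, so it is
    # never sufficient on its own to report the family.
    conditional: bool = False


# Assumed rule set for one family. The conditional locations are copied from
# the scan log in the first post; the last entry is a constructed placeholder.
FAMILY_7FASST = [
    Indicator(r"interface\{38493f7f-2922-4c6c-9a9a-8da2c940d0ee}", conditional=True),
    Indicator(r"typelib\{3277cd27-4001-4ef8-9d96-c6ca745ac2f9}", conditional=True),
    Indicator(r"software\microsoft\internet explorer\toolbar "
              r'"{669695BC-A811-4A9D-8CDF-BA8C795F261C}"', conditional=True),
    Indicator(r"software\placeholder\family-only-key"),  # not a real indicator
]


def evaluate(rules, observed):
    """Return the rule locations to report for one scan.

    All hits are collected before deciding, so the outcome does not depend
    on the order in which the scanner walked the registry.
    """
    seen = {norm(o) for o in observed}
    hits = [r for r in rules if norm(r.location) in seen]
    family_confirmed = any(not r.conditional for r in hits)
    # Conditional hits are reported only alongside a family-only hit.
    return [r.location for r in hits if family_confirmed or not r.conditional]


# Constructed scan results: a machine with only the shared keys present
# (as in the report above), and one that also has the family-only key.
RADARSYNC_ONLY = [
    "interface\\{38493f7f-2922-4c6c-9a9a-8da2c940d0ee}\\",
    "typelib\\{3277cd27-4001-4ef8-9d96-c6ca745ac2f9}\\",
    'software\\microsoft\\internet explorer\\toolbar "{669695bc-a811-4a9d-8cdf-ba8c795f261c}"',
]
INFECTED = RADARSYNC_ONLY + ["SOFTWARE\\Placeholder\\Family-Only-Key"]

if __name__ == "__main__":
    print("shared keys only:", evaluate(FAMILY_7FASST, RADARSYNC_ONLY))
    print("family confirmed:", evaluate(FAMILY_7FASST, INFECTED))
```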