RogueRemover - false positives?

Question

The latest update for RogueRemover is detecting multiple entries like the following:   RogueRemover has detected rogue antispyware components! Results below...   Type: Registry KeyVendor: Spyware Nuker XTLocation: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\xxx   I strongly suspect these to be false positives, and would advise not removing such entries.

ky331 · Answer

Confirming a similar experience.

Official information:

Version 110 (3/10/07)

[Added]
Antivirus Solution, Copperhead AntiSpyware, PerfectCleaner, SpyAway, Spyware Nuker XT, Spyware Seizer, WebSafe Spyware Secure

[Updated]
Malware Scanner, Neospace Internet Security

[Removed]
RegistryFix

[Notes]
No further comments.

Spyware Nuker XT is a rogue antispyware utility that uses false positives to lure the user into buying the product. It installs third party software without permission. The installer also plants inappropriate links in the registry (history).

In my case, RogueRemover found 46 registry keys, from Spyware Nuker XT, under

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\

the 46 entries in question (as indicated by Joe's xxx) appear to me to be the names of cookies / web sites that I've removed in the past by the likes of Ad-Aware, SpyBot, &etc.... such as 2o7.net , advertising.com , casalemedia.com , hitbox.com, & hitslink.com

So while, like Joe, I'm skeptical that I indeed have Spyware Nuker on my system, I would be interested in seeing if these "Adware" cookies in my history are indeed something which should be removed nonetheless... but I'm waiting to see what others have to say.

Message Edited by ky331 on 03-11-2007 09:50 AM

ky331 · Answer

A little investigation now suggests to me that the registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\

correspond to Tools / Internet Options / Privacy / Sites [from which to block cookies].

If so, by removing these entries, the cookies which had been blocked by my choice, would no longer be blocked!

On this basis, I now fully concur with Joe53 that these are false positives which should NOT be removed. Pending official confirmation, I suggest users click on RogueRemover's Exclude List and UNcheck Spyware Nuker XT before SCANning

EDIT: I've just posted the question and am awaiting an official response here:

http://www.malwarebytes.org/forums/index.php?showtopic=974

Message Edited by ky331 on 03-11-2007 09:28 AM

ky331 · Answer

the Spyware Nuker XT false-positives have now been fixed, with the issuance of Rogue Remover database 111

joe53 · Answer

Nice sleuthing!   All I could find on Spyware Nuker was that it is a dubious Anti-Spyware app once listed as a rogue, but since delisted ( at least at Spyware Warrior's site).   I see that many, if not all, those sites are listed in my MVPS Hosts file, and suspect this was the source of the false detections.

Virus & Spyware

Was this post helpful?