Jump to content

Spyware Detector


joe53
 Share

Recommended Posts

Is Spyware Detector a rogue antispyware app?

Not according to Spyware Warrior's Rogue/Suspect list, where it was de-listed in 2006:

http://spywarewarrior.com/rogue_anti-spywa...m#swdetect_note

Previously it had made that list because of concerns with false positives. I believe it should be re-listed as a rogue program, for the following reasons:

1) I downloaded the trial version of Spyware Detector from http://www.spywaredetector.net/

2) After installing it on my PC, known to be free of malware, a scan found 33 "detections" involving 7 "threats" (2 listed as "critical").

These were all clearly false positives, which I ignored.

3) I then ran Rogue Remover v1.18 (which had never detected anything from day one) and it detected 17 rogue antispyware components.

All were related to "Vendor: 2-AntiSpyware" which I note is a program targeted by Rogue Remover.

4) I uninstalled Spyware Detector, and let Rogue Remover fix the detections.

5) I then went to MS Updates, and found 2 previously installed hotfixes needed re-installing:

- Cumulative Security Update for Internet Explorer 7 for Windows XP (KB928090)

- Security Update for JView Profiler (KB903235)

6) After running and checking all my other scanners, I noticed that several thousand entries in my SpywareBlaster IE protection had been disabled.

Items 5 & 6 above I have never seen before, and can only attribute to something I did in in items 1-4. I can provide more details on request.

I have repaired all the damage, which I attribute to Spyware Detector. It seems that a leopard cannot change its spots.

Link to post
Share on other sites

Hi Joe and welcome to Malwarebytes. Thanks for posting your findings, very interesting. Please give us all the "dirt". ;)

Your on target with your observation about rogues IMO they seldom come over to the light side completely. Many revert to their old ways after cleaning up their act for a short time.

Link to post
Share on other sites

Thanks, JeanInMontana.

More info:

1) "Threats" detected by Spware Detector:

- 12 tracking cookies not found by any other scanner, including cookies from secunia.com, aumha.net, and forums.spybot.info (all respected security sites)

- Downloader.SpySetup (low threat)

- Adware.WinAd (high threat)

- Spyware.Digital Names (critical)

- Adware.MyWaySA (high)

- Adware.MyWay (medium)

- Trojan.VB (critical)

I tried to copy/paste the filepaths shown, but SD wouldn't let me. I clicked on the log for these detections, and was re-directed to their website! There is no log file for detections in the SD folder. Obviously SD doesn't want anyone double-checking their detections.

2) Here is what Rogue Remover found after installing SD:

RogueRemover has detected rogue antispyware components! Results below...

Type: File

Vendor: 2-AntiSpyware

Location: C:\WINDOWS\system32\VchReg.dll

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\AppID\{FD452F78-C495-40A1-B5BD-D8A586CA7F23}

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\AppID\VoucherReg.DLL

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\CLSID\{17BB6D1C-BCD3-4667-B56D-ABBBD2230042}

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\CLSID\{856D8ADB-99C3-4AEA-B294-E3FBDBC198CF}

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\CLSID\{FF1AECC7-0C21-4B5F-BD3F-8D5B0BF042D9}

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\Interface\{157BF1E5-C86C-48E7-ADCC-2890C45B63CE}

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\Interface\{1A5D27ED-D7EC-4ED3-A631-64CAA8482D27}

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\Interface\{C5B002C9-E508-4723-AB34-2AC6B5E3DC0E}

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\TypeLib\{D89D48EF-8915-4729-954E-69F3C6C3F19E}

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\VoucherReg.CorporateEvalReg

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\VoucherReg.CorporateEvalReg.1

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\VoucherReg.EvalReg

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\VoucherReg.EvalReg.1

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\VoucherReg.EvalReg1

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\VoucherReg.EvalReg1.1

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDNotify

----------------------------------

3) It took 3 attempts via Add/Remove Programs- and 2 re-directs to their website- to successfully uninstall SD. Even then, Rogue Remover still detected the registry keys noted above.

4) I don't know whether it was the installation or removal of SD that removed the 2 security updates from MSU, but it clearly didn't occur before or after my testing of SD (about 1 hour, from download to deletion). These updates had been on my PC for months.

5) This PC has never had a virus or malware infection (other than tracking cookies). The only reason I tested SD was to demonstrate to a poster in another forum that SD had a lot of FPs, and not to trust it just because it was de-listed. (I think I convinced him!)

On the brighter side, it was nice to see that Rogue Remover was worth installing. Keep up the good work!

System specs:

XP MCE/sp2

IE7

Cable/Linksys Router/ZA 6.5 free FW

Nod32 AV

Windows Defender (resident)

Comodo BOClean 4.23

On-demand scanners:

- Ad-Aware SE Personal

- AVG Anti-spyware (free)

- a-squared Free anti-trojan

- Spybot S&D

- SuperAntiSpyware (free)

SpywareBlaster

mvps HOSTS file

Link to post
Share on other sites

Thanks Joe, would you post a HiJack This! log here in a new thread of your own please? Run the scan and save the log then copy and paste it. You can get HiJack This! here for free. This is just to see if everything is really gone from the program and maybe get more evidence. This is most interesting. Thanks again for taking the time to let us know.

Link to post
Share on other sites

Done!

I'm no expert at HJT, though I've used it (the old version) to monitor my PC for years now. I'm glad to get this chance to try out the new Trend Micro beta. I don't see much that worries me, but as I said, I'm no expert.

Hope it is of some help.

Joe

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.