Spyware Detector


joe53

Is Spyware Detector a rogue antispyware app?

Not according to Spyware Warrior's Rogue/Suspect list, where it was de-listed in 2006:

http://spywarewarrior.com/rogue_anti-spywa...m#swdetect_note

Previously it had made that list because of concerns with false positives. I believe it should be re-listed as a rogue program, for the following reasons:

1) I downloaded the trial version of Spyware Detector from http://www.spywaredetector.net/

2) After installing it on my PC, known to be free of malware, a scan found 33 "detections" involving 7 "threats" (2 listed as "critical").

These were all clearly false positives, which I ignored.

3) I then ran Rogue Remover v1.18 (which had never detected anything from day one) and it detected 17 rogue antispyware components.

All were related to "Vendor: 2-AntiSpyware" which I note is a program targeted by Rogue Remover.

4) I uninstalled Spyware Detector, and let Rogue Remover fix the detections.

5) I then went to MS Updates, and found 2 previously installed hotfixes needed re-installing:

- Cumulative Security Update for Internet Explorer 7 for Windows XP (KB928090)

- Security Update for JView Profiler (KB903235)

6) After running and checking all my other scanners, I noticed that several thousand entries in my SpywareBlaster IE protection had been disabled.

Items 5 & 6 above I have never seen before, and can only attribute to something I did in items 1-4. I can provide more details on request.

I have repaired all the damage, which I attribute to Spyware Detector. It seems that a leopard cannot change its spots.


Hi Joe and welcome to Malwarebytes. Thanks for posting your findings, very interesting. Please give us all the "dirt". ;)

You're on target with your observation about rogues; IMO they seldom come over to the light side completely. Many revert to their old ways after cleaning up their act for a short time.


Thanks, JeanInMontana.

More info:

1) "Threats" detected by Spyware Detector:

- 12 tracking cookies not found by any other scanner, including cookies from secunia.com, aumha.net, and forums.spybot.info (all respected security sites)

- Downloader.SpySetup (low threat)

- Adware.WinAd (high threat)

- Spyware.Digital Names (critical)

- Adware.MyWaySA (high)

- Adware.MyWay (medium)

- Trojan.VB (critical)

I tried to copy/paste the filepaths shown, but SD wouldn't let me. I clicked on the log for these detections, and was re-directed to their website! There is no log file for detections in the SD folder. Obviously SD doesn't want anyone double-checking their detections.

2) Here is what Rogue Remover found after installing SD:

RogueRemover has detected rogue antispyware components! Results below...

Type: File

Vendor: 2-AntiSpyware

Location: C:\WINDOWS\system32\VchReg.dll

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\AppID\{FD452F78-C495-40A1-B5BD-D8A586CA7F23}

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\AppID\VoucherReg.DLL

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\CLSID\{17BB6D1C-BCD3-4667-B56D-ABBBD2230042}

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\CLSID\{856D8ADB-99C3-4AEA-B294-E3FBDBC198CF}

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\CLSID\{FF1AECC7-0C21-4B5F-BD3F-8D5B0BF042D9}

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\Interface\{157BF1E5-C86C-48E7-ADCC-2890C45B63CE}

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\Interface\{1A5D27ED-D7EC-4ED3-A631-64CAA8482D27}

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\Interface\{C5B002C9-E508-4723-AB34-2AC6B5E3DC0E}

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\TypeLib\{D89D48EF-8915-4729-954E-69F3C6C3F19E}

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\VoucherReg.CorporateEvalReg

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\VoucherReg.CorporateEvalReg.1

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\VoucherReg.EvalReg

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\VoucherReg.EvalReg.1

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\VoucherReg.EvalReg1

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_CLASSES_ROOT\VoucherReg.EvalReg1.1

Type: Registry Key

Vendor: 2-AntiSpyware

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDNotify

----------------------------------

3) It took 3 attempts via Add/Remove Programs (and 2 re-directs to their website) to successfully uninstall SD. Even then, Rogue Remover still detected the registry keys noted above.

4) I don't know whether it was the installation or removal of SD that removed the 2 security updates from MSU, but it clearly didn't occur before or after my testing of SD (about 1 hour, from download to deletion). These updates had been on my PC for months.

5) This PC has never had a virus or malware infection (other than tracking cookies). The only reason I tested SD was to demonstrate to a poster in another forum that SD had a lot of FPs, and not to trust it just because it was de-listed. (I think I convinced him!)

On the brighter side, it was nice to see that Rogue Remover was worth installing. Keep up the good work!

System specs:

XP MCE/sp2

IE7

Cable/Linksys Router/ZA 6.5 free FW

Nod32 AV

Windows Defender (resident)

Comodo BOClean 4.23

On-demand scanners:

- Ad-Aware SE Personal

- AVG Anti-spyware (free)

- a-squared Free anti-trojan

- Spybot S&D

- SuperAntiSpyware (free)

SpywareBlaster

mvps HOSTS file

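A post-cleanup verification script, added here as an example; it is not from Joe, Malwarebytes or RogueRemover. It takes the seventeen locations RogueRemover reported above and checks whether any still exist; lists everything registered under Winlogon\Notify (the SDNotify entry is a DLL that winlogon.exe loads as SYSTEM at every logon, which is why a leftover there matters more than a stray CLSID); checks the two hotfixes by KB number; and counts the IE ActiveX kill bits and Restricted Sites zone entries so that a before/after run shows whether a program has undone them. It assumes PowerShell 2.0 or later on the affected machine. The ActiveX Compatibility and ZoneMap paths are standard IE registry locations; treating them as the substance of SpywareBlaster's IE protection is my assumption, not something the post states.

```powershell
# Added example, not part of the forum post. Assumes PowerShell 2.0+.
# The file and registry paths below are copied from the RogueRemover
# output posted above; run after uninstalling the suspect program.

$roguePaths = @(
    'C:\WINDOWS\system32\VchReg.dll',
    'Registry::HKEY_CLASSES_ROOT\AppID\{FD452F78-C495-40A1-B5BD-D8A586CA7F23}',
    'Registry::HKEY_CLASSES_ROOT\AppID\VoucherReg.DLL',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{17BB6D1C-BCD3-4667-B56D-ABBBD2230042}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{856D8ADB-99C3-4AEA-B294-E3FBDBC198CF}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{FF1AECC7-0C21-4B5F-BD3F-8D5B0BF042D9}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{157BF1E5-C86C-48E7-ADCC-2890C45B63CE}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{1A5D27ED-D7EC-4ED3-A631-64CAA8482D27}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{C5B002C9-E508-4723-AB34-2AC6B5E3DC0E}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{D89D48EF-8915-4729-954E-69F3C6C3F19E}',
    'Registry::HKEY_CLASSES_ROOT\VoucherReg.CorporateEvalReg',
    'Registry::HKEY_CLASSES_ROOT\VoucherReg.CorporateEvalReg.1',
    'Registry::HKEY_CLASSES_ROOT\VoucherReg.EvalReg',
    'Registry::HKEY_CLASSES_ROOT\VoucherReg.EvalReg.1',
    'Registry::HKEY_CLASSES_ROOT\VoucherReg.EvalReg1',
    'Registry::HKEY_CLASSES_ROOT\VoucherReg.EvalReg1.1',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDNotify'
)

# 1) Anything RogueRemover listed that is still present?
#    The Registry:: provider prefix lets Test-Path reach HKCR, which has no
#    default PSDrive; -LiteralPath stops any wildcard interpretation.
$leftovers = @($roguePaths | Where-Object { Test-Path -LiteralPath $_ })
if ($leftovers.Count -eq 0) {
    'OK: none of the 17 reported locations remain.'
} else {
    'LEFTOVER:'
    $leftovers | ForEach-Object { '  ' + $_ }
}

# 2) Every subkey of Winlogon\Notify names a DLL loaded into winlogon.exe
#    (SYSTEM context) on logon events. Anything here besides the stock
#    Windows entries deserves a look.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
'Winlogon\Notify packages:'
Get-ChildItem -Path $notify -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
    '  {0,-20} {1}' -f $_.PSChildName, $dll
}

# 3) The two updates the post says went missing, checked by KB number via
#    Win32_QuickFixEngineering (Get-HotFix).
$expected  = 'KB928090', 'KB903235'
$installed = @(Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID)
$missing   = @($expected | Where-Object { $installed -notcontains $_ })
if ($missing.Count -eq 0) { 'OK: both hotfixes present.' }
else { 'MISSING hotfixes: ' + ($missing -join ', ') }

# 4) IE protection counts. A kill bit is Compatibility Flags with bit 0x400
#    set under ActiveX Compatibility\{CLSID}; a Restricted Sites entry is a
#    ZoneMap\Domains subkey whose scheme value (e.g. '*' or 'http') is 4.
#    Record these numbers before installing anything suspect and compare.
$axCompat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$killBits = @(Get-ChildItem -Path $axCompat -ErrorAction SilentlyContinue | Where-Object {
    $flags = (Get-ItemProperty -Path $_.PSPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    ($flags -band 0x400) -ne 0
})
'ActiveX kill bits set: {0}' -f $killBits.Count

$domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$restricted = @(Get-ChildItem -Path $domains -ErrorAction SilentlyContinue | Where-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    @($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 4 }).Count -gt 0
})
'Restricted Sites domains: {0}' -f $restricted.Count
```

Run it once on a known-good machine to record the kill-bit and Restricted Sites counts, then again after the uninstall; a drop of "several thousand" in either number is the symptom described in item 6 above, and a non-empty LEFTOVER list reproduces what RogueRemover found after the uninstall in item 3.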

Thanks Joe, would you post a HiJack This! log here in a new thread of your own please? Run the scan and save the log, then copy and paste it. You can get HiJack This! here for free. This is just to see if everything is really gone from the program and maybe get more evidence. This is most interesting. Thanks again for taking the time to let us know.


Done!

I'm no expert at HJT, though I've used it (the old version) to monitor my PC for years now. I'm glad to get this chance to try out the new Trend Micro beta. I don't see much that worries me, but as I said, I'm no expert.

Hope it is of some help.

Joe

