
64.135.77.30 False positive



Hi,

I contacted Prevx and they fixed their wrong rating of our file as it was a false positive. Check here:

http://www.prevx.com/filenames/X3360864763...RSETUP.EXE.html

Free Crawler Toolbar that is installed from www.funutilities.com is neither adware, nor any other kind of malware. It is a regular search toolbar just like Google Toolbar. It also has been certified by TRUSTe as safe software.

Funutilities.com domain is rated as a safe domain by top companies such as Symantec:

http://safeweb.norton.com/report/show?url=...amp;x=0&y=0

http://linkscanner.explabs.com/linkscanner...unutilities.com

http://www.browserdefender.com/site/funutilities.com/

Could you possibly let us know the reasons for adding our domain to your database with negative rating? If some of your arguments prove to be right, we will attempt to fix the problems so that you could change the rating of our domain in your database.

Sincerely,

Ivo Konzbul

Spyware Terminator Manager

Link to post
Share on other sites

  • 2 weeks later...

Just an update to let you know I've not forgotten about this; due to a hardware failure, the scheduled re-tests were delayed. I've not got a test machine as such at present, but should have a machine I can use as such, later tonight, and your programs are currently top of the list to be re-tested.

Link to post
Share on other sites

Test machine now has a new hard drive, and I'll be beginning the test as soon as I've grabbed a coffee. Results will be posted later today (got the docs at 4pm, so unless the tests are finished before then, they'll likely not be posted until after I get back around 5pm'ish).

Link to post
Share on other sites

Oks, so far, I've looked at inbox.com, Crawler, and looked in minor detail (thus far) at funutilities.

I wonder if you'd mind explaining the spyware behaviour I'm seeing? (i.e. the loading of what appear to be tracking images from awltovhc.com, which redirs to qksrv.net, which redirs to - Commission Junction). This connection came immediately after the download of the inbox.com toolbar, and a packet indicates you're passing CJ (and yourselves), this toolbar's unique installation ID .... a similar connection was made after installing Web Security Guard, in this case, it went to tqlkg.com, which of course, redirs to CJ.

You also pass this same information on to wsclick.infospace.com and rc12.overture.com. Passing this to YOUR servers is one thing (and even then, I'd personally consider it spyware even if it did that), but passing it to third parties, especially without CLEAR notification to the user, and their PERMISSION, is absolutely disgusting.

Your screensavers are also adware - the search box shouldn't be there, and when typing a word into it and pressing return, it goes to inbox.com, complete with the toolbar's installation ID.

I'm also disgusted to find that like some other vendors, your software also PRE-TICKS the home/search page etc, installations - something it should NOT be doing!

I'll be looking at Spyware Terminator etc, soon, but wonder if you'd mind explaining why your software is exhibiting blatant spyware behaviour? (the toolbar ID on its own may not mean much, but combined with the IP it means a hell of a lot to marketing/tracking companies - something Xacti already knows), especially given no mention is made concerning this passing of data to third parties when installing for example, your screensavers .....

I'll post back once I've looked at Spyware Terminator.

Link to post
Share on other sites

On to SystemProtect now and;

1. Installer has the Crawler/Web Security Guard toolbar PRE-TICKED - MAJOR NO-NO!

2. "Make Crawler.com my search provider and notify me of change" is pre-ticked

3. At least 4 outgoing connections are made during the installation;

a. system-protect.com/sd.asmx/GetVersionENC?[Long_string]

b. system-protect.com/sd.asmx/GetVersionENC?[Long_string]

c. cfg.crawler.com/cr_config.asmx/UID2Info?UID=STWSGDB

d. www.websecurityguard.com/dnl/files/domains.cab

e. www.websecurityguard.com/dnl/files/domains.cab

2 further connections are then made to system-protect.com when actually loading the application. One of which, is apparently to display the text at the top-right of the program's UI. Forgivable I suppose, but not ideal - especially for an alleged anti-malware program.

5. Last update is showing as 01/01/2003, and it tells me no updates are available, err .....

6. Program's "protection" facilities appear to be nothing more than "for show". It neither asked me, nor prevented me, from deleting files at my leisure.

Glad to see Send usage statistics isn't enabled by default, but everything else I'm seeing is showing me this program is snake-oil at best.

7. It failed to remove the Crawler toolbar when I uninstalled it, and not surprisingly, several connections were made to YOUR servers when I uninstalled the toolbars manually (and again, complete with IP address, IE version, screen resolution etc etc etc).

Next up is Spyware Terminator ....

Link to post
Share on other sites

Whilst SpywareTerminator is installing, I'm still not happy about your use of 404-errorpage.com, and I'm definitely not happy about your adware (and assuming it exhibits the same behaviour as the rest, spyware as well) at win-tools.com.

On a side note, there's absolutely no reason for your using a downloader to install SpywareTerminator - it would install a lot quicker if the program etc, was included in the installer. I'm also disgusted to see an alleged security program doing the same as the rest of your stuff - pre-ticking the installation of the Crawler toolbar.

Link to post
Share on other sites

Oh dear, no personally identifiable information will be sent huh? Then why pray tell, does it make several connections once installed - none of which are update related, and one of which, sends the user's IP address, IE version, screen resolution etc etc etc, to YOUR servers.

On the plus side, it didn't produce any F/P's on my test machine, detecting only a couple of cookies.

Link to post
Share on other sites

To begin, I would like to note that one of your arguments why your database has our IP addresses was detection by Prevx and Siteadvisor; both companies were marked as False detections and are no longer detected.

Responses to your observations:

A.

IP addresses and resolution are sent by Windows when using wininet.dll which is a standard part of the system

B.

Control on new version - system-protect.com/sd.asmx/GetVersionENC?[Long_string]

Control on new version - system-protect.com/sd.asmx/GetVersionENC?[Long_string]

Control on new WSG database version - cfg.crawler.com/cr_config.asmx/UID2Info?UID=STWSGDB

database WSG - www.websecurityguard.com/dnl/files/domains.cab

database WSG - www.websecurityguard.com/dnl/files/domains.cab

C.

About Win-tools, win-tools is a very old application and on <http://win-tools.com/> is a precise guide on how to uninstall the application. The application was terminated several years ago and we don

Link to post
Share on other sites

Sorry Ivo, but nice try.

The CJ redirect was NOT within the pages. It was during the installation of one of YOUR programs. There were NO notifications that it was going to pass anything to third parties, and absolutely no notification or warning, that it was going to send the IP et al, to external servers.

As for the sending being a standard part of Windows, rubbish. I've used wininet.dll in a few of my apps, and never once have they sent ANYTHING to ANYWHERE without my explicitly telling it to do such. The .dll is indeed part of Windows - the behaviour is NOT.

And yep, I'm aware of information sent to servers when visiting websites - but again, that's not what I'm discussing here - it was your programs sending that, NOT a browser (how's the .dll going to know to send this information to a stats page on your server without your telling it? Is it capable of mind reading now?)

As for others doing this, I'm aware of several vendors that are doing this, Symantec being one of them, and am not going to comment on those - they aren't the issue being discussed here. You want me to believe you're a legit security vendor - stop using misleading tactics (just because others do it doesn't make it ethical or right, does it?)

As an aside, you'll also find we're not the only ones blacklisting you. I know of at least one other that does (MVPHosts for example).

/edit

Just to clarify, the IP et al, were passed in a querystring, and not as a standard header packet, which is how they'd normally be sent by browsers etc

Link to post
Share on other sites
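
The distinction drawn in the thread, client details carried in the query string rather than in ordinary request headers, can be checked from a proxy or packet-capture log. The following is an added example, not part of any post above: the log format, hostnames and parameter names are constructed, and because the thread does not give the real parameter names, values are recognised by shape (the client's own IP, a screen resolution, a long opaque ID) rather than by name. It also reports any opaque ID that reaches more than one host.

```python
import re
from urllib.parse import urlsplit, parse_qsl

RESOLUTION = re.compile(r"^\d{3,4}x\d{3,4}$", re.I)
# Long hex string or GUID: a candidate per-install identifier (heuristic).
OPAQUE_ID = re.compile(
    r"^(?:[0-9a-f]{16,}|[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)

# Constructed sample proxy log lines: "<client_ip> <method> <url>"
SAMPLE_LOG = [
    "198.51.100.23 GET http://update.vendor.example/check?ver=2.1",
    "198.51.100.23 GET http://stats.vendor.example/i.gif?ip=198.51.100.23"
    "&res=1024x768&ie=6.0&uid=3f9c2a7be41d4c0fa1b2c3d4e5f60718",
    "198.51.100.23 GET http://search.partner.example/q?term=weather"
    "&tbid=3f9c2a7be41d4c0fa1b2c3d4e5f60718",
    "198.51.100.23 GET http://cdn.vendor.example/files/domains.cab",
]

def classify(value, client_ip):
    """Name the kind of client detail a query-string value looks like."""
    if value == client_ip:
        return "client_ip"
    if RESOLUTION.match(value):
        return "screen_resolution"
    if OPAQUE_ID.match(value):
        return "install_id_candidate"
    return None

def analyse(lines):
    """Return (host -> kinds seen in its query strings, id -> hosts it reached)."""
    kinds_by_host, hosts_by_id = {}, {}
    for line in lines:
        client_ip, _method, url = line.split(maxsplit=2)
        parts = urlsplit(url)
        for _name, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify(value, client_ip)
            if kind is None:
                continue
            kinds_by_host.setdefault(parts.hostname, set()).add(kind)
            if kind == "install_id_candidate":
                hosts_by_id.setdefault(value, set()).add(parts.hostname)
    return kinds_by_host, hosts_by_id

def shared_ids(lines):
    """Opaque IDs sent to more than one host (possible third-party sharing)."""
    return {i: h for i, h in analyse(lines)[1].items() if len(h) > 1}

if __name__ == "__main__":
    for host, kinds in analyse(SAMPLE_LOG)[0].items():
        print(host, sorted(kinds))
    print(shared_ids(SAMPLE_LOG))
```

A plain version check or file download produces no finding; only requests whose query strings carry the client's own details are reported.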
