MS AS, Adware, & Spybot on "clean" system

J

JW

(Sorry, should have crossposted this; it's a duplicate of a posting on the
spyware group.)

Ran Ad-Aware, Spybot, and MS Antispyware on my main PC which is kept pretty
clean of spyware junk. Latest versions of each, most recent updates. Interesting
results:

1) Spybot S&D results (all includes):
Congratulations!: No immediate threats were found.

2) Ad-Aware (deep scan, which takes a _long_ time):
SpyArsenal HomeKeylogger Object Recognized!
Type : File
Data : keylogger.zip
Category : Monitoring Tool
Comment : Object "HomeKeyLogger-setup.exe" found in this archive.

SpyArsenal FamilyKeylogger Object Recognized!
Type : File
Data : keylogger.zip
Category : Monitoring Tool
Comment : Object "FamilyKeyLogger-setup.exe" found in this
archive.

JW Notes: Ad-Aware detected these two keyloggers in my software archives.

3) Microsoft Antispyware Beta 1
Their definitions:
Elevated threats are usually threats that fall into the range of adware in
which data about a user's habits are tracked and sent back to a server for
analysis without your consent or knowledge.
Moderate threats may profile users online habits or broadcast data back to a
server with 'opt-out' permission. In most cases this type of threat is more
along the lines of commercial type adware that offer a premium service in
exchange for tracking your user online performance.
Low risk threats pose a very low risk or no immediate danger to your
computer or your privacy, however these types of applications may profile user
online habits, but only according to specific privacy policies stated in the
applications End-User License. These types of threats generally borderline on
being a threat to being a standard application that has a complex license
agreement that you knowingly installed.

What it found:

A) SearchSquire Adware
Details: SearchSquire is an Internet Explorer sidebar containing paid links that
open when you use search engines.
Elevated threat

Infected registry keys/values detected
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\searchsquire.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\searchsquire.com * 4

JW Notes: Never seen this before. Told MS AntiSpyware to remove it.

B) BrilliantDigital Adware
Details: BrilliantDigital displays multimedia advertisements.
Infected registry keys/values detected
HKEY_CLASSES_ROOT\.b3d
HKEY_CLASSES_ROOT\.b3d IrfanView.b3d

JW Notes: False positive. The extension is for an image format.

C) TightVNC Commercial Remote Control
Status: Ignored
Moderate threat
Infected files detected
C:\Program Files\UltraVNC\VNCHooks_Settings.reg

JW Notes: interestingly, MS detected vnc files for the RealVNC viewer, but only
this reg file for TightVNC.

D) RealVNC Commercial Remote Control
Status: Ignored
Moderate threat
Infected files detected
c:\program files\realvnc\vncviewer.exe
c:\program files\realvnc\unins000.dat
c:\program files\realvnc\unins000.exe

JW Notes: I don't know if anyone is using these VNC products as trojans or
spyware, but it's nice that MS flagged them.

E) Morpheus Adware Bundler more information...
Details: Morpheus is a peer-to-peer file sharing program that installs spyware.
Morpheus also displays pop-up advertising.
Status: Ignored
Moderate threat
Infected files detected
C:\Program Files\Paltalk\BtHook.dll

JW Notes: PalTalk is ad-sponsored sw. I've had this installed for more than 6
months. Ad-Aware and Spybot should have detected it.

F) eDonkey2000 Adware Bundler
Details: eDonkey2000 is a peer-to-peer file sharing program that installs with
adware and spyware such as Webhancer, Web Search Toolbar, and New.Net.
Status: Ignored
Low threat

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\DefaultIcon C:\Program
Files\emule\eMule.exe,1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell\open\command "C:\Program
Files\emule\eMule.exe" "%1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k URL: ed2k Protocol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k URL Protocol

JW Notes: I think that this is a false positive. The MS tool just flagged the
ed2K registry entry, even though eMule (which, as far as I know, contains no
spyware) created it.
 
R

Richard Steven Hack

A) SearchSquire Adware
Details: SearchSquire is an Internet Explorer sidebar containing paid links that
open when you use search engines.
JW Notes: Never seen this before. Told MS AntiSpyware to remove it.

According to others here, this is an Active X block that Spybot put
there to prevent such an Active X control from running. Microsoft
helpfully caused you to remove it, which now makes you vulnerable to
it.

D) RealVNC Commercial Remote Control
Status: Ignored
Moderate threat
Infected files detected
c:\program files\realvnc\vncviewer.exe
c:\program files\realvnc\unins000.dat
c:\program files\realvnc\unins000.exe

JW Notes: I don't know if anyone is using these VNC products as trojans or
spyware, but it's nice that MS flagged them.

Well, no, while VNC MIGHT be installed surreptitiously on someone's
machine who is clueless, basically this is excessive paranoia on the
program's part. VNC is a completely legitimate program - even though
it CAN be used for remote control of another person's machine.

Granted, if someone didn't know what it was, presumably they didn't
put it there and in that case, I suppose it's helpful to point it out.

Interestingly, it labeled it a "moderate threat" - which indicates it
thinks VNC is legitimate - but if it WAS installed without someone's
knowing, I would call it a MAJOR threat since it provides total remote
control of that person's machine. So which is it, Microsoft? Major or
moderate? And if so, what is Remote Desktop?

E) Morpheus Adware Bundler more information...
Details: Morpheus is a peer-to-peer file sharing program that installs spyware.
Morpheus also displays pop-up advertising.
Status: Ignored
Moderate threat
Infected files detected
C:\Program Files\Paltalk\BtHook.dll

From the PestPatrol site:

PalTalk is included with Morpheus, a free program sponsored by
advertisements through an ad server contained in the program. PalTalk
contains third party advertising delivered and serviced by
DoubleClick, which PalTalk confirms as their "Web advertising
partner". Once you register with PalTalk, you will receive email
solicitations from whatever companies are associated with both
PalTalk, and DoubleClick. Once enrolled, you are offered the
opportunity to unsubscribe from the PalTalk mailing list, but once you
have been loaded onto other mailing lists you will have to unsubscribe
from them too.

Additionally, communications may be monitored and any form of your
communication may be found published at another site for another
purpose. Additionally, you waive all rights to any personal images
sent through PalTalk to another user.

JW Notes: PalTalk is ad-sponsored sw. I've had this installed for more than 6
months. Ad-Aware and Spybot should have detected it.

Probably, but as we know, neither of them is infallible - in fact, in
a recent test, Spybot detected barely 37% IIRC of the stuff used in
the test.

F) eDonkey2000 Adware Bundler
Details: eDonkey2000 is a peer-to-peer file sharing program that installs with
adware and spyware such as Webhancer, Web Search Toolbar, and New.Net.
Status: Ignored
Low threat

I wonder what they're calling "high threat" if they say a program
which installs spyware is a "low" threat...:)

JW Notes: I think that this is a false positive. The MS tool just flagged the
ed2K registry entry, even though eMule (which, as far as I know, contains no
spyware) created it.

eMule doesn't, but according to posts on their forum, eDonkey2k DOES
and of course if you download the wrong thing, that wrong thing might
have some.
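The SearchSquire detection above rests on a ZoneMap entry whose `*` value is 4, which is the Restricted sites zone: the reply attributes that entry to Spybot's immunization, and removing it undoes a block rather than an infection. The script below is an added example, not code from the thread or from any of the scanners it discusses; it enumerates the current user's ZoneMap domain mappings and names the zone each one sits in, so a Restricted sites block can be told apart from a domain that something has added to Trusted sites (the case that does warrant removal). It assumes Windows PowerShell on a machine with the standard `Internet Settings\ZoneMap\Domains` key; the HKLM path is only mentioned as an alternative input.

```powershell
# Added example, not part of the thread or of any product it mentions.
# Enumerates Internet Explorer ZoneMap domain entries for the current user and
# reports the security zone each domain (or subdomain) is mapped to. Zone 4 is
# Restricted sites (a block, e.g. from Spybot's immunization); zone 2 is Trusted
# sites, which is the mapping that deserves a second look if unexpected.

$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-ZoneMapDomain {
    param(
        # Domains key for the current user; pass the HKLM: equivalent to audit
        # machine-wide mappings instead.
        [string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $rootName = (Get-Item -LiteralPath $Path).Name

    Get-ChildItem -LiteralPath $Path -Recurse | ForEach-Object {
        $key = $_
        # Subdomains nest as subkeys ('example.com\www'); rebuild 'www.example.com'.
        $relative = $key.Name.Substring($rootName.Length).TrimStart('\')
        $parts = $relative -split '\\'
        [array]::Reverse($parts)
        $domain = $parts -join '.'

        # Each value name is a scheme ('*', 'http', 'https', ...) whose DWORD data is the zone number.
        foreach ($valueName in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($valueName)
            [pscustomobject]@{
                Domain   = $domain
                Scheme   = $(if ($valueName -eq '') { '(default)' } else { $valueName })
                Zone     = $zone
                ZoneName = $(if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { 'unknown' })
            }
        }
    }
}

# Report all mappings, then summarise: Trusted sites entries loosen security for a
# domain and are worth reviewing; Restricted sites entries are blocks, not infections.
$entries = @(Get-ZoneMapDomain)
$entries | Sort-Object Zone, Domain | Format-Table Domain, Scheme, Zone, ZoneName -AutoSize

$trusted    = @($entries | Where-Object Zone -eq 2)
$restricted = @($entries | Where-Object Zone -eq 4)
"{0} domain(s) mapped to Trusted sites (review these), {1} mapped to Restricted sites (blocks)" -f $trusted.Count, $restricted.Count
```

Run it before accepting a scanner's "remove" suggestion for a ZoneMap key: an entry such as searchsquire.com with `*` mapped to zone 4 is doing the same job the reply describes for Spybot's immunization, whereas the same key with zone 2 would mean the domain had been granted Trusted sites privileges.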
 
