JW
(Sorry, should have crossposted this; it's a duplicate of a posting on the
spyware group.)
Ran Ad-Aware, Spybot, and MS Antispyware on my main PC which is kept pretty
clean of spyware junk. Latest versions of each, most recent updates. Interesting
results:
1) Spybot S&D results (all includes):
Congratulations!: No immediate threats were found.
2) Ad-Aware (deep scan, which takes a _long_ time):
SpyArsenal HomeKeylogger Object Recognized!
Type : File
Data : keylogger.zip
Category : Monitoring Tool
Comment : Object "HomeKeyLogger-setup.exe" found in this archive.
SpyArsenal FamilyKeylogger Object Recognized!
Type : File
Data : keylogger.zip
Category : Monitoring Tool
Comment : Object "FamilyKeyLogger-setup.exe" found in this archive.
JW Notes: Ad-Aware detected these two keyloggers in my software archives.
3) Microsoft Antispyware Beta 1
Their definitions:
Elevated threats are usually threats that fall into the range of adware in
which data about a user's habits are tracked and sent back to a server for
analysis without your consent or knowledge.
Moderate threats may profile users' online habits or broadcast data back to a
server with 'opt-out' permission. In most cases this type of threat is more
along the lines of commercial-type adware that offers a premium service in
exchange for tracking your online activity.
Low risk threats pose a very low risk or no immediate danger to your
computer or your privacy; however, these types of applications may profile user
online habits, but only according to specific privacy policies stated in the
application's End-User License. These types of threats generally border on
being a threat versus being a standard application that has a complex license
agreement that you knowingly installed.
What it found:
A) SearchSquire Adware
Details: SearchSquire is an Internet Explorer sidebar containing paid links that
open when you use search engines.
Elevated threat
Infected registry keys/values detected
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\searchsquire.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\searchsquire.com * 4
JW Notes: Never seen this before. Told MS AntiSpyware to remove it.
B) BrilliantDigital Adware
Details: BrilliantDigital displays multimedia advertisements.
Infected registry keys/values detected
HKEY_CLASSES_ROOT\.b3d
HKEY_CLASSES_ROOT\.b3d IrfanView.b3d
JW Notes: False positive. The extension is for an image format.
C) TightVNC Commercial Remote Control
Status: Ignored
Moderate threat
Infected files detected
C:\Program Files\UltraVNC\VNCHooks_Settings.reg
JW Notes: Interestingly, MS detected VNC files for the RealVNC viewer, but only
this reg file for TightVNC.
D) RealVNC Commercial Remote Control
Status: Ignored
Moderate threat
Infected files detected
c:\program files\realvnc\vncviewer.exe
c:\program files\realvnc\unins000.dat
c:\program files\realvnc\unins000.exe
JW Notes: I don't know if anyone is using these VNC products as trojans or
spyware, but it's nice that MS flagged them.
E) Morpheus Adware Bundler
Details: Morpheus is a peer-to-peer file sharing program that installs spyware.
Morpheus also displays pop-up advertising.
Status: Ignored
Moderate threat
Infected files detected
C:\Program Files\Paltalk\BtHook.dll
JW Notes: PalTalk is ad-sponsored software. I've had this installed for more than 6
months. Ad-Aware and Spybot should have detected it.
F) eDonkey2000 Adware Bundler
Details: eDonkey2000 is a peer-to-peer file sharing program that installs with
adware and spyware such as Webhancer, Web Search Toolbar, and New.Net.
Status: Ignored
Low threat
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\DefaultIcon C:\Program
Files\emule\eMule.exe,1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell\open\command "C:\Program
Files\emule\eMule.exe" "%1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k URL: ed2k Protocol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k URL Protocol
JW Notes: I think that this is a false positive. The MS tool just flagged the
ed2k registry entry, even though eMule (which, as far as I know, contains no
spyware) created it.
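The ed2k and .b3d detections above are class-registration keys (a URL protocol handler and a file-extension association), and the scanner flagged them by name without checking which program owns them. The following triage helper is an added example, not code from the post or from any of the tools named in it: it parses key/value lines in the flattened form the report uses, resolves the owning program from the shell\open\command value or the extension's ProgID, and compares it against a trusted-program set that is an assumption for this example. The sample lines are constructed from the entries quoted in the post.

```python
import ntpath
import re

# Constructed sample input: the flagged registry keys/values as the scanner
# reported them in the post, one "key [value]" per line.
SCAN_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\DefaultIcon C:\Program Files\emule\eMule.exe,1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell\open\command "C:\Program Files\emule\eMule.exe" "%1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k URL: ed2k Protocol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k URL Protocol
HKEY_CLASSES_ROOT\.b3d
HKEY_CLASSES_ROOT\.b3d IrfanView.b3d
"""

# Class registration root under either hive spelling, then the class name
# (".b3d" or "ed2k"), an optional subkey path and an optional value.
CLASS_KEY = re.compile(
    r"^(?:HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes|HKEY_CLASSES_ROOT)"
    r"\\(?P<cls>[^\\\s]+)(?:\\(?P<sub>\S+))?(?:\s+(?P<val>.*))?$",
    re.IGNORECASE,
)

def parse_class_entries(report: str) -> dict:
    """Group the flagged key/value lines by registered class name."""
    classes: dict = {}
    for line in report.splitlines():
        m = CLASS_KEY.match(line.strip())
        if not m:
            continue  # not a class-registration key; nothing to resolve here
        kind = "extension" if m["cls"].startswith(".") else "unknown"
        entry = classes.setdefault(m["cls"], {"kind": kind, "handler": None, "progid": None})
        sub, val = (m["sub"] or "").lower(), (m["val"] or "").strip()
        if sub == r"shell\open\command" and val:
            # The first quoted token (or first bare token) is the program that runs.
            exe = re.match(r'"([^"]+)"|(\S+)', val)
            entry["handler"] = exe.group(1) or exe.group(2)
        elif not sub and val.startswith("URL"):
            entry["kind"] = "protocol"  # "URL Protocol" marks a URL-scheme handler
        elif not sub and val and entry["kind"] == "extension":
            entry["progid"] = val  # default value of an extension key is its ProgID
    return classes

def triage(report: str, trusted_programs: set) -> dict:
    """Map each flagged class to (kind, owning program, verdict) for an analyst."""
    verdicts = {}
    for cls, entry in parse_class_entries(report).items():
        handler, progid = entry["handler"], entry["progid"] or ""
        owner = ntpath.basename(handler) if handler else progid.split(".")[0]
        verdict = "likely false positive" if owner.lower() in trusted_programs else "review"
        verdicts[cls] = (entry["kind"], owner, verdict)
    return verdicts

if __name__ == "__main__":
    for cls, (kind, owner, verdict) in triage(SCAN_OUTPUT, {"emule.exe", "irfanview"}).items():
        print(f"{cls}: {kind} association owned by {owner} -> {verdict}")
```

An association whose owner is not in the trusted set is left as "review" rather than judged, since a scanner hit on an unknown handler is exactly the case that needs a human look.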