Uniblue Spyeraser - Trustworthy?

[Walt Bilofsky]

Uniblue SpyEraser found a number of "threats" on my PC that were not
detected by any other program I tried. Is this a cause for concern?

I downloaded and ran the free (scan only) SpyEraser from
http://www.liutilities.com/products/spyeraser/ . It found a lot of
problems, and suggested that the product be purchased in order to
clean them up.

Among the threats it found were Screenspy, Mainpean Dialer, and
AdultLinks QABar. I scanned my system with Norton Anti-Virus 2006,
Spybot 1.3, and Ad-Aware SE Personal, and none of them found any of
these (or anything else worth worrying about). The Symantec web site
lists files and registry keys for these threats, none of which were
present on my PC.

SpyEraser also listed threats called NX Client, Viewpoint Media
Toolbar, TinTel dialer, and VX2. Symantec doesn't list any of these
as threats.

So - what's going on here?

P.S.: It wasn't so easy to uninstall SpyEraser, either. And when I
got the uninstall to run without errors, it left the program files on
the hard drive anyway.

[David H. Lipman]

From: "Walt Bilofsky" <bilofsky@toolworks.com>

| Uniblue SpyEraser found a number of "threats" on my PC that were not
| detected by any other program I tried. Is this a cause for concern?

| I downloaded and ran the free (scan only) SpyEraser from
| http://www.liutilities.com/products/spyeraser/ . It found a lot of
| problems, and suggested that the product be purchased in order to
| clean them up.

| Among the threats it found were Screenspy, Mainpean Dialer, and
| AdultLinks QABar. I scanned my system with Norton Anti-Virus 2006,
| Spybot 1.3, and Ad-Aware SE Personal, and none of them found any of
| these (or anything else worth worrying about). The Symantec web site
| lists files and registry keys for these threats, none of which were
| present on my PC.

| SpyEraser also listed threats called NX Client, Viewpoint Media
| Toolbar, TinTel dialer, and VX2. Symantec doesn't list any of these
| as threats.

| So - what's going on here?

P.S.:: It wasn't so easy to uninstall SpyEraser, either. And when I
| got the uninstall to run without errors, it left the program files on
| the hard drive anyway.

Symantec is not a good non-viral anti malware detector. Ad-aware SE and SpyBot S&D are.
However, you need to remove SpyBot S&D v1.4 and replace it with v1.4, then update it.

I haven't heard of SpyEraser and it isn't on the Rogue list on Spyware Warrior. The
installer also scans clean at Virus Total. However, it may be a new Rogue. One that
repoerts malware that isn't there and one that won't allow easy removal.

I suggest adding the following to Ad-aware and SpyBot
SuperAntiSpyware -- http://www.superantispyware.com/supe...freevspro.html

then perform the following...

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *




--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

[Walt Bilofsky]

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>From: "Walt Bilofsky" <bilofsky@toolworks.com>
>
>| Uniblue SpyEraser found a number of "threats" on my PC that were not
>| detected by any other program I tried. Is this a cause for concern?
>
>| I downloaded and ran the free (scan only) SpyEraser from
>| http://www.liutilities.com/products/spyeraser/ . It found a lot of
>| problems, and suggested that the product be purchased in order to
>| clean them up.
>
>| Among the threats it found were Screenspy, Mainpean Dialer, and
>| AdultLinks QABar. I scanned my system with Norton Anti-Virus 2006,
>| Spybot 1.3, and Ad-Aware SE Personal, and none of them found any of
>| these (or anything else worth worrying about). The Symantec web site
>| lists files and registry keys for these threats, none of which were
>| present on my PC.
>
>| SpyEraser also listed threats called NX Client, Viewpoint Media
>| Toolbar, TinTel dialer, and VX2. Symantec doesn't list any of these
>| as threats.
>
>| So - what's going on here?
>
>P.S.:: It wasn't so easy to uninstall SpyEraser, either. And when I
>| got the uninstall to run without errors, it left the program files on
>| the hard drive anyway.
>
>Symantec is not a good non-viral anti malware detector. Ad-aware SE and SpyBot S&D are.
>However, you need to remove SpyBot S&D v1.4 and replace it with v1.4, then update it.
>
>I haven't heard of SpyEraser and it isn't on the Rogue list on Spyware Warrior. The
>installer also scans clean at Virus Total. However, it may be a new Rogue. One that
>repoerts malware that isn't there and one that won't allow easy removal.
>
>I suggest adding the following to Ad-aware and SpyBot
>SuperAntiSpyware -- http://www.superantispyware.com/supe...freevspro.html
>
>then perform the following...
>
>Download MULTI_AV.EXE from the URL --
>http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
>To use this utility, perform the following...
>Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
>Choose; Unzip
>Choose; Close
>
>Execute; C:\AV-CLS\StartMenu.BAT
>{ or Double-click on 'Start Menu' in C:\AV-CLS }
>
>NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
>FireWall to allow it to download the needed AV vendor related files.
>
>C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
>This will bring up the initial menu of choices and should be executed in Normal Mode.
>This way all the components can be downloaded from each AV vendor's web site.
>The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
>
>You can choose to go to each menu item and just download the needed files or you can
>download the files and perform a scan in Normal Mode. Once you have downloaded the files
>needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
>during boot] and re-run the menu again and choose which scanner you want to run in Safe
>Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
>When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
>file. http://www.ik-cs.com/multi-av.htm
>
>Additional Instructions:
>http://pcdid.com/Multi_AV.htm
>
>
>* * * Please report back your results * * *

Thanks for your reply.

SuperAntiSpyware reported no problems. (Every program found tracking
cookies; I'm not considering them as problems for the purpose of these
reports.)

I downloaded all the scanners in Multi_AV. Sophos (in Normal Mode)
found a "virus fragment" in one of the folders in my mail program, and
without asking removed it, I know not where. Fortunately that
particular folder hadn't been changed since my weekly automatic
backup; if it had deleted my entire in-box I would have been peeved.
(Norton Anti-Virus is happy with that file so perhaps a fragment isn't
a virus. But I'll take advice on that.)

At that point I decided that the pursuit of further knowledge wasn't
worth running three more programs intended for use when a system is so
damaged that deleting the odd file without prompting is perfectly
acceptable. So I terminated the Sophos scan before it could find and
devour my backup file.

If any of the other three scanners prompts before deleting, I'll be
happy to give them a whirl.

Do you think I've seen enough to conclude that Uniblue Spyeraser is
reporting bogus infections? I do.

- Walt Bilofsky

[pcbutts1]

David's Multi_Avi does not prompt for deletion or even quarantines what it
finds it just deletes it. This is for all modules. Not only that but it is
very slow. This is very bad. They is no recourse for false positives or
legit files you may have on your system that you know about. I do not
recommend his program. I noticed the same thing you did last year sometime
when I was evaluating it. When I mentioned it to him he attacked me and
tried to have my website shutdown and my ISP shut me down. This same issue
was brought to his attention in another newsgroup just last week and he was
asked if he could fix it and his answer was a flat out No! It's a good thing
you have a backup.

--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker,David H. Lipman, Max M Wachtell III aka
What's in a Name?,Fitz,Rhonda Lea Kirk,Meat Plow, F Kwatu F, George Orwell



"Walt Bilofsky" <bilofsky@toolworks.com> wrote in message
news:usn3p2phes7h41k0d0oh22tcgepppdjn8e@4ax.com...
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:
>
>>From: "Walt Bilofsky" <bilofsky@toolworks.com>
>>
>>| Uniblue SpyEraser found a number of "threats" on my PC that were not
>>| detected by any other program I tried. Is this a cause for concern?
>>
>>| I downloaded and ran the free (scan only) SpyEraser from
>>| http://www.liutilities.com/products/spyeraser/ . It found a lot of
>>| problems, and suggested that the product be purchased in order to
>>| clean them up.
>>
>>| Among the threats it found were Screenspy, Mainpean Dialer, and
>>| AdultLinks QABar. I scanned my system with Norton Anti-Virus 2006,
>>| Spybot 1.3, and Ad-Aware SE Personal, and none of them found any of
>>| these (or anything else worth worrying about). The Symantec web site
>>| lists files and registry keys for these threats, none of which were
>>| present on my PC.
>>
>>| SpyEraser also listed threats called NX Client, Viewpoint Media
>>| Toolbar, TinTel dialer, and VX2. Symantec doesn't list any of these
>>| as threats.
>>
>>| So - what's going on here?
>>
>>P.S.:: It wasn't so easy to uninstall SpyEraser, either. And when I
>>| got the uninstall to run without errors, it left the program files on
>>| the hard drive anyway.
>>
>>Symantec is not a good non-viral anti malware detector. Ad-aware SE and
>>SpyBot S&D are.
>>However, you need to remove SpyBot S&D v1.4 and replace it with v1.4, then
>>update it.
>>
>>I haven't heard of SpyEraser and it isn't on the Rogue list on Spyware
>>Warrior. The
>>installer also scans clean at Virus Total. However, it may be a new
>>Rogue. One that
>>repoerts malware that isn't there and one that won't allow easy removal.
>>
>>I suggest adding the following to Ad-aware and SpyBot
>>SuperAntiSpyware --
>>http://www.superantispyware.com/supe...freevspro.html
>>
>>then perform the following...
>>
>>Download MULTI_AV.EXE from the URL --
>>http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>>
>>To use this utility, perform the following...
>>Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
>>Choose; Unzip
>>Choose; Close
>>
>>Execute; C:\AV-CLS\StartMenu.BAT
>>{ or Double-click on 'Start Menu' in C:\AV-CLS }
>>
>>NOTE: You may have to disable your software FireWall or allow WGET.EXE to
>>go through your
>>FireWall to allow it to download the needed AV vendor related files.
>>
>>C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
>>This will bring up the initial menu of choices and should be executed in
>>Normal Mode.
>>This way all the components can be downloaded from each AV vendor's web
>>site.
>>The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and
>>Reboot the PC.
>>
>>You can choose to go to each menu item and just download the needed files
>>or you can
>>download the files and perform a scan in Normal Mode. Once you have
>>downloaded the files
>>needed for each scanner you want to use, you should reboot the PC into
>>Safe Mode [F8 key
>>during boot] and re-run the menu again and choose which scanner you want
>>to run in Safe
>>Mode. It is suggested to run the scanners in both Safe Mode and Normal
>>Mode.
>>
>>When the menu is displayed hitting 'H' or 'h' will bring up a more
>>comprehensive PDF help
>>file. http://www.ik-cs.com/multi-av.htm
>>
>>Additional Instructions:
>>http://pcdid.com/Multi_AV.htm
>>
>>
>>* * * Please report back your results * * *
>
> Thanks for your reply.
>
> SuperAntiSpyware reported no problems. (Every program found tracking
> cookies; I'm not considering them as problems for the purpose of these
> reports.)
>
> I downloaded all the scanners in Multi_AV. Sophos (in Normal Mode)
> found a "virus fragment" in one of the folders in my mail program, and
> without asking removed it, I know not where. Fortunately that
> particular folder hadn't been changed since my weekly automatic
> backup; if it had deleted my entire in-box I would have been peeved.
> (Norton Anti-Virus is happy with that file so perhaps a fragment isn't
> a virus. But I'll take advice on that.)
>
> At that point I decided that the pursuit of further knowledge wasn't
> worth running three more programs intended for use when a system is so
> damaged that deleting the odd file without prompting is perfectly
> acceptable. So I terminated the Sophos scan before it could find and
> devour my backup file.
>
> If any of the other three scanners prompts before deleting, I'll be
> happy to give them a whirl.
>
> Do you think I've seen enough to conclude that Uniblue Spyeraser is
> reporting bogus infections? I do.
>
> - Walt Bilofsky

[David H. Lipman]

From: "Walt Bilofsky" <bilofsky@toolworks.com>



| Thanks for your reply.

| SuperAntiSpyware reported no problems. (Every program found tracking
| cookies; I'm not considering them as problems for the purpose of these
| reports.)

| I downloaded all the scanners in Multi_AV. Sophos (in Normal Mode)
| found a "virus fragment" in one of the folders in my mail program, and
| without asking removed it, I know not where. Fortunately that
| particular folder hadn't been changed since my weekly automatic
| backup; if it had deleted my entire in-box I would have been peeved.
| (Norton Anti-Virus is happy with that file so perhaps a fragment isn't
| a virus. But I'll take advice on that.)

| At that point I decided that the pursuit of further knowledge wasn't
| worth running three more programs intended for use when a system is so
| damaged that deleting the odd file without prompting is perfectly
| acceptable. So I terminated the Sophos scan before it could find and
| devour my backup file.

| If any of the other three scanners prompts before deleting, I'll be
| happy to give them a whirl.

| Do you think I've seen enough to conclude that Uniblue Spyeraser is
| reporting bogus infections? I do.

| - Walt Bilofsky

Walt:

If Sophos found and deleted "...found a "virus fragment" in one of the folders in my mail
program" Then it is highly likely that you did indeed hve a Trojan or virus in an email
message found by scanning "mime".

The Sophos log can be more definitive; C:\AV-CLS\Sophos\ScanReport.txt

BTW: A toggle switch in the menu that can go between 'malware rename' and 'malware delete'
modes is still in development. That version is not ready for release.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

[Nick Skrepetos]

Walt Bilofsky wrote:
> Uniblue SpyEraser found a number of "threats" on my PC that were not
> detected by any other program I tried. Is this a cause for concern?
>
> I downloaded and ran the free (scan only) SpyEraser from
> http://www.liutilities.com/products/spyeraser/ . It found a lot of
> problems, and suggested that the product be purchased in order to
> clean them up.
>
> Among the threats it found were Screenspy, Mainpean Dialer, and
> AdultLinks QABar. I scanned my system with Norton Anti-Virus 2006,
> Spybot 1.3, and Ad-Aware SE Personal, and none of them found any of
> these (or anything else worth worrying about). The Symantec web site
> lists files and registry keys for these threats, none of which were
> present on my PC.
>
> SpyEraser also listed threats called NX Client, Viewpoint Media
> Toolbar, TinTel dialer, and VX2. Symantec doesn't list any of these
> as threats.
>
> So - what's going on here?
>
> P.S.: It wasn't so easy to uninstall SpyEraser, either. And when I
> got the uninstall to run without errors, it left the program files on
> the hard drive anyway.

I am going to reserve official comment here - I would be interested in
seeing the LOG of EXACTLY what was detected. Can you post that here?

Nick Skrepetos
SUPERAntiSpyware.com
http://www.superantispyware.com

[Walt Bilofsky]

"Nick Skrepetos" <nskrepetos@yahoo.com> wrote:

>
>Walt Bilofsky wrote:
>> Uniblue SpyEraser found a number of "threats" on my PC that were not
>> detected by any other program I tried. Is this a cause for concern?
>>
>> I downloaded and ran the free (scan only) SpyEraser from
>> http://www.liutilities.com/products/spyeraser/ . It found a lot of
>> problems, and suggested that the product be purchased in order to
>> clean them up.
>>
>> Among the threats it found were Screenspy, Mainpean Dialer, and
>> AdultLinks QABar. I scanned my system with Norton Anti-Virus 2006,
>> Spybot 1.3, and Ad-Aware SE Personal, and none of them found any of
>> these (or anything else worth worrying about). The Symantec web site
>> lists files and registry keys for these threats, none of which were
>> present on my PC.
>>
>> SpyEraser also listed threats called NX Client, Viewpoint Media
>> Toolbar, TinTel dialer, and VX2. Symantec doesn't list any of these
>> as threats.
>>
>> So - what's going on here?
>>
>> P.S.: It wasn't so easy to uninstall SpyEraser, either. And when I
>> got the uninstall to run without errors, it left the program files on
>> the hard drive anyway.
>
>I am going to reserve official comment here - I would be interested in
>seeing the LOG of EXACTLY what was detected. Can you post that here?
>
>Nick Skrepetos
>SUPERAntiSpyware.com
>http://www.superantispyware.com

Sounds sensible, Nick.

The log (omitting tracking cookies) is below, with my comments in
brackets. Hope this is helpful.

- Walt

==================

Start Dateecember 26, 2006 at 09:28:03 PM

End Dateecember 26, 2006 at 09:32:55 PM

Total Time:4 Mins 52 Secs

Detected Threats

NX Client
Details: NoMachine is useful for remote access and terminal services
and is installed in companies such as HP, Google, IBM, Siemens,
Motorola, SAP, Philips Semiconductors, Nokia, Verisign, VMWare,
Novell, Symbio Technologies, Trolltech, Toshiba Electronics Europe,
AXA Technology Services etc.
Status:No Action taken
Remote Control Software-Remote Control Software

Infected registry keys/values detected
hkey_local_machine\software\cygnus solutions\cygwin\program
options\\
hkey_local_machine\software\cygnus solutions\cygwin\mounts
v2\\
hkey_local_machine\software\cygnus solutions\\

[ WALT: These keys are there, but the only values in them are the
pathnames for my Cygwin directories, and one flag bit.]

Tintel
Details: Tintel is a program which makes long-distance phone calls or
calls to 900 and 976 phone numbers without user’s knowledge. To
connect, the computer must be connected to a phone line via a standard
modem or ADSL. Cable or satellite users and users on network or behind
a firewall are generally not affected. Tintel allows
subscription-based websites to charge subscribers by billing the
user's phone line.
Status:No Action taken
Dialer-Dialer

Infected registry keys/values detected
hkey_classes_root\.tcw\\

[WALT: This registry key assigns the extension .tcw to Turbo Cad Win
2.]

ScreenSpy
Details: ScreenSpy is a type of RAT spyware. Remote Administration
Tool provides a complete control over the machine and it could be used
for malicious purposes. It also tries to manipulate machine through a
remote location on the internet. There are two types of components:
one is on target machine and answer all the remote commands and second
application that is used by the attacker to track the server
applications.
Status:No Action taken
Key Logger-Key Logger

Infected registry keys/values detected

hkey_current_user\software\classes\clsid\{1efb6596-857c-11d1-b16a-00c0f0283628}\
inprocserver32\\

VX2
Details: VX2 is a Browser Helper Object for InternetExplorer. It
monitors web pages requested and data entered into forms and sends
this information to its home server. It then displays pop-up
advertisement windows based on the information. It can update itself
and install other software. There are two variants of this parasite
with different file and internal names, but both work identically. It
also shares IE's memory context and has the capability to perform any
action on the available windows and modules.
Status:No Action taken
Browser Helper-Browser Helper

Infected registry keys/values detected
hkey_local_machine\software\vendor

[WALT: The value of the key "vendor" is "Dell", the manufacturer of my
PC.]

MainPean Dialer
Details: MainPean Dialer is a program which makes long-distance phone
calls or calls to 900 and 976 phone numbers without user’s knowledge.
To connect, the computer must be connected to a phone line via a
standard modem or ADSL. Cable or satellite users and users on network
or behind a firewall are not affected.
Status:No Action taken
Dialer-Dialer

Infected registry keys/values detected
hkey_current_user\software\freeware\\

[WALT: This key contains a subtree of keys for the freeware program
VirtualDub.]

NJStar
Details: NJStar Asian Explorer is a FREE web browser created for
reading Chinese, Japanese and Korean (CJK) web pages with intelligent
NJStar CJK auto-detection technologies just like Microsoft Internet
Explorer or Netscape. It gives a tension free CJK web surfing
experience. Its use is in conjunction with the best-selling NJStar
Communicator and it allow us to view, input and save CJK web pages
with unprecedented control and ease.
Status:No Action taken
Adware-Adware

Infected registry keys/values detected
hkey_current_user\software\njstar\\

[WALT: This browser helper is cited as Adware around the web. I
installed the software for its Chinese keyboard input.]

AdultLinks.QBar
Details: AdultLinks QaBar combines links to porn and other sites to
the Internet Explorer Favorite menu.It is also known as adware that
shows what third-party is advertising on his computer. Ads could of
various forms like, pop-ups, pop-unders, banners, or links embedded
within web pages or parts of the Windows interface. Adware also helps
in keeping track of browsing habits so that a record could be kept
with the user.
Status:No Action taken
Browser Plugin-Browser Plugin

Infected files detected
c:\windows\downloaded program files\conflict.1\lssupctl.dll
c:\windows\downloaded program files\conflict.1\lssupctl.inf
c:\windows\downloaded program files\conflict.1\sdclicense.txt
c:\windows\downloaded program files\conflict.1\symadata.dll
c:\windows\downloaded program files\conflict.1\tgctlsi.dll
c:\windows\downloaded program files\conflict.1\tgctlsi.inf
c:\windows\downloaded program files\conflict.1\tgctlsr.dll
c:\windows\downloaded program files\conflict.1\tgctlsr.inf
Infected directories detected
c:\windows\downloaded program files\conflict.1

[WALT: tgctlst.inf starts off:
;SprtName=SupportSoft ScriptRunner Control
;SprtXpiName=SupportSoft ScriptRunner
;SprtJarName=SupportSoft/ScriptRunner
;SprtEmbedType=application/x-SupportSoft-ScriptRunner-Plugin

I see an LsSupCtl.dll but no matching inf file. sdclicense.txt is a
license from support.com.]

[Nick Skrepetos]

Walt Bilofsky wrote:
> "Nick Skrepetos" <nskrepetos@yahoo.com> wrote:
>
> >
> >Walt Bilofsky wrote:
> >> Uniblue SpyEraser found a number of "threats" on my PC that were not
> >> detected by any other program I tried. Is this a cause for concern?
> >>
> >> I downloaded and ran the free (scan only) SpyEraser from
> >> http://www.liutilities.com/products/spyeraser/ . It found a lot of
> >> problems, and suggested that the product be purchased in order to
> >> clean them up.
> >>
> >> Among the threats it found were Screenspy, Mainpean Dialer, and
> >> AdultLinks QABar. I scanned my system with Norton Anti-Virus 2006,
> >> Spybot 1.3, and Ad-Aware SE Personal, and none of them found any of
> >> these (or anything else worth worrying about). The Symantec web site
> >> lists files and registry keys for these threats, none of which were
> >> present on my PC.
> >>
> >> SpyEraser also listed threats called NX Client, Viewpoint Media
> >> Toolbar, TinTel dialer, and VX2. Symantec doesn't list any of these
> >> as threats.
> >>
> >> So - what's going on here?
> >>
> >> P.S.: It wasn't so easy to uninstall SpyEraser, either. And when I
> >> got the uninstall to run without errors, it left the program files on
> >> the hard drive anyway.
> >
> >I am going to reserve official comment here - I would be interested in
> >seeing the LOG of EXACTLY what was detected. Can you post that here?
> >
> >Nick Skrepetos
> >SUPERAntiSpyware.com
> >http://www.superantispyware.com
>
> Sounds sensible, Nick.
>
> The log (omitting tracking cookies) is below, with my comments in
> brackets. Hope this is helpful.
>
> - Walt
>
> ==================
>
> Start Dateecember 26, 2006 at 09:28:03 PM
>
> End Dateecember 26, 2006 at 09:32:55 PM
>
> Total Time:4 Mins 52 Secs
>
> Detected Threats
>
> NX Client
> Details: NoMachine is useful for remote access and terminal services
> and is installed in companies such as HP, Google, IBM, Siemens,
> Motorola, SAP, Philips Semiconductors, Nokia, Verisign, VMWare,
> Novell, Symbio Technologies, Trolltech, Toshiba Electronics Europe,
> AXA Technology Services etc.
> Status:No Action taken
> Remote Control Software-Remote Control Software
>
> Infected registry keys/values detected
> hkey_local_machine\software\cygnus solutions\cygwin\program
> options\\
> hkey_local_machine\software\cygnus solutions\cygwin\mounts
> v2\\
> hkey_local_machine\software\cygnus solutions\\
>
> [ WALT: These keys are there, but the only values in them are the
> pathnames for my Cygwin directories, and one flag bit.]
>
> Tintel
> Details: Tintel is a program which makes long-distance phone calls or
> calls to 900 and 976 phone numbers without user's knowledge. To
> connect, the computer must be connected to a phone line via a standard
> modem or ADSL. Cable or satellite users and users on network or behind
> a firewall are generally not affected. Tintel allows
> subscription-based websites to charge subscribers by billing the
> user's phone line.
> Status:No Action taken
> Dialer-Dialer
>
> Infected registry keys/values detected
> hkey_classes_root\.tcw\\
>
> [WALT: This registry key assigns the extension .tcw to Turbo Cad Win
> 2.]
>
> ScreenSpy
> Details: ScreenSpy is a type of RAT spyware. Remote Administration
> Tool provides a complete control over the machine and it could be used
> for malicious purposes. It also tries to manipulate machine through a
> remote location on the internet. There are two types of components:
> one is on target machine and answer all the remote commands and second
> application that is used by the attacker to track the server
> applications.
> Status:No Action taken
> Key Logger-Key Logger
>
> Infected registry keys/values detected
>
> hkey_current_user\software\classes\clsid\{1efb6596-857c-11d1-b16a-00c0f0283628}\
> inprocserver32\\
>
> VX2
> Details: VX2 is a Browser Helper Object for InternetExplorer. It
> monitors web pages requested and data entered into forms and sends
> this information to its home server. It then displays pop-up
> advertisement windows based on the information. It can update itself
> and install other software. There are two variants of this parasite
> with different file and internal names, but both work identically. It
> also shares IE's memory context and has the capability to perform any
> action on the available windows and modules.
> Status:No Action taken
> Browser Helper-Browser Helper
>
> Infected registry keys/values detected
> hkey_local_machine\software\vendor
>
> [WALT: The value of the key "vendor" is "Dell", the manufacturer of my
> PC.]
>
> MainPean Dialer
> Details: MainPean Dialer is a program which makes long-distance phone
> calls or calls to 900 and 976 phone numbers without user's knowledge.
> To connect, the computer must be connected to a phone line via a
> standard modem or ADSL. Cable or satellite users and users on network
> or behind a firewall are not affected.
> Status:No Action taken
> Dialer-Dialer
>
> Infected registry keys/values detected
> hkey_current_user\software\freeware\\
>
> [WALT: This key contains a subtree of keys for the freeware program
> VirtualDub.]
>
> NJStar
> Details: NJStar Asian Explorer is a FREE web browser created for
> reading Chinese, Japanese and Korean (CJK) web pages with intelligent
> NJStar CJK auto-detection technologies just like Microsoft Internet
> Explorer or Netscape. It gives a tension free CJK web surfing
> experience. Its use is in conjunction with the best-selling NJStar
> Communicator and it allow us to view, input and save CJK web pages
> with unprecedented control and ease.
> Status:No Action taken
> Adware-Adware
>
> Infected registry keys/values detected
> hkey_current_user\software\njstar\\
>
> [WALT: This browser helper is cited as Adware around the web. I
> installed the software for its Chinese keyboard input.]
>
> AdultLinks.QBar
> Details: AdultLinks QaBar combines links to porn and other sites to
> the Internet Explorer Favorite menu.It is also known as adware that
> shows what third-party is advertising on his computer. Ads could of
> various forms like, pop-ups, pop-unders, banners, or links embedded
> within web pages or parts of the Windows interface. Adware also helps
> in keeping track of browsing habits so that a record could be kept
> with the user.
> Status:No Action taken
> Browser Plugin-Browser Plugin
>
> Infected files detected
> c:\windows\downloaded program files\conflict.1\lssupctl.dll
> c:\windows\downloaded program files\conflict.1\lssupctl.inf
> c:\windows\downloaded program files\conflict.1\sdclicense.txt
> c:\windows\downloaded program files\conflict.1\symadata.dll
> c:\windows\downloaded program files\conflict.1\tgctlsi.dll
> c:\windows\downloaded program files\conflict.1\tgctlsi.inf
> c:\windows\downloaded program files\conflict.1\tgctlsr.dll
> c:\windows\downloaded program files\conflict.1\tgctlsr.inf
> Infected directories detected
> c:\windows\downloaded program files\conflict.1
>
> [WALT: tgctlst.inf starts off:
> ;SprtName=SupportSoft ScriptRunner Control
> ;SprtXpiName=SupportSoft ScriptRunner
> ;SprtJarName=SupportSoft/ScriptRunner
> ;SprtEmbedType=application/x-SupportSoft-ScriptRunner-Plugin
>
> I see an LsSupCtl.dll but no matching inf file. sdclicense.txt is a
> license from support.com.]

Walt - much as I suspected - a whole bunch of what appear to be false
positives. That's quite a few on single non-infected system. SpyEraser
was detecting SUPERAntiSpyware as a "rogue" product - they corrected
that as soon as I found out about the detection.

Nick Skrepetos
SUPERAntiSpyware.com
http://www.superantispyware.com

[Walt Bilofsky]

"Nick Skrepetos" <nskrepetos@yahoo.com> wrote:

>
>Walt Bilofsky wrote:
>> "Nick Skrepetos" <nskrepetos@yahoo.com> wrote:
>>
>> >
>> >Walt Bilofsky wrote:
>> >> Uniblue SpyEraser found a number of "threats" on my PC that were not
>> >> detected by any other program I tried. Is this a cause for concern?
>> >>
>> >> I downloaded and ran the free (scan only) SpyEraser from
>> >> http://www.liutilities.com/products/spyeraser/ . It found a lot of
>> >> problems, and suggested that the product be purchased in order to
>> >> clean them up.
>> >>
>> >> Among the threats it found were Screenspy, Mainpean Dialer, and
>> >> AdultLinks QABar. I scanned my system with Norton Anti-Virus 2006,
>> >> Spybot 1.3, and Ad-Aware SE Personal, and none of them found any of
>> >> these (or anything else worth worrying about). The Symantec web site
>> >> lists files and registry keys for these threats, none of which were
>> >> present on my PC.
>> >>
>> >> SpyEraser also listed threats called NX Client, Viewpoint Media
>> >> Toolbar, TinTel dialer, and VX2. Symantec doesn't list any of these
>> >> as threats.
>> >>
>> >> So - what's going on here?
>> >>
>> >> P.S.: It wasn't so easy to uninstall SpyEraser, either. And when I
>> >> got the uninstall to run without errors, it left the program files on
>> >> the hard drive anyway.
>> >
>> >I am going to reserve official comment here - I would be interested in
>> >seeing the LOG of EXACTLY what was detected. Can you post that here?
>> >
>> >Nick Skrepetos
>> >SUPERAntiSpyware.com
>> >http://www.superantispyware.com
>>
>> Sounds sensible, Nick.
>>
>> The log (omitting tracking cookies) is below, with my comments in
>> brackets. Hope this is helpful.
>>
>> - Walt
>>
>> ==================
>>
>> Start Dateecember 26, 2006 at 09:28:03 PM
>>
>> End Dateecember 26, 2006 at 09:32:55 PM
>>
>> Total Time:4 Mins 52 Secs
>>
>> Detected Threats
>>
>> NX Client
>> Details: NoMachine is useful for remote access and terminal services
>> and is installed in companies such as HP, Google, IBM, Siemens,
>> Motorola, SAP, Philips Semiconductors, Nokia, Verisign, VMWare,
>> Novell, Symbio Technologies, Trolltech, Toshiba Electronics Europe,
>> AXA Technology Services etc.
>> Status:No Action taken
>> Remote Control Software-Remote Control Software
>>
>> Infected registry keys/values detected
>> hkey_local_machine\software\cygnus solutions\cygwin\program
>> options\\
>> hkey_local_machine\software\cygnus solutions\cygwin\mounts
>> v2\\
>> hkey_local_machine\software\cygnus solutions\\
>>
>> [ WALT: These keys are there, but the only values in them are the
>> pathnames for my Cygwin directories, and one flag bit.]
>>
>> Tintel
>> Details: Tintel is a program which makes long-distance phone calls or
>> calls to 900 and 976 phone numbers without user's knowledge. To
>> connect, the computer must be connected to a phone line via a standard
>> modem or ADSL. Cable or satellite users and users on network or behind
>> a firewall are generally not affected. Tintel allows
>> subscription-based websites to charge subscribers by billing the
>> user's phone line.
>> Status:No Action taken
>> Dialer-Dialer
>>
>> Infected registry keys/values detected
>> hkey_classes_root\.tcw\\
>>
>> [WALT: This registry key assigns the extension .tcw to Turbo Cad Win
>> 2.]
>>
>> ScreenSpy
>> Details: ScreenSpy is a type of RAT spyware. Remote Administration
>> Tool provides a complete control over the machine and it could be used
>> for malicious purposes. It also tries to manipulate machine through a
>> remote location on the internet. There are two types of components:
>> one is on target machine and answer all the remote commands and second
>> application that is used by the attacker to track the server
>> applications.
>> Status:No Action taken
>> Key Logger-Key Logger
>>
>> Infected registry keys/values detected
>>
>> hkey_current_user\software\classes\clsid\{1efb6596-857c-11d1-b16a-00c0f0283628}\
>> inprocserver32\\
>>
>> VX2
>> Details: VX2 is a Browser Helper Object for InternetExplorer. It
>> monitors web pages requested and data entered into forms and sends
>> this information to its home server. It then displays pop-up
>> advertisement windows based on the information. It can update itself
>> and install other software. There are two variants of this parasite
>> with different file and internal names, but both work identically. It
>> also shares IE's memory context and has the capability to perform any
>> action on the available windows and modules.
>> Status:No Action taken
>> Browser Helper-Browser Helper
>>
>> Infected registry keys/values detected
>> hkey_local_machine\software\vendor
>>
>> [WALT: The value of the key "vendor" is "Dell", the manufacturer of my
>> PC.]
>>
>> MainPean Dialer
>> Details: MainPean Dialer is a program which makes long-distance phone
>> calls or calls to 900 and 976 phone numbers without user's knowledge.
>> To connect, the computer must be connected to a phone line via a
>> standard modem or ADSL. Cable or satellite users and users on network
>> or behind a firewall are not affected.
>> Status:No Action taken
>> Dialer-Dialer
>>
>> Infected registry keys/values detected
>> hkey_current_user\software\freeware\\
>>
>> [WALT: This key contains a subtree of keys for the freeware program
>> VirtualDub.]
>>
>> NJStar
>> Details: NJStar Asian Explorer is a FREE web browser created for
>> reading Chinese, Japanese and Korean (CJK) web pages with intelligent
>> NJStar CJK auto-detection technologies just like Microsoft Internet
>> Explorer or Netscape. It gives a tension free CJK web surfing
>> experience. Its use is in conjunction with the best-selling NJStar
>> Communicator and it allow us to view, input and save CJK web pages
>> with unprecedented control and ease.
>> Status:No Action taken
>> Adware-Adware
>>
>> Infected registry keys/values detected
>> hkey_current_user\software\njstar\\
>>
>> [WALT: This browser helper is cited as Adware around the web. I
>> installed the software for its Chinese keyboard input.]
>>
>> AdultLinks.QBar
>> Details: AdultLinks QaBar combines links to porn and other sites to
>> the Internet Explorer Favorite menu.It is also known as adware that
>> shows what third-party is advertising on his computer. Ads could of
>> various forms like, pop-ups, pop-unders, banners, or links embedded
>> within web pages or parts of the Windows interface. Adware also helps
>> in keeping track of browsing habits so that a record could be kept
>> with the user.
>> Status:No Action taken
>> Browser Plugin-Browser Plugin
>>
>> Infected files detected
>> c:\windows\downloaded program files\conflict.1\lssupctl.dll
>> c:\windows\downloaded program files\conflict.1\lssupctl.inf
>> c:\windows\downloaded program files\conflict.1\sdclicense.txt
>> c:\windows\downloaded program files\conflict.1\symadata.dll
>> c:\windows\downloaded program files\conflict.1\tgctlsi.dll
>> c:\windows\downloaded program files\conflict.1\tgctlsi.inf
>> c:\windows\downloaded program files\conflict.1\tgctlsr.dll
>> c:\windows\downloaded program files\conflict.1\tgctlsr.inf
>> Infected directories detected
>> c:\windows\downloaded program files\conflict.1
>>
>> [WALT: tgctlst.inf starts off:
>> ;SprtName=SupportSoft ScriptRunner Control
>> ;SprtXpiName=SupportSoft ScriptRunner
>> ;SprtJarName=SupportSoft/ScriptRunner
>> ;SprtEmbedType=application/x-SupportSoft-ScriptRunner-Plugin
>>
>> I see an LsSupCtl.dll but no matching inf file. sdclicense.txt is a
>> license from support.com.]
>
>Walt - much as I suspected - a whole bunch of what appear to be false
>positives. That's quite a few on single non-infected system. SpyEraser
>was detecting SUPERAntiSpyware as a "rogue" product - they corrected
>that as soon as I found out about the detection.
>
>Nick Skrepetos
>SUPERAntiSpyware.com
>http://www.superantispyware.com

Thanks, Nick.

I am no expert on anti spyware - perhaps an intelligent though not
knowledgeable consumer. And it's hard to impute motivation rather
than a lack of diligence, especially when the cost of a false negative
is much higher than a false positive.

Nevertheless, I think an average computer user would have seen the
results SpyEraser gave, and rushed in a panic to buy the full version
that does cleanup. This would be lucrative for the manufacturer.

And I wonder if any of my programs would have stopped working had I
purchased the full version of SpyEraser and asked it to remove all the
"spyware" from my system.

- Walt

[Dustin Cook]

Walt Bilofsky <bilofsky@toolworks.com> wrote in
news:c385p2hu5dcptgvcujuu0cvhhcigiuc49u@4ax.com:

> "Nick Skrepetos" <nskrepetos@yahoo.com> wrote:
>
>>
>>Walt Bilofsky wrote:
>>> "Nick Skrepetos" <nskrepetos@yahoo.com> wrote:
>>>
>>> >
>>> >Walt Bilofsky wrote:
>>> >> Uniblue SpyEraser found a number of "threats" on my PC that were
>>> >> not detected by any other program I tried. Is this a cause for
>>> >> concern?
>>> >>
>>> >> I downloaded and ran the free (scan only) SpyEraser from
>>> >> http://www.liutilities.com/products/spyeraser/ . It found a lot
>>> >> of problems, and suggested that the product be purchased in order
>>> >> to clean them up.
>>> >>
>>> >> Among the threats it found were Screenspy, Mainpean Dialer, and
>>> >> AdultLinks QABar. I scanned my system with Norton Anti-Virus
>>> >> 2006, Spybot 1.3, and Ad-Aware SE Personal, and none of them
>>> >> found any of these (or anything else worth worrying about). The
>>> >> Symantec web site lists files and registry keys for these
>>> >> threats, none of which were present on my PC.
>>> >>
>>> >> SpyEraser also listed threats called NX Client, Viewpoint Media
>>> >> Toolbar, TinTel dialer, and VX2. Symantec doesn't list any of
>>> >> these as threats.
>>> >>
>>> >> So - what's going on here?
>>> >>
>>> >> P.S.: It wasn't so easy to uninstall SpyEraser, either. And when
>>> >> I got the uninstall to run without errors, it left the program
>>> >> files on the hard drive anyway.
>>> >
>>> >I am going to reserve official comment here - I would be interested
>>> >in seeing the LOG of EXACTLY what was detected. Can you post that
>>> >here?
>>> >
>>> >Nick Skrepetos
>>> >SUPERAntiSpyware.com
>>> >http://www.superantispyware.com
>>>
>>> Sounds sensible, Nick.
>>>
>>> The log (omitting tracking cookies) is below, with my comments in
>>> brackets. Hope this is helpful.
>>>
>>> - Walt
>>>
>>> ==================
>>>
>>> Start Dateecember 26, 2006 at 09:28:03 PM
>>>
>>> End Dateecember 26, 2006 at 09:32:55 PM
>>>
>>> Total Time:4 Mins 52 Secs
>>>
>>> Detected Threats
>>>
>>> NX Client
>>> Details: NoMachine is useful for remote access and terminal services
>>> and is installed in companies such as HP, Google, IBM, Siemens,
>>> Motorola, SAP, Philips Semiconductors, Nokia, Verisign, VMWare,
>>> Novell, Symbio Technologies, Trolltech, Toshiba Electronics Europe,
>>> AXA Technology Services etc.
>>> Status:No Action taken
>>> Remote Control Software-Remote Control Software
>>>
>>> Infected registry keys/values detected
>>> hkey_local_machine\software\cygnus solutions\cygwin\program
>>> options\\
>>> hkey_local_machine\software\cygnus solutions\cygwin\mounts
>>> v2\\
>>> hkey_local_machine\software\cygnus solutions\\
>>>
>>> [ WALT: These keys are there, but the only values in them are the
>>> pathnames for my Cygwin directories, and one flag bit.]
>>>
>>> Tintel
>>> Details: Tintel is a program which makes long-distance phone calls
>>> or calls to 900 and 976 phone numbers without user's knowledge. To
>>> connect, the computer must be connected to a phone line via a
>>> standard modem or ADSL. Cable or satellite users and users on
>>> network or behind a firewall are generally not affected. Tintel
>>> allows subscription-based websites to charge subscribers by billing
>>> the user's phone line.
>>> Status:No Action taken
>>> Dialer-Dialer
>>>
>>> Infected registry keys/values detected
>>> hkey_classes_root\.tcw\\
>>>
>>> [WALT: This registry key assigns the extension .tcw to Turbo Cad Win
>>> 2.]
>>>
>>> ScreenSpy
>>> Details: ScreenSpy is a type of RAT spyware. Remote Administration
>>> Tool provides a complete control over the machine and it could be
>>> used for malicious purposes. It also tries to manipulate machine
>>> through a remote location on the internet. There are two types of
>>> components: one is on target machine and answer all the remote
>>> commands and second application that is used by the attacker to
>>> track the server applications.
>>> Status:No Action taken
>>> Key Logger-Key Logger
>>>
>>> Infected registry keys/values detected
>>>
>>> hkey_current_user\software\classes\clsid\{1efb6596-857c-11d1-b16a-00c
>>> 0f0283628}\ inprocserver32\\
>>>
>>> VX2
>>> Details: VX2 is a Browser Helper Object for InternetExplorer. It
>>> monitors web pages requested and data entered into forms and sends
>>> this information to its home server. It then displays pop-up
>>> advertisement windows based on the information. It can update itself
>>> and install other software. There are two variants of this parasite
>>> with different file and internal names, but both work identically.
>>> It also shares IE's memory context and has the capability to perform
>>> any action on the available windows and modules.
>>> Status:No Action taken
>>> Browser Helper-Browser Helper
>>>
>>> Infected registry keys/values detected
>>> hkey_local_machine\software\vendor
>>>
>>> [WALT: The value of the key "vendor" is "Dell", the manufacturer of
>>> my PC.]
>>>
>>> MainPean Dialer
>>> Details: MainPean Dialer is a program which makes long-distance
>>> phone calls or calls to 900 and 976 phone numbers without user's
>>> knowledge. To connect, the computer must be connected to a phone
>>> line via a standard modem or ADSL. Cable or satellite users and
>>> users on network or behind a firewall are not affected.
>>> Status:No Action taken
>>> Dialer-Dialer
>>>
>>> Infected registry keys/values detected
>>> hkey_current_user\software\freeware\\
>>>
>>> [WALT: This key contains a subtree of keys for the freeware program
>>> VirtualDub.]
>>>
>>> NJStar
>>> Details: NJStar Asian Explorer is a FREE web browser created for
>>> reading Chinese, Japanese and Korean (CJK) web pages with
>>> intelligent NJStar CJK auto-detection technologies just like
>>> Microsoft Internet Explorer or Netscape. It gives a tension free CJK
>>> web surfing experience. Its use is in conjunction with the
>>> best-selling NJStar Communicator and it allow us to view, input and
>>> save CJK web pages with unprecedented control and ease.
>>> Status:No Action taken
>>> Adware-Adware
>>>
>>> Infected registry keys/values detected
>>> hkey_current_user\software\njstar\\
>>>
>>> [WALT: This browser helper is cited as Adware around the web. I
>>> installed the software for its Chinese keyboard input.]
>>>
>>> AdultLinks.QBar
>>> Details: AdultLinks QaBar combines links to porn and other sites to
>>> the Internet Explorer Favorite menu.It is also known as adware that
>>> shows what third-party is advertising on his computer. Ads could of
>>> various forms like, pop-ups, pop-unders, banners, or links embedded
>>> within web pages or parts of the Windows interface. Adware also
>>> helps in keeping track of browsing habits so that a record could be
>>> kept with the user.
>>> Status:No Action taken
>>> Browser Plugin-Browser Plugin
>>>
>>> Infected files detected
>>> c:\windows\downloaded program files\conflict.1\lssupctl.dll
>>> c:\windows\downloaded program files\conflict.1\lssupctl.inf
>>> c:\windows\downloaded program files\conflict.1\sdclicense.txt
>>> c:\windows\downloaded program files\conflict.1\symadata.dll
>>> c:\windows\downloaded program files\conflict.1\tgctlsi.dll
>>> c:\windows\downloaded program files\conflict.1\tgctlsi.inf
>>> c:\windows\downloaded program files\conflict.1\tgctlsr.dll
>>> c:\windows\downloaded program files\conflict.1\tgctlsr.inf
>>> Infected directories detected
>>> c:\windows\downloaded program files\conflict.1
>>>
>>> [WALT: tgctlst.inf starts off:
>>> ;SprtName=SupportSoft ScriptRunner Control
>>> ;SprtXpiName=SupportSoft ScriptRunner
>>> ;SprtJarName=SupportSoft/ScriptRunner
>>> ;SprtEmbedType=application/x-SupportSoft-ScriptRunner-Plugin
>>>
>>> I see an LsSupCtl.dll but no matching inf file. sdclicense.txt is a
>>> license from support.com.]
>>
>>Walt - much as I suspected - a whole bunch of what appear to be false
>>positives. That's quite a few on single non-infected system. SpyEraser
>>was detecting SUPERAntiSpyware as a "rogue" product - they corrected
>>that as soon as I found out about the detection.
>>
>>Nick Skrepetos
>>SUPERAntiSpyware.com
>>http://www.superantispyware.com
>
> Thanks, Nick.
>
> I am no expert on anti spyware - perhaps an intelligent though not
> knowledgeable consumer. And it's hard to impute motivation rather
> than a lack of diligence, especially when the cost of a false negative
> is much higher than a false positive.
>
> Nevertheless, I think an average computer user would have seen the
> results SpyEraser gave, and rushed in a panic to buy the full version
> that does cleanup. This would be lucrative for the manufacturer.
>
> And I wonder if any of my programs would have stopped working had I
> purchased the full version of SpyEraser and asked it to remove all the
> "spyware" from my system.
>
> - Walt
>

virtualdub wouldn't really appreciate the registry keys deleted..


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool -V2.0
web: http://bughunter.it-mate.co.uk
email: bughunter.dustin@gmail.com.removethis
Last updated: January 4th, 2007