"Nick Skrepetos" <nskrepetos@yahoo.com> wrote:

>
>Walt Bilofsky wrote:
>> Uniblue SpyEraser found a number of "threats" on my PC that were not
>> detected by any other program I tried. Is this a cause for concern?
>>
>> I downloaded and ran the free (scan only) SpyEraser from
>> http://www.liutilities.com/products/spyeraser/ . It found a lot of
>> problems, and suggested that the product be purchased in order to
>> clean them up.
>>
>> Among the threats it found were Screenspy, Mainpean Dialer, and
>> AdultLinks QABar. I scanned my system with Norton Anti-Virus 2006,
>> Spybot 1.3, and Ad-Aware SE Personal, and none of them found any of
>> these (or anything else worth worrying about). The Symantec web site
>> lists files and registry keys for these threats, none of which were
>> present on my PC.
>>
>> SpyEraser also listed threats called NX Client, Viewpoint Media
>> Toolbar, TinTel dialer, and VX2. Symantec doesn't list any of these
>> as threats.
>>
>> So - what's going on here?
>>
>> P.S.: It wasn't so easy to uninstall SpyEraser, either. And when I
>> got the uninstall to run without errors, it left the program files on
>> the hard drive anyway.

>
>I am going to reserve official comment here - I would be interested in
>seeing the LOG of EXACTLY what was detected. Can you post that here?
>
>Nick Skrepetos
>SUPERAntiSpyware.com
>http://www.superantispyware.com


Sounds sensible, Nick.

The log (omitting tracking cookies) is below, with my comments in
brackets. Hope this is helpful.

- Walt

==================

Start Date: December 26, 2006 at 09:28:03 PM

End Date: December 26, 2006 at 09:32:55 PM

Total Time:4 Mins 52 Secs

Detected Threats

NX Client
Details: NoMachine is useful for remote access and terminal services
and is installed in companies such as HP, Google, IBM, Siemens,
Motorola, SAP, Philips Semiconductors, Nokia, Verisign, VMWare,
Novell, Symbio Technologies, Trolltech, Toshiba Electronics Europe,
AXA Technology Services etc.
Status:No Action taken
Remote Control Software-Remote Control Software

Infected registry keys/values detected
hkey_local_machine\software\cygnus solutions\cygwin\program options\\
hkey_local_machine\software\cygnus solutions\cygwin\mounts v2\\
hkey_local_machine\software\cygnus solutions\\

[ WALT: These keys are there, but the only values in them are the
pathnames for my Cygwin directories, and one flag bit.]

Tintel
Details: Tintel is a program which makes long-distance phone calls or
calls to 900 and 976 phone numbers without user’s knowledge. To
connect, the computer must be connected to a phone line via a standard
modem or ADSL. Cable or satellite users and users on network or behind
a firewall are generally not affected. Tintel allows
subscription-based websites to charge subscribers by billing the
user's phone line.
Status:No Action taken
Dialer-Dialer

Infected registry keys/values detected
hkey_classes_root\.tcw\\

[WALT: This registry key assigns the extension .tcw to Turbo Cad Win
2.]

ScreenSpy
Details: ScreenSpy is a type of RAT spyware. Remote Administration
Tool provides a complete control over the machine and it could be used
for malicious purposes. It also tries to manipulate machine through a
remote location on the internet. There are two types of components:
one is on target machine and answer all the remote commands and second
application that is used by the attacker to track the server
applications.
Status:No Action taken
Key Logger-Key Logger

Infected registry keys/values detected

hkey_current_user\software\classes\clsid\{1efb6596-857c-11d1-b16a-00c0f0283628}\inprocserver32\\

VX2
Details: VX2 is a Browser Helper Object for InternetExplorer. It
monitors web pages requested and data entered into forms and sends
this information to its home server. It then displays pop-up
advertisement windows based on the information. It can update itself
and install other software. There are two variants of this parasite
with different file and internal names, but both work identically. It
also shares IE's memory context and has the capability to perform any
action on the available windows and modules.
Status:No Action taken
Browser Helper-Browser Helper

Infected registry keys/values detected
hkey_local_machine\software\vendor

[WALT: The value of the key "vendor" is "Dell", the manufacturer of my
PC.]

MainPean Dialer
Details: MainPean Dialer is a program which makes long-distance phone
calls or calls to 900 and 976 phone numbers without user’s knowledge.
To connect, the computer must be connected to a phone line via a
standard modem or ADSL. Cable or satellite users and users on network
or behind a firewall are not affected.
Status:No Action taken
Dialer-Dialer

Infected registry keys/values detected
hkey_current_user\software\freeware\\

[WALT: This key contains a subtree of keys for the freeware program
VirtualDub.]

NJStar
Details: NJStar Asian Explorer is a FREE web browser created for
reading Chinese, Japanese and Korean (CJK) web pages with intelligent
NJStar CJK auto-detection technologies just like Microsoft Internet
Explorer or Netscape. It gives a tension free CJK web surfing
experience. Its use is in conjunction with the best-selling NJStar
Communicator and it allow us to view, input and save CJK web pages
with unprecedented control and ease.
Status:No Action taken
Adware-Adware

Infected registry keys/values detected
hkey_current_user\software\njstar\\

[WALT: This browser helper is cited as Adware around the web. I
installed the software for its Chinese keyboard input.]

AdultLinks.QBar
Details: AdultLinks QaBar combines links to porn and other sites to
the Internet Explorer Favorite menu.It is also known as adware that
shows what third-party is advertising on his computer. Ads could of
various forms like, pop-ups, pop-unders, banners, or links embedded
within web pages or parts of the Windows interface. Adware also helps
in keeping track of browsing habits so that a record could be kept
with the user.
Status:No Action taken
Browser Plugin-Browser Plugin

Infected files detected
c:\windows\downloaded program files\conflict.1\lssupctl.dll
c:\windows\downloaded program files\conflict.1\lssupctl.inf
c:\windows\downloaded program files\conflict.1\sdclicense.txt
c:\windows\downloaded program files\conflict.1\symadata.dll
c:\windows\downloaded program files\conflict.1\tgctlsi.dll
c:\windows\downloaded program files\conflict.1\tgctlsi.inf
c:\windows\downloaded program files\conflict.1\tgctlsr.dll
c:\windows\downloaded program files\conflict.1\tgctlsr.inf
Infected directories detected
c:\windows\downloaded program files\conflict.1

[WALT: tgctlst.inf starts off:
;SprtName=SupportSoft ScriptRunner Control
;SprtXpiName=SupportSoft ScriptRunner
;SprtJarName=SupportSoft/ScriptRunner
;SprtEmbedType=application/x-SupportSoft-ScriptRunner-Plugin

I see an LsSupCtl.dll but no matching inf file. sdclicense.txt is a
license from support.com.]
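Walt's triage approach above (look at what each flagged key or file actually is before paying to "clean" it) can be done systematically. The following is an added example, not code from this thread or from any product named in it: it parses the SpyEraser log layout quoted above into records and flags registry detections that consist of nothing more than a bare vendor/product key as needing manual review. The sample log, the generic-key heuristic and the function names are my own assumptions.

```python
import re
# Constructed sample in the SpyEraser log layout quoted above (not a real scan).
SAMPLE_LOG = r"""VX2
Details: VX2 is a Browser Helper Object for InternetExplorer.
Status:No Action taken
Browser Helper-Browser Helper

Infected registry keys/values detected
hkey_local_machine\software\vendor

ScreenSpy
Details: ScreenSpy is a type of RAT spyware.
Status:No Action taken
Key Logger-Key Logger

Infected registry keys/values detected
hkey_current_user\software\classes\clsid\{1efb6596-857c-11d1-b16a-00c0f0283628}\inprocserver32\\
Infected files detected
c:\windows\downloaded program files\conflict.1\tgctlsi.dll
"""

HEADER = re.compile(r"^Infected (registry keys/values|files|directories) detected$")
# Assumed heuristic (not SpyEraser's): a bare vendor/product key right under HKxx\Software.
GENERIC_KEY = re.compile(r"^hkey_[a-z_]+\\software\\[^\\]+(\\[^\\]+)?$")

def parse_log(text):
    """Return [{name, status, category, artefacts: [(kind, path)]}] from a log."""
    dets, cur, section, kind = [], None, None, None
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        if not line:
            section = None                      # blank line closes an artefact list
        elif i + 1 < len(lines) and lines[i + 1].startswith("Details:"):
            cur = {"name": line, "status": "", "category": "", "artefacts": []}
            dets.append(cur)                    # a threat name always precedes "Details:"
        elif line.startswith("Status:"):
            cur["status"], section = line.split(":", 1)[1].strip(), "category"
        elif section == "category":             # e.g. "Key Logger-Key Logger"
            cur["category"], section = line.split("-")[0].strip(), None
        elif HEADER.match(line):
            kind, section = HEADER.match(line).group(1), "artefacts"
        elif section == "artefacts":            # one path per line; free text is skipped
            cur["artefacts"].append((kind, line.rstrip("\\").lower()))
    return dets

def weak_indicators(det):
    """Registry artefacts of one detection too generic to act on without a manual look."""
    return [p for k, p in det["artefacts"]
            if k == "registry keys/values" and GENERIC_KEY.match(p)]
```

Run against the full log from the post, the same heuristic would single out the Cygwin, Dell "vendor", "freeware" and NJStar keys, which is exactly the set Walt explained away by hand; the CLSID and the conflict.1 files are the entries that still deserve a closer look.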