Walt Bilofsky wrote:
> "Nick Skrepetos" <nskrepetos@yahoo.com> wrote:
>
> >
> >Walt Bilofsky wrote:
> >> Uniblue SpyEraser found a number of "threats" on my PC that were not
> >> detected by any other program I tried. Is this a cause for concern?
> >>
> >> I downloaded and ran the free (scan only) SpyEraser from
> >> http://www.liutilities.com/products/spyeraser/ . It found a lot of
> >> problems, and suggested that the product be purchased in order to
> >> clean them up.
> >>
> >> Among the threats it found were Screenspy, Mainpean Dialer, and
> >> AdultLinks QABar. I scanned my system with Norton Anti-Virus 2006,
> >> Spybot 1.3, and Ad-Aware SE Personal, and none of them found any of
> >> these (or anything else worth worrying about). The Symantec web site
> >> lists files and registry keys for these threats, none of which were
> >> present on my PC.
> >>
> >> SpyEraser also listed threats called NX Client, Viewpoint Media
> >> Toolbar, TinTel dialer, and VX2. Symantec doesn't list any of these
> >> as threats.
> >>
> >> So - what's going on here?
> >>
> >> P.S.: It wasn't so easy to uninstall SpyEraser, either. And when I
> >> got the uninstall to run without errors, it left the program files on
> >> the hard drive anyway.

> >
> >I am going to reserve official comment here - I would be interested in
> >seeing the LOG of EXACTLY what was detected. Can you post that here?
> >
> >Nick Skrepetos
> >SUPERAntiSpyware.com
> >http://www.superantispyware.com

>
> Sounds sensible, Nick.
>
> The log (omitting tracking cookies) is below, with my comments in
> brackets. Hope this is helpful.
>
> - Walt
>
> ==================
>
> Start Date:December 26, 2006 at 09:28:03 PM
>
> End Date:December 26, 2006 at 09:32:55 PM
>
> Total Time:4 Mins 52 Secs
>
> Detected Threats
>
> NX Client
> Details: NoMachine is useful for remote access and terminal services
> and is installed in companies such as HP, Google, IBM, Siemens,
> Motorola, SAP, Philips Semiconductors, Nokia, Verisign, VMWare,
> Novell, Symbio Technologies, Trolltech, Toshiba Electronics Europe,
> AXA Technology Services etc.
> Status:No Action taken
> Remote Control Software-Remote Control Software
>
> Infected registry keys/values detected
> hkey_local_machine\software\cygnus solutions\cygwin\program
> options\\
> hkey_local_machine\software\cygnus solutions\cygwin\mounts
> v2\\
> hkey_local_machine\software\cygnus solutions\\
>
> [ WALT: These keys are there, but the only values in them are the
> pathnames for my Cygwin directories, and one flag bit.]
>
> Tintel
> Details: Tintel is a program which makes long-distance phone calls or
> calls to 900 and 976 phone numbers without user's knowledge. To
> connect, the computer must be connected to a phone line via a standard
> modem or ADSL. Cable or satellite users and users on network or behind
> a firewall are generally not affected. Tintel allows
> subscription-based websites to charge subscribers by billing the
> user's phone line.
> Status:No Action taken
> Dialer-Dialer
>
> Infected registry keys/values detected
> hkey_classes_root\.tcw\\
>
> [WALT: This registry key assigns the extension .tcw to Turbo Cad Win
> 2.]
>
> ScreenSpy
> Details: ScreenSpy is a type of RAT spyware. Remote Administration
> Tool provides a complete control over the machine and it could be used
> for malicious purposes. It also tries to manipulate machine through a
> remote location on the internet. There are two types of components:
> one is on target machine and answer all the remote commands and second
> application that is used by the attacker to track the server
> applications.
> Status:No Action taken
> Key Logger-Key Logger
>
> Infected registry keys/values detected
>
> hkey_current_user\software\classes\clsid\{1efb6596-857c-11d1-b16a-00c0f0283628}\
> inprocserver32\\
>
> VX2
> Details: VX2 is a Browser Helper Object for InternetExplorer. It
> monitors web pages requested and data entered into forms and sends
> this information to its home server. It then displays pop-up
> advertisement windows based on the information. It can update itself
> and install other software. There are two variants of this parasite
> with different file and internal names, but both work identically. It
> also shares IE's memory context and has the capability to perform any
> action on the available windows and modules.
> Status:No Action taken
> Browser Helper-Browser Helper
>
> Infected registry keys/values detected
> hkey_local_machine\software\vendor
>
> [WALT: The value of the key "vendor" is "Dell", the manufacturer of my
> PC.]
>
> MainPean Dialer
> Details: MainPean Dialer is a program which makes long-distance phone
> calls or calls to 900 and 976 phone numbers without user's knowledge.
> To connect, the computer must be connected to a phone line via a
> standard modem or ADSL. Cable or satellite users and users on network
> or behind a firewall are not affected.
> Status:No Action taken
> Dialer-Dialer
>
> Infected registry keys/values detected
> hkey_current_user\software\freeware\\
>
> [WALT: This key contains a subtree of keys for the freeware program
> VirtualDub.]
>
> NJStar
> Details: NJStar Asian Explorer is a FREE web browser created for
> reading Chinese, Japanese and Korean (CJK) web pages with intelligent
> NJStar CJK auto-detection technologies just like Microsoft Internet
> Explorer or Netscape. It gives a tension free CJK web surfing
> experience. Its use is in conjunction with the best-selling NJStar
> Communicator and it allow us to view, input and save CJK web pages
> with unprecedented control and ease.
> Status:No Action taken
> Adware-Adware
>
> Infected registry keys/values detected
> hkey_current_user\software\njstar\\
>
> [WALT: This browser helper is cited as Adware around the web. I
> installed the software for its Chinese keyboard input.]
>
> AdultLinks.QBar
> Details: AdultLinks QaBar combines links to porn and other sites to
> the Internet Explorer Favorite menu. It is also known as adware that
> shows what third-party is advertising on his computer. Ads could of
> various forms like, pop-ups, pop-unders, banners, or links embedded
> within web pages or parts of the Windows interface. Adware also helps
> in keeping track of browsing habits so that a record could be kept
> with the user.
> Status:No Action taken
> Browser Plugin-Browser Plugin
>
> Infected files detected
> c:\windows\downloaded program files\conflict.1\lssupctl.dll
> c:\windows\downloaded program files\conflict.1\lssupctl.inf
> c:\windows\downloaded program files\conflict.1\sdclicense.txt
> c:\windows\downloaded program files\conflict.1\symadata.dll
> c:\windows\downloaded program files\conflict.1\tgctlsi.dll
> c:\windows\downloaded program files\conflict.1\tgctlsi.inf
> c:\windows\downloaded program files\conflict.1\tgctlsr.dll
> c:\windows\downloaded program files\conflict.1\tgctlsr.inf
> Infected directories detected
> c:\windows\downloaded program files\conflict.1
>
> [WALT: tgctlst.inf starts off:
> ;SprtName=SupportSoft ScriptRunner Control
> ;SprtXpiName=SupportSoft ScriptRunner
> ;SprtJarName=SupportSoft/ScriptRunner
> ;SprtEmbedType=application/x-SupportSoft-ScriptRunner-Plugin
>
> I see an LsSupCtl.dll but no matching inf file. sdclicense.txt is a
> license from support.com.]


Walt - much as I suspected - a whole bunch of what appear to be false
positives. That's quite a few on a single non-infected system. SpyEraser
was detecting SUPERAntiSpyware as a "rogue" product - they corrected
that as soon as I found out about the detection.

Nick Skrepetos
SUPERAntiSpyware.com
http://www.superantispyware.com
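As an added example (not code from the thread or from either product): a small Python parser for the log layout Walt pasted above, plus a triage step that marks a detection as a likely false positive only when every indicator it reports sits under a registry or file prefix the analyst already knows belongs to software they installed themselves. The sample log is constructed to mirror that layout, and the Cygwin prefix in `KNOWN_BENIGN` is an assumption taken from Walt's own notes.

```python
# Constructed sample in the SpyEraser log layout quoted above (not Walt's actual log).
SAMPLE_LOG = r"""NX Client
Details: NoMachine is useful for remote access
and terminal services.
Status:No Action taken
Remote Control Software-Remote Control Software

Infected registry keys/values detected
hkey_local_machine\software\cygnus solutions\cygwin\mounts v2\\
hkey_local_machine\software\cygnus solutions\\

AdultLinks.QBar
Status:No Action taken
Browser Plugin-Browser Plugin
Infected files detected
c:\windows\downloaded program files\conflict.1\tgctlsr.dll
"""
SECTIONS = {"Infected registry keys/values detected": "registry",
            "Infected files detected": "files", "Infected directories detected": "directories"}

def parse_log(text):
    # Returns one dict per detection; indicator paths keep the log's case, trailing '\' stripped.
    detections, cur, mode = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "Detected Threats":
            continue
        if line in SECTIONS:
            mode = SECTIONS[line]
        elif line.startswith("Details:"):
            cur["details"], mode = line.split(":", 1)[1].strip(), "details"
        elif line.startswith("Status:"):
            cur["status"], mode = line.split(":", 1)[1].strip(), "category"
        elif mode == "details":             # Details text wraps onto following lines
            cur["details"] += " " + line
        elif mode == "category":            # e.g. "Dialer-Dialer" -> "Dialer"
            cur["category"], mode = line.split("-", 1)[0], None
        elif mode in SECTIONS.values() and line.startswith(("hkey_", "c:\\")):
            cur[mode].append(line.rstrip("\\"))
        else:                               # any other line names a new detection
            cur, mode = dict(name=line, details="", status="", category="",
                             registry=[], files=[], directories=[]), None
            detections.append(cur)
    return detections

# Assumption: prefixes owned by software the analyst installed themselves (Cygwin, per Walt).
KNOWN_BENIGN = (r"hkey_local_machine\software\cygnus solutions",)

def verdict(detection, benign=KNOWN_BENIGN):
    # 'likely false positive' only when every reported indicator sits under a known prefix.
    hits = detection["registry"] + detection["files"] + detection["directories"]
    if not hits:
        return "no indicator reported"
    return "likely false positive" if all(h.startswith(benign) for h in hits) else "review manually"
```

A detection with no indicator at all (as several entries in the real log had) is reported separately, since there is nothing on disk or in the registry to verify against.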