7/7 and 2/4 False Pos. incl. Spybot, LANguard, VNC


Guest

On the first computer I tested, every single one of the 7
"spyware threats" detected was a false positive of some kind.

The file c:\program files\winfingerprint\uninst-wfp.exe is
not related to KaZaA - it's the uninstaller for
winfingerprint (http://winfingerprint.sourceforge.net/).
The default action was Ignore, so AntiSpyware Beta1 would
have left it alone, at least.

The supposed "StartNow Hyperbar" infection is actually
LANguard, which was legitimately installed. The LANguard
objects should NOT be listed as StartNow Hyperbar objects,
but should be listed *separately* as an Enabler, if at all.
The recommended action was Remove, which would have
permanently removed 4 registry entries for LANguard. The
four entries are located in
HKEY_LOCAL_MACHINE\SOFTWARE\cLASSES\clsid\{3f2bbc05-40df-11d2-9455-00104bc936ff}

What Beta1 detects as SearchSquire is NOT Adware; it's
Spybot - Search & Destroy's immunization AGAINST
SearchSquire. Two registry entries in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ (one was "searchsquire.com" and
the other was "searchsquire.com * 4"). Recommended action
was Remove, which action removed the IMMUNIZATION that
Spybot-S&D had made! (I verified this: After removing
these entries, Spybot had 1 protection disabled. I
reenabled it in Spybot, ran the Beta1 scan again, and it
was found again. I allowed Beta1 to remove it again. This
time I did not reimmunize with Spybot, and the Beta1 scan
came up clean.)

WinPCap ("Enabler") is legitimately installed, as is
RealVNC ("Commercial Remote Control"). Both were detected
as spyware threats, although the recommended action was
Ignore, as it should have been.

Beta1 called a "Host [sic] file redirection of 0.0.0.0
ads.auctions.yahoo.com" a "Possible Hosts File Hijack
(Spyware)". It's not a hijack, although I've seen Spybot
do similar things with ad-disabling hosts files. This
Hosts entry was installed by myself on purpose as part of
the ad-blocking hosts list from
http://someonewhocares.org/hosts/zero/ . The recommended
action was Remove, which simply would have allowed ads from
that site (not a big deal).

Finally, and this one is definitely grounds for a debate,
Beta1 detected "Kontiki (Browser Plug-in)" as a threat and
recommended to Quarantine it. This is backwards from what
the information in the right pane suggested; it said it was
not spyware, but strongly recommended that I read the EULA
for the software. There was no EULA in the Kontiki folder
(c:\program files\kontiki\) so I did a Web search for it.
I found something interesting. According to this page...

http://help.kontiki.com/enduser/group.jsp?node=1906

.... Ad-Aware and Spybot have listed Kontiki as spyware in
the past, but have since removed Kontiki from their lists
of detections. The page gives links to pages on the
Ad-Aware and Spybot sites to back up this claim. From the
Kontiki page:

"Note: If your anti-spyware program continues to list any
Kontiki programs as spyware, even though you have the
latest updates installed, please Notify Kontiki Support at
(e-mail address removed), and include the Name, version, and
release of the anti-spyware program. We will attempt to
find out why they have listed Kontiki programs as 'spyware'."

Also from the Kontiki page:

"The Delivery Manager does not do any of the things that
most adware and spyware applications are designed to do.

Things we don't do:

1. We do not track internet browsing.
2. We do not serve pop-up ads to users.
3. We do not have hidden 3rd party applications that are
installed with the Delivery Manager.
4. We do not hide the fact that the Delivery Manager is
running. (It appears in the Windows System Tray, even when
it is running in the background.)

Things we do:

1. We do provide many user configurable options so that
users can customize the behavior of the Delivery Manager.
2. We do allow users to completely uninstall the
Delivery Manager.
3. We do alert users before the Delivery Manager
installation process begins and require them to confirm
that they want to install the Delivery Manager.

The Delivery Manager improves the speed, efficiency,
reliability, and security of downloads. Our customers --
typically Fortune 1000 firms -- allow users to access
software or video files that, due to their large size,
would be very difficult to obtain reliably without the
Kontiki Delivery Manager."

If all that is true, why was GIANT still recommending that
it be Quarantined? Perhaps a future Microsoft beta should
address this issue in some way.

---

On another computer, Beta1 found 4 "spyware threats" and
two of them were false positives (RealVNC and Spybot's
SearchSquire immunization again). The other two were
actual positives: a folder related to GAIN Publishing (only
a folder - located at c:\documents and settings\all
users\start menu\programs\gain publishing; this was already
on the computer when it was purchased) and 24 KaZaA
registry items (this also came preinstalled on the
computer). The latest versions of Spybot, Ad-Aware,
Bazooka Scanner, and the demo of Spyware Doctor did not
find these 25 objects (perhaps because KaZaA itself is a
bundler and not necessarily detected as spyware, and the
GAIN thing is just a harmless folder).

I found a bug that occurs when one scrolls to the bottom of
the expanded scan results, and then hides the extended
results for the bottom item. When I did this the scroll
bar disappeared entirely, making it seemingly impossible to
go back to the top of the results list. I tried expanding
the bottom listing again, and the scroll bar reappeared.
Nevertheless, the bug should be fixed.

There are a lot of misspellings and grammatical errors in
the software. Some are in the information help bubbles
that appear when you click-and-hold on an object while
Beta1 is still scanning. I didn't get a chance to write
them down. In the post-scanning results there are also
typos. For example, when I click on KaZaA, the right pane
displays at the bottom of Adware Bundler: "In addition in
most cases if the adware is removed the software will seize
[sic] to function as well." It will *cease* to function,
not seize. Also, it is unnecessary to have both "In
addition" and "as well" in the sentence. I mentioned
another example in a previous paragraph: "Host [sic] file
redirection of 0.0.0.0 ads.auctions.yahoo.com" should be
"Hosts file ..." since the actual name of the file is
Hosts. There are a lot of little things like that
throughout the software. Not a bug, per se, but it looks
bad to have the Microsoft name on so many careless grammar
mistakes.

So for a total of 11 "threats" on two computers, I have yet
to see Beta1 discover any *real* spyware or adware, and if
I had selected the default options it would have
quarantined or removed many legitimate items. I keep both
computers pretty clean with a number of anti-spyware
tactics (Spybot, SpywareBlaster, and Spyware Doctor
immunizations, a Hosts file comprising hosts from several
sources, using Firefox instead of IE, etc.) so it is not a
major surprise that Beta1 didn't find anything harmful.
Guess I'll have to wait until someone brings me an infected
box before I can test Beta1's prowess against real threats. =)
 
(Same poster as the parent of this post.)

I scanned another computer that had been previously
infected by 2020Search, which Beta1 describes as a
Browser Plug-in. Ad-Aware and Spybot both claimed to
have removed 2020Search previously.

Before allowing Beta1 to fix anything I updated and
scanned with Spybot and Ad-Aware. Spybot reported that
no infections were found. Ad-Aware found some 2020Search
objects with its updated definitions. Below I'll compare
the results given by Beta1 and Ad-Aware:

Object:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2020SEARCHTB
Detected by: Beta1 and Ad-Aware

Object:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2020SEARCHTB
UninstallString regsvr32.exe -u -s C:\WINDOWS\2020search2.dll
Detected by: Beta1 and Ad-Aware

Object:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2020SEARCHTB
DisplayName Search2020
Detected by: Beta1 and Ad-Aware

Object: HKEY_CURRENT_USER\Software\Dynamic Toolbar\
Detected by: Beta1 and Ad-Aware
Note: Beta1 actually listed 8 objects *within* Dynamic
Toolbar, not the directory itself. Ad-Aware just listed
the directory, showing only 1 object (but removing the
directory would remove its contents, so it's functionally
the same in this case).

Object: HKEY_CURRENT_USER:software\microsoft\search assistant "DefaultSearchURL"
Detected by: Ad-Aware only (NOT found by Beta1)

Object: C:\WINDOWS\downloaded program files\2020Search.inf
Detected by: Ad-Aware only (NOT found by Beta1)

Object: Various cookies in IE Cache (tripod.com,
ads.x10.com, realmedia.com, bravenet.com, trafic.ro)
Detected by: Ad-Aware only (NOT found by Beta1)

SUMMARY: Ad-Aware found two 2020Search items that Beta1
didn't find and some cookies that Beta1 didn't detect.
Spybot didn't find anything at all.

Beta1 found VNC (default Ignore) and the Spybot
immunization for SearchSquire (default Remove) again.

It's noteworthy that this machine is immunized with
Spybot and SpywareBlaster. However, unlike the other 2
computers I have tested so far, this computer was not
immunized with the Spyware Doctor demo, and does not have
Firefox installed; IE is the only browser.
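The object-by-object comparison in the post above was done by hand. The following Python script is an added example, not a tool from the thread or from either product, that performs the same comparison over the object strings quoted in the post. It normalizes the spelling differences between the two scanners (the `HKEY_CURRENT_USER:software` hive separator, short hive names, case, trailing backslashes) and treats a value beneath a key that the other scanner reported as covered, which is exactly the point the post makes about Dynamic Toolbar. Registry values are modelled as `key\ValueName` strings, the eight value names under Dynamic Toolbar are constructed stand-ins (the post counts them but does not list them), and the cookies are left out.

```python
# Added example for the scanner comparison above; not code from the thread
# or from Microsoft AntiSpyware / Ad-Aware.
import re

# Short hive names some tools print, mapped to the long form.
HIVE_ALIASES = {
    "hkcu": "hkey_current_user",
    "hklm": "hkey_local_machine",
    "hkcr": "hkey_classes_root",
    "hku": "hkey_users",
}

# Objects quoted in the post, written as key\ValueName for registry values.
BETA1_OBJECTS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2020SEARCHTB",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2020SEARCHTB\UninstallString",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2020SEARCHTB\DisplayName",
] + [
    # The post says Beta1 listed 8 objects inside Dynamic Toolbar but does not
    # name them; these value names are constructed stand-ins.
    r"HKEY_CURRENT_USER\Software\Dynamic Toolbar\value%d" % i for i in range(8)
]

ADAWARE_OBJECTS = [
    # Same three uninstall entries, spelled with the short hive name and in
    # different case to exercise the normalizer.
    r"HKLM\software\microsoft\windows\currentversion\uninstall\2020SearchTB",
    r"HKLM\software\microsoft\windows\currentversion\uninstall\2020SearchTB\UninstallString",
    r"HKLM\software\microsoft\windows\currentversion\uninstall\2020SearchTB\DisplayName",
    "HKEY_CURRENT_USER\\Software\\Dynamic Toolbar\\",
    r"HKEY_CURRENT_USER:software\microsoft\search assistant\DefaultSearchURL",
    r"C:\WINDOWS\downloaded program files\2020Search.inf",
]


def normalize_object(obj):
    """Canonical tuple of lower-cased path components for a registry or file object."""
    s = obj.strip().replace("/", "\\")
    # Ad-Aware style "HKEY_CURRENT_USER:software\..." -> "HKEY_CURRENT_USER\software\..."
    s = re.sub(r"^(hk[a-z_]+):", r"\1\\", s, flags=re.IGNORECASE)
    parts = [p.strip().lower() for p in s.split("\\") if p.strip()]
    if parts:
        parts[0] = HIVE_ALIASES.get(parts[0], parts[0])
    return tuple(parts)


def overlaps(obj, reported):
    """True if some reported object is the same path, a parent of obj, or a
    child of obj. A scanner that lists a key covers the values beneath it, and
    a scanner that lists eight values beneath a key has covered that key."""
    for r in reported:
        n = min(len(obj), len(r))
        if n and obj[:n] == r[:n]:
            return True
    return False


def compare_scans(name_a, objects_a, name_b, objects_b):
    """Return the objects only one scanner reported, plus the shared ones
    (shared is the union of both scanners' spellings of matched objects)."""
    norm_a = [normalize_object(o) for o in objects_a if o.strip()]
    norm_b = [normalize_object(o) for o in objects_b if o.strip()]
    only_a = sorted({"\\".join(o) for o in norm_a if not overlaps(o, norm_b)})
    only_b = sorted({"\\".join(o) for o in norm_b if not overlaps(o, norm_a)})
    shared = sorted({"\\".join(o) for o in norm_a if overlaps(o, norm_b)}
                    | {"\\".join(o) for o in norm_b if overlaps(o, norm_a)})
    return {"only_" + name_a: only_a, "only_" + name_b: only_b, "shared": shared}


if __name__ == "__main__":
    result = compare_scans("beta1", BETA1_OBJECTS, "adaware", ADAWARE_OBJECTS)
    for label, objs in result.items():
        print(label, len(objs))
        for o in objs:
            print("   ", o)
```

Run as-is it reproduces the post's summary: nothing is unique to Beta1 once the Dynamic Toolbar values are matched against Ad-Aware's parent key, while the `DefaultSearchURL` value and the `2020Search.inf` file show up only on the Ad-Aware side.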
 
I concur that the following entries are from the "immunize" feature of Spybot
S&D. MAS detects these entries from Spybot S&D's Restricted Sites list:

"SearchSquire Adware more information...
Details: SearchSquire is an Internet Explorer sidebar containing paid links
that open when you use search engines.
Status: Ignored
Elevated threat - Elevated threats are usually threats that fall into the
range of adware in which data about a user's habits are tracked and sent
back to a server for analysis without your consent or knowledge.

Infected registry keys/values detected
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\searchsquire.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\searchsquire.com * 4"
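The first post's false positives (the `0.0.0.0 ads.auctions.yahoo.com` Hosts line and the `ZoneMap\Domains` entries) and the entries quoted in the reply above come down to the same triage question: is the object a protective setting or a hijack? The following Python script is an added example, not code from the thread or from any of the products it names. It classifies Hosts lines by whether they sinkhole a name (0.0.0.0 or a loopback address) or point it at some other host, and `ZoneMap\Domains` values by the IE zone they assign: 4 is Restricted Sites, which is what Spybot's immunize feature writes, while 1 or 2 would raise a domain's trust. The sample Hosts text and the `example-ads.test` entry are constructed; the `ads.auctions.yahoo.com` and `searchsquire.com` entries are the ones quoted in the thread.

```python
# Added example for the thread above; not code from any product named in it.
import ipaddress
import re

# Internet Explorer URL security zone ids.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Tail of a ZoneMap key: ...\Internet Settings\ZoneMap\Domains\<domain>[\<subdomain>]
ZONEMAP_RE = re.compile(
    r"\\Internet Settings\\ZoneMap\\(?:EscDomains|Domains)\\"
    r"(?P<domain>[^\\]+)(?:\\(?P<sub>[^\\]+))?$",
    re.IGNORECASE,
)

# Constructed sample Hosts text. The ads.auctions.yahoo.com line is the one the
# first post quotes; www.example-bank.test is invented and points at a
# documentation-range address to stand in for a redirect to a remote host.
SAMPLE_HOSTS = """\
# ad-blocking list in sinkhole form
0.0.0.0 ads.auctions.yahoo.com
127.0.0.1 localhost
::1 localhost
203.0.113.10 www.example-bank.test   # constructed redirect entry
"""

# Constructed sample registry values: (key path, value name, DWORD data).
SAMPLE_ZONEMAP = [
    # the Spybot immunization quoted in the thread: searchsquire.com, "*" = 4
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
     r"\Internet Settings\ZoneMap\Domains\searchsquire.com", "*", 4),
    # constructed: a subdomain placed in Trusted Sites for http only
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
     r"\Internet Settings\ZoneMap\Domains\example-ads.test\www", "http", 2),
]


def classify_hosts_line(line):
    """Return (verdict, host): comment, malformed, standard (localhost),
    sinkhole (0.0.0.0 or loopback, i.e. ad blocking) or redirect (any other
    address; pointing a real site elsewhere is the actual hijack pattern)."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return ("comment", None)
    parts = body.split()
    if len(parts) < 2:
        return ("malformed", None)
    try:
        addr = ipaddress.ip_address(parts[0])
    except ValueError:
        return ("malformed", None)
    host = parts[1].lower()
    if host == "localhost" and addr.is_loopback:
        return ("standard", host)
    if addr.is_unspecified or addr.is_loopback:
        return ("sinkhole", host)
    return ("redirect", host)


def classify_zonemap_entry(key_path, value_name, value_data):
    """Return (verdict, host, zone name) for one ZoneMap\\Domains value. The
    value name is the scheme ("*" = all, or "http"/"https"); the data is the
    zone id. Zone 4 is what immunization tools write, so removing such an
    entry weakens protection; zones 1 and 2 silently raise a domain's trust."""
    m = ZONEMAP_RE.search(key_path)
    if not m:
        return ("not-zonemap", None, None)
    host = m.group("domain").lower()
    if m.group("sub"):
        host = m.group("sub").lower() + "." + host
    try:
        zone = int(value_data)
    except (TypeError, ValueError):
        return ("malformed", host, None)
    zone_name = ZONE_NAMES.get(zone, "unknown zone %d" % zone)
    if zone == 4:
        return ("restricted-immunization", host, zone_name)
    if zone in (1, 2):
        return ("zone-elevation", host, zone_name)
    return ("other", host, zone_name)


def triage_sample():
    """Run both classifiers over the constructed samples; returns
    (source, host, verdict) tuples, skipping comments and malformed lines."""
    findings = []
    for line in SAMPLE_HOSTS.splitlines():
        verdict, host = classify_hosts_line(line)
        if verdict not in ("comment", "malformed"):
            findings.append(("hosts", host, verdict))
    for key, name, data in SAMPLE_ZONEMAP:
        verdict, host, _zone = classify_zonemap_entry(key, name, data)
        findings.append(("zonemap", host, verdict))
    return findings


if __name__ == "__main__":
    for source, host, verdict in triage_sample():
        print("%-8s %-28s %s" % (source, host, verdict))
```

The verdict names make the distinction the thread argues for explicit: a Restricted Sites entry and a 0.0.0.0 Hosts line are protections to leave alone, and a scanner whose default action is Remove on them is undoing the user's own hardening rather than cleaning anything.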
