Spy My PC Pro

13 replies to this topic

#1 cissp

    Member

  • Full Member
  • 88 posts

Posted 01 December 2004 - 06:39 PM

Tonight I updated my SpySweeper definitions and then ran a full scan. This is what it found:

Found System Monitor: Spy My PC Pro, version 1.9, c:\program files\sure delete\unins000.exe
06:32 PM: Found System Monitor: Spy My PC Pro, version 1.9, c:\program files\zonelog\unins000.exe
06:41 PM: Now sweeping drive D:
06:41 PM: Now sweeping drive E:
06:44 PM: Found System Monitor: Spy My PC Pro, version 1.9, e:\sure delete\unins000.exe
06:44 PM: Found: 3 file traces.

I did use SpySweeper's quarantine and then delete features to remove this alleged spyware. However, considering that this is a commercial PC monitoring program, and no one physically accesses my PC but me, I thought it strange how such a program could get on my PC. Also, I have SpyCop and X-Cleaner, two programs that specifically target commercial key loggers and such. Also, I thought it strange that the infected areas pointed to Sure Delete and Zone Alarm with uninstall files as the culprits. I'm wondering now that because I had just updated a new signature file for SpySweeper, that this caused a false positive. In absence of hearing anything from the forum here, I will submit a trouble ticket, but in my personal dealings with them, they do not seem to be very responsive. In fact, the last two trouble tickets I submitted, no one ever responded.

Thanks.

#2 Dragonslore

    Advanced Member

  • Helper Trainee
  • 230 posts

Posted 02 December 2004 - 02:37 AM

Here is the main site for this software

http://www.e-spysoft..._my_pc_pro.html

Generally, from what I've learned about this type of software, it can be remotely installed on your system without your knowledge through an email. All it takes is to open the email which contains the install file and, the way it's designed, it'll install itself right away by doing a silent install.

One way to prevent this sort of thing from happening again, if you're using Outlook, would be to configure it to display all email as plain text. This way you can see any code the email contains and, if it looks safe, you can choose to display as HTML.

With Outlook Express you can go to Options > Read tab: "Read as Plain Text".


- Excuse the Writing, I've Got a Dyslexic Keyboard

#3 cissp

    Member

  • Full Member
  • 88 posts

Posted 02 December 2004 - 07:36 AM

I've pretty much eliminated the possibility that this sort of program could have been physically installed on my PC. As far as remote installations, I am familiar with the email install technique. I worked a contract previously for a Federal agency where I was actually testing this sort of monitoring spyware. Still, as a practice I do not open emails from unknown sources, open attachments without virus and malware scanning it first, and only receive mail in plain text format. On top of that, the outgoing connection ("phoning home") would need to slip by ZA Pro, as well as TrojanHunter, SpyCop, X-Cleaner, SpySweeper, KAV, SS&D Tea Timer, and RegProtect, just to name a few. If Spy My PC Pro could circumvent that many and varied protection mechanisms, then it would be a very, very effective (but bad to the anti-spyware community) program.

I'm going to contact Webroot and present the situation to them. I think it could be a false positive (given the reasons stated in my first post), but they need to know this.

Thanks.

#4 tantricobstacles

    Member

  • Full Member
  • 19 posts

Posted 02 December 2004 - 11:13 AM

Cissp,
That is indeed a false positive... you do need to contact Webroot so that this can be fixed (and it will.)
If you feel that you're not getting a response from Webroot, email me here and I can make sure it gets handled.

Thanks,

-Tantric

#5 cissp

    Member

  • Full Member
  • 88 posts

Posted 02 December 2004 - 03:53 PM

Actually, I submitted a trouble ticket this morning, so let's see if/when Webroot gets around to addressing this issue. By the way, what makes you believe this is a FP? I believe it is, too, but I'd just like to know what makes you agree, unless your reasoning is based on the information contained in my last two posts on this. Anyway, thanks for the offer to make sure Webroot handles this trouble ticket. If they don't respond back within a couple of days, I just may take you up on that.

Thanks.

#6 tantricobstacles

    Member

  • Full Member
  • 19 posts

Posted 02 December 2004 - 04:20 PM

I know it's an FP because it's being detected as a system monitor and it's only one file. Keyloggers/system monitors are by far the most likely to generate an FP because they do tend to use a lot of common components. The file being an uninstaller is also a good clue; uninstallers tend to be similar to one another, so that's another indication that something may be a false positive.
While I can't confirm off hand if your ticket has been handled, the FP has been identified and the def is being corrected - it should be fixed in the next definition update. Let's just say I have inside info...
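
As an added example (not code from this thread, from Webroot, or from any product named here), the script below parses the Spy Sweeper "Found" lines quoted in post #1 and rates each detection using the two clues given above: the file is a generic uninstaller stub, and the same signature fires on that stub in unrelated product folders. The GENERIC_STUBS list is an assumption made for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: the Spy Sweeper lines quoted in post #1 (first one had no timestamp there either).
SCAN_LOG = r"""
Found System Monitor: Spy My PC Pro, version 1.9, c:\program files\sure delete\unins000.exe
06:32 PM: Found System Monitor: Spy My PC Pro, version 1.9, c:\program files\zonelog\unins000.exe
06:41 PM: Now sweeping drive D:
06:44 PM: Found System Monitor: Spy My PC Pro, version 1.9, e:\sure delete\unins000.exe
06:44 PM: Found: 3 file traces.
"""

# "[hh:mm PM: ]Found <category>: <name>, version <ver>, <path>"; the summary "Found: 3 file traces." has no category, so it is skipped.
FOUND_RE = re.compile(
    r"^(?:(?P<time>\d{2}:\d{2} [AP]M): )?Found (?P<category>[^:]+): "
    r"(?P<name>.+?), version (?P<version>[\d.]+), (?P<path>.+)$"
)

# Assumption: installer/uninstaller stub names that many unrelated products ship,
# so a signature hitting one of them deserves a second look on its own.
GENERIC_STUBS = {"unins000.exe", "uninstall.exe", "setup.exe"}

def parse_detections(log_text):
    """Return one dict (time, category, name, version, path) per 'Found' line."""
    hits = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits

def triage(hits):
    """Rate each (detection name, file basename) pair with the thread's two clues:
    a generic stub, and the same signature firing across unrelated folders."""
    folders = defaultdict(set)
    for h in hits:
        p = PureWindowsPath(h["path"])
        folders[(h["name"], p.name.lower())].add(str(p.parent).lower())
    verdicts = {}
    for key, dirs in folders.items():
        generic = key[1] in GENERIC_STUBS
        if generic and len(dirs) >= 2:
            verdicts[key] = "likely false positive: generic stub in %d unrelated folders" % len(dirs)
        elif generic:
            verdicts[key] = "suspect: generic stub, compare its hash with the vendor's copy"
        else:
            verdicts[key] = "treat as real until the file is verified"
    return verdicts
```

Run it on a real Spy Sweeper log with the same line format to get a per-detection verdict; a "likely false positive" verdict is a reason to report to the vendor, not a reason to skip verifying the file.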

#7 cissp

    Member

  • Full Member
  • 88 posts

Posted 02 December 2004 - 06:02 PM

Tantric,

When I arrived home, I already had a response back from Webroot. If your intervention was a contributing factor, thank you. However, the "fix" action they gave me is confusing. They do not even allude to it being a false positive; rather, they request that I make sure I'm running the latest build (duh), and then run a scan in Safe mode. That seems to infer that the first scan didn't catch it all; hence, the instruction to scan in Safe mode. If it were truly a false positive, why didn't they just tell me that?

That aside, thanks for your insight on common characteristics of keyloggers/system monitors. Sounds like something that could be a "testable" item in our Help exam. :)

#8 tantricobstacles

    Member

  • Full Member
  • 19 posts

Posted 03 December 2004 - 03:27 PM

I didn't have anything to do with the response you got; from what you're saying, whoever replied was not necessarily correct... (I'd need to know your email address or some other way of identifying the ticket you sent in order to do any follow-up on that.)
Sorry the "fix" was confusing.... I have no idea why they would tell you that when reporting a false positive.. all tech support people are not created equal...

The FP is fixed and the next Spy Sweeper definition update that is scheduled for Monday (don't hold me to that date) will include the corrected definition.

-Tantric

#9 cissp

    Member

  • Full Member
  • 88 posts

Posted 03 December 2004 - 05:41 PM

Tantric,

I need to remind myself that Webroot (and other companies like them) serves people of varying technical prowess, so their boilerplate response (at least the initial one) is excusable. Since my trouble ticket with them is still open, I will give them the opportunity to respond, and hopefully they will address the false positive issue.

#10 cissp

    Member

  • Full Member
  • 88 posts

Posted 05 December 2004 - 07:14 AM

UPDATE: I had another system at home that was identified with this Spy My PC Pro when I ran a SpySweeper scan, and it was associated with a Sure Delete uninstall file. Although this PC is connected to the Internet via cable access (like my earlier "infected" PC), I don't have shares set up for access. Also, this is a PC I normally only use on the weekend, and primarily for DVD authoring. So...this adds more fuel to my and Tantric's suspicion that this is a false positive. And according to Tantric (who has some sort of inside track with Webroot support), a definition update is forthcoming that is supposed to address this false positive. It will be interesting to see if Webroot support responds to my open ticket, and acknowledges this. Stay tuned.

#11 baz

    Advanced Member

  • Full Member
  • 151 posts

Posted 07 December 2004 - 03:50 AM

Hadn't been aware of this problem until I saw your response in my update posting, cissp. Webroot updated the definitions again on Monday (12/6). I'm wondering if it addresses the FP problem with the last update.

#12 cissp

    Member

  • Full Member
  • 88 posts

Posted 07 December 2004 - 08:28 AM

I noticed also that Webroot had an update available as of yesterday for SpySweeper. On their website, my trouble ticket is still open, but I haven't heard from them since 12/02. I queried them again, to find out if they would acknowledge that this is a false positive.

#13 tantricobstacles

    Member

  • Full Member
  • 19 posts

Posted 07 December 2004 - 04:00 PM

Cissp,
It may be best for you to email me through this forum. I'd need something to be able to identify your ticket from in order to try to figure out why you haven't received a response (and I'm not going to ask you to post your email addy in a forum). The FP should have been fixed in the update that went out yesterday (425).

-Tantric

#14 Gianni

    Member

  • Full Member
  • 36 posts

Posted 08 December 2004 - 11:38 AM

Some version or versions of the SpySweeper Anti-Trojan product falsely reports that a file distributed with our products (i.e. unins000.exe) would contain a key logger application called "Spy My PC Pro".

This report is false; none of our products contain any kind of adware or spyware. The problem has been reported to the manufacturer of the SpySweeper product, and their next update to the trojan definition file will fix this problem.


http://www.macecraft.com/news/65/

btw SS False Positives are a nightmare... :angry:

http://www.wildersse...ead.php?t=50194
http://www.wildersse...ead.php?t=45723

quoting from Fred Langa's Newsletter (2004/10/04):

I've heard more complaints about false positives with Spy Sweeper than with the other tools. Erring on the side of caution is fine, but Spy Sweeper seems like it may be the software equivalent of Chicken Little or "the boy who cried 'wolf'".


Edited by Gianni, 08 December 2004 - 11:55 AM.
