SpyOnThis False Positives and Detailed Registry Key Analysis


As I blogged earlier in the entry, in a clean VM SpyOnThis detected 13 different threats, all of which are false positives (FPs). Most of them were cookies.

Let us dig into each key flagged as spyware by SpyOnThis and see why they are false positives.

Object: ClearSearch
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CTLS
RiskLevel: 4

ClearSearch object found!!!
Object: ClearSearch
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CRLS
RiskLevel: 4

Claria object found!!!
Object: Claria
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_USERS:.default\software\microsoft\systemcertificates\trustedpublisher\crls
RiskLevel: 3

Look at the original keys in the registry that were flagged as spyware:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs]

Windows Registry Editor Version 5.00
[HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs]

Note: there were no values associated with these keys when they were detected as spyware.

To make a full analysis, we need some basic definitions:

CA - Certification Authority

An entity entrusted to issue certificates that assert that the recipient individual, computer,
or organization requesting the certificate fulfills the conditions of an established policy.

CRL - Certificate Revocation List
A document maintained and published by a certification authority (CA) that lists certificates
issued by the CA that are no longer valid.

CTL - Certificate Trust List
A predefined list of items that have been signed by a trusted entity. A CTL can be anything,
such as a list of hashes of certificates, or a list of file names. All the items in the list are
authenticated (approved) by the signing entity.

The keys I mentioned are default keys the Windows operating system uses to handle trusted publisher certificates when IE makes a secure (SSL) connection. SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely.

CAs release CRLs regularly so that the user or enterprise knows which certificates are no longer valid. This registry key is modified when we import CRLs from a CA.

None of the above keys is related to either Claria or ClearSearch, so classifying them as spyware is erroneous.

Let us check the other keys in detail as well.

Possible Browser Hijack object found!!!
Object: Possible Browser Hijack
Class: REGDATA
Type: HIJACKER
FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN[START PAGE="ABOUT:BLANK"]
RiskLevel: 3

The following is the key that SpyOnThis flagged as a hijacker.

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"

No browser hijack is attempted in the above key. We can confirm this using HijackThis: no R (Start Page and Search Page changes) entries were identified. SpyOnThis nevertheless detected this start page as hijacked.

You can download the HijackThis log from the following link.

e-Surveiller object found!!!
Object: e-Surveiller
Class: REGKEY
Type: KEY LOGGER
FoundIn: HKEY_LOCAL_MACHINE:SOFTWARE\Classes\.zlg
RiskLevel: 6

e-Surveiller object found!!!
Object: e-Surveiller
Class: REGKEY
Type: KEY LOGGER
FoundIn: HKEY_CLASSES_ROOT:.zlg
RiskLevel: 6

The original keys in the system that were flagged as a keylogger:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.zlg]
@="ZAMailSafe"
"Original Extension"="LNK"

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.zlg]
@="ZAMailSafe"
"Original Extension"="LNK"

The above keys belong to the ZoneAlarm firewall, which uses them for mail protection.
Does anyone want to remove the registry keys of their personal firewall??
This is extremely problematic, as the user would be removing keys for their firewall, a key part of defense in depth!

e-Surveiller changes the key as follows (this information is listed in Symantec's writeup at http://www.symantec.com/avcenter/venc/data/spyware.esurveiller.html):

"Adds the value:

"" = "e-Surveiller.Logfile"

to the registry subkey:
HKEY_CLASSES_ROOT\.zlg

so that the risk runs every time Windows starts."

Note: the value of the key when SpyOnThis detected it was "ZAMailSafe".
This value is related to ZoneAlarm's email protection.
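As an added example (my own code, not from the original post), here is a small Python script that parses .reg exports like the ones shown above and applies this post's reasoning to the flagged keys: empty TrustedPublisher CRLs/CTLs keys, the about:blank start page, and the default value of HKEY_CLASSES_ROOT\.zlg compared against the value Symantec describes for e-Surveiller versus ZoneAlarm's ZAMailSafe. The verdict strings and the sample export are constructed for illustration.

```python
import re

ESURVEILLER_ZLG_DEFAULT = "e-Surveiller.Logfile"  # from the Symantec writeup quoted in the post
ZONEALARM_ZLG_DEFAULT = "ZAMailSafe"              # what ZoneAlarm mail protection writes to HKCR\.zlg

def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: data}} ('@' = default)."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        val = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if val and current is not None:
            name = "@" if val.group(1) == "@" else val.group(1)[1:-1]
            data = val.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]  # REG_SZ; dword:/hex: data is kept verbatim
            keys[current][name] = data
    return keys

def triage_key(key_path, values):
    """Apply the post's reasoning to one flagged key and return a verdict string."""
    path = key_path.lower()
    if path.endswith("\\.zlg"):
        default = values.get("@", "")
        if default == ESURVEILLER_ZLG_DEFAULT:
            return "matches e-Surveiller indicator: investigate"
        if default == ZONEALARM_ZLG_DEFAULT:
            return "ZoneAlarm mail protection file type: benign"
        return "unrecognised .zlg handler: review"
    if "systemcertificates\\trustedpublisher\\c" in path and not values:
        return "empty Windows certificate store key (CRLs/CTLs): benign"
    if path.endswith("internet explorer\\main") and values.get("Start Page", "").lower() == "about:blank":
        return "start page is about:blank, no hijack: benign"
    return "no rule matched: review manually"

def triage_export(text):
    return {k: triage_key(k, v) for k, v in parse_reg_export(text).items()}
# Constructed sample mirroring the keys shown in the post (not captured from a real system).
CLEAN_VM_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.zlg]
@="ZAMailSafe"
[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
'''
```

Running `triage_export(CLEAN_VM_EXPORT)` marks all three keys benign, while a .zlg key whose default value is "e-Surveiller.Logfile" is the one case that warrants investigation.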

Bargain Buddy Bundle object found!!!
Object: Bargain Buddy Bundle
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Code Store Database
RiskLevel: 3

Look at the original key that was flagged as spyware.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{6414512B-B978-451D-A0D8-FCFDF33E833C}]

"SystemComponent"=dword:00000000
"Installer"="MSICD"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{6414512B-B978-451D-A0D8-FCFDF33E833C}\Contains]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{6414512B-B978-451D-A0D8-FCFDF33E833C}\Contains\Files]
"C:\\WINDOWS\\system32\\wuweb.dll"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{6414512B-B978-451D-A0D8-FCFDF33E833C}\DownloadInformation]
"CODEBASE"="http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138367055140"
"INF"="C:\\WINDOWS\\Downloaded Program Files\\wuweb.inf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{6414512B-B978-451D-A0D8-FCFDF33E833C}\InstalledVersion]
@="5,8,0,2469"
"LastModified"="Thu, 26 May 2005 12:21:52 GMT"

Only one subkey (Distribution Units) was listed under this key when it was flagged as spyware. Distribution units enable the Microsoft Internet Explorer Internet Component Download service to pull down and install software on users' computers. In the above key it enabled that service to pull down Windows updates and install them on the user's machine.

None of these keys are related to Bargain Buddy. Does SpyOnThis want to prevent the user from updating Windows??

AGM65's FileCD Key Harvester 0.2 object found!!!
Object: AGM65's FileCD Key Harvester 0.2
Class: FILE
Type: CRACKING TOOL
FoundIn: C:\Program Files\upx125w\COPYING
RiskLevel: 3

AGM65's FileCD Key Harvester 0.2 object found!!!
Object: AGM65's FileCD Key Harvester 0.2
Class: FILE
Type: CRACKING TOOL
FoundIn: C:\Program Files\upx125w\LICENSE
RiskLevel: 3

AGM65's FileCD Key Harvester 0.2 object found!!!
Object: AGM65's FileCD Key Harvester 0.2
Class: FILE
Type: CRACKING TOOL
FoundIn: C:\Program Files\upx125w\README
RiskLevel: 3

The above three files are plain text files. The directory belongs to UPX (Ultimate Packer for eXecutables). Only the plain text files were detected (some other text files were left out). How can detecting plain text files be confused with a cracking tool?
Note:
UPX definition:
Ultimate Packer for eXecutables (UPX) is an extendable, high-performance executable file compression packer for a number of diverse executable file formats.

This detection reminds me of a rogue anti-spyware from some time back, PrivacyTools2004, which detected plain text files as "bad", as described in this Spyware Warrior thread (http://spywarewarrior.com/viewtopic.php?p=25393):

"... the beta completely misidentified the app, as when it flagged a plain text license file for UPX as part of 'AGM65's FileCD Key Harvester 0.1.'"

The only difference I can see in this detection is the version: PrivacyTools2004 detected the UPX license file as AGM65's FileCD Key Harvester 0.1, while SpyOnThis detects the same file as AGM65's FileCD Key Harvester 0.2.
Does any reputable anti-spyware program detect plain text files as a cracking tool?

Check out the following screenshot. I tried to update the signatures, but it says:

"Your security signatures are already up to date! Please check again later."


So the database was last updated on 4/17/2006, as can be seen in the next screenshot. There is no change in the detection list. You can download the new scan result from this link.

Now check out the following screenshot for the false positives on 5/4/2006:


Note: I downloaded SpyOnThis from the site today and installed it in another clean VM.
There is absolutely no difference in false positives from the original test.

Our opinion: Avoid.

2 Comments

I am new to posting at spywarrior and I hope someone here can help me out. You see, I recently purchased SpyOnThis from their website. Like many, I did not realize the results of the scan were false positives since the machine in question was infected considerably with various malware. Luckily I did not run SpyOnThis on that machine even though I did purchase the program. I wish now I would have checked spywarrior's website first before I fell prey to SpyOnThis and their misleading testimonials about the product on their website.
My question is this: does anyone know what I can do to try and get my money back from SpyOnThis? Where or with whom can I speak to lodge a formal complaint?
Any help would be greatly appreciated.

Lilbit,

You would want to contact the transaction processor, Clickbank.

http://clickbank.com/contact/ has all the details.

About this Entry

This page contains a single entry, published on May 2, 2006 4:03 AM.