Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

MyCleanerPC

 
WorfSOM
Junior Member


Joined: 05 Apr 2006
Last Visit: 23 Jul 2012
Posts: 13

Posted: Wed Apr 05, 2006 4:48 am    Post subject: MyCleanerPC

Hi guys.

I don't know if you are aware of this, but this program, which is mentioned on the "Not Listed" part of the Rogue List, does seem to exhibit rogue behavior.

I downloaded the installer, and upon executing the program, avast! antivirus identified it as a trojan:



Also, Windows Defender shortly after blocked the installation of Virtual Bouncer. (Forgot to take a screenshot)

It is possible that one of these would be a false-positive, but two?

Anyway, just thought I would bring this to your attention.
fcukdat
Warrior Addict


Joined: 01 Jan 2005
Last Visit: 08 Apr 2009
Posts: 757
Location: Yeovil,England.

Posted: Wed Apr 05, 2006 8:38 am

Hi WorfSOM and welcome to the SWW forums :)

This sounds silly but can you point me in the direction of the installer you used so I can take a gander :P
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html
WorfSOM
Junior Member


Joined: 05 Apr 2006
Last Visit: 23 Jul 2012
Posts: 13

Posted: Wed Apr 05, 2006 8:42 am

fcukdat wrote:
Hi WorfSOM and welcome to the SWW forums :)

This sounds silly but can you point me in the direction of the installer you used so I can take a gander :P


Thank-you for your warm welcome, and certainly:

hXXp://www.mycleanerpc.com/download.aspx
fcukdat
Warrior Addict


Joined: 01 Jan 2005
Last Visit: 08 Apr 2009
Posts: 757
Location: Yeovil,England.

Posted: Wed Apr 05, 2006 9:10 am

Ok's a quick visit to Jotti to test the installer confirms your findings :shock:

http://virusscan.jotti.org/



I will unpack the toolbox later tonight to see if I can uncover what is lurking behind but fwiw this IMO is too many vendors marking up the file for it to be a F/P (but I have been wrong before :oops: )

Thanks for bringing this information to the forum and kudos for posting the broken link (thumbs up)
WorfSOM
Junior Member


Joined: 05 Apr 2006
Last Visit: 23 Jul 2012
Posts: 13

Posted: Wed Apr 05, 2006 9:24 am

fcukdat wrote:
Thanks for bringing this information to the forum and kudos for posting the broken link (thumbs up)

It's no problem, glad to help. :)
chrisr1uk
Warrior


Joined: 21 Sep 2004
Last Visit: 14 Oct 2006
Posts: 68

Posted: Wed Apr 05, 2006 9:29 am

Hmmmmm

After looking at a setup file in the directory, I saw this domain name mentioned and did a search.

Have a look at what google throws up:
http://www.google.co.uk/search?hl=en&q=Xctrk.com+spyware&meta=


Interesting
fcukdat
Warrior Addict


Joined: 01 Jan 2005
Last Visit: 08 Apr 2009
Posts: 757
Location: Yeovil,England.

Posted: Wed Apr 05, 2006 11:54 am

Gees I love Jotti :D

Here's what Jotti thinks of the original suspect file reported by WorfSOM


WorfSOM
Junior Member


Joined: 05 Apr 2006
Last Visit: 23 Jul 2012
Posts: 13

Posted: Wed Apr 05, 2006 12:01 pm

fcukdat wrote:
Gees I love Jotti :D

Here's what Jotti thinks of the original suspect file reported by WorfSOM


It's safe to say that I wasn't getting false-positives after all then... :lol:
wyrmrider
Warrior Addict


Joined: 25 Jun 2004
Last Visit: 17 Jan 2009
Posts: 730

Posted: Wed Apr 05, 2006 1:29 pm

worf
have you scanned with any of the anti spyware or anti trojan apps?
just to see if they pick it up?
WorfSOM
Junior Member


Joined: 05 Apr 2006
Last Visit: 23 Jul 2012
Posts: 13

Posted: Wed Apr 05, 2006 2:43 pm

wyrmrider wrote:
worf
have you scanned with any of the anti spyware or anti trojan apps?
just to see if they pick it up?


Well Windows Defender doesn't seem to pick up on anything until the installation is started...

Ewido didn't find anything.

I have yet to try Adaware, Spybot, a2 and co yet.
Proactive Services
Security Expert


Joined: 06 Feb 2006
Last Visit: 24 Jun 2009
Posts: 169
Location: Hampshire, UK

Posted: Wed Apr 05, 2006 3:30 pm

Quote:
mycleanerpc - your spyware detection tool.
MyCleanerPC is your spyware and adware removal tool. It is a sleek and efficient appliance that locates and deletes malicious software that has been placed on your computer without your knowledge. With a compact and easy-to-use interface, MyCleanerPC searches deep within your hard drive looking for applications that can track your Internet path, feed you unwanted advertisements and compromise the overall security of your computer.


Well, with a virtual machine infested with a host of malware that is detected en masse by Ad-Aware SE Personal, Spybot Search & Destroy, SUPERAntiSpyware and NOD32 anti-virus, mycleanpc detected around 20 cookies, "Elitum" and "SurfSideKick 3". As I couldn't find a facility to export logs, screenshots are available at the following:
http://www.proactiveservices.co.uk/research/mycleanerpc/detections1.png
http://www.proactiveservices.co.uk/research/mycleanerpc/detections2.png
http://www.proactiveservices.co.uk/research/mycleanerpc/detections3.png

IMO this product has a near-useless detection ability and the practice of scanning for free and having the user pay for removal without the option of a trial period is to be frowned upon. With such poor detections I won't even bother to look at its removal abilities.
_________________
Adam Piggott, Proprietor, Proactive Services (Computing)

Professional, friendly computer support in Hampshire, UK.
eburger68
SWW Distinguished Expert


Joined: 23 Jun 2004
Last Visit: 18 Nov 2008
Posts: 575
Location: Clearwater, FL

Posted: Wed Apr 05, 2006 5:47 pm

Hi All:

This is a most unusual situation. I've taken another look at MyCleanerPC. Here's what I found.

On the one hand, there are several things that are suspicious. In addition to reference to xctrk.com (Rawhide Search Solutions) in Settings.ini -- which looks to me to be a method for counting installations -- the IP address for MyCleanerPC.com is 24.249.226.14, which is quite close to the IP address for SpywareLabs.com and VirtualBouncer (24.249.226.22). Moreover, during installation of MyCleanerPC, there are several calls to 24.249.226.46/instcount/instcount.aspx, which resembles a similar call made during installation of VirtualBouncer. Finally, the tray icon for MyCleanerPC does bear an unusual resemblance to that for VirtualBouncer/AdDestroyer.

On the other hand, in my testing over the last few hours I observed no other unusual or malicious behavior. The program does not change browser settings or add foreign toolbars or BHOs to the system. Moreover, while it is a bit overenthusiastic about adding a slew of Microsoft libraries to the \Windows dir, this is just an instance of careless/unnecessary installation practices -- something I've seen among a number of other completely innocuous and legitimate applications. The program does configure itself to start with Windows via HKLM\...\Run -- again, not unusual behavior, even among anti-spyware programs. The program can be shut down via the system tray icon -- quite unlike Virtual Bouncer, as I recall. The program uninstalls relatively cleanly from Add/Remove Programs. Finally, in the several hours on my system, the program made no unexpected or worrisome calls out.

The program doesn't look to me to be a very good anti-spyware program, but that's no reason to list it on the Rogue/Suspect list -- plenty of mediocre anti-spyware programs are not on the list.

The potential relationship with VirtualBouncer is intriguing -- certainly possible that this program shares some code with VBouncer, just like many of the clones on the list share components because of a common origin.

The program behavior is quite different than VBouncer, though -- this looks to be primarily an on-demand scanner that presents scan results. VBouncer, by contrast, is/was a program that sat silently in the background monitoring god knows what and then popping up dire warnings about detected spyware/adware, without ever presenting scan results of any sort to back up those warnings.

At this point, though, I simply don't have a solid reason to list MyCleanerPC on the Rogue/Suspect list. And, sorry, but those detections by various anti-virus programs aren't sufficient grounds, because the question on the table is whether those detections are indeed legitimate or accurate. Anti-virus programs in and of themselves can't answer that question -- only human beings with powers of observation and reason can.

Best,

Eric L. Howes
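
The address-range overlap described in the post above, as an added example that is not part of the original thread: it groups the observed endpoints by enclosing network to show which ones share a range. The /24 prefix length, the function names and the 203.0.113.10 control entry are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Observations taken from the post above; the last row is a constructed
# control entry (documentation address) added only for contrast.
OBSERVATIONS = [
    ("MyCleanerPC.com website", "24.249.226.14"),
    ("SpywareLabs.com / VirtualBouncer website", "24.249.226.22"),
    ("MyCleanerPC installer call: /instcount/instcount.aspx", "24.249.226.46"),
    ("unrelated-vendor.example (constructed)", "203.0.113.10"),
]


def cluster_by_prefix(observations, prefix_len=24):
    """Group (label, ip) pairs by enclosing network.

    prefix_len=24 is an assumption: the post only says the addresses are
    "quite close", not how the range is actually allocated.
    """
    clusters = defaultdict(list)
    for label, ip in observations:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        clusters[str(net)].append((label, ip))
    return dict(clusters)


def shared_ranges(observations, prefix_len=24):
    """Return only the networks that host more than one observed endpoint."""
    return {
        net: members
        for net, members in cluster_by_prefix(observations, prefix_len).items()
        if len(members) > 1
    }


def max_host_distance(members):
    """Largest numeric gap between any two addresses in a cluster."""
    values = [int(ipaddress.ip_address(ip)) for _, ip in members]
    return max(values) - min(values)


if __name__ == "__main__":
    for net, members in shared_ranges(OBSERVATIONS).items():
        print(f"{net}: {len(members)} endpoints, spread {max_host_distance(members)}")
        for label, ip in members:
            print(f"  {ip:<15} {label}")
```

Narrowing `prefix_len` to 28 puts the three addresses in separate networks, so the overlap only holds at the coarser, assumed granularity.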
WorfSOM
Junior Member


Joined: 05 Apr 2006
Last Visit: 23 Jul 2012
Posts: 13

Posted: Thu Apr 06, 2006 5:09 am

Thanks for taking the time to check it out. :D
fcukdat
Warrior Addict


Joined: 01 Jan 2005
Last Visit: 08 Apr 2009
Posts: 757
Location: Yeovil,England.

Posted: Thu Apr 06, 2006 11:28 am

Thanks Eric for confirming those strange findings :shock: I thought I was losing my marbles this end when the malware trail went cold after installation :wink:

Breaking news :lol:

According to this appointment cookies are dangerous and you need to buy this software to clean them yet further in the GUI it provides the full low down on tracking cookies :oops:

ffs....maybe a new rogue/suspect criteria in the form of conware due to misinformation/misleading marketing :idea:
eburger68
SWW Distinguished Expert


Joined: 23 Jun 2004
Last Visit: 18 Nov 2008
Posts: 575
Location: Clearwater, FL

Posted: Thu Apr 06, 2006 12:33 pm

fcukdat:

Many completely legitimate anti-spyware apps also present cookies as threats and even label them as "spyware" or some similar thing.

Unfortunately, there are a lot of users who demand -- vociferously even -- that cookies be included in the detections of anti-spyware apps. I got a first-hand look at this phenomenon last summer during the public beta for CounterSpy 1.5.

Sunbelt made a small change to the handling of cookies within CounterSpy during the public beta: the box to enable cookie detection/removal was unchecked by default, meaning that CS 1.5 would not detect cookies unless users opted in to the detection. Mind you, the app would still detect cookies if you wanted it to -- just not by default.

The response from users in the beta forums was swift and immediate -- many were disappointed, or angry, or even outraged. There was ominous talk of "sellout," "betrayal," and "going over the dark side" -- that sort of thing. Things threatened to get real ugly real fast. And all because cookie detection/removal was disabled by default -- not removed, just turned off with the option to turn them on.

So, when you see anti-spyware apps flagging cookies, please keep in mind that they're doing so partly in response to user demand.

Best,

Eric L. Howes
fcukdat
Warrior Addict


Joined: 01 Jan 2005
Last Visit: 08 Apr 2009
Posts: 757
Location: Yeovil,England.

Posted: Thu Apr 06, 2006 1:41 pm

Hi Eric :)

Fully understood what you are saying and maybe my comment was part tongue-in-cheek, no argument with appointments detecting cookies but to list them as "Spyware" or to describe them as "Dangerous" is total marketing BS which whips up this public paranoia :shock: to sell their product (shame on you)

With that it has to be said that Sunbelt have always been very open & honest with their marketing information, it's a pity that most of the other vendors don't use the same honest approach :roll:
All times are GMT - 8 Hours