View Full Version : SurfSpy & IsUninst.exe
I just ran Spybot Search & Destroy and it came back with:
SurfSpy - executable - C:\WINDOWS\IsUninst.exe
But everything I find on the internet shows that file is a legitimate InstallShield uninstall file. That file exists on my other PC as well. I ran S&D on it, and it didn't find a problem with it. I also ran LavaSoft AdAware and MS Defender on both PCs and it didn't flag any spyware.
It looks like SurfSpy was added to S&D as of 2007-08-29
http://forums.spybot.info/showthread.php?t=17357&highlight=SurfSpy
Is it a false positive?
robertplattbell
2007-09-01, 19:03
I typed a long response to your post and then the spybot page said I was not an authorized user and after I logged in for the 3rd time, the message was gone....
robertplattbell
2007-09-01, 19:08
I guess I hit the wrong "submit reply" in my previous post (I hit the one on "additional options").
Lng stopry short, I copied the file to a new directory called QUARANTINE and let spybot delete the original.
I re-ran spybot and it did not find any problems.
I copied the file back to the C:\WINDOWS directory and spybot again detected it as a problem.
Again, deleted it and Spybot says everything is OK, even though the file is still on the computer.
One website (sypware.net) claims IsUninst.exe is spyware called intraspy but the reference to its source (natasoft) leads nowhere.
When you figure this out, let me know.
From spyware.net
Component Name: isuninst.exe
Description of isuninst.exe
This is a component of IntraSpy 2.3. Intra Spy 2.3 is licensed software published by Natasoft that invisibly and silently keeps a record of your machine's activity; it tracks everything you type or click, all documents you open online/offline, everything you do in chat or e-mail, and all websites you visit.
Recommendation for isuninst.exe It is highly recommended that this application be removed. Non-removal of this spyware will leave you defenseless against anyone attempting to spy on your computer activities.
Trusted: No
Trojan: No
Chronic: No
Adware: No
Carrier: No
Browser Hijacker: No
Dialer: No
Commercial Keylogger: No
Remote Administration Tool: No
Suspected: No
Company Name: NataSoft
Platforms Affected:
Methods of Distribution: This spyware is found on the company website.
Variants/Versions:
Release Date: Nov-00
robertplattbell
2007-09-01, 19:09
After copying the file to the QUARANTINE directory and deleting the original, the UNINSTALL feature of Windows seems to work OK.
So what does IsUninst.exe do, anyway? And what is the -F feature?
--Bob.
ScottM99
2007-09-02, 07:34
I had run Spybot a few days ago and it didn't detect SurfSpy; I updated the definitions today (9/1) and ran it again, and it detected IsUninst.exe as SurfSpy.
I ran AdAware earlier today, and it didn't detect it.
None of the files or registry entries that Symantec reports for SurfSpy exists on my hard drive.
http://www.symantec.com/security_response/writeup.jsp?docid=2004-071412-1348-99
Also, the default directory given in the SurfSpy FAQ doesn't exist.
http://www.sureshotsoftware.com/surfspy/personal/faq.html
As far as I've been able to figure out, SurfSpy has to be installed and configured manually. It seems to be intended for computer owners (such as parents) to track the use of their own computers. It doesn't look like it's something that gets downloaded and installed without the user's knowledge.
So, I'm assuming false positive.
Hi there,
Thank you for reporting, I made a note for the Team.
FYI: When reporting a possible F/P, it can be helpful to see the path.
Producing a short log (showing items flagged)
Open SpyBot.
Check for problems.
When finished, right click and choose copy results (not the full report) to clipboard and post that into topic.
Regards. :)
robertplattbell
2007-09-02, 19:05
Here are the search results I obtained:
SurfSpy: Executable (File, nothing done)
C:\Windows\IsUninst.exe
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-06-22 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-08-29 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-08-29 Includes\DialerC.sbi (*)
2007-08-29 Includes\Hijackers.sbi (*)
2007-08-29 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-08-29 Includes\KeyloggersC.sbi (*)
2007-08-29 Includes\Malware.sbi (*)
2007-08-29 Includes\MalwareC.sbi (*)
2007-08-29 Includes\PUPS.sbi (*)
2007-08-29 Includes\PUPSC.sbi (*)
2007-08-29 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-08-29 Includes\SecurityC.sbi (*)
2007-08-01 Includes\Spybots.sbi (*)
2007-08-29 Includes\SpybotsC.sbi (*)
2007-08-21 Includes\Tracks.uti
2007-08-29 Includes\Trojans.sbi (*)
2007-08-29 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll
robertplattbell
2007-09-02, 19:08
I also researched on the net, and it seems that Surfspy is something that an employer or jealous spouse (or nervous parent) might use to track someone's web use. It does not appear to be the type of program that you can get on your computer without manually loading it.
I asked my spoouse some pointed questions.... ;)
hello,
thanks for reporting.
We rechecked the file in question: IsUninst.exe
It appears to be a generic uninstaller that is also used by SurfSpy and other applications. Thus this will be treated as a false positive and removed from detection with the next update scheduled for the middle of this week.