SurfSpy & IsUninst.exe

[yooper]

I just ran Spybot Search & Destroy and it came back with:

SurfSpy - executable - C:\WINDOWS\IsUninst.exe

But everything I find on the internet shows that file is a legitimate InstallShield uninstall file. That file exists on my other PC as well. I ran S&D on it, and it didn't find a problem with it. I also ran LavaSoft AdAware and MS Defender on both PCs and it didn't flag any spyware.

It looks like SurfSpy was added to S&D as of 2007-08-29

http://forums.spybot.info/showthread...hlight=SurfSpy

Is it a false positive?

[robertplattbell]

I typed a long response to your post and then the spybot page said I was not an authorized user and after I logged in for the 3rd time, the message was gone....

[robertplattbell]

I guess I hit the wrong "submit reply" in my previous post (I hit the one on "additional options").

Lng stopry short, I copied the file to a new directory called QUARANTINE and let spybot delete the original.

I re-ran spybot and it did not find any problems.

I copied the file back to the C:\WINDOWS directory and spybot again detected it as a problem.

Again, deleted it and Spybot says everything is OK, even though the file is still on the computer.

One website (sypware.net) claims IsUninst.exe is spyware called intraspy but the reference to its source (natasoft) leads nowhere.

When you figure this out, let me know.

From spyware.net

Component Name: isuninst.exe

Description of isuninst.exe
This is a component of IntraSpy 2.3. Intra Spy 2.3 is licensed software published by Natasoft that invisibly and silently keeps a record of your machine's activity; it tracks everything you type or click, all documents you open online/offline, everything you do in chat or e-mail, and all websites you visit.

Recommendation for isuninst.exe It is highly recommended that this application be removed. Non-removal of this spyware will leave you defenseless against anyone attempting to spy on your computer activities.


Trusted: No
Trojan: No
Chronic: No
Adware: No
Carrier: No
Browser Hijacker: No
Dialer: No
Commercial Keylogger: No
Remote Administration Tool: No
Suspected: No

Company Name: NataSoft
Platforms Affected:
Methods of Distribution: This spyware is found on the company website.
Variants/Versions:
Release Date: Nov-00

[robertplattbell]

After copying the file to the QUARANTINE directory and deleting the original, the UNINSTALL feature of Windows seems to work OK.

So what does IsUninst.exe do, anyway? And what is the -F feature?

--Bob.

[ScottM99]

I had run Spybot a few days ago and it didn't detect SurfSpy; I updated the definitions today (9/1) and ran it again, and it detected IsUninst.exe as SurfSpy.

I ran AdAware earlier today, and it didn't detect it.

None of the files or registry entries that Symantec reports for SurfSpy exists on my hard drive.

http://www.symantec.com/security_res...071412-1348-99

Also, the default directory given in the SurfSpy FAQ doesn't exist.

http://www.sureshotsoftware.com/surf...sonal/faq.html

As far as I've been able to figure out, SurfSpy has to be installed and configured manually. It seems to be intended for computer owners (such as parents) to track the use of their own computers. It doesn't look like it's something that gets downloaded and installed without the user's knowledge.

So, I'm assuming false positive.

[tashi]

Hi there,

Thank you for reporting, I made a note for the Team.

FYI: When reporting a possible F/P, it can be helpful to see the path.

Producing a short log (showing items flagged)

• Open SpyBot.
• Check for problems.
• When finished, right click and choose copy results (not the full report) to clipboard and post that into topic.

Regards.

[robertplattbell]

Here are the search results I obtained:

SurfSpy: Executable (File, nothing done)
C:\Windows\IsUninst.exe


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-06-22 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-08-29 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-08-29 Includes\DialerC.sbi (*)
2007-08-29 Includes\Hijackers.sbi (*)
2007-08-29 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-08-29 Includes\KeyloggersC.sbi (*)
2007-08-29 Includes\Malware.sbi (*)
2007-08-29 Includes\MalwareC.sbi (*)
2007-08-29 Includes\PUPS.sbi (*)
2007-08-29 Includes\PUPSC.sbi (*)
2007-08-29 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-08-29 Includes\SecurityC.sbi (*)
2007-08-01 Includes\Spybots.sbi (*)
2007-08-29 Includes\SpybotsC.sbi (*)
2007-08-21 Includes\Tracks.uti
2007-08-29 Includes\Trojans.sbi (*)
2007-08-29 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll

[robertplattbell]

I also researched on the net, and it seems that Surfspy is something that an employer or jealous spouse (or nervous parent) might use to track someone's web use. It does not appear to be the type of program that you can get on your computer without manually loading it.

I asked my spoouse some pointed questions....

[Yodama]

hello,

thanks for reporting.
We rechecked the file in question: IsUninst.exe

It appears to be a generic uninstaller that is also used by SurfSpy and other applications. Thus this will be treated as a false positive and removed from detection with the next update scheduled for the middle of this week.

[yooper]

Thanks for all the help!