Microsoft Installing Spyware?

Discussion in 'other security issues & news' started by SecurityFan, Mar 19, 2006.

Thread Status:
Not open for further replies.
  1. SecurityFan

    SecurityFan Registered Member

    Joined:
    Oct 2, 2005
    Posts:
    28
    I did a Windows Update (getting latest critical patches) for my XP system today and was forced to install new software for the Windows Update as part of this process.

    Before doing this I ran a Counterspy (version 1.0) scan and had no issues. After this I did another and it said I had iSearch.DesktopSearch spyware on my machine.

    Is Microsoft installing spyware now? Is this some kind of false positive? What gives?

    Here is info on this from Counterspy:

    Description: iSearch.DesktopSearch is a browser plug-in that adds a pop-out search box to the Windows system tray and spawns "in-page" browser pop-ups when the user visits search sites.

    iSearch.DesktopSearch also installs a Firefox add-on installer that can add a browser extension to Firefox if that program is on the system.

    This application may be bundled with "freeware" such as wallpapers and through force installs, without notice/consent, in security exploits from CoolWebSearch related sites.

    ISearch/iDownload claim that they do not collect any personally identifiable information (PII). It does appear that the software tracks users' behavior on the internet, including web pages visited and interaction with advertising served by iSearch software. Certain information about users' search queries including keyword query, time of day, browser type, default language, IP address and an anonymous unique ID code, is transmitted to the iSearch servers.

    Author: iSearch/iDownload
     
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    What files/registry entries did it detect? You might post a screenshot showing the detected items.

    If it's not a false positive, then I'm sure it's not from Microsoft. They really wouldn't have any reason to be doing that, and would be shot down very quickly if they were to do so with Windows updates.. it just doesn't make sense. Spyware generally gets bundled in with freeware or very small time stuff that can't make money the old fashioned way, and Microsoft doesn't have that problem.

    It's entirely possible that you picked something up along the way, however, and if you post what was detected then someone should be able to tell you what it really is. CounterSpy is a little prone to false positives, so it's always good to check. (Most anti-spyware apps are, for that matter, some more than others. CounterSpy usually picks up one or two per scan for me)
     
  3. SecurityFan

    SecurityFan Registered Member

    Joined:
    Oct 2, 2005
    Posts:
    28
     
  4. SecurityFan

    SecurityFan Registered Member

    Joined:
    Oct 2, 2005
    Posts:
    28
    I'd like to add another thing about this. When I first encountered this after scanning with CounterSpy, I quarantined the "spyware". I went back to Windows Update and again it forced me to install new software for Windows Update before letting me proceed further in checking updates. After I did this, I scanned with CounterSpy again and now the "infection" was back.

    I went back to Windows Update and it didn't force me to install new software for Windows Update. It allowed me to proceed without saying anything about needing to update the Windows Update software.
     
  5. JRosenfeld

    JRosenfeld Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    117
    That CLSID is indeed Windows Genuine Advantage. It points to C:\WINDOWS\system32\legitcheckcontrol.dll, which is a file belonging to WGA and used to check your OS is legit. If you delete (quarantine) those keys, WGA thinks it is not installed, so installs again.

    In my opinion this is a false positive in Counterspy.

    I have the keys\values\data that you list also in my registry and none of my apps flag them (Adaware, Spybot, Windows Defender, NAV 2005)
    PS. Found this info, googling

    iSearch.DesktopSearch - Removes the user's access to use Windows Search and replaces it with C:\WINDOWS\isrvs\desktop.exe.

    So you could double check that C:\WINDOWS\isrvs\desktop.exe does not exist.
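
The check described in the post above, as an added example that is not part of the original thread: resolve a flagged CLSID to the DLL it registers, inspect that file's publisher and signature, and test for the indicator file quoted above. `Resolve-FlaggedClsid` is a hypothetical helper name, and the CLSID in the last line is a placeholder because the flagged value is not reproduced in the thread.

```powershell
# Added example (not from the thread). Resolve-FlaggedClsid is a hypothetical helper name.
function Resolve-FlaggedClsid {
    param(
        # CLSID reported by the scanner, braces included. The value is not
        # reproduced in the thread, so the caller must supply it.
        [Parameter(Mandatory)][string]$Clsid,
        # File whose presence would point to the real iSearch.DesktopSearch,
        # as quoted in the thread.
        [string]$IndicatorPath = 'C:\WINDOWS\isrvs\desktop.exe'
    )

    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    $dll = $null
    if (Test-Path -LiteralPath $key) {
        # The key's default value holds the path of the DLL implementing the COM class.
        $dll = (Get-Item -LiteralPath $key).GetValue('')
        if ($dll) { $dll = $dll.Trim('"') }
    }

    $exists = [bool]($dll -and (Test-Path -LiteralPath $dll -PathType Leaf))
    $company = $null; $status = $null; $signer = $null
    if ($exists) {
        $company = (Get-Item -LiteralPath $dll).VersionInfo.CompanyName
        $sig = Get-AuthenticodeSignature -LiteralPath $dll
        $status = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        Clsid            = $Clsid
        ServerDll        = $dll
        DllExists        = $exists
        CompanyName      = $company      # version-resource string, easy to forge
        SignatureStatus  = $status       # 'Valid' means the signature verified
        Signer           = $signer
        IndicatorPresent = Test-Path -LiteralPath $IndicatorPath
    }
}

# Placeholder CLSID; substitute the one shown in the scanner's detection details.
Resolve-FlaggedClsid -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-List
```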
     
  6. SecurityFan

    SecurityFan Registered Member

    Joined:
    Oct 2, 2005
    Posts:
    28
    JRosenfeld, thanks for your help! The registry is a mystery to me. I didn't realize I could GOOGLE an entry. Actually, I had no idea each entry refers to a specific dll. As you suggested, I looked for C:\WINDOWS\isrvs\desktop.exe and it doesn't exist. So, this was a false positive. Thanks!
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Hehe, indeed. What can't you Google these days? :D You might also be interested in this - http://castlecops.com/CLSID.html CastleCops has a few lists that you can use for looking up things that spyware tools may find :)
     