Spyware False Alarm
Feb 3rd, 2008 by Eats Wombats
Suddenly I have an inkling what it must be like to come home and find your house broken into and your privacy violated.
This evening I ran Webroot’s SpySweeper software on my main PC (running Windows Vista). I’d only installed it yesterday and it had found no problem after a lengthy full scan. Today, in contrast, a quick scan reported that a program called SpyPal was installed. This is a commercial keylogger and screengrabber, capable of uploading details of everything typed on my computer to a remote site, along with captured screens, passwords etc.
I was stunned, although this should have been completely implausible. First, installation of SpyPal ordinarily requires access to the computer and nobody else has ever used my computer — as far as I know (nobody else has the password to log on).
Nevertheless, it was also sickeningly possible, simply by virtue of being improbable rather than impossible.
The following is for anyone else who runs into the same problem, which in this case seems to have been a false alarm.
I bought a rechargeable Logitech Cordless Click! Plus mouse a few weeks ago. I didn’t bother to install driver software until yesterday, whereupon I used the latest version from Logitech’s web site. The mouse had worked without it, albeit without full functionality. It has forward and back buttons and the scroll wheel can move the cursor or window contents sideways. Yesterday a component called “Khal” failed to install. Afterwards, I found I had to click on things several times and when entering text via the keyboard it seemed to take a second or two to appear. The software proved impossible to remove.
Today I reinstalled the Logitech software, in order to be able to remove it–yes, this sometimes works. This time, however, the installation worked. Afterwards it indicated that there was an update available, which I installed. After that things seemed to work ok so I held off on the uninstallation, for now.
Then SpySweeper reported the existence of SpyPal.
Given the problems I’d been having with sluggish mouse and keyboard — classic symptoms of spy software — it wasn’t too hard to imagine that SpySweeper might be right. It too had been updated today. I found myself less certain about when the problems I’d noticed really began.
I have User Account Control (UAC) turned off, not simply because it’s an annoyance but because of bugs that show up if you move the default locations of standard folders to another partition. UAC could have prevented an illicit, surreptitious installation of spyware. In practice it’s like a padlock on the fridge door — simply impractical — and, like many other users of Vista, I will not put up with it as it stands.
I allowed SpySweeper to quarantine the program. Next I needed to verify if it really was malicious software.
This site enabled me to confirm that the identification was probably a false positive. Yes, I had a directory called SPSS — I could tell from scanning my last backup — but it was not the SpyPal directory of the same name, which SpySweeper evidently looks for, but a copy of the Statistical Package for the Social Sciences (SPSS). Once the quarantining had been done, SPSS stopped working. This suggests that SpyPal was never installed.
I realized that I had assumed that it wouldn’t happen to me.
I used CounterSpy when I used Windows XP but I never bothered with it on Vista. From now on I’ll do my electronic banking and anything else confidential using a virtual machine which is used for nothing else, just in case.
Meanwhile, the long-awaited Vista Service Pack 1 is due in 3 weeks or so.

I found SpyPal on two of my computers today and I also have SPSS statistical software on both of my computers. I’ll have to see whether my statistical software has now stopped working.
Any idea how SpyPal was installed? Locally or remotely?
After I released “SpyPal” from quarantine SPSS started working again. I’ve looked for the telltale files indicated here but haven’t found anything.
This post has drawn a lot of traffic from people searching on SPSS and SpySweeper. I registered the problem with Webroot (case #102375).
Well, it wasn’t SpyPal at all but SPSS. I’m going to have to reinstall SPSS on my computers, having deleted the quarantined files. I did a restore on my system but SPSS is still not working. I hope I didn’t lose any data files.
I work in SPSS Technical Support — we were informed of this problem Monday (2/4/08) and immediately contacted Webroot to get the issue corrected. I’ve been assured that it’s been fixed in the next SpySweeper definition set (1083) that will be pushed to production by end of day today (2/6/08). I certainly hope that resolves the issue.
Thank you for the SPSS false alarm post. I was really concerned and had started thinking up conspiracy theories. Luckily I did not delete my SPSS data files; they have been restored and are in good working order. I have updated to the latest version of SpySweeper and found the SPSS issue corrected.