
Accusation from CNET

Printed From: www.exp-systems.com
Category: PDF reDirect
Forum Name: Using PDF reDirect
Forum Description: Questions and Comments on using PDF reDirect Freeware and Pro
URL: http://www.exp-systems.com/Forum_exp/forum_posts.asp?TID=146
Printed Date: 12 Dec 24 at 2:08AM


Topic: Accusation from CNET
Posted By: ninterdo
Subject: Accusation from CNET
Date Posted: 20 Dec 05 at 5:34PM

I read many very positive reviews about your PDF product and was very excited about it until I found this one below. It's a shame - you have so many great reviews and a great product. I suggest that you respond to this here and on CNET.

Embeds a Keylogger-Winective PC keylogger in registry

20-Dec-2005 02:10:44 AM
Reviewer: http://www.download.com/3642-6675-2622765.html - altered

Pros: Didn't even use it, but it embedded a keylogger, so I don't like a darn thing about it.

Cons: I haven't even had a chance to use it, but when I ran the free edition of Spyroot Spysweeper, a Registry Key popped up as the Winective PC keylogger. Here is the key's name from my computer: *****

When I went in to regedit to check what this belonged to, well, imagine my surprise when it was PDF redirect's typelib key. So, I uninstalled and have deleted the key (which didn't get deleted with the uninstall). I am so disappointed, I thought that CNET was looking out for us when it came to spyware, especially something as dangerous as a keylogger. Get rid of this asap.




Replies:
Posted By: Michel_K17
Date Posted: 20 Dec 05 at 6:53PM

Yikes!

Thank you for the warning ninterdo. I appreciate it. I will investigate this further and report back here and on the CNET board as well. I will pull PDF reDirect off the market if what he says is true.

In the meantime, I have taken the http://www.exp-systems.com/downloads.htm - downloads page on this site "offline" to prevent any other downloads for now until I can confirm that PDF reDirect is a "clean" download.

Thanks again,

 



-------------
Michel Korwin-Szymanowski
EXP Systems LLC


Posted By: Michel_K17
Date Posted: 20 Dec 05 at 9:39PM

Hi Ninterdo,

   Here are the results of my investigation (see below for the boring technical details): the Spysweeper report seems to be a "False Positive" issue with Spysweeper. I have confirmed that PDF reDirect does NOT install any keylogger software. Therefore, I have re-opened the downloads page on the forum. I will provide Spysweeper's reply as soon as I receive it. Note that Norton Anti-Virus, F-Secure and Kaspersky had the same false positive problem, and all of them corrected their definition files to fix the problem. I am hopeful that Spysweeper will do the same.

   Thank you again for expressing your concern: I appreciate you bringing this to my attention. Once I get confirmation from Spysweeper that the issue was a false positive, would it be acceptable to you that I delete this post? I will keep the original post open though.

   Regards,

Michel Korwin-Szymanowski

--------------------

Description: The latest version of Spysweeper reports that “System Monitor found: wintective pc keylogger” after PDF reDirect is installed.

 

Explanation: PDF reDirect Pro (included with PDF reDirect) provides the user the ability to send e-mails of the newly created PDF file. This feature makes use of a 3rd party component I purchased called the “OstroSoft SMTP Component” which is manufactured by Ostrosoft ( http://www.ostrosoft.com/ - www.ostrosoft.com ) in Staten Island in New York. This component is (apparently) also being used by a Keylogger program called “wintective pc keylogger”, manufactured by Wintective ( http://wintective.terkud.com/ - http://wintective.terkud.com/ ).

 

When Spysweeper runs, it finds the registry key for the Ostrosoft component, and (incorrectly) reports that the “wintective pc keylogger” is installed. In the next page of the program, it more clearly states that it found “traces” of the keylogger. The “traces” it refers to is that of the e-mail SMTP component from Ostrosoft which is used by PDF reDirect (and many other legitimate programs).

 

Does PDF reDirect or PDF reDirect Pro install a keylogger? No.

 

What Next? This error is known as a “false positive”. Ostrosoft reported the same problem with Norton Antivirus who corrected their error a few days later. F-Secure and Kaspersky also started reporting the same thing and eventually corrected their definition files too. Ostrosoft and Spysweeper have been informed of the problem. I will report on their replies as soon as I hear back from them.

 

Note: Spysweeper found a “registry key” not an actual keylogger. The registry key itself is harmless.

 

------------------------------------

 

For the sake of completeness: here is the log of my investigation.

 

 

  1. Closed the Downloads web page from the web site.
  2. Replied to concern raised on Forum (started investigation)
  3. Compared CNET Download to the Original File to determine if the CNET file was tampered with. Results are shown here and show that the CNET file is the original file that I uploaded back in June 2005, and was not tampered with.
    1. Downloaded PDF reDirect from the CNET web site.
    2. Compared size of the CNET Download to that of the original file:
      i. CNET Download: 6,150,595 bytes
      ii. Original File: 6,150,595 bytes
    3. Compared CRC of the two files. CRC stands for “cyclic redundancy check”. This value will change if someone tampers with the file and changes some of the data inside.
      i. CNET Download: 3E9607C
      ii. Original File: 3E9607C
  4. Run Anti-Virus (NOD32 by eset) check on both files. Both files came out “clean”. Here is the log:

      Scan performed at: 12/20/2005 19:09:39 PM
      Scanning Log
      NOD32 version 1.1318 (20051211) NT
      Command line: C:\EXP\Products\PDF_Redirect_Pro\Admin\Product Support\Keylogger Complaint\Compare Download to Original
      Operating memory - is OK

      Date: 20.12.2005  Time: 19:09:45
      Scanned disks, folders and files: C:\EXP\Products\PDF_Redirect_Pro\Admin\Product Support\Keylogger Complaint\Compare Download to Original\
      Number of scanned files: 2
      Number of threats found: 0
      Time of completion: 19:09:45 Total scanning time: 0 sec (00:00:00)

  5. Downloaded and Installed the latest SpySweeper v4.5
  6. Ran Spysweeper v4.5 (note: I have PDF reDirect Pro v2.1 installed).
    1. I was asked if I wanted to download and use the latest definition file. I chose “yes”.
      i. Program version given as v4.5.5 (Build 604)
      ii. Definition File given as v588
    2. Results: Spysweeper reports that “System Monitor found: wintective pc keylogger”
    3. On the next page, Spysweeper says that “traces” of the keylogger were found in the form of a registry entry, not the actual keylogger software.
    4. I decided NOT to remove the offending registry key for now so that I could investigate further. Closed Spysweeper.
    5. Ran RegEdit to look at the entire registry key – The TypeLib belongs (indeed) to a third party sub-component that is installed by PDF reDirect which is the e-mail component of PDF reDirect Pro. This component is manufactured by Ostrosoft and is used to send e-mail. Here are the details:
      i. Company: OstroSoft SMTP Component
      ii. Web Site: http://www.ostrosoft.com/
      iii. Filename: OSSMTP.dll
      iv. Where installed: C:\WINDOWS\SYSTEM32
  7. Researched “wintective pc keylogger”. What is it?
    1. From the manufacturer’s web site ( http://wintective.terkud.com/ - http://wintective.terkud.com/ ): Wintective is a stealthy monitoring spyware which allows you to secretly track all activities of computer users and automatically deliver logs to you via e-mail.
    2. Wintective (KeyLogger & Screen Shots Capture) is a Windows application capable of monitoring any user, and any activity on the computer where it is installed.
    3. It is a stealthy monitoring spyware which allows you to secretly track all activities of computer users and automatically deliver logs to you via e-mail
  8. Informed Spysweeper and Ostrosoft that they are experiencing a False Positive Problem.
  9. Updated Web Site Forum.
  10. Re-opened download section.
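
The download-versus-original comparison from step 3 of the log above, as an added example that is not part of the original post. It adds a SHA-256 digest next to the size and CRC checks, because a CRC catches accidental corruption while a cryptographic digest is what stays reliable against a deliberate change; the file names and contents are constructed stand-ins, not the real installer.

```python
import hashlib
import os
import tempfile
import zlib


def fingerprint(path, chunk_size=1 << 16):
    """Return (size, crc32, sha256) for a file, streaming it in chunks."""
    size, crc, sha = 0, 0, hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    return size, format(crc & 0xFFFFFFFF, "08X"), sha.hexdigest()


def compare_download(original_path, download_path):
    """Compare a mirrored download against the publisher's original file."""
    o_size, o_crc, o_sha = fingerprint(original_path)
    d_size, d_crc, d_sha = fingerprint(download_path)
    report = {
        "size_match": o_size == d_size,
        "crc32_match": o_crc == d_crc,
        "sha256_match": o_sha == d_sha,
    }
    # Size and CRC32 catch truncation and accidental corruption; only the
    # cryptographic digest is hard to preserve across a deliberate change.
    report["verdict"] = "identical" if all(report.values()) else "differs"
    return report


def demo():
    """Run the comparison on constructed stand-in files (not the real installer)."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "original.bin")
        mirror_ok = os.path.join(tmp, "mirror_ok.bin")
        mirror_bad = os.path.join(tmp, "mirror_bad.bin")
        payload = b"constructed installer bytes " * 4096
        for path, data in ((original, payload), (mirror_ok, payload),
                           (mirror_bad, payload[:-1] + b"X")):
            with open(path, "wb") as fh:
                fh.write(data)
        return (compare_download(original, mirror_ok),
                compare_download(original, mirror_bad))


if __name__ == "__main__":
    for result in demo():
        print(result)
```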



Posted By: altered
Date Posted: 21 Dec 05 at 7:22PM
Hey all-

I was the one that posted that review. I am in the process of replying to Michel's comments, and basically taking it all back. Everything Michel says is true...it's a false positive. After I posted this in this forum, Michel contacted me immediately to let me know that he had pulled the downloads page until he could research this further. He wanted to protect other people's machines. When he gathered his information, he emailed me the results, just as he posted here.

Michel went above and beyond in making sure that nothing in this program would cause any harm. I have to commend him, he responded with a lot of style and grace, especially since it turned out to be a false positive. I will be redownloading PDF Redirect, and like I said, am in the process of retracting my rating.

Thank you, again, Michel. You have restored my trust completely. You went far beyond the call of duty, and I very much appreciate it.


Posted By: Michel_K17
Date Posted: 22 Dec 05 at 12:20AM
Hi Altered,

   It was no problem: I shut down the site because I would rather be safe than sorry. I learned my lesson from Ford and Firestone when they failed to recall the tires on their vehicle when a flaw was found.

   By the way, thank you for your kind words.



Posted By: Michel_K17
Date Posted: 03 Jan 06 at 10:47PM
One more update. I received a message from Ostrosoft, the manufacturer of the e-mail "engine" that I use in PDF reDirect. This is what he had to say:

____________________________________________________


I can assure you that OstroSoft SMTP Component is totally clean. Webroot's Spysweeper on the other hand is notorious for creating false positives. The company is also not overly responsive to the complaints. We are going to put a public announcement on our website next week, maybe it'll help Webroot to reconsider flagging legitimate libraries. It sure helped in our fight against Symantec. But what helped even more was support from OSSMTP users, submitting numerous complaints to Symantec. I hope it'll be the case again.

Best regards,
---------------------------------
Igor Ostrovsky
Director of Technology, OstroSoft
iostrovsky (at)ostrosoft.com
http://www.ostrosoft.com


Posted By: Michel_K17
Date Posted: 02 Feb 06 at 12:24AM
Ostrosoft has dedicated a web page on this problem with SpySweeper here:
http://www.ostrosoft.com/press/webroot.asp - http://www.ostrosoft.com/press/webroot.asp

It explains how and why this false-positive is occurring. In addition, another company (Avast! anti-virus) is having the same "false positive" problem. This problem has been brought to the attention of Avast, and I am awaiting their reply.
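
The false-positive mechanism discussed in this thread, as an added example that is not part of the original posts and is not Spysweeper's actual logic: a definition that treats the registry key of a shared e-mail component as a "trace" flags every program that ships the component, while a rule that also requires an indicator unique to the threat does not. The definition format, registry paths and host contents are hypothetical and constructed for illustration.

```python
# Constructed registry paths; the GUID and product keys are placeholders,
# not real values (the thread itself masks the reported key as *****).
SHARED_SMTP_TYPELIB = r"HKCR\TypeLib\{PLACEHOLDER-OSSMTP-TYPELIB}"
KEYLOGGER_OWN_KEY = r"HKLM\SOFTWARE\PlaceholderKeylogger"

# Hypothetical definition format: each threat name maps to registry "traces".
DEFINITIONS = {
    "wintective pc keylogger": {SHARED_SMTP_TYPELIB, KEYLOGGER_OWN_KEY},
}

# Indicators known to belong to redistributable third-party components.
SHARED_COMPONENT_KEYS = {SHARED_SMTP_TYPELIB}


def scan_any_trace(host_keys, definitions=DEFINITIONS):
    """Weak rule: a single matching trace is reported as the threat."""
    return sorted(name for name, traces in definitions.items()
                  if traces & host_keys)


def scan_require_unique(host_keys, definitions=DEFINITIONS,
                        shared=SHARED_COMPONENT_KEYS):
    """Stricter rule: at least one match must be unique to the threat."""
    hits = []
    for name, traces in definitions.items():
        matched = traces & host_keys
        if matched - shared:  # something only the threat itself installs
            hits.append(name)
    return sorted(hits)


# Constructed hosts: one has only a PDF tool that bundles the e-mail
# component, the other has the keylogger (which bundles it too).
HOST_PDF_TOOL = {SHARED_SMTP_TYPELIB, r"HKLM\SOFTWARE\PlaceholderPdfTool"}
HOST_KEYLOGGER = {SHARED_SMTP_TYPELIB, KEYLOGGER_OWN_KEY}

if __name__ == "__main__":
    for label, keys in (("pdf tool", HOST_PDF_TOOL),
                        ("keylogger", HOST_KEYLOGGER)):
        print(label, scan_any_trace(keys), scan_require_unique(keys))
```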


Posted By: Michel_K17
Date Posted: 03 Feb 06 at 8:33PM
GOOD NEWS!

The newest Spysweeper definition files no longer identify PDF reDirect as being infected. It seems like they have fixed the problem.


Posted By: Michel_K17
Date Posted: 08 Feb 06 at 10:07PM
More GOOD NEWS

   I have received the following e-mail from Avast (Alwil Software).

-----------------------------------------


Hi Michel

The false positive was fixed on Monday this week. Since the database update, your product is no more detected as infected. Sorry for the problem.

Regards,

Karel Divis
Virus analyst
Alwil software


