You are here

SpyDLLRemover Portable 2.5 Test Release

34 posts / 0 new
Last post
John T. Haller
John T. Haller's picture
Online
Last seen: 59 min 28 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
SpyDLLRemover Portable 2.5 Test Release

I'm posting a test release of SpyDLLRemover Portable for folks to test out. This is a handy DLL analyzer that will be one of our earlier freeware releases once we have freeware going out on the site. The friendly folks at Rootkit Analytics have already given us permission.

The description from their site: "SpyDLLRemover is the standalone tool to effectively detect and delete spywares from the system. It comes with advanced spyware scanner which quickly discovers hidden Rootkit processes as well suspcious/injected DLLs within all running processes. It not only performs sophisticated auto analysis on process DLLs but also displays them with various threatlevels, which greatly helps in quick identification of malicious DLLs. The DLL search feature helps in finding DLL within all running processes using just partial or full name. Then user can choose to remove the dll from single process or from all loaded processes with just one click."

You can download a copy from here:
Download SpyDLLRemover 2.5 Test Release (<1MB download / 1MB installed)
MD5: 6321b6dce27df22c7b2c9d5b6600d9ba

You can find out more at Rootkit Analytics' website here:
http://www.rootkitanalytics.com/userland/spy-dll-remover.php

Please give it a try and post your thoughts.

Thanks!
John

horusofoz
horusofoz's picture
Offline
Last seen: 1 year 1 month ago
Joined: 2008-04-03 22:45
Feedback

Seems ok though it doesn't like Songbird. Must have produced at least 30, maybe 50 items for it though all are listed as check online for threat info. Emailed scanned results to the developer email address. My thinking is that if these are forwarded to the developers it will help them improve their detection rate with regards to portable applications. Also is the ability to maximise disabled in the local version?

PortableApps.com Advocate

John T. Haller
John T. Haller's picture
Online
Last seen: 59 min 28 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Default

The "check online" result is the default if it's unfamiliar with it. It's just not familiar with Songbird at all (not just the portable version).

The window is a fixed size.

Sometimes, the impossible can become possible, if you're awesome!

evilfingers
Offline
Last seen: 15 years 1 week ago
Joined: 2009-07-13 15:49
Re: Feedback

We never "hate" anything other than malicious stuff. I have requested the Dev to check on the timing issue that we faced in the past. Hopefully, it should get fixed by Sunday morning. Thanks for reporting. Also, if you could email it to contact.fingers@gmail.com with any snapshots or errors, it would be great.

We would try to fix as much as we can.

- EF

Thank you.
EF

steve_gutry
Offline
Last seen: 3 weeks 2 days ago
Joined: 2008-05-07 16:54
Ouch!

I'm running XP Pro SP2 nlite.
I was connected to the net at the time when I started the program & got an immediate BSOD. I restarted the computer, shut down the internet connection & tried again - my computer just froze - I suspect that my firewall (PC Tools) didn't like it. I'll try again in the future.

John T. Haller
John T. Haller's picture
Online
Last seen: 59 min 28 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
App Itself

An app itself can't crash the OS in theory (although it can in reality). It can trigger a driver or something running lower down that can.

Sometimes, the impossible can become possible, if you're awesome!

evilfingers
Offline
Last seen: 15 years 1 week ago
Joined: 2009-07-13 15:49
Re:

Our software has been tested for latency, effectiveness and algorithmic deficiencies. We performed, integrity tests, unit tests and other tests to determine such stuff. Only after it passes our test cycle, we release it to Production. Hence, I would doubt it that was the reason.

Although, there has been cases where we have been detected in the past as some tool modifying drivers and hence blocked by certain AV tools on the system. This happened 2 months ago, and has never happened again so far.

Thanks for reporting.

EF

Thank you.
EF

evilfingers
Offline
Last seen: 15 years 1 week ago
Joined: 2009-07-13 15:49
Re: Ouch!

Hey Steve,

Thanks for pointing out BSOD. John, do you have the 2.5.7 or 2.5.8 [internal version #). Kindly, download the current 2.5 from the RootkitAnalytics site, since it should not have it. Thanks again Steve.

Kind Regards,
EF

Thank you.
EF

Nagareshwar Talekar
Offline
Last seen: 13 years 9 months ago
Joined: 2009-10-19 04:14
Its bug in Windows XP SP2

Its problem in the Windows XP SP2 manifest processing routine which cause csrss.exe to go down and cause blue screen. Microsoft has issues notification and update for this bug earlier. Looks like you may not have updated your Windows quite long.

As per the Microsoft notification we have altered the manifest to fix this problem in our app itself and same has been delivered to portableapps as well. Next version will be clean.

For your knowledge, manifest file is embedded in the executable file to make that application Vista compatible.

Thanks for reporting it.

Cheers
Nag
Dev Lead for SpyDLLRemover
Rootkit Analytics Team

spg SCOTT
spg SCOTT's picture
Offline
Last seen: 12 years 4 months ago
Joined: 2008-08-26 14:11
First, well done on the

First, well done on the release of this type of app, I know it was a long time coming, in terms of Open source vs freeware etc...

Second, the app itself:

No issues here,

Vista sp2 limited.

Installed fine, ran fine and also only found ones that it had to check online:
-Firefox (portable) DLLs
-Thuderbird (portable) DLLs
-Vista sidebar DLL
-Itunes Helper
-Dell Dock DLL

For the most part, this is ok, and I like the other features included.

Any others you got waiting, until the freeware comes into effect? Wink

The only thing is the window re-sizing, if it is possible, can you make it able to?

“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!”Richard Feynman

Stevoisiak
Stevoisiak's picture
Offline
Last seen: 5 years 2 months ago
Joined: 2008-02-05 11:22
The fourth freeware

Technically, Java Portable, JAR launcher, and Mac-On-A-Stick were the first freeware apps on the site, but I digress.

The app definitely seems like something I will try out.

Simplifying daily life through technology

Devo
Offline
Last seen: 1 year 4 days ago
Joined: 2007-09-04 14:55
Doesn't Support Win 7

Apparently this app does not support Windows 7. That should probably be noted somewhere.

Tim Clark
Tim Clark's picture
Offline
Last seen: 13 years 7 months ago
Joined: 2006-06-18 13:55
Ooooh, Malware Checkers :-)

Downloaded and Installed as expected.

Ran without any noticeable problems as Admin on a fully patched XPSP3 system.

Note: I did not try to kill any dlls for obvious reasons.

Test: Verify DLL Online, It launched the default browser and went to http://www.processlibrary.com

Test: DLL properties: No problems

Test: Export: very nice feature [launched in default browser]

[Use is not intuitive to me and it should probably only be recommended to experienced folks who know what they are looking at. wxvault.dll was seen as suspicious and is being used by a quarter of the things on my system, including SpyDLLRemover itself]

Tim

Edit: Shouldn't the exported "ScannedResult.html" be in Data and not the root of path\SpyDLLRemover\ ??

Things have got to get better, they can't get worse, or can they?

evilfingers
Offline
Last seen: 15 years 1 week ago
Joined: 2009-07-13 15:49
Thank you

Hey guys,

Thank you for all your comments. The Dev team is working actively on fixing any bug fixes, issues or support required here. This should be done by monday morning.

Win7 support is not there currently, and hence it is not listed on software page.
"Platform:
Windows XP, 2003, Vista, Longhorn (32 bit)
On 64 bit platform, only 32 bit processes are supported."

We are now working on Win7 support and as well.

Thanks for all your support once again. Keep it coming, suggestions, questions, issues, bugs, etc. Thank you.

Kind Regards,
EF

Thank you.
EF

cardshack
Offline
Last seen: 10 years 11 months ago
Joined: 2007-07-21 16:13
W2k ?

hello EF,

great to see you guys showing up here

the main SpyDLLRemover page (at PortableApps) lists Windows 2000 as a supported system, but when trying to run on my support machine, keep getting "the procedure entry point GetProcessId could not be located in the dynamic link library KERNEL32.dll" message

i take it from your comments above that W2k is not supported . . . could you please confirm, thumbs up or down ?

thanks

Edit:
i found confirmation in the Userland Section at Rootkit Analytics, no go on W2k

evilfingers
Offline
Last seen: 15 years 1 week ago
Joined: 2009-07-13 15:49
Re: W2k ?

Hello Cardshack,

Sorry for delayed response. Nope, there is no Win 2000 support. Unfortunately, it is thumbs down because we support only WinXP and onwards. Win2k is totally different and if we give backward compatibility, we would end up messing our detection schemes. Hence, it is best to leave it this way. Thanks and do shoot more questions.

Kind Regards,
EF

Thank you.
EF

evilfingers
Offline
Last seen: 15 years 1 week ago
Joined: 2009-07-13 15:49
Re: Ooooh, Malware Checkers :-)

Note: I did not try to kill any dlls for obvious reasons.
Try killing DLL, it doesnt kill the process Wink

Test: Verify DLL Online, It launched the default browser and went to http://www.processlibrary.com

The reason is because they give generic list on processes rather than biased listing. Also, we would be shortly coming up with one by ourselves once we have enough in the Knowledge Base to provide such information.

[Use is not intuitive to me and it should probably only be recommended to experienced folks who know what they are looking at. wxvault.dll was seen as suspicious and is being used by a quarter of the things on my system, including SpyDLLRemover itself]

I would agree and disagree. We try to educate our users to come to that level, in RootkitAnalytics.com and EvilFingers.com. We try to keep things up to date in our blogs : http://EvilFingers.blogspot.com and tweets http://twitter.com/evilfingers
But, since we cannot expect everyone to understand our tool right from the beginning, we are working on an expansion for the past 3 months with certain other feature that would/should help the novice.

Edit: Shouldn't the exported "ScannedResult.html" be in Data and not the root of path\SpyDLLRemover\ ??

I totally agree. This has been sent to Dev team as a fix. It should be done soon.
Thank you for your feedback.

Thank you.
EF

John T. Haller
John T. Haller's picture
Online
Last seen: 59 min 28 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Working Directory

If it just places it in the working directory, we can do that with the launcher, it's a single line I can add and repost a new test.

Sometimes, the impossible can become possible, if you're awesome!

evilfingers
Offline
Last seen: 15 years 1 week ago
Joined: 2009-07-13 15:49
Re: Working Directory

Passed it to Nagareshwar, he should take care of it soon. We are working on 2.6 to push out the updates on what has been requested here. 2.8 would have more stuff, that involves logging, log correlation etc. We are also trying to work on Win7, but it might take some time.

Thank you.
EF

Tim Clark
Tim Clark's picture
Offline
Last seen: 13 years 7 months ago
Joined: 2006-06-18 13:55
Take your time

Take your time,
Good is better than fast Wink

Tim

Things have got to get better, they can't get worse, or can they?

evilfingers
Offline
Last seen: 15 years 1 week ago
Joined: 2009-07-13 15:49
Re: Take your time

Agreed!

Thank you.
EF

evilfingers
Offline
Last seen: 15 years 1 week ago
Joined: 2009-07-13 15:49
Contact Address

If you have any feedback that you could not paste in public, or any specific requests or need for support, contact us at our email contact.fingers@gmail.com. It is a freeware and everything is free as it sounds. If we could not end up doing something, we would keep you posted on either case.

Thank you.
EF

BuddhaChu
BuddhaChu's picture
Offline
Last seen: 4 months 1 week ago
Joined: 2006-11-18 10:26
The body tag in the exported

The body tag in the exported HTML needs to be changed to "99%" so a scroll bar doesn't always show.

I had a lot more stuff typed as feedback, but it got wiped out somehow by another web page. LOTS of false positive "needs analysis" hits.

All of the following are false positives:

ACLIBEAY.dll 	Check Online	ActivIdentity	OpenSSL Shared Library	---	888 K	29-05-2008	c:\windows\system32\aclibeay.dll
aicext.dll 	Check Online			---	112 K	29-05-2008	c:\windows\system32\aicext.dll
redmonnt.dll 	Check Online			--- 	96 K	20-06-2008	c:\windows\system32\redmonnt.dll
mmfinfo.dll 	Check Online			---	156 K	28-12-2007	c:\program files\haali\matroskasplitter\mmfinfo.dll
mkunicode.dll 	Check Online			---	23 K	28-12-2007	c:\program files\haali\matroskasplitter\mkunicode.dll
nvshell.dll 	Check Online			---	456 K	01-05-2009	c:\windows\system32\nvshell.dll
mpich2shm.dll 	Check Online			---	1,148 K	11-10-2008	c:\f@h-smp\mpich2shm.dll
softokn3.dll 	Check Online	Mozilla Foundation	NSS PKCS #11 Library	---	152 K	04-12-2007	c:\program files\mozilla firefox\softokn3.dll
freebl3.dll 	Check Online	Mozilla Foundation	NSS freebl Library	---	244 K	04-12-2007	c:\program files\mozilla firefox\freebl3.dll

Cancer Survivors -- Remember the fight, celebrate the victory!
Help control the rugrat population -- have yourself spayed or neutered!

evilfingers
Offline
Last seen: 15 years 1 week ago
Joined: 2009-07-13 15:49
Re: the Body tag in the exported

Thanks for your comments. We will make necessary changes before next release. Abt the false positives, I think in general people are finding it to be false positives when they see yellow or orange on good data. There is a cross view technique that we use, that gives dll's registered by some organization and used by some other. But this doesn't mean that we indicate that to be malicious. That is why we have the severity red to indicate malicious intended injected dll's. This is described in the tools page in rootkitAnalytics.com. But do send more suggestions. Thank you for your time bro.

EF

Thank you.
EF

The MAZZTer
The MAZZTer's picture
Offline
Last seen: 1 year 10 months ago
Developer
Joined: 2006-11-17 15:31
I checked out the HTML too,

I checked out the HTML too, here's my suggestions. It looks like you used some sort of HTML generation tool (an old and bad one at that, I'm guessing maybe Word, NEVER use Word for exporting HTML! It can't even import it right). I would suggest someone who knows HTML go into the template SpyDLLRemover uses with a text editor such as Notepad and make the following changes:

Changes to fix the scrollbar:

- Remove the width and height styles from the body tag, it will automatically adjust to the needed size.
- Remove the width: 100% from the logo, or set the padding of the body tag to 0px so that the image doesn't overflow the browser viewport when you do this.
- Remove the margin from the h1 and use text-align: center instead.
- Do not set a fixed width for the table, allow it to expand as needed.

Changes that aren't really necessary but they bugged me as a web developer:

- Run the source through HTML Tidy or something to make it easier to edit.
- Since you already have a stylesheet in the header, you should move any styles (for example, the blue color on the h1 tag) into there to keep all your style information in one place.
- Use a web-friendly format such as JPG or PNG for the logo.
- The logo is linked to a local file and so won't work if uploaded. You can try either using the common convention of having a directory saved with the HTML file that has resource files in it used by the HTML, or embedding the image directing using a data: uri (google for how to do this).
- is deprecated. To adjust spacing between the h1 and the table or the image use margin-top and/or margin-bottom CSS.
- Remove the <p class="footer"> and <b> tags before the table, they appear to have been left in by accident
- Enclose the first <tr> in a <thead>. <th> cells are only valid in <thead> and <thead> helps accessibility apps (such as screen readers) determine the first row is a header for the table. The rest of the rows should go in <tbody>:

Sample:

<table>
<thead>
<tr>
<th></thv
</tr>
</thead>
<tbody>
<tr>
<td></td>
</tr>
</tbody>
</table>

- Remove the target attribute from all the links. All modern browsers can open links in new tabs or windows with a special ctrl+click or middle click, so users who want to do that can. If I wanted to open a link in the current tab right now, your webpage wouldn't let me do that.
- Fix or remove the process id column from the report (mine is always ---).
- Not sure if there's a simple way to do the text-align: right; you have on every column. CSS supports a way to do it but IE doesn't support that aspect of CSS. The best way would probably be how it's done now, or to assign every td you want to right-align a specific class <td class="whatever"> and then style that class with text-align: right; in the stylesheet.
- <b> is deprecated, I suggest using <strong> in the footer instead. You can force the font-weight: bold; styling in the stylesheet if you want.

As a PS I have false positives as well: http://junk.mzzt.net/ScannedResult.html

And no, I didn't fix any of the problems I am complaining about... >_>;

Signature automatically removed for being too awesome.

evilfingers
Offline
Last seen: 15 years 1 week ago
Joined: 2009-07-13 15:49
Re: I checked out the HTML too,

This is really informative. Thanks for taking your time in doing this for us. I have passed this to our dev team. They are actually working on the results page. It is actually not false positives. YELLOW only indicates that the cross-view of DLL shos that someone's/some-software DLL is used by some other software. In our next version, we are giving options page, where people can enable this if they would like to see it. Bare with us for a while, since we are working on other options that would give ease of use and more functionality to the tool.

Thank you.

Thank you.
EF

steve_gutry
Offline
Last seen: 3 weeks 2 days ago
Joined: 2008-05-07 16:54
I gave it another shot.

This time I manually added the program file to the list of allowable programs in the PC Tools firewall. At the first attempt I got another BSOD. I restarted the computer and tried again - this time the program started up & worked fine.

John T. Haller
John T. Haller's picture
Online
Last seen: 59 min 28 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
New Firewall

I'd check your event log to be sure, but it sounds like it's time for a new firewall that doesn't crash your PC.

Sometimes, the impossible can become possible, if you're awesome!

evilfingers
Offline
Last seen: 15 years 1 week ago
Joined: 2009-07-13 15:49
Re: New Firewall

Hey guys,

Give us the firewall name/details and we will test it asap. Are you using http://www.pctools.com/firewall/

EF

Thank you.
EF

steve_gutry
Offline
Last seen: 3 weeks 2 days ago
Joined: 2008-05-07 16:54
Yes

I'm using the latest version 6. It scored 99% in the matousec.com tests.
Your follow up is appreciated.

evilfingers
Offline
Last seen: 15 years 1 week ago
Joined: 2009-07-13 15:49
Re: Yes

Cool! I will keep ya posted.

Thank you.
EF

digitxp
digitxp's picture
Offline
Last seen: 13 years 1 month ago
Joined: 2007-11-03 18:33
Icon

[I didn't want to make a new forum topic, so this looked appropriate.]
The SpyDLLRemover's page has a rather fuzzy icon. Do you think something could be done with it?

Insert original signature here with Greasemonkey Script.

evilfingers
Offline
Last seen: 15 years 1 week ago
Joined: 2009-07-13 15:49
Re: Icon

Thanks digitxp. John, did you get the Zip file that I sent you with all the different ICON sizes. Kindly, let me know if you haven't gotten it and I will resend.

Thank you.
EF

evilfingers
Offline
Last seen: 15 years 1 week ago
Joined: 2009-07-13 15:49
Win7 & Major Updates

With all your comments and support, we are coming up with a major release SpyDLLRemover v3.0 with Win7 compatibility and other major features and fixes.

Thanks to you guys.
EF

Thank you.
EF

Log in or register to post comments