Softpanorama


Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80. October, 2013



Chapter 8: Spyware

Advertising Spyware: Blackstone Data Transponder and its derivatives

It is hard to tell where this piece of spyware originated. It was first seen as Blackstone Data's Transponder, but repackaged versions of the same product are popping up under several different companies. It is currently distributed under these names:

According to the VX2 website:

The software goes along with the user of the software as they are surfing around the web and builds reports on the activity.
The software monitors the click stream activity of the consumer and communicates with servers.
The software monitors some activity of the PC and communicates with servers.

It is a Browser Helper Object that is distributed with unknown third-party software, including AudioGalaxy Satellite. While the user is browsing the Web, it will pop up advertisements based on what page is being visited, what's being searched for, how quickly the user is surfing, etc. Transponder's ad-displaying algorithm appears to weight the occurrence of ads in such a way that they appear to come from the page(s) being visited.   

For the remainder of this document, the terms "VX2", "Transponder", etc. will be used interchangeably to refer to this class of spyware product.

... ... ...

Privacy Concerns

The software covertly collects all sorts of information about your Web surfing habits, including lists of Web sites you visit (and even sites you've visited before installing their software), any terms you enter into a search engine, and contents of online forms--including "secure" forms using SSL encryption(!). The company has the audacity to claim that this is done "in order to save you the time and trouble of submitting such information to us yourself". It also stores cookies to persistently identify you across sessions.

The software collects and transmits your full name and e-mail address as used by the Outlook mail client. It also transmits back a laundry list of information about your system, which is described in more detail below. Finally, the software transmits details about your interaction with the software.

The software also includes an auto-update capability with the stated purpose of updating not only the VX2 spyware itself, but also installing additional third-party programs, including additional spyware.

Information Gathered by Transponder

Upon its first load, VX2.dll will look for a file in your Windows directory called oeminfo.ini. If present, this file contains information about your computer provided by the OEM--who you bought it from, serial #/etc., processor and configuration, tech support info, and maybe your name. (IIRC, this information is displayed if you go to Start > Settings > Control Panel > System and view the first tab.) More information about the oeminfo.ini file is available here.

Transponder then connects to sputnik.vx2.cc and transmits data. The information transmitted includes, but is not limited to, the following:

On first connection, or when triggered remotely:

The data transmission is most likely encoded (sample). At intervals after the initial contact, the software will perform at least two types of "calling home": the ROUTINE_CHECKIN and MOTS_CHECKIN (Message Of The Session checkin) to a server starting with transctl*. (These include transctl*.blackstonedata.net, transctl*.vx2.cc, etc.) Each checkin request transmits the user's country code, a cookie data string, a tracking GUID that was created during its installation, the software that installed the spyware, and its version number. Some other checkin "modes" exist but have not been observed in action.
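A defender with proxy or DNS logs can look for the check-in hosts named above. The following is an added example, not code from the original page or from any tool it mentions; the log layout (time, client, URL), the sample lines and the function names are assumptions, and "transctl*" is read as "first DNS label starts with transctl".

```python
from urllib.parse import urlsplit

# Check-in hosts named on the page. wildcard=True means the page wrote the
# name as "transctl*": the first DNS label only has to start with the prefix.
CHECKIN_RULES = [
    ("sputnik", "vx2.cc", False),
    ("transctl", "blackstonedata.net", True),
    ("transctl", "vx2.cc", True),
]

# Constructed proxy log lines in an assumed "<time> <client> <url>" layout.
SAMPLE_PROXY_LOG = [
    "09:14:02 10.0.0.23 http://sputnik.vx2.cc./",
    "09:14:40 10.0.0.23 http://TRANSCTL2.vx2.cc:80/",
    "09:15:11 10.0.0.41 http://transctl.blackstonedata.net/",
    "09:15:30 10.0.0.57 http://transctl1.vx2.cc.example.net/",  # lookalike suffix
    "09:16:02 10.0.0.57 http://mysputnik.vx2.cc/",              # prefix not anchored
    "09:16:20 10.0.0.57 http://www.example.org/",
]


def match_checkin_host(host):
    """Return the matching rule as text, or None if the host is unrelated."""
    labels = host.strip().lower().rstrip(".").split(".")
    for prefix, zone, wildcard in CHECKIN_RULES:
        # Exactly one label in front of the zone, and the zone must be the
        # end of the name, not a substring somewhere inside it.
        if labels[1:] != zone.split("."):
            continue
        first = labels[0]
        if first == prefix or (wildcard and first.startswith(prefix)):
            return ("%s*.%s" if wildcard else "%s.%s") % (prefix, zone)
    return None


def clients_checking_in(log_lines):
    """Map client address -> sorted list of check-in rules it triggered."""
    hits = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # not in the assumed three-field layout
        client, url = parts[1], parts[2]
        rule = match_checkin_host(urlsplit(url).hostname or "")
        if rule:
            hits.setdefault(client, set()).add(rule)
    return {client: sorted(rules) for client, rules in hits.items()}


if __name__ == "__main__":
    for client, rules in clients_checking_in(SAMPLE_PROXY_LOG).items():
        print(client, "contacted", ", ".join(rules))
```

Matching on whole DNS labels rather than substrings keeps lookalike names such as the two constructed 10.0.0.57 requests out of the results.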

A stated purpose of the information Transponder gathers is to send direct mail (a.k.a. spam), possibly with the help of NetGeo (see later). I am guessing this to mean Outlook users (or former Outlook users) will get more spam thanks to this spyware.

In the Privacy Policy, VX2 asserts "We have undertaken technical measures to make sure that VX2 never collects credit card numbers, account numbers or passwords." Examining the spyware's source code (more on that later as well), the "technical measures" are the following:

In either case, the field is overwritten with X's before transmitting. Interestingly, VX2 passes the buck when the high-precision (sarcasm intended) password check fails, by stating that surfing with their spyware "may result in some personal information being included in URL data [...] Such instances are rare and are the result of poor security practices by these third party websites." I get the feeling many third-party Web sites would beg to differ. (As if Blackstone has any right to talk about poor security practices.)

Portions from the VX2 Privacy Policy as of 10/21/01:

"VX2's software collects and transmits to VX2's servers the URLs of the Web pages visited on your browser. URLs are the addresses of the web pages that your browser visits (http://www.VX2.com, for example). The VX2 software collects and maintains information on both current and historical browsing. VX2 will use this information to build a summary of your interests and general web trends.

VX2's software also collects some information from online forms that you fill out. This information is automatically sent to VX2 in order to save you the time and trouble of submitting such information to us yourself. We have undertaken technical measures to make sure that VX2 never collects credit card numbers, account numbers or passwords. If such data were, despite VX2's best efforts, ever inadvertently collected VX2 would immediately purge such information from its database.

VX2's software also collects the query terms entered into search engines. VX2 uses this information to help generate a more complete summary of its users' interests and general internet trends.

When you install VX2's software, it collects several bits of information about the configuration of your computer. This information includes information about the computer's hardware configuration, such as the amount of free space on your hard drive, and software configuration, such as the version of the operating system. These examples are representative, and the specific information collected may vary from time to time. This information is used to determine whether the VX2 software is compatible with your computer. It may also be used to help generate a more complete summary of your interests when appropriate.

It is possible that, in some instances, the operation of certain third party websites may result in some personal information being included in URL data, which can result in that data being captured in the course of the normal operation of the VX2 software. Such instances are rare and are the result of poor security practices by these third party websites. In the unlikely instance that such information is captured, it may be stored in our database, but it will not be used or disclosed in any manner inconsistent with our Privacy Policy.

Occasionally, VX2 may collect information about your interaction with the VX2 software. This may include information such as how often users use the software. This information is used to assess the effectiveness of our products and services. It may be shared with VX2's partners for the purpose of evaluating the success of marketing programs.

The VX2 software and cookies: The VX2 software uses cookies to identify itself to the VX2 server. The cookie maintains a unique anonymous id for you as a user. We use this information to allow you to opt out of the VX2 service if you so choose. It is also used to organize the information in our database and help our artificial intelligence algorithms to discern the various preferences and interests of each user."

Some other portions are of interest:

"From time to time, VX2 may decide to update its software in order for it to work at its peak performance. Upgrades may include third party applications. Certain third party applications may have to be installed in order for the software to work properly. VX2 users are not responsible for these additions and/or updates, they will be done automatically in the background while you are surfing the web in order to cause the least amount of inconvenience to our users as possible."

Security Concerns

Suffice it to say that I would not trust these fools with my grocery list. Those who have already been had by this spyware should be concerned about Blackstone's security practices (or lack thereof) as they pertain to users' personal information.

Much of the information you see below was gathered thanks to bad password security and generally bumbling idiocy on the part of your friendly neighbourhood spyware company. (We did not "hack" into their systems; they gave out their (un-changed software default) admin password complete with detailed instructions online explaining how to log into the administration system :) I stumbled on them when they came up in Google's search results. If you've ever wanted a sneak peek inside a spyware company, take the (un)Guided Tour.

For a period of a little over a week, Blackstone Data Transponder infectees may have seen this ad campaign, inserted into Blackstone's lineup by my fictional cohort, Jane Morgandorfer. (Think it may have had something to do with Blackstone changing their passwords? :) I deactivated the ad-campaign when it caused the load on my server to suddenly quadruple, jumping from about 45k requests/day at that time to 170k. Apparently, Transponder infections are more widespread than I had previously thought.

This graphic, found on a Blackstone cohort's server, appears to give a detailed description of how Transponder works. Beware: apparently, the same idiots who run the Blackstone servers also did the graphic--much of the text is scrunched and very hard to read! The line "Periodic export to warehouse for mining & Direct mail" I found particularly unnerving.

Other in-the-clear files included keyword-hierarchy listings, code signers and what appear to be certificates and private keys (.spc, .pbk, .pvk).

Another anti-spyware advocate wandering Blackstone's unsecured servers obtained the complete C++ source code of the application. This has been very helpful in determining the software's capabilities and possible security concerns.

The newest incarnation, TPS108, was recently discovered in with Blackstone's files. Some mild digging leads to an interesting find :)

The Bad Guys


Suspected Supporters

Transponder Technology

I'm not suggesting ANY guilt on the part of the makers of these third-party tools used by AADCOM/Blackstone/etc. They are general-purpose software that has no apparent connection to these creepy scum.

Ad campaign insertion, management and billing are handled by OASIS (Open-source Ad Serving and Inventory System): http://oasis.sourceforge.net/

Communicating with Sputnik (VX2, yadayada) is done via Java servlets at transctl*.blackstonedata.net and transctl*.vx2.cc, which are for all intents and purposes the same server (e.g. accessing a bogus file on blackstonedata.net, *.vx2.cc is listed on the 404 error page). The servlets are run with Caucho Technologies' Resin 2.0.2 software: http://www.caucho.com/

The data for OASIS and other things is stored in an SQL database, periodically exported to Mindset Interactive and NetGeo.

Whois Data (further evidence that many of these companies are in fact one and the same)

blackstonedata.com
Registrant:
Blackstone Data Corporation (BLACKSTONEDATA-DOM)
PO Box 27103 C/o VX2 Corporation
Las Vegas, NV 89126
US

VX2.cc
Registrant:
vx2 (VX52-DOM)
po box 27103
Las Vegas, NV 89126
US

Both list a Hotmail address as their admin, tech. and billing contact.

aadcom.com
Registrant:
AADCOM (AADCOM2-DOM)
34700 Pacific Coast Hwy
Capistrano Beach, CA 92624
US

Admin., etc. contact is at internettechcorp.com

Transponder Advertisers

These advertisers are currently listed as active in Blackstone's system. However, some of them are test entries and many have invalid billing addresses. A number of these are listed as having unpaid invoices. (Maybe has something to do with the invalid billing addys? :)

AADcom.com Ad Power Zone alinq.com alinq468 ARS
Barnes And Noble (test) Bettergolf Bid Clix Casino CasinoOnNet
Civil War Facts Inc (test) creditcardmenu CyberErotica Fast Cash Feature Price
HomeGain JDR Media kentucky Lending Universe LowerMyBills
Magellan Magellan: Team Nova & Trim Life Mindset Opt-In / Opt-Out MyInk.com New York Times (test)
NextCard No Credit Card Needed OASIS OptionHotline Orbitz
Playsys PriceQuotes Pyramid Casino Shockwave Marketing SlickStreet
Steve Smith Test Advertiser TEST PYRAMIDCASINO The Baby Outlet Traffix
TranzAct Media X10.com Zmedia

Windows Failure issue associated with Transponder

It has been reported to me that a number of users have experienced complete failure of MSIE and Windows Explorer as a result of infection by the Transponder parasite. The common symptoms are that Internet Explorer will not start at all (nothing happens), and trying to restart Windows Explorer only repaints the existing desktop. One such occurrence is reported on a Windows 2000 system. The symptoms cleared up once Transponder/VX2 was removed.



Old News ;-)

Symantec Security Response - Adware.Binet

SpywareInfo Support Forums - Security Warnings

ABetterInternet.B
Overview

ABetterInternet.B shows advertisements based on the web pages you view and the web sites you visit. ABetterInternet.B may update itself without any input or user interaction, install third party software and add links to your desktop. It will also hijack the browser's error page.

From the developer:

During the process of accepting this Agreement, downloading and/or using the Software, you may be offered the opportunity by BetterInternet to download software ("Third Party Software") from third party software vendors ("Third Party Vendors") pursuant to the terms of sublicense agreements or other arrangements between BetterInternet and yourself or between the Third Party Vendors and yourself ("Third Party Software Agreements"). To enable BetterInternet to provide its Software, BetterInternet collects certain types of non-personally identifiable information about individuals who are served ads by the Software.
By installing the Software, you understand and agree that the Software may, without any further prior notice to you, automatically perform the following: display advertisements of advertisers who pay a fee to BetterInternet; display links to and advertisements of related websites based on the information you view and the websites you visit; store non-personally identifiable statistics of the websites you have visited; redirect certain URLs including your browser default 404-error page to or through the Software; automatically update the Software and install added features or functionality conveniently without your input or interaction; and install desktop icons and installation files and third-party software.
Source

Classification
Adware

Files
Belt.exe, Belt.ini

Vendor
BetterInternet Inc

Variants
ABetterInternet ABetterInternet.B ABetterInternet.C ABetterInternet.D ABetterInternet.E

End User License Agreement
2003-11-22

Privacy policy
2003-11-22

Detection
Bazooka Adware and Spyware Scanner detects ABetterInternet.B. Bazooka is freeware and detects spyware, adware, trojan horses, viruses, worms, etc.

Manual removal

Please follow the instructions below if you would like to remove ABetterInternet.B manually.

  1. Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
  2. Browse to the key:
    'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
  3. In the right pane, delete the value called 'Belt', if it exists.
  4. Exit the registry editor.
  5. Restart your computer.
  6. Delete %WinDir%\Belt.exe
    Note: %WinDir% is a variable. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).
  7. Start Microsoft Internet Explorer.
  8. In Internet Explorer, click Tools -> Internet Options.
  9. Click the Programs tab -> Reset Web Settings.


WinXP belt.exe - Tech Support Guy Forums

O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe

HELP Download trojan virus Belt.exe

I have Norton antivirus
it has latest definitions
today it identified a virus
report says

Belt.exe within C:\Documents and settings\one of my user names\Local settings\Temp\Belt.cab is infected with the Download Trojan virus

There were 2 files
Tried to quarantine them 1 did but no joy with the other
tried to delete that one and it says it can't

read up on their further recommendations and it says to disable restore (on XP) and scan in safe mode have done this it detected it but was unable to fix it

Tried adaware and spybot found loads of stuff but not what I was looking for

have looked on google and am now onto my third trojan detection program

It has detected loads of stuff but still not the one I'm looking for

I'm now stuck over to you guys any ideas

Transponder Gang Historical Timeline - VX2, Blackstonedata, Better Internet, Direct-Revenue, and NetPal

Belt.exe and Susp.exe
Belt.exe and Susp.exe are part of the Transponder Better Internet Gang
Dec 11, 2003

As of Dec 10, 2003, I now have a sample of every known transponder from the first one that appeared in 1999 (IEHelper.dll) to the two newest ones that are now being seen on the Internet which are Belt.exe and Susp.exe.

Although many think both are trojans or viruses, they are in fact programs that work in conjunction with the Bi.dll for management of the popup advertising that is foisted by offeroptimizer.com which is registered to Alan Murray.

From inside the code of the Belt.exe and Susp.exe, they both have the same coding and information which directly links Better Internet Inc. to IPInsight.com that is not accessible but its server still is and is registered to Daniel Kaufman that was the CEO of Dash.com with Joshua Abram who is linked to Direct-Revenue.com and aBetterInternet.com, and the rest of the transponder sites with Alan Murray. All of which can be linked to Blackstonedata and VX2.cc.

The Files:
Belt.exe
Modified: Friday, August 15, 2003, 3:18:20 PM
Size: 80.0 KB (81,920 bytes)
Version: 0,1,1,3
Company: Better Internet Inc.

Container Belt.cab contains Belt.exe, Belt.ini, Belt.inf

Two known paths are to the Belt.cab and the Belt.exe
hxxp://69.20.5.39/download/cabs/BI5101/Belt.cab
hxxp://69.20.5.39/download/cabs/BI5101/belt.exe


Susp.exe
Modified: Friday, August 15, 2003, 4:18:20 PM
Size: 80.0 KB (81,920 bytes)
Version: 0,1,1,3
Company: Better Internet Inc.

Container Susp.cab containing Susp.exe, Susp.ini, Sups.inf

The Code I found using NotePad:

Belt.exe code

VS_VERSION_INFO
StringFileInfo 040904b0
Comments
CompanyName Better Internet Inc
FileDescription
www.abetterinternet.com 6
FileVersion 0,1,1,3
InternalName F
LegalCopyright Copyright © 2002
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName :
ProductVersion 0,1,1,3
SpecialBuild D
VarFileInfo $
Translation
SentryStub.exe is a stub installer for the company's IP-Sentry application - both distributed by IP-Insight Corporation, a Delaware Corporation.
Please see http://www.ipinsight.com for more details

Susp.exe code


VS_VERSION_INFO
StringFileInfo `040904b0
Comments
CompanyName Better Internet Inc.
FileDescription
www.abetterinternet.com 6
FileVersion 0,1,1,3
InternalName F
LegalCopyright Copyright © 2002
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName :
ProductVersion 0,1,1,3
SpecialBuild D
VarFileInfo $
Translation
SentryStub.exe is a stub installer for the company's IP-Sentry application - both distributed by IP-Insight Corporation, a Delaware Corporation.
Please see http://www.ipinsight.com for more details.

The Original Sentry.exe from IP-Insight
File Properties:

Company: IP-Insight Corporation

Sentry.exe

Size: 76.0 KB (77,824 bytes)

Version: 0, 0, 1, 3

Internal Name: SentryStub

Original Name: SentryStub.exe

Product Name: IP-Sentry Stub

Comments: SentryStub.exe is a stub installer for the company's IP-Sentry application - both distributed by IP-Insight Corporation, a Delaware Corporation. Please see http://www.ipinsight.com for more details.

NOTE: Ad-Aware 6.181 with current Reference file detects all 3 objects


Recommended Links


Sites


Transponder AdWare Program (Guest)


Information about Transponder (and derivatives)


SpywareInfo: Aadcom


and.doxdesk.com Parasite Detection Script - Alerts you if you have VX2, Toptext, etc. parasites installed!


BHO Cop - Hypnos' article on thehun.net walks you through using BHO Cop to remove Transponder.
Transponder Video from Hypnos - An informative video showing the Transponder parasite in action on an infected system. Note: In the video are pictures of "adult" popup ads--as always, view at your own discretion.


VX2 Homepage - some mentions of what it does and removal info.

Credits

Blackstone Data Transponder was and continues to be among the most difficult pieces of spyware to research. This would not be possible without the huge amounts of help and information provided by Robert (dualsmp), Dingo (SpywareInfo), Andrew (and.doxdesk.com) and others, as well as the grc.spyware community. A big thanks to everyone!

If I have forgotten anyone, please let me know!

"All trademarks are hereby acknowledged as the property of their respective owners." So don't even THINK about suing me :)



Registry Keys


Manual Removal

How to remove Aurora-Nailfix - TechSpot OpenBoards

Method 1) Manually.
---------------------
NOTE: this text was copied from TheJoker on the BroadbandReports Forum http://www.broadbandreports.com/forum/remark,13685446

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Please download, install, and update the free version of Ewido trojan scanner: http://www.ewido.net/en/download/

- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- From the main Ewido screen, click on update in the left menu, then click the Start update button.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Exit Ewido. DO NOT scan yet.

Download CCleaner from http://www.ccleaner.com/ccdownload.asp and install, but do not run it yet.

Please download the Nail/Aurora Spyware Fix from http://www.noidea.us/easyfile/file....050515010747824. (Alternate download link: dknoppix mirror http://www.dknoppix.com/cgi-bin/download.cgi?Nailfix)

Unzip it to the desktop but do NOT run yet.

Reboot into Safe Mode. To do this with Windows XP, you can follow these steps from Microsoft:

- Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
- Select an option when the Windows Advanced Options menu appears, and then press ENTER.
- When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.

Once in Safe Mode, please double-click on nailfix.cmd that you unzipped earlier. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next, run CCleaner.

- Uncheck "Cookies" under "Internet Explorer".
- If you are running Firefox, then click on the "Applications" tab and uncheck "Cookies" under "Firefox".
- Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.

Now run Ewido again.

- Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
- If Ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
- When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Then run HijackThis, click Scan, and place a checkmark by the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
ANY O2 - BHO: that has (file missing)
ANY O2 - BHO: that has (no name) AND (no file)
ANY O3 - Toolbar: that has (no name) AND (no file)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
OR
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing).

Finally, restart your computer in normal mode and post a new HijackThis log (as an attachment with .txt extension), as well as the log from the Ewido scan.

=====================================================================================
Method 2) Automated, paid for.
--------------------------------
If the above is too complicated, you can download a trial version of Adware Away from: http://www.adwareaway.com/ which MAY get rid of it in trial-mode.
It DOES get rid of it in one go, if you BUY their program for $29.95

This is NOT a plug for them, and I can NOT verify that the program works as declared. I have not been infected (yet).

=====================================================================================
Method 3) Automated, free, BUT...
------------------------------------
Some forum-users have reported success, using the (free) spyware removal tool from
http://www.mypctuneup.com/evaluate.php?b=aurora
Do NOT go anywhere else on that website!

Others have used a similar (or the same?) tool, downloaded from www-abetterinternet-com, AKA DirectRevenue.

Big CAVEAT:
To the best of my knowledge, all three (mypctuneup, ABetterInternet and DirectRevenue) are one and the same dubious outfit!

DirectRevenue are the MAKERS of Aurora, for Pete's sake!!

Check this out first, before you decide to go the FREE way (I wouldn't):
http://netrn.net/spywareblog/archiv...hreatens-again/
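The HijackThis checklist in Method 1 above, together with the O4 Run entry for Belt.exe quoted earlier on this page, can be applied to a saved log automatically. This is an added example, not part of the quoted forum post or of HijackThis itself; the function names are hypothetical, the F2 rule is generalized to any Shell= value other than plain Explorer.exe, and the sample log is constructed (all-zero CLSIDs and ExampleHelper are placeholders).

```python
import re

# Constructed sample log. The F2, Belt O4, O23 and Spybot SDHelper lines
# appear on this page; the remaining lines and CLSIDs are made up.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: ExampleHelper - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\example.dll (file missing)
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000003} - (no file)
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # "O2 - <body>"
RUN_RE = re.compile(r"\\Run: \[([^\]]+)\]\s*(.*)$")  # "...\Run: [name] command"


def classify(code, body):
    """Return the reason an entry is on the page's checklist, else None."""
    low = body.lower()
    if code == "F2" and low.startswith("reg:system.ini: shell="):
        # Generalization of the page's Nail.exe line: anything added after
        # Explorer.exe in the Shell= value is started at every logon.
        if low.split("=", 1)[1].strip() != "explorer.exe":
            return "system.ini Shell= starts a program besides Explorer.exe"
    elif code == "O2" and low.startswith("bho:"):
        if "(file missing)" in low:
            return "BHO registered but its file is missing"
        # Both markers are required: a nameless BHO with a real file
        # (the Spybot SDHelper line) is not on the checklist.
        if "(no name)" in low and "(no file)" in low:
            return "BHO with no name and no file"
    elif code == "O3" and low.startswith("toolbar:"):
        if "(no name)" in low and "(no file)" in low:
            return "toolbar with no name and no file"
    elif code == "O23" and "svcproc.exe" in low:
        return "SvcProc service (System Startup Service)"
    elif code == "O4":
        m = RUN_RE.search(body)
        if m:
            name = m.group(1).lower()
            cmd = m.group(2).lower().strip('"')
            if name == "belt" or cmd.endswith("\\belt.exe"):
                return "Run value for Belt.exe"
    return None


def triage_hijackthis_log(text):
    """Return (code, reason, line) for every log line the checklist covers."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        reason = classify(m.group(1), m.group(2))
        if reason:
            findings.append((m.group(1), reason, line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage_hijackthis_log(SAMPLE_LOG):
        print("%-3s %s\n    %s" % (code, reason, line))
```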

Examples

SWI Forums how to remove 'abetterinternet'

twine

Apr 4 2005, 06:14 AM

Hi, I have the malware 'abetterinternet' on my pc, I have been trying various things but cannot seem to remove it. I did post about this last night but the heading was very poor and also my log will be different, so here is the fresh one:

Logfile of HijackThis v1.99.1
Scan saved at 12:14:32, on 04/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\interMute\SpySubtract\spysub.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\procexp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tesco.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiny.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tesco.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tiny.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsf31.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [WinMem] C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\spysub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099927694734
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02140554-AFE2-4C51-8A9B-24ABE58B0620}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS3\Services\Tcpip\..\{02140554-AFE2-4C51-8A9B-24ABE58B0620}: NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: WB - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


jw50

Apr 8 2005, 01:25 PM

Hi twine, welcome to the forums.


Run HijackThis and place checks beside each of the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsf31.dll

After you check these items, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.


Run HijackThis and post a new log.

twine

Apr 8 2005, 02:31 PM

Hi jw50, thanks for the help. I did what you required, only the third line you asked me to check wasn't there. This one: O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsf31.dll. Perhaps this was what I cured myself. But I did check the first two, so here is my new log:

Logfile of HijackThis v1.99.1
Scan saved at 20:30:51, on 08/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GlobeSoft\AbuseShield\NTx\AbuseShieldSrv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\GlobeSoft\AbuseShield\NTX\ASTray.exe
C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\interMute\SpySubtract\spysub.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tesco.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiny.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tesco.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tiny.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AbuseShieldTray] "C:\Program Files\GlobeSoft\AbuseShield\\NTX\ASTray.exe"
O4 - HKCU\..\Run: [WinMem] C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\spysub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099927694734
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02140554-AFE2-4C51-8A9B-24ABE58B0620}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS3\Services\Tcpip\..\{02140554-AFE2-4C51-8A9B-24ABE58B0620}: NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: WB - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AbuseShieldSrv - Globesoft AB - C:\Program Files\GlobeSoft\AbuseShield\NTx\AbuseShieldSrv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

jw50

Apr 8 2005, 03:07 PM

Hi twine,

That BHO was really the only thing that was bad in your log, it looks good now.

Are you still having any problems?


VERY IMPORTANT:
Your operating system and Internet browser are out of date. This can leave you seriously vulnerable to malware and hackers.
I strongly suggest you go to Windows Update and install all critical updates. To get to the Windows Update site using IE just click on Tools, Windows Update.


These are some recommendations that will significantly decrease the chances that you will have problems with malware in the future:

1) Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Microsoft Anti-Spyware

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Keeping these programs up-to-date and running them regularly can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

twine

Apr 9 2005, 09:28 AM

Everything seems OK now. I can resolve most issues on my PC, but with this vx2 I panicked because I couldn't get rid of it, hence the submission on this forum. I already have installed all the programs you recommend, although I haven't installed SP2 for XP yet. I may have to install it, albeit reluctantly. Thanks for your help in this matter.

jw50

Apr 9 2005, 02:40 PM

Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
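
One way to check a follow-up HijackThis log against the helper's fix list, as done by eye in the thread above. This is an added Python example, not part of the forum posts; the log excerpts are copied from the two logs in the thread, and the function names are this example's own.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code body")

# HijackThis prefixes every finding with a section code (R0, O2, O4, O23, ...).
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# O2 lines carry: display name, CLSID, path of the DLL loaded into IE.
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")

# Excerpt of twine's first log (Apr 4), copied from the thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\explorer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tesco.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsf31.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [WinMem] C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
"""

# Excerpt of twine's second log (Apr 8), copied from the thread.
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tesco.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [WinMem] C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
"""

# The three lines jw50 asked twine to check and fix.
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsf31.dll
"""


def parse_log(text):
    """Return the coded findings; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def diff_logs(before, after):
    """Findings that disappeared and findings that are new, in log order."""
    before_set, after_set = set(before), set(after)
    removed = [e for e in before if e not in after_set]
    added = [e for e in after if e not in before_set]
    return removed, added


def bho_details(entry):
    """Split an O2 finding into name, CLSID and DLL file name."""
    if entry.code != "O2":
        return None
    m = BHO_RE.match(entry.body)
    if not m:
        return None
    name, clsid, path = m.groups()
    return {"name": name, "clsid": clsid.upper(), "dll": path.rsplit("\\", 1)[-1]}


def fix_status(fix_list, before, after):
    """For each line on the fix list, say what the follow-up log shows."""
    status = {}
    for e in fix_list:
        if e in after:
            status[e] = "still present"
        elif e in before:
            status[e] = "removed"
        else:
            status[e] = "not in either log"
    return status


def report():
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    removed, added = diff_logs(before, after)
    bhos = [d for d in map(bho_details, removed) if d]
    return {"fix_status": fix_status(parse_log(FIX_LIST), before, after),
            "removed_bhos": bhos, "removed": removed, "added": added}


if __name__ == "__main__":
    r = report()
    for entry, state in r["fix_status"].items():
        print(f"{state:>14}: {entry.code} - {entry.body}")
    print("BHO DLLs gone:", [b["dll"] for b in r["removed_bhos"]])
    print("new findings :", [e.body for e in r["added"]])
```

The diff also surfaces changes nobody mentioned in the thread, such as autostart entries that appeared or disappeared between the two scans, which is why a follow-up log is worth comparing line by line.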

Home - The home of Spybot-S&D!

Webhelper - Direct-Revenue Transponder Gang Fifth Columnists Adware Sleeper Agents

Direct-Revenue - Vx2 Transponder Gang Fifth Columnists with Adware Sleeper Agents

Updated: 09/12/2017
Before I start, so that those reading this write-up will understand why I have entitled this "Direct-Revenue - VX2 Transponder Gang Fifth Columnists Adware Sleeper Agents", below you will find two sets of definitions: the first from the dictionary and the second my own definitions.
Transponder:
Transponder according to Webster Dictionary:
A radio or radar set that upon receiving a designated signal emits a radio signal of its own and that is used especially for the detection, identification, and location of objects.
Webhelper Transponder definition as it relates to the Transponder Gangs adware Variants
One of the transponder variant dll's that once installed transmits three types of signals to its controlling server.

The first is called a ROUTIN CHECKIN. This one transmits the user's information along with a unique ID given along with the product that was installed to the controlling server, which creates or updates the user's profile in their online database.

The second is called MOTTS CHECKIN, which transmits the user's information and checks for updates to reinstall or new objects that need to be installed. This transmission also updates the .ini files and cookies of theirs that will help the offeroptimizer.com ad server send back signals that will generate pop-up ads on the user's computer.

The last type is the standard transmission that sends the user's data to its controlling servers and any third-party ad servers, tracks the user's surfing habits, and collects and transmits any information from online forms filled out by the user from any of the pop-up ads generated by the offeroptimizer or through their 3rd-party ad server partners and affiliates.

Dictionary definition of a Fifth Columnist:

Secret or subversive group: a secret or subversive group that seeks to undermine the efforts of others and promote its own ends.
Dictionary definition of Sleeper Agent:

Spy inactive until called into action: a spy or secret agent who lives an ordinary life until called into action.
Now my own definitions of Fifth Columnists and Adware Sleeper Agents
Adware Fifth Columnist:

Online Marketing groups that seek to undermine the efforts of users to rid themselves of unwanted infestations or the marketing group's adware.

Adware Sleeper Agents:

Adware files that are inactive until called into action by scripts embedded into web site pages. These files are remains of past infestations that never were detected as they were never active, usually living in temp folders or the downloaded program folders and hidden from view by the average user.


As of December 26, 2004, I ran an infestation of the Transponder gang's LocalNRD.dll transponder BHO adware variant and I went to MyPcTuneup.com to uninstall their adware per #12 Termination and Removal of Software of their EULA (End User License Agreement) at abetterinternet.com, where they state the following:

From their EULA at abetterinternet.com

By entering into this Agreement, you represent to BetterInternet that you have intentionally chosen to install the Software and that you will personally uninstall the Software from your computer if you no longer wish the application to be present on your computer by going to http://mypctuneup.com/.

While you may choose to delete the Software from your computer at anytime by following the instructions herein, some third party applications may attempt to delete, disable or modify the Software with or without notice to you. You further represent to BetterInternet that BetterInternet may store a cookie, computer file or other unique identifier on your computer to identify you and automatically repair or reinstall the Software if any third party application attempts to delete, disable or modify the Software. BetterInternet may terminate this Agreement or your right to continue to use the Software at any time.

Further, you agree that you will not initiate, permit, authorize or assist any third party or application to remove the Software from your computer, or disrupt its operation or the operation of any other user. You agree that removal of the Software from your computer will only be performed by you pursuant to the instructions set forth herein.

The above EULA entries are made even clearer when reading the Direct Revenue's Portfolio write-up by the gang's newest software developer EnvionSoftware they have started using in the code of the transponder variants and other component files they use.

DirectRevenue

For this provider of contextual advertising services to Internet-based marketers, Envion Software developed a remarkable Windows application that is co-installed with Direct Revenue's modules by users who sign up for its marketing. Our app collects data from their systems (installed hardware and software), and watches for any changes to the system configuration or any attempts to remove Direct Revenue's modules. Our app also monitors for any ant virus or firewall programs that try to block or interfere with the modules. We are currently developing the data encryption piece for the client machines.
(12/27/2004, Envion Software, http://envionsoftware.com/portfolio/directrevenue/)

What the above EULA and Envion Software statements really mean is that the gang is starting to act like Fifth Columnists who place sleeper agents into users computers to later be able to re-infest those computers at a later time without the users knowledge or permission by stating it is illegal to use other 3rd party security software like Adaware, Pest Patrol, or even Anti-Virus and firewall software like that from Mcafee to help detect and remove the transponder adware and must use only their uninstaller at Mypctuneup.com.

In fact, right now in many of the transponder files there is hidden xml code that even list the above 3rd party security software and from the statements from EnvionSoftware "…any attempts to remove Direct Revenue's modules… monitors for any ant virus or firewall programs that try to block or interfere with the modules" they look like they are trying to set up software that would when called from a script that would be called from a site or rotational ad server, could stop or delete users Anti-virus and firewall software to be able to insure they can re-infest users computers without being blocked and also stop or delete Adaware and Pest Patrol if the security software tries to detect and remove their infestations of their transponder adware which they state they will do per their EULA.

When infesting myself with their localNRD.dll transponder variant, it registers the localNRD.dll as a BHO (Browser helper Object) and loads it as a process along with making over 10 registry entries. They also install various other executable files that one, their Polall*.exe (Calling home) generates a 38kb executable file in the users windows folder and an entry in the HKLM Run of the registry called mnklins.exe.

As of 12/26/2004, this file called mnklins.exe which replaced their kzgasg.exe that was being created in earlier infestations and is the file that actually when it transmits calls new installs, updates, and/or re-infest users while the transponder BHO variant localNRD.dll transmits users data and handles the calls for popup ads.

Along with the LocalNRD.dll, two other executables along with a third that is downloaded during the transponders first check in transmission were their conscorr.exe (Ipinsight Sentry.exe), ln_reco.exe, and randreco.exe which was downloaded after the first transmission and each contains the hidden xml code.

These files along with the Mnklins.exe all transmit at one time or another and are used to update, install new 3rd party adware, and re-install any missing transponder adware into the users computer.

Their Mypctuneup.com uninstall process has gone through at least three changes over the past six months since they first started offering help in uninstalling their transponder adware. The first was an online submission form. The second was a direct link to their uninstaller, and now the third being a direct download to run their uninstaller.

The first uninstall process found at Mypctuneup.com required users to fill out and submit an online form requesting the link to their uninstaller. This usually took up to seven days before receiving an email back with a special link that had a validation code in it. Once clicking on the link, you would then have to fill in a special form with another validation code, which would then run an online scan of the computer for any BHO registry entry of their transponder variants. If found, users would be required to run an install of their Remall.exe that would then delete only the BHO registry entry and then drop a file named Killpol.exe that would delete any IPInsight Sentry executables in the HKLM of the RUN of the registry and the file in the windows folder. What was bad is that if a user had the mxtarget.dll variant, it would transmit after the remall.exe was run and download a mx_reco.exe that would transmit and re-infest the mxtarget.dll variant and its file components before a user had a chance to restart their computers to unload the BHO from the processes.

Their second process came about only about two months ago where it dropped the emailing for their validation code and could run their scan immediately with the same results as that of their first uninstall process. However, it was here that they added their new uninstaller file that is now being used and was offered only after the first scan was completed or a message that none of their partner's adware was found.

Their latest uninstaller process uses their newest uninstaller file that still requires users to be connected and enter a validation code but this is after they have downloaded the uninstaller file and runs it.


Even though the transponder gang has changed their process in the use of their uninstallers, what is scanned and actually cleaned still remains unchanged. With all the files and registry entries made by a transponder infestation, the only two things that their uninstaller does are these. The first is to scan the Internet Explorer Browser Helper Objects area of the registry and, if one of their variants is found, the uninstaller file thunstall.exe deletes the registry entry and unloads the dll variant from the computer's processes. The second is that the uninstaller scans the HKLM Run of the registry and, if it finds their calling-home file, which right now is mnklins.exe, deletes the actual file.

In conclusion, all the above can be condensed to mean that the Direct-Revenue Transponder Gang are now acting like a Fifth Columnist with all their files they leave behind as adware sleeper agents so that in weeks or months after using their Mypctuneup.com uninstallers can find that they may once again be infested with the same or even a newer transponder variant and could well find that their Adaware and/or Pest Patrol or even their Anti-Virus software like Mcafee and their firewall software may be disabled, blocked, or even worse still deleted from their computers because of the Transponder Gangs #12 of their EULA and from what their software developer EnvionSoftware has stated on their website on what their modules they create for Direct-Revenue are supposed to do.

Example of their XML found in their Ln_reco.exe : Names in red are valid security software and the black bold are the transponder variants while all else are other 3rd party adware groups.

<?xml version="1.0"?>

<queryRegistry partnerID="1" partnerData="CommandLine" bundleID="102" preHost="thinstall" prePath="bi/servlet/ThinstallPre" postHost="thinstall" postPath="bi/servlet/ThinstallPost" >

<key hive="HKCR" path="Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}" subtree="no"/>

<key hive="HKCU" path="SOFTWARE\180solutions" subtree="no"/>

<key hive="HKLM" path="SOFTWARE\Microsoft\Internet Explorer\AboutURLs" subtree="no"/>

<key hive="HKCU" path="SOFTWARE\Lavasoft\AD-Aware" subtree="no"/>

<key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-aware 5" subtree="no"/>

<key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" subtree="yes"/>

<key hive="HKLM" path="SOFTWARE\BTGrab" subtree="yes"/>

<key hive="HKLM" path="SOFTWARE\BTIEIN" subtree="no"/>

<key hive="HKLM" path="SOFTWARE\CLRSCH" subtree="no"/>

<key hive="HKCU" path="SOFTWARE\ceres" subtree="yes"/>

<key hive="HKLM" path="SOFTWARE\DBi" subtree="yes"/>

<key hive="HKLM" path="SOFTWARE\DHost" subtree="yes"/>

<key hive="HKLM" path="SOFTWARE\Gator.com" subtree="no"/>

<key hive="HKLM" path="SOFTWARE\GatorTest" subtree="no"/>

<key hive="HKCU" path="SOFTWARE\intexp" subtree="yes"/>

The intexp is the wupdt.exe

<key hive="HKLM" path="SOFTWARE\IPInsight" subtree="yes"/>

<key hive="HKCU" path="SOFTWARE\LocalNrd" subtree="yes"/>

<key hive="HKLM" path="SOFTWARE\Microsoft\Internet Explorer\Main\ins" subtree="yes"/>

<key hive="HKLM" path="SOFTWARE\McAfee" subtree="no"/>

<key hive="HKLM" path="SOFTWARE\McAfee.com" subtree="no"/>

<key hive="HKCU" path="SOFTWARE\morphacl" subtree="yes"/>

<key hive="HKLM" path="SOFTWARE\180solutions\msbb" subtree="no"/>

<key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msbb" subtree="no"/>

<key hive="HKLM" path="SOFTWARE\MSView" subtree="yes"/>

<key hive="HKCU" path="SOFTWARE\MultiMPP" subtree="yes"/>

<key hive="HKCU" path="Software\mxtarget" subtree="yes"/>

<key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCase" subtree="no"/>

<key hive="HKLM" path="SOFTWARE\PestPatrol" subtree="no"/>

<key hive="HKLM" path="SOFTWARE\RespondMiter" subtree="yes"/>

<key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Run" subtree="yes"/>

<key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" subtree="yes"/>

<key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx" subtree="yes"/>

<key hive="HKLM" path="SOFTWARE\Microsoft\Internet Explorer\Search" subtree="no"/>

<key hive="HKCU" path="Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" subtree="yes" />

<key hive="HKLM" path="SOFTWARE\Microsoft\Internet Explorer\Toolbar" subtree="no"/>

<key hive="HKLM" path="SOFTWARE\TPS108" subtree="yes"/>

<key hive="HKLM" path="SOFTWARE\Twaintec" subtree="yes"/>

<key hive="HKLM" path="SOFTWARE\Microsoft\Internet Explorer\Main\uni" subtree="yes"/>

<key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" subtree="keysOnly"/>

<key hive="HKCU" path="SOFTWARE\VB" subtree="no"/>

<key hive="HKCU" path="Software\VoiceIP" subtree="yes"/>

<key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherCast" subtree="no"/>

<key hive="HKLM" path="SOFTWARE\WhenUSave" subtree="no"/>

<key hive="HKLM" path="SOFTWARE\Zserv" subtree="yes"/>

<procList checkin="both"/>

<persist />

</queryRegistry>

History

Belt.exe and Susp.exe
Belt.exe and Susp.exe are part of the Transponder Better Internet Gang
Dec 11, 2003

As of Dec 10, 2003, I now have a sample of every known transponder from the first one that appeared in 1999 (IEHelper.dll) to the two newest ones that are now being seen on the Internet which are Belt.exe and Susp.exe.

Although many think both are trojans or viruses, they are in fact programs that work in conjunction with the Bi.dll for management of the popup advertising that is foisted by offeroptimizer.com which is registered to Alan Murray.

From inside the code of the Belt.exe and Susp.exe, they both have the same coding and information which directly links Better Internet Inc. to IPInsight.com that is not accessible but its server still is and is registered to Daniel Kaufman that was the CEO of Dash.com with Joshua Abram who is linked to Direct-Revenue.com and aBetterInternet.com, and the rest of the transponder sites with Alan Murray. All of which can be linked to Blackstonedata and VX2.cc.

The Files:
Belt.exe
Modified: Friday, August 15, 2003, 3:18:20 PM
Size: 80.0 KB (81,920 bytes)
Version: 0,1,1,3
Company: Better Internet Inc.

Container Belt.cab contains Belt.exe, Belt.ini, Belt.inf

Two known paths are to the Belt.cab and the Belt.exe
hxxp://69.20.5.39/download/cabs/BI5101/Belt.cab
hxxp://69.20.5.39/download/cabs/BI5101/belt.exe


Susp.exe
Modified: Friday, August 15, 2003, 4:18:20 PM
Size: 80.0 KB (81,920 bytes)
Version: 0,1,1,3
Company: Better Internet Inc.

Container Susp.cab containing Susp.exe, Susp.ini, Sups.inf

The Code I found using NotePad:

Belt.exe code

VS_VERSION_INFO
StringFileInfo 040904b0
Comments
CompanyName Better Internet Inc
FileDescription
www.abetterinternet.com 6
FileVersion 0,1,1,3
InternalName F
LegalCopyright Copyright © 2002
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName :
ProductVersion 0,1,1,3
SpecialBuild D
VarFileInfo $
Translation
SentryStub.exe is a stub installer for the company's IP-Sentry application - both distributed by IP-Insight Corporation, a Delaware Corporation.
Please see http://www.ipinsight.com for more details

Susp.exe code


VS_VERSION_INFO
StringFileInfo `040904b0
Comments
CompanyName Better Internet Inc.
FileDescription
www.abetterinternet.com 6
FileVersion 0,1,1,3
InternalName F
LegalCopyright Copyright © 2002
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName :
ProductVersion 0,1,1,3
SpecialBuild D
VarFileInfo $
Translation
SentryStub.exe is a stub installer for the company's IP-Sentry application - both distributed by IP-Insight Corporation, a Delaware Corporation.
Please see http://www.ipinsight.com for more details.

The Original Sentry.exe from IP-Insight
File Properties:

Company: IP-Insight Corporation

Sentry.exe

Size: 76.0 KB (77,824 bytes)

Version: 0, 0, 1, 3

Internal Name: SentryStub

Original Name: SentryStub.exe

Product Name: IP-Sentry Stub

Comments: SentryStub.exe is a stub installer for the company's IP-Sentry application -both distributed by IP-Insight Corporation, a Delaware Corporation. Please see http://www.ipinsight.com for more details.

NOTE: Ad-Aware 6.181 and Newer detects all!
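Version-resource strings are stored as UTF-16LE, which is why the dumps above appear letter-spaced. As an added example (not code from the post or from this page), the Python below extracts such strings, pairs version-resource keys with their values, and lists long strings that two binaries share; the sample blobs are constructed from the field values quoted above, and `blob`, `version_fields` and `shared_text` are hypothetical helper names.

```python
import re

# Real StringFileInfo key names from the Windows version resource.
KEYS = {"Comments", "CompanyName", "FileDescription", "FileVersion",
        "InternalName", "LegalCopyright", "OriginalFilename",
        "ProductName", "ProductVersion"}
# Four or more printable ASCII characters, each followed by a NUL byte.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def utf16_strings(data):
    """Return printable UTF-16LE strings in file order (like `strings -el`)."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def version_fields(data):
    """Pair each key with the string after it; key followed by key means empty value."""
    strings, fields = utf16_strings(data), {}
    for i, s in enumerate(strings):
        if s in KEYS and s not in fields:
            nxt = strings[i + 1] if i + 1 < len(strings) else ""
            fields[s] = "" if nxt in KEYS else nxt
    return fields


def shared_text(a, b, min_len=20):
    """Long strings present in both binaries: candidate leftovers of shared code."""
    in_b = set(utf16_strings(b))
    return [s for s in utf16_strings(a) if len(s) >= min_len and s in in_b]


def blob(*strings):
    """Constructed input: NUL-terminated UTF-16LE strings split by binary filler."""
    return b"".join(b"\x01\x00" + s.encode("utf-16-le") + b"\x00\x00" for s in strings)


STUB_NOTE = ("SentryStub.exe is a stub installer for the company's IP-Sentry "
             "application - both distributed by IP-Insight Corporation, "
             "a Delaware Corporation.")
# Constructed samples built from the values quoted in the post, not real file contents.
BELT = blob("Comments", "CompanyName", "Better Internet Inc", "FileVersion", "0,1,1,3",
            "ProductVersion", "0,1,1,3", "VarFileInfo", "Translation", STUB_NOTE)
SENTRY = blob("Comments", STUB_NOTE, "CompanyName", "IP-Insight Corporation",
              "FileVersion", "0, 0, 1, 3", "InternalName", "SentryStub",
              "OriginalFilename", "SentryStub.exe", "ProductName", "IP-Sentry Stub")

if __name__ == "__main__":
    print(version_fields(BELT)["CompanyName"], "|", version_fields(SENTRY)["CompanyName"])
    print(shared_text(BELT, SENTRY))
```

On real files, read the bytes with `open(path, "rb").read()` and pass them to the same functions; differing `CompanyName` values alongside a shared long string is the pattern the post describes.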




Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

 


Last modified: September 12, 2017