Softpanorama (slightly skeptical) Open Source Software Educational Society
May the source be with you, but remember the KISS principle ;-)
Fighting Adware/Spyware Paranoia
Spyware is far from being something magically complex and difficult to remove.
Formally, it is any software that uses your computer's Internet connection in the
background (as a "backchannel") without the user's knowledge or explicit permission.
This backchannel is one way to detect even the most sophisticated spyware,
and a regular sniffer is an adequate tool for that. Spyware is tied to advertising
revenue, so it is more sophisticated than either viruses or worms. Some spyware/adware
programs are primitive and just use one Run key to launch themselves (removing
this key disinfects the computer).
Generally, any use of an Internet "backchannel" connection should be preceded
by complete and truthful disclosure, followed by explicit, informed
consent for such use. Often spyware is disguised as a useful utility (an atomic clock,
a toolbar, etc.), but does not disclose that, in addition to its openly
stated function, it uses the PC's Internet connection to send information, for example
about the user's browsing, to a third party (WeatherBug
is one such example). Often spyware deliberately complicates its removal from the
computer or tries to reinstall itself by downloading missing components if one component
is removed.
The spyware problem is not a pure Windows security problem; the situation is more
complex. While the insecurity of the operating system aids malware
in general, a more secure browser would help to fight spyware. The
improvements to Internet Explorer [microsoft.com] due to appear in Service Pack
2 should help stop the spread of spyware somewhat. Another useful step is
to get the Yahoo toolbar, which includes an antispyware component. A firewall with an Internet
filter also helps, as you can tune it to prevent re-infections. Even without a
firewall, the hosts file can be used to block the sites that spyware connects to. Most
of those sites should also be moved to the Restricted sites zone in Internet Explorer.
If you detect spyware on your computer, then before removal
try to "cut off its oxygen" by adding the sites it accesses to the hosts file and
to the Restricted zone. That helps to prevent re-infections.
Yes, spyware can be complex, extremely annoying and obnoxious, and rather difficult
to remove. But paranoia about spyware is completely unwarranted. A typical example
of this paranoia is the NYT article by Matt Richtel and John Markoff,
"Corrupted PC's Find New Home in the Dumpster" (July 17, 2005).
The main hero of this article (who actually holds a PhD in computer science) demonstrates
a simply amazing level of ignorance of the Windows OS.
SAN FRANCISCO, July 15 - Add personal computers
to the list of throwaways in the disposable society.
On a recent Sunday morning when Lew Tucker's
Dell desktop computer was overrun by spyware and adware - stealth software
that delivers intrusive advertising messages and even gathers data from
the user's machine - he did not simply get rid of the offending programs.
He threw out the whole computer.
Mr. Tucker, an Internet
industry executive who holds a Ph.D. in computer science, decided that rather
than take the time to remove the offending software, he would spend $400
on a new machine.
He is not alone in his surrender in the face
of growing legions of digital pests, not only adware and spyware but computer
viruses and other Internet-borne infections as well.
Many PC owners are simply replacing embattled
machines rather than fixing them.
"I was spending time every week trying to
keep the machine free of viruses and worms," said Mr. Tucker, a vice president
of Salesforce.com, a Web services firm based here.
"I was losing the battle. It was cheaper and faster to go to the store
and buy a low-end PC."
In the face of a constant stream of pop-up
ads, malfunctioning programs and performance slowed to a crawl or a crash
- the hallmarks of spyware and adware - throwing out a computer "is a rational
response," said Lee Rainie, director of the Pew Internet and American Life
Project, a Washington-based research group that studies the Internet's social
impact.
While no figures are available on the ranks
of those jettisoning their PC's, the scourge of unwanted software is widely
felt. This month the Pew group published a study in which 43 percent of
the 2,001 adult Internet users polled said they had been confronted with
spyware or adware, collectively known as malware. Forty-eight percent said
they had stopped visiting Web sites that might deposit unwanted programs
on their PC's.
Moreover, 68 percent said they had had computer
trouble in the last year consistent with the problems caused by spyware
or adware, though 60 percent of those were unsure of the problems' origins.
Twenty percent of those who tried to fix the problem said it had not been
solved; among those who spent money seeking a remedy, the average outlay
was $129.
By comparison, it is possible to buy a new
computer, including a monitor, for less than $500, though more powerful
systems can cost considerably more.
Meantime, the threats from infection continue
to rise, and "the arms race seems to have tilted toward the bad guys," Mr.
Rainie said.
The number of viruses has more than doubled
in just the last six months, while the number of adware and spyware programs
has roughly quadrupled during the same period, said Vincent Weafer, a senior
director at Symantec, which makes the Norton computer security programs.
One reason for the explosion, Symantec executives say, is the growth of
high-speed Internet access, which allows people to stay connected to the
Internet constantly but creates more opportunity for malicious programs
to find their way onto machines.
Mr. Weafer said an area of particular concern
was infections adept at burying themselves in a computer system so that
the cleansing programs had trouble finding them. The removal of these programs
must often be done manually, requiring greater technical expertise.
There are methods of protecting computers
from infection through antivirus and spyware-removal software and digital
barriers called firewalls, but those tools are far from being completely
effective.
"Things are spinning out of control," said
David Gelernter, a professor of computer science at Yale.
Mr. Gelernter said his own family's computer
became so badly infected that he bought a new one this week. He said his
two teenage sons were balking at spending the hours needed to scrub the
old one clean of viruses, worms and adware.
Mr. Gelernter blames the software industry
for the morass, noting that people are increasingly unwilling to take out
their "software tweezers" to clean their machines.
Microsoft executives say they decided
to enter the anti-spyware business earlier this year after realizing the
extent of the problem.
"We saw that a significant percentage of
crashes and other problems were being caused by this," said Paul Bryan,
an executive in the company's security business unit. Windows XP Service
Pack 2, an upgrade to the latest Windows operating system that has been
distributed to more than 200 million computers, includes an automated malware
removal program that has been used 800 million times this year, he said.
At least another 10 million copies of a test
version of the company's spyware removal program have been downloaded. Yet
Microsoft executives acknowledged that they were not providing protection
for people who have earlier versions of the company's operating system.
And that provides little comfort for those who must navigate the perils
of cyberspace.
Terrelea Wong's old computer now sits beside
her sofa in the living room, unused, except as a makeshift table that holds
a box of tissues.
Ms. Wong, a physician at Kaiser Permanente
Medical Center in South San Francisco, started getting a relentless stream
of pop-up ads a year ago on her four-year-old
Hewlett-Packard desktop computer. Often her entire screen would turn
blue and urge her to "hit any key to continue." Sometimes the computer would
freeze altogether.
After putting up with the problem for months,
Ms. Wong said she decided last November that rather than fix her PC, she
would buy a new one. Succumbing to the seduction of all the new bells and
whistles, she spent $3,000 on a new
Apple laptop.
She is instituting new rules to keep her
home computer virus-free.
"I've modified my behavior. I'm not letting
my friends borrow my computer," she said, after speculating that the indiscriminate
use of the Internet by her and her friends had led to the infection problems.
Peter Randol, 45, a stockbroker for
Charles Schwab in Denver, is at his wits' end, too. His family's four-year-old
Dell computer has not been the same since last year when they got a digital
subscriber line for high-speed Internet access. Mr. Randol said the PC's
performance has slowed, a result he attributes to dozens of malicious programs
he has discovered on the computer.
He has eliminated some of the programs, but
error messages continue to pop up on his screen, and the computer can be
agonizingly slow.
"I may have no choice but to buy a new one,"
he said, noting that he hopes that by starting over, he can get a computer
that will be more impervious to infection.
Buying a new computer is not always an antidote.
Bora Ozturk, 33, who manages bank branches in San Francisco, bought a $900
Hewlett-Packard computer last year only to have it nearly paralyzed three
months ago with infections that he believes he got from visiting Turkish
news sites.
He debated throwing the PC out, but it had
pictures of his newborn son and all of his music files. He decided to fix
it himself, spending 15 hours learning what to do, then saving all his pictures
and music to a disk and then wiping the hard drive clean - the equivalent
of starting over.
For his part, Mr. Tucker, the Salesforce.com
executive, said the first piece of software he installed on the new machine
two weeks ago was antivirus software. He does not want a replay of his frustrations
the last month, when the attacks on his old machine became relentless.
"It came down to the simple human fact that
maintaining the old computer didn't pay," he said.
Just from the ecological point of view, the position of "Mr.
Tucker, an Internet industry executive who holds a Ph.D." is
rather strange, to say the least. With all due respect to this Ph.D. holder, I think
that any holder of a BS in computer science should be able to reinstall the Windows OS, as
even a BS degree presupposes some interest in, and some understanding of, OS internals
;-)
Of course, it perfectly suits the job description of Vincent Weafer, a senior director
at Symantec, to propagate FUD about spyware/adware. But this is a slightly skeptical
site and we should know better.
Actually, cleaning spyware is not rocket science in 95% of cases.
The remaining 5% are cases where, due to misguided cleaning attempts, a bug in the removal
program, or both, the user destroys the OS (possible in complex cases or if the spyware
removal program has bugs).
But in all such cases reinstallation works perfectly well, and for anybody who
is a professional in the field (and not a lazy misfit with a CS degree who has no backups
and does not know what is installed on his/her computer) it should take less than an hour.
I doubt that anyone can find a plausible case where you cannot clean spyware
by reinstallation. But I encourage you to try and submit such a case in a letter to
the editor.
Many vendors (HP and IBM for sure) provide a special partition with the image
of the initially installed OS and software (the factory install image). If the computer has
such a partition, the manual always has a special chapter about restoring the image,
with a description understandable by everybody with an average IQ ;-). For those who assemble
computers themselves the same holds: they should be able to create their own "initial image"
using Norton Ghost or any other similar utility.
Anyway, if you are seeing new toolbars in your browser, excessive popups, or
your homepage has been switched, or the PC has become very slow or periodically reboots itself,
chances are that you are infected. Other typical symptoms:
- changed search results
- changed advertisements on the pages that you browse
- IE periodically crashes
- the computer freezes and the keyboard becomes unresponsive
- loss of Internet connectivity
Spyware is a more serious problem than a simple annoyance: your privacy
is being invaded. Spyware has the ability to install additional software on your
machine without your consent, and the fact that what you are doing on your computer
is being watched right now does not provide any comfort...
Deceptive advertising is still the major channel of spyware penetration
into PCs, but it is not the only one.
Spyware authors, like virus authors, look for a particular category of gullible
users: despite all the bad experience, there are some people who just can't avoid
a "Get Kool Mouse Pointerz Here" type of link ;-).
There are several prominent groups of spyware:
- Winsock 2 Layered Service Provider (LSP) based spyware. A typical
representative of this category is
SAHAgent (aka
Golden Retriever, ShopAtHome and ShopAtHomeSelect). The latest version of SAHAgent
installs under Windows as a Winsock 2 Layered Service Provider (LSP) and does
sneaky things such as redirecting browsers to merchant sites to generate affiliate
fees. If you try to delete SAHAgent's registry entries and files, you will probably
find that your network connections no longer function, because SAHAgent is an LSP,
something that is pretty tricky to remove.
- Mutating spyware. This is a fuzzy category that is distinguished
not so much by the method of installation as by the variety (the number of
variants). A typical representative is CWS (CoolWebSearch), a
particularly nasty spyware that hijacks Web searches, the home page, and Internet
Explorer settings. Most of the web sites that the homepage is set to appear
to have an affiliate relationship with coolwebsearch.com, in which coolwebsearch
pays them for every visitor they refer. See
Merijn.org/cwschronicles
for a listing of the variants (several dozen). For variants where removal of the file
breaks the Internet connection, there are a couple of tools that can fix the broken
connection; LSPFix can be tried.
Some variants
of CWS add several Google addresses, search.yahoo.com, and search.msn.com to
the HOSTS file, redirecting them to 127.0.0.1. A small web proxy, contained
in an exe file (for example svchost32.exe), listens for these redirections.
Some variants of CWS list the hijacker's web site in Internet Explorer's
Trusted security zone. Domains listed in the Trusted zone have no restrictions
on what they can do, which gives that web site virtually unlimited access
to the infected computer's file system.
The main source of infections is probably installers located on hardcore porn
web sites.
CWShredder is able to remove many variants of CWS. Ad-aware can remove some
variants too. For manual removal see
Symantec
Security Response - Trojan.Norio
- BHO-based spyware.
BHOs are similar to programs that run from autoexec.bat,
but they run at the start of IE rather than DOS. The MS article
Browser Helper Objects: The Browser the Way You Want It explains the concept.
Spyware BHOs can conflict with other running programs, cause a variety
of page faults, run time errors, and the like, and generally impede browsing
performance.
BHOList
contains a list of known BHOs classified into several categories.
To view the list of BHOs installed on your machine you can use
HijackThis or the more specialized
program BHODemon
(freeware).
Example 1: The
LOP spyware
creates random BHO identifiers (as well as corresponding files).
Registry entries look something like this:
{1A35419C-7394-4989-B3C5-6189EB06BD66} - ssshwckfrngl.dll
or
{9633C13D-85BB-4271-83C1-F22BC2938585} - llbrquistglc.dll
or
{DCF6B0CF-5312-42B2-B783-971C107F8B91} - kstilypsm.dll
Be aware of this possibility if you discover unknown BHOs with random
names. Several other spyware products use random or semi-random BHO names.
Example 2: Vx2 and its derivatives (Data Transponder,
etc.). Vx2 is a browser helper object (BHO) that was included in the AudioGalaxy
Satellite file-sharing system, but a user outcry got it removed in November
2001. Today, vx2 and its variants can be found in a "free" viewer for adult
video content and in the "free" products from Mindset Interactive. According to
PestPatrol, "it is hard to tell where
this piece of spyware originated. It was first seen as Blackstone Data's Transponder,
but repackaged versions of the same product are popping up under several different
companies." PestPatrol lists the aliases of the code and the source of each as:
Transponder from Blackstone Data; vx2, RespondMiter and Sputnik from vx2, Corp.;
Aadcom Extreme Targeting from Aadcom; NetPal from NetPalNow and also Mindset
Interactive.
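Two checks for the residue described in the CWS and LOP items above, as an added example (not code from this page or from any of the tools it names): a HOSTS-file scan for search-engine names redirected to 127.0.0.1, and a pronounceability heuristic for random-looking BHO DLL names. The HOSTS text, the watch list and the two benign BHO entries are constructed; the three odd DLL names are the ones quoted above.

```python
"""Residue checks for two spyware families described above: CWS variants
that point search engines at 127.0.0.1 in the HOSTS file, and LOP-style
BHOs registered under random-looking DLL names.

Added example, not code from the Softpanorama page or from any tool it
mentions. The HOSTS text and the two benign BHO entries are constructed;
the three odd DLL names are the ones quoted in the text.
"""
import re
from typing import List, Tuple

# Assumed watch list: the search engines the text says CWS redirects.
WATCHED_HOSTS = {"www.google.com", "google.com", "search.yahoo.com", "search.msn.com"}

# Constructed HOSTS file content (not from a real machine).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.google.com
127.0.0.1       search.yahoo.com
127.0.0.1       search.msn.com
0.0.0.0         ads.example.invalid   # deliberate ad-blocking entry
"""

# Constructed BHO listing in the "{CLSID} - file.dll" form used above.
SAMPLE_BHO_LINES = """{1A35419C-7394-4989-B3C5-6189EB06BD66} - ssshwckfrngl.dll
{9633C13D-85BB-4271-83C1-F22BC2938585} - llbrquistglc.dll
{DCF6B0CF-5312-42B2-B783-971C107F8B91} - kstilypsm.dll
{00000000-0000-0000-0000-000000000001} - examplehelper.dll
{00000000-0000-0000-0000-000000000002} - mytoolbar.dll
"""

BHO_LINE = re.compile(r"^\{([0-9A-Fa-f-]{36})\}\s*-\s*(\S+)\s*$")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from HOSTS-format text, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:          # one IP may carry several names
            pairs.append((fields[0], name.lower()))
    return pairs


def hijacked_hosts(text: str) -> List[Tuple[str, str]]:
    """Watched search-engine names found in HOSTS, whatever IP they map to.
    A clean HOSTS file has no reason to mention them, so any mapping
    (loopback or a proxy elsewhere) is worth a look."""
    return [(ip, name) for ip, name in parse_hosts(text) if name in WATCHED_HOSTS]


def name_stats(filename: str) -> Tuple[float, int]:
    """Vowel ratio and longest consonant run of the file stem (letters only)."""
    stem = filename.rsplit(".", 1)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    if not letters:
        return 1.0, 0
    vowels = sum(c in "aeiou" for c in letters)
    longest = run = 0
    for c in letters:
        run = 0 if c in "aeiou" else run + 1
        longest = max(longest, run)
    return vowels / len(letters), longest


def looks_random(filename: str, min_vowel_ratio: float = 0.2, max_run: int = 5) -> bool:
    """Heuristic: pronounceable names have vowels and short consonant runs.
    Thresholds are assumptions; expect false positives on acronym-style
    legitimate names, so treat a hit as 'look closer', not 'delete'."""
    ratio, run = name_stats(filename)
    return ratio < min_vowel_ratio or run >= max_run


def suspicious_bhos(text: str) -> List[Tuple[str, str]]:
    """(CLSID, filename) for every BHO line whose DLL name looks random."""
    hits = []
    for line in text.splitlines():
        m = BHO_LINE.match(line.strip())
        if m and looks_random(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for ip, name in hijacked_hosts(SAMPLE_HOSTS):
        print(f"HOSTS hijack: {name} -> {ip}")
    for clsid, dll in suspicious_bhos(SAMPLE_BHO_LINES):
        print(f"random-looking BHO: {{{clsid}}} {dll} {name_stats(dll)}")
```

On a real machine, feed the contents of %SystemRoot%\system32\drivers\etc\hosts and the BHO list from HijackThis or BHODemon into the same two functions.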
Two approaches to fighting spyware
Businesses want an inexpensive software tool that can be used to clean up a spyware
infection on a one-time basis. Vendors must offer such products, making sure they're
affordable. We will classify tools into two broad categories:
- Scanner-based. This is a strategy similar to antivirus scanners.
It also involves the problem of false positives and false negatives.
- Non-scanner based. This broad class of tools includes everything
else and will be discussed on this page. We will advocate a simple protection
strategy (called the "Softpanorama strategy") that consists of two simple steps:
- creation of a second partition on the hard drive
- periodically writing to it images created by Norton Ghost or a similar utility.
Scanner-based strategies of fighting spyware
They are the simplest and yet effective against all but the most complex
spyware, and that's why they should be tried first. There are two prominent
free spyware scanners (Ad-aware and
Spybot S&D).
Spybot S&D usage is
discussed on a separate page.
The main problem with spyware scanners
is that spyware is repeating the path of file viruses: newer variants are designed
with specific mechanisms to avoid detection by scanners (polymorphic spyware).
One such example is vx2 spyware (SAHAgent, aka Golden Retriever, ShopAtHome
and ShopAtHomeSelect). Another example is CoolWebSearch, or 'CWS' as many refer to
it. With more than a hundred known variants, CWS has surpassed a lot of other
annoying hijackers such as Lop, Xupiter, Whazit, etc. (see such sites as
allhyperlinks.com, coolwwwsearch.com, youfindall.com, etc.). You might need
to use specialized software like
CWShredder to remove
CWS.
Never buy or download a spyware scanner without checking reviews on independent
sites. Many such products are very questionable: some ask you to buy an expensive
version after scanning, and some can themselves be classified as spyware. An attempt to hide
spyware under the disguise of a spyware scanner can be viewed as yet another example
of deceptive advertising. See for example
Trustworthy
Anti-Spyware Products
Non-scanner-based strategies
The non-scanner-based strategies of fighting spyware include several lines of
defense:
- Restoring an image of your C: partition ("Softpanorama strategy").
Split your hard drive into two (or more) partitions (using, for example, Partition
Magic), format the second partition as FAT32, and write a clean snapshot
of the C: partition (for example via Ghost) to this partition, so that you can
restore it any time your system stops functioning properly (whether because of
spyware or other problems).
- Systematically updating your OS and IE. It's really important to
keep your computer up to date. Spyware often relies on IE vulnerabilities, so the
latest and greatest version of IE from Microsoft helps to protect your computer.
The
improvements to Internet Explorer [microsoft.com] in Service Pack 2 should
help stop the spread of spyware somewhat.
- Using a special toolbar that blocks popups and spyware components.
The Yahoo toolbar now contains an antispyware component in addition to popup blocking
(they beat the Google toolbar in this area ;-)
- Running selected free tools via the scheduler to detect and remove spyware.
There are very useful and effective tools outside the typical anti-spyware
troika (HijackThis, Ad-aware and Spybot S&D). For example, watching the registry
and the process list (see
command
line process listers) after startup, as well as the content of major Windows
directories, is very important, and one can greatly benefit from using appropriate
tools for that. For example, I can recommend a registry watching tool
like RegistryProt. There are several command line process listing utilities
that can be configured to run during your startup. Adding an integrity
checker to the mix is more complex, as there is no clearly suitable candidate;
see Fighting Rootkit and Similar
Trojans: Integrity Checkers and Trojan detectors.
HijackThis
can provide a useful baseline that includes an integrated list of relevant
registry entries and a process map, but currently I do not know
how to run it in batch mode (other than via Expect). Still, this
is the simplest way to manually create a useful baseline. If you are reading
this page and do not yet have a problem, please create at least a process baseline.
It might turn out to be extremely helpful in the future. You cannot overestimate
the value of the baseline in fighting complex spyware beasts.
- Blocking (via proxy or redirection in the hosts file) Internet sites that
download such pests. This is a useful method of defense in a corporate
environment, where each detected "backchannel" can be instantly blocked on the proxy,
and in many cases the site that is responsible for the infection can be detected
and blocked. This is not that effective in a home environment, but still the hosts
file can be used to block obnoxious advertisers on a one-by-one basis.
- And last but not least: read the license of products that you are
installing on your computer. Never ever install anything that is advertised
via junk email or, worse, pop-ups. Most apps that install spyware usually
have something in their license that says "we have the right to install whatever
we want on your system".
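The baseline idea from the "running selected free tools" item above, applied to the content of Windows directories, as an added example (not code from this page, HijackThis, RegistryProt or any other tool named here): record size and MD5 per file, keep the baseline as JSON, and later list what was added, removed or changed. The directory layout and file contents in demo() are constructed.

```python
"""Baseline-and-compare integrity check for a directory tree, the kind of
simple integrity checker the text says is missing from the usual toolkit.

Added example, not code from the page or from HijackThis, RegistryProt or
any other tool it names. It records size and MD5 for every file under a
root, saves that baseline as JSON, and later reports what was added,
removed or changed. demo() builds a throwaway directory to show it.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple

Baseline = Dict[str, Tuple[int, str]]   # relative path -> (size, md5)


def file_md5(path: str) -> str:
    """MD5 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Baseline:
    """Walk root and record (size, md5) per file, keyed by a normalised
    relative path (forward slashes, lower case: Windows paths are
    case-insensitive, so the same file must not show up twice)."""
    base: Baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            base[rel] = (os.path.getsize(full), file_md5(full))
    return base


def save_baseline(base: Baseline, path: str) -> None:
    with open(path, "w", encoding="utf-8") as f:
        json.dump(base, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> Baseline:
    with open(path, encoding="utf-8") as f:
        raw = json.load(f)
    return {k: (int(v[0]), str(v[1])) for k, v in raw.items()}   # JSON lists -> tuples


def compare(old: Baseline, new: Baseline) -> Dict[str, List[str]]:
    """Added, removed and changed paths, each sorted for stable output."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, then simulate what an
    infection leaves behind (one DLL dropped, one replaced, one deleted).
    The baseline is stored outside the tree so it is not compared to itself."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "system32/good.dll", b"original helper")
        _write(root, "system32/other.dll", b"another file")
        _write(root, "win.ini", b"[fonts]\n")
        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_file)

        _write(root, "system32/good.dll", b"replaced contents")      # changed
        _write(root, "system32/ssshwckfrngl.dll", b"dropped file")   # added
        os.remove(os.path.join(root, "system32", "other.dll"))       # removed
        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run snapshot() against the real Windows and system32 directories while the machine is known clean and keep the JSON on the second (image) partition; a comparison after startup is then a scheduler job of a few seconds.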
Creating an image of your C: partition on another partition (it should be a FAT32 partition)
is a very effective strategy for fighting spyware. In this case, if you cannot delete
a particular beast using scanners and baseline-based methods, you can just restore
the C: partition from the image and forget about the problem. This is the easiest
way to fight complex, mutating spyware like
CoolWWWSearch.
The standard Softpanorama spyware defense
strategy based on Ghost does wonders against this worm, but additionally, on infected
computers passwords need to be made stronger (a minimum length of 10 can help here) and patches
need to be installed (automatic installation of patches on desktops is highly recommended).
The Allaple.b worm was discovered somewhere
in late 2006 and was active for several months after that.
It propagates rather slowly and does not create "avalanche epidemics", but
it does propagate, and at the beginning signatures for detecting and removing
the worm were very weak. In March 2007 they got better; for example, F-Secure
(which uses the Kaspersky engine), which was unable to disinfect strain B completely
with signatures older than, say, Feb 28, 2006 (I do not know the exact
date), now does a better, although far from perfect, job. It looks like
with signatures later than March 3, 2007 DrWeb detects it but still cannot completely
disinfect this particular strain of the worm (I checked a free version called
CureIt).
Allaple is a polymorphic network worm
that consists of just one executable. Polymorphism means that every copy of the
worm differs slightly from the others in content (probably due
to a polymorphic decryptor), but paradoxically the length of all instances is
constant (57856 bytes).
Also, when scanning the drive for HTML files, it generates and drops a lot
of executables with random names that contain exactly eight characters. The
only exception is the first executable, which always has the name
urdvxc.exe, which
is hardwired in the worm code
(see below).
Also, when the worm's executable runs it behaves like old polymorphic file viruses:
the polymorphic decryptor decodes the body, and then control is passed to
the static part of the worm code, which allocates a memory buffer and extracts
the main worm code into it. Only then is control passed directly
to the extracted worm code. At the same time, while going to such lengths
to encrypt the worm body, the author(s) left the size of the worm's executable
file constant.
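The three file-level traces just listed (the fixed urdvxc.exe name, the eight-character random names of the dropped copies, and the constant 57856-byte length) turned into a directory scan, as an added example (not code from this page or from any antivirus product it names). The thresholds come from the text; the demo directory and its dummy files are constructed, and the decision to ignore an eight-character name unless the size also matches is an assumption about false-positive rates.

```python
"""Scan a directory tree for the file-level traces of Allaple described
above: a hardwired urdvxc.exe, executables with random eight-character
names, and the constant 57856-byte length.

Added example, not code from the page or from any antivirus product it
names. The constants are taken from the text; the demo directory is
constructed with dummy files of the right sizes and names.
"""
import os
import re
import tempfile
from typing import Dict, List

ALLAPLE_SIZE = 57856            # constant length reported in the text
HARDWIRED_NAME = "urdvxc.exe"   # first dropped file, fixed name
EIGHT_CHAR_EXE = re.compile(r"^[a-z0-9]{8}\.exe$", re.IGNORECASE)


def classify(name: str, size: int) -> List[str]:
    """Reasons a file deserves a look. A size match alone is weak evidence
    (any 57856-byte program triggers it) and is reported as such; an
    eight-character name alone is too common to report without the size."""
    reasons = []
    low = name.lower()
    if low == HARDWIRED_NAME:
        reasons.append("hardwired name")
    elif EIGHT_CHAR_EXE.match(low):
        reasons.append("eight-character exe name")
    if size == ALLAPLE_SIZE:
        reasons.append("size 57856")
    if reasons == ["eight-character exe name"]:
        return []       # assumption: name pattern without the size is noise
    return reasons


def scan(root: str) -> Dict[str, List[str]]:
    """Relative path -> reasons, for every file under root with a reason."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify(name, os.path.getsize(full))
            if reasons:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return hits


def demo() -> Dict[str, List[str]]:
    """Constructed directory: dummy files with the names/sizes of interest."""
    samples = {
        "urdvxc.exe": ALLAPLE_SIZE,      # hardwired first drop
        "qwzxplmk.exe": ALLAPLE_SIZE,    # random eight-character dropped copy
        "abcdefgh.exe": 1234,            # eight characters but wrong size: ignored
        "setup.exe": ALLAPLE_SIZE,       # size only: weak hit, reported as such
        "readme.txt": 20,                # nothing of interest
    }
    with tempfile.TemporaryDirectory() as root:
        for name, size in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"\0" * size)
        return scan(root)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", ", ".join(reasons))
```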
continued...
In the
comment below it's unclear why they don't just let students use
Norton Ghost and create their own images. Also, only amateurs use one
partition (C: for the whole drive) on a modern laptop with a huge hard drive (40G
or more), and if a university wants to train idiots this is definitely the way to
go ;-). It's very easy to link major user directories to the second drive.
[Jan 16, 2006]
http://www.bleedingsnort.com/staticpages/index.php?page=bleeding-projects
An interesting approach to detecting spyware using Snort:
Spyware Listening Post
The goal of the Spyware Listening Post is to
build a self-sustaining spyware prevention and detection framework.
We hope to accomplish this by using existing
tools such as the Black Hole DNS project, the User-Agents project, and our
existing Bleeding Snort Spyware Signatures to funnel known traffic to
analysis points to identify the unknown.
We believe that in general we're all losing
the fight to spyware and malware. This project we hope will move us into the
driver's seat rather than continue our current reactionary tactics.
This project is maintained by
Matt Jonkman.
There is a public mailing list available
here:
http://lists.bleedingsnort.com/mailman/listinfo/listeningpost
Users wishing to be volunteer analysts for
the data collected should subscribe to this list:
http://lists.bleedingsnort.com/mailman/listinfo/lp-analysts
Snort ClamAV

The Snort ClamAV project brings you a patched snort that using the ClamAV
virus database can alert and/or block viruses at the network level.
This project is maintained by
William Metcalf and Victor Julien.
Snort-ClamAV CVS Web Interface
Project Page
[Jan 2, 2006] A nasty mix of spyware was found on one computer (it looks like
this mix is somehow linked with http://www.spy-sheriff.com;
see the hijacked browser home page below). Some components are recognized by
Ad-aware. It proved very difficult to delete using the usual tools (I
spent an hour or so trying and ended up re-Ghosting the computer).
It downloads a lot of files, some into the root directory of the C: drive, and
installs more than 30 files. Here are the files in the root directory:
C:\
01/02/2006 03:22 PM 14,848 stub_113_4_0_4_0.exe
01/02/2006 03:21 PM 52,480 drsmartloadb.exe
01/02/2006 03:20 PM 4,096 inst_0004.exe
01/02/2006 03:20 PM 40,960 drsmartload1.exe
01/02/2006 03:19 PM 3,082 secure32.html
01/02/2006 03:19 PM 32,256 winstall.exe
Similar cases found via Google:
Detected SPYware! System error #384
__________________________________________________________________________
Your IP address is 99.999.99.999.
Using this address a remote computer has gained an access to your computer
and probably is collecting the information about the sites you've visited
and the files contained in the folder Temporary Internet Files. Attention!
Ask for help or install the software for deleting secret information
about the sites you visited.
__________________________________________________________________________
Your computer is full of evidences!
ISP of transmission: OPTONLINE
Your IP address: 99.999.99.99
They know you're using: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Your computer is: Windows XP
Risk status for further investigation: VERY HIGH RISK
To protect from the Spyware - click here
To prevent information transmission - click here
To delete the history of your activity, click here
(data below were collected by the Microsoft Antispyware tool, Advanced
Tools / File Analyzer)
Spyware component found on infected computer: winstall.exe (originally
found at C:\winstall.exe)
- Display name: winstall.exe
- Name: winstall.exe
- Publisher: Unspecified
- Path: H:\Spyware_infection\C_root\winstall.exe
- Size: 32256 bytes
- Create date: Monday January 2, 2006
- Access date: Monday January 2, 2006
- Modified date: Monday January 2, 2006
- MD5: 91e82df36f657bdc4158fa65e06cdd69
Spyware component found on infected computer: newfrn.exe
- Display name: URLBrowserNew
- Name: newfrn.exe
- Description: Unavailable
- Original file name: URLBrowserNew.exe
- Publisher: _
- Path: H:\Spyware_infection\windows\newfrn.exe
- Version: 1.0.0.0
- Size: 110592 bytes
- Copyright: Unavailable
- Create date: Monday January 2, 2006
- Access date: Monday January 2, 2006
- Modified date: Monday January 2, 2006
- MD5: 0ccc055a24cce2fbdbbd24f81e6c5d48
Spyware component found on infected computer: toolbar.exe
- Detailed File Analysis
- Display name: loader
- Name: toolbar.exe
- Description: Unavailable
- Original file name: 103.exe
- Publisher: .
- Path: H:\Spyware_infection\windows\toolbar.exe
- Version: 1.0.0.6
- Size: 23936 bytes
- Copyright: Unavailable
- Create date: Monday January 2, 2006
- Access date: Monday January 2, 2006
- Modified date: Monday January 2, 2006
- MD5: 1e1b8da7694e8900d2e289fd4592a7dd
The 46 Best-ever Freeware Utilities
Best Free Browser Protection
Updated October 20, 2005
There's a scumware plague at the moment. All it takes is a visit to a
pushy web site or a loaded shareware install and next minute your Internet Explorer
homepage has been changed, your default search setting altered, unwanted ads
pop up on your screen and worse. You can help protect Internet Explorer
against these attacks by using SpywareBlaster [1]. It is not a system
scanner; rather it is a monitor that's designed to prevent an initial infection.
It provides active protection for Internet Explorer users against thousands
of malevolent products that use ActiveX based exploits and offers defenses against
hostile sites and unwanted cookies as well. SpywareBlaster can be used with
Firefox but there's not much point as Firefox doesn't need to be protected against
ActiveX exploits. SpywareBlaster is free but the automatic update service costs
$9.95 annually. A companion program to SpywareBlaster is SpywareGuard [2]. It
is also a protective program that checks programs before they are run for malware
behavior and also does some signature checking as well. However of late SpywareGuard
seems to have been rather neglected with no new updates for more than a year
so I can only give it a qualified recommendation. SpywareBlaster though, is
a terrific product and a must-have for Internet Explorer users who also use
the free version of Ad-Aware. If you are using Microsoft Antispyware, Ad-Aware
Pro or other anti-spyware utility with a real-time monitor, you don't really
need it.
[1] http://www.javacoolsoftware.com/spywareblaster.html (2.2MB)
[2] http://www.javacoolsoftware.com/spywareguard.html (1.96MB)
Best Free Trojan Scanner/Trojan Remover
Ewido is the best of a new crop of anti-Trojan programs. On my recent tests
over at www.anti-trojan-software-reviews.com
it emerged as one of the few products that could reliably detect polymorphic
and process injecting Trojans that were totally missed by anti-virus products
like Norton and AVG. Unfortunately the free version of Ewido doesn’t have a
memory monitor and this omission significantly reduces the level of active
protection provided. However the on-demand scanner is excellent. I recommend
that all average PC users who don't have an anti-trojan scanner download Ewido
and scan their PCs weekly. I suspect you may be surprised at what you will find.
Ewido is also pretty good at removing some spyware infections so bear that in
mind next time you encounter a spyware product you can't remove with normal
anti-spyware products like Ad-Aware. Note that Ewido only works with Windows
2000 and later, so Win 9X users should consider the free version of a2 (a-squared)
anti-trojan as an alternative. It's not quite as effective as Ewido but is still
an excellent product. High-risk PC users, such as P2P file sharers and
frequenters of hack sites, should however consider the industrial-strength protection
of Trojan Hunter or the full version of Ewido, both of which offer the active protection they need. Note:
The free version of Ewido is actually the same as the paid version but after
14 days the active protection (i.e. memory monitor) becomes non-functional.
http://www.ewido.net/en/ (2.2MB)
http://www.anti-trojan-software-reviews.com/review-ewido.htm <= review of Ewido
Best Free Rootkit Scanner/Remover (Updated October 24, 2005)
Rootkits are a special kind of software tool used to hide trojans, viruses and
other malware from your anti-virus scanner and other security products. Unfortunately,
they are extremely effective which means that some of you reading this will
be infected even though you believe your PC to be totally clean. Thankfully
there is a new class of security product now available called rootkit
detectors that use specialized techniques to detect these dangerous intruders.
Most of these detectors require quite a bit of technical skill to interpret
the results but one of the simplest to use and most effective is also free.
It's called BlackLight [1] and is currently available as a free beta from F-Secure
until the 1st of January 2006. I suggest everyone download this product and
scan their PC. The chances of you being infected are small but for five minutes
work it's not worth taking the risk.
BlackLight will detect most
rootkits missed by AV scanners but can still be fooled by state-of-the-art rootkits
like Hacker Defender. To detect this and a few other insidious rootkits, you
need heavier artillery. Currently the biggest gun in the rootkit detection war
is a free Chinese product called IceSword. It will reveal just about everything
running on your PC. Usage, however, requires considerable skill together with
the patience to work out the program. It was originally only documented in Chinese
but an English version [2] has now appeared. In the hands of a skilled user,
it's an amazing tool.
[1] http://www.f-secure.com/blacklight/cure.shtml (Windows 2000 and later, 911KB)
[2] http://www.xfocus.net/tools/200509/IceSword_en1.12.rar <= slow Chinese site, 565KB
[3] http://www.techsupportalert.com/rootkits.htm <= How to deal with the threat of rootkits
Fighting Spyware Through Your Task Manager
Toss on the ol' investigator's cap and let's take
a look at some of these mysterious processes running on my system. This is the
crux of this article...how to decipher what all that junk is and deciding what
is important and what may possibly be dangerous!
If you learn to regularly check the current processes
running on your system, you'll be much less likely to be zapped by some notorious
program. Granted, you need those other programs discussed at the top of this
article to really protect you, but if you regularly check here...it'll help
you stop anything that may have slipped by. You'll learn to recognize those
processes that should be running, so you can quickly research mysterious
ones further.
You'll note the first process listed is called
Point32.exe. Well, I know that that is my mouse driver. But if I didn't know
that, I could easily find out more about this by enlisting the valuable services
of the Internet.
... ... ...
I zip over to my trusty Google.com and enter
the process name, using quotes to search for it as a whole word and hit enter
to start my investigation.
...I learn that this process is running because
I use the Microsoft Intellimouse and this is the monitoring process that keeps
my mouse running properly. If I ended this, my mouse might not work the way
I want. Yet it seems to not be a vital process to its operation, so I could
disable it if I was currently stressed for more memory. However, if I was strained
for resources, I might want to consider using a simpler mouse. But resources
are not a problem on this system and I love my intellimouse! So this process
is not an issue.
The next process running shows a file named: ~e5d141.tmp.
Now one thing I know is that any file starting with a tilde (~) is a temporary
file that is called into memory for the moment while some other program is being
run...as part of its process. That is further verified by the fact that the
file ends in .tmp, as in temporary.
But what the heck is this temporary process that's
running? This could be some type of spyware! Let's give Google a run
by entering this file name into a search, enclosed in double quotes, and see
what's up.
HA! It appears that this one is not a problem
either. It is a licensing file that Dreamweaver requires when it is running.
I can check that fact further by closing Dreamweaver. Sure 'nuff...when Dreamweaver
is gone, so is that temp file, as you can see in the updated view below. When
I reopen DW, that file should reappear...and upon testing, it did. So I can
feel pretty confident that this is yet another process I don't need to worry
about.
But now I want to see what processes are eating up the most memory on my
system. I closed Outlook, so that's not in its normal top of the list slot.
My files are still chewing up space with Explorer. A system file is running,
and because I'm taking screen shots,
SnagIt is running.
But what is that next file? Let's find out.
I check Google and the first entry leads me to the I Am Not a Geek
web site. Normally a site that provides fairly accurate answers.
But this time I question the site's accuracy. Note in the image below, this
site warns me that this file is an unidentified Worm or Trojan virus! YIKES!
Rip it out!!! NO WAIT! Before you go ripping out your PC's guts, let's get a
second opinion and research this a bit further!
I check another site and they tell me not to worry because this
file is part of the
Microsoft anti-spyware program I'm running. Whew! But now there's some confusion...who
is right?
... ... ...
I move into my Windows Explorer and ferret into the c:\Program Files\Microsoft
AntiSpyware folder and look for that file. It's there. I right click on the
file and choose Properties. The properties dialog box opens
and tells me that this is a file that is part of the Microsoft AntiSpyware Data
Service.
ewido security suite - Protection against Spyware, Trojans, Dialers, Keyloggers and other growing threats
The ewido security suite can be used as a supplement for existing protection
systems under Windows 2000 and XP to protect you also against the latest threats.
That's why the ewido security suite also works with all current anti-virus programs
and firewalls.
If you are unsure whether your existing programs are compatible with the ewido
security suite or they are not on the list, please contact us with further
information about your security applications like name, version etc.
- 8Signs Firewall - 8Signs Limited
- a² free/personal - Emsisoft
- Ad-aware - Lavasoft
- AlertWall Personal Firewall - A1Tech, Inc.
- Anti Trojan Shield - ATShield Ltd.
- ANTISPYWARE - GIANT
- AntiVir - H+BEDV
- AntiVirenKit - Gdata
- Anti-Virus Personal - Kaspersky Labs
- Antiy Ghostbusters - Antiy Labs
- ArcaVir - Stormbyte Technologies, LLC
- Armor2net Personal Firewall - Armor2net Software
- Avast Antivirus - Alwit Software
- AVG - Grisoft
- BitDefender - Softwin
- BitGuard Personal Firewall - Try Us ApS
- BlackICE PC Protection - Internet Security Systems
- BOClean - Privacy Software Corporation
- BullGuard - BullGuard Ltd.
- Command Antivirus - Authentium
- CounterSpy - Sunbelt Software
- Dr.Web - SalD Ltd.
- Enigma Firewall - Enigma Software Group
- eTrust EZ Antivirus - Computer Associates
- eTrust EZ Firewall - Computer Associates
- Firewall Lite - Primedius Corporation
- F-Prot - FRISK Software
- FRITZ!webProtect - AVM
- F-Secure - F-Secure Corporation
- HackerSmacker - FarStone Technology, Inc.
- Jetico Personal Firewall - Jetico, Inc.
- Kaspersky Anti-Virus - Kaspersky Labs
- Kaspersky Anti-Hacker - Kaspersky Labs
- Kaspersky Security Suite - Kaspersky Labs
- Kerio Personal Firewall - Kerio Technologies Inc.
- Look 'n' Stop - Soft4Ever
- McAfee - McAfee Inc.
- Microsoft Anti-Spyware - Microsoft Corporation
- mks_vir - MKS Sp. z o.o.
- NOD32 - Eset
- Norman Virus Control - Norman
- Norton Anti-Virus - Symantec
- Norton Personal Firewall - Symantec
- Omniquad Personal Firewall - Omniquad
- Outpost Firewall Pro - Agnitum, Ltd.
- Panda Antivirus - Panda Software
- PC-Cillin - Trend Micro, Inc
- Pest Patrol - PestPatrol, Inc.
- Process Guard - Diamond Computer Systems
- Protector 2000 Plus - Proland Software
- RAV - GeCAD Software
- SafeZone - MinuteGroup
- Solo Virus Control - MicroWorld Technologies Inc.
- Sophos Anti-Virus - Sophos Plc.
- Spy Sweeper - Webroot
- Spybot Search & Destroy - Patrick M. Kolla
- Spyware Doctor - PC Tools
- Sygate Personal Firewall - Sygate, Inc.
- Tauscan - Agnitum, Ltd.
- TDS - Diamond Computer Systems
- The Cleaner - Moosoft
- Tiny Firewall - Tiny Software, Inc.
- Trojan Remover - Simply Super Software
- Trojanhunter - Misec, Inc.
- TrojanShield - TrojanShield
- TZ Personal Firewall - Trackzapper Software
- V3Pro Deluxe - Softempire
- ViRobot - HAURI
- virus utilities - Ikarus Software
- VisNetic Firewall - Deerfield.com
- WinPatrol - BillP Studios
- WyvernWorks Firewall - WyvernWorks Dot Com
- ZoneAlarm - Zonelabs, Inc.
cexx.org Message Boards
View topic - HJT Log...Please take a look, Thanks
Posted: Tue Aug 23, 2005 11:50 pm
Post subject: HijackThis
My MIE browser is bogged down so
slow, it takes minutes to access a webpage or open email. Can anyone help me
decide what to fix? Following is my HijackThis Log.
Logfile of HijackThis v1.99.1
Scan saved at 10:31:27 PM, on 8/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PDesk.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\WINNT\system32\LXSUPMON.EXE
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Hawking Technologies\Hawking_HWU54G_Utility\HWU54G.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\rsvp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Hawking HWU54G Utility.lnk = C:\Program Files\Hawking Technologies\Hawking_HWU54G_Utility\HWU54G.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - http://www.smartforce.com/v2.1/applications/liveplay/Activex/AXClientUtil.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdq/downloads/msxml4.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
Posted: Wed Aug 24, 2005 5:28 am
Post subject:
@ gdbarn:
Have you ever heard of a concept called netiquette? Or about reading
up on forum policy before posting? PLEASE, create a new thread for your
problems. There's no need whatsoever to bog down other threads - it'll
just confuse people.
@ Forafriend:
Start by saving this info somewhere good, or better, print them out.
Don't open a browser while fixing your computer, as you can be almost
sure of reinfection.
After that, go to
www.ewido.net, get ewido and their manual updates. Store them, don't
run them yet.
If you don't have Lavasoft's Ad-Aware, get a copy from here:
http://www.lavasoftusa.com/support/download/. Again, don't run it
yet.
Then, turn off system restore, restart the machine and boot to safe
mode (check my signature for info). Run hjt and fix these entries:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Winsock2 driver] SYFGMIDCLBVFJCZ.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
You should check if these nameserver settings are in order - if not,
fix them.
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8EB65B6-9482-4636-9585-7A6EE65C4E55}: NameServer = 207.69.188.187 207.69.188.186
Then, open explorer, make sure you can view hidden files and folders
(check my signature for info). Find these files and folders and delete
them:
SYFGMIDCLBVFJCZ.EXE <-- check windows and windows\system32 for this
That done, install ewido, update it with the manual updates, then let
it scan your box. Fix everything you find.
Install Ad-Aware, and let it run a scan. Don't bother about it not being
updated, it should be able to run a scan anyway. Fix everything you
find. Run it when all done, and update it then. Restart the machine,
and turn system restore on again.
Then clean out your computer, by hand or by using CCleaner - get it
here:
http://www.ccleaner.com/
Come back with a fresh log, if problems persist.
Fake
_________________
Booting to safe mode?
Here's how
Viewing hidden files and folders?
Here's how
[Aug 24, 2005]
Antispyware firm warns of massive ID theft ring - Computerworld
Officials at Sunbelt Software, a Clearwater, Fla.-based vendor of antispyware
tools, said the company stumbled upon a massive ID theft ring that is using
a well-known spyware program to break into and systematically steal confidential
information from an unknown number of
computers worldwide.
The operation was discovered yesterday during research Sunbelt was doing on
a spyware program belonging to a particularly dangerous class of browser hijacking
tools called CoolWebSearch (CWS), according to Sunbelt's president, Alex Eckelberry.
CWS programs are extremely hard to detect and remove, and are used to redirect
users to Web sites that use spyware tools to collect a variety of information
from infected computers.
[Aug 24, 2005] Dealing with Unwanted Spyware and Parasites -- a useful document. Many good tips in one
place. Recommended!
CWShredder 2.15.0.0 - CWShredder™ is now maintained by Trend Micro.
Download: direct from Trend Micro. Removes most CoolWebSearch and affiliate infections.
Read this first!
[Aug 24, 2005] What a great app! (Feedback for the page
Spyware Removal Using Spybot S&D;
slightly edited for clarity):
Thanks for recommending this freeware - I recently cleaned my pc from
a Trojan which disabled the wallpaper and gave a warning tool in the task bar
telling me to buy some anti malware software. I knew this was a hack from the
start and set about cleaning the registry, resetting dodgy files in SYSTEM32
to a .doc extension, etc., but I was not able to clean certain items - I was not
allowed to delete certain entries from the registry (in particular the RUN key)
- seemed like a permissions problem. I ran the recommended program in a safe-mode
boot of XP and I cleaned everything it found and the machine seems much happier
now!
What I would like to know is how you remove an item from the registry
when you know it's bad. I tried messing about with the permissions on the item
but nothing worked.
... ... ...
Keep up the great work!
Regards
Peter
Peter,
There are several good free registry editors and watchers. See
Free Registry Tools
for more information. But the first step is easy to do with the regular Windows
registry editor (regedit.exe).
Often spyware is pretty primitive, and removing the component that is installed in the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
registry key disinfects the PC.
To do this, follow the steps outlined below. Be very careful working with the
registry and do not delete entries just because they look suspicious; check
each of them as outlined below:
- Open your registry in regedit:
  - Click "Start" (bottom left of your screen)
  - Select "Run"
  - Type "regedit" in the command line displayed
  - Click OK.
- In the tree that is shown, select HKEY_LOCAL_MACHINE
  - then click on the + sign for the key SOFTWARE
  - then click on the + sign for the key Microsoft
  - then click on the + sign for the key Windows
  - then click on the + sign for the key CurrentVersion
  - then click on the + sign for the key Run
- Put a bookmark on the Run entry (click Favorites, Add to Favorites and keep
  the name Run that Microsoft Registry Editor suggests), so that you can get to
  the same place quickly if you need to.
- Print all entries (File, Print). Look for suspicious entries: those that have
  strange names, load programs from strange locations, etc., but don't take any
  action on them yet.
- Open Windows Explorer, click on Tools, Folder Options, View, and
  - uncheck:
    - Hide extensions for known file types
    - Hide protected operating system files
  - check:
    - Show hidden files and folders
    - Remember each folder's view settings
  then click "Apply to All Folders" and OK.
- For each suspicious file on the printed list of the Run section, check the
  creation date. Then go to the listed directory, find the file, left-click it
  and click on Properties. Check the Version section. If the Description is
  missing, the Version is missing or the company is unknown, then the file is
  suspicious.
- For each suspicious file, search Google. If the Google search proves that
  the entry belongs to spyware, simply delete the key.
- For every other file, try to search Google too, but be critical of the
  results. Do not rush to delete an entry without additional consultation in
  one of the forums recommended on the Fighting Adware/Spyware Paranoia page.
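The same triage, scripted: an added Python example, not code from this page, the forum thread or any of the tools it names. It applies the checks above (a Run entry with a bare file name, a random-looking name like the helper's SYFGMIDCLBVFJCZ.EXE, a BHO pointing at no file, name servers you did not expect) to HijackThis-style O2/O4/O17 lines, here a constructed sample taken from the log thread above, and on Windows also reads the live HKLM and HKCU Run keys that the regedit steps lead to. The expected name servers and the list of unusual directories are assumptions you would replace with your own.

```python
# Autostart triage (added example): the checks from the HijackThis thread and the
# Run-key procedure above, run over HJT log lines or, on Windows, the live Run keys.
import re
import sys

RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Assumption: the name servers your ISP actually assigned (constructed here).
EXPECTED_NAMESERVERS = {"207.69.188.187", "207.69.188.186"}
# Assumption: directories a Run entry has little business loading from.
STRANGE_DIRS = ("\\temp\\", "\\recycler\\", "\\application data\\")
RE_O2 = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RE_O4 = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.*?)\] (.*)$")
RE_O4_STARTUP = re.compile(r"^O4 - ((?:Global )?Startup): (.*?) = (.*)$")
RE_O17 = re.compile(r"^O17 - .*?: NameServer = (.*)$")
RE_EXE = re.compile(r"(.+?\.(?:exe|com|scr|bat|cmd|pif|dll))(?:\s+(.*))?$", re.I)

def split_command(cmd):
    """Split a Run value into (executable, arguments): quoted or unquoted paths, bare names."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end < 0 else (cmd[1:end], cmd[end + 1:].strip())
    if m := RE_EXE.match(cmd):
        return m.group(1), m.group(2) or ""
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")

def looks_random(stem):
    """True for names like SYFGMIDCLBVFJCZ: 8+ letters with six consonants in a row."""
    s = stem.lower()
    if len(s) < 8 or not s.isalpha():
        return False
    run = longest = 0
    for c in s:
        run = 0 if c in "aeiouy" else run + 1
        longest = max(longest, run)
    return longest >= 6

def assess_run_entry(command):
    """Reasons to research one Run value, following the page's criteria."""
    exe, _args = split_command(command)
    basename = exe.replace("/", "\\").rsplit("\\", 1)[-1]
    reasons = []
    if "\\" not in exe and "/" not in exe:  # the helper's "check windows and system32"
        reasons.append("bare file name: locate it and check its version information")
    if looks_random(basename.rsplit(".", 1)[0]):
        reasons.append("random-looking file name")
    if any(d in exe.lower() for d in STRANGE_DIRS):
        reasons.append("loads from an unusual location")
    return reasons

def triage_hjt_lines(lines, expected_nameservers=EXPECTED_NAMESERVERS):
    """Return (section, subject, reason) tuples for HijackThis O2/O4/O17 lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if m := RE_O2.match(line):
            if m.group(3).lower() == "(no file)":
                findings.append(("O2", m.group(2), "orphaned BHO: its DLL is gone"))
        elif m := (RE_O4.match(line) or RE_O4_STARTUP.match(line)):
            name, command = m.group(2), m.group(3)
            findings.extend(("O4", name, r) for r in assess_run_entry(command))
        elif m := RE_O17.match(line):
            unexpected = sorted(set(re.split(r"[,\s]+", m.group(1).strip()))
                                - set(expected_nameservers))
            if unexpected:
                findings.append(("O17", " ".join(unexpected),
                                 "name server not in the expected set"))
    return findings

def live_run_entries():
    """On Windows, yield (hive, name, command) from the HKLM/HKCU Run keys; else nothing."""
    if sys.platform != "win32":
        return
    import winreg
    for label, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, RUN_SUBKEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _type = winreg.EnumValue(key, i)
                    yield label, name, str(value)
        except OSError:
            continue

# Constructed sample: lines lifted from the forum log and the helper's reply.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Winsock2 driver] SYFGMIDCLBVFJCZ.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8EB65B6-9482-4636-9585-7A6EE65C4E55}: NameServer = 207.69.188.187 207.69.188.186
"""

if __name__ == "__main__":
    for finding in triage_hjt_lines(SAMPLE_LOG.splitlines()):
        print("%-4s%s: %s" % finding)
    for hive, name, command in live_run_entries():
        print(hive, name, command, assess_run_entry(command))
```

Every finding is a pointer to the manual checks above (version information, creation date, a Google search), so legitimate bare entries such as ctfmon.exe will show up and should be cleared by that research rather than deleted.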
[Aug 3, 2005] NetworkComputing/Claria Software Unsafe At Any Speed. Network Computing, by Mitch Wagner. Originally
published in InternetWeek.
The software formerly known as Gator has been widely accused of being spyware.
We took a look for ourselves, and didn't like what we saw.
The spyware case against Claria comes down to
one of disclosure. Critics of the adware vendor say that Claria does not adequately
disclose to users the information it's collecting and how it will use that information.
Claria counters that its disclosures are complete.
We decided to see for ourselves. We downloaded
and installed two Claria applications from the company Web site: Weatherscope
and Date Manager. We also downloaded and installed a third product, the file-sharing
program Kazaa, which includes Claria software. We took a look
at the installation process, trying to see things with the eyes of an intelligent
but uninformed user.
Another frequent accusation against spyware is
that it actively fights against user attempts to uninstall it. We haven't heard
that accusation against Claria, but, in the name of completeness, we decided
to test how gracefully Claria uninstalled itself. As part of our testing, we
ran four separate anti-spyware programs, both before and after installing the
Claria software and Kazaa, to see how well Claria did at cleaning itself off
the system.
Even more confusingly, the EULA itself isn't
accurate as to what information Claria actually collects; it's a grab-bag of
some information Claria now collects, and other information that it used to
collect but has stopped collecting. Scott Eagle, Claria's chief marketing officer,
said the only information the company now collects is activity of "commercial
intent" — meaning online shopping and product research. The information is filed
by anonymous computer ID number. Claria does not collect user names, e-mail
addresses, credit card numbers, or ZIP codes.
Another thing that you're not told unless you
read the EULA: You're forbidden from using anti-spyware software to remove Claria
software from your PC. The only way you're permitted to remove it is by using
the Microsoft Windows Add/Remove Programs utility.
Simply including this important information in
a dense packet of fine print is insufficient notification.
Inadequate Disclosure
The installation screens say that Claria will display ads based on the sites
a user visits. But the installation screens do not say that, for as long
as the software is running, it will monitor the URL of every site the user visits
and report that information back to a Claria database.
That information is spelled out in a lengthy
End-User License Agreement (EULA), which very few users are likely to read.
The EULA also gives Claria the right to track — and report back — an inventory
of all the software on your PC and the first four digits of your credit card
number, so it knows which banks you use. The install screens also don't disclose
that the monitoring part of the application continues running even when users
shut down the useful part of the application.
The Claria EULA says, "In exchange for offering
you free software products, we collect anonymous usage information from your
computer that we and our partners may use to select and display pop-up and other
kinds of ads to you and to perform and publish research about how people use
the Internet."
Here's all the data Claria collects about users:
"GAIN collects certain non-personally identifiable information about your Web
surfing and computer usage. This includes the URL addresses of the Web pages
you view and how long you view Web pages; non-personally identifiable information
on Web pages and forms including the searches you conduct on the Internet; your
response to online ads; Zip code/postal code; country and city; standard web
log information and system settings; what software is on the computer (but no
information about the usage or data files associated with the software); software
usage characteristics and preferences; and, for Gator(R) eWallet users, your
first name and master password, if you choose to create one. For more information
regarding the data we collect, click: www.gainpublishing.com/rdr/70/datause.html...."
That page contains a couple of more pieces
of information on what Claria collects. In particular,
the Claria apps are monitoring the Web forms you fill out, and collecting the
first four digits of your credit card number, which tells it what bank you use.
They share the information with advertisers,
partners who give the company information for displaying search results, and
in "other limited circumstances" with "third parties who help us perform a business
function (their use of such information is limited by our internal policies
and/or confidentiality agreements, as applicable); to protect our rights, or
if under a legal obligation."
One egregious term of service, buried in
the license agreement: "You agree that you will
not use, or encourage others to use, any method to uninstall the Licensed Materials
other than through the use of the Add/Remove Programs feature of the Microsoft
operating system. Use of any robot, spider, other automatic or non-automatic
manual device or process intended to interfere or attempt to interfere with
the proper working of the Licensed Materials is prohibited."
In other words, if you install Claria software,
the only way you are permitted to uninstall it is through the Microsoft Windows
Add/Remove Programs. You are forbidden from uninstalling the software using
anti-spyware utilities. That's an outrageous imposition on the user, and it's
unfair to bury that in a EULA.
Eagle says that license provision is never enforced.
The Date Manager installation and uninstallation processes are virtually the
same as Weatherscope. Kazaa's installation and uninstallation is very similar
to the Claria programs. I won't talk about Kazaa much here, partially because
of the similarity and partially because Claria plans to sever its relationship
with Kazaa in a few weeks.
Uninstalling
For both Date Manager and Weatherscope, running
Add/Remove programs to remove programs did not immediately remove the entire
program.
A few seconds after completing the uninstall
process for Weatherscope, I got a warning from StartupMonitor indicating that
a program called GStartup registered the executable "c:\program files\common
files\gmt\gmt.exe" and "C:\Program Files\Common Files\CMEII\CMESys.exe." StartupMonitor
is a program I use to block software that tries to register itself to run at
system startup. Likewise, WebRoot SpySweeper notified me that a GAIN program
was trying to run — GAIN is the name of Claria's adware network.
Why were these applications running after
I'd already uninstalled Claria?
Eagle explained that it's a function of the architecture
of its products. Each package uses a separate ad-delivery and traffic-tracking
package, called GAIN. Each user is only required to run one copy of GAIN; if
you use two or more Claria applications, you only need to use one copy of GAIN
for all of them. The way to remove GAIN is to remove all of your Claria software.
Each time you remove a different Claria application, GAIN wakes up, and looks
around the PC to see if there are any Claria applications left on the PC. When
there are no more, GAIN automatically uninstalls itself.
So the activity I was seeing was GAIN automatically
uninstalling itself; if I'd waited a few seconds or minutes after uninstalling
the application to run WebRoot, I would have seen no activity, and no active
GAIN files, left on my PC.
And that was indeed what happened when I tested
Eagle's claims.
My anti-spyware software did detect other detritus
left by Claria after the uninstall process ran, including several registry entries
and a couple of log files. But this is not unusual behavior for any Windows
program; many perfectly legitimate programs leave some residue behind after
you've installed them; it's one of the reasons why some users install third-party
registry cleaners.
The bottom line: Claria did quite well in my
uninstall tests. The software requires user action to install — it doesn't just
install itself onto a computer when that computer visits a Web site, as some
of the worst spyware does. And the software uninstalls gracefully — it doesn't
resist uninstalling, as some of the worst spyware does.
Conclusion
Overall, I found Claria software to be easy to install and remove. But Claria
has the right to collect too much data about the user, and its disclosures about
what data it's collecting are too vague and inaccurate.
Claria makes a convincing case in interviews
and product literature that it takes its customer privacy seriously, but our
evaluation of its products — in particular, reading the End-User License Agreement
— tells a different story. Claria collects far too much information about user
activity, and is far too cavalier about disclosing what it collects.
I've removed Claria from my test computer. If
you're a consumer, I recommend you stay away from Claria's software, and if
you're a network administrator, keep it off your company network.
Read the in-depth report:
Claria Software Seeks Legitimacy
[Jul 27, 2005] Ben Edelman - Home
Details:
180solutions's
Misleading Installation Methods - Ezone.com
Lots of companies want to take advantage of users who may be a bit confused,
a bit naive, or a bit too quick to click yes. But where users are recruited
at sites catering to children, where ads look like Windows messages, or where
installation requests resort to misleading euphemisms, I'm not inclined to say
that consumers "consent" to the resulting ads and to the resulting transmission
of personal information.
[Jul 27, 2005] Ben Edelman - More on Google's Role: Syndicated
Ads Shown Through Ill-Gotten Third-Party Toolbars (June 6, 2005)
Google's "Software
Principles" set out reasonably high standards for notice and consent to
install advertising software. And Google's "Principles" strongly discourage
doing business (even indirectly) with companies that violate these rules. But
apparently Google wants others to do as they say, not as they do. In practice,
Google has large relationships with companies widely violating these rules.
In
More on Google's Role:
Syndicated Ads Shown Through Ill-Gotten Third-Party Toolbars, I offer two
separate examples of Google partners who break Google's Software Principles
rules. First, Ask Jeeves. AJ's toolbars are sometimes installed
without any consent at
all. But even when users supposedly consent, installation procedures are
often seriously
deficient. For example, users who download iMesh get an AJ toolbar too --
though the only way to find out is by scrolling to page 27 of iMesh's license.
These practices notwithstanding, Google's
payments to
AJ apparently total hundreds of millions of dollars per year.
[Diagram: PPC advertisers -> Google AdWords -> Go2Net -> IBIS WebSearch, with money flowing down the chain and viewers flowing back up it at each link]
Second, the IBIS WebSearch toolbar installs in
a variety of ways
that don't meet Google's standards -- including security exploits, poorly-disclosed
bundles, and ActiveX popups. But IBIS also shows many Google ads, obtained from
Google through InfoSpace's Go2Net.
I see at least two distinct problems here. First,
Google's payments are helping to fund purveyors of unwanted software -- making
the spyware problem that much larger. Second, even advertisers who hate spyware
are inadvertently advertising through these channels -- intending to rely on
Google's promise of "high-quality" partner sites, although this promise may
be overly optimistic.
Perhaps Google will make excuses for its so-called
"partners." But the company's "don't
be evil" slogan and its Software Principles document suggest another possibility:
That Google entirely disassociate itself from those who use tricky practices
to get their advertising software onto users' PCs. Stay tuned.
Continued:
Details on installation methods; Google's rules; big money; enforcement challenges.
[Jul 27, 2005]
Spyware Warrior
Rogue-Suspect Anti-Spyware Products & Web Sites
Vendors of "rogue/suspect" anti-spyware products
advertise heavily via Google's "AdWords"
("Sponsored Links" on Google's own search pages) and "AdSense"
(Google-driven advertising delivered to third-party web sites).
Users should be aware that a search on the term
"spyware"
(or any related term) at Google will turn up
a variety of anti-spyware products and web sites -- some reliable and trustworthy,
some not. The key to distinguishing trustworthy anti-spyware products and sites
from non-trustworthy products and sites in Google's search results is learning
to distinguish "regular search results" from "paid search results," otherwise
known as "Sponsored Links."
[Jul 26, 2005] WinRAR
recommended software list
Spyware Doctor is a top-rated malware & spyware
removal utility that detects, removes and protects your PC from thousands of
potential spyware, adware, Trojans, keyloggers, spybots and tracking threats.
Protect your privacy and computing habits from prying eyes and virtual trespassers
with the help of Spyware Doctor.
[Jul 26, 2005]
Spyware Doctor - User reviews and free download at Download.com Found a bug
that AdAware didn't
11-Apr-2005 09:24:27 AM
Reviewer:
The Doober
Pros:
Everything about this program warrants high marks: it's easy to install and
use, scans relatively quickly, slick looking interface, and IT'S FREE!! I honestly
thought the free scanner market was monopolized by AdAware and Spybot, looks
like they have competition now. SpyDoctor found a tracking cookie that AdAware
missed but they all find bugs that others miss. I'm sure that AdAware and Spybot
will tag something that SpyDoctor doesn't someday.
PcTools makes excellent products you can trust.
I also have RegMechanic and it's a fine product as well.
Thanks to steve89z for recommending this fine
product. :)
Cons:
None. And I really do mean that.
I also use AdAware, Spybot, and Bazooka for spyware
scanning, AntiVir for virus/trojan scanning, and Hijack This! for browser hijackers.
All are free and can be found on this site.
THE SINGLE BEST WAY TO KEEP ADWARE OFF YOUR COMPUTER:
Use a web browser OTHER than Internet Explorer. I personally and highly suggest
Mozilla Firefox.
Microsoft Windows AntiSpyware (Beta) Home
Microsoft Windows AntiSpyware (Beta) is a security
technology that helps protect Windows users from spyware and other potentially
unwanted software. Known spyware on your PC can be detected and removed.
This helps reduce negative effects caused by spyware, including slow PC performance,
annoying pop-up ads, unwanted changes to Internet settings, and unauthorized
use of your private information. Continuous protection improves Internet browsing
safety by guarding more than 50 ways spyware can enter your PC. Participants
in the worldwide SpyNet™ community play a key role in determining which suspicious
programs are classified as spyware. Microsoft researchers quickly develop methods
to counteract these threats, and updates are automatically downloaded
to your PC so you stay up to date.
[Jul 25, 2005]
Resources Ad
Blocking Resources
Last Updated: Jul 17 '05
IE-SPYAD adds a long list of sites and
domains associated with known advertisers, marketers, and crapware pushers to
the Restricted sites zone of Internet Explorer. Once you merge
this list of sites and domains into the Registry, the web sites for these companies
will not be able to use cookies, ActiveX controls, Java applets, or scripting
to compromise your privacy or your PC while you surf the Net. Nor will they
be able to use your browser to push unwanted pop-ups, cookies, or auto-installing
programs on your PC.
Please note that IE-SPYAD is not an ad
blocker. It will not block standard banner ads in Internet Explorer.
What this Restricted sites list of known advertisers and crapware pushers
will do, however, is:
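As an added example (not part of the IE-SPYAD package or of this page), the script below builds a .reg file that puts a list of ad and crapware domains into the Restricted sites zone the same way IE-SPYAD does, and a matching set of hosts-file lines for the case where you want the connection blocked outright rather than merely sandboxed (the zone map, as the text says, will not stop banner ads; a hosts entry will). The registry layout is the real one: ZoneMap\Domains\<domain>\<host> with a "*" DWORD whose value 4 means the Restricted sites zone. The domain list is constructed, and the two-label split assumes ordinary .com-style names, so it will get co.uk-style domains wrong.

```python
"""Build IE-SPYAD-style Restricted-zone entries (plus hosts-file lines).

Added example, not IE-SPYAD's own list: SAMPLE_DOMAINS is constructed.
"""

# Internet Explorer ZoneMap zone ids: 1 intranet, 2 trusted, 3 internet, 4 restricted
RESTRICTED_ZONE = 4
ZONEMAP_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")


def zonemap_subkey(domain: str) -> str:
    r"""Registry key for a domain in the ZoneMap.

    IE stores 'ads.example.com' as Domains\example.com\ads: the registrable
    domain is the key and any remaining host labels become a subkey.
    Assumption: a plain two-label split, so 'foo.co.uk' is NOT handled.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"need at least a second-level domain: {domain!r}")
    base = ".".join(labels[-2:])
    host = ".".join(labels[:-2])
    return f"{ZONEMAP_KEY}\\{base}" + (f"\\{host}" if host else "")


def restricted_zone_reg(domains) -> str:
    """Text of a .reg file (regedit 5 format, CRLF) that drops each domain
    into the Restricted sites zone for every URL scheme ('*')."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for d in sorted({d.lower() for d in domains}):
        lines.append(f"[{zonemap_subkey(d)}]")
        lines.append(f'"*"=dword:{RESTRICTED_ZONE:08x}')
        lines.append("")
    return "\r\n".join(lines)


def hosts_block_lines(domains):
    """hosts-file entries that blackhole the same names. Unlike the zone map
    this stops the connection altogether (banner ads included), but it is
    exact-match only: no wildcard covers subdomains you did not list."""
    return [f"0.0.0.0 {d}" for d in sorted({d.lower() for d in domains})]


# Constructed sample list (the .test TLD is reserved, so nothing real is named)
SAMPLE_DOMAINS = ["ads.example-adnetwork.test", "Tracker.Example.test",
                  "example-crapware.test"]

if __name__ == "__main__":
    print(restricted_zone_reg(SAMPLE_DOMAINS))
    print("\n".join(hosts_block_lines(SAMPLE_DOMAINS)))
```

Merge the generated file with regedit (or `reg import`), then confirm in Internet Options > Security > Restricted sites that the names appear; the hosts lines go into %SystemRoot%\system32\drivers\etc\hosts. 0.0.0.0 is used rather than 127.0.0.1 so that blocked requests fail immediately instead of waiting on a local listener.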
[Jul 25, 2005] Spyware-Guide.com
Products with ActiveX
[Jul 25, 2005] Internet
Explorer Hardening Guide
[Jul 25, 2005]
Spyware removal tools Page 1
When you've got malware on your computer, you
don't want to mess around. Any time spent getting rid of it is time that could
have been spent on more important things. If there's one program that works
well and does a thorough job, use it and move on with your life. Simply put,
Ad-Aware is that program. Given its quality and its price, it's hard to come
up with reasons to use another program. Unless you require a resident scanner,
Ad-Aware is the clear choice.
With all of this information presented about
getting rid of malware, some things should be noted about not getting it in
the first place. The built-in "immunization" features of several of these programs
can help with part of the problem, but they can't block everything. There are
many examples of malware which don't seep in through cracks in your web browser;
you have to be the one to install them.
If you haven't already, read the
first article
in this series. Learn how to identify malware before it infects your computer.
Start practicing "skeptical computing." You own your computer; it doesn't own
you. As long as you remember this, you can keep your computing experience problem-free
for a long time.
[Jul 21, 2005]
Notice to Spybot S&D users!
- I Am Not A Geek Forums
As with previous versions
of Spybot Search&Destroy the new and noticeably improved version 1.4 has some
ignored products which I recommend you uncheck after you are done updating it.
As seen on the attached screenshot:
1) Click on Mode and choose Advanced
mode and click Yes at the prompt.
2) Click on Settings >
Ignore products > All products
tab (default)
3) Uncheck all the selected boxes (products).
4) Once done you could change the Mode back to Default mode
*** Note: As of this post, these 4 are the ignored products:
~ CDilla (2 instances)
~ New.Net
~ SideStep
[Jul 18, 2005]
PC Hell How to Remove WeatherBug
WeatherBug is a software program powered by AWS
WeatherNet that provides weather updates (for American cities) from a small
icon in the systray. WeatherBug gives you current weather conditions, your local
weather report, and storm alerts, however the free version is ad-supported containing
both banner and pop-up ads. In some cases, it installs the My Search toolbar.
Currently there are two versions of Weatherbug, a version 5 and a version 6.
Weatherbug is installed as a secondary application
with many popular pieces of software including AOL Instant Messenger.
See also
[Dec 16, 2004]
Microsoft
acquires anti-spyware leader GIANT Company Software, Inc. Beta of Microsoft
antispyware tool is expected in Feb, 2005
Microsoft Acquires Anti-Spyware
Leader GIANT Company
New Offerings Will Help
Customers Keep Spyware and Other Deceptive Software Off Their Computers
REDMOND, Wash. -- Dec. 16, 2004 --
Microsoft Corp. today announced that it has acquired
GIANT Company Software Inc., a provider of top-rated anti-spyware and Internet
security products. Microsoft will use intellectual property and technology assets
from the acquisition to provide Microsoft® Windows® customers with new tools
to help protect them from the threat of spyware and other deceptive software.
In addition, key personnel from GIANT Company will be joining Microsoft's security
efforts.
"Spyware is a serious and growing problem for
PC users, and customers have made it clear that they want Microsoft to deliver
effective solutions to protect against the threat," said Mike Nash, corporate
vice president of the Security Business and Technology Unit at Microsoft. "Through
this acquisition we're excited to be able to provide near-term relief to Windows
customers by offering new technology to help keep spyware and other deceptive
software off their PCs."
Microsoft plans to make available to Windows
customers a beta version of a spyware protection, detection and removal tool,
based on the GIANT AntiSpyware product, within one month. The upcoming beta
will scan a customer's PC to locate spyware and other deceptive software threats
and enable customers to remove them. The tool will be configurable to
block known spyware and other unwanted software from being installed on the
computer. It will be available for Microsoft Windows 2000 and later versions.
Description
of the Windows 2000 Recovery Console
Every 5th Call At Dell Is Spyware-Related
As a local (retail) PC Tech... (Score:4, Informative)
by Arctech (538041) on Sunday October 17, @07:13PM (#10552690)
...I fully concur with that estimation, if not higher.
At least 8 of the 10 computers that I fix follow this routine:
Update and run AV program, if possible.
Install Adaware, update, run.
Install Spybot S&D, update, run.
Run CWShredder.
Fire up a HijackThis! log and manually remove the leftovers.
I'm getting pretty damn good at filtering out the hijackthis logs,
too. Seriously, if you familiarize yourself with spyware removal,
you could make a killing on the home PC market. Manufacturers won't
help you with spyware. It's getting to the point where the retail chains
and PC shops won't deal with it either; they'll simply offer you a format/reinstall.
Re: Oh yeah, spyware is OUT OF CONTROL! (Score:5, Informative)
by King_TJ (85913) on Saturday January 03, @09:11PM (#7870265)
I can personally attest to this. I've been doing on-site PC service
for a local company for the last couple months, and our #1 call by far
is for problems that end up being spyware/ad-ware related.
In my experience, SpyBot works extremely well, but it has a few
quirks in its interface that lead people to not get everything cleaned
up that it can clean up.
Most importantly, when it finds spyware it tells you requires a reboot
to remove, you'll notice that it rescans everything during the system
restart. The thing is, though, it isn't *removing* everything during
this stage. It's only setting itself up so it *can* remove what it finds
successfully, if you click to "fix problems" on its console window after
everything finishes and the Windows desktop comes back up!
Also, I'm seeing more and more virii/trojan horse type infections that
are smart enough to kill processes of any known virus scanner. These
wouldn't have the chance to infect a PC in the first place if people
kept their virus scanner running and updated, but many people don't.
Then when someone like myself comes in and tries putting an updated
one on the PC, the install won't even complete successfully. (This also
manifests itself as a scanner that shows itself as "disabled" in the
system tray, but which won't ever stay enabled when you try to toggle
it back on.)
I'm at a loss as to why Symantec, McAfee, AVG, and the other popular
scanners don't allow doing a "reboot and scan/remove virii before system
startup", so the virus code can't get a jump on the scanner??
Re:As a local (retail) PC Tech... (Score:2)
by user no. 590291 (590291) on Sunday October 17, @07:19PM (#10552718)
I usually follow that with an installation of
Enough is Enough [uiuc.edu],
SpywareBlaster [javacoolsoftware.com], the combination of which
pretty much neuters IE (but provides an easy way to add the sites that
only work with IE to Trusted Sites from a menu), and Firefox, making
it the default browser.
Re:Spyware a necessary evil for some (Score:5, Informative)
by Zocalo (252965) on Saturday January 03, @07:11PM (#7869739)
Care to justify that stance?
I can think of one, just ONE example where this is the case. The
Google Toolbar
[google.com]. It's an incredibly useful thing if you can use it (only
works with IE5.5 or better) but it does contain one optional
feature that might be classed as "Spyware". Specifically, in return
for providing Google with some details of your browsing habits you gain
access to some PageRank related features. Google does however provide
extensive clickthroughs and documentation that detail just what this
entails, which is more than most of the crap out there with a penchant
to phone home.
Read the license or web to avoid spyware (Score:3, Insightful)
by samdaone (736750) on Saturday January 03, @07:54PM (#7869928)
Most apps that install spyware usually have something in their
license that says "we have the right to install whatever we want on
your system". When a license says something like that I usually
back away and not install it. There is a certain sense of apathy
where people no longer read the End User License Agreement, but with
freedom, and freedom from spyware, you must read the EULA and make sure
a phrase like this is not present.
Granted EULAs are usually long and cumbersome and rightfully so, that
is what makes most end user just click 'accept' right away. Also if
you search the program you want to install on the web you may come up
with a review or someone else stating that spyware is installed with
it.
A majority of spyware programs are installed with legally questionable
software, file sharing. To minimize your chances of installing spyware
do not install any "legally" questionable software and read the EULA!
In case of broken links
please try to use Google search. If you find the page please notify
us about new location
****
Yahoo! Directory: Internet Issues > Spyware and Adware. The Yahoo IE toolbar is the
only toolbar with some (primitive) anti-spyware capabilities.
**** Spyware - Wikipedia, the
free encyclopedia -- general spyware information
**** Anti-Spyware Guide
Good collection of relevant links. Recommended
Ad-Aware SE Personal -
Software - Lavasoft
The home of Spybot-S&D!
PC Hell Spyware and Adware
Removal Help
PestPatrol: the home of PestPatrol; the site contains a good database of known spyware.
Dealing with Unwanted Spyware
and Parasites
[PDF]
Chapter four Dealing with "spyware residue" Looking for remnants
SpywareInfo has a good forum
Support Forums - Security
Warnings
List of all known Browser
Helper Objects
Cexx.org
Spyware-Guide.com: a useful site that provides new information on this topic;
list of known spyware.
SysInfo.org -- list of all known BHOs
Symantec Security
Response - Adware.Binet
and.doxdesk.com (http://www.doxdesk.com/parasite/)
CounterExploitation (http://cexx.org/adware.htm)
PestPatrol (http://www.pestpatrol.com/)
Spyware Guide (http://www.spywareguide.com/)
Dealing
with Unwanted Spyware and Parasites
Browser Helper Objects
The
Esposito article is still the best reference for BHOs. See also
BHODemon
1.0
Freeware downloads Security-Privacy - Internet Cleanup Tools at Spychecker.com
Slashdot The Battle Against Junk Mail and Spyware
SimplytheBest
Spyware information spyware cleaners
Spyware Free
Spy Software Blocking Tool
There is extensive info about spyware at
https://grc.com/optout.htm .
This
article and this website describe the
Platform for Privacy Preferences (P3P) project.
Unsolicited Commercial Software Detector -
http://and.doxdesk.com/parasite/
"There are a lot of dodgy programs out there that may get installed on users'
computers without their knowledge or consent. Many applications described as
"freeware" come infested with parasitic software that latches onto the web browser,
provides little or no benefit to the user and can: plague you with unwanted
advertising, watch and report on everything you do on your PC, open security
holes on your PC, degrade performance just to mention a few."
Spyware-AdWare-Malware FAQ and Removal Guide - Table of Contents
and Introduction
Spyware: what you need to know
2004 Introductory paper from SANS GIAC submissions.
Monitoring Registry
Changes - Page 1-3
CERT Home
Computer Security (recommended read)
Special Information about dealing with RapidBlaster Download:
RbKiller.exe
[more info]
Home Page Hijacking Advice from Sandi Hardmeier:
http://209.68.48.119/inetexplorer/answers.htm#home_page
"This advice covers two types of home page locking - hijacking (by web sites) and
locking (by ISPs when you install their software, and computer manufacturers)"
http://209.68.48.119/inetexplorer/Darnit.htm#hijackings Sandi's LOP (scumware)
Uninstall Advice
http://209.68.48.119/inetexplorer/Darnit.htm#lop
eTrust Spyware Encyclopedia - ABetterInternet
eTrust Spyware Encyclopedia - ABetterInternet.Ceres
Symantec Security
Response - Adware.Binet
SpywareInfo Support
Forums - Security Warnings
ABetterInternet.B shows advertisements based
on the web pages you view and the web sites you visit. ABetterInternet.B may
update itself without any input or user interaction, install third party software
and add links to your desktop. It will also hijack the browser's error page.
From the developer: During the process of accepting this Agreement, downloading
and/or using the Software, you may be offered the opportunity by BetterInternet
to download software ("Third Party Software") from third party software vendors
("Third Party Vendors") pursuant to the terms of sublicense agreements or other
arrangements between BetterInternet and yourself or between the Third Party
Vendors and yourself ("Third Party Software Agreements"). To enable BetterInternet
to provide its Software, BetterInternet collects certain types of non-personally
identifiable information about individuals who are served ads by the Software.
By installing the Software, you understand and
agree that the Software may, without any further prior notice to you, automatically
perform the following: display advertisements of advertisers who pay a fee to
BetterInternet; display links to and advertisements of related websites based
on the information you view and the websites you visit; store non-personally
identifiable statistics of the websites you have visited; redirect certain URLs
including your browser default 404-error page to or through the Software; automatically
update the Software and install added features or functionality conveniently
without your input or interaction; and install desktop icons and installation
files and third-party software.
Source: Bazooka spyware database entry for ABetterInternet.B
Classification: Adware
Files: Belt.exe, Belt.ini
Vendor: BetterInternet Inc
Variants: ABetterInternet, ABetterInternet.B, ABetterInternet.C, ABetterInternet.D, ABetterInternet.E
End User License Agreement: 2003-11-22
Privacy policy: 2003-11-22
Detection: Bazooka Adware and Spyware Scanner detects ABetterInternet.B. Bazooka is freeware and detects
spyware, adware, trojan horses, viruses, worms, etc.
Manual removal
Please follow the instructions below if you would
like to remove ABetterInternet.B manually.
- Start the registry editor. This is done by clicking Start then Run. (The
Run dialog will appear.) Type regedit and click OK. (The registry editor will
open.)
- Browse to the key:
'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
- In the right pane, delete the value called 'Belt', if it exists.
- Exit the registry editor.
- Restart your computer.
- Delete %WinDir%\Belt.exe
Note: %WinDir% is a variable. By default, this is C:\Windows (Windows
95/98/Me/XP) or C:\WINNT (Windows NT/2000).
- Start Microsoft Internet Explorer.
- In Internet Explorer, click Tools -> Internet Options.
- Click the Programs tab -> Reset Web Settings.
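The StartupMonitor observation in the Claria review above (GStartup registering gmt.exe and CMESys.exe at startup) and the "delete the Belt value under Run" step just given are the same check: what is in the Run keys, and does it belong there. The script below is an added example, not Bazooka's or this page's code. It parses a `reg export` dump of the two Run keys, flags entries whose executable is one of the loaders this page names, and writes the .reg that deletes those values (`"Name"=-` is regedit's delete-value syntax, so the removal can be reviewed before it is merged). The export text is constructed, and KNOWN_BAD_IMAGES holds only the three names from this page, so treat it as a starting point rather than a database. It covers the registry half only; the file under %WinDir% still has to be deleted after the reboot, as the steps above say.

```python
"""Audit Windows Run keys from a `reg export` dump and emit a removal .reg.

Added example (not Bazooka's or this page's code). SAMPLE_EXPORT is a
constructed dump; KNOWN_BAD_IMAGES holds only the loaders this page names.
"""
import re

RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}
KNOWN_BAD_IMAGES = {            # executable basename -> family (from this page)
    "belt.exe": "ABetterInternet.B",
    "gmt.exe": "Claria GAIN (GMT)",
    "cmesys.exe": "Claria GAIN (CMESys)",
}

# "Name"="Value" as written by regedit; both sides may contain \" and \\ escapes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text: str) -> dict:
    """Return {(key, value_name): command} for every string value under a Run key."""
    found, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current in RUN_KEYS:
            m = VALUE_RE.match(line)
            if m:
                found[(current, _unescape(m.group(1)))] = _unescape(m.group(2))
    return found


def image_name(command: str) -> str:
    """Executable basename of a Run command: handles quoted paths, unquoted
    paths containing spaces, and trailing arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
        path = m.group(1) if m else cmd.split(" ")[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(reg_text: str) -> list:
    """Flag Run entries whose executable is a known adware loader."""
    hits = []
    for (key, name), command in parse_run_values(reg_text).items():
        img = image_name(command)
        if img in KNOWN_BAD_IMAGES:
            hits.append({"key": key, "value": name, "image": img,
                         "command": command, "family": KNOWN_BAD_IMAGES[img]})
    return hits


def removal_reg(hits: list) -> str:
    """.reg text deleting the flagged values ("Name"=- removes a value)."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({h["key"] for h in hits}):
        out.append(f"[{key}]")
        for h in sorted(hits, key=lambda h: h["value"]):
            if h["key"] == key:
                out.append(f'"{h["value"]}"=-')
        out.append("")
    return "\r\n".join(out)


# Constructed `reg export` output: three loaders named on this page plus two benign entries
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Belt"="C:\\WINDOWS\\Belt.exe"
"CMESys"="\"C:\\Program Files\\Common Files\\CMEII\\CMESys.exe\""
"GStartup"="C:\\Program Files\\Common Files\\GMT\\GMT.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe\" /tray"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    found = audit(SAMPLE_EXPORT)
    for h in found:
        print(f'{h["family"]:24} {h["value"]:10} -> {h["command"]}')
    print(removal_reg(found))
```

Produce the input with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKCU key), run the script, read the generated deletions, then merge them. Anything the script does not flag but that you do not recognise is still worth a look; a known-bad list only catches what has already been named.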
Twain-Tech abettinternet Transponder Variant
HijackThis! Log
Analyzer V1.1
We ARE
logging all submissions to this system to help us better serve you. We are now
giving you a reference
URL at the top of every
log file which you can post in forums instead of reposting your complete
log file. Also our staff will be sorting through these logs to add additional
entries to the various databases we are searching. This means that with every
new log you are contributing to these databases! We are looking for additional
staff for building these DB's. If you are interested please help people in our
HJT forum for a while and then PM an admin saying you'd like to help.
Databases being searched:
http://service.iamnotageek.com/
http://startup.iamnotageek.com/
http://www.iamnotageek.com/a/file_info.php
Tony Klein's BHO DB + our own additions.
Any feedback you can give us is appreciated! Please remember this is version
1.1 and we need some fresh new ideas for V2.0. Our primary goal for now will
be adding as much data as we possibly can to the DB's.
Please paste your HJT log into this form. We will parse
it and return some information that should help you determine what needs to
be removed and what you can keep. Our DB was built to cover only the most popular
filenames. Anything that appears to be a random filename is most likely bad!
Anything not linked to in this system will need further investigation by you.
You should always read and live by what we posted
here.
If you need further assistance please take your logs
here.
Here is a link to the Cease & Desist letter (PDF).
Vitalsecurity.org - A Revolution is the Solution Exploring Aurora
Threats
Against Spyware Detectors, Removers, and Critics
Geeks To Go - abetterinternet, ceres, apropos, etc
ABetterInternet.imGiant
Twain-Tech abettinternet Transponder Variant
Webhelper4u
- Webhelper4u - The VX2 Direct Revenue-aBetterInternet Fifth Columnists Transponder
Gang
Spyware-Guide.com AbetterInternet
According to PestPatrol "VX2 is an IE Browser Helper Object. It monitors web
pages requested and data entered into forms, sends this information to its home
server, and opens pop-up advertisement windows. It also has the capability to update
itself and install other software. There are two variants of this parasite with
different file and internal names, but both work identically." See
eTrust PestPatrol Pest Encyclopedia
- VX2. Adaware has a plug-in that addresses this pest (see below)
Wired News
Spyware, In a Galaxy Near You
VX2's spyware program comes bundled with other
software. Audio Galaxy, a company that makes Napster-style file-sharing software,
delivered it for a short time last fall, but says it no longer does so.
The VX2 program is currently bundled with a free
screensaver program from Aadcom, an Internet
advertising company, and may be included in other popular file-sharing programs.
Like other spyware, the program, once installed,
tracks which websites the user visits, and reports the information back to the
company's servers to build a user profile. It also serves pop-up ads so they
appear to be coming from websites that don't actually serve the ads.
But that's not all it does. According to VX2's
own privacy policy, "VX2's software
also collects some information from online forms that you fill out."
The policy statement assures users it has engineered
the program not to collect sensitive data, such as credit card numbers. However,
"if such data were -- despite VX2's best efforts -- ever inadvertently collected,
VX2 would immediately purge such information from its database."
But that should offer little comfort, according
to privacy expert Richard Smith, because there's really no way to verify what
VX2 does with the data it collects.
"The privacy policy says a lot of nice things,"
Smith wrote in an e-mail, "but I am not sure what to believe because the company
refuses to identify itself, and the e-mail address given in the privacy policy
does not appear to be valid."
A similar flap arose a
few weeks ago over "ClickTillUWin" spyware bundled with
file-sharing programs Kazaa, BearShare and LimeWire.
But VX2 may be even more dangerous.
Trying to get to the bottom
of who is behind VX2, what information it collects and what
it does with it is a case study in just how insecure a place
the Internet can be.
The only contact information
available on the company is a Hotmail address and a post
office box in Las Vegas, Nevada. The address belongs to
a company that specializes in setting up corporate shelters.
E-mail to the Hotmail address went unanswered.
Even
Audio Galaxy,
which bundled VX2's software with its software for a 34-day
period ending Nov. 4, 2001, said it doesn't know anything
about VX2. Audio Galaxy spokesman Michael Merhej said he
had never even heard of VX2 until he received an angry inquiry
about it earlier this week from the editor of a website
called Portal of
Evil.
"We know nothing about VX2,"
Merhej said. The VX2 program file (called vx2.dll) was part
of an advertising graphics enhancer made by the Onflow Corporation,
he said. Audio Galaxy offered the Onflow program as part
of its software package from Oct. 1 through Nov. 4, 2001,
Merhej said. The partnership was cancelled due to unpaid
bills.
Advertising Spyware VX2 RespondMiter (vx2.dll)
- Blackstone Data Transponder - Sputnik - Aadcom - NetPal - TPS108
It is hard to tell where
this piece of spyware originated. It was first seen as Blackstone Data's Transponder,
but repackaged versions of the same product are popping up under several different
companies. It is currently distributed under these names:
- Transponder (Blackstone Data Corp.)
- VX2 / RespondMiter / Sputnik
(VX2 Corp.)
- AADCOM Extreme Targeting (Aadcom
Corp.)
- NetPal (NetPalNow / Mindset Interactive)
- TPS108 Transponder (tps108.org),
for DigitalRooster.com - Deceptively labeled as a "free movie viewer" to
see "hardcore adult content".
Software
- Lavasoft
Lavasoft’s new plug-in VX2 Cleaner detects the malware VX2 and offers you the
ability to remove it from your computer. Some users have experienced a very
difficult variant of VX2 which cannot be removed by Ad-aware. For those users who
have this variant, we have developed a plug-in to help you remove this VX2 variant.
This VX2 variant registers itself in a way which gives it system privileges. It
also prevents the user from viewing this information by removing the user’s rights
to do so. Furthermore it constantly monitors the registry and prevents any attempts
to remove its associated values. This makes it very difficult for the user to
manually remove it.
The VX2 Cleaner works with all editions of Ad-Aware 6 build 181.
How to use Lavasoft’s VX2 Cleaner plug-in
1. Close Ad-Aware 6 build 181 and Ad-Watch (if running)
2. Download the free VX2 Cleaner here
3. Install the VX2 Cleaner
4. Start Ad-Aware 6 build 181
5. Go to “Plug-ins”
6. Select the VX2 Cleaner plug-in and click “Run Plugin”
7. If your computer isn’t infected, click “Close”.
BHOs are similar to programs that run from autoexec.bat, but they are loaded when
Internet Explorer starts rather than when DOS boots. The MS article
Browser Helper Objects: The Browser the Way You Want It explains the concept.
Spyware BHOs can conflict with other running programs, cause a variety of
page faults, run-time errors, and the like, and generally impede browsing performance.
BHOList
contains the list of known BHOs, classified into several categories.
To view the list of the BHOs that are installed on your machine you can use
HijackThis or the more specialized program BHODemon (freeware).
Example 1: The LOP spyware creates random BHO identifiers (as well as
correspondingly named files). Registry entries look something like this:
{1A35419C-7394-4989-B3C5-6189EB06BD66} - ssshwckfrngl.dll
or
{9633C13D-85BB-4271-83C1-F22BC2938585} - llbrquistglc.dll
or
{DCF6B0CF-5312-42B2-B783-971C107F8B91} - kstilypsm.dll
Be aware of this possibility if you discover unknown BHOs with random-looking names.
Several other spyware products use random or semi-random BHO names as well.
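The BHO enumeration and the LOP example above can be turned into a small offline audit. The following is an added example written for this page, not code from BHODemon, HijackThis or any other tool named here: it parses a registry export of the two keys involved (the Browser Helper Objects registration key, one subkey per CLSID, and each CLSID's InprocServer32 key, whose default value is the DLL path) and flags DLL names that look machine-generated the way LOP's do. The sample export is constructed; its first CLSID and DLL name are the LOP entry quoted above, while the second CLSID and "ExampleVendor" DLL are invented for contrast and belong to no real product. The vowel-ratio heuristic is the editor's own and will also flag some terse legitimate names, so a hit means "look this CLSID up in the BHO list", not "this is spyware".

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what `reg export` of the BHO registration key and the
# matching CLSID\...\InprocServer32 keys looks like. The first CLSID and DLL
# name are the LOP entry quoted in the text; the second entry is an invented,
# benign-looking helper (not any real product's CLSID) included for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A35419C-7394-4989-B3C5-6189EB06BD66}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}]

[HKEY_CLASSES_ROOT\CLSID\{1A35419C-7394-4989-B3C5-6189EB06BD66}\InprocServer32]
@="C:\\WINDOWS\\system32\\ssshwckfrngl.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\ExampleHelper.dll"
"ThreadingModel"="Apartment"
"""

# Key under which IE looks up BHOs to load (one subkey per CLSID); the DLL path
# is the default value of the CLSID's InprocServer32 key.
BHO_KEY_FRAGMENT = r"\Explorer\Browser Helper Objects\{"
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
INPROC_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$")
VOWELS = set("aeiou")


def parse_reg_export(text: str) -> Dict[str, str]:
    """Return {CLSID: DLL path} for every BHO registered in a .reg export."""
    bho_clsids: List[str] = []
    servers: Dict[str, str] = {}
    current_clsid = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_clsid = None
            if BHO_KEY_FRAGMENT in line:
                m = GUID_RE.search(line)
                if m:
                    bho_clsids.append(m.group(0).upper())
            else:
                m = INPROC_RE.match(line)
                if m:
                    current_clsid = m.group(1).upper()
        elif current_clsid and line.startswith('@="') and line.endswith('"'):
            # Default value of InprocServer32; .reg files escape each backslash as \\
            servers[current_clsid] = line[3:-1].replace("\\\\", "\\")
    return {c: servers.get(c, "<no InprocServer32 found>") for c in bho_clsids}


def looks_random(dll_path: str) -> bool:
    """Heuristic for machine-generated names like LOP's ssshwckfrngl.dll:
    almost no vowels, or a long run of consonants. Terse legitimate names can
    trip it too, so treat a hit as "look this CLSID up in the BHO list"."""
    name = dll_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem = re.sub(r"\.dll$", "", name)
    letters = "".join(c for c in stem if c.isalpha())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_consonant_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.25 or longest_consonant_run >= 5


def audit_bhos(text: str) -> List[Tuple[str, str, bool]]:
    """(CLSID, DLL path, suspicious?) for every BHO found in the export."""
    return [(clsid, path, looks_random(path)) for clsid, path in parse_reg_export(text).items()]


if __name__ == "__main__":
    for clsid, path, flagged in audit_bhos(SAMPLE_REG):
        print(("SUSPECT " if flagged else "        ") + clsid + "  " + path)
```

On a real machine you would feed the script the output of exporting those two keys rather than the constructed sample; the point of the heuristic is only to sort a long list so that the entries worth checking against BHOList or Sysinfo.org come first.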
Example 2: Vx2 and its derivatives (Data Transponder, etc.).
Vx2 is a browser helper object (BHO) that was included in the AudioGalaxy Satellite
file-sharing system, but a user outcry got it removed in November 2001. Today, vx2
and its variants can be found in a "free" viewer for adult video content and the
"free" products from Mindset Interactive. According to
PestPatrol, "it is hard to tell where this
piece of spyware originated. It was first seen as Blackstone Data's Transponder,
but repackaged versions of the same product are popping up under several different
companies." PestPatrol lists the aliases of the code and the sources of each as Transponder
from Blackstone Data; vx2, RespondMiter and Sputnik from VX2 Corp.; Aadcom Extreme
Targeting from Aadcom; and NetPal from NetPalNow and also Mindset Interactive.
Recommended Links:
- Browser Helper Objects: The Browser the Way You Want It -- Microsoft article
explaining the concept.
- Sysinfo.org - the home of the BHO database (Sysinfo.org/BHO search list).
- BHODemon 2.0. BHODemon, our free program that lets you monitor and disable
"Browser Helper Objects", is featured in the 12/1/2001 issue of the weekly
Lockergnome newsletter. Click here to learn why you need this program! (For
current users, here is the list of all known BHOs.)
- BHO Cop, a PC Magazine Utility Library utility, which gives you the ability to
find out what BHOs are attached to your copy of Internet Explorer, and then
empowers you to kill (disable) any BHO you find suspicious. Simply install and
run BHO Cop (download here) to see a list of BHOs attached to Internet Explorer.
To disable a BHO, uncheck the box next to its name. When you're finished managing
BHOs, just click Exit.
IE-SPYAD: Restricted Sites List for Internet Explorer
IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of known advertisers,
marketers, and spyware pushers to the Restricted sites zone of Internet Explorer.
Once IE-ADS.REG is "merged" into your Registry, most direct marketers and spyware
pushers will not be able to resort to their usual "tricks" (e.g., cookies, scripts,
popups, et al) in order to monitor and track your behavior while you surf the Net.
IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of sites and domains
associated with known advertisers, marketers, and crapware pushers to the Restricted
sites zone of Internet Explorer. Once this list of sites and domains is "merged" into
your Registry, most marketers, advertisers, and crapware pushers on the Net will not
be able to use cookies, ActiveX controls, Java applets, or scripting to compromise
your privacy or your PC while you surf the Net. Nor will they be able to use your
browser to push unwanted pop-ups, cookies, or auto-installing programs on you.
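The mechanism IE-SPYAD relies on is worth seeing concretely, both to build a smaller list of your own and to audit what a merged file actually did. The following is an added example written for this page, not IE-SPYAD's own IE-ADS.REG or any code from its author. It assumes, from the editor's knowledge of Internet Explorer rather than from anything stated above, that per-user zone assignments live under HKEY_CURRENT_USER\...\Internet Settings\ZoneMap\Domains, one subkey per registrable domain with an optional host subkey beneath it, and that a value named "*" (or "http"/"https") holds the zone number, 4 being Restricted sites. The domain list is constructed from RFC 2606 example names. The parser in the second half is the defender's counterpart: it reads any export of that key back and points out hosts that were placed in the Trusted sites or Local intranet zones, which is what a hijacker does to loosen security for its own site.

```python
import re
from typing import Dict, Iterable, List

# Assumption, from the editor's knowledge of Internet Explorer rather than from the
# page: per-user zone assignments live under this key, one subkey per registrable
# domain (with an optional host subkey beneath it), and a value named "*" (any
# scheme) or "http"/"https" holds the zone number. 4 is the Restricted sites zone.
ZONEMAP_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
RESTRICTED_SITES = 4

# Constructed sample blocklist (RFC 2606 example domains, not real ad servers).
SAMPLE_DOMAINS = ["ads.example.com", "Tracker.example.net.", "example.org", ""]


def zonemap_subkey(domain: str) -> str:
    """ads.example.com -> example.com\\ads, the layout ZoneMap uses. The split
    into the last two labels is naive (wrong for e.g. co.uk); good enough here."""
    labels = domain.split(".")
    if len(labels) <= 2:
        return domain
    return ".".join(labels[-2:]) + "\\" + ".".join(labels[:-2])


def build_restricted_sites_reg(domains: Iterable[str]) -> str:
    """Emit a .reg file that puts each domain into the Restricted sites zone."""
    cleaned = sorted({d.strip().lower().rstrip(".") for d in domains if d.strip()})
    lines = ["Windows Registry Editor Version 5.00", ""]
    for dom in cleaned:
        lines.append(f"[{ZONEMAP_KEY}\\{zonemap_subkey(dom)}]")
        lines.append(f'"*"=dword:{RESTRICTED_SITES:08x}')
        lines.append("")
    return "\r\n".join(lines)          # regedit expects CRLF line endings


VALUE_RE = re.compile(r'^"?(\*|https?)"?=dword:([0-9a-fA-F]{8})$')


def parse_zone_entries(reg_text: str) -> Dict[str, int]:
    """Return {host: zone} for every ZoneMap\\Domains entry in a .reg export."""
    entries: Dict[str, int] = {}
    prefix = ZONEMAP_KEY.lower() + "\\"
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.lower().startswith(prefix):
                parts = key[len(prefix):].split("\\")
                current = ".".join(reversed(parts))   # example.com\ads -> ads.example.com
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                entries[current] = int(m.group(2), 16)
    return entries


def elevated_entries(entries: Dict[str, int]) -> List[str]:
    """Hosts placed in Local intranet or Trusted sites: a hijacker that adds
    itself there gains looser security settings, so these deserve a look."""
    return sorted(h for h, z in entries.items() if z in (1, 2))


if __name__ == "__main__":
    reg = build_restricted_sites_reg(SAMPLE_DOMAINS)
    print(reg)
    for host, zone in parse_zone_entries(reg).items():
        print(f"{host:<24} {ZONE_NAMES.get(zone, zone)}")
```

Merging the generated file is the same double-click (or `regedit /s`) step IE-SPYAD describes; exporting the ZoneMap\Domains key afterwards and running it through parse_zone_entries confirms the entries landed in zone 4 and shows anything else that has quietly been promoted into a trusted zone.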
Newer versions of IE have a pop-up blocker built in. All the major portals now
have their own toolbars too:
Microsoft Custom Toolbar
Prevent Popups by Atlas Solutions
Surely I'm not the only person to notice that Yahoo's been replacing
links with Javascript 'open window' links in its news section for
images:
javascript: rs("ss","http://story.news.yahoo.com/news?g=events/ts/082501plane&entry=1&tmpl=sl",610,490);
My feedback to Yahoo:
Lose the Javascript in photos.
Yahoo has long been, and remains, one of my primary Web resources.
This has been because of its directness, simplicity, and value as a
data resource: Yahoo presents essential data, presents it clearly,
and presents it in spades. Though the web has evolved past the
stage at which an ordered hierarchy was of critical importance,
Yahoo's sections, particularly news and finance, are core resources.
I've been very disappointed to find that this simple directness has
been adulterated with Yahoo's inclusion of Javascript in page code
to view some images associated with news articles. I dislike this
on several fronts, two of the more significant being that:
1. *I* prefer that *my* specifications for how, where, and when a
window be opened are preeminent. My browser is tabbed, I open
content in new tabs, and new windows are distracting and disruptive.
2. I disable Javascript. Period. For all sites. It's a feature
of the Web landscape that's prone to both security issues and
abuse, whether from ignorant webdesigners (God save us...) or
malicious intent of advertisers or crackers.
Simply: toss the crap. Keep it simple. Let the user drive. I
realize that this requirement, like others utilized by Yahoo (e.g.:
I've long since noticed that both contents and ads are served by
your 'yimg.com' servers, and have managed to separate ads from
content in my filters) is geared at supporting an advertising and
revenue model. I'll modestly suggest that fighting with your
customers is not a good or effective business model, and suggest you
identify alternative approaches.
Cheers.
Slashdot: Getting Law Enforcement Action for a Large-Scale Hack
"So I determined that I was connecting to xxx.p5115.tdko.com
instead of xxx. I started looking at dns settings. Of course, under Windows,
the default is to accept the default dns domain specified by a DHCP server for
the PC's ethernet connection. There are settings to disable this, but I hadn't
thought about it until now. It turns out, Charter Communications' DHCP servers
were infiltrated and were providing p5115.tdko.com as the 'Connection-specific
DNS suffix', causing all non-hardened Windows (whatever that means in a Windows
context) machines to get lookups from a hijacked subdomain DNS server which
simply responded to every query with a set of 3 addresses (66.220.17.45, 66.220.17.46,
66.220.17.47).
On these IPs were some phantom services. There were proxying web servers (presumably
collecting cookies and username/password combos), as well as an ssh server where
the perpetrators were most likely hoping people would simply say 'yes' to the
key differences and enter in their username/password.
Has anyone else seen this type of attack before? Pretty sneaky. I bet it would
slip by most people that don't use anything but a web browser. This makes me
want to step up my plans to put an OpenBSD firewall in place and allow it as
little trust of the outside world as possible, providing more trusted DNS/DHCP
services to the hosts on my network. It would be nicer to be able to boot the
thing self-contained-and-configured off read-only media and have no writable
access to anything from the operating system to totally prevent break-in/tampering.
With respect to the lnt issues. I first called Charter, and after 10 minutes
on hold was told to submit a report to their
abuse account. I asked the tech support rep if they really wanted me submitting
the incident report through a hijacked proxying web server. I hadn't yet reconfigured
my Windows systems because I wanted to collect as much information as possible
while the attack was still live. The long and short from the tech support rep
was they'd look at it, but couldn't do anything with respect to responding to
me about it unless I submitted that report.
I moved on to calling the FBI. The after hours person had no idea what evidence
collection procedures I should follow, nor if their office would even be interested
in investigation. I was told to call back during business hours. I did a little
searching and found the National Infrastructure Protection Center. I gave them
a ring and was asked to fill out an incident report. I was told it would be
reviewed in the NOC quickly and a decision made about further investigation.
The rep answering the phone said to collect any and all information I could
think of regarding the attack. I got a response later this morning that their
NOC personnel had evaluated the report and decided not to investigate further.
I called the FBI back this morning, only to be told they generally didn't investigate
these types of crimes for individuals, but usually only for companies that had
lost at least a couple thousand dollars. To inflate my ego a bit, I asked if
I could count my time cleaning up/investigating as a loss of this magnitude
and was told no, that it would have to be a financial loss like is associated
with internet credit card fraud. Given how Kevin Mitnick was convicted and sentenced
on 'evidence' that included employee time for investigation and cleanup, why
is this any different for me?
With respect to getting some action on any future attacks - what should I do?
Who should I call? I'm not a h/\x0r, and I have reasonable investigation
skills, but aren't there professionals doing this to uphold the law? What's
the point of all those federal laws anyway? Monitoring of third party communications,
without the consent of either party; unauthorized access to Charter's systems
- the list can go on a lot further depending on the activity happening at those
proxying servers. Are these laws just tools to oppress unpopular computer criminals
but just plain not enforced most of the time?
I found this situation and particular method of attack interesting... hopefully
this was fun to read. If you have suggestions for what I should do in the future
to handle attacks, I'd love to hear about it!"
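The post above describes two observable symptoms: a DHCP-supplied connection-specific DNS suffix nobody asked for, and a resolver that answers every query, including names that do not exist, with the same three addresses. Both are cheap to check from the host side. The following is an added example written for this page, not code from the poster or from Charter; the resolver answers are constructed (the "hijacked" set reuses the three addresses quoted in the post, the "healthy" set uses RFC 5737 documentation addresses), the canary name and the "corp.example" allowlist entry are invented, and the live probe helper uses the system resolver only when you call it yourself.

```python
import socket
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

# The three addresses quoted in the post, handed back for every query.
HIJACK_SET = {"66.220.17.45", "66.220.17.46", "66.220.17.47"}
# Names the resolver should never answer for (constructed canaries).
CANARY_NAMES = ["does-not-exist-4f2a.example"]

# Constructed answers mimicking the hijacked resolver described in the post.
HIJACKED_ANSWERS: Dict[str, Set[str]] = {
    "www.example.com": set(HIJACK_SET),
    "mail.example.org": set(HIJACK_SET),
    "updates.example.net": set(HIJACK_SET),
    "does-not-exist-4f2a.example": set(HIJACK_SET),
}
# Constructed answers from a healthy resolver (RFC 5737 documentation addresses).
HEALTHY_ANSWERS: Dict[str, Set[str]] = {
    "www.example.com": {"192.0.2.10"},
    "mail.example.org": {"198.51.100.7"},
    "updates.example.net": {"203.0.113.20", "203.0.113.21"},
    "does-not-exist-4f2a.example": set(),
}


def suffix_is_trusted(suffix: Optional[str], allowlist: Iterable[str]) -> bool:
    """First symptom in the post: a DHCP-supplied connection-specific DNS
    suffix nobody expected. Accept an empty suffix or one that equals, or is
    a subdomain of, an allowlisted suffix."""
    if not suffix:
        return True
    s = suffix.lower().rstrip(".")
    allowed = [a.lower().rstrip(".") for a in allowlist]
    return any(s == a or s.endswith("." + a) for a in allowed)


def wildcard_resolver_signals(answers: Dict[str, Set[str]], canaries: Iterable[str] = ()) -> List[str]:
    """Second symptom: a resolver that answers every name, even nonexistent ones,
    with one fixed address set. Returns the reasons found; empty means clean."""
    reasons: List[str] = []
    answered = {name: frozenset(ips) for name, ips in answers.items() if ips}
    if len(answered) >= 3:
        addr_set, count = Counter(answered.values()).most_common(1)[0]
        if count == len(answered):
            reasons.append(f"all {count} names resolve to {sorted(addr_set)}")
    hit = [c for c in canaries if answers.get(c)]
    if hit:
        reasons.append(f"names that should not exist got answers: {hit}")
    return reasons


def probe(names: Iterable[str]) -> Dict[str, Set[str]]:
    """Live helper: resolve names through the system resolver into the shape
    the checks above expect. Not used by the offline demonstration."""
    out: Dict[str, Set[str]] = {}
    for n in names:
        try:
            out[n] = set(socket.gethostbyname_ex(n)[2])
        except socket.gaierror:
            out[n] = set()
    return out


if __name__ == "__main__":
    print("suffix p5115.tdko.com trusted?", suffix_is_trusted("p5115.tdko.com", ["corp.example"]))
    print("hijacked:", wildcard_resolver_signals(HIJACKED_ANSWERS, CANARY_NAMES))
    print("healthy: ", wildcard_resolver_signals(HEALTHY_ANSWERS, CANARY_NAMES))
```

Run at boot or from a login script, the two checks would have caught the situation the poster describes before any credentials went through the proxying web servers; the suffix check is the one Windows users can also enforce directly by disabling "Use this connection's DNS suffix" on the adapter, as the post notes.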
The typical sign that spyware/adware is installed on your PC is when pop-up ads
start appearing out of nowhere, even when your browser is closed.
There is a new type of advertising/marketing that sneaks onto your system without
you knowing it. Most of the time this new and infuriating marketing was piggybacked
on software that you downloaded and installed, or came from a web page that you
happened upon. It is infuriating to say the least, and it really angers you that
someone has made changes to your computer without your consent.
Well, there are several measures to follow to keep this from happening. NEVER EVER
install anything that is offered to you while surfing. Only install software that
you recognize or trust. Before installing anything read the EULA (End User License
Agreement); often it discloses that the software you are installing contains other
programs that will serve you ads or monitor your usage and browsing.
If the EULA states that, cancel the installation and delete the software. You can
also set the security in your browser to stop the installation of desktop items, to
disallow cut and paste via script, and to apply other security measures such as not
accepting unsigned ActiveX code, etc.
The best thing to do is to be very skeptical of all software on the Internet you
have never heard of. For all you know it could contain a virus, trojan or scumware.
Make sure your Java VM is at least version 3805 to protect against a vulnerability
that allows website operators to change your home page, and several other
vulnerabilities. This is the main way hijacking occurs while surfing the web with
a web browser. The download is available here:
http://www.microsoft.com/java/vm/dl_vm40.htm
Here are two registry keys for Windows users that will lock or unlock your homepage.
Don't worry, they are safe. These are from Kent England (another fellow Microsoft MVP):
HomePagelock-unlock.zip
As a side note, make sure you have anti-virus software running on your PC and be
sure to update it at least once a month. We update ours weekly just to make sure
nothing sneaks through.
AD-AWARE from Lavasoft. It scans your registry and hard drive for spyware, sneak-ware,
scum-ware, theftware and other deceptive software that has been installed on your
system without your knowledge. You can download it or read about it at the link
below. You can even set it to scan your PC each time you start up!
Examples of scumware: LOP (one of the worst and sneakiest - takes over as your home
page and has no uninstall feature in Add/Remove Programs (Control Panel)), GATOR,
TOPTEXT, Bargain Buddy, KazAa, Surf+, Spedia, eZula, and there are many others. Read
below to find out more about this rapidly growing deceptive advertising technology.
Copyright © 1996-2008 by Dr. Nikolai Bezroukov.
www.softpanorama.org was created as a service to the UN Sustainable Development
Networking Programme (SDNP) in the author's free time.
This document is an industrial compilation designed and created
exclusively for educational use and is placed under the copyright of the
Open Content License(OPL).
Original materials copyright belong to respective owners. Quotes are made
for educational purposes only in compliance with the fair use doctrine.
Standard disclaimer:
- The statements, views and opinions presented on
this web page are those of the author and are not endorsed by, nor do they necessarily
reflect, the opinions of the author present and former employers, SDNP or any other
organization the author may be associated with.
- We do not warrant the correctness of the information provided or its
fitness for any purpose.
- In no way is this site associated with, nor does it endorse, cybersquatters
using the term "softpanorama" with other main or country domains (e.g. softpanorama.com)
with bad faith intent to profit from the goodwill belonging to someone else.
Last modified:
November 08, 2008