Softpanorama (slightly skeptical) Open Source Software Educational Society
May the source be with you, but remember the KISS principle ;-)
Fighting Adware/Spyware Paranoia
Spyware is far from being something magically complex and difficult to remove.
Formally, it is any software that uses the Internet connection of your computer
in the background (as a "backchannel") without the user's knowledge or explicit permission.
This backchannel is one way to detect even the most sophisticated spyware,
and a regular sniffer is an adequate tool for this. Spyware is tied to advertising
revenue, so it is more sophisticated than either viruses or worms. Some spyware/adware
programs are primitive and just use one Run key to launch themselves (removing
this key disinfects the computer).
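The backchannel described above is also the simplest thing to look for in a capture. The following is an added example written for this page (not code from the original article): it takes per-process outbound connection records, such as a sniffer or a host firewall log would give you, in a constructed text format, and reports programs outside a user-maintained allowlist that keep reopening the same destination. The log format, the process allowlist and the sample records are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of a per-process outbound connection log (one record per
# line: time, process name, destination host, destination port). The format
# is an assumption made for this example; a real sniffer or host firewall log
# would need its own parser.
SAMPLE_LOG = """\
09:00:01 iexplore.exe www.example.com 80
09:00:02 iexplore.exe www.example.com 80
09:00:05 weather.exe stats.example-ads.net 80
09:01:05 weather.exe stats.example-ads.net 80
09:02:05 weather.exe stats.example-ads.net 80
09:02:30 outlook.exe mail.example.com 110
09:03:05 weather.exe stats.example-ads.net 80
09:04:00 svchost32.exe 127.0.0.1 80
"""

# Programs the user knowingly uses to reach the Internet (assumed allowlist).
ALLOWED = {"iexplore.exe", "firefox.exe", "outlook.exe"}

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Parse the constructed log into (time, process, host, port) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2).lower(),
                            m.group(3).lower(), int(m.group(4))))
    return records


def find_backchannels(records, allowed=ALLOWED, min_hits=2):
    """Return {process: {(host, port): count}} for programs outside the
    allowlist that repeatedly open outbound connections. A process that
    phones home on a timer shows up as the same (host, port) pair counted
    several times, which is exactly the "backchannel" pattern."""
    counts = defaultdict(lambda: defaultdict(int))
    for _time, proc, host, port in records:
        if proc in allowed:
            continue
        counts[proc][(host, port)] += 1
    return {
        proc: {dest: n for dest, n in dests.items() if n >= min_hits}
        for proc, dests in counts.items()
        if any(n >= min_hits for n in dests.values())
    }


def block_candidates(records, allowed=ALLOWED):
    """Hosts contacted by non-allowlisted processes, skipping loopback; these
    are the names to consider adding to the hosts file or to the Restricted
    sites zone, as the page suggests."""
    hosts = set()
    for _time, proc, host, _port in records:
        if proc not in allowed and not host.startswith("127."):
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for proc, dests in find_backchannels(recs).items():
        for (host, port), n in dests.items():
            print(f"{proc}: {n} connections to {host}:{port}")
    print("candidate hosts to block:", block_candidates(recs))
```

On the sample data the weather utility is reported with four connections to the same advertising host while the browser and mail client are ignored; the loopback connection is not a block candidate but would still merit a look at the process that opened it.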
Generally, any use of an Internet "backchannel" connection should be preceded
by a complete and truthful disclosure followed by the receipt of explicit, informed
consent for such use. Often spyware is disguised as a useful utility (an atomic clock,
a toolbar or the like), but does not disclose that, in addition to its openly
stated function, it is using the PC's Internet connection to send information to a third
party, for example about the user's browsing (WeatherBug
is one such example). Often spyware deliberately complicates its removal from the
computer or tries to reinstall itself by downloading missing components if one component
is removed.
The spyware problem is not a pure Windows security problem; the situation is more
complex. While the insecurity of the operating system is a problem that aids malware
in general, having a more secure browser would help to fight this. The
improvements to Internet Explorer [microsoft.com] due to appear in Service Pack
2 should help stop the spread of spyware somewhat. Another useful step is
to get the Yahoo toolbar, which includes an antispyware component. A firewall with an Internet
filter also helps, as you can tune it to prevent any re-infections. Even without
a firewall, the hosts file can be used to block sites that spyware connects to. Most
of those sites should also be moved to the Restricted sites zone in Internet Explorer.
If you detected spyware on your computer, before removal
try to "cut off its oxygen" by adding the sites it accesses to the hosts file and
to the Restricted zone. That helps to prevent re-infections.
Yes, spyware can be complex, extremely annoying and obnoxious and rather difficult
to remove. But paranoia about spyware is completely unwarranted. A typical example
of this paranoia is the NYT article by Matt Richtel and John Markoff,
"Corrupted PC's Find New Home in the Dumpster" (July 17, 2005).
The main hero of this article (who actually holds a PhD in computer science) demonstrates
a simply amazing level of ignorance of the Windows OS.
SAN FRANCISCO, July 15 - Add personal computers
to the list of throwaways in the disposable society.
On a recent Sunday morning when Lew Tucker's
Dell desktop computer was overrun by spyware and adware - stealth software
that delivers intrusive advertising messages and even gathers data from
the user's machine - he did not simply get rid of the offending programs.
He threw out the whole computer.
Mr. Tucker, an Internet
industry executive who holds a Ph.D. in computer science, decided that rather
than take the time to remove the offending software, he would spend $400
on a new machine.
He is not alone in his surrender in the face
of growing legions of digital pests, not only adware and spyware but computer
viruses and other Internet-borne infections as well.
Many PC owners are simply replacing embattled
machines rather than fixing them.
"I was spending time every week trying to
keep the machine free of viruses and worms," said Mr. Tucker, a vice president
of Salesforce.com, a Web services firm based here.
"I was losing the battle. It was cheaper and faster to go to the store
and buy a low-end PC."
In the face of a constant stream of pop-up
ads, malfunctioning programs and performance slowed to a crawl or a crash
- the hallmarks of spyware and adware - throwing out a computer "is a rational
response," said Lee Rainie, director of the Pew Internet and American Life
Project, a Washington-based research group that studies the Internet's social
impact.
While no figures are available on the ranks
of those jettisoning their PC's, the scourge of unwanted software is widely
felt. This month the Pew group published a study in which 43 percent of
the 2,001 adult Internet users polled said they had been confronted with
spyware or adware, collectively known as malware. Forty-eight percent said
they had stopped visiting Web sites that might deposit unwanted programs
on their PC's.
Moreover, 68 percent said they had had computer
trouble in the last year consistent with the problems caused by spyware
or adware, though 60 percent of those were unsure of the problems' origins.
Twenty percent of those who tried to fix the problem said it had not been
solved; among those who spent money seeking a remedy, the average outlay
was $129.
By comparison, it is possible to buy a new
computer, including a monitor, for less than $500, though more powerful
systems can cost considerably more.
Meantime, the threats from infection continue
to rise, and "the arms race seems to have tilted toward the bad guys," Mr.
Rainie said.
The number of viruses has more than doubled
in just the last six months, while the number of adware and spyware programs
has roughly quadrupled during the same period, said Vincent Weafer, a senior
director at Symantec, which makes the Norton computer security programs.
One reason for the explosion, Symantec executives say, is the growth of
high-speed Internet access, which allows people to stay connected to the
Internet constantly but creates more opportunity for malicious programs
to find their way onto machines.
Mr. Weafer said an area of particular concern
was infections adept at burying themselves in a computer system so that
the cleansing programs had trouble finding them. The removal of these programs
must often be done manually, requiring greater technical expertise.
There are methods of protecting computers
from infection through antivirus and spyware-removal software and digital
barriers called firewalls, but those tools are far from being completely
effective.
"Things are spinning out of control," said
David Gelernter, a professor of computer science at Yale.
Mr. Gelernter said his own family's computer
became so badly infected that he bought a new one this week. He said his
two teenage sons were balking at spending the hours needed to scrub the
old one clean of viruses, worms and adware.
Mr. Gelernter blames the software industry
for the morass, noting that people are increasingly unwilling to take out
their "software tweezers" to clean their machines.
Microsoft executives say they decided
to enter the anti-spyware business earlier this year after realizing the
extent of the problem.
"We saw that a significant percentage of
crashes and other problems were being caused by this," said Paul Bryan,
an executive in the company's security business unit. Windows XP Service
Pack 2, an upgrade to the latest Windows operating system that has been
distributed to more than 200 million computers, includes an automated malware
removal program that has been used 800 million times this year, he said.
At least another 10 million copies of a test
version of the company's spyware removal program have been downloaded. Yet
Microsoft executives acknowledged that they were not providing protection
for people who have earlier versions of the company's operating system.
And that provides little comfort for those who must navigate the perils
of cyberspace.
Terrelea Wong's old computer now sits beside
her sofa in the living room, unused, except as a makeshift table that holds
a box of tissues.
Ms. Wong, a physician at Kaiser Permanente
Medical Center in South San Francisco, started getting a relentless stream
of pop-up ads a year ago on her four-year-old
Hewlett-Packard desktop computer. Often her entire screen would turn
blue and urge her to "hit any key to continue." Sometimes the computer would
freeze altogether.
After putting up with the problem for months,
Ms. Wong said she decided last November that rather than fix her PC, she
would buy a new one. Succumbing to the seduction of all the new bells and
whistles, she spent $3,000 on a new
Apple laptop.
She is instituting new rules to keep her
home computer virus-free.
"I've modified my behavior. I'm not letting
my friends borrow my computer," she said, after speculating that the indiscriminate
use of the Internet by her and her friends had led to the infection problems.
Peter Randol, 45, a stockbroker for
Charles Schwab in Denver, is at his wits' end, too. His family's four-year-old
Dell computer has not been the same since last year when they got a digital
subscriber line for high-speed Internet access. Mr. Randol said the PC's
performance has slowed, a result he attributes to dozens of malicious programs
he has discovered on the computer.
He has eliminated some of the programs, but
error messages continue to pop up on his screen, and the computer can be
agonizingly slow.
"I may have no choice but to buy a new one,"
he said, noting that he hopes that by starting over, he can get a computer
that will be more impervious to infection.
Buying a new computer is not always an antidote.
Bora Ozturk, 33, who manages bank branches in San Francisco, bought a $900
Hewlett-Packard computer last year only to have it nearly paralyzed three
months ago with infections that he believes he got from visiting Turkish
news sites.
He debated throwing the PC out, but it had
pictures of his newborn son and all of his music files. He decided to fix
it himself, spending 15 hours learning what to do, then saving all his pictures
and music to a disk and then wiping the hard drive clean - the equivalent
of starting over.
For his part, Mr. Tucker, the Salesforce.com
executive, said the first piece of software he installed on the new machine
two weeks ago was antivirus software. He does not want a replay of his frustrations
the last month, when the attacks on his old machine became relentless.
"It came down to the simple human fact that
maintaining the old computer didn't pay," he said.
Just from the ecological point of view, the position of "Mr.
Tucker, an Internet industry executive who holds a Ph.D." is
rather strange, not to say more. With all due respect to this Ph.D. holder, I think
that anyone with a BS in computer science should be able to reinstall the Windows OS, as
even a BS degree presupposes some interest in and level of understanding of OS internals
;-)
Of course, it perfectly suits the job description of Vincent Weafer, a senior director
at Symantec, to propagate FUD about spyware/adware. But this is a slightly skeptical
site and we should know better.
Actually, cleaning spyware is not rocket science in 95% of cases.
The remaining 5% are cases where, due to misguided cleaning attempts, a bug in the removal program,
or both, the user destroys the OS (possible in complex cases or if the spyware removal
program has bugs).
But in all such cases reinstallation works perfectly well, and for anybody who
is a professional in the field (and not a lazy misfit with a CS degree who has no backups
and does not know what is installed on his/her computer) it should take less than an hour.
I doubt that anyone can find a plausible case where you cannot clean spyware
by reinstallation. But I encourage you to try and submit such a case in a letter to
the editor.
Many vendors (HP and IBM for sure) provide a special partition with the image
of the initially installed OS and software (the factory install image). If the computer has
such a partition, the manual always has a special chapter about restoring the image,
with a description understandable to everybody with an average IQ ;-). For those who assemble computers
themselves the same holds: they should be able to create their own "initial image"
using Norton Ghost or any other similar utility.
Anyway, if you are seeing new toolbars in your browser, excessive popups, or
your homepage has been switched, or the PC became very slow or periodically reboots itself,
chances are that you are infected. Other typical symptoms:
- changed search results
- changed advertisements on pages that you browse
- IE periodically crashes
- the computer freezes and the keyboard becomes unresponsive
- loss of Internet connectivity
Spyware is a more serious problem than just a simple annoyance. Your privacy
is being invaded. Spyware has the ability to install additional software on your
machine without your consent, and the fact that what you are doing on your computer
is being watched right now does not provide any comfort...
Deceptive advertising is still the major channel of penetration of spyware
into PCs, but it is not the only one.
Spyware authors, like virus authors, look for a particular category of gullible
users: despite all the bad experience, there are some people who just can't avoid
"Get Kool Mouse Pointerz Here" type links ;-).
There are several prominent groups of spyware:
- Winsock 2 Layered Service Provider (LSP) based spyware. A typical
representative of this category is
SAHAgent (aka
Golden Retriever, ShopAtHome and ShopAtHomeSelect). The latest version of SAHAgent
installs under Windows as a Winsock 2 Layered Service Provider (LSP) and does
sneaky things such as redirecting browsers to merchant sites to generate affiliate
fees. If you try to delete SAHAgent's registry entries and files, you will probably
find your network connections no longer function, because SAHAgent is an LSP,
something that is pretty tricky to remove.
- Mutating spyware. This is a fuzzy category that is distinguishable
not so much by the method of installation as by the variety (the number of
variants). A typical representative would be CWS (CoolWebSearch), a
particularly nasty spyware that hijacks Web searches, the home page, and Internet
Explorer settings. Most of the web sites that the homepage is set to appear
to have an affiliate relationship with coolwebsearch.com, in which coolwebsearch
pays them for every visitor they refer. See
Merijn.org/cwschronicles
for a listing of the variants (several dozen). For variants where removal of a file
breaks the Internet connection, there are a couple of tools that can fix the broken
connection; LSPFix can be tried.
Some variants
of CWS add several Google addresses, search.yahoo.com, and search.msn.com to
the HOSTS file, redirecting them to 127.0.0.1. A small web proxy, contained
in an exe file (for example svchost32.exe), listens for these redirected requests.
Some variants of CWS list the hijacker's web site in Internet Explorer's
Trusted security zone. Domains listed in the Trusted zone have no restrictions
on what they can do, which gives that web site virtually unlimited access
to the infected computer's file system.
The main source of infections is probably installers located on hardcore porn
web sites.
CWShredder is able to remove many variants of CWS. Ad-aware can remove some
variants too. For manual removal see
Symantec
Security Response - Trojan.Norio
- BHO-based spyware.
BHOs are similar to programs that run from autoexec.bat,
but they run during the start of IE, not DOS. The MS article
"Browser Helper Objects: The Browser the Way You Want It" explains the concept.
Spyware BHOs can conflict with other running programs, cause a variety
of page faults, run time errors, and the like, and generally impede browsing
performance.
BHOList
contains a list of known BHOs with classification into several categories.
To view the list of the BHOs installed on your machine you can use
HijackThis or the more specialized
program BHODemon
(freeware).
Example 1: The
LOP spyware
creates random BHO identifiers (as well as corresponding files).
Registry entries look something like this:
{1A35419C-7394-4989-B3C5-6189EB06BD66} - ssshwckfrngl.dll
or
{9633C13D-85BB-4271-83C1-F22BC2938585} - llbrquistglc.dll
or
{DCF6B0CF-5312-42B2-B783-971C107F8B91} - kstilypsm.dll
Be aware of this possibility if you discover unknown BHOs with random
names. Several other spyware products use random or semi-random BHO names.
Example 2: Vx2 and its derivatives (Data Transponder,
etc.). Vx2 is a browser helper object (BHO) that was included in the AudioGalaxy
Satellite file-sharing system, but a user outcry got it removed in November
2001. Today, vx2 and its variants can be found in a "free" viewer for adult
video content and the "free" products from Mindset Interactive. According to
PestPatrol, "it is hard to tell where
this piece of spyware originated. It was first seen as Blackstone Data's Transponder,
but repackaged versions of the same product are popping up under several different
companies." PestPatrol lists the aliases of the code and sources of each as
Transponder from Blackstone Data; vx2, RespondMiter and Sputnik from vx2, Corp.;
Aadcom Extreme Targeting from Aadcom; NetPal from NetPalNow and also Mindset
Interactive.
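Since the LOP example above shows that a random-looking DLL name is itself a useful indicator, here is an added example (written for this page, not taken from the original article or from any of the tools it names) that parses a BHO listing in the "{CLSID} - file.dll" form shown above and flags names that look machine-generated. It uses a vowel-ratio and consonant-run heuristic rather than a signature, so it catches names nobody has seen before. The three LOP entries are taken from the page; the other two entries, the thresholds and the optional known-good list are assumptions.

```python
import re

# Constructed BHO listing in the "{CLSID} - file.dll" form shown on this page.
# The first three entries are the LOP examples quoted above; the last two are
# made up for this example to stand in for legitimate BHOs.
SAMPLE_BHOS = """\
{1A35419C-7394-4989-B3C5-6189EB06BD66} - ssshwckfrngl.dll
{9633C13D-85BB-4271-83C1-F22BC2938585} - llbrquistglc.dll
{DCF6B0CF-5312-42B2-B783-971C107F8B91} - kstilypsm.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHelper.dll
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - googletoolbar.dll
"""

ENTRY_RE = re.compile(
    r"^\{([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}"
    r"\s*-\s*(\S+)$"
)
VOWELS = set("aeiouy")


def parse_bhos(text):
    """Return (CLSID, dll_name) pairs for every well-formed line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1).upper(), m.group(2)))
    return entries


def longest_consonant_run(name):
    run = best = 0
    for ch in name:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(filename, min_len=8, max_vowel_ratio=0.3, max_consonant_run=4):
    """Heuristic: pronounceable names have a fair share of vowels and short
    consonant runs; generated names such as ssshwckfrngl.dll do not. Short
    Microsoft-style abbreviations are skipped via min_len. This is a triage
    aid, not proof, so the DLL's publisher still has to be checked."""
    stem = filename.lower().rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < min_len:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return (vowel_ratio < max_vowel_ratio
            or longest_consonant_run(stem) > max_consonant_run)


def suspicious_bhos(entries, known=()):
    """Entries whose DLL name is not in the known-good list and looks random."""
    known_lower = {k.lower() for k in known}
    return [(clsid, dll) for clsid, dll in entries
            if dll.lower() not in known_lower and looks_random(dll)]


if __name__ == "__main__":
    for clsid, dll in suspicious_bhos(parse_bhos(SAMPLE_BHOS)):
        print(f"suspicious BHO {clsid} -> {dll}")
```

A known-good list is worth maintaining alongside the heuristic: the thresholds are tuned so that the three LOP names are flagged and the two ordinary names are not, but any abbreviation-heavy legitimate DLL of eight or more letters could trip the vowel test.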
Two approaches to fighting spyware
Businesses want an inexpensive software tool that can be used to clean up a spyware
infection on a one-time basis. Vendors must offer such products, making sure they're
affordable. We will classify tools into two broad categories:
- Scanner-based. This is a strategy similar to antivirus scanners.
It also involves the problem of false positives and false negatives.
- Non-scanner based. This broad class of tools includes everything
else and will be discussed on this page. We will advocate a simple protection
strategy (called the "Softpanorama strategy") that consists of two simple steps:
- creation of a second partition on the hard drive
- periodically writing to it images created by Norton Ghost or a similar utility.
Scanner-based strategies of fighting spyware
They are the simplest and yet effective against almost all but the most complex
spyware, and that's why they should be tried first. There are two prominent
free spyware scanners (Ad-aware and
Spybot S&D).
Spybot S&D usage is
discussed in a separate page.
The main problem with spyware scanners
is that spyware is repeating the path of file viruses, and newer variants are designed
with specific mechanisms to avoid detection by the scanners (polymorphic spyware).
One such example is vx2 spyware (SAHAgent, aka Golden Retriever, ShopAtHome
and ShopAtHomeSelect). Another example is CoolWebSearch, or "CWS" as many refer to
it. With more than a hundred known variants, CWS has surpassed a lot of other
annoying hijackers such as Lop, Xupiter and Whazit (see such sites as
allhyperlinks.com, coolwwwsearch.com, youfindall.com, etc.). You might need
to use specialized software like
CWShredder to remove
CWS.
Never buy or download a spyware scanner without checking reviews on independent
sites. Many such products are very questionable: some ask you to buy an expensive
version after scanning, some can themselves be classified as spyware. An attempt to hide
spyware under the disguise of a spyware scanner can be viewed as yet another example
of deceptive advertising. See for example
Trustworthy
Anti-Spyware Products
Non-scanner-based strategies
The non-scanner-based strategies of fighting spyware include several lines of
defense:
- Restoring an image of your C: partition ("Softpanorama strategy").
Split your hard drive into two (or more) partitions (using, for example, Partition
Magic), format the second partition as FAT32 and write a clean snapshot
of the C: partition (for example via Ghost) to this partition, so that you can
restore it any time your system stops functioning properly (whether because of
spyware or other problems).
- Systematically updating your OS and IE. It's really important to
keep your computer up to date. Spyware often relies on IE vulnerabilities, so the
latest and greatest version of IE from Microsoft helps to protect your computer.
The
improvements to Internet Explorer [microsoft.com] in Service Pack 2 should
help stop the spread of spyware somewhat.
- Using a special toolbar that blocks popups and spyware components.
The Yahoo toolbar now contains an antispyware component in addition to popup blocking
(they beat the Google toolbar in this area ;-)
- Running selected free tools via the scheduler to detect and remove spyware.
There are very useful and effective tools outside the typical anti-spyware
troika (HijackThis, Ad-aware and Spybot S&D). For example, watching the registry
and the process list (see
command
line process listers) after startup, as well as the content of major Windows
directories, is very important, and one can greatly benefit from using appropriate
tools to achieve that. For example, I can recommend a registry watching tool
like RegistryProt. There are several command line process listing utilities
that can be configured to run during your startup. Adding an integrity
checker to the mix is more complex, as there is no clearly suitable candidate;
see Fighting Rootkit and Similar
Trojans: Integrity Checkers and Trojan detectors.
HijackThis
can provide a useful baseline that includes an integrated list of relevant
registry entries and a process map, but currently I do not know
how to run it in batch mode (other than via Expect). Still, this
is the simplest way of manually creating a useful baseline. If you are reading
this page and do not yet have a problem, please create at least a process baseline.
It might turn out to be extremely helpful in the future. You cannot overestimate
the value of the baseline in fighting complex spyware beasts.
- Blocking (via proxy or redirection in the hosts file) Internet sites that
download such pests. This is a useful method of defense in a corporate
environment, where each detected "backchannel" can be instantly blocked on the proxy
and in many cases the site that is responsible for the infection can be detected
and blocked. This is not that effective in a home environment, but still the hosts
file can be used to block obnoxious advertisers on a one-by-one basis.
- And last but not least: read the license of products that you are
installing on your computer. Never ever install anything that is advertised
via junk email or, worse, pop-ups. Most apps that install spyware usually
have something in their license that says "we have the right to install whatever
we want on your system".
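The hosts file appears on this page both as a defense (blocking the sites a pest connects to, as recommended at the top of the page and in the list above) and as a target (CWS variants mapping search engines to 127.0.0.1). The following added example, written for this page and not part of the original or of any tool it mentions, does both halves: it parses a hosts file, reports entries that override a set of protected public names, removes them, and appends sinkhole entries for domains the user has chosen to block without duplicating ones already present. The sample hosts file, the protected-name set and the domains to block are constructed.

```python
import ipaddress
import re

# Constructed hosts file resembling what a CWS-style hijack leaves behind:
# search engines pointed at 127.0.0.1 (where the pest's local proxy listens)
# next to the legitimate localhost entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.google.com
127.0.0.1       search.yahoo.com
127.0.0.1       search.msn.com
"""

# Public names that a local hosts file should never resolve (assumed list).
PROTECTED = {"www.google.com", "search.yahoo.com", "search.msn.com", "google.com"}
# Domains the user has decided to sinkhole (constructed examples).
TO_BLOCK = ["ads.example-spyware.net", "update.example-spyware.net"]
BLOCK_TAG = "# blocked by user"

ENTRY_RE = re.compile(r"^\s*([0-9A-Fa-f:.]+)\s+(\S.*?)\s*(#.*)?$")


def parse_hosts(text):
    """Return (ip, [names]) for each non-comment, well-formed entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # first column was not an address; ignore the line
        entries.append((ip, [n.lower() for n in m.group(2).split()]))
    return entries


def find_hijacks(text, protected=PROTECTED):
    """A protected name mapped to anything at all is suspicious: a hosts file
    has no business resolving a public search engine, loopback or not."""
    hits = []
    for ip, names in parse_hosts(text):
        for n in names:
            if n in protected:
                hits.append((n, str(ip)))
    return hits


def remove_hijacks(text, protected=PROTECTED):
    """Drop every line that maps a protected name; keep everything else."""
    kept = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        is_entry = m is not None and not line.lstrip().startswith("#")
        names = set(m.group(2).lower().split()) if is_entry else set()
        if names & protected:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def add_block_entries(text, domains):
    """Append sinkhole entries (0.0.0.0, so nothing listens) for domains not
    already present; running it twice changes nothing."""
    present = {n for _ip, names in parse_hosts(text) for n in names}
    lines = [text.rstrip("\n")] if text.strip() else []
    for d in domains:
        if d.lower() not in present:
            lines.append(f"0.0.0.0\t{d.lower()}\t{BLOCK_TAG}")
            present.add(d.lower())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"hijacked: {name} -> {ip}")
    print(add_block_entries(remove_hijacks(SAMPLE_HOSTS), TO_BLOCK))
```

The cleaning step removes whole lines rather than editing addresses, so a hijack line that lists several search engines at once disappears in one go; on a real machine the file lives at %SystemRoot%\system32\drivers\etc\hosts and is normally read-only, which is worth restoring after editing.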
Creating an image of your C: partition on another partition (it should be a FAT32 partition)
is a very effective strategy for fighting spyware. In this case, if you cannot delete
a particular beast using scanners and baseline-based methods, you can just restore
the C: partition from the image and forget about the problem. This is the easiest
way to fight complex, mutating spyware like
CoolWWWSearch.
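The "process baseline" advice in the list above is easy to put into practice once you keep two snapshots. Here is an added example for this page (it is not the output format of HijackThis or of any other tool mentioned): constructed baseline and current snapshots of autostart entries and running processes, in an assumed two-column text form, are compared, and newly appeared entries are singled out when they live directly in the root of C:, in the Windows directory or in temp directories, or mimic a system binary name such as svchost32.exe, the pattern described earlier on this page.

```python
import ntpath

# Constructed "baseline" and "current" snapshots: kind (RUN = an autostart
# registry value, PROC = a running process) and the executable path. Tools
# like HijackThis or a command line process lister give you this information;
# the two-column format here is an assumption for the example.
BASELINE = """\
RUN  C:\\WINDOWS\\system32\\ctfmon.exe
RUN  C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe
PROC C:\\WINDOWS\\system32\\svchost.exe
PROC C:\\WINDOWS\\explorer.exe
"""

CURRENT = """\
RUN  C:\\WINDOWS\\system32\\ctfmon.exe
RUN  C:\\winstall.exe
RUN  C:\\WINDOWS\\toolbar.exe
PROC C:\\WINDOWS\\system32\\svchost.exe
PROC C:\\WINDOWS\\explorer.exe
PROC C:\\WINDOWS\\system32\\svchost32.exe
"""

# Directories where a freshly added autostart entry or process deserves a
# second look: root of C:, the Windows directory itself, temp directories.
SUSPECT_DIRS = ("c:\\", "c:\\windows\\", "c:\\windows\\temp\\",
                "c:\\documents and settings\\")


def parse_snapshot(text):
    """Set of (KIND, lowercased path) pairs; paths may contain spaces."""
    items = set()
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            items.add((parts[0].upper(), parts[1].strip().lower()))
    return items


def diff_snapshots(baseline_text, current_text):
    """Return (added, removed) relative to the baseline, both sorted."""
    base, cur = parse_snapshot(baseline_text), parse_snapshot(current_text)
    return sorted(cur - base), sorted(base - cur)


def suspicious(added):
    """Added entries sitting directly in a suspect directory (not in a
    subfolder of one), or named like a system binary with a suffix glued on
    (svchost32.exe) so they blend into a process list."""
    out = []
    for kind, path in added:
        directory = ntpath.dirname(path).rstrip("\\") + "\\"
        name = ntpath.basename(path)
        lookalike = name.startswith("svchost") and name != "svchost.exe"
        if directory in SUSPECT_DIRS or lookalike:
            out.append((kind, path))
    return out


if __name__ == "__main__":
    added, removed = diff_snapshots(BASELINE, CURRENT)
    print("new since baseline:", added)
    print("gone since baseline:", removed)
    print("worth a look:", suspicious(added))
```

Take the baseline right after a clean install or a Ghost restore, and refresh it after every deliberate software installation; otherwise the diff fills up with legitimate changes and the real additions get lost in the noise.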
Notes:
- This is a Spartan WHYFF (We Help You For Free) site written by people for whom English
is not a native language. Some amount of grammar and spelling errors should be expected.
- The site contains some broken links as it develops like a living tree...
Please try to use Google, Open Directory, etc. to find a replacement link (see
HOWTO search the WEB for details). We would appreciate it if you could
mail us a correct link.
The standard Softpanorama spyware defense
strategy based on Ghost does wonders against this worm, but additionally on infected
computers passwords need to be made stronger (a minimum length of 10 can help here) and patches
need to be installed (automatic installation of patches on desktops is highly recommended).
The Allaple.b worm was discovered somewhere
in late 2006 and was active for several months after that.
It propagates rather slowly and does not create "avalanche epidemics", but
it does propagate, and at the beginning signatures for detecting and removing
the worm were very weak. In March 2007 they got better; for example F-Secure
(which uses the Kaspersky engine), which was unable to disinfect strain B completely
with signatures older than, say, Feb 28, 2006 (I do not know the exact
date), is now doing a better, although far from perfect, job. It looks like
with signatures later than March 3, 2007 DrWeb detects it but still cannot completely
disinfect this particular strain of the worm (I checked a free version called
CureIt).
Allaple is a polymorphic network worm
that consists of just one executable. Polymorphism means that every copy of the
worm differs slightly from the others in content (probably due
to a polymorphic decryptor), but paradoxically the length of all instances is
constant (57856 bytes).
Also, when scanning the drive for HTML files, it generates and drops a lot
of executables with random names that consist of exactly eight characters. The
only exception is the first executable, which always has the name
urdvxc.exe, which
is hardwired in the worm code
(see below).
Also, when the worm's executable runs it behaves like old polymorphic file viruses:
the polymorphic decryptor decodes the body and then control is passed to
the static part of the worm code, which allocates a memory buffer and extracts
the main worm code into it. Only after that is control passed directly
to the extracted worm code. At the same time, while going to such lengths
to encrypt the worm body, the author(s) left the size of the worm's executable
file constant.
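The two fixed properties just described (a constant 57856-byte length and a hardwired urdvxc.exe name next to eight-letter random names) are enough for a crude but useful file-system sweep. This is an added example written for this page, not code from the worm or from any of the antivirus products discussed; the dummy files it creates are zero-filled and nothing on disk is executed. It requires the size indicator together with a name indicator, so that a legitimate program that happens to be 57856 bytes long is not reported. The sample directory contents are constructed.

```python
import os
import re
import tempfile

ALLAPLE_SIZE = 57856           # constant length of every instance, per the text above
DROPPER_NAME = "urdvxc.exe"    # the one hardwired file name
# dropped copies: exactly eight letters before the .exe extension
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.exe$", re.IGNORECASE)


def classify(path, size):
    """Return the list of indicators a file matches, or [] if it is not
    reported. A size match on its own is too weak to report; it needs a
    name indicator as well, while the hardwired name is reported by itself."""
    name = os.path.basename(path)
    reasons = []
    if name.lower() == DROPPER_NAME:
        reasons.append("hardwired name")
    elif RANDOM_NAME_RE.match(name):
        reasons.append("eight-letter random name")
    if size == ALLAPLE_SIZE:
        reasons.append("size 57856")
    if "hardwired name" in reasons or len(reasons) == 2:
        return reasons
    return []


def scan_tree(root):
    """Walk root and return {relative path: reasons} for reported .exe files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(".exe"):
                continue
            full = os.path.join(dirpath, f)
            reasons = classify(full, os.path.getsize(full))
            if reasons:
                hits[os.path.relpath(full, root)] = reasons
    return hits


def make_sample_tree():
    """Constructed directory of zero-filled dummy files (not malware): an
    eight-letter .exe of the worm's size, the hardwired dropper name with an
    arbitrary size, an eight-letter .exe of the wrong size, and an ordinary
    program name that merely has the same size."""
    root = tempfile.mkdtemp(prefix="allaple_demo_")
    spec = {
        "qwertyui.exe": ALLAPLE_SIZE,
        "urdvxc.exe": 1234,
        "abcdefgh.exe": 100,
        os.path.join("sub", "notepad.exe"): ALLAPLE_SIZE,
        "readme.txt": 10,
    }
    for rel, size in spec.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    for rel, reasons in scan_tree(make_sample_tree()).items():
        print(f"{rel}: {', '.join(reasons)}")
```

Because the worm keeps its length constant while varying its contents, the size is a stable indicator that survives the polymorphism, which is exactly why a signature scanner can miss a strain that a size-plus-name rule still catches.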
continued...
In the
comment below, it's unclear why students are not simply allowed to use
Norton Ghost and create their own images. Also, only amateurs use one
partition (C: for the whole drive) on a modern laptop with a huge hard drive (40G
or more), and if a university wants to train idiots this is definitely the way to
go ;-). It's very easy to link major user directories to the second drive.
[Jan 16, 2006]
http://www.bleedingsnort.com/staticpages/index.php?page=bleeding-projects
describes an interesting approach to detecting spyware using Snort:
Spyware Listening Post
The goal of the Spyware Listening Post is to
build a self-sustaining spyware prevention and detection framework.
We hope to accomplish this by using existing
tools such as the Black Hole DNS project, the User-Agents project, and our
existing Bleeding Snort Spyware Signatures to funnel known traffic to
analysis points to identify the unknown.
We believe that in general we're all losing
the fight to spyware and malware. This project we hope will move us into the
driver's seat rather than continue our current reactionary tactics.
This project is maintained by
Matt Jonkman.
There is a public mailing list available
here:
http://lists.bleedingsnort.com/mailman/listinfo/listeningpost
Users wishing to be volunteer analysts for
the data collected should subscribe to this list:
http://lists.bleedingsnort.com/mailman/listinfo/lp-analysts
Snort ClamAV

The Snort ClamAV project brings you a patched snort that using the ClamAV
virus database can alert and/or block viruses at the network level.
This project is maintained by
William Metcalf and Victor Julien.
Snort-ClamAV CVS Web Interface
Project Page
[Jan 2, 2006] A nasty mix of spyware found on one computer (it looks like
this mix is somehow linked with http://www.spy-sheriff.com;
see the hijacked browser home page below). Some components are recognized by
Ad-aware. It proved to be very difficult to delete using the usual tools (I
spent an hour or so trying and ended up re-Ghosting the computer).
It downloads a lot of files, some into the root directory of the C: drive, and
installs more than 30 files. Here are the files in the root directory:
C:\
01/02/2006 03:22 PM 14,848 stub_113_4_0_4_0.exe
01/02/2006 03:21 PM 52,480 drsmartloadb.exe
01/02/2006 03:20 PM 4,096 inst_0004.exe
01/02/2006 03:20 PM 40,960 drsmartload1.exe
01/02/2006 03:19 PM 3,082 secure32.html
01/02/2006 03:19 PM 32,256 winstall.exe
Similar cases found via Google:
> Detected SPYware! System error #384
> __________________________________________________________________________
> Your IP address is 99.999.99.999.
> Using this address a remote computer has gained an access to your computer
> and probably is collecting the information about the sites you've visited
> and the files contained in the folder Temporary Internet Files. Attention!
> Ask for help or install the software for deleting secret information
> about the sites you visited.
> __________________________________________________________________________
> Your computer is full of evidences!
> ISP of transmission: OPTONLINE
> Your IP address: 99.999.99.99
> They know you're using: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
> Your computer is: Windows XP
> Risk status for further investigation: VERY HIGH RISK
> To protect from the Spyware - click here
> To prevent information transmission - click here
> To delete the history of your activity, click here
(The data below were collected with the Microsoft Antispyware tool, Advanced
Tools/File Analyzer.)
Spyware component found on infected computer: winstall.exe (originally
found at C:\winstall.exe)
- Display name: winstall.exe
- Name: winstall.exe
- Publisher: Unspecified
- Path: H:\Spyware_infection\C_root\winstall.exe
- Size: 32256 bytes
- Create date: Monday January 2, 2006
- Access date: Monday January 2, 2006
- Modified date: Monday January 2, 2006
- MD5: 91e82df36f657bdc4158fa65e06cdd69
Spyware component found on infected computer: newfrn.exe
- Display name: URLBrowserNew
- Name: newfrn.exe
- Description: Unavailable
- Original file name: URLBrowserNew.exe
- Publisher: _
- Path: H:\Spyware_infection\windows\newfrn.exe
- Version: 1.0.0.0
- Size: 110592 bytes
- Copyright: Unavailable
- Create date: Monday January 2, 2006
- Access date: Monday January 2, 2006
- Modified date: Monday January 2, 2006
- MD5: 0ccc055a24cce2fbdbbd24f81e6c5d48
Spyware component found on infected computer: toolbar.exe
- Detailed File Analysis
- Display name: loader
- Name: toolbar.exe
- Description: Unavailable
- Original file name: 103.exe
- Publisher: .
- Path: H:\Spyware_infection\windows\toolbar.exe
- Version: 1.0.0.6
- Size: 23936 bytes
- Copyright: Unavailable
- Create date: Monday January 2, 2006
- Access date: Monday January 2, 2006
- Modified date: Monday January 2, 2006
- MD5: 1e1b8da7694e8900d2e289fd4592a7dd
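The analyzer records above are already a small indicator list: name, size and MD5 per component. The following added example (written for this page, not code from the Microsoft Antispyware tool) parses that listing into a lookup table and sweeps a directory with it, reporting a hash match as definite and a name-plus-size match with a different hash as probable, since that is what a recompiled build of the same pest would look like. It hashes only files whose size appears in the table. The directory it scans is constructed: a zero-filled winstall.exe of the listed size and a dummy file whose real hash is added as an extra indicator; the three real hashes are the ones quoted above.

```python
import hashlib
import os
import re
import tempfile

# The three "Spyware component found" records quoted above, reduced to the
# fields this example uses (values taken from this page).
ANALYZER_OUTPUT = """\
Spyware component found on infected computer: winstall.exe
- Name: winstall.exe
- Size: 32256 bytes
- MD5: 91e82df36f657bdc4158fa65e06cdd69
Spyware component found on infected computer: newfrn.exe
- Name: newfrn.exe
- Size: 110592 bytes
- MD5: 0ccc055a24cce2fbdbbd24f81e6c5d48
Spyware component found on infected computer: toolbar.exe
- Name: toolbar.exe
- Size: 23936 bytes
- MD5: 1e1b8da7694e8900d2e289fd4592a7dd
"""

FIELD_RE = re.compile(r"^-\s*(Name|Size|MD5):\s*(\S+)")


def parse_indicators(text):
    """Turn the analyzer listing into {md5: (name, size)}."""
    indicators, current = {}, {}

    def flush():
        if "MD5" in current:
            indicators[current["MD5"]] = (current["Name"], int(current["Size"]))

    for line in text.splitlines():
        if line.startswith("Spyware component found"):
            flush()
            current = {}
            continue
        m = FIELD_RE.match(line.strip())
        if m:
            value = m.group(2)
            current[m.group(1)] = value.lower() if m.group(1) == "MD5" else value
    flush()
    return indicators


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_indicators(root, indicators):
    """Return (definite, probable): hash matches, and name+size matches whose
    hash differs. Only files whose size is in the table get hashed."""
    by_name_size = {(n.lower(), s): md5 for md5, (n, s) in indicators.items()}
    sizes = {s for _n, s in indicators.values()}
    definite, probable = [], []
    for dirpath, _d, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            size = os.path.getsize(full)
            if size not in sizes:
                continue
            digest = md5_of(full)
            if digest in indicators:
                definite.append((f, digest))
            elif (f.lower(), size) in by_name_size:
                probable.append((f, digest))
    return definite, probable


def make_sample_tree():
    """Constructed directory: a zero-filled winstall.exe of the listed size
    (wrong hash, so only a probable match), an unrelated file, and a dummy
    whose real hash is returned as an extra indicator for a definite match."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    with open(os.path.join(root, "winstall.exe"), "wb") as fh:
        fh.write(b"\0" * 32256)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"nothing to see here")
    dummy = os.path.join(root, "dummy.exe")
    with open(dummy, "wb") as fh:
        fh.write(b"constructed sample, not malware")
    extra = {md5_of(dummy): ("dummy.exe", os.path.getsize(dummy))}
    return root, extra


if __name__ == "__main__":
    table = parse_indicators(ANALYZER_OUTPUT)
    root, extra = make_sample_tree()
    table.update(extra)
    print(scan_for_indicators(root, table))
```

The probable category is the one worth keeping an eye on: a pest that is rebuilt or repacked changes its hash but often keeps its file name and, as the Allaple note above shows, sometimes its size as well.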
The 46 Best-ever Freeware Utilities
Best Free Browser Protection (updated October 20, 2005)
There's a scumware plague at the moment. All it takes is a visit to a
pushy web site or a loaded shareware install and next minute your Internet Explorer
homepage has been changed, your default search setting altered, unwanted ads
pop up on your screen and worse. You can help protect Internet Explorer
against these attacks by using SpywareBlaster [1]. It's not a system
scanner; rather, it is a monitor that's designed to prevent an initial infection.
It provides active protection for Internet Explorer users against thousands
of malevolent products that use ActiveX based exploits and offers defenses against
hostile sites and unwanted cookies as well. SpywareBlaster can be used with
Firefox but there's not much point as Firefox doesn't need to be protected against
ActiveX exploits. SpywareBlaster is free but the automatic update service costs
$9.95 annually. A companion program to SpywareBlaster is SpywareGuard [2]. It
is also a protective program that checks programs before they are run for malware
behavior and also does some signature checking as well. However of late SpywareGuard
seems to have been rather neglected with no new updates for more than a year
so I can only give it a qualified recommendation. SpywareBlaster though, is
a terrific product and a must-have for Internet Explorer users who also use
the free version of Ad-Aware. If you are using Microsoft Antispyware, Ad-Aware
Pro or other anti-spyware utility with a real-time monitor, you don't really
need it.
[1] http://www.javacoolsoftware.com/spywareblaster.html (2.2MB)
[2] http://www.javacoolsoftware.com/spywareguard.html (1.96MB)
Best Free Trojan Scanner/Trojan Remover
Ewido is the best of a new crop of anti-Trojan programs. On my recent tests
over at www.anti-trojan-software-reviews.com
it emerged as one of the few products that could reliably detect polymorphic
and process injecting Trojans that were totally missed by anti-virus products
like Norton and AVG. Unfortunately the free version of Ewido doesn’t have a
memory monitor and this omission significantly reduces the level of active
protection provided. However the on-demand scanner is excellent. I recommend
that all average PC users who don't have an anti-trojan scanner download Ewido
and scan their PCs weekly. I suspect you may be surprised at what you will find.
Ewido is also pretty good at removing some spyware infections so bear that in
mind next time you encounter a spyware product you can't remove with normal
anti-spyware products like Ad-Aware. Note that Ewido only works with Windows
2000 and later so Win 9X users should consider the free version of
a2 (a-squared)
anti-trojan as an alternative. It's not quite as effective as Ewido but is still
an excellent product. High risk PC users such as P2P file sharers and
frequenters of hack sites, should however consider the industrial strength protection
of
Trojan Hunter or the
full
version of Ewido both of which offer the active protection they need. Note:
The free version of Ewido is actually the same as the paid version but after
14 days the active protection (i.e. memory monitor) becomes non-functional.
http://www.ewido.net/en/ (2.2MB)
http://www.anti-trojan-software-reviews.com/review-ewido.htm <= review of
Ewido
Best Free Rootkit Scanner/Remover (Updated October 24, 2005)
Rootkits are a special kind of software tool used to hide trojans, viruses and
other malware from your anti-virus scanner and other security products. Unfortunately,
they are extremely effective which means that some of you reading this will
be infected even though you believe your PC to be totally clean. Thankfully
there is a new class of security product now available called rootkit
detectors that use specialized techniques to detect these dangerous intruders.
Most of these detectors require quite a bit of technical skill to interpret
the results but one of the simplest to use and most effective is also free.
It's called BlackLight [1] and is currently available as a free beta from F-Secure
until the 1st of January 2006. I suggest everyone download this product and
scan their PC. The chances of you being infected are small but for five minutes
work it's not worth taking the risk.
BlackLight will detect most
rootkits missed by AV scanners but can still be fooled by state-of-the-art rootkits
like Hacker Defender. To detect this and a few other insidious rootkits, you
need heavier artillery. Currently the biggest gun in the rootkit detection war
is a free Chinese product called IceSword. It will reveal just about everything
running on your PC. Usage, however, requires considerable skill together with
the patience to work out the program. It was originally only documented in Chinese
but an English version [2] has now appeared. In the hands of a skilled user,
it's an amazing tool.
[1] http://www.f-secure.com/blacklight/cure.shtml (Windows 2000 and later, 911KB)
[2] http://www.xfocus.net/tools/200509/IceSword_en1.12.rar <= slow Chinese site, 565KB
[3] http://www.techsupportalert.com/rootkits.htm <= How to deal with the threat of rootkits
Fighting Spyware Through Your Task Manager
Toss on the ol' investigator's cap and let's take
a look at some of these mysterious processes running on my system. This is the
crux of this article...how to decipher what all that junk is and deciding what
is important and what may possibly be dangerous!
If you learn to regularly check the current processes
running on your system, you'll be much less likely to be zapped by some notorious
program. Granted, you need those other programs discussed at the top of this
article to really protect you, but if you regularly check here...it'll help
you stop anything that may have slipped by. You'll learn to recognize those
processes that should be running, so you can quickly research mysterious
ones further.
You'll note the first process listed is called
Point32.exe. Well, I know that that is my mouse driver. But if I didn't know
that, I could easily find out more about this by enlisting the valuable services
of the Internet.
... ... ...
I zip over to my trusty Google.com and enter
the process name, using quotes to search for it as a whole word and hit enter
to start my investigation.
...I learn that this process is running because
I use the Microsoft Intellimouse and this is the monitoring process that keeps
my mouse running properly. If I ended this, my mouse might not work the way
I want. Yet it seems to not be a vital process to its operation, so I could
disable it if I was currently stressed for more memory. However, if I was strained
for resources, I might want to consider using a simpler mouse. But resources
are not a problem on this system and I love my intellimouse! So this process
is not an issue.
The next process running shows a file named: ~e5d141.tmp.
Now one thing I know is that any file starting with a tilde (~) is a temporary
file that is called into memory for the moment while some other program is being
run...as part of its process. That is further verified by the fact that the
file ends in .tmp, as in temporary.
But what the heck is this temporary process that's
running? This could be some type of spyware! Let's give Google a run
by entering this file name into a search, enclosed in double quotes, and see
what's up.
HA! It appears that this one is not a problem
either. It is a licensing file that Dreamweaver requires when it is running.
I can check that fact further by closing Dreamweaver. Sure 'nuff...when Dreamweaver
is gone, so is that temp file, as you can see in the updated view below. When
I reopen DW, that file should reappear...and upon testing, it did. So I can
feel pretty confident that this is yet another process I don't need to worry
about.
But now I want to see what processes are eating up the most memory on my
system. I closed Outlook, so that's not in its normal top of the list slot.
My files are still chewing up space with Explorer. A system file is running,
and because I'm taking screen shots,
SnagIt is running.
But what is that next file? Let's find out.
I check Google and the first entry leads me to the I Am Not a Geek
web site. Normally a site that provides fairly accurate answers.
But this time I question the site's accuracy. Note in the image below, this
site warns me that this file is an unidentified Worm or Trojan virus! YIKES!
Rip it out!!! NO WAIT! Before you go ripping out your PC's guts, let's get a
second opinion and research this a bit further!
I check another site and they tell me not to worry because this
file is part of the
Microsoft anti-spyware program I'm running. Whew! But now there's some confusion...who
is right?
... ... ...
I move into my Windows Explorer and ferret into the c:\Program Files\Microsoft
AntiSpyware folder and look for that file. It's there. I right click on the
file and choose Properties. The properties dialog box opens
and tells me that this is a file that is part of the Microsoft AntiSpyware Data
Service.
ewido security suite - Protection against Spyware, Trojans, Dialers, Keyloggers and other growing threats
The ewido security suite can be used as a supplement to existing protection
systems under Windows 2000 and XP, to protect you also against the latest threats.
That's why the ewido security suite also works with all current anti-virus programs
and firewalls.
If you are
unsure whether your existing programs are compatible with the ewido
security suite or they are not on the list, please
contact us with further
information about your security applications like name, version etc.
- 8Signs Firewall - 8Signs Limited
- a² free/personal - Emsisoft
- Ad-aware - Lavasoft
- AlertWall Personal Firewall - A1Tech, Inc.
- Anti Trojan Shield - ATShield Ltd.
- ANTISPYWARE - GIANT
- AntiVir - H+BEDV
- AntiVirenKit - Gdata
- Anti-Virus Personal - Kaspersky Labs
- Antiy Ghostbusters - Antiy Labs
- ArcaVir - Stormbyte Technologies, LLC
- Armor2net Personal Firewall - Armor2net Software
- Avast Antivirus - Alwit Software
- AVG - Grisoft
- BitDefender - Softwin
- BitGuard Personal Firewall - Try Us ApS
- BlackICE PC Protection - Internet Security Systems
- BOClean - Privacy Software Corporation
- BullGuard - BullGuard Ltd.
- Command Antivirus - Authentium
- CounterSpy - Sunbelt Software
- Dr.Web - SalD Ltd.
- Enigma Firewall - Enigma Software Group
- eTrust EZ Antivirus - Computer Associates
- eTrust EZ Firewall - Computer Associates
- Firewall Lite - Primedius Corporation
- F-Prot - FRISK Software
- FRITZ!webProtect - AVM
- F-Secure - F-Secure Corporation
- HackerSmacker - FarStone Technology, Inc.
- Jetico Personal Firewall - Jetico, Inc.
- Kaspersky Anti-Virus - Kaspersky Labs
- Kaspersky Anti-Hacker - Kaspersky Labs
- Kaspersky Security Suite - Kaspersky Labs
- Kerio Personal Firewall - Kerio Technologies Inc.
- Look 'n' Stop - Soft4Ever
- McAfee - McAfee Inc.
- Microsoft Anti-Spyware - Microsoft Corporation
- mks_vir - MKS Sp. z o.o.
- NOD32 - Eset
- Norman Virus Control - Norman
- Norton Anti-Virus - Symantec
- Norton Personal Firewall - Symantec
- Omniquad Personal Firewall - Omniquad
- Outpost Firewall Pro - Agnitum, Ltd.
- Panda Antivirus - Panda Software
- PC-Cillin - Trend Micro, Inc
- Pest Patrol - PestPatrol, Inc.
- Process Guard - Diamond Computer Systems
- Protector 2000 Plus - Proland Software
- RAV - GeCAD Software
- SafeZone - MinuteGroup
- Solo Virus Control - MicroWorld Technologies Inc.
- Sophos Anti-Virus - Sophos Plc.
- Spy Sweeper - Webroot
- Spybot Search & Destroy - Patrick M. Kolla
- Spyware Doctor - PC Tools
- Sygate Personal Firewall - Sygate, Inc.
- Tauscan - Agnitum, Ltd.
- TDS - Diamond Computer Systems
- The Cleaner - Moosoft
- Tiny Firewall - Tiny Software, Inc.
- Trojan Remover - Simply Super Software
- Trojanhunter - Misec, Inc.
- TrojanShield - TrojanShield
- TZ Personal Firewall - Trackzapper Software
- V3Pro Deluxe - Softempire
- ViRobot - HAURI
- virus utilities - Ikarus Software
- VisNetic Firewall - Deerfield.com
- WinPatrol - BillP Studios
- WyvernWorks Firewall - WyvernWorks Dot Com
- ZoneAlarm - Zonelabs, Inc.
cexx.org Message Boards
View topic - HJT Log...Please take a look, Thanks
Posted: Tue Aug 23, 2005 11:50 pm
Post subject: HijackThis
My MIE browser is bogged down so
slow, it takes minutes to access a webpage or open email. Can anyone help me
decide what to fix? Following is my HijackThis Log.
Logfile of HijackThis v1.99.1
Scan saved at 10:31:27 PM, on 8/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PDesk.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\WINNT\system32\LXSUPMON.EXE
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Hawking Technologies\Hawking_HWU54G_Utility\HWU54G.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software
Updater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\rsvp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://yahoo.sbc.com/dsl
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program
Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program
Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual
IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual
IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe
-quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat
7.0\Reader\reader_sl.exe
O4 - Global Startup: Hawking HWU54G Utility.lnk = C:\Program Files\Hawking Technologies\Hawking_HWU54G_Utility\HWU54G.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak
EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK
Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a}
- C:\WINNT\web\related.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) -
http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) -
http://www.smartforce.com/v2.1/applications/liveplay/Activex/AXClientUtil.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) -
http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) -
http://ipgweb.cce.hp.com/rdq/downloads/msxml4.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner)
-
http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) -
http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS
Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company
- C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
Posted: Wed Aug 24, 2005 5:28 am
Post subject:
@ gdbarn:
Have you ever heard of a concept called netiquette? Or about reading
up on forum policy before posting? PLEASE, create a new thread for your
problems. There's no need whatsoever to bog down other threads - it'll
just confuse people.
@ Forafriend:
Start by saving this info somewhere good, or better, print them out.
Don't open a browser while fixing your computer, as you can be almost
sure of reinfection.
After that, go to
www.ewido.net, get ewido and their manual updates. Store them, don't
run them yet.
If you don't have Lavasoft's Ad-Aware, get a copy from here:
http://www.lavasoftusa.com/support/download/. Again, don't run it
yet.
Then, turn off system restore, restart the machine and boot to safe
mode (check my signature for info). Run hjt and fix these entries:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Winsock2 driver] SYFGMIDCLBVFJCZ.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
- (no file)
You should check if these nameserver settings are in order - if not,
fix them.
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8EB65B6-9482-4636-9585-7A6EE65C4E55}:
NameServer = 207.69.188.187 207.69.188.186
Then, open explorer, make sure you can view hidden files and folders
(check my signature for info). Find these files and folders and delete
them:
SYFGMIDCLBVFJCZ.EXE <-- check windows and windows\system32 for this
That done, install ewido, update it with the manual updates, then let
it scan your box. Fix everything you find.
Install Ad-Aware, and let it run a scan. Don't bother about it not being
updated, it should be able to run a scan anyway. Fix everything you
find. Run it when all done, and update it then. Restart the machine,
and turn system restore on again.
Then clean out your computer, by hand or by using CCleaner - get it
here:
http://www.ccleaner.com/
Come back with a fresh log, if problems persist.
Fake
_________________
Booting to safe mode?
Here's how
Viewing hidden files and folders?
Here's how
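The reply above picks the entries to fix by eye. The script below is an added example (it is not part of the cexx.org thread and is not HijackThis code) that does the same first pass automatically: it parses a log into its numbered sections and applies a few rules a helper would apply by hand, such as "(no file)" orphans, a Run entry whose executable is a bare or random-looking name, and O17/O16 entries that need a manual decision. The sample log is constructed from the kinds of lines shown in the thread; the severities and the vowel-ratio test for random names are this example's own heuristics, not a verdict on any entry.

```powershell
# Added example: first-pass triage of a HijackThis log (not HijackThis code,
# not from the thread). Sample log constructed from the kinds of lines above.
$SampleLog = @'
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKLM\..\Run: [Winsock2 driver] SYFGMIDCLBVFJCZ.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8EB65B6-9482-4636-9585-7A6EE65C4E55}: NameServer = 207.69.188.187 207.69.188.186
'@

function Get-ExecutableFromCommand {
    param([string]$Command)
    # A quoted path ("C:\Program Files\x\y.exe" -flag) or the first bare token.
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-RandomName {
    param([string]$FileName)
    # Heuristic: a base name of 10+ characters with almost no vowels (SYFGMIDCLBVFJCZ).
    $base = [IO.Path]::GetFileNameWithoutExtension($FileName)
    if ($base.Length -lt 10) { return $false }
    $vowels = [regex]::Matches($base, '[aeiou]', 'IgnoreCase').Count
    return ($vowels / $base.Length) -lt 0.15
}

function New-Finding($Type, $Severity, $Reason, $Line) {
    [pscustomobject]@{ Severity = $Severity; Type = $Type; Reason = $Reason; Line = $Line }
}

function Get-HjtFindings {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Every HJT entry starts with its section code: R0, O2, O4, O16, O17, ...
        if ($line -notmatch '^(?<type>[A-Z]\d+) - (?<rest>.*)$') { continue }
        $type = $Matches['type']; $rest = $Matches['rest']

        if (($type -in @('O2', 'O3', 'O9')) -and ($rest -match '\(no file\)')) {
            New-Finding $type 'low' 'registered component whose file is gone; harmless, but fix it' $line
        }
        elseif (($type -eq 'O4') -and ($rest -match '^[^:]+: \[[^\]]*\] (?<cmd>.+)$')) {
            $exe = Get-ExecutableFromCommand $Matches['cmd']
            if (Test-RandomName $exe) {
                New-Finding $type 'high' "random-looking executable name '$exe'" $line
            }
            elseif ($exe -notmatch '[\\/]') {
                # A bare name is resolved through PATH at logon, so the file may sit in
                # Windows or System32 next to the real system files: locate it and check it.
                New-Finding $type 'medium' "bare name '$exe'; find the file and check its version info" $line
            }
            elseif ($exe -match '\\(Temp|Temporary Internet Files|Local Settings)\\') {
                New-Finding $type 'high' 'starts from a temporary or user-writable directory' $line
            }
        }
        elseif (($type -eq 'O17') -and ($rest -match 'NameServer = (?<dns>.+)$')) {
            New-Finding $type 'check' "DNS servers $($Matches['dns']); confirm they belong to your ISP" $line
        }
        elseif (($type -eq 'O16') -and ($rest -match '(?<url>https?://[^/\s]+)')) {
            New-Finding $type 'check' "ActiveX control downloaded from $($Matches['url']); keep only hosts you recognise" $line
        }
    }
}

Get-HjtFindings ($SampleLog -split "`r?`n") | Format-Table Severity, Type, Reason -AutoSize -Wrap
```

On a real log replace `$SampleLog -split ...` with `Get-Content hijackthis.log`. The "medium" rule deliberately fires on legitimate bare-name entries such as ctfmon.exe as well: the point is to resolve the file and look at it, since a dropped executable with a familiar name is indistinguishable from the real one in the log alone.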
[Aug 24, 2005]
Antispyware firm warns of massive ID theft ring - Computerworld
Officials at Sunbelt Software, a Clearwater, Fla.-based vendor of antispyware
tools, said the company stumbled upon a massive ID theft ring that is using
a well-known spyware program to break into and systematically steal confidential
information from an unknown number of
computers worldwide.
The operation was discovered yesterday during research Sunbelt was doing on
a spyware program belonging to a particularly dangerous class of browser hijacking
tools called CoolWebSearch (CWS), according to Sunbelt's president, Alex Eckelberry.
CWS programs are extremely hard to detect and remove, and are used to redirect
users to Web sites that use spyware tools to collect a variety of information
from infected computers.
[Aug 24, 2005] Dealing with Unwanted Spyware and Parasites -- a useful document.
Many good tips in one place. Recommended!
CWShredder 2.15.0.0 - CWShredder™ is now maintained by Trend Micro.
Download: direct from Trend Micro. Removes most CoolWebSearch and affiliate
infections; read this first!
[Aug 24, 2005] What a great app! (Feedback for the page
Spyware Removal Using Spybot S&D, slightly edited for clarity):
Thanks for recommending this freeware - I recently cleaned my pc from
a Trojan which disabled the wallpaper and gave a warning tool in the task bar
telling me to buy some anti malware software. I knew this was a hack from the
start and set about cleaning the registry , resetting dodgy files in SYSTEM32
to a .doc extension, etc but I was not able to clean certain items - I was not
allowed to delete certain entries from the registry (in particular the RUN key)
- seemed like a permissions problem. I ran the recommended program in a safe-mode
boot of XP and cleaned everything it found, and the machine seems much happier
now!
What I would like to know is how you remove an item from the registry
when you know it's bad. I tried messing about with the permissions on the item
but nothing worked.
... ... ...
Keep up the great work!
Regards
Peter
Peter,
There are several good free registry editors and watchers; see
Free Registry Tools
for more information. But the first step is easy to do with the regular Windows
registry editor (regedit.exe):
Often spyware is pretty primitive, and removing the component that is installed
in the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
registry key disinfects the PC. The per-user key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
deserves the same check, since a program that could not write to HKLM lands there.
To do this, follow the steps outlined below. Be very careful working with the
registry and do not delete entries just because they look suspicious; check
each of them as outlined below:
- Open the registry in regedit: click "Start" (bottom left of your screen),
  select "Run", type "regedit" in the box displayed and click OK.
- In the tree that is shown select HKEY_LOCAL_MACHINE, then click the + sign
  for the key SOFTWARE, then Microsoft, then Windows, then CurrentVersion,
  then Run.
- Bookmark the Run key (click Favorites, Add to Favorites, and keep the
  name "Run" that Registry Editor suggests) so that you can get to the same
  place quickly if you need to.
- Print all entries (File, Print). Look for suspicious entries: strange
  names, programs loaded from strange locations (a user profile or Temp
  folder, or a bare file name with no path at all), etc., but don't take any
  action on them yet.
- Open Windows Explorer, click Tools, Folder Options, View and
  - uncheck:
    - Hide extensions for known file types
    - Hide protected operating system files
  - check:
    - Show hidden files and folders
    - Remember each folder's view settings
  then click "Apply to All Folders" and OK.
- For each suspicious entry on the printed Run list, go to the listed
  directory, find the file and check its creation date. Then right-click the
  file, click Properties and look at the Version tab. If Description is
  missing, Version is missing or the company is unknown, the file is
  suspicious.
- For each suspicious file, search Google for its name. If the search shows
  that the entry belongs to spyware, delete the Run value (and the file).
- For every other file, search Google too, but be critical of the results:
  do not rush to delete anything without consulting one of the forums
  recommended on the Fighting Adware/Spyware Paranoia page.
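Both walkthroughs on this page, the Task Manager article further up and the Run-key steps just above, end at the same place: find the file behind each process or Run entry and look at its Properties, Version tab. The script below is an added example, not part of either walkthrough and not Microsoft or Sysinternals code, that does that for every running process and every Run/RunOnce value at once. It assumes Windows PowerShell 3.0 or later (the page itself is about Windows 2000/XP); the Authenticode check, the "created in the last 7 days" rule and the user-writable-location test are this example's own additions to the walkthroughs' criteria. The four Run keys are not a complete autostart inventory; they are the ones the steps above cover.

```powershell
# Added example: automate the two "check the file" walkthroughs above.
# Not the page's own procedure; assumes Windows PowerShell 3.0+ on Windows.

function Resolve-CommandPath {
    param([string]$Command)
    # Quoted path, else the first token; expand %VARS%. A bare name is looked up on
    # PATH (Windows and System32 first), which is where a bare-name Run entry hides.
    # Note: for "rundll32.exe some.dll,Entry" the payload is the DLL, not rundll32.
    if ($Command -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($Command -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -notmatch '[\\/]') {
        $hit = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($hit) { $exe = $hit.Source }
    }
    return $exe
}

function Get-FileTrust {
    param([string]$Path)
    $info = [ordered]@{ Path = $Path; Exists = ($Path -and (Test-Path -LiteralPath $Path -PathType Leaf)) }
    if (-not $info.Exists) { return [pscustomobject]$info }
    $item = Get-Item -LiteralPath $Path
    $v = $item.VersionInfo                      # the Properties > Version tab, programmatically
    $info.Company     = $v.CompanyName
    $info.Description = $v.FileDescription
    $info.Created     = $item.CreationTime
    $info.Signature   = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    $flags = @()
    if (-not $v.CompanyName -or -not $v.FileDescription) { $flags += 'no version info' }
    if ($info.Signature -ne 'Valid') { $flags += "signature $($info.Signature)" }
    if ($Path -match '\\(Temp|Temporary Internet Files|AppData|Local Settings)\\') { $flags += 'user-writable location' }
    if ($item.CreationTime -gt (Get-Date).AddDays(-7)) { $flags += 'created in the last 7 days' }
    $info.Flags = $flags -join '; '
    [pscustomobject]$info
}

# 1. Running processes (the Task Manager walkthrough). Path is empty for processes
#    you are not allowed to open; run elevated to see all of them.
$procs = Get-Process | Where-Object Path | Select-Object -Unique Path |
    ForEach-Object { Get-FileTrust $_.Path }

# 2. Autostart values (the registry walkthrough): both hives, Run and RunOnce.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $t = Get-FileTrust (Resolve-CommandPath ([string]$regKey.GetValue($name)))
        $t | Add-Member -NotePropertyName Entry -NotePropertyValue "$key\$name" -PassThru
    }
}

# Anything flagged (or missing on disk) is what the walkthroughs say to research, not to delete.
(@($procs) + @($autoruns)) | Where-Object { -not $_.Exists -or $_.Flags } |
    Format-Table Entry, Path, Company, Signature, Flags -AutoSize -Wrap
```

A flag is a reason to look, not a verdict: plenty of legitimate drivers and utilities ship unsigned or without a CompanyName, which is exactly why the walkthroughs send you to a search engine and a forum before the Delete key. The useful signal is the combination: a file with no version information, in a writable directory, created this week, started by a Run value with an odd name.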
[Aug 3, 2005] NetworkComputing/Claria Software Unsafe At Any Speed, by Mitch Wagner.
Originally published in InternetWeek.
The software formerly known as Gator has been widely accused of being spyware.
We took a look for ourselves, and didn't like what we saw.
The spyware case against Claria comes down to
one of disclosure. Critics of the adware vendor say that Claria does not adequately
disclose to users the information it's collecting and how it will use that information.
Claria counters that its disclosures are complete.
We decided to see for ourselves. We downloaded
and installed two Claria applications from the company Web site: Weatherscope
and Date Manager. We also downloaded and installed a third product, the file-sharing
program Kazaa, which includes Claria software. We took a look
at the installation process, trying to see things with the eyes of an intelligent
but uninformed user.
Another frequent accusation against spyware is
that it actively fights against user attempts to uninstall it. We haven't heard
that accusation against Claria, but, in the name of completeness, we decided
to test how gracefully Claria uninstalled itself. As part of our testing, we
ran four separate anti-spyware programs, both before and after installing the
Claria software and Kazaa, to see how well Claria did at cleaning itself off
the system.
Even more confusingly, the EULA itself isn't
accurate as to what information Claria actually collects; it's a grab-bag of
some information Claria now collects, and other information that it used to
collect but has stopped collecting. Scott Eagle, Claria's chief marketing officer,
said the only information the company now collects is activity of "commercial
intent" — meaning online shopping and product research. The information is filed
by anonymous computer ID number. Claria does not collect user names, e-mail
addresses, credit card numbers, or ZIP codes.
Another thing that you're not told unless you
read the EULA: You're forbidden from using anti-spyware software to remove Claria
software from your PC. The only way you're permitted to remove it is by using
the Microsoft Windows Add/Remove Programs utility.
Simply including this important information in
a dense packet of fine print is insufficient notification.
Inadequate Disclosure
The installation screens say that Claria will display ads based on the sites
a user visits. But the installation screens do not say that, for as long
as the software is running, it will monitor the URL of every site the user visits
and report that information back to a Claria database.
That information is spelled out in a lengthy
End-User License Agreement (EULA), which very few users are likely to read.
The EULA also gives Claria the right to track — and report back — an inventory
of all the software on your PC and the first four digits of your credit card
number, so it knows which banks you use. The install screens also don't disclose
that the monitoring part of the application continues running even when users
shut down the useful part of the application.
The Claria EULA says, "In exchange for offering
you free software products, we collect anonymous usage information from your
computer that we and our partners may use to select and display pop-up and other
kinds of ads to you and to perform and publish research about how people use
the Internet."
Here's all the data Claria collects about users:
"GAIN collects certain non-personally identifiable information about your Web
surfing and computer usage. This includes the URL addresses of the Web pages
you view and how long you view Web pages; non-personally identifiable information
on Web pages and forms including the searches you conduct on the Internet; your
response to online ads; Zip code/postal code; country and city; standard web
log information and system settings; what software is on the computer (but no
information about the usage or data files associated with the software); software
usage characteristics and preferences; and, for Gator(R) eWallet users, your
first name and master password, if you choose to create one. For more information
regarding the data we collect, click: www.gainpublishing.com/rdr/70/datause.html...."
That page contains a couple of more pieces
of information on what Claria collects. In particular,
the Claria apps are monitoring the Web forms you fill out, and collecting the
first four digits of your credit card number, which tells it what bank you use.
They share the information with advertisers,
partners who give the company information for displaying search results, and
in "other limited circumstances" with "third parties who help us perform a business
function (their use of such information is limited by our internal policies
and/or confidentiality agreements, as applicable); to protect our rights, or
if under a legal obligation."
One egregious term of service, buried in
the license agreement: "You agree that you will
not use, or encourage others to use, any method to uninstall the Licensed Materials
other than through the use of the Add/Remove Programs feature of the Microsoft
operating system. Use of any robot, spider, other automatic or non-automatic
manual device or process intended to interfere or attempt to interfere with
the proper working of the Licensed Materials is prohibited."
In other words, if you install Claria software,
the only way you are permitted to uninstall it is through the Microsoft Windows
Add/Remove Programs. You are forbidden from uninstalling the software using
anti-spyware utilities. That's an outrageous imposition on the user, and it's
unfair to bury that in a EULA.
Eagle says that license provision is never enforced.
The Date Manager installation and uninstallation processes are virtually the
same as Weatherscope. Kazaa's installation and uninstallation is very similar
to the Claria programs. I won't talk about Kazaa much here, partially because
of the similarity and partially because Claria plans to sever its relationship
with Kazaa in a few weeks.
Uninstalling
For both Date Manager and Weatherscope, running
Add/Remove programs to remove programs did not immediately remove the entire
program.
A few seconds after completing the uninstall
process for Weatherscope, I got a warning from StartupMonitor indicating that
a program called GStartup registered the executable "c:\program files\common
files\gmt\gmt.exe" and "C:\Program Files\Common Files\CMEII\CMESys.exe." StartupMonitor
is a program I use to block software that tries to register itself to run at
system startup. Likewise, WebRoot SpySweeper notified me that a GAIN program
was trying to run — GAIN is the name of Claria's adware network.
Why were these applications running after
I'd already uninstalled Claria?
Eagle explained that it's a function of the architecture
of its products. Each package uses a separate ad-delivery and traffic-tracking
package, called GAIN. Each user is only required to run one copy of GAIN; if
you use two or more Claria applications, you only need to use one copy of GAIN
for all of them. The way to remove GAIN is to remove all of your Claria software.
Each time you remove a different Claria application, GAIN wakes up, and looks
around the PC to see if there are any Claria applications left on the PC. When
there are no more, GAIN automatically uninstalls itself.
So the activity I was seeing was GAIN automatically
uninstalling itself; if I'd waited a few seconds or minutes after uninstalling
the application to run WebRoot, I would have seen no activity, and no active
GAIN files, left on my PC.
And that was indeed what happened when I tested
Eagle's claims.
My anti-spyware software did detect other detritus
left by Claria after the uninstall process ran, including several registry entries
and a couple of log files. But this is not unusual behavior for any Windows
program; many perfectly legitimate programs leave some residue behind after
you've installed them; it's one of the reasons why some users install third-party
registry cleaners.
The bottom line: Claria did quite well in my
uninstall tests. The software requires user action to install — it doesn't just
install itself onto a computer when that computer visits a Web site, as some
of the worst spyware does. And the software uninstalls gracefully — it doesn't
resist uninstalling, as some of the worst spyware does.
Conclusion
Overall, I found Claria software to be easy to install and remove. But Claria
has the right to collect too much data about the user, and its disclosures about
what data it's collecting are too vague and inaccurate.
Claria makes a convincing case in interviews
and product literature that it takes its customer privacy seriously, but our
evaluation of its products — in particular, reading the End-User License Agreement
— tells a different story. Claria collects far too much information about user
activity, and is far too cavalier about disclosing what it collects.
I've removed Claria from my test computer. If
you're a consumer, I recommend you stay away from Claria's software, and if
you're a network administrator, keep it off your company network.
Read the in-depth report:
Claria Software Seeks Legitimacy
[Jul 27, 2005] Ben Edelman - Home
Details:
180solutions's
Misleading Installation Methods - Ezone.com
Lots of companies want to take advantage of users who may be a bit confused,
a bit naive, or a bit too quick to click yes. But where users are recruited
at sites catering to children, where ads look like Windows messages, or where
installation requests resort to misleading euphemisms, I'm not inclined to say
that consumers "consent" to the resulting ads and to the resulting transmission
of personal information.
[Jul 27, 2005] Ben Edelman - Home
More on Google's Role: Syndicated
Ads Shown Through Ill-Gotten Third-Party Toolbars
June 6, 2005
Google's "Software
Principles" set out reasonably high standards for notice and consent to
install advertising software. And Google's "Principles" strongly discourage
doing business (even indirectly) with companies that violate these rules. But
apparently Google wants others to do as they say, not as they do. In practice,
Google has large relationships with companies widely violating these rules.
In More on Google's Role: Syndicated Ads Shown Through Ill-Gotten Third-Party
Toolbars, I offer two separate examples of Google partners who break Google's
Software Principles rules. First, Ask Jeeves. AJ's toolbars are sometimes
installed without any consent at all. But even when users supposedly consent,
installation procedures are often seriously deficient. For example, users who
download iMesh get an AJ toolbar too -- though the only way to find out is by
scrolling to page 27 of iMesh's license. These practices notwithstanding,
Google's payments to AJ apparently total hundreds of millions of dollars per
year.
Diagram (Edelman): PPC advertisers -- money / viewers -- Google AdWords --
money / viewers -- Go2Net -- money / viewers -- IBIS WebSearch.
Second, the IBIS WebSearch toolbar installs in
a variety of ways
that don't meet Google's standards -- including security exploits, poorly-disclosed
bundles, and ActiveX popups. But IBIS also shows many Google ads, obtained from
Google through InfoSpace's Go2Net.
I see at least two distinct problems here. First,
Google's payments are helping to fund purveyors of unwanted software -- making
the spyware problem that much larger. Second, even advertisers who hate spyware
are inadvertently advertising through these channels -- intending to rely on
Google's promise of "high-quality" partner sites, although this promise may
be overly optimistic.
Perhaps Google will make excuses for its so-called
"partners." But the company's "don't
be evil" slogan and its Software Principles document suggest another possibility:
That Google entirely disassociate itself from those who use tricky practices
to get their advertising software onto users' PCs. Stay tuned.
Continued:
Details on installation methods; Google's rules; big money; enforcement challenges.
[Jul 27, 2005]
Spyware Warrior
Rogue-Suspect Anti-Spyware Products & Web Sites
Vendors of "rogue/suspect" anti-spyware products
advertise heavily via Google's "AdWords"
("Sponsored Links" on Google's own search pages) and "AdSense"
(Google-driven advertising delivered to third-party web sites).
Users should be aware that a search on the term "spyware" (or any related term)
at Google will turn up a variety of anti-spyware products and web sites -- some
reliable and trustworthy, some not. The key to distinguishing trustworthy
anti-spyware products and sites from non-trustworthy products and sites in
Google's search results is learning to distinguish "regular search results"
from "paid search results," otherwise known as "Sponsored Links."
[Jul 26, 2005] WinRAR
recommended software list
Spyware Doctor is a top-rated malware & spyware
removal utility that detects, removes and protects your PC from thousands of
potential spyware, adware, Trojans, keyloggers, spybots and tracking threats.
Protect your privacy and computing habits from prying eyes and virtual trespassers
with the help of Spyware Doctor.
[Jul 26, 2005]
Spyware Doctor - User reviews and free download at Download.com
Found a bug that AdAware didn't
11-Apr-2005 09:24:27 AM
Reviewer:
The Doober
Pros:
Everything about this program warrants high marks: it's easy to install and
use, scans relatively quickly, slick looking interface, and IT'S FREE!! I honestly
thought the free scanner market was monopolized by AdAware and Spybot, looks
like they have competition now. SpyDoctor found a tracking cookie that AdAware
missed but they all find bugs that others miss. I'm sure that AdAware and Spybot
will tag something that SpyDoctor doesn't someday.
PcTools makes excellent products you can trust.
I also have RegMechanic and it's a fine product as well.
Thanks to steve89z for recommending this fine
product. :)
Cons:
None. And I really do mean that.
I also use AdAware, Spybot, and Bazooka for spyware
scanning, AntiVir for virus/trojan scanning, and Hijack This! for browser hijackers.
All are free and can be found on this site.
THE SINGLE BEST WAY TO KEEP ADWARE OFF YOUR COMPUTER:
Use a web browser OTHER than Internet Explorer. I personally and highly suggest
Mozilla Firefox.
Microsoft Windows AntiSpyware (Beta) Home
M