The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. http://www.spywareinfoforum.info/newlsetter/june2,2005.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
The contents of this newsletter are commentary. They should not be mistaken for unbiased, objective journalism.
I now have even greater sympathy for people suffering a spyware infection than ever before. I spent the better part of Tuesday night fighting off the worst spyware infection I have ever seen or heard of.
Someone was kind enough to donate a copy of VMWare for me to use for testing. VMWare is software that pretends to be an entire computer and lets you install operating systems on it inside of a window. It makes it much faster and easier to test things than using a whole test PC. If I destroy the operating system, I can just shut down VMWare, restore a back up and have it up and running again within seconds.
I have spent the last two days playing with VMWare and decided Tuesday to go visit a certain wrestling fan site, a site infamous for installing all manner of spyware. I was told that this site was guaranteed to be a rich hunting ground for spyware. The person who said that sure wasn't kidding.
Let me begin this next part with an important note. Nothing at all happened until I said "Yes" to an ActiveX prompt. As bad as the infection is that I am about to describe, nothing would have happened if I had said "No" to that first prompt. Keep that in mind the next time you see an ActiveX prompt. NEVER SAY "YES" TO ACTIVEX PROMPTS THAT POP UP OUT OF NOWHERE!
There. Now that I've set off every spam filter in the world....
Warning! Geekspeak ahead.
By clicking "Yes" to the security warning, one spyware was installed. That first spyware downloaded and installed three other spywares. Those installed three new spywares each. Spyware was procreating on my computer at a geometric rate!
Six new toolbars showed up in Internet Explorer. Something deleted the Google Toolbar entirely. Three new icons appeared in the system tray. Three internet shortcuts appeared on the desktop and well over a hundred more showed up in my "Favorites" folder. Dozens of processes were loaded into memory. 200 new files appeared on the hard drive as well as over 400 new registry entries. And pop-ups were appearing at a rate of five per minute.
Within half an hour, my virtual computer was as infested with malware as anything I have ever seen at the message board.
I believe my favorite was the AdDestroyer program. That one sat in my system tray popping up ad windows, then declaring that "Your trial has expired. Click here to block pop-ups like that one." It made a very obnoxious squealing noise every time it did it.
Verrry nice. I believe the Federal Trade Commission sued a company last year for doing that.
Once I had decided that all the spyware that was going to be installed was installed, I set about trying to remove it all.
Oh boy.
First, I tried three different antispyware scanners. No help there. If they didn't crash, anything they removed came right back. It took me over an hour to determine that this was a lost cause.
Giving up on the automated scanners, I fired up HijackThis. If you've never heard of that one, it is a small program created by Merijn (Dutch spelling of Merlin), a university student in The Netherlands. Based on my original Browser Hijacking article and expanded upon continuously ever since, this program finds, lists and optionally deletes most of the start up locations, registry entries, browser helper objects, toolbars, services and other things installed by malware.
I scanned with HijackThis, selected several dozen entries to remove and clicked "Fix". That killed most of it. Unfortunately, more than a dozen entries were reinstalled immediately. I rebooted and tried several more times with the same result. These particular malware programs had companion files loaded into memory watching for attempts at removal. Delete something and they immediately replace it. One of them even started to place randomly named start up entries for randomly named files placed in random locations on the hard drive. Sheesh!
The next thing I tried was the process killer bundled into HijackThis. I killed the memory processes that I suspected were protecting the malwares. Doing that allowed me to disable at least two more malwares. Still, a half dozen entries remained no matter how many times I tried to remove them.
After figuring out which processes were responsible for replacing these last few entries, I tried to kill them out of memory. That didn't go so well. Every time I killed one process, another process would reload it. Kill that one and the other reloaded it. When I tried killing them all at once, it nearly crashed the computer, so I stopped trying that.
The next thing I tried was Killbox. Killbox is a program for deleting stubborn files. It can delete files immediately, delete them on reboot, replace a file with a dummy file on reboot, force explorer.exe to exit while it deletes a file, unregister DLL files, kill processes and even let you delete a whole raft of files at once.
I told Killbox to delete the offending malware files on reboot and then restarted the computer. Nothing. Not a single one of those files was missing after Windows loaded again. Clearly, these little critters weren't going to give up without a fight.
I restarted the computer in safe mode next. That didn't help things very much at first as the spyware loaded even in safe mode. At this point, I realized that I had overlooked something. Some of the remaining malware was loading as NT services. I might have shaved an hour or two from this whole exercise if I had noticed that in the beginning. Chalk that up to my being a little rusty at killing hijackers.
I opened the Management Console to stop and disable those two services and things became a little easier. Still in safe mode, I had Killbox kill explorer.exe and delete the malware files one at a time. Then I ran HijackThis again and removed all of the entries. This time, they stayed gone.
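The locations the clean-up above works through by hand (Run keys, browser helper objects and the auto-start services that were overlooked until safe mode) can be enumerated in one read-only pass; the script below is an added example written for this newsletter page, not code from HijackThis or Killbox, and it uses modern PowerShell rather than anything available on a 2005 machine. It assumes the registry keys listed are the start-up locations of interest and treats anything launched from outside the Windows and Program Files directories as worth a look, which is a triage heuristic, not a verdict.

```powershell
# Added example (not from the newsletter): list the same autostart locations
# HijackThis walks through and flag entries whose executable lives outside the
# usual system/program directories. Read-only triage; nothing is deleted.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
# Assumed "trusted" roots for the heuristic; malware in these folders is not caught by it.
$trustedRoots = @("$env:SystemRoot", "$env:ProgramFiles")

function Get-ImagePath([string]$cmd) {
    # Strip quotes and arguments: "C:\x\y.exe" -foo  ->  C:\x\y.exe
    # (unquoted paths containing spaces are split at the first space: heuristic)
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}
function Test-Suspicious([string]$path) {
    $expanded = [Environment]::ExpandEnvironmentVariables($path)
    foreach ($root in $trustedRoots) {
        if ($expanded.StartsWith($root, 'OrdinalIgnoreCase')) { return $false }
    }
    return $true
}

# 1. Run/RunOnce keys: every value here is something that starts at logon
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's provider metadata
        $flag = if (Test-Suspicious (Get-ImagePath $p.Value)) { 'CHECK' } else { 'ok' }
        "{0,-5} Run  {1} = {2}" -f $flag, $p.Name, $p.Value
    }
}

# 2. Browser Helper Objects: each CLSID resolved to the DLL IE will load
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem $bhoKey).PSChildName) {
        $srv = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { '<no server>' }
        $flag = if (Test-Suspicious $dll) { 'CHECK' } else { 'ok' }
        "{0,-5} BHO  {1} -> {2}" -f $flag, $clsid, $dll
    }
}

# 3. Auto-start services: these load even in safe mode and are easy to overlook
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
    $flag = if (Test-Suspicious (Get-ImagePath $_.PathName)) { 'CHECK' } else { 'ok' }
    "{0,-5} Svc  {1} -> {2}" -f $flag, $_.Name, $_.PathName
}
```

Entries marked CHECK are candidates for closer inspection, not confirmed malware; compare them against what the machine is expected to run before disabling anything.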
I restarted normal Windows and scanned again with HijackThis. Nothing. Every single entry was gone. Then I scanned with Ad-aware to clean up the remaining trash and .... well .... take a look for yourself:
http://www.spywareinfoforum.info/stuff/aawscanofcrap.jpg
http://www.spywareinfoforum.info/stuff/aawscanofcrap2.jpg
Remember, HijackThis is not a spyware remover. It only allows you to *disable* hijacks and spyware while leaving the inactive files and nonfunctioning registry entries for other cleaners to tidy up. What you see in those screenshots is what was left behind, after I finally disabled all the garbage on the computer. Or rather, after I *thought* I had disabled everything.
While Ad-Aware was right in the middle of removing those hundreds of entries, one last stubborn malware managed to load from nowhere (I mean that literally, keep reading) and started spawning pop-up ads.
I have absolutely no idea what loaded this file or how. There was no start up entry for it. There were no suspicious looking memory processes or services running. It wasn't hooked into Explorer. When it was in memory, you could see the file. When it wasn't in memory, the file did not exist anywhere on the hard drive. It simply appeared out of nowhere, popped up a few ads and then vanished right back into nowhere. That's a nice trick. I intend to figure out how it did that.
During one of its appearances, I dumped its memory to a text file. Inside were the names of six other files scattered throughout the Windows folder. I had Killbox delete every one of those files as well as the Houdini file and that was the end of that (I think). I left the VM window open all night when I went to bed just to be sure. There were no more pop-ups and no malware present when I woke up.
I am fairly sure there were inactive remnants of this massive infection littered all over my virtual computer after I was done. Ad-aware cleaned up nearly 600 items. Spybot found several dozen more. X-Cleaner, SpySweeper and PestPatrol all found bits and pieces scattered all over the place. Finally I just gave it up as a lost cause and shut off the virtual computer. The important thing was that the active infection had been killed.
It took five hours to clean up a hijacked PC that was right in front of me. Someone just tooling around on their first computer, with no real knowledge of how a computer works, either would have given up and set the computer on fire or taken it to a PC repair shop. Most repair shops would just throw their hands in the air, format the hard drive and be done with it. Those that stuck with it as long as I did would have charged roughly $350 (assuming five hours at $70 per hour at a fairly cheap repair shop).
All of that because I clicked the "Yes" button on a security warning. Think about that the next time you see an ActiveX warning.
For those of you geeky enough (or masochistic enough) to think that all of this sounds like fun, I have something for you. Thousands upon thousands of people show up at SpywareInfo's message board every single day with infected PCs screaming for help. We have literally hundreds of experts, developers, advisors and other helpful members who do their best to walk these people through the steps necessary to fix their computers. Still, so many people show up that it often takes days for someone to receive any assistance.
If you would like to take a shot at helping some of these people, we would be happy to show you exactly how to do it. It's a little different to fix a computer when it's not in front of you and all you have to go by are text logs. We have a "boot camp" where all the tricks of the trade for fixing a malware infection over a message board are taught. Consider it a crash course in remote computer repair. If you are interested, read this page and follow the instructions.
There is the sort of spyware that comes from installing programs like Kazaa and Imesh. This kind of spyware will track your web usage to produce more relevant pop-up ads. This is an annoying and unfair invasion of privacy. However, other than the aggravation of dealing with pop-up ads and spam, this kind of spyware usually is not dangerous (well, except to your blood pressure). These can be cleaned up relatively easily with Ad-aware and Spybot.
More dangerous are the surveillance and monitoring programs. These programs are used to steal passwords to bank and credit card accounts. A business rival can bribe an employee to install spyware on the company network. Or the company itself might install spyware to watch you while you work. These programs cost money to buy for testing and not all antispyware companies can afford to keep up with each new version.
SpyCop is the leading solution for finding computer monitoring spy programs, keyloggers, and commercially available software designed specifically to record your screen, email and passwords. SpyCop will detect the spy, tell you when it was installed, and disable it. SpyCop claims to have the largest database of surveillance spyware, 385 targets in all.
SpyCop also makes Evidence Terminator, a program that cleans out the traces of computer usage that Windows leaves lying around. This includes browser cache, temp files and recently opened documents among other things. You should shred paper documents at home and in the office if you don't want people reading them. The same goes for your PC.
More information about Spycop http://www.spywareinfoforum.info/downloads/spycop/
More information about Evidence Terminator http://www.spywareinfoforum.info/downloads/spycop/eterminate.php
Don't forget, even if you catch all the spyware on your computer, someone can still sneak up behind you and peek over your shoulder. Spycop won't help with that, so you might think about having this little gadget. ;-)
If you have any problems with the ordering page or with the coupon code (SPYC-YB5E-SCA), please email Catherine http://www.spywareinfoforum.info/email2.php.
As promised (long ago, in a newsletter far, far away), the list of clean and infected file sharing programs has been updated. I tested all of the new entries over the last week, so the information should be accurate. I had to fight off a couple of nasty spyware infections in the process.
If you know of a file sharing program not on the list or see an entry in the wrong section, please let me know and I'll take a look at it. Below is the entire article as it appears on the site (minus the update sections). Remember, the list below is as it appeared in this newsletter and will not be updated as clean programs become infected and vice versa. Check the actual article for an up-to-date listing.
Wondering if your favorite peer-to-peer file-swapping program has spyware bundled into it? Chances are good that it does.
The information on this page is believed to be accurate. However, if any program is listed under the wrong section, please let me know immediately. If you know of a file sharing program not listed here, let me know about that as well and I will test it out.
The following file-swappers are confirmed to have spyware or other unwanted parasites bundled into them:
Also see this page which details what most of the above programs bundle. This page has a similar list of clean/not clean programs.
The following file-swappers have been found not to have any spyware or other advertising parasites bundled into them:
The following programs are reported to be clean but have not yet been tested by me.
The following are P2P programs for which no reports are available. They eventually will be tested to see if they are clean or not.
Be very careful when installing an open source file sharing program. Open source programs are distributed under a license that allows for repackaging and redistribution. Unfortunately, many fine open source file sharing programs are repackaged to bundle various adware, spyware and other malware. Some examples of this are BitTorrent and KCEasy, both of which are clean, open source programs that have been repackaged by others to include malware.
If you see on this page that an open source program is free of spyware, that does not mean that some unscrupulous person hasn't repackaged a version that does bundle spyware and is passing it off as the real thing, on his own web site. Be very careful that you download file sharing programs ONLY from the official web site of the program's developer.
There are two programs, Kazaalite and Groksterlite, about which you may be wondering. Both programs are spyware-free versions of those file-swappers. Some people believe that they are alternative versions put out by the makers of KaZaa and Grokster.
Let's kill that myth right here. Neither of these are distributed by the owners of Kazaa or Grokster. They are cracks, meaning that the people distributing them violated their End User License Agreements to decompile them and remove the embedded spyware.
You may think that by using these products, you are giving the proverbial finger to the makers of spyware-ridden software. I'm sorry to say, this is not true. You merely show them that their software is so popular that you will go to any lengths to use it. This tells them that it is safe to keep selling out their millions and millions of users to the parasitical spyware companies. It also lets them point to the size of their network when spyware companies come sniffing around. By using these products, cracked or not, you contribute to the problem of advertising spyware.
It is recommended that you not use any version of a product that uses spyware, whether it is a spyware-free crack or the normal version. Spyware companies pay good money to the developers who sell out their users. The only way to discourage developers from including spyware in their products is to show them that their users will go elsewhere. No users equals no sponsors equals no money. It's as simple as that.
This article is located at http://www.spywareinfoforum.info/articles/p2p/
I do not intentionally link to web sites that require registration before allowing visitors to read the article. At the time I read these articles, I was not required to register. If one of these sites requires that you register before allowing you to read the article, please let me know and I will blacklist that site.
http://www.guardian.co.uk/uk_news/story/0,3604,1495715,00.html :: £1,000 bills in dial-up net scam
http://www.dailycal.org/article.php?id=18768 :: Privacy Bites the Plastic
http://www.pcworld.com/news/article/0,aid,120914,00.asp :: Can You Trust Your Spyware Protection?
http://www.webpronews.com/news/ebusinessnews/wpn-45-20050601LoopholesInAntiSpywarePrograms.html :: Loopholes In Anti-Spyware Programs
http://publications.mediapost.com/index.cfm?fuseaction=Articles.showArticleHomePage&art_aid=30674 :: Adware Maven Investigates Google's Role In Distribution
http://www.11alive.com/news/news_article.aspx?storyid=59410 :: Driver's License Fingerprints Debated
http://news.com.com/Bank+of+America+takes+on+cyberscams/2100-1029_3-5722035.html :: Bank of America takes on cyberscams
http://news.com.com/Minnesota+court+takes+dim+view+of+encryption/2100-1030_3-5718978.html?tag=nefd.top :: Minnesota court takes dim view of encryption
http://www.msnbc.msn.com/id/7735192/ :: Spyware firms targeting children
http://www.iol.co.za/index.php?set_id=1&click_id=115&art_id=qw1116918720581B225 :: Now hackers can hold your files hostage...
All materials on this web site are copyrighted © 2001 - 2012 by Mike Healan or their respective owners. All rights reserved.