Friday, December 29, 2006

Beware SpywareBot & antispyware.com!!

Thanks to some info from the Sunbelt blog: antispyware.com, a website which was recently sold for $500,000, has an app associated with it, SpywareBot, that is less than dependable to say the least.

You need to purchase it to remove 3 mild registry entries, while it overlooks dozens of malware files stored in a regular folder. Can you say 'scam'? Sure ya can, say it with me now.......[Read | Discuss Here]

Wednesday, December 20, 2006

Scam Sites Storm!!

Scam sites have been on the upswing as of late, so I decided to make a sticky thread just to deal with them. They include sites that try to trick users into downloading some sort of POS anti-spyware (rogues) along with sites that try to goad users into downloading a codec file to view a particular video clip. Nine times out of ten, the user gets infected with Zlob\SmithFraud infections or goodness knows what else is lurking. [Read | Discuss Here]

Monday, December 18, 2006

New Rogues & Fake Codec Sites

Three new anti-spyware rogues and two more fake codec sites appeared this week; guess the malware scumbags were busy getting ready for a holiday push. [Read | Discuss Here]

Thursday, December 14, 2006

PC Butts: Liar Extraordinaire

PCButts, Internet thief, liar and overall scumbag, has now laid claim that he is an MS MVP. On the SiteAdvisor review page he claims he is and has been for 4 years. I think not. [Read | Discuss Here]

Wednesday, December 13, 2006

Spam & Phish On The Menu Today

Well, today has brought a few very interesting reads about spam\phish. One on how it's not going away, one about a new start-up that wants to charge for access to your email account, and another about a phishing group which may be responsible for nearly one third of all phish messages sent. Read and Discuss Here

MS Updates Available Now!

MS has readied a few critical updates for the month of December, go and get yours!! See Here

Phishers Ratchet Up Spoof Sites

Phishers use machine gun method to hit-and-run victims with record number of spoofed domains. Read and Discuss Here

MessPlus!: Adware As Usual

Prompted by a comment on her blog by a Patchou troll, Sandi Hardmeier, noted MS MVP, gives Mess Plus! another scathing review. Read and Discuss Here

Sunday, December 03, 2006

Zango, PG, MySpace & My First Article

Well, it was yet another Paperghost\Zango bust fest. PG finds a profile on MySpace using an exploit which leads to a Zango site pushing Zango content vids. And of course you need to view the vids with the ever present Zango crapware. This stuff is almost as bad as the codecs I wrote about last week. Read and Discuss Here

This week was my first article to appear in the Dave's Computing Tips newsletter. Check The Forum

And we broke the record for the most ever users online too. Read and Discuss

Monday, November 27, 2006

No, you DON'T Need To Download That Codec!!

Codecs are all the rage these days with malware writers. They trick users into downloading them to watch content on a website. Then you get some nice adware bundles, the most popular seeming to be of the Zlob\SmithFraud variant. Rest assured tho, they will also have some other fun stuff included. Read More and Discuss Here

MySpace + Fake Profile = Zlob\SmithFraud

Well, Paperghost and the team at SpywareGuide have stumbled upon a scam on MySpace to infect users with a variant of Zlob\SmithFraud. Nice. MySpace users, beware of any profiles wanting you to download anything to view something. Read and Discuss Here

Monday, November 20, 2006

Zango 1-2 Punched by 'Zealots'!!

Two great anti-spyware legends, Ben Edelman and Eric Howes, team up to show proof that Zango has not lived up to their recent agreement with the FTC. Go figure.

And to think Zango has always been so candid and honest in all their other dealings when caught using less than ethical tactics. NOT!!

Read More & Discuss Here

Friday, November 17, 2006

In Forums

We have a couple of interesting threads in the forum. One is about the latest trend by malware authors to get users to malware sites. Look for this to take off.

Another shows a Flickr slide show put together by Sunbelt Software of all the fake security warnings generated by a ton of rogue anti-spyware apps. Read more about both of the aforementioned in the Countermeasures News Forum

Over in the Phishing and Spam Forum, see what could happen when you open an E-Card and it's packed full of nasties.

Friday, November 10, 2006

PCButts, aka Internet Scumbag Thief Strikes Again

Well, this time the target of Mr. Buttwipe is yet another security tool, created by an MS MVP. And of course he got caught due to his own stupidity.

Gotta love it when morons try to take credit for something and screw up. Read More Here

Gromozon Authors Acknowledge Prevx By Trickery

It seems the Gromozon authors are a little annoyed at the good folks over at Prevx. They have now coded their Gromozon malware with a false claim that the developers at Prevx are the authors of the infectious code, instead of the ones who have created a tool to remove it. Read More Here

Tuesday, November 07, 2006

Zango & SiteAdvisor In The News

Some new items in the Countermeasures forum today:

  • Zango poll & news

  • SiteAdvisor Plus Released

Read More Here

Friday, November 03, 2006

FTC Nails Zango Scumbags For 3 Ml

The FTC has finally gotten those scumbags at Zango\180Solutions to 'admit' they are lowlife scumbags and used less than ethical means of delivering their software. Of course paying 3 million dollars and stopping delivery of the software is, in their eyes, no admission of guilt, now is it?? ROCK ON FTC!! Read More Here

Thursday, November 02, 2006

WinPatrol PLUS 30 Day Trial

BillP, creator of WinPatrol, has decided to offer his users, or any users for that matter, a trial version of the PLUS version. This is an excellent time to see just how well the program works, and for a one-time fee you can't beat it. Read More Here

Tuesday, October 31, 2006

One Site + Three Minutes = System Destroyed

Well, this past weekend I got my test box in a heap 'o trouble! In a very small amount of time, less than five minutes, maybe about three, my system got decimated and a reformat was the only option.

Keep your systems patched, security defenses installed, and do your best to keep to safe sites kids, it's a nasty place out there on the Net. Read More Here

Monday, October 30, 2006

IE7 + XP Repair Update

In my previous blog about IE7 I pointed to info indicating that users who had, for whatever reason, to make a repair to XP would wind up with a broken IE.

It turns out that this has allegedly been fixed in the IE7 FR version. My source, another MS MVP, had been informed of the fix, but due to NDA restrictions I cannot share any 'official' info about it. But the IE team still recommends users uninstall IE7 before making any repairs.

And that leaves me to think that perhaps it's not quite repaired. At the very least the KB article should be updated.

Friday, October 27, 2006

IE7 + Win XP Repair = Busted IE!!??

Well, it would seem that if you were one of the 3 million plus users who installed IE7, you'd better hope you don't have to repair XP. If you do and don't uninstall IE7 first, boy are you in for a surprise! How the hell did they overlook this? Read More Here

Sunday, October 22, 2006

Latest Threats Update

There have been several new variants added to some of the more pervasive infections in recent weeks. And a new international player is in the mix as well. SmithFraud, Vundo, HackerDefender and Chinese infections...OH MY!! Read More Here

Wednesday, October 18, 2006

IE 7 Final Release Available & Fake IE 7 DL Site

Final release for IE 7 from Microsoft available. Read More Here

Fake IE DL site being spread. Installs trojan instead. Read More Here

Saturday, October 14, 2006

Forum Access Down.......AGAIN!! Grrrr......

Well, it seems my hosting company is yet again having problems with forum access.

Apologies to all, guess I'll be looking for a new hosting company come 2007. This is getting ridiculous.

AVG\Ewido Anti-Spyware False\Positives, Except They Are Not!!

It seems there is some new malware out that is corrupting legit files. Users who scan with Ewido may be presented with findings which appear to be false\positives, but they are not. Read More Here

Tuesday, October 10, 2006

Update Your OS Today, But Be Patient

Microsoft released a record number of patches today, 26 to be exact. But it appears that with so many being released, the Windows Update sites are not delivering everything. So be patient, and go back later in the day or the next. Read More Here

Adware Pusher MVP Award Revoked By MS

Adware pusher MVP Award revoked after MS confirms connection to LOP. Read More Here

VirusBurst: New Infector Files

Two new infection files found by Bleeping Computer (three paths listed below, as posted):

C:\WINDOWS\System32\tazth.dll
C:\WINDOWS\system32\dpfwu.dll
C:\WINDOWS\System32\ficqv.dll

Read More Here

Thursday, October 05, 2006

Site Access Problems Persist

Sorry to say my hosting company is still having troubles with my domain. I apologize for these problems and hope they can fix things on their end.

Access is still sporadic to both forum and site.

Adware Vendor Now MS MVP!!!???

Well, in all their infinite wonder, Microsoft has elected to invite a well known adware pusher to join the ranks of their MS MVP Awardees. Yeah, that's right, a guy who makes a program which installs LOP if the user isn't very careful about what he's installing. Read More Here

Tuesday, October 03, 2006

PestCapture: New SmithFraudRogue

UPDATED w\Screen shot and file info

Latest SmithFraud infection making the rounds. It places a huge alert saying you're infected, which cannot be resized or moved and stays on top of all open applications.

So far Ewido finds it as SpySheriff, Ad-Aware SE finds it as SpywareNo & AdwareSheriff. Spybot S&D does not detect it at all. Read More Here

Sunday, October 01, 2006

WinPatrol v10.0.5.0 Beta Testing

BillP, developer of WinPatrol, has a new build he'd like users to try. It is in beta phase and users should exercise caution if they are not used to the pitfalls of beta software. Read More Here

Saturday, September 30, 2006

Site & Forum Update

Well, nothing to talk about. No word from my hosting company since last nite. Both site and forum are up, tho I'm not sure how consistent it's going to be. I still can't publish or update the main site tho.

Friday, September 29, 2006

Site & Forums Down

Well, it seems my hosting company has been experiencing some glitches in their hardware\software in the last week. Well, actually more like the last 6 weeks give or take, off and on, mostly with the forum access tho.

At first I was unable to publish the main site, but the forums were there, tho sometimes sporadically. Now, as a result of trying some things they recommended I try in my C-Panel, both the site and forums are offline.

Needless to say this is very frustrating and they have told me that they are working with the vendors to try and resolve the issue.

I'll keep posting updates here as things progress.

Sorry for any inconveniences this is causing any of you. With a little luck they will get things fixed quickly.

Tom\TeMerc

Thursday, September 28, 2006

VirusBurst: New Infector Files

New variants of VirusBurst have yet again reared an ugly head. The two latest files:

C:\Windows\System32\httge.dll
C:\Windows\System32\ggagksr.dll

Read More Here

Wednesday, September 27, 2006

SurfSideKick Kissin Kousin: Deluxe Communications

I found the latest from the gang at SurfSideKick while VML trolling. The relationship is noticeable in more than one way. Bleeping Computer has a nice write-up here that compares file names and paths.

You can read about my experience with it here in our forums

Forums down for maintenance

UPDATE 2: Forums will have sporadic access until otherwise posted here, as of 10:30AM MST

UPDATED: Forum is now up as of 9:45AM MST

The forums are down due to some hosting maintenance. In the meantime, why don't you check out what's on the main site. Seems like a perfect opportunity, doesn't it?

From there you can check out a bunch of my favorite blogs or some of the newsletters I link to.

Tuesday, September 26, 2006

MS Fixes IE Exploit Hole

MS releases out of cycle patch for most recent VML IE exploit. Read More Here

Friday, September 22, 2006

IE Exploit Beginning To Spread

The IE exploit begins to stretch its legs as more reports come in about entire servers being hacked and more users getting infected. MS responds that they may even patch out of cycle, and there is a third party patch out too. Read More Here

Thursday, September 21, 2006

SmithFraud\Zlob Updates

Another variant was found this week and added into the removal tools for those infected with SmithFraud\Zlob infections. These guys try hard, but the anti-malware gang stays pretty much on top of these, so it's not likely users will get heavily infected with this one. Read More Here

Two Exploits Found This Week For IE

Two exploits have been discovered out in the wild this week, making MS look pretty incompetent. The potential for 10,000 sites to be using this code is a real threat. Read here and here

Thursday, September 14, 2006

Slightly OT:Email Address Collection via Chain Mails

Seems some spammers are finally doing what I thought was already a regular thing: collecting email addresses via chain letters or jokes. One of my pet peeves is the ridiculous amount of email sent with 150 email addresses in the header. And it usually seems that AOL dipshits are the worst offenders. Read More Here

Saturday, September 09, 2006

StopBadware.org & FunWeb Products

The people behind StopBadware.org seem to have a connection to FunWeb Products. I happened across this while reading the latest from BillP, Bits From Bill, who, for those not in the know, is the developer behind WinPatrol.

While investigating the description of an application in the WinPatrol PLUS database he found that one of the board members of the company behind FunWeb, IAC Interactive, is also behind the Berkeley Center For Internet & Society at Harvard Law School. And they just happen to be the primary backers of StopBadware.org.

Interesting to say the least. FunWeb's rep is less than stellar, tho not nearly as bad as other adware-bundled types of apps. Read More Here

Friday, September 08, 2006

Zango Dismissal: Requested by Plaintiffs

The other day I mentioned that a lawsuit against Zango had been dismissed. Sad news all around, except for the asshats at Zango. They proclaimed:

"We have maintained from its inception that this case had no merit. The dismissal vindicates that position," said Ken McGraw, Zango's general counsel in the statement. "[This] serves to confirm that Zango's desktop advertising software is not spyware in any shape or form and that our business model is entirely legitimate," he added.

But the truth of the matter was, the lawyers for the plaintiffs requested the suit be dropped!! Yeah, that's right. The merits of the case itself were not in question; rather, the case could not meet the qualifications to become a class-action lawsuit. The lawyers at The Collins Law Firm are anxious to talk to any other litigants to move forward and begin action again.

Read More Here

Thursday, September 07, 2006

PCBUTTS: Internet Software Thief?

This person has for the last year or so been laying claim to several pieces of software which are used to fight malware. To name just a few:

SmithRem - Used against many of the SmithFraud\Zlob infections.

NailFix - Used against Aurora\Nail infections.

RogueFix - Used against some variants of SmithFraud.

There are others as well. Some of the people he has allegedly ripped off are Microsoft MVPs.

When confronted he slanders his accusers, calls them vile names and is overall not someone who you would trust. He changes his Whois info and tries to hide his identity. He even began to offer help to users via email to avoid any detection by the security community.

Some of the originators of these scripts are contemplating legal action. But we all know how well that works on the Net.

The only other recourse is to try and shame him into doing the right thing. But based on comments found via a Google search for pcbutts, it's unlikely he will, because it appears the right thing just isn't in his genetic makeup.

But you can do the right thing, by spreading the word about this person. You can also do your part by complaining to the ISP hosting his site at:

Mr. Scott Knowles
Interland Shared Abuse Department Interland, Inc.
303 Peachtree Center Avenue, Suite 500
Atlanta, GA 30303
voice: 404-260-2477, opt 9 (ext 5260)
abuse@interland.com

Sites to seek assistance with your malware problems can be located in a collection of links located on the ASAP directory.

Wednesday, September 06, 2006

WinPatrol PLUS Info Free For September

BillP lets all users of WinPatrol access PLUS Info for September.

Read More Here

Friday, September 01, 2006

Gromozon Rootkit Removal Tool

The group over at Prevx have made a stand-alone removal tool for this nasty bit of work. You can find it here at Prevx

Thursday, August 31, 2006

SmithFraud Rogue: VirusBurst

The latest rogue makes no obvious effort to appear to be much different than many of the other rogues. We need to be thankful these guys have a limited resource in their imaginations. Read More Here

SiteAdvisor Glitches

It would seem that McAfee SiteAdvisor has developed a bit of a hiccup with its ratings system, or perhaps their crawler has a bug in it.

Many of the well known anti-malware forums have been red-flagged in the last few days. Sites like Tom Coyote, CEXX and the Ad-Aware Support forum.

These are obvious mistakes in the system somewhere. The SiteAdvisor group has been made aware of these mistakes and are taking action to correct them. It just won't be as fast as we would like.

I am rated as an 'Experienced Reviewer' and as such, my comments carry a little bit of weight in the ratings of sites. If you're aware of a site which needs some corrective commentary, be they good sites flagged as bad or vice versa, let me know and I'll work my mojo magic on them.

UPDATE: SiteAdvisor is attempting to whitelist these types of security forums and correct the problem.

Thursday, August 24, 2006

Gromozon Rootkit: Mutha Of Rootkits

Malware writers have outdone themselves with this one. Variable DLs, dependent on browser. Hourly changes of said files on the DL sites.

Rootkit detection tools don't detect it in many cases. Fried test machines when researchers attempt analysis.

Oh, and did I say there isn't really any fix for it yet? Well, there is one, but it's not for the faint of heart or the technically challenged either. Read More Here

Wednesday, August 23, 2006

Direct Revenue Scumbags Get Off Light

The scumbags at Direct Revenue get off lightly as a suit brought by the state of California gives very little if any real punishment. That's truly a major disappointment. These lowlifes needed to be crushed. Read More Here

Friday, August 18, 2006

New SmithFraud\Zlob Variant: VirusRescue

Yet another SmithFraud\Zlob variant has hit the streets.

They call this one VirusRescue. But rest assured the only thing that will be needing rescuing will be your sanity as you come to find, after being duped into purchasing this POS, that your system is running ragged and you have all sorts of pop-ups.

And the scumbags who created this thing then tried to post into a fellow security advisor's forum and defend the app.

Mistake. BIG mistake. HUGE even.

Then people like PG and Moore from Bluetack get their engines revved up and carnage ensues. Not to mention the kick ass reply from Security Cadets. But it's the good kind of carnage, the kind where the bad guys get their asses whooped.

Read More Here

Monday, July 31, 2006

The Skinny On Warner Bros, Zango & Porn

Well, it seems an article posted on digg incorrectly stated some facts about the relationship between Zango and porn. As it turns out (if you followed this, you're aware), Zango was not distributing porn, but their association with YapBrowser certainly didn't help matters. Paperghost gives the lowdown on the facts. Read More Here

Friday, July 28, 2006

Warner Bros. Drop Zango Over Porn

Well, hot on the heels of Zango being exposed for advising affiliates on how to insert their software onto MySpace, comes great news!!

Warner Bros. is dumping Zango as an adware vendor!!

Read More Here

Zango:Busted Advising Affiliates On MySpace

Another chapter, the latest in a series of amazing articles chronicling just how Zango pushes their software on MySpace.

But this time we have a confirmed (by Zango) legit email to one of their affiliates on how to proceed, with suggestions on how much to pay and how to link to other Zango sites. Things like moving gifs, because according to the email, 'people love that sh*t'. And also mentioning adding in a karate guy doing flips, because it turns out that it's 'wayyyy more profitable'.

Here is a snippet from the email:

"Zango is fairly new with MySpace sites and it took me some time to see what works and what doesn't." "Put one of our videos on to your MySpace profiles and all of your friends will see it" ...more profitably, *go to a bunch of your friends* who have popular profiles and pay them (it's up to you so much. One of my partners said 5$..maybe offer to split the money with them?) to put a Zango video into their profile through your site. This will give you hundreds of extra installs a day (this probably works even better than having them on your actual site).

So for all the posturing Zango has been doing, you can only imagine how much this is going to twist the Zango PR guy's shorts. And I bet he thought he was going to have the weekend off too.

Guess again scum, because if there is one thing we all know, it's that Paperghost never takes time off. And he is always honing his killer moves against adware bad guys.

Full read w\links @ VitalSecurity

Friday, July 21, 2006

Zango Bait & Switch

Zango once again gets capped in another drive-by 'zealot' attack. At least that's what they would lead you to believe: that it's some sort of vendetta.

Anyone with half a brain could see right through all their excuses and double speak. Read More Here

New Version WinPatrol v10.0.3 [July 21]

BillP continues to improve upon Scotty's abilities to ensure users are safe, offering another version with some bug fixes and a requested feature. Read More Here

Wednesday, July 19, 2006

Zango + Teen Site = Pr0n

Well it seems that once again, Zango, our favorite provider of adware found in some amazingly perverse content, has been exposed by Paperghost.

They really should just add him to the payroll; he does more to regulate their affiliates than the guy who is supposed to be doing it for them. Read More Here

Tuesday, July 18, 2006

New Rogue? ProtectionBar

Looks like this app is one and the same as the others in the SmithFraud family. Panda claims to have found it. Read More Here

Thursday, July 13, 2006

Another Adware Vendor Using MySpace

Still yet another case of an adware company using MySpace to spread its bundles of 'joy'. This is the second company in two weeks caught doing this. Let's hope MySpace gets on the ball and tries to do something about it. Until then, MySpace users beware.

Read More Here

Monday, July 10, 2006

More Zango & MySpace Shenanigans

Well, after getting some negative press back in May, the newly formed but still-doing-business-as-usual 180Solutions-cum-Zango is once again duping users on MySpace.

See, you really can't change the spots on a leopard. Or is that the stripes on a zebra? Regardless, read more here

Friday, July 07, 2006

New Rogue: SpyHeal

This rogue is very new and so far no users have claimed to be infected by it, but give it time, they will begin to pop up by weekend's end I'm sure. I even took the time to add a comment as a reviewer of the app for SiteAdvisor. Read More Here

Thursday, July 06, 2006

Infection Removal Tools Updated

Several specialty tools were updated today with new variants and better scanning and fixing:

Friday, June 30, 2006

CEXX Forums Return To The Fight

I am returning to the forum where I originally began my interest in helping others remove malware. It had been overrun with spammers and all but abandoned. The CEXX forums are now undergoing a revival. Read More Here

Thursday, June 29, 2006

Malware Posing As MS WGA File

Malware writers craft fake files imitating MS WGA to trick users and load a bundle of junkware. MS MVPs are frantically gathering info to spread the word and submitting files to anti-malware vendors to be added to databases. Read More Here

New Version WinPatrol v10 Free

WinPatrol keeps on improving and delivering one of the best system monitoring applications on the Net. PLUS users get even greater control over any system changes and can find out when files were created, monitor hidden files and more!! Read More Here

Tuesday, June 27, 2006

Webhelper Back With A Vengeance

Well, it didn't take Patrick long, but he's up with a new Net address:

http://www.webhelper4u.net/

And he now has a page devoted to all of DollarRevenue's Net activities, to expose them even more for the lowlife scumbags they are. DollarRevenue Activity Page

Monday, June 26, 2006

New Rogue: Adwarefinder (or Adware Finder)

Latest rogue shows not much in the way of creativity; it just claims that it destroys spyware, but with its affiliation with known bundlers of malware, it's highly unlikely to do much of anything useful. Read More Here

Sunday, June 25, 2006

New Vundo Variant, Tool Updated

The latest variant sometimes carries a rootkit with it, but the tool seems to catch the ones that do not. This new variant also hides when HijackThis is used, so users need to rename the tool to trick the malware. Read More Here

Related Link

Saturday, June 24, 2006

MS, WGA & You

Lots of talk about the latest from MS, their Windows Genuine Advantage and its notification tool. Most of the talk is about how to disable the notification tool.

We have a couple of threads in the forum, one here that talks about the many ways to do just that, and another one here which has links relating to the implementation of the tool overall. Don't forget to take the poll in the second link.

Related links:
How Windows Product Activation Works

Special Fix Thread In Forum

I have a new thread in the forums dedicated to specific infections and fixes for those infections. Users should use caution when applying these fixes and take note that machines may still have other infections after the specific fix is used. Read More Here

Monday, June 19, 2006

Webhelper Under Attack

Webhelper's site has been under attack since the 16th of June by DollarRevenue. It seems that after being blogged about here and here they got a little pissed off and decided to attack him!! Read More Here

Saturday, June 17, 2006

New SmithFraud Variants Found

Three new variants of SpywareQuake were found in the last 24-36 hours. And both SmithFraudFix and SmithRem have been updated and deal with all three, including the BHOs and CLSIDs. Way to go guys!!

New files:

oybgrql.dll
yvvdj.dll
xuefh.dll

SmithFraud Updates in forum.

Thursday, June 15, 2006

SmithFraud Updates

Two SmithFraud variants were found recently; the fix tools have been updated and are working so well that removing this infection has come down to running two steps.

Kudos to the experts who craft these tools to fight off the scumbags who create them. New variants have been found almost on a weekly basis and the tools are updated within 24 hours in most cases. Read more about SmithFraud Infection Family Here

Saturday, June 10, 2006

Latest Rogue: Titan Shield

A new rogue has been uncovered in the last 24 hours or so: Titan Shield. It is part of the SmithFraud rogue family and many of its files have already been added for removal by the SmithFraudFix tool by Siri.

Read More Here

Wednesday, June 07, 2006

New Version WinPatrolPLUS v10

Sneak peek at the new version of WinPatrol, for PLUS users only; some neat new features, a must-have for all. Read More Here

Saturday, June 03, 2006

SmithFraud Removal Tool Updated

Noahadfear, noted MS MVP, has returned to the malware fight and updated his SmithRem tool. Read More Here

Update To Forum Problems

Well, it appears as tho the hosting company has temporarily fixed the problem, which turned out to be a router failure. Keep an eye here for any other updates.

Site & Forums Down

Well, it seems my hosting company is having some troubles with our IP blocks 'not being announced to our upstream providers'. Read More Here

Sorry for any inconvenience, hopefully we will be back up soon.

Tuesday, May 30, 2006

Latest SmithFraud Variant

Still yet another new SmithFraud variant found. New files:

C:\WINDOWS\system32\higjxe.dll <<<<---new file
C:\WINDOWS\system32\hvnwm.dll <<<<---new file

Read More Here

Sunday, May 28, 2006

New SmithFraud Variant Found

Another variant found, Siri's SmithFraudFix updated. Search SharedTaskScheduler's .dll:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{f5947202-e9cb-4a72-88e7-22f2cbd2b124}"="chenopodiaceae"

[HKEY_CLASSES_ROOT\CLSID\{f5947202-e9cb-4a72-88e7-22f2cbd2b124}\InProcServer32]
@="C:\WINDOWS\System32\bolnyz.dll" <<<<---new file

[HKEY_CURRENT_USER\Software\Classes\CLSID\{f5947202-e9cb-4a72-88e7-22f2cbd2b124}\InProcServer32]
@="C:\WINDOWS\System32\bolnyz.dll"

Friday, May 26, 2006

PG Scores 180 On Botnet

PG finds yet another instance of rogue 180Delusions affiliates. But this time they are distributing the software via a botnet!! When will the madness end? Read More Here

Monday, May 22, 2006

Whacky IM Malware

IM malware installs its own browser without consent. Crazy style of infection plays music too! Read More Here

Thursday, May 18, 2006

New SmithFraud Variants

Three new SmithFraud variants found this week. Read More Here

180Solutions Invades MySpace With Zango

Well, it seems that the scum over at 180Solutions have figured out a way to nestle their crapware into MySpace.

It's amazing that the most notoriously infamous adware-pushing company can get their stuff added to so many huge sites.

How is it that the people who approve these deals don't know about them? Maybe there is a stronger element behind it? Maybe the VC groups that back these scumbags at 180 have connections far beyond the basic hallways and inner circles of affiliate worlds.

How else could you explain it? Read More Here

Friday, May 12, 2006

FF or IE Get Specific Infection

Browser-dependent malware payloads give users tailored infections. Read More Here

Don't Trust All Search Results

SiteAdvisor and Ben Edelman join forces to show that search engine results can lead to some unwanted malware being DLed to your machine. Read More Here

Wednesday, May 10, 2006

Warner Bros Partner With 180Solutions?

Warner Bros today announced a partnership with 180Solutions. Yes, that's right, the people who have brought you all sorts of wonderful entertainment have joined forces with the people who have brought you all sorts of......adware, popups, unethical installs, excuses and, in another case, even child porn, via the wonderful world of their affiliates. Read some about it here in the forums.

Tuesday, May 09, 2006

E-cards For Mom....& Malware?

Before you send Mom that e-card, you'd better read about what else she may get along with the pleasant sentiments....some not too pleasant malware. Read More Here

Thursday, May 04, 2006

2 Rogue Anti-Spyware Vendors Hit By FTC

The FTC has fined one anti-spyware rogue $4 million and barred another from collecting users' info. Read More Here

Tuesday, May 02, 2006

New EULA Tool From SpywareGuide

My good friend Wayne Porter of SpywareGuide, FaceTime and ReveNews has a new product he is touting, a EULA Analyzer. While this is not necessarily a new idea, I'm certain it will be a tick above any other analyzers currently available. Read more about it here in our forum.

Friday, April 28, 2006

SpywareQuake\SpyFalcon Variants Found

There have been two new variants of SpywareQuake and SpyFalcon found this week. Files have been collected and analysed and the removal tool has been updated already.

Read More: Latest Malware Threats

Tuesday, April 25, 2006

New SpyFalcon Variant Found

Researchers at Bleeping Computer came upon a new variant today. Note that the first two SharedTaskScheduler entries below (Browseui preloader and Component Categories cache daemon, both loading browseui.dll) are stock Windows components; the new one is the 'Twain' entry, whose CLSID is registered under HKEY_CURRENT_USER rather than HKEY_LOCAL_MACHINE and loads twain32.dll:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"


The Bleeping Computer self-help guide has been updated along with the reg file.

Tuesday, April 18, 2006

New Spyware Quake Variant Found

Another variant has been uncovered:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}"="XenaDot Software"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}\InProcServer32]
@="C:\WINDOWS\system32\xenadot.dll" <<<-- Bad File

Monday, April 17, 2006

180Solutions & Kiddie Porn

Well, once again an affiliate of 180Solutions has gone rogue. Of course, we all knew this would happen yet again, especially since all it takes is one line of code to break their bulletproof software. You know, the software they said would stop all the rogue activity, yeah that software.
I can hear the clowns over there now rummaging through the Official 180Colusions Pile Of Excuses For Affiliates file cabinet.

Wanna bet they come out with something interesting? At the very least, they are good for that.

Read More:
180Solutions Affiliate Installs Kiddie Porn

Saturday, April 15, 2006

New SpywareQuake Variant Found

OK, we have a new variant of SpywareQuake, just found today. Here are the references to it:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}"="USB Mouse Driver"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}\InProcServer32]
@="C:\WINDOWS\system32\suprox.dll" <--- new file

Tools at Bleeping Computer and a new site have already been updated.
New site: http://siri.urz.free.fr/Fix/SmitfraudFix_En.php
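The three SpywareQuake/SpyFalcon dumps above (April 25, April 18 and April 15) all use the same load point: a CLSID added to Explorer's SharedTaskScheduler key, with the DLL registered under HKEY_CURRENT_USER\Software\Classes. That matters because COM resolves CLSIDs through the merged HKEY_CLASSES_ROOT view, where the per-user Classes hive shadows the machine-wide one, so a user-level write is enough to get a DLL loaded into Explorer. The following is an added example, written for this page and not code from the blog, Bleeping Computer or any of the fix tools it links: it parses a .reg-style dump (the April 25 one, reproduced here as constructed sample input), resolves each SharedTaskScheduler CLSID the way COM would, and flags anything that is not a known component loading its expected DLL. The KNOWN_GOOD baseline of two XP entries is an assumption made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the SharedTaskScheduler dump from the April 25 post
# above, in .reg-export form. The two browseui.dll entries are stock Windows XP
# components; the "Twain" entry is the SpyFalcon variant.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"
"""

STS_KEY = "\\".join(("HKEY_LOCAL_MACHINE", "SOFTWARE", "MICROSOFT", "WINDOWS",
                     "CURRENTVERSION", "EXPLORER", "SHAREDTASKSCHEDULER"))

# Assumed baseline for this example: SharedTaskScheduler CLSIDs expected on a
# clean XP box, mapped to the DLL basename each should load.
KNOWN_GOOD = {
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}": "browseui.dll",
    "{8C7461EF-2B13-11D2-BE35-3078302C2030}": "browseui.dll",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]*)")="(?P<data>[^"]*)"$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the .reg subset used in these dumps: [key] headers followed by
    "name"="data" or @="data" lines. Key paths are upper-cased because the
    registry is case-insensitive; the default value is stored under "@"."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            keys[current][value.group("name") or "@"] = value.group("data")
    return keys


def resolve_inproc(keys: Dict[str, Dict[str, str]], clsid: str) -> Tuple[Optional[str], Optional[str]]:
    """Find the DLL a CLSID loads the way COM does through the merged
    HKEY_CLASSES_ROOT view: the HKCU Classes hive shadows HKLM, so a per-user
    registration is consulted first and wins. Returns (hive, dll) or (None, None)."""
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        path = "\\".join((hive, "SOFTWARE", "CLASSES", "CLSID", clsid.upper(), "INPROCSERVER32"))
        values = keys.get(path, {})
        if "@" in values:
            return hive, values["@"]
    return None, None


def suspicious_entries(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (clsid, display_name, reason) for every SharedTaskScheduler entry
    that is not an expected component loading its expected DLL."""
    findings: List[Tuple[str, str, str]] = []
    for clsid, display in keys.get(STS_KEY, {}).items():
        cid = clsid.upper()
        hive, dll = resolve_inproc(keys, cid)
        if dll is None:
            findings.append((cid, display, "no InProcServer32 registered"))
            continue
        basename = dll.rsplit("\\", 1)[-1].lower()
        if hive == "HKEY_CURRENT_USER":
            findings.append((cid, display, "per-user CLSID registration loading " + dll))
        elif cid not in KNOWN_GOOD:
            findings.append((cid, display, "unknown CLSID loading " + dll))
        elif KNOWN_GOOD[cid] != basename:
            findings.append((cid, display, "expected %s, got %s" % (KNOWN_GOOD[cid], dll)))
    return findings


if __name__ == "__main__":
    for clsid, display, reason in suspicious_entries(parse_reg(SAMPLE_REG)):
        print(f"{clsid} ({display}): {reason}")
```

Run against the sample it reports only the Twain entry; the April 18 and April 15 dumps, pasted in the same form, produce one finding each (xenadot.dll and suprox.dll), since both also register their CLSID per-user. The per-user check is the useful generalisation here: a CLSID that Explorer loads machine-wide but whose server lives in the current user's hive is worth a look regardless of what the display name claims to be.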

Wednesday, April 12, 2006

New Winfixer Clone, w\Vundo

There is a new Winfixer clone out, called SysProtect. It does not install Vundo, but in many cases is bundled with it. Some files to look for:
syp.exe
SysProtectScannerInstall.exe

Atribune's Vundo Fix has already been updated to deal with a new variant, though I'm not 100% sure whether it's from SysProtect or not.

Read more: New WinFixer Clone

Sunday, April 09, 2006

New SpyAxe\SmithFraud Variant

A couple of new sites have been found using the same tactics as previous versions: pop-ups which claim you are infected with something, and homepage redirects. The new sites are:
BestsecurityguideDOTcom securityfeatureDOTcom

New files and a BHO:
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpAD57.tmp

The file names are not entirely new; Vundo infections use similar names, with 'hp' followed by a random number and a .tmp extension.

Users can still use the fix as previously recommended at Bleeping Computer

Friday, April 07, 2006

MessengerPlus: Now Includes Rogue & Adult Content

Just found this posted by one of the MS MVPs. Pretty amazing stuff, just goes to show you how greedy this scumbag is. It would appear as though Patchou has tweaked his sponsor program yet again, but this time he has added some links and things to Adult Friend Finder, which is not something any right-minded coder would do, unless of course they were just a greedy bastard.

And btw, given that so many young people use this app, how is it that a guy could add something like this? Does this clown have any sense of morality? Young kids may be subjected to some adult type of popup or dating services?

Come on, I'm amazed anyone can use this program with or without the sponsor program and support the person behind it. Oh yeah, and now they are also pushing an anti-spyware app that, guess what? It's on Eric Howes' rogue list!!! This guy has really done it this time.
Sandi Hardmeier MS MVP-Security Blog

Thursday, April 06, 2006

NY AG Targets Direct Revenue

A lawsuit filed in Supreme Court of the State of New York seeks an order barring Direct Revenue from secretly installing spyware or sending ads through existing spyware programs. Reuters

Direct Revenue Rebuts New York Attorney General's Charges April 05, 2006

Direct Revenue has recently come under fire from Spitzer's office for a wide range of questionable practices. See Chris Boyd's write up. Now the company is going on the offensive and rebuts the charges.

Quote:
"This lawsuit is a baseless attempt by the Office of the Attorney General to rewrite the rules of the adware business. It focuses exclusively on the company's past practices - practices we and other industry leaders changed long ago - and says not a word about what we're doing today," said a company spokesperson. "We are proud of our products and the value they bring to both advertisers and consumers: the former by delivering positive, measurable results for their ad dollars, and the latter by offering free content and applications in exchange for viewing a few targeted advertisements per day."
ReveNews

80 Nails And Counting
Every day brings with it an even tighter coffin lid. Well, it would seem that the clowns over at Direct Revenue have really gotten themselves into a pickle. Not only is NY AG Spitzer on their collective asses, which is bad enough, but Ben Edelman has created a detailed and very damaging list of documents which outline the case. So if you want to read some extremely damaging accounts of how they:

1. Joked about user complaints
2. Conceded they don't much worry about if users get their software legitimately
3. Discuss the use of installing a Control Panel to ease removal, but worry more about the success rate of said removals.

Click this link to Ben Edelman's write-up. You won't believe your eyes....no joke.

Tuesday, April 04, 2006

I'm An MS MVP

My nomination to MS MVPs has been accepted. I'm proud to be part of this prestigious group. Read more:
TeMerc Gets Certified MS MVP!!!!

Monday, April 03, 2006

Phishing Analysis

A U.S. academic group takes a deep look at the reasons behind successful phishing ploys. The findings are rather astounding, especially for those who were 'very experienced' in computing and security. Read more at:
The secret of phishers' success

ASC Releases 'Tip Sheets'

The coalition offers both home and corporate users advice on how to recognize unwanted software. Read more at:
ASC Releases Two 'Tip Sheets' To Consumers

Claria Starts Up New Adware.....errr Business Model

Seems Claria has begun its transformation, from an alleged adware company to one that pushes something they call 'PersonalWeb'. Of course this is what it does, and I quote:
Claria is expected to then use the software to offer users personalized content, as well as to target ads based on users' Web-surfing habits.

Uh-huh...Call it what you want, it's still adware. Read more at:
Claria Leaving Adware Biz............Kinda

Sunday, March 26, 2006

Spyware Quake Update

Some new files found with this infection:
%SYSDIR%\dxmpp.dll
%SYSDIR%\ginuerep.dll
%SYSDIR%\dfrgsrv.exe

And the aforementioned stickrep.dll has been found to have a brother, with a different MD5. There is also an installer being analyzed as we speak.


This fix is fully automated, no need for users to manually delete any files.

Friday, March 24, 2006

Possible New Rogue: SpywareQuake

UPDATE MAR 25-1:25MST:

There has been a fix created over at Bleeping Computer. Spyware Quake Fix

********************************

OK, it appears the culprit dll in this variant is: stickrep.dll

It will be located in the system32 folder. Deleting that along with the Spyware Quake related folder and SpywareQuake.exe may remove the infection entirely. Still waiting for more reports, first one in seems to have worked. Unsure if running the SmithRem fix is absolutely needed at this time, seeing as it can't be included in the database as yet. See here

******************

There are 4-6 of these in a few forums. And all are exhibiting the same types of symptoms as SpyFalcon\SpywareStrike\AlphaCleaner and all the other variants. More to come soon.

Thursday, March 23, 2006

180Solutions Loses 3 Contracts Over CDT Report

Gotta love this. As its clients discover the oh-so-shady business practices of 180, they drop 'em like hot potatoes. Read More Here

Wednesday, March 22, 2006

180Solutions Responds To CDT Report

180Solutions posts some great propaganda over at their blog in reply to the CDT report. Read: 180Solutions Fires Back At CDT

Tuesday, March 21, 2006

Adware Reports Posted

Both the CDT & StopBadware.org have released their respective reports. Read CDT & StopBadware.org Adware Reports Now Listed

Claria Leaving Adware Biz

Abandons current practices to concentrate on new adware tactics, 'web portals'. See: Claria Leaving Adware Biz............Kinda

Exposing Botnets

Great write-up by Brian Krebs of Security Fix on how volunteers keep track of botnets. Read More Here

Monday, March 20, 2006

Adware Reports This Week

CDT & StopBadware.org are to release adware reports this week. They will name names and give details on how and why adware proliferates. Following closely behind that, Ben Edelman lists the major vendors supporting 180Solutions.

Sunday, March 19, 2006

Winfixer\Blackworm

Well, for the last week or so there has been a semi-new variant of Winfixer telling users they are infected with the 'Blackworm virus'. Note that this has been around for a little while, but just recently has begun to really get around.

The good news is that the infection it carries with it, is actually Vundo\Virtuamondo (Blackworm), and is easily removed with this fix from Atribune.

As usual, I always like to get users who are infected with it to post a HijackThis! logfile into our forum so we can help with removal and look for any other nasties which may be present.

Thursday, March 16, 2006

Why Anti-Spyware Apps Fail With Keyloggers

In this article, Brian Krebs of Security Fix talks about the inherent flaws in the methods anti-spyware apps use to detect keyloggers, and has some good info from a couple of researchers. Read More Here

Instant Messaging E-Commerce Exploits: Part II

In this part, PG interviews the guy who gave him the inside info about these botnets. Very cool reading for sure. Read More Here

Wednesday, March 15, 2006

Spam Moderation Now Enacted

Well I got my first bit of blog spam today, and it will be the last. Moderation is now on and will stay on. Screw you greedy scumbags who do this and turn blogging into a money making venture. Don't be so F-ing cheap, go buy advertising, you cheap bastards.

Instant Messaging E-Commerce Exploits

Paperghost and SpywareGuide have once again gone deep undercover into the Dark Side of the Net and uncovered a botnet comprised of nearly 150,000 boxes!! And just how did many of these machines get taken over? You guessed it, via IM.

Unsuspecting users who click on links sent by other compromised machines can have files installed which search their machines for the critical information needed to access all sorts of sensitive data. The botmasters even install special scripts to look for exploits in many of the e-cart applications such as CCBill, Comersus Cart and CactuShop.

If these couple of articles and their follow ups don't prevent you from clicking links all the time, I don't know what will. Read More Here

Monday, March 13, 2006

Direct Revenue Settles Lawsuit

Direct Revenue makes unprecedented concessions, yet still is not required to keep an eye on the ever present, all powerful, excuse invoking affiliates. Read More Here

Paperghost On Infection Analysis

Paperghost on why it's important to consider nearly every angle of an infection: from what it is, to what it does, to who made it and why they made it, not to mention what they have done in the past. As Webhelper says: "One must know the past in order to understand the future, if one is to change the future." Read More Here

Saturday, March 11, 2006

Aluria\Earthlink\WhenU Connection

CastleCops has another article recapping the Aluria\WhenU 'whitewash' and subsequent missteps taken by one of Aluria's outgoing executives. Seems in this Spyware Warrior thread he was caught posting false reviews (called astroturfing) of the Aluria product at download.com. There is also more info in the CastleCops Forum Newsletter

BraveSentry Install Documented

Blogger documents a BraveSentry unauthorized install. Nicely done with screenshots and everything. Found via Sunbelt Blog. NetSato Blog

Zone Alarm Suite Vulnerability

Some white hat researchers have found a vulnerability in the popular system suite. Zone Labs was informed in December and has yet to reply to the info provided. More Here

Friday, March 10, 2006

Rogue\Suspect Anti-Spyware Updates

In the last 24 hours, 7 new rogues have been added to the Rogue\Suspect Anti-spyware list. Be sure and check it out via the link to the right.

New SpySheriff Clone: Pest Wiper

Another day, another rogue. This time it's a SpySheriff clone: PestWiper. Hosted on the same servers as other rogues and blacklisted by everyone. Read More Here

Wednesday, March 08, 2006

Viewpoint: Spyware or Not?

Viewpoint media player called spyware by one journalist, he tells users how to prevent its installation. Viewpoint didn't like it. Read More

UPDATE on Aluria\WhenU Whitewashing

This thread is now over at Spyware Warrior and it's not a pretty sight for Aluria; they ignore obvious lies and refuse to answer questions put forth. Read Here

New Rogue: Brave Sentry

New rogue found, pushing two anti-spyware apps on users. Found by Sunbelt Software researchers. Read More

Saturday, March 04, 2006

New Vundo Variant, Tool Updated

New variant of Vundo found, tool created by Atribune updated and working.

Friday, March 03, 2006

New SpyFalcon .dll

A new file has been found in the SpyFalcon infection:

ginuerep.dll

Located in the C:\WINNT\system32 folder.

The fix at Bleeping Computer has been updated to include its removal.

Aluria & WhenU on Digg

Now posted on digg, in security section, go digg it!!

Thursday, March 02, 2006

Anti-Spyware Vendor Caught Erasing History

Aluria software vendor is trying to remove traces of its scandal from back in October 2004 which involved their reclassification of WhenU software.

It appears all references of press releases are disappearing from their website at an alarming rate. And it seems there is a new classification in the anti-spyware business: 'consumer ware' which is what they now call WhenU. Oh, and what else is listed as this new found section of consumer ware? 180Solutions. More to read here

Wednesday, March 01, 2006

SiteAdvisor Public Version Available

Public version of SiteAdvisor now available. More details here

Wednesday, February 22, 2006

I've Got Great News!!

The RSS reader, that is. I was turned onto this reader by one of my forum mods, MysteryFCM, and I love it. The reader is called Great News and since I installed it, it's saving me tons of time, checking over 80 feeds in just a few seconds. Check the link out, give it a try........oh, and did I say it's free?? Yup, free.

Paperghost Asks, We All Want To Know

Well it seems Paperghost has seen fit to examine the contents of the latest 180Delusions press release and raise some other interesting questions which he is so adept at.

This I'm sure has their spin doctors in hyperdrive trying to explain what they really meant, or will it be what they thought they meant? Or maybe it will be what they thought the zealots want? Or maybe......well just follow the link. Read On Here

Monday, February 20, 2006

180Solutions Caught Yet Again

Ben Edelman exposes yet another one of 180Solutions unauthorized installs. Will their madness ever end? Read More Here

Friday, February 17, 2006

Off Topic: Olympic Winner Adware Scammer

It has come to the attention of sports fans across the globe that a recent Gold medal winner at Torino's Winter Olympics is\was an adware scam artist. Read More & Follow Links

Wednesday, February 15, 2006

SpyFalcon Screenshots

Nick posted some of the fake screenshots that SpyFalcon uses to trick the unknowing.

Monday, February 13, 2006

Hoster Hosts File Manager v3.1 Released

The latest version of Hoster is now available. Details & DL Here



Saturday, February 11, 2006

SpyFalcon Fix Now Available

The latest clone of SpyAxe\SpywareStrike, SpyFalcon is now included for targeting by the SpyAxe\SpywareStrike SmithRem fix. An extra step has been added to deal with the extra files. You can find the modified fix here

Friday, February 10, 2006

Winfixer: Using Spoofed Windows Pop-Up

Winfixer is now using Windows Live Safety Center spoof pop-up, which then prompts to install the product. Read More @ Sunbelt Blog

ASC Hosts Spyware Workshop

The Anti-Spyware Coalition held its first public workshop this past week in Washington, DC. Lots of our favorite spyware researchers were present. Read about some of the highlights here

Thursday, February 09, 2006

Freedownloadhq Follow Up

In a follow up to my first mention of Freedownloadhq, the gang at SiteAdvisor have posted a detailed account of the non-existent customer service they have encountered. Amazing how sites like this stay in business, but if we all spread the word, perhaps they will be taken down for the count, or, at the very least, have a significant decrease in traffic. Read More Here

Wednesday, February 08, 2006

SpyAxe\SpywareStrike Clone: SpyFalcon

UPDATED FEB 9: Files found, MD5s also, along with info from Castle Cops

Newly found by Sunbelt Software, the latest SpyAxe\SpywareStrike clone is called SpyFalcon. It too installs without the user's consent via exploits. Add the domains to your block lists. Read More Here

Tuesday, February 07, 2006

New SpyAxe Variant?

UPDATE FEB 8: It appears that Sunbelt Counterspy has it listed And Ewido may also be cleaning it, per a comment over at SWI bootcamp, by Calamity Jane.

New variant of SpyAxe: Alphacleaner. Possible files involved:

shell***.exe and intell***.exe

***=random numbers

Stay Tuned.

Webroot: Spyware Up, Not Down

UPDATED FEB 7 6:40 PM MST

Their researchers' year-long findings dispute recent university research findings, instead indicating that spyware tripled in 2005. Read More Here

Monday, February 06, 2006

Freedownloadhq: Rip Off Site!!!

It takes a lot of balls to charge unsuspecting users for free apps readily available from other sites all over the Net. But FreeDownloadHQ does just that, and worse Read More Here

Thursday, February 02, 2006

Vundo\Winfixer\Virtuamundo Fix Updated

UPDATE FEB 4: New variant has just been added for removal

Direct from the creator, Atribune, the latest fix for the Vundo\Winfixer\Virtumundo infection. It's best if you have been told by an experienced HJT analyst that you have this specific infection before running this tool. Atribune's Fix

Wednesday, February 01, 2006

Hoster v3.0 Hosts File Manager

UPDATE FEB 4: Hoster is now Final Release

Excellent, easy-to-use hosts file manager. Prevent known malicious sites from loading and block lots of ad-server sites. Latest version: Hoster vRC3.0 Read More & Direct DL
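Hosts-file blocking, as Hoster manages it and as the "add the domains to your block lists" advice in the SpyFalcon and SpyAxe posts above relies on, is simple enough that the one caveat is easy to miss: the lookup is an exact, case-insensitive match on the hostname, so an entry for example.com does not cover www.example.com or ads.example.com. The following is an added example written for this page, not Hoster's code or anything from the blog: it parses a hosts file, reports which names it already sinkholes, appends entries (bare name plus the www. form) only for names not yet blocked so it can be re-run safely, and answers "is this host blocked?". The hosts file content is constructed sample input; the two domains are the ones named, defanged, in the April 9 post.

```python
from typing import List, Set, Tuple

# Constructed sample hosts file: the stock localhost line plus one site that is
# already blocked.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 securityfeature.com
"""

# The two SpyAxe/SmithFraud sites from the April 9 post (written defanged there).
NEW_BLOCKS = ["bestsecurityguide.com", "securityfeature.com"]

SINKHOLE = "0.0.0.0"  # the address hosts-file block lists commonly point names at
LOOPBACK = {"127.0.0.1", "::1", SINKHOLE}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for each data line; anything after '#' is a comment."""
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].split()
        if body:
            entries.append((body[0], [h.lower() for h in body[1:]]))
    return entries


def blocked_hosts(text: str) -> Set[str]:
    """Hostnames the file points at loopback or the sinkhole, i.e. blocked.
    'localhost' is excluded: it maps to loopback by design, not as a block."""
    return {h for addr, hosts in parse_hosts(text) if addr in LOOPBACK for h in hosts} - {"localhost"}


def is_blocked(text: str, hostname: str) -> bool:
    """Hosts-file matching is an exact name match with no wildcards, so a
    subdomain is only blocked if it has its own line."""
    return hostname.lower().rstrip(".") in blocked_hosts(text)


def add_blocks(text: str, hostnames: List[str]) -> Tuple[str, List[str]]:
    """Append sinkhole lines for each hostname and its www. form, skipping names
    already blocked. Returns (new_text, names_added); a second run adds nothing."""
    already = blocked_hosts(text)
    added: List[str] = []
    for name in hostnames:
        for candidate in (name.lower(), "www." + name.lower()):
            if candidate not in already:
                already.add(candidate)
                added.append(candidate)
    out = text if text.endswith("\n") else text + "\n"
    out += "".join(f"{SINKHOLE} {h}\n" for h in added)
    return out, added


if __name__ == "__main__":
    new_text, added = add_blocks(SAMPLE_HOSTS, NEW_BLOCKS)
    print(new_text)
    print("added:", added)
```

On a real machine the file is %SystemRoot%\system32\drivers\etc\hosts (Windows) or /etc/hosts, and writing it needs administrator rights; the point of the is_blocked check is that a rogue served from a fresh subdomain or a new domain, as the SmithFraud family does regularly, sails past a list that only names the hosts seen last week.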

Tuesday, January 31, 2006

New YaHoo! IM threat

Just a reminder, we don't click links when they appear out of nowhere on our IMs do we?? No, we don't. And why don't we? This is why

Monday, January 30, 2006

Surf Safe, Surf Secure: No Spyware Worries

There is a new way to surf the Net safely and securely. It's free and it's from Microsoft too!! It's called the Windows Shared Computer Toolkit For XP SP 2. There is a lengthy discussion and detailed info provided by one user @ this DSLR thread.


This appears to be a much better, easier solution than the one posted by Mike Healan recently. And more importantly, almost everyone agrees. I couldn't find a single person to say Mike's solution was a good one. There were far too many potential problems. Check this MS app out.