New YaHoo! IM threat
Just a reminder: we don't click links when they appear out of nowhere in our IMs, do we?? No, we don't. And why don't we? This is why
Malware Advisor is going to post information specifically related to adware, spyware and malware. Most links will point to my forum, where all are invited to take part in discussion, seek assistance with malware removal and find out about the latest malware threats.
There is a new way to surf the Net safely and securely. It's free, and it's from Microsoft too!! It's called the Windows Shared Computer Toolkit for XP SP2. There is a lengthy discussion and detailed info provided by one user in this DSLR thread.
This appears to be a much better, easier solution than the one posted by Mike Healan recently. And more importantly, almost everyone agrees. I couldn't find a single person to say Mike's solution was a good one. There were far too many potential problems. Check this MS app out.
You can find a complete listing of files and folders, along with many other bits of information regarding the many modifications made by these programs, by viewing the Official SpyAxe\SpywareStrike\SmithRem Tool Target List.
Possible new rogue associated with the SmithFraud infection/SpyAxe/SpywareStrike: Adware Punisher. Oddly though, it is already listed on Eric Howes' list of rogues, along with many other aliases. Eric's Rogues here.
Mike Healan of Spyware Info fame has written about what he thinks is the total solution to your spyware problems. Check it out to see if you agree.
Interviewed on Slashdot, answers a dozen questions regarding a multitude of topics. Read More Here
MS Anti-Spyware ready for the second round in beta testing, to include versions for Win2000, WinXP, WinServer 2003 and Vista. Read More Here
Researcher Ben Edelman gives his take on Spyware being pushed via searches, specifically, Google searches.
Read More Here
UPDATED: JAN 25 12:00 AM MST
A corporate-backed Web site being launched by researchers from Harvard and Oxford universities seeks to become a clearinghouse for Internet users on spyware and other malicious software.
The site, which Google Inc., Sun Microsystems Inc. and Chinese computer maker Lenovo Group Ltd. are underwriting, will ultimately identify purveyors of such programs by name and provide information to help consumers decide whether a program is safe to download.
New file found, and its registry entry:
[HKEY_USERS\S-1-5-21-2581581100-4246374879-3904722870-1007\Software\Classes\CLSID\{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}\InProcServer32]
@="C:\\WINDOWS\\system32\\replmap.dll"   <<<-- new file
"ThreadingModel"="Apartment"
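To show what a defender can do with an entry like the one above, here is an added example of mine (not code from the post, nor from the SmithRem tool) that parses .reg-export text, pulls out every CLSID InProcServer32 registration with its DLL path, and, where the key sits under a user SID in HKEY_USERS, records that it is a per-user registration (per-user Classes entries take precedence over the machine-wide ones, which is why that spot is worth watching). The sample input is the registry entry quoted above; the baseline of known-good DLL paths is a constructed placeholder.

```python
import re

# Sample input: the registry entry quoted in the post above, as it appears in a .reg export.
SAMPLE_REG = r'''
[HKEY_USERS\S-1-5-21-2581581100-4246374879-3904722870-1007\Software\Classes\CLSID\{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}\InProcServer32]
@="C:\\WINDOWS\\system32\\replmap.dll"
"ThreadingModel"="Apartment"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# name=data lines; only string values are handled, which is all this check needs
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>"(?:[^"\\]|\\.)*")$')
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$", re.IGNORECASE)
USER_HIVE_RE = re.compile(r"^HKEY_USERS\\(S-1-5-21-[\d-]+)\\", re.IGNORECASE)


def unquote(token: str) -> str:
    """Strip the surrounding quotes of a .reg string and undo its backslash escapes."""
    return re.sub(r"\\(.)", r"\1", token[1:-1])


def parse_reg(text: str) -> dict:
    """Parse .reg text into {key_path: {value_name: data}}; the default value is stored as "(Default)"."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group("name") == "@" else unquote(m.group("name"))
            keys[current][name] = unquote(m.group("data"))
    return keys


def find_inproc_servers(keys: dict) -> list:
    """One record per InProcServer32 key: CLSID, DLL path, threading model, and the owning SID if per-user."""
    records = []
    for key_path, values in keys.items():
        m = INPROC_RE.search(key_path)
        if not m:
            continue
        user = USER_HIVE_RE.match(key_path)
        records.append({
            "clsid": m.group(1).upper(),
            "dll": values.get("(Default)", ""),
            "threading": values.get("ThreadingModel", ""),
            "per_user_sid": user.group(1) if user else None,
        })
    return records


def flag_unknown(records: list, baseline: set) -> list:
    """Return registrations whose DLL path is not in the (case-insensitive) baseline of known-good paths."""
    known = {p.lower() for p in baseline}
    return [r for r in records if r["dll"].lower() not in known]


# Constructed placeholder baseline; a real one would come from a clean machine's own CLSID export.
KNOWN_GOOD = {r"C:\WINDOWS\system32\shell32.dll"}

if __name__ == "__main__":
    for rec in flag_unknown(find_inproc_servers(parse_reg(SAMPLE_REG)), KNOWN_GOOD):
        scope = f"per-user ({rec['per_user_sid']})" if rec["per_user_sid"] else "machine-wide"
        print(f"{rec['clsid']} -> {rec['dll']} [{scope}, {rec['threading']}]")
```

Run as a script it prints the one registration from the sample, marked per-user, because replmap.dll is not in the baseline; feeding it a full export of a machine's CLSID tree is the intended use.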
Stay tuned.
UPDATE: Noahadfear's SmithRem tool has been updated to remove the latest variant!!!
The Center for Democracy and Technology today urged the FTC to sue 180Solutions for routinely allowing distributors to deceptively install its online ad-serving software. Read More Here
UPDATED: JAN 27
From Webhelper, CWS Transponder Gang Update. Read More Here
In a forum I recently came across, which was set up by a highly respectable Windows expert, I saw a user offering help to another user. Nothing odd there; it happens millions of times per day, I'm certain. As it pertained to a specific infection, I clicked the links posted to investigate whether there was some new tool I could recommend that would clean it all out. (As an aside, I know of no single app which can eliminate this infection entirely on its own.)
I immediately recognized some of the apps recommended as being, at one time or another, on Eric Howes' Rogue/Suspect List (one still is). Again, nothing all that earth-shattering. Having been involved for nearly two years in this business we call anti-spyware, you get familiar fairly quickly with the vendors who are not quite up to snuff, so to speak: specifically, using borderline methods of advertising, having apps which use similar names to confuse users into thinking they are getting some other closely resembling legit app, databases that are obscenely outdated, scanning which produces multiple false positives, and other things.
After recognizing that this information on the site was outdated and incorrect, and seeing that users could perhaps be tricked into buying something they thought would work, I posted information for the fix which had been used for weeks with amazing success, and which was free. I then also informed users that the previously posted info was posted not necessarily to help, but to generate click-thrus and perhaps gain some monetary rewards.
I then noticed in another thread the same user offering help to another person for a different infection. It's one thing to want to get the word out about your site and/or product. Quite simply, buy advertising from other sites to promote it. It's entirely another thing to post your links into a forum for the sole purpose of driving users to your site to buy your products. Most all forums have rules against it; mine does. This is spamming a board. It should not be tolerated and should be pointed out immediately to the moderators or administrators of the board. I did so, though no reply as yet from anyone.
That user who posted the self-serving links tried to defend himself, saying it was his right to offer help to others by driving them to pay sites. Why in the world would anyone want to do that? Go to a pay site, when it can be cleaned for free? Simple answer: they may not be properly informed. More importantly, why would anyone try to drum up business in this fashion? Simple answer: greed. But this isn't really anything new; anti-spyware vendors have been doing this for a long time, and it's doubtful it will ever stop.
The user then went on to flat out lie and say he visited my site and saw ads on it!! And that I should get off of my high horse and stop slamming my 'competitors'. You will never see ads on any site I own or of which I am the sole administrator. I'm not in it for the money; I just want to offer help to unsuspecting Internet users and new-to-the-Internet, uneducated users. Plain and simple.
I also found in the same week the same user offering the same self-serving links to users in another forum. I contacted the mods and was immediately replied to: they would be watching the user.
My whole point of this is to try and inform users that sometimes, help being offered is not being offered with the best intentions. It's being offered with the caveat that the one offering is going to be rewarded monetarily.
And in my opinion, it is the worst kind of help, driven by personal gain, not personal satisfaction. JMHO
Just a quick reminder about DLing freeware.
This was passed on to Paperghost by one of his fellow security researchers at FaceTime. In order to DL a version of Webroot's Spy Sweeper, this site insisted on you also DLing a 'download manager'. Hmmmm.... betcha can't guess what that wound up being?
See my forum write-up referencing Site Advisor, a tool which may have prevented you from using that freeware site.
What's in a name, you ask? Well, for many companies it's brand recognition, and changing it isn't something you do if you're a successful brand. After all, if your customers can't easily find you, they can't easily buy your product.
So what would drive a company to change its name? Well, because this blog is about malware, let's see why some anti-spyware vendor companies do that.
So, let's say I'm the guy behind SpyAxe. I put my product out there because I'm a sneaky, greedy bastard and want to sell to (errr... infect) as many users as possible via questionable, unethical installs. Great, I'm off to a grand start and my product is being DLed as fast as I can add/change domains.
But wait, it appears the gendarmes are on to me. Damn, what to do, what to do? Wait, I know, I'll just make a little change and now I'm SpywareStrike. Whoohooo...... I'm really on my way now.
This is the latest example of a popular business model rogue anti-spyware vendors use. For another example, see this DSLR thread about the name changes one company goes through, from SpywareNo to SpySheriff to SpyTrooper to SpyDemolisher, all of them part of the CoolWebSearch Gang.
Well, if you followed along those links you can see exactly what is in a name. Or rather, what could be behind a name: specifically, people who are more interested in underhanded, lowlife, degenerate ways of making money. You can see a whole lot more of these types of applications in The Rogues List of Family Resemblances, created and maintained by Eric Howes.
As in the real world, in the world of anti-spyware it's buyer (user) beware.
Got any suspicious files sitting on your hard drive? Perhaps you noticed an odd-looking process running and you're curious as to what it is and what it's doing.
Getting acquainted with your computer's files and running processes is a good thing. Familiarity can stop some bad things from getting worse. By using Google and a couple of online scans, you can indeed begin to manage your security simply and effectively at no cost. Running processes can be viewed in your Task Manager (XP).
For odd files you have noticed, but are unsure of their purpose, you can just use Google. All you need is the file's name, for instance:
lsass.exe
Googling this exe brings up many results:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2003-52,GGLD:en&q=lsass%2Eexe
In this case, the very first hit is from WinTasks 5. An excellent source for process information. Just about all the hits are pointing to this exe being a legit, required process.
Some other file source info:
Answers That Work
Well, now you know how to find info on a file. Let's say you Google a file and it comes up with results that are not too clear on its legitimacy; what then? Take for instance the info contained on the above-mentioned SysInfo site about the same file:
Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the System folder.
Here we get detailed info on the correct file path for the file on your OS. So, now you're really confused. Well, there is another option. You can scan the file online.
There are a few sites which will scan any file (some size restraints) for free with immediate results. All you have to do is go to the selected site and upload the file to their servers. They are very handy in trying to determine what an unusual file is, and they serve as a resource point for the many vendors that offer them with regard to new malware, viruses, trojans and worms.
Two highly regarded sites for file scanning:
Kaspersky File Scanner
Joti File Scanner (extremely busy, server can show 'page not displayed', be patient, try again)
Now you can go and track down every file on your PC, provided of course you have a few hours. But it would be a good exercise in learning what some files are on your PC and what they do, I'm certain you will find some interesting results.
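The procedure above (look at the running processes, look up an unfamiliar name, compare the folder it runs from against where the real file lives, then scan it) as an added example of mine, not code from the post: it takes a constructed list of process image paths, flags a core Windows name running from a folder other than its documented one (the lsass.exe case the quoted SysInfo text describes), builds the same kind of search query the post uses, and fingerprints a file before you upload it to a scanner. The EXPECTED_DIRS table is a small constructed baseline for the NT/2K/XP family, not an exhaustive list.

```python
import hashlib
import ntpath
from dataclasses import dataclass
from urllib.parse import quote

# Constructed baseline: where a few core Windows (NT/2K/XP) processes legitimately live.
# %SystemRoot% is expanded at check time. Illustrative only, not a complete list.
EXPECTED_DIRS = {
    "lsass.exe": {r"%SystemRoot%\System32"},
    "csrss.exe": {r"%SystemRoot%\System32"},
    "svchost.exe": {r"%SystemRoot%\System32"},
    "explorer.exe": {r"%SystemRoot%"},
}

# Constructed sample of image paths, as you might copy them out of Task Manager.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\lsass.exe",                                # the real one, documented folder
    r"C:\WINDOWS\lsass.exe",                                         # core name, wrong folder (the pattern quoted above)
    r"C:\WINDOWS\explorer.exe",                                      # legitimate
    r"C:\Documents and Settings\User\Local Settings\Temp\xkq3.exe",  # unfamiliar name: needs a lookup, then a scan
]


@dataclass
class Finding:
    name: str
    path: str
    verdict: str   # "expected", "masquerade" or "unknown"
    reason: str


def normalize_dir(path: str, system_root: str = r"C:\WINDOWS") -> str:
    """Expand %SystemRoot%, collapse the path and lower-case it so folder comparisons ignore case."""
    return ntpath.normpath(path.replace("%SystemRoot%", system_root)).lower()


def triage(image_paths, system_root: str = r"C:\WINDOWS"):
    """Classify each image path: expected location, core name in the wrong folder, or unknown name."""
    findings = []
    for path in image_paths:
        name = ntpath.basename(path).lower()
        directory = ntpath.dirname(path)
        allowed = EXPECTED_DIRS.get(name)
        if allowed is None:
            findings.append(Finding(name, path, "unknown", "not a core system name: look it up, then scan it"))
            continue
        allowed_norm = {normalize_dir(d, system_root) for d in allowed}
        if normalize_dir(directory, system_root) in allowed_norm:
            findings.append(Finding(name, path, "expected", "runs from its documented folder"))
        else:
            findings.append(Finding(name, path, "masquerade",
                                    f"core name in {directory}, expected one of {sorted(allowed)}"))
    return findings


def lookup_url(file_name: str) -> str:
    """Build the same kind of search-engine query the post uses for lsass.exe."""
    return "https://www.google.com/search?q=" + quote(file_name)


def sha256_hex(file_bytes: bytes) -> str:
    """Fingerprint a file before uploading it, so the scanner's report can be matched to it later."""
    return hashlib.sha256(file_bytes).hexdigest()


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print(f"{f.verdict:10} {f.path}  ({f.reason})")
    print(lookup_url("lsass.exe"))
```

Run as a script it classifies the four sample paths; the "masquerade" verdict is the one that matters, since a core name outside its documented folder is exactly what the quoted SysInfo note warns about, and the hash lets you recognize the same sample in a later scanner report without uploading it again.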
Recently, Ben Edelman reviewed 180Solutions' new affiliate DL practices. Despite claims that these new practices would nearly eliminate 'unauthorized installs', Ben found the truth to be less than accommodating to those claims. To refute his findings, 180Solutions responded here, on Spyware Confidential.
Today, Ben responded to 180Solutions claims that his analysis was wrong or misleading. As usual, Ben's targeting is like that of Robin Hood, he splits 180's replies with facts and documentation.
Ben Edelman begins a topic to be updated when new info is received regarding how affiliate practices have gotten out of hand, leading to multiple 'unauthorized' installs and complete disregard by the larger companies when informed of 'rogue' affiliates. He tracks many of the big vendors as well as some smaller ones. Good info as usual from Ben. Read More In Forum
Noahadfear has updated his SpyAxe\SpywareStrike-SmithRem Fix to include more files and registry keys to search for removal. The version remains the same however.
After much research, he has come to the conclusion that 2 other apps were frequently DLed along with SpywareStrike to be included for removal with his search tool.
Video iCodec & Crystalys Media were both installed on so many users' machines that it was an unlikely coincidence. He now also recommends using DelDomains to remove any O15 Trusted Zone entries in your HijackThis! logfile. Users should upload new files if they have not since this evening. The detailed fix can be seen at Nick's Malware Removal Blog.
If you are infected with SpywareStrike \SpyAxe feel free to post a HijackThis! logfile into my forum. I'll be more than happy to assist you in removal.
Be sure to check this list before installing any anti-spyware application you find. If it's not on this list, or any of his other lists, post a query in our forums.
There are all types of freeware sites out there which offer freebies of all sorts. Need some graphic applications? Plenty of freeware available. Looking for an office type of application? Loads to choose from. Anti-Spyware? Well, if you have read this blog for any length of time or have visited my forum or website, you know to trust only what you find on the Trustworthy Anti-Spyware List by Eric Howes, or some others recommended in our forums.
You should never blindly DL freeware. Always try and look for a reliable source, a friend you know who may be into security or someone of that nature.
If you don't know someone (now ya do, ME!) then Google the freeware, see what others may have to say about it. If there is a company name on it, along with the title, Google the company. With some minimal researching, you should be able to find some info on it or the freeware. There are a few reliable sources of freeware:
SnapFiles
46 Best Ever Freeware Utilities
There are many more, and you can also visit FreewareWiki for an amazing list of freeware that has been tried and tested through and through.
And you can always drop a note about anything you find in my Freeware Research forum.
To see what can happen when you don't pay much attention to those freebies, read the following detailed accounts of freeware DLs and what other 'freebies' came with them:
SpywareGuide: Game Installs Malware
SunbeltBlog: Persistent Malware
SiteAdvisor: Freeware DL Disasters
The potential for abuse in freeware is fairly high. Do the right thing by exercising caution before DLing that neat screensaver or game. It could turn out to be the biggest mistake you have made.
DL Tip: For a more concise, though not foolproof, way to check a file before you install it, save it to your desktop and run it through a file checker such as Jotti or KAV Online File Checker. Both of these will scan the file for any nasties.