Potentially unwanted software installation practices
In recent years new types of software have appeared: some show advertisements,
monitor the web sites you visit, change the browser's search settings,
alter the browser's search results, redirect you to a different site when you mistype a URL,
and so on. They are generally advertised with wording such
as "enhance your online experience", "assist you when you reach a non-existing page"
and "improve your internet searches", while many end users call them
"adware", "hijackers" and "spyware".
The vendors generally claim that the user - at the time of
installation - is fully aware that the software will be installed and what functionality
the software offers. This document
shows videos of installation practices - some of which may be acceptable and some of which may not -
along with a discussion and a poll where you can submit your opinion about each installation.
Do you know of a site or a program that you think should be investigated here?
Of particular interest are sites that use security holes to install software, and
installers that neglect to disclose that they contain third-party advertising software.
Please let me know.
perlink.biz - 18 Jan 2006
Visiting various web pages resulted in a large number of downloaded files and
changed settings, done by exploiting one or more security holes.
The files were downloaded from
wellspring-uk.net, 85.255.113.84, 85.255.115.187, 85.255.116.186,
www.perlink.biz, 85.255.115.230 and 82.179.170.82.
The following are some of the new
settings that appear in the HijackThis logs:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=2175
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\tdwaa.dll
O2 - BHO: WHttpHelper Class - {9896231A-C487-43A5-8369-6EC9B0A96CC0} - C:\WINDOWS\System32\WStart.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\tdwaa.dll
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\System32\yaemu.exe
O4 - HKLM\..\Run: [NTCommLib3] C:\WINDOWS\System32\NTCommLib3.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\private.exe internat.dll,LoadMouseCarpetProfile
O4 - HKLM\..\RunOnce: [tlc] C:\WINDOWS\update13.js
O4 - HKCU\..\Run: [desktop] C:\WINDOWS\System32\idemlog.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O9 - Extra button: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program\UnSpyPC\UnSpyPC.exe (HKCU)
O9 - Extra 'Tools' menuitem: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program\UnSpyPC\UnSpyPC.exe (HKCU)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht! http://82.179.170.82/e9xr2.chm::/file.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\ {BC24B697-4C1E-4D3C-89B7-B171BA2A583F}: NameServer = 85.255.116.21,85.255.112.210
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINDOWS\System32\xplugin.dll
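The entries above cover most of the persistence and interception points this page keeps running into: autoruns from the Windows directory, a script in RunOnce, a Download Program File using the ms-its/mhtml handler chain, DNS servers rewritten to public addresses and a text/html MIME filter. The following Python triage script is an added example (not code from this page or its author) that flags those patterns in a HijackThis excerpt; its allowlist, severities and the benign ctfmon.exe line in the sample are assumptions, and the remaining sample lines are copied from the perlink.biz log.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the perlink.biz log above plus one
# assumed-benign autorun (ctfmon.exe) so the allowlist has something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=2175
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\tdwaa.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - HKLM\..\RunOnce: [tlc] C:\WINDOWS\update13.js
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht! http://82.179.170.82/e9xr2.chm::/file.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\ {BC24B697-4C1E-4D3C-89B7-B171BA2A583F}: NameServer = 85.255.116.21,85.255.112.210
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINDOWS\System32\xplugin.dll
"""

# Assumed allowlist: autorun binaries that legitimately live under the Windows directory.
KNOWN_WINDIR_AUTORUNS = {"ctfmon.exe", "explorer.exe", "rundll32.exe"}
SCRIPT_EXTENSIONS = (".js", ".vbs", ".hta", ".wsf")
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    code: str      # HijackThis entry type, e.g. "O17"
    severity: str  # "high" or "review"
    reason: str
    raw: str


def first_path(cmd: str) -> str:
    """Return the program path from an O4 command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted: take everything up to the first extension that is followed by
    # whitespace or end of line, so a path containing spaces is kept whole.
    m = re.match(r"(.*?\.[A-Za-z0-9]{2,4})(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def is_public(addr: str) -> bool:
    try:
        return not ipaddress.ip_address(addr).is_private
    except ValueError:
        return True  # not an IP literal at all: still worth a look


def check_entry(code: str, body: str, raw: str) -> Optional[Finding]:
    if code == "O17" and "NameServer =" in body:
        servers = body.split("NameServer =", 1)[1].replace(" ", "").split(",")
        public = [s for s in servers if s and is_public(s)]
        if public:
            return Finding(code, "high", f"DNS servers changed to public addresses {public}", raw)
    elif code == "O16" and re.search(r"ms-its:|mhtml:", body, re.IGNORECASE):
        return Finding(code, "high", "Download Program File uses the ms-its/mhtml handler chain", raw)
    elif code == "O18" and body.startswith("Filter: text/html"):
        return Finding(code, "high", "text/html MIME filter: every rendered page passes through this DLL", raw)
    elif code == "O4":
        m = RUN_RE.search(body)
        if m is None:
            return None
        path = first_path(m.group("cmd"))
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        if low.endswith(SCRIPT_EXTENSIONS):
            return Finding(code, "high", f"autorun executes a script file: {path}", raw)
        if low.startswith(("c:\\windows\\", "c:\\winnt\\")) and base not in KNOWN_WINDIR_AUTORUNS:
            return Finding(code, "review", f"autorun from the Windows directory, unknown binary: {base}", raw)
    elif code in ("R0", "R1") and "=" in body:
        value = body.split("=", 1)[1].strip()
        if value.lower().startswith(("http://", "https://", "res://", "file://")) or re.match(r"[a-z]:\\", value, re.I):
            return Finding(code, "review", f"browser search/start page now points to {value}", raw)
    return None


def triage(log_text: str) -> list:
    """Parse a HijackThis excerpt and return the findings in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m is None:
            continue  # bare file paths and headers are skipped
        f = check_entry(m.group("code"), m.group("body"), line.strip())
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}")
```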
game4all.biz - 11 Jan 2006
Visiting a web page at game4all.biz resulted in a large number of downloaded files and
changed settings, done by exploiting a security hole.
The files were downloaded from
game4all.biz, evko.biz, core.psyche-evolution.com, burgostar.info,
maxysearch.info, 216.255.179.234 and download.winhound.com.
The following are some of the new
settings and files that appear in the HijackThis logs:
C:\Program\WinHound\WinHound.exe
C:\WINDOWS\System32\kernels64.exe
C:\WINDOWS\System32\priva.exe
C:\WINDOWS\batserv2.exe
C:\WINDOWS\System32\vxgame6.exe
C:\WINDOWS\sachostx.exe
C:\WINDOWS\System32\intell32.exe
C:\winstall.exe
C:\WINDOWS\System32\sywsvcs.exe
C:\WINDOWS\System32\vxh8jkdq1.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\qvxgamet3.exe
C:\WINDOWS\System32\qvxgamet4.exe
C:\WINDOWS\System32\sachostc.exe
C:\WINDOWS\System32\sachosts.exe
C:\WINDOWS\System32\sysc.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\vxgame6.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels64.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\priva.exe internat.dll,LoadMouseCarpetProfile
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\RECYCLER\svwhost.exe /s
O4 - HKLM\..\Run: [BatSrv] C:\WINDOWS\batserv2.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\System32\vxgame6.exe
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [WinHound] C:\Program\WinHound\WinHound.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\System32\vxgame6.exe
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\RECYCLER\svwhost.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sywsvcs.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: htproc - C:\WINDOWS\SYSTEM32\htproc32.dll
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
beehappyy.biz - 18 Nov 2005
Visiting a web page at beehappyy.biz resulted in a large number of downloaded files and
changed settings, done by exploiting a security hole. The following are some of the new
settings that appear in the HijackThis logs:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\System32\search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\inet20099\services.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\efsdfgxg.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20099\services.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\wfwall1.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20099\socks.exe 20099
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Documents and Settings\Roger\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [noC=] c:\windows\mrjj.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [ecsiin] c:\ecsiin.stub.exe
O4 - HKLM\..\Run: [timessquare] c:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] c:\windows\adtech2005.exe
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\System32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\System32\vidmon\vidmon.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20099\services.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [wmfk] C:\Program\DELADE~1\wmfk\wmfkm.exe
O4 - HKCU\..\Run: [kfmw] c:\stub_113_4_0_4_0.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O20 - Winlogon Notify: chk - C:\WINDOWS\SYSTEM32\chke.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\rIsppp.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\System32\dcbfpbim.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VGVzdA\command.exe
After rebooting, the machine locked up before showing the login screen.
For more details, please examine the HijackThis logs (1, 2, 3, 4, 5, 6, 7), the network log, the log of modifications done to the file system and registry, and the logs with the MD5 and SHA-1 sums of the files that were downloaded onto the system.
66.250.131.174 - 18 Nov 2005
Visiting 66.250.131.174 resulted in a change to Internet Explorer's custom stylesheet,
done by exploiting a security hole. The following is the new entry that appeared in the
HijackThis log:
O19 - User stylesheet: C:\WINDOWS\windows.dat
When the browser was restarted it opened http://www.martfinder.com/index.htm, which
subsequently redirected me to http://66.28.233.173/security/warning.htm, which promotes
PSGuard.
For more details, please view the network log.
Lookoutsoft.net - 11 Nov 2005
The lookoutsoft.net video shows how SearchMiracle/EliteBar is installed
without any notice along with a free game called "Balloon Pop Word Game" from Lookoutsoft.net.
This version of EliteBar directs your toolbar searches to www.searchtheworld4you.com,
replaces the HOSTS file and communicates with empnads.com, e.rn11.com and c.rn11.com.
The following is the new entry that appears in the HijackThis log:
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
For more details, please examine the HijackThis log, the network log, the log of modifications done to the file system and registry, and the logs with the MD5 and SHA-1 sums of the files that were downloaded onto the system.
Alex Eckelberry has also tested the lookoutsoft game, and reports that
180 Search Assistant and Internet Optimizer
are also installed "without any notice, disclosure, consent, anything."
This undisclosed bundling has been going on for quite some time. Please see
Lookoutsoft's Elitebar install from June 2005 for more details.
85.255.113.242 - 07 Nov 2005
85.255.113.242 makes numerous changes to your computer settings and
installs software without user consent by exploiting a security hole.
Here are some of the new entries that appear in the HijackThis logs:
O2 - BHO: C:\WINDOWS\system32\st3.dll - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - C:\WINDOWS\system32\st3.dll
O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B711} - C:\WINDOWS\adsldpbd.dll
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [multitran] C:\WINDOWS\System32\multitran.exe
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\efsdfgxg.exe
O4 - HKLM\..\Run: [WindowsUpdate] c:\windows\sstray.exe /s
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\RunServices: [multitran] C:\WINDOWS\System32\multitran.exe
O4 - HKLM\..\RunServices: [Explorer64] C:\WINDOWS\System32\efsdfgxg.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [multitran] C:\WINDOWS\System32\multitran.exe
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O20 - Winlogon Notify: dvd4free - C:\WINDOWS\SYSTEM32\dvd4free.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\q7513093.dll
O20 - Winlogon Notify: gg - C:\WINDOWS\adsldpbd.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
For the full details, please examine the HijackThis logs (1, 2, 3), the network log, the log of modifications done to the file system and registry, and the logs with the MD5 and SHA-1 sums of the files that were downloaded onto the system.
Pacimedia.com - 05 Oct 2005
Ben Edelman's article New.net Installed through Security Holes
shows unwanted software installing through a security hole. I
decided to try it in my lab and the result was essentially the same.
The installation started by visiting a web site, which exploits a
security hole to launch a dialog asking you to accept some terms and conditions
that cannot be found. Clicking the "CLOSE THIS WINDOW" button (without unchecking the box) results
in a computer filled with unwanted software, without any further notice.
Command, Internet Optimizer, ISTsvc, ItalMgr, Media-motor, New.net Domains 6.38,
Power Scan, Search Assistant, Select CashBack, SideFind, Surf Accuracy,
Surf SideKick and YourSiteBar appear in the Add/Remove programs dialog.
The following are some of the new entries that appear in the logs:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.xosearchox.com/sp2.php
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [adcomplusanalytic.exe] C:\WINDOWS\System32\adcomplusanalytic.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\lx4dp4.exe reg_run
O4 - HKLM\..\Run: [mc-58-12-] C:\WINDOWS\System32\mc-58-12-
O4 - HKLM\..\Run: [System service73] C:\WINDOWS\etb\pokapoka73.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\Program\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [elos] C:\WINDOWS\exe82.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Documents and Settings\Roger\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [sais] c:\program\180searchassistant\sais.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [services32] C:\Program\Delade filer\Windows\mc-58-12-0000119.exe
O4 - HKCU\..\Run: [DNS] C:\Program\Delade filer\mc-58-12-0000119.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [ichckupd] C:\WINDOWS\System32\ichckupd.exe
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program\Cas\Client\casmf.dll
O20 - AppInit_DLLs: repairs302972943.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Um9nZXIA\command.exe
For more details please look in the network log and the HijackThis logs (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14).
Update: I have revisited pacimedia.com on three additional occasions, and there have been some
minor changes. The dialog launched through the security hole has now been modified with an
EULA link - http://www.pacerd.com/terms.html - which you have to type manually into your
browser. A large number of new programs will appear on your computer if you forget to uncheck the box before clicking
"CLOSE THIS WINDOW".
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.aaawebfinder.com/sp2.php
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program\SurfSideKick 3\SskBho.dll
O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\System32\italllde.dll
O2 - BHO: ts - {4006DCA3-433D-4FC8-AC36-42DA7797DCB7} - C:\WINDOWS\System32\bho.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsb12.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nstD.dll
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\System32\APD123.exe
O4 - HKLM\..\Run: [cgipgrv] C:\WINDOWS\cgipgrv.exe
O4 - HKCU\..\Run: [CMSystem] "C:\Program\CMSystem\CMSystem.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\lx4dp4.exe reg_run
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Roger\LOKALA~1\Temp\bwf1003.exe run
O4 - HKLM\..\Run: [VBouncer] C:\Program\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [ichckupd] C:\WINDOWS\System32\ichckupd.exe
O4 - HKCU\..\Run: [CAS2] "C:\Program\System Files\System.exe"
O4 - HKLM\..\Run: [zuprojc] C:\WINDOWS\zuprojc.exe
O4 - HKLM\..\Run: [zTZJA7] "C:\WINDOWS\System32\AOP2.exe" /PC=CP.AOP2
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKCU\..\Run: [CAS Client] "C:\Program\Cas\Client\casclient.exe"
O4 - Startup: AdDestroyer.lnk = C:\Program\AdDestroyer\AdDestroyer.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O20 - AppInit_DLLs: repairs302972949.dll
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program\CMSystem\plugin.dll
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program\System Files\plugin.dll
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program\Cas\Client\casmf.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Um9nZXIA\command.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\sjrrlpr.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\faavxmd.exe
For more details please look in the logs from the three visits: (1, 2, 3, 4, 5), (1, 2, 3, 4, 5, 6) and (1, 2, 3, network log, md5, sha1, systemsherlock log).
Another update: Once again there have been some changes in the PacerD bundle.
I was surprised to see "RelevantKnowledge/MarketScore",
"The BullsEye Network" and "NaviSearch" installing without any reference in the EULA
at http://www.pacerd.com/terms.html. (As usual, PacerD uses its
dialog launched through the security hole.)
The following are some of the entries that appear in the HijackThis logs:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program\SurfSideKick 3\SskBho.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: (no name) - {38E34A3C-E573-DF9F-41D7-68C21A620992} - C:\WINDOWS\twqlcooo.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nshD.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\System32\APD123.exe
O4 - HKLM\..\Run: [VBouncer] C:\Program\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wqroar.exe reg_run
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [OSS] c:\windows\rlvknlg.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CAS2] "C:\Program\System Files\System.exe"
O4 - HKCU\..\RunOnce: [OSSProxy] c:\windows\rk.exe -bootinstall
O4 - Startup: AdDestroyer.lnk = C:\Program\AdDestroyer\AdDestroyer.exe
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program\System Files\plugin.dll
O20 - AppInit_DLLs: repairs302972964.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VGVzdA\command.exe
For more details please look in the logs (1, 2, 3, 4), the network log, the md5 and sha1 sums and the systemsherlock log.
Perfhost.com - 28 Sep 2005
The perfhost.com video shows how applications are installed without consent,
by exploiting a security hole. The following programs appear in
the Add/Remove programs dialog:
"Google Toolbar for Internet Explorer" and
"PremiumSearch StartPage". A short while after I ended the video capture, a program
called "WorldAntiSpy" also appeared. The following are some of the new entries that
appear in the log:
C:\WINDOWS\System32\usbhdctl.exe
O1 - Hosts: 69.31.81.22 www.google.de
O1 - Hosts: 69.31.81.22 www.google.dj
O1 - Hosts: 69.31.81.22 www.google.dk
O1 - Hosts: 69.31.81.22 www.google.es
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll
O4 - HKLM\..\Run: [apisvc.exe] C:\WINDOWS\System32\apisvc.exe
O4 - Global Startup: WorldAntiSpy.lnk = C:\Program\WorldAntiSpy\WorldAntiSpy.exe
For more details please look in the HijackThis logs (1, 2, 3).
I notified Google Toolbar Support about this issue on the 28th of September 2005.
I am convinced Google will track down and stop the individual or company behind the non-consensual
toolbar install.
Behost.biz - 27 Sep 2005
The behost.biz video
shows how unwanted applications are installed without consent,
by exploiting a security hole. The following programs appear in
the Add/Remove programs dialog:
"Best Search Engine",
"Internet Optimizer",
"ISTsvc",
"PowerScan",
"SideFind",
"Surf Accuracy",
"The BullsEye Network",
"Uninstall 180 Search Assistant"
and "YourSiteBar".
For more details please look in the HijackThis logs (1, 2).
Zviframe.biz - 22 Sep 2005
Zviframe.biz makes numerous changes to your computer settings and
installs software without user consent by exploiting a security hole.
Here are some of the new entries that appear in the HijackThis logs:
O2 - BHO: (no name) - {9C5875B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\performent003.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker010.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb010.dll
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb010.dll
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\efsdfgxg.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O15 - Trusted Zone: *.asdbiz.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O21 - SSODL: System - {804254AE-E271-4846-9B19-A7C7B95A1564} - ssmc.dll (file missing)
O21 - SSODL: Best Search Engine!!! - {B63199FC-5E91-0DCA-EA98-8F4CDBD7AB11} - \wincxerme32.dll
For the full details, please examine the HijackThis logs (1, 2, 3), the network log, the log of modifications done to the file system and registry, and the logs with the MD5 and SHA-1 sums of the files that were downloaded onto the system.
Serialkey.net - 12 Sep 2005
Josh has posted a detailed description of a security hole exploit that runs
when visiting serialkey.net. The following are some of the new entries that appear in the logs:
C:\WINDOWS\system32\d3fk32.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mdfkj.dll/sp.html#17702
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {4A6D173C-FEB5-A78F-B935-68286B007E44} - C:\WINDOWS\system32\winlr32.dll
O4 - HKLM\..\Run: [crda32.exe] C:\WINDOWS\crda32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä.#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3fk32.exe
Highconvert.com - 17 Aug 2005
My previous summary about highconvert.com
showed a large number of software products installing without consent. Today I visited
highconvert.com (IP 81.9.5.7) again. The security hole exploit is still live but there
are a few differences. The
Add/Remove programs dialog
now shows a slightly changed set of programs: "Windows More Choices" is a newcomer,
while others, such as "Select Cashback" and "Offer Agent", no longer appear.
Another difference is that 180Search Assistant popped right into the system tray without
any notice.
Additional software is also installed which only appears in the logs generated with
HijackThis. Here are some of
the entries that appear in the log:
c:\slinstaller.exe
O4 - HKLM\..\Run: [Windows More Choice] C:\WINDOWS\TopContext.exe
O20 - Winlogon Notify: avpu32 - C:\WINDOWS\SYSTEM32\avpu32.dll
For the full details, please examine the network log, the log of modifications done to the file system and registry, and the logs with the MD5 and SHA-1 sums of the files that were downloaded onto the system.
Highconvert.com registrant:
Big Buks
John Miller,
38-1 Main St
New York
null,12042
US
Tel. +212.4490399.
John Miller was also the registrant of sp2fucked.biz and crazy-toolbar.com.
Mr Miller has also registered BIGBUKS.INFO, which resolves to the
same server as highconvert.com.
Update: Thanks to Josh
for testing this exploit on a US-based system, which shows a slightly different set of unwanted programs
and network communication.
For the full details, please examine the clean HijackThis log, the log after visiting highconvert.com, the network log and the Microsoft AntiSpyware log.
Highconvert.com - 11 Aug 2005
The highconvert.com video
shows how unwanted applications are installed without consent,
by exploiting a security hole. "Internet Optimizer",
"Internet Update", "ISTsvc", "OfferAgent", "Power Scan",
"Select CashBack",
"SideFind", "Surf Accuracy", "Surf SideKick", "The BullsEye Network" and
"YourSiteBar" appear in the Add/Remove programs dialog. 180Search Assistant
also appears in the video as the only program asking the user to agree
to its license agreement, by showing a dialog with the following message:
"180Search Assistant is a component of a program you
recently installed. This program is represented by an icon in your system tray and
can be easily uninstalled from Add/Remove Programs in your Control Panel. You will
receive an average of 2-3 advertiser referrals daily, based solely on the keywords from
websites you visit to help you find exactly what you are looking for, faster.."
Additional software is also installed which only appears in the logs generated with
HijackThis (1, 2).
Here are some of the new entries that appear in the logs:
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program\SurfSideKick 3\SskBho.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program\SideFind\sfbho.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program\YourSiteBar\ysb.dll
O4 - HKLM\..\Run: [srvprc] C:\WINDOWS\System32/srvprc.exe /i
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Documents and Settings\Roger\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [sac] c:\program\180searchassistant\sac.exe
O4 - HKLM\..\Run: [IST Service] C:\Program\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [CJv0U] C:\WINDOWS\nrtrow.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpa.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program\Power Scan\powerscan.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program\SurfSideKick 3\Ssk.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program\SideFind\sidefind.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht! http://highconvert.com/system/users/dimpy/chmjpeg//x.chm::/open.exe
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll
For the full details, please examine the network log, the log of modifications done to the file system and registry, and the logs with the MD5 and SHA-1 sums of the files that were downloaded onto the system.
Toolbarpartner.com - 11 Aug 2005
Warning! Toolbarpartner.com runs an exploit that results
in system settings changes and unwanted
applications installed without any notice. Some of the files that appear on the system
are part of the "Keylogger from Hell",
also known as Srv.SSA-KeyLogger. The actual
exploit is most likely done at http://toolbarpartner.com/adBLOCKEDverts/bigbaks/load.js.
Here are some of the new entries that appear in the logs:
O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru [..snip..] www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O4 - HKLM\..\Run: [gkij] C:\WINDOWS\System32\hlxkvn.exe
O4 - HKLM\..\Run: [svchost] c:\Program Files\Internet Explorer\shttps\svchost.exe
O4 - HKLM\..\Run: [svchost] c:\Program Files\Internet Explorer\shttps\svchost.exe
c:\$$$_.log
c:\Program Files\Internet Explorer\shttps\svchost.exe
c:\Program Files\Internet Explorer\shttps\http.exe
c:\Program Files\Internet Explorer\shttps\php\php.exe
c:\Program Files\Internet Explorer\shttps\start.exe
c:\Program Files\Internet Explorer\shttps\www\tools\backup.exe
c:\Program Files\Internet Explorer\shttps\www\tools\cls.exe
c:\Program Files\Internet Explorer\shttps\www\tools\reboot.exe
c:\Program Files\Internet Explorer\shttps\www\tools\restore.exe
c:\WINDOWS\msxmidi.exe
c:\WINDOWS\wmplayer.exe
c:\WINDOWS\wmplayer1.exe
c:\sys275834209.exe
c:\sys7520315.exe
c:\sys8566296.exe
c:\web.exe
c:\winld32.dll
c:\winloadhh.dll
For the full details, please examine the network log, the HijackThis log, the log of modifications done to the file system and registry, and the logs with the MD5 and SHA-1 sums of the files that were downloaded onto the system.
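The O1 entries in the perfhost.com log (google.* pinned to 69.31.81.22) and the toolbarpartner.com log above (security vendor sites mapped to 255.255.255.255) show the two ways the hosts file is abused: redirecting well-known names to one foreign address, and blackholing the sites a victim would use to get help. The following Python audit is an added example, not part of the original page; the vendor and high-value name lists and the threshold are assumptions, and the sample input is constructed from those two logs.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample: O1 lines from the perfhost.com and toolbarpartner.com
# logs above (the long toolbarpartner.com line shortened) plus the default
# localhost mapping every hosts file carries.
SAMPLE_O1 = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 69.31.81.22 www.google.de
O1 - Hosts: 69.31.81.22 www.google.dj
O1 - Hosts: 69.31.81.22 www.google.dk
O1 - Hosts: 69.31.81.22 www.google.es
O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru www.sophos.com www.symantec.com www.trendmicro.com
"""

Finding = namedtuple("Finding", "severity subject reason")

# Addresses that make a name unreachable rather than redirecting it.
BLACKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "255.255.255.255"}
# Assumed lists; extend them for your own environment.
SECURITY_VENDOR_DOMAINS = ("avp.ch", "avp.com", "avp.ru", "kaspersky.com", "sophos.com",
                           "symantec.com", "trendmicro.com", "mcafee.com", "viruslist.com",
                           "viruslist.ru", "ca.com", "microsoft.com")
HIGH_VALUE_LABELS = {"google", "microsoft", "windowsupdate", "paypal"}
PINNED_HOSTS_THRESHOLD = 3  # distinct names on one non-blackhole address

O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<hosts>.+)$")


def in_domain(host, domain):
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def is_security_vendor(host):
    return any(in_domain(host, d) for d in SECURITY_VENDOR_DOMAINS)


def is_high_value(host):
    return bool(HIGH_VALUE_LABELS & set(host.lower().split(".")))


def parse_o1(line):
    """Return (ip, [hosts]) for an O1 line, or None for any other line."""
    m = O1_RE.match(line.strip())
    if m is None:
        return None
    return m.group("ip"), m.group("hosts").split()


def audit_hosts(log_text):
    findings = []
    names_by_ip = defaultdict(set)
    for line in log_text.strip().splitlines():
        parsed = parse_o1(line)
        if parsed is None:
            continue
        ip, hosts = parsed
        for host in hosts:
            if host.lower() == "localhost":
                continue
            names_by_ip[ip].add(host)
            if ip in BLACKHOLE_ADDRS:
                if is_security_vendor(host):
                    findings.append(Finding("high", host, f"security vendor blackholed via {ip}"))
                else:
                    # Blocking ad networks is a common, user-chosen use of the hosts file.
                    findings.append(Finding("info", host, f"name blackholed via {ip}"))
            elif is_high_value(host):
                findings.append(Finding("high", host, f"high-value name redirected to {ip}"))
    # Many unrelated names on one real address is the redirect pattern even
    # when none of the names is on the high-value list.
    for ip, names in names_by_ip.items():
        if ip not in BLACKHOLE_ADDRS and len(names) >= PINNED_HOSTS_THRESHOLD:
            findings.append(Finding("high", ip, f"{len(names)} distinct names pinned to one address"))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_O1):
        print(f"[{f.severity}] {f.subject}: {f.reason}")
```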
Vxiframe.biz - 11 Aug 2005
Another security hole exploit, resulting in lots of software installed without user consent.
Here are some of the new entries that appear in the logs:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker006.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb006.dll
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb006.dll
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O21 - SSODL: Best Search Engine!!! - {894D5487-970D-A52D-633B-AA5E4D0FCC5D} - \akzagx32.dll
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
For the full details, please examine the network log, the Hijackthis logs (1, 2, 3), the log of
modifications done on the file system and registry, and logs with the md5 and sha-1 sums
for the files that were downloaded on the system.
Permalink
Lookforthe.net - 10 Aug 2005
Warning! Do not visit Lookforthe.net! Merely visiting this site with Internet Explorer
resulted in system settings being changed and unwanted applications being installed,
by exploiting a security hole. The actual exploit is triggered at
http://traffcash.com/traffBLOCKED/index.html.
The following are some of the new entries that appear in the logs:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.new-access.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [Olympic] C:\Documents and Settings\Roger\Application Data\sgrunt\IE4321.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program\PSGuard\PSGuard.exe
O15 - Trusted Zone: www.contentcooler.biz
O15 - Trusted Zone: www.new-access.biz
O15 - Trusted Zone: www.sgrunt.biz
For the full details, please examine the network log, the Hijackthis logs (1, 2), the log of
modifications done on the file system and registry, and logs with the md5 and sha-1 sums
for the files that were downloaded on the system.
Permalink
Maiden4u.biz - 10 Aug 2005
Warning! Do not visit Maiden4u.biz! Merely visiting this site with Internet Explorer
resulted in system settings being changed and unwanted applications being installed,
by exploiting a security hole. The actual exploit is triggered at
http://85.255.113.4/dl/BLOCKEDadv453.php.
The following are some of the new entries that appear in the logs:
C:\WINDOWS\tool2.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\tibs.exe
C:\WINDOWS\ms1.exe
C:\WINDOWS\ms3.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\dima.exe
C:\WINDOWS\system32\init32m.exe
C:\WINDOWS\sys5430.exe
C:\WINDOWS\System32\symcsvc.exe
C:\WINDOWS\system32\init32m.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\system32\appwiz.dll
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\symcsvc.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
O21 - SSODL: System - {ABFF9C19-5D63-4824-ADF9-47CE6BA5D82D} - vr_sys.dll (file missing)
c:\WINDOWS\System32mscore.bin
c:\WINDOWS\desktop.html
c:\WINDOWS\hammer.exe
c:\WINDOWS\kl.exe
c:\WINDOWS\loadnew.exe
c:\WINDOWS\ms1.exe
c:\WINDOWS\ms2.exe
c:\WINDOWS\ms3.exe
c:\WINDOWS\ms4.exe
c:\WINDOWS\sys5430.exe
c:\WINDOWS\sys5432.exe
c:\WINDOWS\sys5434.exe
c:\WINDOWS\sys5544.exe
c:\WINDOWS\sys5546.exe
c:\WINDOWS\sys5547.exe
c:\WINDOWS\system32\$$$_.log
c:\WINDOWS\system32\abc.exe
c:\WINDOWS\system32\config\SSL
c:\WINDOWS\system32\cssrs.exe
c:\WINDOWS\system32\init32m.exe
c:\WINDOWS\system32\latest.exe
c:\WINDOWS\system32\mdms.exe
c:\WINDOWS\system32\msnethlp32.dll
c:\WINDOWS\system32\msnethlp32.exe
c:\WINDOWS\system32\newdial.exe
c:\WINDOWS\system32\paydial.exe
c:\WINDOWS\system32\paytime.exe
c:\WINDOWS\system32\ps.a3d
c:\WINDOWS\system32\spanner.exe
c:\WINDOWS\system32\symcsvc.exe
c:\WINDOWS\system32\tibs.exe
c:\WINDOWS\system32\winacpi.dll
c:\WINDOWS\system32\zlbw.dll
c:\WINDOWS\system32\~update.exe
c:\WINDOWS\tool2.exe
c:\WINDOWS\tool3.exe
c:\WINDOWS\uniq
c:\WINDOWS\vr_sys.dll
c:\winld32.dll
For the full details, please consult the network log, the Hijackthis logs (1, 2, 3), the log of
modifications done on the file system and registry, and logs with the md5 and sha-1 sums
for the files that were downloaded on the system.
Permalink
Imbuddy.net - 06 Aug 2005
In April 2005 I visited a site called imbuddy.net,
which opened a download dialog for a program called ChangeYourIcon.exe.
When ChangeYourIcon was started, a large number of additional software
components were installed without proper notice. Google's cache
shows that ChangeYourIcon has been in use
since October 2004
(screenshot), possibly
even before that.
Today I visited imbuddy.net once again.
ChangeYourIcon.exe is still available and installs
"Internet Optimizer",
"ISTsvc",
"Media-motor",
"Search Assistant" (from 180Solutions),
"SideFind",
"The ABI Network - A Division of Direct Revenue",
"The BullsEye Network" and
"YourSiteBar",
which appear in the
Add/Remove Programs dialog.
For your reference I have generated a HijackThis log, a network log, a log of modifications
done on the file system and registry, and logs with the md5 and sha-1 sums for the files
that were downloaded on the system.
aimface.com and buddy-icons.us are also hosting ChangeYourIcon.exe.
Update 2005-08-09: Vitalsecurity.org offers more information about buddy-icons.us.
Permalink
Aimface.com - 05 Aug 2005
In April 2005 I visited a site called aimface.com,
which opened a download dialog for a program called ChangeYourIcon.exe.
When this .exe file was started, a large number of additional software
components were installed without proper notice.
Today I visited aimface.com once again.
ChangeYourIcon.exe is still available and installs
"AdDestroyer",
"Internet Optimizer",
"ISTsvc",
"Media-motor",
"Search Assistant" (from 180Solutions),
"SideFind",
"The ABI Network - A Division of Direct Revenue",
"The BullsEye Network",
"Virtual Bouncer" and
"YourSiteBar",
which appear in the
Add/Remove Programs dialog.
ChangeYourIcon.exe still does not give any notice that it
installs roughly 20 MB of additional software.
For your reference I have generated a HijackThis log, a network log, a log of modifications
done on the file system and registry, and logs with the md5 and sha-1 sums for the files
that were downloaded on the system.
Update 2005-08-13: Josh has kindly assisted me with some testing, and it appears that
US based systems get more unwanted software than I get on my machine.
For the full details, please examine the HijackThis log before running ChangeYourIcon,
the log after installing and the Microsoft Antispyware log.
Permalink
195.95.218.84 - 30 Jun 2005
The 195.95.218.84 video shows how software is installed without
user consent by exploiting a security hole.
"The ABI Network - A division of Direct Revenue" and
"WareOut" appear in the Add/Remove programs dialog, but additional software
is also installed which only appears in the logs generated with HijackThis (1, 2).
Permalink
IOWrestling.com Part I - 30 Jun 2005
The iowrestling.com part I video
shows the installation practices used by two Panamanian corporations.
The first application is developed by a company
called "much media", according to the EULA available at http://newsh.com/terms.html.
Much media's custom installation dialog (01:39) is launched by exploiting a security hole and
uses the misleading text "Close this Window, Continue" on the button that should be clicked
if you accept the software. The standard close button in the upper right corner does not close
the window. Furthermore, no entry is available
to remove the software from the "Add/Remove programs" dialog (05:20).
The second application, named "Browser Enhancer Tools software" from
"KVM Media", opens an ActiveX dialog (03:03)
with the misleading message "IE Browser update available. Your browser is not fully upgraded".
If you choose to install it, no entry will be available in the "Add/Remove programs" dialog (05:20)
to remove the software.
"Browser Enhancer Tools" may also download third party software, some of which is named and
has its EULA attached. The following product names, company names, web sites and EULA links
can be found in http://icannnews.com/eula.html.
- NewtonKnows, Virtumundo, Inc, http://privacy.virtumundo.com/optout/
- MEDIATICKETS, MEDIATICKETS, LLC, http://www.mediatickets.net/terms.php
- Surf Sidekick ad serving software, BTS
- Best Offers ad targeting software, Best Offers, LLC,
- eXact Advertising, LLC, CashBack by Bargain Buddy, Bullseye and NaviSearch
- Search Request Toolbar, also called DownloadsManager, http://206.58.237.248/remove/.
- BetterInternet, LLC, Ceres,
- 404SEARCH SOFTWARE, 404Search Inc,
- Zango, 180solutions, Inc
- MainStreamDollars Affiliate Program, 617577 B.C. Ltd. D/b/a MainStreamDollars,
- Cash4Toolbar Affiliate Program, Cash4Toolbar.com
- TargetSaver, Inc
- BOOKEDSPACE PLUG-IN, BookedSpace.com
Some of these will also install additional third party software.
For your reference I've created logs with HijackThis (1, 2, 3), generated a list of
all files and registry entries which were added, deleted or modified during the installation,
md5 and sha1 hashes for some of the files created during the installation,
and a network log.
The following are the new entries that appear in the HijackThis logs:
C:\DOCUME~1\Roger\LOKALA~1\Temp\nsh_115.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\sgftpub.dll
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\stmpsnap.dll
Vitalsecurity.org has documented a similar installation at IOWrestling.
Permalink
Crazy-toolbar.com Part II - 29 Jun 2005
Warning! Do not visit crazy-toolbar.com!
The Crazy-toolbar.com part II video
shows how unwanted applications are installed without consent,
by exploiting a security hole. "Content Devlivery Module",
"Internet Optimizer", "RichEditor", "Spy Sheriff",
"The ABI Network - A division of Direct Revenue",
"The BullsEye Network", "TSA", "UCMore - The Search Accelerator" and
"WeirdOnTheWeb" appear in the Add/Remove programs dialog, but additional software
is also installed which only appears in the logs generated with HijackThis (1, 2, 3, 4, 5).
For your reference I've also created a list of all files and registry entries
which were added, deleted or modified during the installation,
md5 and sha1 hashes for some of the files created during the installation,
and a network log.
See also "Crazy-toolbar.com Part I".
Permalink
Lookoutsoft.net - 19 Jun 2005
The Lookoutsoft.net video
shows how SearchMiracle/Elitebar
is installed without notice with the "Ant Run Pro Jr" game from Lookoutsoft.net.
The toolbar redirects traffic to yupsearch.com.
The following are the new entries that appear in the Hijackthis log:
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\eliteneo32.exe
You can find more details in the logs.
Permalink
Webbet.ru - 16 Jun 2005
Warning! Do not visit Webbet.ru!
The Webbet.ru video
shows how browser settings are changed and unwanted applications installed without consent
by exploiting a security hole. "MDS Search Booster", "SB Soft" and "Winds 2.4"
appear in the "Add/remove programs" dialog, and additional software is installed
which appears in the logs generated by HijackThis (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11),
Bazooka and CounterSpy.
The following are some interesting entries that appear in the HijackThis logs
during the installation:
C:\WINDOWS\System32\down0.exe
C:\WINDOWS\System32\down1.exe
C:\WINDOWS\System32\down2.exe
C:\WINDOWS\System32\down3.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\x.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\loader.exe
C:\WINDOWS\System32\sew.exe
C:\WINDOWS\System32\popupreporter.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com/to.php?ID1=1871&ID2=60037513&ID3=343262034642&ID4=0&ID5={33399B37-E94D-409A-BF0D-50C35C59C722}
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\system32\webdlg32.dll
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\system32\webdlg32.dll
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [combop.exe] combop.exe
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\eliteyel32.exe
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/6.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} - http://start1.aaa1screensavers.com/30005.exe
Permalink
Crazy-toolbar.com Part I - 16 Jun 2005
Warning! Do not visit crazy-toolbar.com!
The Crazy-toolbar.com video
shows how unwanted applications are installed without consent,
by exploiting a security hole. "180search Assistant", "Content Devlivery Module",
"Internet Optimizer", "MaxiFiles", "Media-motor", "Spy Sheriff",
"The ABI Network - A division of Direct Revenue",
"The BullsEye Network", "UCMore - The Search Accelerator" and
"WeirdOnTheWeb" appear in the Add/Remove programs dialog, but additional software
is also installed which only appears in the logs generated with HijackThis (1, 2) and
CounterSpy.
For your reference I've also created a list of all files and registry entries
which were added, deleted or modified during the installation.
WebHelper documents similar behaviour in his write-up
"Admin2Cash.B Trojan that Over Writes Explorer.exe".
Permalink
Searchterror.com - 15 Jun 2005
Warning! Do not visit searchterror.com!
The Searchterror.com video
shows how unwanted applications are installed without consent,
most likely by exploiting a security hole.
For your reference I have generated logs with
HijackThis (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14),
Microsoft Antispyware, Bazooka
and a list of all files and registry entries
which were added, deleted or modified during the installation.
The following are some of the new entries that appear in the logs:
C:\WINDOWS\tool1.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\ms1.exe
C:\WINDOWS\ms3.exe
C:\WINDOWS\shop1003.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\SskUpdater3.exe
C:\Program\BullsEye Network\bin\bargains.exe
C:\WINDOWS\System32\msxct.exe
C:\Program\WeirdOnTheWeb\WeirdOnTheWeb.exe
c:\windows\system32\wqqomc.exe
C:\WINDOWS\System32\win32.exe
C:\WINDOWS\System32\Services\ {F960E869-4B83-4605-8C60-D59650741D76}\SVCHOST.EXE
C:\WINDOWS\System32\newdial1.exe
C:\WINDOWS\msmsgr2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {07441A0F-A453-93E4-AF78-D009089F153C} - C:\WINDOWS\cdmweb\wfpbktxiei.dll
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolk.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolber.dll
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolber.dll
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Roger\LOKALA~1\Temp\shop1003.exe run
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\ {F960E869-4B83-4605-8C60-D59650741D76}\SVCHOST.EXE
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe zolk.dll, DllRegisterServer
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\ {F960E869-4B83-4605-8C60-D59650741D76}\SECURITY.EXE
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\RunOnce: [ICDRegOCX0] rundll32.exe advpack.dll,RegisterOCX C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O15 - Trusted Zone: *.bestcounter.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=2732
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O21 - SSODL: System - {51BCC091-D024-4BFD-80D6-BB7AAF31A28E} - vr_sys.dll (file missing)
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
WebHelper documents similar behaviour in his write-up
"Searchterror.com/SpywareNo.com". More information coming...
Permalink
Ebs.fuck-access.com - 14 Jun 2005
Warning! Do not visit ebs.fuck-access.com!
The ebs.fuck-access.com video
shows how unwanted applications are installed without consent,
by exploiting a security hole.
For your reference I have generated logs with
HijackThis (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15),
Microsoft Antispyware, AdAware, Bazooka
and a list of all files and registry entries
which were added, deleted or modified during the installation.
The following programs appear (17:55) in the "Add/Remove programs" dialog:
"Content Delivery Module",
"Internet Optimizer",
"Internet Update",
"PSGuard",
"Select CashBack",
"The ABI Network - A Division of Direct Revenue",
"The BullsEye Network",
"UCMore - The Search Accelerator" and
"WierdOnTheWeb".
Here are some of the new entries that appear in the logs:
c:\xxxxx.exe
C:\WINDOWS\inet20057\winlogon.exe
C:\WINDOWS\mm.exe
C:\WINDOWS\System32\intronsad.exe
C:\WINDOWS\winsocks5.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\i8.tmp
C:\DOCUME~1\Roger\LOKALA~1\Temp\SskUpdater3.exe
C:\Documents and Settings\Roger\Internet Optimizer\optimize.exe
c:\windows\system32\ngirgk.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\180sainstaller.exe
C:\Program\180searchassistant\sac.exe
C:\Program\BullsEye Network\bin\bargains.exe
C:\WINDOWS\System32\msxct.exe
C:\Program\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\WINDOWS\System32\s2hcq4m0.exe
C:\WINDOWS\System32\l5fhmk2h.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\lolbiomd.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\2C.tmp\THNALL~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\msblank.html
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20057\winlogon.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20057\3.00.05.dll
O2 - BHO: (no name) - {70444A14-CDE1-623C-F5F0-F22D28B4BDD2} - C:\Program\UPD\lnkdfvtlwi.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20057\winlogon.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\winsocks5.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn64.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Documents and Settings\Roger\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [ysypuuf] c:\windows\system32\ngirgk.exe r
O4 - HKLM\..\Run: [BullsEye Network] C:\Program\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [sac] c:\program\180searchassistant\sac.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [s2hcq4m0] C:\WINDOWS\System32\s2hcq4m0.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20057\winlogon.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/website.ocx
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Permalink
Crackz.ws Part III - Key Generators and Adware - 11 Jun 2005
The Crackz.ws video Part III - Key Generators and Adware
shows how "Cheats Explorer Add-in" (start.exe) is distributed side by side with a license key generator (keygen.exe) for
Nero 6 Ultra Edition CD burning software. A license key generator is designed
to create a license key without paying for it, in this case avoiding paying $79.99.
"Cheats Explorer" links to a license agreement,
http://www.ysbweb.com/terms, which
discloses that it will install additional software described at the following web pages:
http://www.exactadvertising.com/product_eulas/Be.html
http://www.internet-optimizer.com/legal/EULA/
http://www.contextplus.com/license.html
http://www.shopathomeselect.com/TermsAndConditions.asp
http://www.180searchassistant.com/eula.aspx
http://www.dealhelper.com/agreement/terms2.html
http://www.targetsaver.com/eula.html
In the video "Cheat Toolbar",
"Internet Optimizer", "ISTsvc", "Power Scan", "Side Find",
"The BullsEye Network" and "Uninstall 180search Assistant" appear in the "Add/Remove programs" dialog
after running start.exe and clicking "I AGREE".
For your reference I have generated logs with HijackThis (1, 2).
Permalink
Crackz.ws Part II - 11 Jun 2005
Warning! Do not visit Crackz.ws!
The Crackz.ws video Part II
shows how browser settings are changed and unwanted applications installed without consent,
by exploiting a security hole.
For your reference I have generated logs with
HijackThis (1, 2, 4, 5, 6, 7, 8, 9, 10, 11)
and a list of all files and registry entries
which were added, deleted or modified during the installation.
The following are some of the entries that appear in the logs:
C:\WINDOWS\System32\ucsl.exe
C:\WINDOWS\System32\ipconfig.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=4100
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchcentral.cc/index.php?v=4&aff=4100
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchcentral.cc/index.php?v=4&aff=4100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 82.179.166.164 lender-search.com
O1 - Hosts: 82.179.166.165 hot-searches.com
O2 - BHO: WHttpHelper Class - {9896231A-C487-43A5-8369-6EC9B0A96CC0} - C:\WINDOWS\System32\WStart.dll
O4 - HKLM\..\RunOnce: [tlc] C:\WINDOWS\update13.js
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.170.82/e9xr2.chm::/file.exe
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINDOWS\System32\xplugin.dll
CRE c:\WINDOWS\system32\TCPService2.exe
CRE c:\WINDOWS\system32\WStart.dll
CRE c:\WINDOWS\system32\tksrv99.exe
CRE c:\WINDOWS\system32\tmksrvu.exe
CRE c:\WINDOWS\system32\tmp3.txt
CRE c:\WINDOWS\system32\uc1362.exe
CRE c:\WINDOWS\system32\ucsi.exe
CRE c:\WINDOWS\system32\ucsl.exe
CRE c:\WINDOWS\system32\xplugin.dll
CRE c:\WINDOWS\update13.js
Permalink
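The log excerpts in this entry, in the Searchterror.com entry and at the top of this section share a small number of patterns a defender can check for mechanically: hosts-file entries that sinkhole anti-virus vendor sites or relocate the hosts file, a system.ini Shell= line with an extra program, Run entries that use a system binary's name outside its normal directory or start programs from a temporary directory, Trusted Zone additions, Winlogon Notify DLLs, and services with no identified owner. The Python script below is an added example, not code from the original page or from HijackThis; it encodes those rules and runs them over a constructed sample whose lines are copied from the logs quoted on the page. The vendor domain list and the expected-directory table are assumptions of the example, not anything the page specifies.

```python
"""Triage of HijackThis-style log lines (added example, not the page's code)."""
import re
from dataclasses import dataclass

# Anti-malware vendor domains (assumed list); a hosts entry pointing these at a
# non-routable address blocks signature updates and removal tools.
SECURITY_VENDOR_DOMAINS = ("symantec.com", "sophos.com", "trendmicro.com", "avp.com",
                           "avp.ru", "avp.ch", "viruslist.com", "viruslist.ru", "ca.com")
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "255.255.255.255"}
DEFAULT_HOSTS = "\\windows\\system32\\drivers\\etc\\hosts"      # drive letter stripped
EXPECTED_DIR = {name: "\\windows\\system32\\"   # where these live on a default install
                for name in ("svchost.exe", "services.exe", "winlogon.exe", "csrss.exe")}
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (.*)$")


@dataclass(frozen=True)
class Finding:
    entry_type: str   # HijackThis section, e.g. "O1"
    reason: str
    line: str


def _executable(cmd: str) -> str:
    """Return the program path from a Run-key command string (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|dll|com|scr))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def _strip_drive(path: str) -> str:
    return re.sub(r"^[a-z]:", "", path.lower())


def triage_line(line: str) -> list[Finding]:
    """Apply the triage rules to one log line; returns zero or more findings."""
    line = line.strip()
    m = re.match(r"^([A-Z]\d+) - (.*)$", line)
    if not m:
        return []          # plain file paths and unknown sections are not judged
    kind, body = m.group(1), m.group(2)
    found: list[Finding] = []

    def flag(reason: str) -> None:
        found.append(Finding(kind, reason, line))

    if kind == "O1" and body.startswith("Hosts file is located at: "):
        if _strip_drive(body.split(": ", 1)[1]) != DEFAULT_HOSTS:
            flag("hosts file relocated away from the default path")
    elif kind == "O1" and body.startswith("Hosts: "):
        ip, *hosts = body[len("Hosts: "):].split()
        blocked = [h for h in hosts if any(h == d or h.endswith("." + d)
                                           for d in SECURITY_VENDOR_DOMAINS)]
        if ip in SINKHOLE_ADDRESSES and blocked:
            flag("security vendor sites sinkholed: " + ", ".join(blocked))
        elif ip not in SINKHOLE_ADDRESSES:
            flag("hostnames pinned to " + ip)
    elif kind == "F2" and "Shell=" in body:
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            flag("extra program started with the shell: " + shell)
    elif kind == "O4" and (o4 := O4_RE.match(line)):
        exe = _executable(o4.group(1))
        low = exe.lower()
        if "\\" not in low:
            flag("program given without a path: " + exe)
        else:
            name = low.rsplit("\\", 1)[1]
            directory = _strip_drive(low[:low.rfind("\\") + 1])
            if name in EXPECTED_DIR and directory != EXPECTED_DIR[name]:
                flag(name + " outside its normal directory: " + exe)
            if "\\temp\\" in directory:
                flag("autostart from a temporary directory: " + exe)
    elif kind == "O15":
        flag("Internet Explorer trusted zone widened: " + body.split(": ", 1)[1])
    elif kind == "O20":
        flag("Winlogon Notify DLL loaded at every logon")
    elif kind == "O23" and "Unknown owner" in body:
        flag("service with no identified vendor")
    return found


def triage(log_text: str) -> list[Finding]:
    return [f for line in log_text.splitlines() for f in triage_line(line)]


# Constructed sample: lines copied from the page's logs, plus a quoted Run entry
# and a bare file path that yield no finding.
SAMPLE_LOG = r"""
O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch www.sophos.com www.symantec.com
O1 - Hosts: 82.179.166.164 lender-search.com
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [svchost] c:\Program Files\Internet Explorer\shttps\svchost.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Roger\LOKALA~1\Temp\shop1003.exe run
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\paytime.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry_type:<4} {f.reason}\n     {f.line}")
```

A finding is a pointer to what to look at next, not a verdict: the quoted Internet Optimizer entry produces none because its name and location are unremarkable, even though the page lists it among the unwanted programs. The network log, the file system and registry change list and the hash logs the entries refer to remain the evidence.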
Crackz.ws - 10 Jun 2005
Warning! Do not visit Crackz.ws!
The Crackz.ws video shows a large number of unwanted applications
installing without consent, by exploiting a security hole.
For your reference I have generated logs with
HijackThis (1, 2, 3, 4, 5, 6, 7, 8, 9, 10),
Microsoft Antispyware, AdAware and Bazooka.
The following programs appear (01:04:30) in the "Add/Remove programs" dialog:
"Content Delivery Module",
"Internet Optimizer",
"Internet Update",
"OIN",
"PSGuard",
"Select CashBack",
"The BullsEye Network",
"UCMore - The Search Accelerator" and
"WierdOnTheWeb".
The following are some of the new log entries that appear during the installation:
c:\xxxxx.exe
D:\WINDOWS\System32\intronsad.exe
D:\WINDOWS\System32\sssdfgbsdfghbnj.exe
D:\WINDOWS\System32\sssdfgbsdfghbnj.exe
D:\Program Files\Internet Optimizer\optimize.exe
D:\Program\WeirdOnTheWeb\WeirdOnTheWeb.exe
D:\Program\ptwh\lruc.exe
D:\Program\BullsEye Network\bin\bargains.exe
D:\WINDOWS\System32\msxct.exe
D:\WINDOWS\System32\0pfq9qor.exe
D:\WINDOWS\system32\??mbols\arpa.exe
D:\WINDOWS\System32\sssdfgbsdfghbnj.exe
D:\WINDOWS\TEMP\ehfflhmd.exe
D:\Documents and Settings\radmin\Skrivbord\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = D:\WINDOWS\System32\msblank.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=explorer.exe D:\WINDOWS\System32\wininet.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - D:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {0E008A64-CDEF-1C24-9396-26EAE89F773C} - D:\WINDOWS\System32\drvi\naumakpjhv.dll
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - D:\WINDOWS\drexinit.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - D:\WINDOWS\System32\msbe.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - D:\Program\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [wininet] D:\WINDOWS\System32\wininet.exe
O4 - HKLM\..\Run: [ControlPanel] D:\WINDOWS\System32\popcorn64.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [Internet Optimizer] "D:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [WeirdOnTheWeb] "D:\Program\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [BullsEye Network] D:\Program\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [0pfq9qor] D:\WINDOWS\System32\0pfq9qor.exe
O4 - HKLM\..\Run: [PSGuard] D:\Program\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [Ucwd] D:\Program\ptwh\lruc.exe
O4 - HKCU\..\Run: [Eyvibof] D:\WINDOWS\System32\??mbols\arpa.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/website.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=4699
Permalink
FasterXP.com - 08 Jun 2005
Fasterxp.com by Optisoft offers a program that, according to the developer, will
boost your hard drive's speed, increase your connection speed by up to 200%,
decrease your HDD's access time and fragmentation, block IE pop-up and pop-under ads,
enhance your system, make it more effective, improve the reaction time of the Start menu,
launch Internet Explorer much faster, search the web without loading search engines and
promises to be 100% spyware free. The download page
states that it is 100% free from viruses, spyware and trojans.
What is not that clearly disclosed is that the FasterXP program bundles additional software such as
"My Search Bar",
"Search Assistant - My Search"
and "The ABI Network - A Division of Direct Revenue"
(all identified by the names in the "Add/Remove programs" list),
as shown by the FasterXP installation video
(sorry for the low update rate).
In order to find out that FasterXP bundles additional software you have to click
a tiny link at the fasterxp.com web page and scroll down to the end of the FasterXP license, where a
link to BetterInternet's EULA appears, followed by the MySearch and TopRebates EULA.
For your reference I have created a log with Microsoft Antispyware
and three HijackThis logs (1, 2, 3), where the first is generated before installing FasterXP.
Microsoft Antispyware reports "Transponder.ABetterInternet.Aurora Spyware",
"Transponder.ABetterInternet.Ceres Spyware",
"My Search Bar Browser Plug-in" and
"My Way Speedbar Browser Plug-in".
d:\windows\system32\ytaxgwck.exe
d:\windows\system32\calc.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fasterhomepage.com
R3 - URLSearchHook: (no name) - {04079856-5845-4dea-848C-3ECD647AA554} - D:\Program\MySearch\SrchAstt\2.bin\MYSRCHAS.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - D:\WINDOWS\ceres.dll
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - D:\Program\MySearch\bar\2.bin\S4BAR.DLL
O2 - BHO: MySearch Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - D:\Program\MySearch\SrchAstt\2.bin\MYSRCHAS.DLL
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - D:\Program\MySearch\bar\2.bin\S4BAR.DLL
O4 - HKLM\..\Run: [seaWDurlIE] D:\WINDOWS\System32\seaWDurlIE.exe
O4 - HKLM\..\Run: [ytaxgwck] d:\windows\system32\ytaxgwck.exe
Other observations from the videos:
1) Internet Explorer's homepage changed to fasterhomepage.com. (I am not able to find where this
is disclosed in the FasterXP EULA, can you? The EULA is available at http://198.87.3.82/fasterxp/eula.html.)
2) fasterhomepage.com does not offer any help on how to change the homepage.
3) fasterhomepage.com is reported to violate Google's terms of service.
4) Entering a non-existing domain name redirects the browser to ms126.mysearch.com.
Other observations:
1) ArcaVir reports "Trojan.Downloader.Multi.M30", Fortinet reports "W32/AGENT.OO-tr"
and Kaspersky Anti-Virus reports "Trojan-Downloader.Win32.Agent.oo"
when scanning fasterxp.exe with Jotti's malware scan.
2) OptiSoft S.L. Madrid is the owner of the Blubster P2P software.
3) fasterhomepage.com registrant: Alfredo J. Bravo C. Pavones 34B 4B Madrid 28032 Spain.
4) fasterhomepage.com administrative contact: Soto, Pablo pablo@pioletBLOCKED.com Av. Mediterraneo 24 Madrid 28007 Spain 915011239 Fax.
5) You may redistribute the unmodified FasterXP software, as stated in the FasterXP EULA:
"USER MAY NOT, UNDER ANY CIRCUMSTANCES, REDISTRIBUTE SOFTWARE, UNLESS THE SOFTWARE
IS IN ORIGINAL UNMODIFIED FORM AS DOWNLOADED FROM THE Optisoft WEBSITE. .." Can
OptiSoft, BetterInternet, My Search and Top Rebates make sure that the EULA is
displayed if someone else redistributes FasterXP?
6) FasterXP appears to have file-sharing capabilities, according to the FasterXP EULA:
"FasterXP OR Optisoft DO NOT OWN OR CONTROL ANY FILE SHARED USING THIS SOFTWARE.
FasterXP IS ONLY THE SOFTWARE THAT ALLOWS YOU TO CONNECT TO OTHER USERS. WE DO NOT
HAVE ANY CONTROL OVER THE CONTENT OF USERS OR THE ACTIONS OF OTHER USERS, AND WE
ARE NOT ALLOWED TO EXAMINE THE INFORMATION THAT YOU CAN TRANSFER WITH THE SOFTWARE.
THE GATEWAYS AND NODE CACHES THAT THE FasterXP SOFTWARE USES DO NOT INDEX ANY FILE
LISTINGS, NOR DO THEY ENABLE FasterXP OR Optisoft TO CONTROL OR MONITOR THE ACTIONS
OF ANY USER..".
7) The seaWDurlIE.exe file mentions "Piolet"
as the company name. According to Wikipedia,
"Piolet is a MANOLITO servent developed by Pablo Soto. Piolet shares the same codebase as Blubster; the name change is a result of concerns from Pablo Soto's employer, Optisoft."
ImBuddy.net - 13 Apr 2005
ImBuddy.net has a large archive of buddy icons and away messages
for instant messaging clients.
When visiting some of the icons' web pages
at imbuddy.net a download dialog will appear asking you to download
a file called "ChangeYourIcon.exe". I scroll down the page looking for links named
"EULA", "License", "Terms", "Terms of Use", etc., something that would give
more details about ChangeYourIcon.exe.
None of these links appear, so I hope that the ChangeYourIcon.exe file will launch a
standard install wizard that gives me more details about the functionality.
Unfortunately, the installation starts immediately without showing any additional information
and adds a large number
of software components to my system,
failing to show any end user license agreements,
failing to show a general description of the bundled software,
even failing to inform the user that additional software will be installed.
(ImBuddy.net documents the fact that additional software might be installed
by the software provided from their website, however you
must 1) scroll to the bottom of the web page, click "Privacy Policy" and
scroll down to "VIII. Third Party Advertising", which mentions the same
products and links to
the same end user license agreements as the
aimface.com installation documented below (12 Apr 2005),
or 2) scroll down to the bottom of the web page and click "Uninstall", which
mentions the following "Add/Remove Programs" entries:
ShopAtHomeSelect Agent,
180search Assistant,
Bullseye Network,
WebSearch Tools,
WinTools,
WebSearch Toolbar,
e2giveSoftware and
Surf Sidekick. This list of products does not match the software products
that are actually installed.)
The installation is documented in a
video captured at ImBuddy.net.
Logs from Microsoft AntiSpyware, Adaware and HijackThis are also available
for reference on what was added to the system during the installation.
Microsoft AntiSpyware reports the following threats:
- ShopAtHome Spyware
- Xrenoder Browser Plug-in
- WindUpdates Browser Plug-in
- CoolWebSearch Browser Modifier
- AvenueMedia.DyFuCA Browser Plug-in
- IST.ISTbar Browser Modifier
- MoneyTree Dialer
- NCase Browser Modifier
- Twain Tech Adware
- IST.XXXToolbar Toolbar
- IST.SideFind Adware
- YourSiteBar Spyware
- TargetSaver Trojan Downloader
- Unclassified.Spyware.47
- WindUpdates.MediaAccess Adware
- Unclassified.Spyware.57
- AdDestroyer Adware
- IST.SlotchBar Toolbar
- IEPlugin Spyware
- Virtual Bouncer Adware
- 180search Assistant Adware
AdAware reports the following references:
- 180Solutions
- AdDestroyer
- DyFuCA
- istbar
- MediaMotor
- Possible Browser Hijack
- SahAgent
- SideFind
- WindUpdates
- VirtualBouncer
- YourSiteBar
Aimface.com - 12 Apr 2005
AimFace.com offers a large collection of buddy icons and away messages
for AOL Instant Messenger.
When visiting some of the icons' web pages
at aimface.com a download dialog will appear asking you to download
a file called "ChangeYourIcon.exe". Instead of immediately running this file,
I decide to look for some sort of description of what the ChangeYourIcon
program does. The name of the file and the web site indicate
that it will modify the icons in my AIM client, however I would not take it
for granted, so I scroll down the page looking for links named "EULA", "License", "Terms",
"Terms of Use", etc., something that would give more details about ChangeYourIcon.exe.
Since none of these links appear, I hope that the ChangeYourIcon.exe file will launch a
standard install wizard that gives me more details about the functionality.
Unfortunately, the installation starts immediately without showing any additional information
and adds a large number
of software components to my system,
failing to show any end user license agreements,
failing to show a general description of the bundled software,
even failing to inform the user that additional software will be installed.
There is a video captured during the install process
where you can study the installation procedure in more detail.
I wanted to show the "Add/Remove Programs" list,
but it had become inaccessible after the bundled
software was installed, so
there is also another video captured after restarting the machine,
where the "Add/Remove Programs" list is displayed showing some of the bundled software products.
The following software was installed, identified
by the names in the "Add/Remove Programs" dialog:
"Ad Destroyer",
"Internet Optimizer",
"ISTSvc",
"Media Access",
"Media-motor",
"OfferAgent",
"ShopAtHomeSelect Cash Back",
"SideFind",
"Uninstall 180search Assistant",
"Virtual Bouncer" and
"YourSiteBar".
A scan with Adaware reports 397 critical objects,
summarized as:
- 180Solutions
- AdDestroyer
- CoolWebSearch
- DyFuCA
- istbar
- MediaMotor
- Possible Browser Hijack attempt
- SahAgent
- SideFind
- WindUpdates
- VirtualBouncer
- VX2
- YourSiteBar
Microsoft Antispyware reports
the following threats:
- ShopAtHome Spyware
- Xrenoder Browser Plug-in
- WindUpdates Browser Plug-in
- AproposMedia Browser Modifier
- Transponder.DLMax Spyware
- CoolWebSearch Browser Modifier
- AvenueMedia.DyFuCA Browser Plug-in
- IST.ISTbar Browser Modifier
- MoneyTree Dialer
- NCase Browser Modifier
- Roings Search Browser Modifier
- Twain Tech Adware
- VX2.ABetterInternet Adware
- IST.XXXToolbar Toolbar
- IST.SideFind Adware
- MediaMotor Trojan Downloader
- YourSiteBar Spyware
- Popuppers Trojan Downloader
- Virtumondo Adware
- Transponder.ABetterInternet.Ceres Spyware
- iSearch.DesktopSearch Spyware
- Unclassified.Spyware.47
- Transponder.Pynix Spyware
- WindUpdates.MediaAccess Adware
- Network1.Popups Adware
- Unclassified.Spyware.57
- AdDestroyer Adware
- IST.SlotchBar Toolbar
- EUniverse Updater Browser Modifier
- IEPlugin Spyware
- IST.PowerScan Adware
- Transponder.Farmmext Adware
- OfferAgent Adware
- Virtual Bouncer Adware
- 180search Assistant Adware
Other observations from the videos:
1) Inaccessible "Add/Remove programs" dialog.
2) Processes with names such as ytaxgwck.exe,
IconPop-aimface.., VT09.exe, ysbinstall_1000029.., AdStatServInstPa.., AdStatServ.exe,
AdStatKeep.exe, fCgeEjb.exe, ffInst.exe, istsvc.exe, TargetSoftSetup.., NCASEP~1.exe,
SixtyPopSix.exe, ctdib.exe, thin-143-1-x-x.exe, salm.exe, optimize.exe,
BUNDLE~1.exe, ADDEST~1.exe, VBOUNC~1.exe, SAHAGE~1.exe, offeragent.exe, farmmext.exe,
Polall1p.exe, MEDIAA~1.exe, MediaAccess.exe, MediaAccK.exe, calc.exe, switpa.exe,
thnall1p.exe, desktop.exe, packager.exe, spike.exe, etc.
3) New browser window opened displaying http://www.ysbweb.com/install/welcome.html.
4) Popups from http://www.loadingwebsite.com/normal/sweden.html and
http://www.loadingwebsite.com/normal/yyy23.html. No information given
how to prevent further pop-ups.
5) Pop-up dialogs from Virtual Bouncer stating that it found a security hole in the system.
6) Pop-ups labeled "sixty six".
7) DOS prompt running %WinDir%\isrvs\edmond.exe.
8) Browser redirect to http://help.internet-optimizer.com/. No information easily available
how to prevent further browser redirections.
9) Claria/Gain dialog-shaped ads promoting "WebSecureAlert". Image loaded from dist.benlk.com.
10) New icons added to the desktop, named "Online Dating", "Cheap Holiday Travel", "Free Online Music",
"Virus Hunter Security" and "Spyware Avenger". Virus Hunter
and Spyware Avenger are owned by iDownload. More information available at
http://www.idownload.com/products/.
11) New programs called "Desktop Search", "Ad Destroyer", "Virtual Bouncer" and "pop64" listed
in the Task Manager's program list.
12) Pop-up from http://j.2004cms.com/HTM/406/1/JavaSiteRequest.asp, promoting Tradera.com,
a well-known auction site for Swedish users. No information given on how to prevent
further pop-ups.
13) A pop-up window opened, triggered by a Google search for "Adware". The pop-up first opens
http://64.192.130.141/cgi-bin/KeywordV2?query=adware, which redirects the web browser to
finally end up at mamma.com. No information on how to prevent further pop-ups is
available at 64.192.130.141 or mamma.com.
Observations from aimface.com's web site:
1) When viewing the first video you can see a link called "uninstall" at the bottom
of the aimface.com web page, which, if clicked,
gives an indication that additional software is bundled with some of aimface.com's
products. The uninstall page says:
"1) From the Start menu, choose Control Panel (may be listed under Settings)
2) Then choose Add/Remove Programs
3) Select the following items and click Change/Remove Programs and follow the onscreen instructions:
- ShopAtHomeSelect Agent
- 180search Assistant
- Bullseye Network
- WebSearch Tools
- WinTools
- WebSearch Toolbar
- e2giveSoftware
- Surf Sidekick
4) Once those items have been removed, please visit the following link to finish the uninstallation: http://www.ysbweb.com/uninstall.html
5) All items should be successfully uninstalled."
However, the list above does not appear to match the programs that actually appear
in the "Add/Remove programs" list as shown in the video captured after restarting the machine.
2) By using a search engine you will find an end user license agreement
located at http://www.aimface.com/eula.php, which mentions the following companies:
CDT Inc., Blazefind, Inc, Integrated Search Technologies INC, Media-Motor INC
and links to the following licenses:
http://eula.winadclient.com/4/ (Media Access),
http://www.blazefind.com/license.html,
http://www.ysbweb.com/terms.html (YourSiteBar) and
http://www.media-motor.com/terms.html (Joystick search enhancement).
These licenses above link to
http://www.180searchassistant.com/eula.aspx (180 search assistant),
http://www.internet-optimizer.com/legal/EULA/ (Internet Optimizer),
http://www.shopathomeselect.com/TermsAndConditions.asp,
http://www.websearch.com/legal/terms.aspx (IBIS WebSearch Toolbar, Win-Tools Easy Installer),
http://www.exactadvertising.com/product_eulas/Be.html (BullsEye Network),
http://www.shopathomeselect.com/TermsAndConditions.asp,
http://www.contextplus.com/license.html (ContextPlus),
http://www.dealhelper.com/agreement/terms2.html,
http://www.slotchbar.com/180solutions_terms.html (180 search assistant),
http://www.targetsaver.com/eula.html
ABC Scrabble - 17 Jan 2005
ABC Scrabble, published by 2M Games, bundled a large number of software products. The
video
starts with the viewing of the ABC Scrabble license, which at the end says:
"WARNING. This software is supported by third party ads. By accepting this
agreement you agree that one or more ads bundle will be installed along with this software."
The license does not mention the name of the "ads bundles", the name
of the vendors, what functionality the bundles offer or where the
End User License Agreements are located.
The following software was installed along with ABC Scrabble, identified
by the names in the "Add/Remove Programs" dialog:
"Active Alert",
"ATP", "Internet Optimizer",
"ISTsvc",
"NavExcel Search Toolbar",
"NavHelper",
"ShopAtHomeSelect Agent",
"SideFind",
"SlotchBar",
"The BullsEye Network",
"Uninstall 180searchAssistant" and
"WSEM Update".
AdAware detected 371 critical
objects summarised as: "180Solutions", "BargainBuddy",
"DyFuCA", "FavoriteMan", "istbar", "NavExcel", "NetPal", "Possible Browser Hijack attempt",
"PowerScan",
"SahAgent" and "SideFind".
Other observations from the video:
1) it is not possible to contact any web site with Internet Explorer,
2) Internet Explorer appears to have become unstable and crashed,
3) PowerScan does not have an entry in the "Add/Remove Programs" list,
4) the new toolbars contact resultdigger.com and slotch.com,
5) 180search Assistant's uninstall process does not work,
6) you have to read carefully when uninstalling The BullsEye Network when the
"Do you want to discontinue the uninstall process?" question appears,
7) browser redirection to trustedsearch.com, etc.
Note: The date given in the headlines above refers to the date when the videos
were captured, not when they were published.