Mark's Sysinternals Blog

Tuesday, January 03, 2006

The Antispyware Conspiracy

Since the release of the first antivirus products many people have believed in a conspiracy theory where antivirus companies generate their own market by paying virus writers to develop and release viruses. I don’t subscribe to that theory and trust the major security vendors, but recent trends show that there’s a fuzzy line between second-tier antispyware vendors and the malware they clean.

The most innocuous of malware-like antimalware behaviors is to advertise with web site banners and popups that mislead average users into thinking that they have a malware problem. Most of the advertisements look like Windows error dialogs complete with Yes and No buttons, and although the word “advertisement” sometimes appears on the dialog background, the notice is usually small, faded and far from the area where users focus their attention. Even more unlike Windows dialogs, however, is the fact that clicking anywhere on the image, even the part that looks like a No button, results in the browser following the underlying link to the target page. Here’s an example I ran across recently on a popular web site:

A click on the image took me to a page at www.myspwarecleaner.com. The page looks like an Internet Explorer error message, again probably to mislead unsophisticated surfers into following its directions, and it guides visitors to download and install an antispyware utility called Spyware Cleaner:

Even on a freshly installed copy of Windows XP, Spyware Cleaner reports close to a dozen “extreme risk” and “high risk” infections that include innocuous items like cookies left by MSN.com and several built-in Windows COM components, including RDSHost.exe, the Remote Desktop Service control, and Shdocvw.dll, a Windows shell COM object, both of which Spyware Cleaner identifies as spyware. It also lists each COM component twice, reporting their presence in HKLM\Software\Classes as well as HKCR, which for those objects is a symbolic link to HKLM\Software\Classes.

Of course, to remove the “infections” a user has to pay to register the software. Who makes Spyware Cleaner? You won’t find out on the Myspywarecleaner web site, which consists of only a handful of pages like the download page, a FAQ page, and one for affiliates. A Whois lookup of the domain name shows that it belongs to Gary Preston of Secure Computer LLC. The only reference I found on the web to the owner or his company was a thread at CastleCops from June of 2004 that complains of one of their tools falsely identifying systems as being infected with the Sasser worm.

A few days later I ran into the same banner on another site, one for Windows systems administrators that would be embarrassed if revealed, and clicked again. This time I was taken to www.spywarestormer.com. I downloaded their spyware cleaner, ran it on a the same clean Windows XP install, and it reported 7 different "infections":

Once again, the infections were false positives. One group was the Registry keys associated with Windows Internet Configuration Wizard, which Spyware Stormer reported as the "Surfairy" spyware package, and the other related to COM objects involved with the per-user configuration of Explorer that the tool labelled as "WinAD" adware. The Whois report for spywarestorm.com lists it has beeing registred by Domains by Proxy, Inc. through GoDaddy.com, so whoever is behind Spyware Stormer apparently wants to remain anonymous.

The user interfaces of both these antispyware tools look the same, but with different skins and icons, which leads me to believe that Myspywarecleaner and Spyware Storm are licensing core "antispyware" technology from someone else. It looks like the unscrupulous antispyware vendors are part of a ring.

Unfortunately, sleazy antispyware vendors aren’t just stopping with misleading banners and false infection reports. Either they, or partners that have a vested interest in sales of their products, are actually infecting machines so that users are essentially blackmailed into purchasing.

The most trafficked threads on the Sysinternals forums are ones related to an infection dubbed “Spyaxe.” It gets its name because it continuously pops up tray balloons informing users that their systems are infected. Clicking on a balloon opens the Spyaxe web site. Spyaxe of course denies any connection with the underhanded advertising, but it’s hard to believe someone would promote Spyaxe this way without some financial incentive.

SpySheriff is another antispyware vendor promoted in the same way as Spyaxe . About a week ago someone sent me a link to a web page, that if visited using a version of Internet Explorer that hasn’t been patched with December’s security updates, slams the system with deluge of malware (several sites download the same malware package using the recently discovered WMF vulnerability). After the infection is complete, which is so extensive it takes close to five minutes, a system is loaded with 8 viruses, 8 spyware packages and 7 adware products. Subsequent to the installation, Internet browsing is made virtually impossible by the constant popups and popovers and processes are constantly connecting to remote SMTP servers and web pages.

You can watch the initial infection process in a movie I made (the movie is only about three minutes long because I’ve deleted sequences with no visible change). Here’s a chronology of events:

0:00 The malware has started to download through a script visible in the script prompt dialog.
0:05 The first evidence of the infection appears as a grammatically-challenged tray icon and balloon announcing that Windows has detected that the computer is infected:

0:10 Internet Explorer crashes and exits, leaving visible the changed desktop background that also announces that the system is infected.
0:20 More evidence of infection shows up as items on the left side of the desktop.
0:30 I open Process Explorer, which is paused, perform a refresh and new processes show up in green. I navigate the mouse over the image names to reveal their image paths, most of which are under the \Windows directory. Later I refresh the display and the result is this:

Note that the malicious executables have some or all of the characteristics I described as common to malware in my Understanding and Fighting Malware TechEd presentation: they have no company name, description, are packed (shown as a purple highlight), and reside under the \Windows directory.

0:55 I highlight the fact that one of the malware processes, Paytime.exe, identifies itself as Explorer from Microsoft Corporation.
1:00 After unpausing Process Explorer purple highlighting appears on most of the malware processes.
1:10 I open the process properties for Paytime and click the Verify button to check it for a digital signature. Unlike most Microsoft images, it doesn’t have one:

1:20 The appearance and disappearance of new processes shows that the infection is still underway.
1:30 I open Autoruns and perform a scan with the Verify Signatures and Hide Signed Microsoft Entries options checked, which reveals a dozen different malware autostart items:

2:00 A click on the tray icon causes the installation of SpySheriff. It shows up as shortcut on the desktop and the CPU usage goes to 100% as it starts scanning the system in the background.
2:05 I double-click on the SpySheriff tray icon and its control panel opens.
2:10 SpySheriff begins to identify some of the many spyware and adware infections:

2:20 A Windows shutdown dialog box briefly appears and then disappears, followed by a crash and restart of Explorer.
2:30 Explorer processes its autostart entries during its re-launch, which direct it to execute one of the malware programs. A Windows security warning appears because the image has an Internet Zone alternate data stream attached to it that associates it with the Internet, an untrusted zone.
2:40 I click on the “Remove found threats” button and discover that I have to purchase the product:

Not surprisingly, the SpySheriff website reveals little about the company behind it. A Whois of the domain points to Popandopulos Ltd in Greece as the owner, but the associated email address is crystaljones@list.ru, which is a Russia-based domain. List.ru appears to be an ISP from its Whois information, so it’s doubtful that the Spysheriff domain registration is accurate.

Is the connection between the infestation and SpySheriff one simply created by a SpySheriff fan or is this evidence of an antispyware conspiracy? It’s hard to believe the former, and if it’s the latter then companies like Secure Computer LLC, which registered the myspywarecleaner.com domain in 2004, and Popandopulus Ltd, which registered spysheriff.com in May 2005, have been in business long enough to show that their business model is working – and that’s far too long. I know that at least one state Attorney General’s office is investigating the Spyaxe case and I hope that this blog post spurs more action. Misleading and outright malicious advertising for antispyware casts a shadow on the entire industry.

posted by Mark Russinovich @ 6:38 AM

Comments:

"Popandopulos" is _not_ a Greek name (I'm Greek, I should know what a Greek surname sounds like :) Most likely they were going for "Papadopoulos" or something like that.

Staying on the topic, I have already fixed 2 machines that were infected with these "so-called" anti-spyware (one computer had spy sherrif and the other spyaxe). Until I foud out about some uninstall utilities on the web, they both gave me a hard time (weird filenames like command.exe, svchost.dll (!!!), etc.)

I really hope they get the people involved behind these attrocities and make them pay for the time people are wasting uninstalling their crap.

# posted by George Nakos : 7:49 AM, January 03, 2006

Mike Healan posted a list of the top 10 most common rogue anti-spyware clients he's seen on his forums at www.spywareinfo.com in his most recent newsletter. Both SpySherrif and SpyAxe made the list. You can see the list here.

# posted by JR : 7:59 AM, January 03, 2006

Excellent article Mark.

Its amazing that these companies are still in operation. You would think this type of thing would be illegal. Kind of like a mechanic intentionally breaking your car so you use his 'repair' service.

# posted by Justin : 8:07 AM, January 03, 2006

The trojan downloader is pretty nasty in spy-sheriff.

I got hit by spy-sheriff twice... the time at work wasn't so bad... computer associates e-trust did a pretty good job... only 10 virus's and a locked desktop background that it couldn't fix.

My home computer has Norton Systemworks 2004. It failed miserably on Spysheriff. One of the virus's blocked the Norton LiveUpdate from executing, meaning I couldn't update my antivirus program. Then I tried installing other free Antivirus programs... and many of them would not install.

Although exe's wouldn't execute, many of the online scan's did.

That spy-sheriff infection was the nastiest thing I've ever seen. It spammed through Norton's email-proxy server. It added Browser Help Objects. It blocked anti-virus programs from updating and running. IE stopped functioning at some point. Network connection got shut down as well. Msconfig became infected.

There were hidden files in the windows and windows/system files... some of them not picked up by any AV company.... for instance... axxt32.dll, axxt32.sys, axxt64.dll... these files were hidden and would not appear using dir... but one file appeared in window explorer... very strange stuff. It kept re-adding itself to the registry, when I was removing in Spybot. Booting through the windows recovery console allowed me to delete them.

# posted by Rich : 8:28 AM, January 03, 2006

You're opening the door Mark... don't stop yor revelation!

# posted by Anonymous : 8:57 AM, January 03, 2006

I like your article, excel!

# posted by AName : 9:00 AM, January 03, 2006

It's a little off-topic I realize, but when you're writing a program/service for Windows, how do you specify the company name and description?

# posted by Anonymous : 9:06 AM, January 03, 2006

at least I am not the only one that thinks this way.
in a sense you can call this computer programmers turned con artists, why not.

# posted by Anonymous : 9:25 AM, January 03, 2006

I used to write a column online called Hoax du Jour, in which I explained and exposed what I coined "cyberban legends." I also wrote a bit about virus and Trojan topics, leaving much of it to Rob Rosenberger (vmyths.com). I gave up when the online trickle of misinformation became a deluge, and I neither could or wanted to keep up.

The advent of "false security products" and "system tune-up utilities" that entice users to install, report problems, then hold out the hat and make the sound of a cash register to do anything useful, irks me no end. The popups that fake Windows dialog boxes (must be amusing to Mac OS and Linux users) make me think, "fraud." They're trying to fool users using deceptive marketing. I wish the FTC would get involved.

Thank you for touching on this subject, Mark. After a week of catching up with Sony's Big Blunder of 2005 (a history-making event in computer fraud annals, surely) and the latest MS Windows vulnerability (%windir%\system32\shimgvw.dll), it's nice to see the online snake oil salesman taken to task.

# posted by David Spalding : 9:29 AM, January 03, 2006

I had to deal with a computer infected with "SpySherrif", but it was about 6 months ago, before the new vulnerabilities, so it's been around some time.

# posted by Toby : 10:16 AM, January 03, 2006

Spy-Sheriff is basically black-mail. Pay $30 or continue to get new virus's through a trojan-downloader. And there's no guarantee the program will work.

# posted by Anonymous : 10:23 AM, January 03, 2006

I have a question for you. Who is getting paid to install these trojans that popup adds? There has to be a way for the vendor to pay the person that has installed the trojans on these computers. I haven't heard of any stories of people backtracking who exactly is getting paid and holding them responsible. When this malware problem first started, I know that the software installation was sadly justified by someone clicking yes to the installation, but now they are simply using vulnerablities the install. Isn't that illegal?

# posted by Anonymous : 10:29 AM, January 03, 2006

Why is it amazing that these filthy companies are still in business? People are idiots, so they have a real niche to fulfill.

No, I'm not being hard on people. The "amazing" thing is that people see fit to devote energy to learning some new things, like how to drive, how to care for plants and pets, and other things--but when they get a PC, dammit, they want to be able to just sit their ass down and have everything be automatic, without learning a partition from a folder, or a menu from a malware.

# posted by Anonymous : 11:00 AM, January 03, 2006

Thanks for another great article. In their Dec. 28th blog, Websense has a link to a movie they made that shows an exploit using the wmf vulnerability to install one of these so called antispywares and of course, direct you to pay for it if you want to remove infections.

# posted by Anonymous : 11:00 AM, January 03, 2006

I really waste so much time for malware and viruses. There are still several in my registry, I don't know how to eliminate them at the moment. what you say makes me think of reformat, the only option I can choose now. I won't compliment again as I did in my previous post. Hope that won't make you unhappy.

# posted by AName : 11:52 AM, January 03, 2006

by the way, shdocvw.dll isn't just some obscure Windows COM object ... it's the main Internet Explorer dll! Anything that identifies *it* as spyware is a complete piece of crap.

# posted by Tim Hollebeek : 12:09 PM, January 03, 2006

I would note that this application has been on Eric Howes Rogue list and is also known under other names\variants: NoSpyX, SpyVest, Spyware Slayer, Spyware Stormer, Spyware Wizard, & X-Spyware.

And other domains as well:
checkforspyware.com/sc/
myspywarecleaner.com/sc/
spywarecleanerdownload2.com

And it's been listed for some time now, since 6-04

Here is Eric's page:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

# posted by TeMerc : 12:13 PM, January 03, 2006

None of the software I have here raise the positive flag of an identification over that dll if I am not mistaken.
And admittedly, the topic Mark chose to write about is very interesting to read...

# posted by Anonymous : 1:26 PM, January 03, 2006

Amazing. I got hit yesterday and since I was running as an Administrator on the machine, it ran in SYSTEM mode and disabled access to Task Manager. It was also a pain to remove (and I'm not even sure my computer is clean).

# posted by Anonymous : 2:00 PM, January 03, 2006

What are you guys doing to "get hit"? Seriously. I know malware is rampant these days, but I've been working with computers since 5 1/2" floppies were "awesome technology", and I've never been hit with anything. No spyware, no trojan, no ... nothing.

# posted by Anonymous : 7:09 PM, January 03, 2006

Yet another great article!

I will point out one ironic and amusing nit: in the phrase "The first evidence of the infection appears as a grammatically-challenged tray icon" you shouldn't hyphenate "gramatically-challenged." When using two words together as an adjective, only hyphenate if the first word is *not* an adverb. Since "gramatically" is an adverb, you shouldn't hyphenate that phrase.

# posted by Anonymous : 11:31 PM, January 03, 2006

Another excellent posting Mark. Your blog just keeps getting better and better.

# posted by Matt Davey : 3:22 AM, January 04, 2006

I found the same thing happening on my neices unpatched Win98SE box, about a year ago.

It gets to the stage where you can't do jack without surreptitious downloads choking your connection, often just trying to reload the same .exe.

At the time I just put it down to the OS being vulnerable to two years worth of accumulated exploits. But if this latest one uses the newer IE image bug, it sure shows an increasing level of malfeasance, if not sophistication.

Hate to gloat, but I've had Macs online for five years now, solid, without AV software. Apart from the ones I downloaded deliberately, I've never had a hit. Same with the Linux boxes.

Windows users should be fine if they switch to the latest Firefox for the time being, and use the built-in pop-up blocker.

I always wondered whether MS were turning a blind-eye to a lot of stuff, to run aground the backlog of old OEM-disks (not covered by some of the service packs), and create niche markets for other associated proprietary developers.

# posted by ruy_lopez : 6:26 AM, January 04, 2006

1/4/2006: I've updated the post to include my run in with Spyware Stormer.

# posted by Mark Russinovich : 6:36 AM, January 04, 2006

People::

If you don't know how to avoid the infection sources, it might be good idea to use either limited account or change the rights token for IE etc?

And update to Vista when it comes, the Windows Defender blocks even Microsofts own programs pretty nicely.

# posted by Anonymous : 7:15 AM, January 04, 2006

I think AV software should be made to "confront" the truth themselves to scan better and give more correct results of virus/spyware signatures rather than to contradicting themselves so much.

# posted by Anonymous : 10:47 AM, January 04, 2006

Mark, your help and information on this blog is useful.

# posted by Anonymous : 10:49 AM, January 04, 2006

Great way to avoid accidentally going to many of these sites is to use a hosts file or IE-SPYADS, all the apps mentioned here are in both databases.

New apps found are added almost immediately.

And Eric's list is a must check when you find any new supposed anti-spyware tools. And of course, never by security tools via email ads or Google links. Neither can be trusted.

# posted by TeMerc : 11:08 AM, January 04, 2006

One last thing I think is of importance and should be let known, that everything has been sincerely done, signatures are let seen, *backtracked*, *spotted*, etc. but antispyware writers ignored several facts, even asked us to pay for registrar code or even gave us so many fake reports after scanning.

# posted by Anonymous : 11:08 AM, January 04, 2006

Spywarestormer.com is run by Casale Media.

You can see their web page here:

http://www.casalemedia.com

See here:

http://www.webhelper4u.com/scams/spywarestromer.html

-John

# posted by Anonymous : 2:20 PM, January 04, 2006

Mark, I like your article very much. What is your opinion on a program like Deep Freeze? Trying to help family and friends with their spyware problems I almost fell like I need to do something like deep freeze.

# posted by Aron Pedersen : 2:35 PM, January 04, 2006

Absolutely fantastic, Mark!

Just as your investigation into Sony BMG has hit the headlines and forced change (congrats on the class action result btw), I'm sure this will too, so I'll look forward to watching politicians sit up and take notice at last - it's about time internet scammers & spyware was tackled properly.

Well done! Keep up the great work! :)

# posted by Marcus : 4:21 PM, January 04, 2006

The FTC is very interested in scam anti-spyware claims. They have prosecuted two cases so far to my knowledge. You should lodge a complaint at https://rn.ftc.gov/pls/dod/wsolcq$.startup?Z_ORG_CODE=PU01

Believe me. The FTC would love to help crack down on these guys. Just one hitch. If the scammers are off shore the FTC has very little jurisdiction.

# posted by Stiennon : 5:41 PM, January 04, 2006

Fascinating!

Unfortunately I opened the video with Windows Media Player and I think I got infected ; )

# posted by Anonymous : 8:01 PM, January 04, 2006

Mail.ru is a free email service, where you can choose to use list.ru.

# posted by Anonymous : 8:39 PM, January 04, 2006

Mark,

These spyware popups appear when using Firefox with CentOS, Linux. They do fail if you try to do a scan. :) Love the Sysinternals site for MS info.

# posted by Jerry Hubbard : 9:54 PM, January 04, 2006

Excellent Mark

I had a lot of trouble with a "spy axe" contamination.
By the way, about the "conspiracy", I truly beleive tha most security companies that publish their findings about windows fails before a patch is applied are actually helping those virus makers...
Best regards

Tuty

# posted by Tuty : 3:47 AM, January 05, 2006

The look and feel of the above spyware removers share a resemblance with Spybot S&D. I can't say how good (or bad) Spybot is with false positives (perhaps someone with better registry nous than I, can test), but at least, from memory, I don't think Spybot charges the user to remove the offending hits. Regardless, the blurring of the lines between bona fide spyware removers and infiltraters is getting well beyond most end-users ability to differentiate.

# posted by ruy_lopez : 4:42 AM, January 05, 2006

Same thing happened to one of my laptops with SpyAxe and I ended up wasting hours trying to resolve the 'problem'.

# posted by Anonymous : 5:56 AM, January 05, 2006

Tuty said:

By the way, about the "conspiracy", I truly beleive tha[t] most security companies that publish their findings about windows fails before a patch is applied are actually helping those virus makers...

Ordinarily I'd agree, but with MS's sluggish response to this latest bug, you have to wonder, weren't there serious exploits out there in the wild, if MS would even bother to patch it at all.

Usually security firms give the proprietors good notice before going public. Remember with XCP there was a security firm sitting on the problem when Mark broke the news. Then, after the fact, they released their findings, only to be flamed for stealing Mark's thunder.

Untimely patching once an exploit is known is a greater threat to our security, than the timely publication of emerging threats. It seems some vendors need shocked into action.

# posted by ruy_lopez : 8:03 AM, January 05, 2006

This spy sheriff crap was really a headacke to remove. It drove me mad to a point that I was about to throw the computer out of the window. Then finally I discoverd a way to get rid of it by resetting the system to an earlier date (unfortunately had not added too much between that date and the date spy sheriff infected my computer). Is there a way we can make these people pay or bring them to court???

# posted by Anonymous : 9:59 AM, January 05, 2006

I'd point out that SpyAxe has been doing these types of installs long before the latest WMF exploit was exposed, so it's not news. And they are not the only ones using similar tactics. These rogues target users who do not have their OS properly patched up and one cannot blame MS for that. If users were more diligent in keeping things updated, and having some minimal security peripherals, they would not get infected.

# posted by TeMerc : 10:03 AM, January 05, 2006

The theif has snapped up in CCTV. Now lets see how the "long" (sic) arm of the law catches up with them

# posted by The Prince Of Lightning : 10:17 AM, January 05, 2006

Mark,

Thanks for the good work. My daughter trying to be helpful ended up loading SpySheriff and the next three days were spent to getting the infection off my machine. The final agrivating point was getting my hijacked desktop back. Registry was pointing to an active desktop page that continued to reinfect the machine.

# posted by bill : 12:01 PM, January 05, 2006

On a related note, did anyone see this earileir today:
http://blogs.washingtonpost.com/securityfix/2006/01/fake_antispywar.html

I guess they'll get them sooner or later.

# posted by TeMerc : 6:40 PM, January 05, 2006

Great post. This post will be somewhat circular as Brian Krebs of the Washington Post is referencing this site. Mr. Krebs reports:
---------------------------------------
Brian Krebs on Computer Security
Fake Anti-Spyware Makers Settle Fraud Charges
Two supposed anti-spyware companies that used misleading ads to frighten consumers into purchasing software to eliminate non-existent threats have settled deceptive trade practice charges brought by the Federal Trade Commission (FTC).
The civil lawsuits targeted the makers of the "SpywareAssassin" and "Spykiller" software titles. According to the FTC's complaint, Spyware Assassin and its many "affiliate" marketers used Web sites and e-mail, banner and pop-up ads to drive users to its site, which offered free spyware scans.
The scans invariably told consumers their computers were infested with spyware, whether they actually were or not. Consumers who freaked out and paid the $30 for the software were no better off after having done so, the FTC said, because the "protection" software was a worthless pile of garbage.
SpyKiller went a step further, the FTC said, by using banner ads and pop-ups to tell consumers their machines had been remotely scanned and that spyware had been detected. Again, frightened users who fell for the ruse and paid $40 for the software got sold a bill of goods, the FTC said.
The FTC also accused SpyKiller of sending junk e-mail ads using bogus "From:" addresses without providing a postal address or giving recipients a way to refuse future mailings, all violations of the CAN-SPAM Act.
It is not at all uncommon for the makers of these types of what I call "scareware" to produce multiple products that all use the same "engine" (for want of a better word) but are branded and marketed separately. A great place for finding everything you ever wanted to know and more about how these different products are related can be found over at SpywareWarrior.com.
In the case of Spykiller, for example, we can see that it is essentially the same product as Adware Filter, AdwareX and Adware Safe, all of which SpywareWarrior warns produce scans that "are almost worthless information-wise."
Under the terms of the settlement, both companies will be required to cough up all profits from scareware sold, which the FTC said amounted to about $2 million. One set of defendants will be barred from selling or marketing any anti-spyware product or service in the future.
For anyone interested in reading more about the brazenness of the scareware industry (with some nice pictures to boot) check out the most recent post over at Mark Russinovich's Sysinternals blog.
I've said it before but it bears repeating: Do your research before you buy (much less install) any software title, especially those that claim to affect some level of security on your computer.

http://blogs.washingtonpost.com/securityfix/2006/01/fake_antispywar.html

# posted by srynas : 7:19 PM, January 05, 2006

I have also seen a different vid with a "anti spyware" program called winhound (funny that it had a pic of a cat like species) Seems like a really nasty one. MS has a fix now tho!

# posted by Quasar : 8:41 PM, January 05, 2006

I use both Spybot and Adaware and they keep my computer runing pretty. As for some of you who help your less computer savy relitives and friends out, considering buying Deep Freeze for them.

I've seen Deep Freeze in use at the college I go to. You can just infect the heck out of those computers like there's no tomorrow until they crash. Shut the thing down and restart, and you got a clean installation again. They also run in a limited user account to also help prevent infection.

# posted by Anonymous : 10:59 PM, January 05, 2006

I just wanted to say that your guys' stuff on this sysinternals webpage has been the most valuable peices of software and information I have ever had the pleasure of reading/using.
I worked support for a rather large Bank in the U.S. from 03-05 (yes scary to think that these machines might have such malware on them...) and I was plagued with massive amount of spyware on these machines, mostly laptops.
It's because of the very same tools you used in this last blog presentation here that I was able to clean up these machines and ultimately help the user save what they needed before those machines were sent off to reimage (the only sure fire way to ensure the machine is clean).
Your tools are amazing and the investigation techniques one can utilize with these tools to see how a system has been affected are second to none. Things that even the "leading" or "real" anti spyware programs can't fix, one can, with the use of these tools.
This article is absolutely great and I thank you and hope this article does open a few more eyes at this plague we (as users and/or support folks) have been dealing with in masses for the passed few years.
Another killer blog - kudos on the Sony one as well.

# posted by jonofezz at gmail : 12:25 AM, January 06, 2006

My sister's XP laptop, when online, kept giving messages about needing to download and install similar supposedly anti-spyware packages. However, this was not (yet) due to an infection, even though (from memory) the messages claimed the machine was infected.

It seems this version of Windows has an option (enabled by default) to notify users of updates from MS. However, this feature allows/allowed anyone to pretend to be MS, and broadcast bogus messages to all similar XP machines that happen to be online.

Thus it is extremely easy for the average user to get fooled into downloading one of these bogus anti-spyware packages. Fortunately, I was present at the time and suspicious enough to Google the pop-up message and find out what was really going on. Then it was simply a matter of disabling this (utterly insecure) "update notification" feature ...

# posted by Anonymous : 1:27 AM, January 06, 2006

Anonymous said:

"Thus it is extremely easy for the average user to get fooled into downloading one of these bogus anti-spyware packages. Fortunately, I was present at the time and suspicious enough to Google the pop-up message and find out what was really going on. Then it was simply a matter of disabling this (utterly insecure) "update notification" feature ..."

This was probably related to the Messenger service which is unrelated to the Windows Update service.

Along with Adaware and Spybot I have found Mark's utilities RootkitRevealer, Auotruns, and Process Explorer extremely valuable for cleaning spyware. Besides using to tools above, another technique that helps me a lot is to clean out temporary internet files and then search the whole hard drive for files base on creation date for the last day, week, or month based on how far back you feel the invection stated.

# posted by Anonymous : 8:52 AM, January 06, 2006

Simple: get a Mac! now it may well be that it is not the Mac itself that makes the machine free of bad stuff but rather than small percentage of sales that makes hacker decide that Mac not worth attacking. In either case, you have done away with the problem. I use PC and have the same machine for some 6 years, using it a lot throughout the day. A few decent pieces of software, some free, clean up or prevent junk getting onto my machine. I cleanse often to root out junk if there.

# posted by Anonymous : 9:20 AM, January 06, 2006

woooooow this is utterly amazing. I've had to deal with removing spyware from dozens of computers at work, but never was I there to see it get infected in the first place. Kudos, I'm sending this onto others.

# posted by KumikoDee : 12:51 PM, January 06, 2006

Recently I got a computer virus that disabled my virus updater. I was able to get around it by using XP's System Restore, and restored my system to a time before the infection. Can't you do the same when infected with bogus anti-spyware?

Also, the free Lavasoft anti-spyware program seems to work well.

# posted by Anonymous : 12:55 PM, January 06, 2006

Some interested programer should get involved with this fake spyware problem, and write a program that would install through these phoney companys credit card page and infect their machine. That would be justice!

# posted by walt : 1:56 PM, January 06, 2006

Sysadmins: you will look bad in the eyes of the employees if this stuff happens. Here are some tips:

1) Limited or Restricted-User accounts will prevent stuff being installed, at least to the \Program Files directory. Stuff will have a hard time putting down deep roots from a Limited/RU platform. It could put itself in the user's profile and the user's Startup menu, and be a nuisance, but installing system services should be out of its reach.

2) On WinXP Professional Edition, consider using Software Restriction Policy to ensure the .exe can't even be RUN from anywhere that the Limited/Restricted-User account can save it to. Quick demo movie of setting SRP locally: http://www.omnicast.net/~tmcfadden/srp1.wmv

3) Use a current-generation antivirus software and FULLY configure it. Oftentimes the optional spyware/adware detections are NOT turned on by default.

4) Admins who happen to have McAfee VirusScan Enterprise 8.0i can make behavior-blocking rules that have a similar effect to Software Restriction Policy, I wrote some about that here if it helps anyone: http://www.antisource.com/forums/viewtopic.php?t=131 This test was aimed more at the WMF Exploit but the rulesets I discussed there would also stop people running .EXEs from their profile, keeping SpyAxe/et al from alarming your employees with the alleged EXTREME DANGER of the systems they trust you to keep safe. I intend to keep those rulesets for the long haul, after two of our employees were alarmed by the MySpywareCleaner banners (one of them downloaded and tried to run it, the other quarantined her computer and called me).

Hope that helps someone :) Home users, I made a page with Limited-account information here, and if you have WinXP Professional then do consider Software Restriction Policy too: http://www.mechbgon.com/build/Limited.html

# posted by Anonymous : 4:25 PM, January 06, 2006

hi guys dunno how far this will help but have the problem with spyware sherriff on another pc - (btw really need some help to remove it) - but after a bit of searching, i've found out that apparently it downloads the extra junk onto your pc using Win32.TrojanDownloader.Small.awa
and will continue to download more unless that is properly removed - so that is what i'm off to try now

I found this info from http://www.lavasoftresearch.com/spywareno1.shtml

also is this any use? http://www.spyware-removal-guideline.com/spysheriff-removal

# posted by matt : 5:31 PM, January 06, 2006

I've always been curious how much of this problem can be attributed to "rogue affiliates" who get a commission for each product they sell. . .
Since we often see the same "infection" delivering multiple bogus anti-spy apps one after another, is it a case of the app staying the same and just changing its name? Or, is it a case of the affiliate moving on to pushing a new bogus product (using the same Trojan type delivery system) after the previous one has gotten too much noteriety for them to make any more extorted sales?

# posted by PP : 5:46 PM, January 06, 2006

I got almost exactly the same behaviour, but the program was called spywarestrike.exe. It seems you are write, someone is distributing the core malware to different vendors.

# posted by Anonymous : 11:36 PM, January 06, 2006

Spyaxe has cost me many hours and a new virus protection software to correct. I wish something would be done to stop this kind of stuff. Spyaxe and other programs like it are nothing more than an attempt to commit theft and should be delt with as such.

# posted by Anonymous : 7:32 AM, January 07, 2006

It seems to me there is pretty good awareness of the spyware problem in the IT professional and IT enthusiast communities.

It isn't enough that one state attorney general is investigating spyaxe.

We need to help investigators and by creating awareness in the law enforcement community, the management of the law enforcement community of the size of the problem.

We need to do this to have this issue made a high priority that has adequate resources assigned to it.

And we need to provide law enforcements with enough reports that they can persuade judges to hand out sentences appropirate to the trouble these spyware companies have caused people, and the (private, corporate and national) security exposures these spyware companies have caused to us.

So getting to my first point, we should be encouraging everyone who is infected to take the 5 minutes to have their infection officially counted by visiting either:

1. For commercial malware (including anti-malware tools that lie (commit fraud) to get installed), the FTC here: https://rn.ftc.gov/pls/dod/wsolcq$.startup?Z_ORG_CODE=PU01
(https://rn.ftc.gov/pls/dod/
wsolcq$.startup?
Z_ORG_CODE=PU01)

2. For other malware (viruses, worms, keystroke loggers), the DHS via US-CERT here:
https://forms.us-cert.gov/report/

And of course don't report tracking cookies.

Which brings me to my second point.

I suspect we are going to shortly see that the fact that certain widely accepted anti-malware companies have been calling ordinary tracking cookies "critical threats" for years is going to be a problem prosecutors have to overcome.

I believe this will be a problem because since we have tacitly accepted that definition (i.e. been aware of the definition and quietly accepted it), then an illegtimate anti-malware vendor can use that definition in their defense, as an accepted technical definition.

I think that because of this definition of relatively harmless non-executable files, illegitimate anti-malware vendors may be able to successfully persuade judges that any computer with tracking cookies is widely accepted by the industry as being infected with what the industry already defined as a critical threat.

In other words, the crooked anti-malware vendor may say, "I got the infection wrong, but the computer really was infected with critical threats."

So probably we should ask legitimate anti-malware vendors to stop calling ordinary tracking cookies "critical threats".

# posted by Keith2468fromDSLR : 11:30 AM, January 07, 2006

Q: can all this crap happen if one is running as a Limited User??

My daughter is in an online charter school and the school issues computers to kids which are horribly insecure. They setup Admin accounts for the kids. IE's internet zone is wide open so as not to interfere with Active-X laden sites they contract with for various lessons. I think it is all about minimizing support issues where security might get in the way of their legitimate stuff. They even put some sort of rule into play that *BLOCKED* installation of Mozilla/Firefox. Apparently, it was too trouble to take support calls where the "fix" was to say "Use IE with our sites." Oooooh, that's soooo harrrd! I can't help but believe that a large segment of this school's students PC are part of the zombie army.

I had my daughter's machine pretty tight. Limited user, school sites in Trusted zone and Internet zone more restricted. I got them to let me install FF and trained her to
use it to browse non-school sites. It is going back for repairs and will most likely be re-imaged. It will be interesting to see what they are doing these days. Based on phone conversations, I'm probalby going to have a lot of work to do again.

These guys are IMHO reckless and I intend to write to the school admistrators on this subject. I would like to know what sort of stuff running as a Limited User does and doesn't protect against...

Thanks for your great work on revealing the Sony caper. I intend to drive the point home by sending Sony a copy of the receipt for the Samsung DVD player/VCR I got us this Christmas which would have almost certainly been a Sony had they not trashed their reputation.

# posted by Anonymous : 12:23 PM, January 07, 2006

Sadly, the FTC will have no way of getting the gangsters who push things like SpywareStrike, or SpyAxe, because most of them are hosted on offshore countries and out of thier jurisdiction.

For the morons the likes of which the FTC did nab, it bodes well for those who decide to try this type of thing and are based on US ground.

# posted by TeMerc : 12:24 PM, January 07, 2006

>>Q: can all this crap happen if one is running as a Limited User??<<

I just attempted to install several SpyAxe-alike programs from a Limited account. Nothing doing. Windows' auditing showed that the attempts to create new directories in C:\Program Files failed (no surprise).

I tried installing one to the Limited account's own My Documents directory, and the install ran, but it put up an error box asking for the program to be run once from an Administrator account so it could register. As in, so it could install services and stuff.

Pic: http://www.mechbgon.com/misc/scareware_failure.gif

If the system is a WinXP Professional Edition one, then you can also enable Software Restriction Policy if you want to prevent the .EXEs from even running from the user's profile in the first place, successfully or otherwise.

# posted by mechBgon : 10:15 PM, January 07, 2006

There is a removal guide for spywarestrike here:

How To Remove SpywareStrike And Netwrap.dll

# posted by Flaxen : 11:27 PM, January 07, 2006

Mark, could you please tell me what you used to make the video recording of your desktop? I could do with something like that.

Thanks for another great blog.

# posted by Elwood Herring : 5:03 AM, January 08, 2006

I made the movie with VMWare 5.5's built-in movie recorder.

# posted by Mark Russinovich : 6:37 AM, January 08, 2006

Several posts in this thread remind me of the news by Sun about "dead man with loudspeakers in the restroom". :-D ;-)

# posted by Anonymous : 11:09 AM, January 08, 2006

Mark, you should take some days off, spend more time with relatives, chill out with friends around more. Don't keep yourself busy or it's hard to look things 'through'.

# posted by Anonymous : 12:27 PM, January 08, 2006

I have just spent a day getting the "spyaxe" out of my computer, your comment that this company is being looked into in the US is good news they should be put out of business, it is fraud

# posted by david coe : 12:46 PM, January 09, 2006

I have yet to try an antispyware program for the first time that does not find some kid of malware - and that includes the legitimate companies. The trouble is that almost every detection is a false positive, which is almost as bad as the real thing, because of the time it takes to investigate. I seems to recall that in the USA many years ago insurance companies were castigated for running "scare" ads....this is no different.

# posted by caught : 6:11 PM, January 09, 2006

I got hit with Spysheriff right after Xmas. The infection was as miserable Mark described. I took the cpu in to a tech who got most of the crap off, but there was still some residual garbage on it; frozen desktop etc. Except for the desktop, most evrything was running OK. However, after messing around with scans etc. I decided to go the reformatt route and reinstall Windows. In the aftermath, I discovered that Norton's Live Updates was disabled by the infection. My advice;get the most recent Windows Updates, make your AV is operational, and consider a reputatble anti-spyware program. Most of all, be careful of the websires that you surf, there are nasties out there!!!

# posted by Anonymous : 7:32 PM, January 09, 2006

I too had been infected by spy sherrif. It was the worst infection ever. And it had nothing to do with being stupid or uninformed, as one commenter has suggested. (I am a software engineering student). It was simply a malicous website, and there was nothing I could do that would have helped me, as I did not click anything. I had to do a clean reinstall of windows after performing a zero-fill format.

# posted by Anonymous : 11:12 AM, January 10, 2006

I believe that the people who have given the world such programming gems as SpyAxe and SystemWarning should be treated with compassion when they are finally brought to justice.

My definition of "compassion" includes the following:

* Burial in sand, honey, and plenty of fire ants.
* Hanging by thumbs.
* Hot coals, pokers, and the removal of fingernails.
* Electrical stimulus of the genitals.
* A bath of beef broth in the presence of some very hungry pit bulls.
* Bullets, but only to graze and maim.

Survivors should be prosecuted, tortured, and jailed with a number of hardened criminals who are told they are pedophiles. Upon release from prison, they should treated to the following < g >:

* Visits by a number of insurance salesmen who are members of a religous cult.
* A savings of 15% on their car insurance.
* A free Lexmark printer.
* Permanent assignment of AT&T as their long distance carrier.
* Hemorroids
* Calls from politicians and pollsters, who are exempted by law from the "Do Not Call" list.

If they can survive all of that they should be punished severely.

Thanks for a terrific blog!

# posted by Bob : 2:21 PM, January 10, 2006

Great article. Alot of people have mentioned that it's very hard to remove these savage spyware these infections. I've come across a few of them in recent months and have helped users remove them. For users with XP I don't bother trying to remove spyware at all, I simply rely on the XP system restore function to roll back to a previous date (usually the day before). Works a charm every time.

# posted by Ben Christian : 11:15 PM, January 10, 2006

Great article Mark! Very informative and it is true removal is a pain! My pc got infected too. I had lots of help at geekstogo.com and the tech there was able to help me resolve my problem within the same day. Afterwards, I became more aware of the dangers online and the extra measures I had to take to be safer. More power to you!

# posted by bzseal : 10:10 AM, January 11, 2006

If you aren't aware of it, there is a website dedicated to exposing bad companies. Please, if you have been taken by these anti-spyware companies and had your computer ruined, file your RipOffReport NOW!

The following is information about http://www.ripoffreport.com from 'the man himself', so you understand it better if you haven't paid the site a visit yet.
-------
Now or in the future, if your ever the victim of a Rip-off, ... here is what we tell consumers.....So we can better understand the situation to possibly try to help you...

If you’ve been the victim of a Rip-off, you should first file your own detailed Rip-of Report. Your report will be looked at by other consumers interested with your situation may post informative information on your Rip-off Report, so you and others may benefit by the rip-off you experienced..

The more Rip-off Reports on a company, the more educated other consumers will be when dealing with the reported company or individual. This will also help create a better working history on the company or individual that Ripped you off and give us the information needed if a lawsuit is filed.

Go to www.ripoffreport.com to file your Report. Those interested in joining a possible class action lawsuit should first file a detailed Rip-off Report; ..using your contact information, Rip-off Report Consumer Advocates will e-mail you once there are attorneys interested in working on a class action lawsuit against this company or individual, never costing you any money, or a lawyer might be interested in your particular case individually. That's why it is important to file a detailed Rip-off Report explaining exactly what happened also what you think you are owed. Once lawyers are interested, we contact you to contact them.

FTC, Attorney Generals, FBI, Secrete Service, Homeland Security, US Postal Inspectors, local & State Police all look at Rip-off Report, ... the more Reports that are put out in the open like this, the better. Rip-off Report was told by one Attorney Generals office that Rip-off Report embarrasses the authorities to take action and businesses into doing the right thing! ... those reports you file with Attorney General and the BBB, you never get to see. We are told by most authorities and the media, that they come to Rip-off Report to see how consumers are being taken advantage of, and your filed Report also immediately warns innocent unsuspecting consumers, so it is all out in the open. All other agencies just suck in all the information and never let you, the consumer see a thing! Businesses now realize the Internet is not going away, and a force to be reckoned with. Rip-off Report also puts you in contact with the Authorities when they are looking to prosecute and we put you in contact with TV News producers and News Paper Reporters when they are exposing consumer rip-offs.. Every day, Rip-off Report is involved with exposing consumer rip-offs..

Don't let them get away with it!™
Make sure they make the Rip-off Report™

Go to www.ripoffreport.com to file your Report

Once your situation is rectified, you can always come back and add an UPDATE on how they did or did not take care of you.

ED Magedson - Founder
EDitor@RipoffReport.com
badbusinessbureau.com
www.ripoffreport.com

We are not lawyers.
We are not a collection agency.

We are Consumer Advocates.
...the victims' advocate

WE are Civil and Human Rights Activists

We are a Worldwide Consumer Reporting News Agency
..by consumers, for consumers

Remember!
Don't let them get away with it!™
Make sure they make the Rip-off Report™
-------

See you all on ROR. If everyone affected writes their own report, it WILL get noticed and hopefully we can get these awful companies shut down for good!

# posted by LComeno : 4:28 PM, January 11, 2006

One person made the comment that he had been using computers since floppies were high-tech, well, I've been using PC's since I built my first 8088 machine. There are PLENTY of legitimate FREE programs out there that will prevent 99.9% of these infections and keep yor systems safe. I use AVAST (www.avast.com)anti-Virus' FREE program, which updates itself daily if not hourly sometimes automatically whenever you are online, you simply get a little pop up window in the corner of your desktop and a voice announces that the software has been updated. HIGHLY Recommended. Spybot S&D is OK but they don't update as often as Ad-Aware does though either free version will clean most of the nasties that are out there. The pay version of ad-aware will BLOCK the spyware before it is downloaded onto your puter'. I run em both. Zone Alarm is a very adequate firewall once you get it used to your surfing habits. ( very noisy at first warning you about everything, but quiets down after you use it for awhile) Spyware Blaster ia a passive blocker that keeps exploits from re-infecting your system. Surfing Guard Pro (www.finjan.com )is active protection that looks for anything trying to exploit your system and then sandboxes it until you decide what you want to do with it. (heck, you can even choose to let the bug run in safe mode to see what it would do to your system... not recommended but you can do it with this program) it USED to be free, but now I believe there is a nominal cost. This is what i run on my system and i have yet to experiance all the pain and drama many of the contributors have. Hope this helps..... Paladin

# posted by Anonymous : 8:40 PM, January 11, 2006

list.ru is one of the aliases for the free e-mail boxes at mail.ru.

Also, Popandopulos may not be a real Greek name, but it sounds pretty like a Greek name for a Russian ear (in a popular Soviet comedy movie, "The marriage ceremony in Malinovka", the protagonist bears that name).

Thus, it seems likely that the latter rogue anti-spyware is supervised by a malevalent compatriot of mine, a Russian.

# posted by Anonymous : 4:17 AM, January 12, 2006

Got a bunch of those fake "windows update" tray messages lately. (Forgot to disable messenger service after fresh install.)

# posted by Anonymous : 1:11 PM, January 12, 2006

...Well,I'm Greek too:
Greeks are famous for many things,
others are good,like our history for the most well-known example,
and others that are pretty bad,
for example "commerce fraud".
But I have to mention that "Popandopulos" is almost 99,9% not even a real name.

"Papadopoulos",as already said,
is the MOST well-known Greek surname,used by tens of thousands of people,to make it more clear:
it's equilevant in English/U.S. would be something like "Jones" or "Fisher".

The really "funny" thing would be,
if it was discovered that behind all this,there were both Greeks and Russians!
I say that because Greece hosts a lot of Russian refugees:
to avoid a misunderstanding,
most of them are very hard-working people and they are far more decent than my people,but then again,
I believe that we could definetely "ethically" corrupt them! ;-)

# posted by Anonymous : 1:13 PM, January 12, 2006

More likely this is a phishing attempt. Get you to send a credit card number to a hidden company in an unknown country. Think how much money you could make. Collect credit card numbers for a year, close your web site, charge $1000 on all cards.
Keep up good work. Much thanx from this user.

# posted by Anonymous : 7:30 PM, January 12, 2006

One very famous Greek, Archimedes, once said:[words to the effect]

If he was given a point outside the world, and a long enough lever, he could lift the world from its axis.

A nice analogy of the potential of strategic blogging, I'd say.

# posted by ruy_lopez : 4:40 AM, January 13, 2006

My friend brought me PC, which was infected by malware. He wanted if i can just clean it and to reinstall OS completely so. Also spy-sheriff participated in this, but the worst problem was virus which .dll-s were loaded by winlogon.exe. Every time i totally cleaned PC ( ProcExp - killing all malware tasks, disabling malware autoruns, removing all registry entries by malware ) after few minutes this virus downloaded again new malware and installed it in PC, really annoying thing. This malware also disabled internal Task Manager and wallpaper changes and so on. Malware created also file in c:\ called boot.inx. After malware download cca 25 malware process were started in short time and it showed about 3-6 popup warnings "Your computer were infected click here to download ...". I don't think about some conspiracy between malware writers and antispyware writers, i just think that there are Antispyware utilities and "(anti)-spyware" utilities.

# posted by Pessoft : 5:29 AM, January 13, 2006

Easy Way To Remain Spyware Free ;)

Install A Copy For WinXP With SP2 - New Install - Retail Copy - Do NOT Use Restore Disk Crap If You Bought Your Computer - Most Include Spyware / Adware Themseleves - So If You Do Then Your Infected From The Very First Boot - lol

Upon first boot download a copy of firefox 1.5 and install. Then vist windows update and install all updates and never use IE again but for windows update.

ALWAYS use firefox or opera or whatever thrid party broser that is NOT IE based. ;) So do all below in new NOT IE based broser. Again do NOT USE IE if you do not want to get infected!

Next install a firewall such as zone alarm, then an antivirus product such as f-prot anti-virus.

Then download process guard and never let anything run if you do not know what it is, ever.

Now your spyware free forever, as long as you stay up to date. That is latest version of firefox / browser / antivirus and firewall.

DO NOT need a single antispyware tool. That is if you follow what I typed to the letter.

If not or just feel better with antispyware then download microsoft antispyware. Leave it running constantly and check for updates daily. Same goes for antivurs and firewall.

Then download a copy of ad-aware, spybot search and destory, hijack this, bug off, BHO Demon, spyware blaster, and chs shredder. Run all and install latest updates daily. Or at least weekly. Highly recommand daily though.

Then download a copy of the host file from:

http://mvps.org/winhelp2002/hosts.htm

Then download and install both of these. Again always update at least weekly if not daily:

http://www.spywareguide.com/blockfile.php

https://netfiles.uiuc.edu/ehowes/www/

Next download a copy of startup monitor from:

http://www.mlin.net/StartupMonitor.shtml

Then download start right to help manage start up items. Why?

Because it has a nice option to set all new startup entries to disabled just in case one manges to get by startup montior or other antispyware program such as microsoft antispyware. That is before it allows the new startup item to run you must first aprove it. It's happened once before. Though was not spyware, in fact was just poor programming. ;)

Download here:

http://www.joejoesoft.com/vcms/113/

Now your never get infected again. :) Well maybe, if your smart and follow my instrucstions to the letter and that is if you have some commen sense and dont open emails from people you dont know. And dont vist "bad" sites such as hacker/virus/porn/cracking/warez related sites.

That should do it. Have never had a single "serious" spyware infection on my own personal pc, ever. Only had three infections in my life and all theree were from trusted sources. One from my own brother who had an infected file he sent me and did not know it.

And speaking of always scan files even from trusted sources. Cause they could have been comprissed. TRUST NO ONE, EVER!!

And for those wonder why not serious? Well because process guard stoped them all in the tracks and then I simply removed from pc using the tools above. :) So no damage at all since they never even had a chance in hell of running. :)

Take Care,

Will

PS: If you need help removing any of this crap send me an email.

# posted by war59312 : 8:01 AM, January 13, 2006

today I found a similar ad when I was redirected to the 404 page:

http://members.fortunecity.com/amru/apc/apc.htm
the ad contain this url:
http://adopt.euroclick.com/lnk.eu?aplcd=975;710;1147;2485;f.f.9.ML.f.f;;href=http://www.myspywarecleaner.com/fc/sc/default.asp?id=7508
I didn't dare to click it but I guess the www.myspywarecleaner.com site might infect your computer in the way mentioned in this blog

# posted by Anonymous : 8:30 AM, January 13, 2006

I totally agree with some of the above posts regarding Avast! Antivirus, Firefox, ZoneAlarm, SpyBot S&D, and AdAware. I use all the above. I once in a great while scan my computer with SpyBot S&D (after updating the signature files) and AdAware (again after updating the signatures) and I can say that I do not have any malware. For those of you that have infected systems that are very hard to get rid of, I recommend another product BART CD (Bootable Antivirus & Recovery Tool CD) by the same company that authors Avast! It is a 14 day trial, and I was very impressed! Basically it will boot into memory and then run the antivirus software, plus it has other tools as well. I highly recommend Firefox or Opera. I've been using Firefox since it was known as Phoenix 0.2. Good luck to y'all!

# posted by Anonymous : 9:55 PM, January 13, 2006

Regarding the WMF vulnerability and conspiracies (for those who like to partake) there's an intresting transcript here:

http://www.grc.com/sn/SN-022.htm

Particularly of note is MS's cloudy critical/non-crital classification of vulnerabilities, effectively ensuring that older versions of Windows, even if fully patched, will still remain vulnerable.

# posted by ruy_lopez : 2:30 AM, January 14, 2006

I wonder if this has been brought up here/ is thought credible?

"Leo: So you're saying Microsoft, or people at Microsoft maybe unbeknownst to Microsoft, intentionally put code in Microsoft Windows that will allow anybody who knew about it access any Windows machine, to get into any Windows machine and run any arbitrary code on it.

Steve: Well, it's not like a trojan, where they would be able to contact a remote machine. But, for example, if Microsoft was worried that for some reason in the future they might have cause to get visitors to their website to execute code, even if ActiveX is turned off, even if security is up full, even if firewalls are on, basically if Microsoft wanted a short circuit, a means to get code run in a Windows machine by visiting their website, they have had that ability, and this code gave it to them.

Leo: And there'd be nothing anybody could do about it or - and in most cases detect it. So it sounds like - and I really want to be careful here because this is a very serious accusation. It sounds like this was done on purpose by Microsoft or somebody at Microsoft. It sounds like it was accidentally discovered. Microsoft reacted and has pulled it out now."

http://www.grc.com/sn/SN-022.htm

I would think you might be able ot help confirm/deny any of this Mark.

Or this related item

"What comes back, is that some time in the night the computer switched over to auto-update, installed the patch, switched back to manual, and then reset.

I pick another and check it. It comes back the same. EVERY one of the 35 did the same thing."

http://www.emailbattles.com/archive/battles/vuln_aacfhddccc_de/

# posted by Anonymous : 7:11 AM, January 14, 2006

1) List.ru initially provided free mass-mail services (subscripton to sites' update and so on)
Now it provides free mailboxes as well, like for example HotMail.com does

It might be correct onfromation, so.

Popandopulus ? I heard some software crack-maker had this nickname... Or not? I ain't sure.

2) worse thing is that no updates can save you from viri. You know, ASF/WMV file can contain virus bootstrap.
When anyone watches it, it ask to update Microsoft DRM libs, then to install license, then you had any code movie-maker did on Your PC.
Microsoft officially told that this can never (sic!) happen to official movies released by lawful authors, and user should not download any other movies.
Now, imagine such a movie, embedded into web-page a la SWF.

Mark. i do trust to movies, made by You, but i will try to watch it with VideoLAN or GStreamer, and only if it fails - with DirectX :(

# posted by Anonymous : 6:32 PM, January 14, 2006

I currently live and work in Greece and I can tell you from experience that if the Greeks are behind this then I would not be surprized one single bit. Greeks are like "wannabe Romanians" but completely lack the skill level to pull off the global scams/crimes that the Romanians do on an hourly basis.

And thus it is unlikely (but not impossible) that Greeks are behind this. This has the telltale signs of a Russian hand. Hell 80% of this crap comes from their neck of the woods anyway so it falls within reason. Could even be a Ruskie living in Greece.

# posted by Anonymous : 6:32 PM, January 14, 2006

In answer to "I wonder if this has been brought up here/ is thought credible?"

1) i believe grc.com is highly credible. And Microsoft, incorporating their ClearType into Windows XP, admits it too.

2) as a programmer, i would say if the facts told by Gibson are truth, then his conclusions looks like the only possible ones. Hope someone would find another explanation or mistake in his facts.
I also wonder what are the permissions given to the code inside WMF ? but even the lowest permissions, combining with potentional WM_* misuse - it is highly dangerous.

About computer turning on by itself to upgrade or do whatever it is programmed by someone.
Latest Intel network cards have something called like Active Management or so. It is the feature that allows any computer to be remotely powered on and managed. And Intel did not gave any technical details. So it exists and it can be anything.

No, about reactive protections like Antiviri and "i do not download programs from the internet"
1) Antiviri by their nature can hunt only massive virus and relatively old ones. While this is 99% of what one might meet, remember that no antivirus can reliably hunt virus:
a) written especially for you or you company.
b) written several days ago and not yet found and analyzed by antivirus vendor.

"i do not download software" - that does make no protection. Internet Explorer and Outlook Express can easily do it for You.
They are a kind of village-styled software, not city-styled. As i wrote eralier, ASF/WMV file can be embedded into web-page, and it can contain command to Windows DirectX to download and run virus. Since the very file does not contain virus itself - it would be considered clean by any antivirus software, and each time Your would review it - would download some virus and perhaps one day it would be brand new virus, not yet detected by antivirus You're using.

# posted by Anonymous : 2:23 AM, January 16, 2006

Spyspotter is scumware like this. Avoid it at all costs. It is sold by a rotten company named Oemtec.

# posted by Anonymous : 9:30 PM, January 16, 2006

On topic and off topic, but worth mentioning.

My dad continues to use IE despite what I say about its vulnerabilites. Spybot S&D's TeaTimer seems to help slow down any bad downloads in IE and I try to keep it updated regularly so that bad downloads won't be able to self-install or give him prompts to install. He uses it solely because of the way IE and Firefox process their bookmarks. IE stores them as individual shortcuts in C:\Documents and Settings\User\Favorites. Its the way he views the latest comic in Comics.com, he likes to simply bookmark the latest and have it overwrite the same file. Firefox stores all the user's favorites in a single HTML file so you can have two favorites listed with the same name pointing to entirely different places.

I myself use Firefox with the NoScript Plugin from Mozilla's site. When I close Firefox, all the browsing history is simply deleted including any and all cookies that might have been stored in the browser's temp file.

Also this may be off topic, but pop-ups can be related to spyware as well as drive-by downloads. Is it just me or is IE's pop-up blocker not as strong as it used to be? Firefox's was bypassed in a month with a simple flash movie where the movie plays an open new window event, just as if that event was triggered with a mouse click. I first saw the exploit in a homestarrunner.com strong bad e-mail movie where strong bad gets the 200,000+ viruses and all kinds of wierd crap happens including several simulated pop-up windows in the movie as well as a real pop-up window mixed in. Just now I'm seeing IE's pop-up blocker even on its maximum setting getting bypassed. It ususally happens on sites that are supported by blatent advertising. My dad regurarly goes to Comics.com using IE and that site is loaded with ads which may use nothing more than tracking cookies, but those are spies none the less.

Anyway, enough rambling. What I'm trying to say is, IE's security is weak and always flawed. Pop-ups can lead to drive by downloads, which can seriously f**k up your computer and also through the use of malicous scripts which do the same thing.

Oh well, I can't stop him, if he want's a computer slowed by spyware and resource hogs, that's fine by me. If I can't fix it, I'll reinstall the operating system and start it over from scratch.

If you have relatives who insist on using IE, try to talk them out of using IE or load Spybot's Tea Timer which runs automatically as an ActiveX control in IE. It's the Immunization option in Spybot's interface. Deeper in Spybot is an option to lock the hosts file as well add a list of known bad websites to it. Those are all pointed to 127.0.0.1, which as we all know is the NIC's loopback address.

Two other free and open-source programs to take a look at are ClamWin Antivirus and Winpooch Watchdog. They are both hosted on sourceforge.net.

# posted by Anonymous : 1:04 AM, January 20, 2006

Good article Mark. MyspywareCleaner caught a friend of mine, exactly as you describe.A big fan of sysinternals just got 'bigger'.

# posted by Miles : 8:37 AM, January 20, 2006

"If you have relatives who insist on using IE, try to talk them out of using IE"

I feel like a keeper of the non-secret that has sat right under Windows users' noses since WinNT days, or since time immemorial in the *NIX world:

Use a non-Administrator account when you don't actually need Admin powers for something.

I have about 70 "kids" down at the office, and this is the only antispyware we use, aside from decent antivirus software and a perimeter firewall. Works perfectly. But don't take my word for it, how about Spywareinfo.com: Surf More Safely With Any Browser.

"I created a low-level user account and then went surfing to some of the most spyware-infested web sites I could find. Guess what? Nothing happened. Not only did I fail to pick up a single hijacker, I never once saw as much as a single ActiveX prompt. As far as I could determine, I was immune to spyware infection."

Duh. And his next newsletter had tips on the practical aspects of using a Limited account. Think about actually solving the "root" of the problem, folks.

# posted by mechBgon : 11:59 PM, January 20, 2006

mmm,I have something more than just similar to spysherrif......-_- "spyware strike" or something.

They need some kind of law against this....

# posted by Anonymous : 9:06 AM, January 21, 2006

Great article Mark. You stated that clicking anywhere on the dialogue box (even No) led you to a website. Is there a way to get rid of the dialogue box without 'mouse' clicking on the 'No' button? I thought that one of the 'F' keys would clear/delete/close the dialogue box or any 'pop-ups' for that matter. Thanks.

# posted by Anonymous : 9:09 PM, January 21, 2006

So I have a very serious question. Is my system in danger? I am not liking seeing all of these other comments about Spy Sherriff. I feel like I got railroaded. Please provide some insight.

# posted by Bookman : 9:37 PM, January 24, 2006

Microsoft have joined with the Washington Attorney General McKenna to help protect consumers from ‘Spyware Deception’ and launched a lawsuit of their own. This should see the removal of those pop-up and in-line advertisements stating your PC may be affected by spyware.

http://www.microsoft.com/presspass/press/2006/jan06/01-25McKennaSpywarePR.mspx

# posted by Stephen : 1:44 PM, January 25, 2006

Great article. I had never been hit until about a month ago, just before leaving for vacation. I didn't have an antivirus (not that it would help) and I did fine with the same windows install for about 2+ years. Then I inserted Sony's "Buddy Guy" album, and 5 minutes after I was facing an avalanche of spyware infections that happened exactly as described in this post. It took a full reinstall. Watch out for Sony DRM rootkit guys! BTW popandopulos sounds like Greek for popup.

# posted by tamasko : 5:04 PM, January 25, 2006

SpySheriff infestation was definitely the worst such experience I had so far (I had to reinstall Windows XP.)

However, the whole thing started with my *not* selecting 'Yes' when a message box, similar to the one at the beginning of the article, appeared. Also, I may have actually closed the message box, instead of pressing No button (don't remember exactly anymore.)

# posted by Tony : 12:51 PM, January 28, 2006

I guess what I was trying to say above is that, after clicking No (or closing) the initial message box I was not redirected to any website.

I just got a bunch of message boxes that toook any answer as a Yes answer.

# posted by Tony : 4:09 PM, January 28, 2006

This information is of great use and benefit to all users. Keep up the excellent work..

I would like permission to put "The Antispyware Conspiracy" information up on our intranet site (no Internet connectivity on desktops) as a warning to our users please. Let me know if I can do this and under what conditions in a reply to this. Thank you.

# posted by MarkF : 7:40 AM, January 29, 2006

I had a real problem with spyware and rouge spyware on a server I have recently taken over running and supporting. it took two days to resolve the issues and kill everything off. the software here on sysinternals help greatly in tracking down the badware.

I have no time for spyware or anytype of badware so keep up the good work on this site providing quality information. :-)

# posted by Kelvin : 7:57 AM, February 01, 2006

I recently cleaned out a machine that was infected with SpySherriff ... and with around a dozen other malwares: Look2me, VX2, Trojan.small, Rustock, BW2, SurfSideKick, PurityScan, IstBar, DollarRevenue, NetOptimizer. Some might have been lingering for a while, but I get the distinct sense that one infection lets several more get in on its coat-tails.
This was the toughest cleanup I've ever conducted (a clean install would have been faster but the user had software they needed for which the installer CDs were with someone who was out of town that week.)
Reading up on SpySherriff and Look2me lead me to learning about "root kits" for Windows -- man, that stuff will make you paranoid!

# posted by Anonymous : 3:03 PM, February 03, 2006

Mark,
Thank you for posting the info on Spyware Cleaner. I'm sorry I purchased it and had suspicions from the start, I tried to get a refund and Secure Computer LLC (owner Gary Preston) stopped returning my emails. Interesting recent events must have caused him to shut down his web sites and his product is no longer available. Must have been caught for unscrupulous actions. Spyware Cleaner had hijacked my Host File and I kept finding this after scanning daily with Microsoft Anti-Spyware Beta 1. I had a difficult time trying to determine which program had hijacked my Host file and finally traced it back to Spyware Cleaner. I did some digging previously on their web site (when it was up and running) and there was a link for others who wanted to sell his product by placing banners on their web site. I remembered his catch was that most buyers will do the free scan and then pay for the program to remove and the profits we 60-70% commission! I could not believe it! Anway, I noticed that SpyBot Search and Destroy kept bringing up the program with Red Flag Warnings to remove the program. Just today, I was scanning with Spyware Doctor which I have on my system and they must have just updated their intelli-signatures to include all of the hkeys and other crap Spyware Cleaner loaded on my system. Spyware Doctor identified Spyware Cleaner as a "Rogue Anti-Spyware program" and prompted me to delete the infection, including all associated registry keys. Spyware Doctor found all of this even after I un-installed the program! If anyone has Spyware Cleaner from Secure Computer LLC installed on your system DELETE IT, including all associated registry keys, etc. I have the log file of registry keys Spyware Doctor found if anyone needs it. Just post your blog and/or include a temporary email address (found at www.sneakemail.com for free) so that your email is anonymous.

# posted by Anonymous : 6:26 AM, February 08, 2006

You write: the same, but with different skins and icons, ... "antispyware" technology from someone else.

This could just be like the 1990's books with the same authors and publisher: "wordperfect styles and macros" and "wordperfect macros and styles".

Whatever the details it obviously stinks - my penguins say so.

# posted by Anonymous : 11:08 AM, February 10, 2006

This blog is wonderful. I run my Ad-Aware and "SywareNo"(MY PROBLEM) keeps showing up. I "Never" knowingly downloaded anything. I delete it ,go on the Internet for a minute and It's back on. I have been following instructions everywhere for removal with no luck yet. There is nothing that shows up in the registry with all the tests/programs I've run. My 1st thought was to do a System Restore because It's only been on a short time. It was posted that someone did do this and it was gone because the poster makes it sound like it worked. Did this really work??? Would it work? Ad-Aware is the only program it shows up in. Not in Spybot,Windows Defender or Norton. I keep thinkng It's actually related to Ad-Aware at this point with this new Google partnership. I'm not advanced and I have been following instructions now to clean my entire PC from an advanced site which is a great site and I did manage to find 11 critical software /registry errors with doing part of it. They suggest & say I need to do and not skip one step and I'm afraid and don't know what I'm doing. ** I wanted to know if the System Restore really worked??? Problem...w/this process I've been tryinng to do after your PC is clean you delete all past Sytem Restore points...so they are gone! Any suggestions and would a System Restore have fixed this? Thank you in advance for anyone that posts back a comment. Jewels

# posted by Anonymous : 5:44 PM, February 14, 2006

Hi Mark,

Thanks a lot for the analysis. I was a victim this weekend. I thought the spyware problem was due to a lot of torrent files I downloaded last week and was cursing P2P for it.

This whole spyware thing ruined my weekend and I ended up reinstalling Windows. Is there any long term solution so that this problem never occurs again?

# posted by Amol : 11:19 PM, February 14, 2006

> This whole spyware thing ruined my weekend and I ended up reinstalling Windows. Is there any long term solution so that this problem never occurs again?

Backup your C:\ partition nightly to your secondary or an external HD. I've gotten infectedly badly too and I just click 'restore' and 5 minutes later it's like nothing ever happened. I use Drive Image 2002 fyi.

cold_ronald

# posted by Anonymous : 10:44 AM, February 15, 2006

Great article! That stuff is scary....

# posted by wilson : 8:50 PM, March 08, 2006

I wonder if I'm in on the conspiracy... I had a user here come down with SpyAxe, so I took his lappie home and spent 3 hours getting rid of it. When my boss found out that I had gone "above and beyond" he tossed me a $100 bonus.

I'm profiting from spyware!

# posted by Anonymous : 9:38 AM, March 21, 2006

mark your the best!!!

# posted by andy : 6:40 AM, March 23, 2006

To prevent spyware from entering your PC, disable all ActiveX, Java, and scripting features in IE. Tools, Internet Options, Security, Internet, then disable all of the above items. Bear in mind that web pages might no longer behave as expected (this is good, if spyware). Drop down menus will not appear, you may not be able to fill out forms, etc., that require Java or Active. So, put the sites that you need or trust in the Trusted zone. Disable File Downloads in the Internet Zone. You can also add a dicey site to the Restricted zone while testing it.

# posted by Anonymous : 10:15 AM, June 16, 2006

Hi Mark,

Thank You for the great information and userful tools.

Our fragile world is full of bad businessmen and crooks that prey on people's lack of accurate information and fear.

Your website has always been a central source of technical knowledge for me all this years.

I would like to see your opinion on the following popup message (and others like this but with slightly different messages and different website addresses) that I constantly receiving just after getting on the internet.

Thank You Very Much.

---------------------------
Messenger Service
---------------------------
Message from SECURITY MONITOR to WINDOWS USER on 7/7/2006 7:02:35 PM Important Windows Security Bulletin ====================== Buffer Overrun in Messenger Service Allows Remote Code Execution, Virus Infection and Unexpected Computer Shutdowns Affected Software: Microsoft Windows NT Workstation Microsoft Windows NT Server 4.0 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Win98 Microsoft Windows Server 2003 Non Affected Software: Microsoft Windows Millennium Edition Your system is affected, download the patch from the address below ! FIRST TYPE THE ADDRESS BELOW INTO YOUR INTERNET BROWSER, THEN CLICK 'OK'. THE ADDRESS WILL DISAPPEAR ONCE YOU CLICK 'OK'. www.patchupdate.info
---------------------------
OK
---------------------------

# posted by Anonymous : 9:42 PM, July 07, 2006

There's a definitely a fuzzy line in that sort of advertising, and you are spot on - just the way that spyware prays on unsophisticated internet users, so does that sort of marketing. I think as times goes on though everyone will get more savvy. But then so will the marketers, eh!

# posted by Got to Remove BraveSentry : 12:32 AM, July 11, 2006

Mark's Sysinternals Blog

The Antispyware Conspiracy

RSS Feed

Index

Recent Posts

Archives

Other Blogs