KnujOn

KnujOn (nûj-ôn)

Spyware

Spyware "infects" your PC but does not have the same intent as a traditional virus. Spyware usually collects information from your cookies for advertising purposes, launches pop-ups and changes your default homepage. If your startup web page changes and you reset it but it changes back on reboot, you may have spyware.

Some spyware is legitimate, meaning it is part of something you intentionally downloaded. For example, you may have installed RealPlayer. RealPlayer checks your version for updates and upgrades and prompts you when new versions are available. It also launches pop-ups for advertising. However, you are getting the product for free, and if you uninstall it, the spyware goes away too.

It is important to note that these attacks are not conducted by random hackers looking to damage personal PCs, but are rather a targeted attempt by entities to control how you use the Internet and force advertising on you. They are doing this for money; it is not a prank.

The not-so-nice ones are sometimes very hard to get rid of. There are many free programs that can help:
SpyBot - Search & Destroy
Spyware Blaster
Hijackthis
CWShredder


Lavasoft Ad-Aware, recommended purchase product for protection and removal



ZQuest

ZQuest is a Trojan that can be spread through email, web pages and instant messages. ZQuest forces pop-ups and modifies viewed web pages on the fly. ZQuest may show up alongside an infection of SurfSideKick. The following registry key needs to be deleted in safe mode:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{22131A58-5F9A-3EAA-28A7-C3059A3D0632}

It may force your browser to topconverting.com, revenue.net, zwoops.com, Z-QUEST.COM, and other sites.

Information and Removal
symantec.com
nai.com
scanspyware.net



More "It's Not Spyware" Claims - SurfSideKick

According to the SurfSideKick website: "Surf Sidekick guides relevant web sites to you at the precise moment you are actually interested in them. Just browse the internet as you normally do and ... ." Similar to NewDot, they claim that it is not spyware and "helps" users search the web. There is one problem with that claim: SurfSideKick installs without the user's permission or knowledge.

The registry entry HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe must be deleted in safe mode.

Information and Removal
Ssk - Ssk.exe - Process Information
Ssk.exe is Adware.SurfSideKick greatis.com
Alias: SurfSideKick 2 sunbelt-software.com
SurfSideKick Removal majorgeeks.com
SurfSideKick ca.com
HOW TO REMOVE SSK.EXE (surfsidekick 2) techsupportforum.com
Hijackthis logfile....please help techsupportforum.com



NewDot Saga

Not only is NewDot difficult to remove, but they will sue you if you talk about it. NewDot installs very easily, simply by opening an email or web page. NewDot's registry entry will try to launch this DLL on start-up: C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL. If you delete the DLL and registry entry it will reinstall. It may only be removed completely in safe mode. HijackThis can help. But NewDot is not done with you yet! They insist that their hidden-install-forced-download-impossible-to-remove-browser-hijack is not "spyware" but simply a new type of marketing, and they will sue you if you say that it is "spyware" (some call it "Foistware"). They have even filed a lawsuit against the Internet Corporation for Assigned Names and Numbers for discussing NewDot's business practices.

Letter to ICANN from NewDot
ICANN Response to NewDot


NewDot Sues Lavasoft (LavaSoft is a recommended PC security tool)


Here is a case of someone from NewDot going into a spyware discussion blog and telling users that NewDot is not spyware (see post #3): pcreview.co.uk

NewDot has a large amount of information on the subject at their site, but since we cannot guarantee that the site is safe we will not link to it directly.

Removal and Information
Removal Discussion Thread
spywaredata.com
cexx.org
cnet.com
Analyze your PC for threats
Lavasoft suit(pdf)




MIRAR

Have you noticed an additional toolbar on your browser called MIRAR? If so, you have a spyware virus on your PC. The "uninstall" link for MIRAR actually links to their website and a phony form that requests personal information that has nothing to do with uninstalling the program. Never fill out forms like this.

The purpose here is either to a) deter people from uninstalling the spyware or b) gather more personal information.

The following sites are associated with this spyware:
mirarsearch.com
getnirar.com
net-nucleus.com
mt-download.com
adservs.com
findthewebsiteyouneed.com

Removal
http://www.spyany.com/program/article_spw_rm_Mirar.html
http://www.nuker.com/container/details/mirar_toolbar.php



Fake Spyware Scans

You may have had a pop-up window like the one below:

Do not click on the links in this window. These advertised scans are often launched by viruses or spyware that have already infected your PC. Downloading the software will "fix" the virus problem and in turn expose you to more spyware and viruses. Some companies have infected PCs with spyware and then billed users to have them removed. The above pop-up links to web-update.org and scanandrepair.com. They are listed as "Rogue/Suspect Anti-Spyware Products & Web Sites" by spywarewarrior.com. Read more.

oneclicksearches.com and psguard.com

oneclicksearches.com and psguard.com use Trojan.ByteVerify and variants to infect your PC.


What do oneclicksearches.com and psguard.com do to you?
  • Sets default homepage to: oneclicksearches.com
  • Turns on Active Desktop and defaults the page to %SystemRoot%\system32\wppp.html, which is psguard.com
  • Installs these programs in c:\winnt\system32\
    down1.exe
    hhk.dll
    hpF443.tmp
    intell32.exe
    intmon.exe
    msmsgs.exe
    oleext32.dll
    shnlog.exe
    uninstIU.exe
    wppp.html
  • Sets up a fake "Virus Alert" in your task bar. Clicking on the "alert" brings you to psguard.com where they try to sell you anti-spyware software.
  • The oneclicksearches.com home page uses hijacked microsoft.com icons so the site looks like a Windows security page.
  • Sets hundreds, possibly thousands of registry keys pointing to oneclicksearches.com

What you can do about it
  1. If you don't already have anti-virus software, get some. If you do have it, update the definition lists. There are free anti-virus packages available from Symantec and McAfee. Download stinger.exe.
  2. Disconnect from the Internet/network
  3. Reboot in Safe Mode with Network support (reboot and hold F8)
  4. Run the anti-virus software in Safe Mode
  5. Disable Active Desktop (Control Panel, Folder Options)
  6. Do a search for the files listed above and delete them
  7. Open the Registry Editor (Start, Run, regedit) and do a search for all keys containing "oneclicksearches.com" and delete them. Do the same for "wppp.html" and "psguard.com"
  8. If you know approximately when you got the virus, do a search on your PC for any file created since that time. More than likely you will see recently created EXEs in the system32 folder. Rename these files rather than deleting them, just in case they are not part of the virus.
  9. Open a browser (while still offline!) and delete all cookies, cache, temp files and bookmarks that were added by the virus, and change your home page back to what it was.
  10. Reboot your PC and test to see if the viruses are gone
  11. oneclicksearches.com and psguard.com are registered through ESTDOMAINS; file a complaint with estdomains.com.
  12. Email the admins for oneclicksearches.com and psguard.com at dep@sexpicsporn.com and psguard@ua.fm and tell them how disgusted you are with their tactics.
  13. File a complaint with the BBB
  14. File a complaint with the FTC



Gator/GAIN

One of the earliest and most well-known examples. It often comes bundled with downloaded freeware or shareware like KaZaA, WeatherBug, Napster, and the like. Gator launches ads and redirects your searches to their selected products. Having Gator installed will expose you to other types of spyware.

Removal: In Gator's case you may be able to remove it through Add/Remove Programs in the Control Panel. To be sure, find and delete the following files:
iegator.dll
fsg.exe
fsg-ag.exe
GMT.exe
Do a Registry search for it also, and delete the keys under ...\CurrentVersion\Run and ...\CurrentVersion\RunOnce




Xupiter

An example of browser hijacking is the Xupiter toolbar. It keeps resetting your homepage to Xupiter.com, adds a toolbar and launches pop-ups. Use these instructions: pchell.com to remove it, then send an email to help@xupiter.com, support@xupiter.com, and dnsadmin@tucows.com telling them you do not like their spyware advertising tactics.




fastsearch.cc

What a pain this one is. It sets registry keys for startup pages to
http://%69%6e%2e%77%65%62%63%6f%75%6e%74%65%72%2e%63%63/%2d%2d/?%79%64%74%66%73.
Why? The % followed by two hex digits is a percent-encoded hexadecimal character code: %69 = i, %6e = n, and so on. The entire string decoded is in.webcounter.cc/--/?ydtfs, and this page redirects your browser to fastsearch.cc (.cc is the Cocos Islands). The reasons: for one, you cannot put the % form in your web blocking list. Then, your browser keeps resolving to fastsearch.cc, but if you search your hard drive, cache and registry, "fastsearch.cc" won't come up. This is called obfuscation.
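The obfuscation just described is exactly why the registry search in the oneclicksearches.com removal steps (search for "oneclicksearches.com", "wppp.html", "psguard.com") can come up empty on an infected machine. As an added example that is not part of the original page or of any tool it mentions, here is a Python script that scans a registry export (the text file regedit's Export command writes) for the indicator strings this page lists, percent-decoding every value first so an encoded start page like the one above is matched as well as a plain one. The sample export, the indicator list and the function names are all constructed for this illustration; the sample is not from a real infected PC.

```python
import re
from urllib.parse import unquote

# Constructed sample of a Windows registry export (.reg); it is NOT from a real infected
# machine. It mimics entries of the kinds this page describes: a SurfSideKick Run entry,
# a start page pointing at oneclicksearches.com, and a percent-encoded start page of the
# webcounter.cc / fastsearch.cc kind that a plain-text search would miss.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SurfSideKick 3"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://oneclicksearches.com/"
"Search Page"="http://www.google.com/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://%69%6e%2e%77%65%62%63%6f%75%6e%74%65%72%2e%63%63/%2d%2d/?%79%64%74%66%73"
"""

# Indicator strings taken from this page (domains and file names it associates with
# the hijackers); extend the tuple for whatever you are hunting.
INDICATORS = (
    "oneclicksearches.com",
    "psguard.com",
    "wppp.html",
    "webcounter.cc",
    "fastsearch.cc",
    "ssk.exe",
)

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<value>.*)$')


def decode_percent(text, max_rounds=5):
    """Undo %XX encoding until the string stops changing (catches double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def _strip_quotes(value):
    """Registry string data is written as "..."; other types (dword:, hex:) are left as-is."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def scan_reg_export(reg_text, indicators=INDICATORS):
    """Return one finding per registry value whose data mentions an indicator.

    Each finding records the key, value name, raw and decoded data, the indicators
    that matched, and whether the match only appeared after percent-decoding
    (the obfuscation this page describes).
    """
    findings = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = _VALUE_RE.match(line)
        if not value_match or current_key is None:
            continue
        name = value_match.group("name")
        if name is None:
            name = "(Default)"
        raw = _strip_quotes(value_match.group("value"))
        decoded = decode_percent(raw)
        raw_l, decoded_l = raw.lower(), decoded.lower()
        hits = [i for i in indicators if i in raw_l or i in decoded_l]
        if not hits:
            continue
        findings.append({
            "key": current_key,
            "name": name,
            "raw": raw,
            "decoded": decoded,
            "indicators": hits,
            # True when a plain-text search for the indicator would have missed it
            "obfuscated": not any(i in raw_l for i in hits),
        })
    return findings


if __name__ == "__main__":
    # On a real machine: regedit -> File -> Export (whole registry), then pass that file.
    for f in scan_reg_export(SAMPLE_REG_EXPORT):
        flag = " (percent-encoded)" if f["obfuscated"] else ""
        print(f'{f["key"]}\\{f["name"]} -> {f["decoded"]}{flag}')
```

Matching is done on both the raw and the decoded data, and a finding is flagged "obfuscated" when only the decoded form matched, which is the case the built-in Registry Editor search cannot surface. The decoder loops until the string stops changing so that a doubly encoded value is also unwrapped.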

This was apparently caused by CWS.Tapicfg, a variant of CoolWebSearch. It's named so because CoolWebSearch.com was one of the first sites to use this technique.

SpyBot, SpywareBlaster, and HijackThis did not clean it out, but CWShredder did get it.

After you have cleaned out webcounter.cc or fastsearch.cc, send an email to:
Helen Bauer - webmaster@fastsearch.cc and Katsuji Yoneyama - webmaster@webcounter.cc expressing your disgust at their advertising tactics.

To reduce the risk of spyware infection, load Spyware Blaster, which will block specific spyware packages and also increase the security of your browser settings, specifically blocking or prompting for stylesheet downloads.



More Info:
Anti-spyware guidelines get final version (msn-cnet.com 01/12/2006)
Information Kit: Spyware
Whatis.com
spychecker.com
cexx.org
grc.com
spywareinfo.com
Spyware forum