Email admin@nicklockard.com

(503) 383-9785

4pm - 3am PST








PC Helper Desk is a Knowledge Base & Remote Support site for Virus and Spyware Removal, Optimizing and Securing your Home and Business Computers, Servers & Network Systems and Infrastructure for over 10 years!






Welcome to the internal Knowledge Base of many computer Infections and Security issues such as Viruses, Worms, Spyware & Adware


Infection Definitions


Adware
Adware (or spyware) is a small program that is designed to show advertisements (in various form and degrees of intrusiveness) on your computer. It often reports personal information back to its owners. As a result your sense of privacy can be violated.

Backdoor
A backdoor is a small malicious program that is used to gain access to a computer by bypassing the computer access security mechanisms. It gives the attacker almost unlimited rights. While it can be used to spy on a user, it is mainly used to install other malware on the system.

Heuristic
A technique designed to detect malware by empirical means, without having specific data about it.

Malware
A generic name for all types of malicious programs: adware, backdoors, rogues, trojans, viruses and worms.

Rogue
A rogue program is a malicious program that is disguised, for instance, as trustworthy anti-spyware programs or registry cleaners. But these programs are only put on the market to scare you into buying these programs because they make exaggerated claims about the safety of your computer or, worse still, give erroneous scan results or put their own malware in your system.

Trojan
A trojan (or Trojan horse) is a small malicious program that pretends to have a particular function, but that only shows its real purpose after execution and that purpose is often destructive. Trojans cannot multiply themselves, which differentiates them from viruses and worms.

Virus
A virus is a small malicious program that multiplies and is capable of attaching itself to other programs after being executed. It then causes an infection and causes various degrees of damage to your computer.

Worm
A worm is often characterized as a malicious application that will use a host machine to infect other machines. Therefore worms can create enormous damage on networks with multiple computers.

Rootkit
A rootkit is a software system that consists of a program or combination of several programs designed to hide or obscure the fact that a system has been compromised. In March 2009, researchers published details of a BIOS-level rootkit for PCs that is able to survive hard disk replacement and re-installation of the operating system.




 


Virus & Spyware

Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.

While the term spyware suggests software that secretly monitors the user's behavior, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software, redirecting Web browser activity, blindly accessing websites that cause further virus infections, or diverting advertising revenue to a third party. Spyware can even change computer settings, resulting in slow connection speeds, different home pages, and loss of Internet or other programs. In an attempt to increase the understanding of spyware, a more formal classification of its included software types is captured under the term privacy-invasive software.

In response to the emergence of spyware, a small industry has sprung up dealing in anti-spyware software. Running anti-spyware software has become a widely recognized element of computer security best practices for Microsoft Windows desktop computers. A number of jurisdictions have passed anti-spyware laws, which usually target any software that is surreptitiously installed to control a user's computer.






Malware Infection


Malware, a portmanteau from the words malicious and software, is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Many computer users are unfamiliar with the term, and often use "computer virus" for all types of malware, including true viruses.

Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of several American states, including California and West Virginia.

Malware is not the same as defective software, that is, software which has a legitimate purpose but contains harmful bugs.

Preliminary results from Symantec published in 2008 suggested that "the release rate of malicious code and other unwanted programs may be exceeding that of legitimate software applications." According to F-Secure, "As much malware [was] produced in 2007 as in the previous 20 years altogether." Malware's most common pathway from criminals to users is through the Internet, by email and the World Wide Web.

The Purposes

Many early infectious programs, including the first Internet Worm and a number of MS-DOS viruses, were written as experiments or pranks generally intended to be harmless or merely annoying rather than to cause serious damage to computers. In some cases the perpetrator did not realize how much harm their creations could do. Young programmers learning about viruses and the techniques used to write them wrote such programs only to prove that they could, or to see how far they could spread. As late as 1999, widespread viruses such as the Melissa virus appear to have been written chiefly as pranks.

Hostile intent related to vandalism can be found in programs designed to cause harm or data loss. Many DOS viruses, and the Windows ExploreZip worm, were designed to destroy files on a hard disk, or to corrupt the file system by writing junk data. Network-borne worms such as the 2001 Code Red worm or the Ramen worm fall into the same category. Designed to vandalize web pages, these worms may seem like the online equivalent to graffiti tagging, with the author's alias or affinity group appearing everywhere the worm goes.

However, since the rise of widespread broadband Internet access, malicious software has come to be designed for a profit motive, either more or less legal (forced advertising) or criminal. For instance, since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation. Infected "zombie computers" are used to send email spam, to host contraband data such as child pornography, or to engage in distributed denial-of-service (Ping of Death) attacks as a form of extortion.

Another strictly for-profit category of malware has emerged in spyware -- programs designed to monitor users' web browsing, display unsolicited advertisements, or redirect affiliate marketing revenues to the spyware creator. Spyware programs do not spread like viruses; they are generally installed by exploiting security holes or are packaged with user-installed software, such as peer-to-peer applications. It is not uncommon for spyware and advertising programs to install so many processes that the infected machine becomes unusable, defeating the intention of the attack.

Infectious malware: viruses and worms

The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any other particular behavior. The term computer virus is used for a program which has infected some executable software and which causes that software, when run, to spread the virus to other executable software. Viruses may also contain a payload which performs other actions, often malicious. A worm, on the other hand, is a program which actively transmits itself over a network to infect other computers. It too may carry a payload.

These definitions lead to the observation that a virus requires user intervention to spread, whereas a worm spreads automatically. Using this distinction, infections transmitted by email or Microsoft Word documents, which rely on the recipient opening a file or email to infect the system, would be classified as viruses rather than worms.

Some writers in the trade and popular press appear to misunderstand this distinction, and use the terms interchangeably.

Capsule history of viruses and worms

Before Internet access became widespread, viruses spread on personal computers by infecting programs or the executable boot sectors of floppy disks. By inserting a copy of itself into the machine code instructions in these executables, a virus causes itself to be run whenever the program is run or the disk is booted. Early computer viruses were written for the Apple II and  Macintosh, but they became more widespread with the dominance of the IBM PC and MS-DOS system. Executable-infecting viruses are dependent on users exchanging software or boot floppies, so they spread heavily in computer hobbyist circles.

The first worms, network-borne infectious programs, originated not on personal computers, but on multitasking Unix systems. The first well-known worm was the Internet Worm of 1988, which infected SunOS and VAX BSD systems. Unlike a virus, this worm did not insert itself into other programs. Instead, it exploited security holes in network server programs and started itself running as a separate process. This same behavior is used by today's worms as well.

With the rise of the Microsoft Windows platform in the 1990s, and the flexible macro systems of its applications, it became possible to write infectious code in the macro language of Microsoft Word and similar programs. These macro viruses infect documents and templates rather than applications, but rely on the fact that macros in a Word document are a form of executable code.

Today, worms are most commonly written for the Windows OS, although a small number are also written for Linux and Unix systems. Worms today work in the same basic way as 1988's Internet Worm: they scan the network for computers with vulnerable network services, break into those computers, and copy themselves over. Worm outbreaks have become a cyclical plague for both home users and businesses, eclipsed recently in terms of damage by spyware.

Concealment: Trojan horses, rootkits, and backdoors

Trojan horses

For a malicious program to accomplish its goals, it must be able to do so without being shut down, or deleted by the user or administrator of the computer it's running on. Concealment can also help get the malware installed in the first place. When a malicious program is disguised as something innocuous or desirable, users may be tempted to install it without knowing what it does. This is the technique of the Trojan horse or trojan.

Broadly speaking, a Trojan horse is any program that invites the user to run it, but conceals a harmful or malicious payload. The payload may take effect immediately and can lead to many undesirable effects, such as deleting all the user's files, or more commonly it may install further harmful software into the user's system to serve the creator's longer-term goals. Trojan horses known as droppers are used to start off a worm outbreak, by injecting the worm into users' local networks.

One of the most common ways that spyware is distributed is as a Trojan horse, bundled with a piece of desirable software that the user downloads from the Internet. When the user installs the software, the spyware is installed alongside. Spyware authors who attempt to act in a legal fashion may include an end-user license agreement which states the behavior of the spyware in loose terms, and which the users are unlikely to read or understand.

Root Kit Infection

Once a malicious program is installed on a system, it is often useful to the creator if it stays concealed. The same is true when a human attacker breaks into a computer directly. Techniques known as rootkits allow this concealment, by modifying the host operating system so that the malware is hidden from the user. Rootkits can prevent a malicious process from being visible in the system's list of processes, or keep its files from being read. Originally, a rootkit was a set of tools installed by a human attacker on a Unix system where the attacker had gained administrator (root) access. Today, the term is used more generally for concealment routines in a malicious program.

Some malicious programs contain routines to defend against removal: not merely to hide themselves, but to repel attempts to remove them. An early example of this behavior is recorded in the Jargon File tale of a pair of programs infesting a Xerox CP-V timesharing system:

Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently slain program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.

Similar techniques are used by some modern malware, wherein the malware starts a number of processes which monitor one another and restart any process which is killed off by the operator.

Backdoors

A Backdoor is a method of bypassing normal authentication procedures. Once a system has been compromised (by one of the above methods, or in some other way), one or more backdoors may be installed, in order to allow the attacker access in the future. The idea has often been suggested that computer manufacturers preinstall backdoors on their systems to provide technical support for customers, but this has never been reliably verified. Crackers typically use backdoors to secure remote access to a computer, while attempting to remain hidden from casual inspection. To install backdoors crackers may use Trojan horses, worms or other methods.

Malware for profit: spyware, botnets, keystroke loggers, and dialers

During the 1980s and 1990s, it was usually taken for granted that malicious programs were created as a form of vandalism or prank (although some viruses were spread only to discourage users from illegal software exchange). More recently, the greater share of malware programs have been written with a financial or profit motive in mind. This can be taken as the malware authors' choice to monetize their control over infected systems: to turn that control into a source of revenue.

Since 2003 or so, the most costly form of malware in terms of time and money spent in recovery has been the broad category known as spyware. Spyware programs are commercially produced for the purpose of gathering information about computer users, showing them pop-up ads, or altering web-browser behavior for the financial benefit of the spyware creator. For instance, some spyware programs redirect search engine results to paid advertisements. Others, often called "stealware" by the media, overwrite affiliate marketing codes so that revenue goes to the spyware creator rather than the intended recipient.

Spyware programs are sometimes installed as Trojan horses of one sort or another. They differ in that their creators present themselves openly as businesses, for instance by selling advertising space on the pop-ups created by the malware. Most such programs present the user with an end-user license agreement which purportedly protects the creator from prosecution under computer contaminant laws. However, spyware EULAs have not yet been upheld in court.

Another way that financially-motivated malware creators can profit from their infections is to directly use the infected computers to do work for the creator. Spammer viruses, such as the Sobig and Mydoom virus families, are commissioned by e-mail spam gangs. The infected computers are used as proxies to send out spam messages. The advantage to spammers of using infected computers is that they are available in large supply (thanks to the virus) and they provide anonymity, protecting the spammer from prosecution. Spammers have also used infected PCs to target anti-spam organizations with Distributed denial-of-service attacks (Ping of Death).

In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as botnets. In a botnet, the malware or malbot logs in to an Internet Relay Chat channel or other chat system. The attacker can then give instructions to all the infected systems simultaneously. Botnets can also be used to push upgraded malware to the infected systems, keeping them resistant to anti-virus software or other security measures.

Lastly, it is possible for a malware creator to profit by simply stealing from the person whose computer is infected. Some malware programs install a key logger, which copies down the user's keystrokes when entering a password, credit card number, or other information that may be useful to the creator. This is then transmitted to the malware creator automatically, enabling credit card fraud and other theft. Similarly, malware may copy the CD key or password for online games or operating systems, allowing the creator to steal accounts or virtual items.

Another way of stealing money from the infected PC owner is to take control of the modem and dial an expensive toll call. Dialer (or porn dialer) software dials up a premium-rate telephone number such as a U.S. "900 number" and leaves the line open, charging the toll to the infected user.

Data-stealing malware

Data-stealing malware is a web threat that divests victims of personal and proprietary information with the intent of monetizing stolen data through direct use or underground distribution. Content security threats that fall under this umbrella include keyloggers, screen scrapers, spyware, adware, backdoors, and bots. The term does not refer to activities such as spam, phishing, DNS poisoning, SEO abuse, etc. However, when these threats result in file download or direct installation, as most hybrid attacks do, files that act as agents to proxy information will fall into the data-stealing malware category.

Characteristics of data-stealing malware

Does not leave traces of the event

  • The malware is typically stored in the local cache which is routinely flushed
  • The malware may be installed via a drive-by-download process
  • The website hosting the malware as well as the malware is generally temporary or rogue

Frequently changes and extends its functions

  • It is difficult for antivirus software to detect final payload attributes due to the combinations of malware components
  • The malware uses multiple file encryption levels
  • Malware kits sold via underground forums are able to generate different files on-the-fly

Thwarts Intrusion Detection Systems (IDS) after successful installation

  • There are no perceivable network anomalies
  • The malware hides in web traffic
  • The malware is stealthier in terms of traffic and resource use

Thwarts disk encryption

  • Data is stolen during decryption and display
  • The malware can monitor keystrokes and passwords

Thwarts Data Loss Prevention (DLP)

  • Leakage protection hinges on metadata tagging, and not everything is tagged
  • Miscreants can use encryption to port data

Examples of data-stealing malware

  • LegMir, spyware that steals personal information such as account names and passwords related to online games and Operating Systems
  • Qhost, a Trojan that modifies the HOSTS file to point to a different DNS server when banking sites are accessed then opens a spoofed login page to steal login credentials for those financial institutions
  • Bancos, an info stealer that waits for the user to access banking websites then spoofs pages of the bank website to steal sensitive information
  • Gator, spyware that covertly monitors web-surfing habits, uploads data to a server for analysis then serves targeted pop-up ads
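Qhost-style tampering leaves its evidence in the HOSTS file itself, so it can be audited directly. The following is an added example (not code from this site) that parses hosts-file text and flags any entry overriding a watched login domain; the watch list, the sample file and the function names are constructed placeholders.

```python
import ipaddress

# Constructed watch list: domains whose logins matter (placeholders, not real banks).
WATCHED_DOMAINS = ("examplebank.test", "onlinebank.example")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample hosts file; addresses come from documentation ranges.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.examplebank.test examplebank.test   # constructed redirect
198.51.100.7    login.onlinebank.example
192.168.1.20    fileserver
203.0.113.45    notexamplebank.test
not-an-ip       broken.line
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every name mapping; skip comments and junk."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address
        for name in fields[1:]:  # one line may carry several aliases
            yield line_no, ip, name.lower().rstrip(".")


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one (label-aligned)."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Return findings as (severity, line_no, hostname, ip) tuples, HIGH first."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES and ip.is_loopback:
            continue  # the stock localhost entries
        if is_watched(name):
            # A hosts entry overrides DNS, so any entry for a watched login
            # domain sends the browser wherever the entry says.
            findings.append(("HIGH", line_no, name, str(ip)))
        else:
            findings.append(("REVIEW", line_no, name, str(ip)))
    return sorted(findings, key=lambda f: (f[0] != "HIGH", f[1]))


if __name__ == "__main__":
    for severity, line_no, name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"{severity:6} line {line_no}: {name} -> {ip}")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; REVIEW entries are not necessarily malicious, they are simply overrides someone should be able to account for.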

Data-stealing malware incidents

  • Eleven people were implicated in a massive identity theft and computer fraud scheme targeting nine U.S. retailers (BJ's Wholesale Club, TJX, DSW Shoe, OfficeMax, Barnes & Noble, Boston Market, Sports Authority and Forever 21). Over 40 million credit and debit card numbers were stolen.
  • A Trojan horse program stole more than 1.6 million records belonging to several hundred thousand people from Monster Worldwide Inc.'s job search service. The data was used by cybercriminals to craft phishing emails targeted at Monster.com users to plant additional malware on users' PCs.
  • Customers of Hannaford Bros. Co, a supermarket chain based in Maine, were victims of a data security breach involving the potential compromise of 4.2 million debit and credit cards. The company was hit by several class-action lawsuits.

Vulnerability to malware

In this context, as throughout, it should be borne in mind that the system under attack may be of various types, e.g. a single computer and operating system, a network or an application.

Various factors make a system more vulnerable to malware:

  • Homogeneity: e.g. when all computers in a network run the same OS, if you can hack that OS, you can break into any computer running it.
  • Defects: most systems contain errors which may be exploited by malware.
  • Unconfirmed code: code from a floppy disk, CD-ROM or USB device may be executed without the user's agreement.
  • Over-privileged users: some systems allow all users to modify their internal structures.
  • Over-privileged code: most popular systems allow code executed by a user all rights of that user.

An often cited cause of vulnerability of networks is homogeneity or software monoculture. In particular, Microsoft Windows has such a large share of the market that concentrating on it will enable a cracker to subvert a large number of systems. Introducing inhomogeneity purely for the sake of robustness would however bring high costs in terms of training and maintenance.

Most systems contain bugs which may be exploited by malware. A typical example is the buffer overrun, in which an interface designed to store data in a small area of memory allows the caller to supply more data than will fit. This extra data then overwrites the interface's own structure. In this way malware can force the system to execute malicious code, by replacing legitimate code with its own payload.

Originally, PCs had to be booted from floppy disks, and until recently it was common for this to be the default boot device. This meant that a corrupt floppy disk could subvert the computer during booting, and the same applies to CDs. Although that is now less common, it is still possible to forget that one has changed the default, and rare that a BIOS makes one confirm a boot from removable media.

In some systems, non-administrator users are over-privileged by design, in the sense that they are allowed to modify internal structures of the system. In some environments, users are over-privileged because they have been inappropriately granted administrator or equivalent status. This is primarily a configuration decision, but on Microsoft Windows systems the default configuration is to over-privilege the user. This situation exists due to decisions made by Microsoft to prioritize compatibility with older systems above security configuration in newer systems and because typical applications were developed without the under-privileged users in mind. As privilege escalation exploits have increased, this priority is shifting for the release of Microsoft Windows Vista. As a result, many existing applications that require excess privilege (over-privileged code) may have compatibility problems with Vista. However, Vista's User Account Control feature attempts to remedy applications not designed for under-privileged users through virtualization, acting as a crutch to resolve the privileged access problem inherent in legacy applications.

Malware, running as over-privileged code, can use this privilege to subvert the system. Almost all currently popular operating systems, and also many scripting applications allow code too many privileges, usually in the sense that when a user executes code, the system allows that code all rights of that user. This makes users vulnerable to malware in the form of email attachments, which may or may not be disguised.

Given this state of affairs, users are warned only to open attachments they trust, and to be wary of code received from untrusted sources. It is also common for operating systems to be designed so that device drivers need escalated privileges, while they are supplied by more and more hardware manufacturers, some of whom may be unreliable.

Eliminating over-privileged code

Over-privileged code dates from the time when most programs were either delivered with a computer or written in-house, and repairing it would at a stroke render most anti-virus software almost redundant. It would, however, have appreciable consequences for the user interface and system management.

The system would have to maintain privilege profiles, and know which to apply for each user and program. In the case of newly installed software, an administrator would need to set up default profiles for the new code.

Eliminating vulnerability to rogue device drivers is probably harder than for arbitrary rogue executables. Two techniques, used in VMS, that can help are memory mapping only the registers of the device in question and a system interface associating the driver with interrupts from the device.

Other approaches are:

  • Various forms of virtualization, allowing the code unlimited access only to virtual resources
  • Various forms of sandbox or jail
  • The security functions of Java, in java.security

Such approaches, however, if not fully integrated with the operating system, would reduplicate effort and not be universally applied, both of which would be detrimental to security.





History and Development

The first recorded use of the term spyware occurred on October 16, 1995 in a Usenet post that poked fun at Microsoft's business model.

Spyware at first denoted hardware meant for espionage purposes. However, in early 2000 the founder of Zone Labs, Gregor Freund, used the term in a press release for the ZoneAlarm Personal Firewall.

Since then, "spyware" has taken on its present sense.  According to a 2005 study by AOL and the National Cyber-Security Alliance, 61 percent of surveyed users' computers had some form of spyware. 92 percent of surveyed users with spyware reported that they did not know of its presence, and 91 percent reported that they had not given permission for the installation of the spyware.

As of 2006, spyware has become one of the preeminent security threats to computer systems running Microsoft Windows operating systems. Computers where Internet Explorer (IE) is the primary browser are particularly vulnerable to such attacks, not only because IE is the most widely used, but because its tight integration with Windows allows spyware access to crucial parts of the operating system.

Before Internet Explorer 7 was released, the browser would automatically display an installation window for any ActiveX component that a website wanted to install. The combination of user naiveté towards malware and the assumption by Internet Explorer that all ActiveX components are benign, led, in part, to the massive spread of spyware. Many spyware components would also make use of flaws in Javascript, Internet Explorer and Windows to install without user knowledge or permission.

The Windows Registry contains multiple sections where modifying key values allows software to be executed automatically when the operating system boots. Spyware can exploit this design to circumvent attempts at removal. The spyware typically will link itself from each location in the registry that allows execution. Once running, the spyware will periodically check if any of these links have been removed. If so, they will be automatically restored. This ensures that the spyware will execute when the operating system is booted even if some (or most) of the registry links are removed.
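The redundancy described above is itself a detection signal: legitimate software rarely registers the same binary in several autostart locations. The following is an added example (not code from this site) that parses the text of a `reg export` dump and reports any program started from two or more autostart keys. The sample export, the program names in it and the function names are constructed; the key list covers the common Run, RunOnce and Winlogon locations and is not exhaustive.

```python
import re
from collections import defaultdict

# Common autostart locations, lower-cased for comparison (not an exhaustive list).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}
# Winlogon holds many settings; only these two values start programs at logon.
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
WINLOGON_VALUES = {"shell", "userinit"}

SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
PROGRAM = re.compile(r"(.+?\.(?:exe|dll|bat|cmd|scr|vbs))\b", re.I)

# Constructed sample in `reg export` text form; every name in it is made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvTray"="\"C:\\Program Files\\ExampleAV\\avtray.exe\" /min"
"WinUpdt"="C:\\WINDOWS\\system32\\wupdt32.exe -s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\WINDOWS\\system32\\wupdt32.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\wupdt32.exe,"
"DefaultUserName"="alice"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Settings]
"InstallDir"="C:\\Program Files\\ExampleAV"
'''


def unescape(text):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r"\\(.)", r"\1", text)


def autostart_entries(export_text):
    """Yield (key, value_name, command) for string values in autostart locations."""
    key = None
    for line in export_text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1)
            continue
        value = STRING_VALUE.match(line)
        if not (key and value):
            continue  # blank line, file header, or non-string data (dword:, hex:)
        name, command = unescape(value.group(1)), unescape(value.group(2))
        lowered = key.lower()
        if lowered in RUN_KEYS or (
            lowered == WINLOGON_KEY and name.lower() in WINLOGON_VALUES
        ):
            yield key, name, command


def programs_in(value_name, command):
    """Return the lower-cased program path(s) that a command line starts."""
    # Userinit is a comma-separated list of programs; other values hold one command.
    parts = command.split(",") if value_name.lower() == "userinit" else [command]
    found = []
    for part in (p.strip() for p in parts):
        if not part:
            continue
        if part.startswith('"'):
            path = part[1:].split('"', 1)[0]      # quoted path, arguments follow
        else:
            match = PROGRAM.match(part)           # unquoted: cut at the extension
            path = match.group(1) if match else part.split()[0]
        found.append(path.lower())
    return found


def redundant_autostarts(export_text, threshold=2):
    """Map each program started from >= threshold distinct keys to its locations."""
    locations = defaultdict(list)
    for key, name, command in autostart_entries(export_text):
        for program in programs_in(name, command):
            locations[program].append((key, name))
    return {
        program: where
        for program, where in locations.items()
        if len({key.lower() for key, _ in where}) >= threshold
    }


if __name__ == "__main__":
    for program, where in redundant_autostarts(SAMPLE_EXPORT).items():
        print(program)
        for key, name in where:
            print(f"    {key} -> {name}")
```

Because the spyware restores deleted links while it is running, a finding here is best acted on from an environment where the flagged program is not executing, removing every listed location together.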



Comparison

Spyware, Adware and Tracking

The term adware frequently refers to any software which displays advertisements, whether or not the user has consented. Programs such as the Eudora mail client display advertisements as an alternative to shareware registration fees. These classify as "adware" in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service.

Most adware is spyware in a different sense than "advertising-supported software," for a different reason: it displays advertisements related to what it finds from spying on you. Claria Corporation's Gator Software and Exact Advertising's BargainBuddy are examples. Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user receives many pop-up advertisements.

Other spyware behavior, such as reporting on websites the user visits, occurs in the background. The data is used for "targeted" advertisement impressions. The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by Amazon.com, as spyware, and some anti-spyware programs such as Ad-Aware report it as such. Many of these adware distributing companies are backed by millions of dollars of adware-generating revenues. Adware and spyware are similar to viruses in that they can be malicious in nature. However, people are now profiting from these threats, making them more and more popular.

Similarly, software bundled with free, advertising-supported programs such as P2P clients acts as spyware (and, if removed, disables the 'parent' program), yet people are willing to download it. This presents a dilemma for proprietors of anti-spyware products whose removal tools may inadvertently disable wanted programs. For example, recent test results show that bundled software (WhenUSave) is ignored by popular anti-spyware program Ad-Aware (but removed as spyware by most scanners) because it is part of the popular (but recently decommissioned) eDonkey client. To address this dilemma, the Anti-Spyware Coalition has been working on building consensus within the anti-spyware industry as to what is and isn't acceptable software behavior. To accomplish their goal, this group of anti-spyware companies, academics, and consumer groups have collectively published a series of documents including a definition of spyware, risk model, and best practices document.




 Spyware, Virus and Worm

Unlike viruses and worms, spyware does not usually self-replicate. Like many recent viruses, however, spyware by design exploits infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card numbers); monitoring of Web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites.


BotNet

Don't Let Your Computer Become Part of a "BotNet"

Some spammers search the Internet for unprotected computers they can control and use anonymously to send spam, turning them into a robot network, known as a "botnet." Also known as a "zombie army," a botnet is made up of many thousands of home computers sending emails by the millions. Most spam is sent remotely this way; millions of home computers are part of botnets.

Spammers scan the Internet to find computers that aren't protected by security software, and then install bad software, known as "malware," through those "open doors." That's one reason why up-to-date security software is critical.

Malware may be hidden in free software applications. It can be appealing to download free software like games, file-sharing programs, customized toolbars, and the like. But sometimes just visiting a website or downloading files may cause a "drive-by download," which could turn your computer into a "bot."

Another way spammers take over your computer is by sending you an email with attachments, links or images which, if you click on or open them, install hidden software. Be cautious about opening any attachments or downloading files from emails you receive. Don't open an email attachment, even if it looks like it's from a friend or coworker, unless you are expecting it or know what it contains. If you send an email with an attached file, include a text message explaining what it is.





Routes of infection


 
Malicious websites attempt to install spyware on readers' computers.

Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities.

Most spyware is installed without users' knowledge. Since they tend not to install software if they know that it will disrupt their working environment and compromise their privacy, spyware deceives users, either by piggybacking on a piece of desirable software such as Kazaa, or by tricking them into installing it (the Trojan horse method). Some "rogue" anti-spyware programs masquerade as security software, while being spyware themselves.

The distributor of spyware usually presents the program as a useful utility, for instance as a "Web accelerator" or as a helpful software agent. Users download and install the software without immediately suspecting that it could cause harm.

For example, Bonzi Buddy, a program bundled with spyware and targeted at children, claims that:

He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's FREE!!

Spyware can also come bundled with shareware or other downloadable software, as well as music CDs. The user downloads a program and installs it, and the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software. In other cases, spyware authors have repackaged desirable freeware with installers that add spyware.

A third way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations. Internet Explorer prevents websites from initiating an unwanted download. Instead, it requires a user action, such as clicking on a link. However, links can prove deceptive: for instance, a pop-up ad may appear like a standard Windows dialog box. The box contains a message such as "Would you like to optimize your Internet access?" with links which look like buttons reading Yes and No. No matter which "button" the user presses, a download starts, placing the spyware on the user's system. Later versions of Internet Explorer offer fewer avenues for this attack.

Some spyware authors infect a system through security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and installation of spyware. The spyware author would also have some extensive knowledge of commercially-available anti-virus and firewall software. This has become known as a "drive-by download", which leaves the user a hapless bystander to the attack. Common browser exploits target security vulnerabilities in Internet Explorer and in the Sun Microsystems Java runtime.

The installation of spyware frequently involves Internet Explorer. Its popularity and history of security issues have made it the most frequent target. Its deep integration with the Windows environment and scriptability make it an obvious point of attack into Windows. Internet Explorer also serves as a point of attachment for spyware in the form of Browser Helper Objects, which modify the browser's behavior to add toolbars or to redirect traffic.

In a few cases, a worm or virus has delivered a spyware payload. Some attackers used the Spybot worm to install spyware that put pornographic pop-ups on the infected system's screen.  By directing traffic to ads set up to channel funds to the spyware authors, they profit personally.






Effects and Behaviors

A spyware program is rarely alone on a computer: an affected machine can rapidly be infected by many other components. Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic, all of which slow the computer down. Stability issues, such as application or system-wide crashes, are also common. Spyware that interferes with networking software commonly causes difficulty connecting to the Internet.

In some infections, the spyware is not even evident. Users assume in those situations that the issues relate to hardware, Windows installation problems, or a virus. Some owners of badly infected systems resort to contacting technical support experts, or even buying a new computer because the existing system "has become too slow". Badly infected systems may require a clean reinstallation of all their software in order to return to full functionality.

Only rarely does a single piece of software render a computer unusable. Rather, a computer is likely to have multiple infections. As a 2004 AOL study noted, if a computer has any spyware at all, it typically has dozens of different pieces installed. The cumulative effect, and the interactions between spyware components, cause the symptoms commonly reported by users: a computer that slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Some spyware programs disable or even remove competing spyware programs, on the grounds that more spyware-related annoyances make it even more likely that users will take action to remove the programs. One spyware maker, Avenue Media, even sued a competitor, Direct Revenue, over this; the two later settled with an agreement not to disable each other's products.

Some other types of spyware (for example, Targetsoft) modify system files so they will be harder to remove. Targetsoft modifies the "Winsock" Windows Sockets files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage. Unlike users of many other operating systems, a typical Windows user has administrative privileges, mostly for convenience. Because of this, any program the user runs (intentionally or not) has unrestricted access to the system too. Spyware, along with other threats, has led some Windows users to move to other platforms such as Linux or Apple Macintosh, which are significantly less susceptible to malware. This is because programs on those platforms are not granted unrestricted access to the operating system by default. As with other operating systems, Windows users too are able to follow the principle of least privilege and use non-administrator least user access accounts, or to reduce the privileges of specific vulnerable Internet-facing processes such as Internet Explorer (through the use of tools such as DropMyRights). However, as this is not a default configuration, few users do this.


Drive-by download


   1. Downloads which the user indirectly authorized but without understanding the consequences (e.g. by installing an unknown ActiveX component or Java applet).
   2. Any download that happens without knowledge of the user.
   3. Download of spyware, a computer virus or any kind of malware that happens without knowledge of the user. Drive-by downloads may happen by visiting a website, viewing an e-mail message or by clicking on a deceptive popup window: the user clicks on the window in the mistaken belief that, for instance, it is an error report from his own PC or that it is an innocuous advertisement popup; in such cases, the "supplier" may claim that the user "consented" to the download though s/he was completely unaware of having initiated a malicious software download.
   4. Download of malware through exploitation of a web browser, e-mail client or operating system bug, without any user intervention whatsoever. Websites that exploit the Windows Metafile vulnerability may provide examples of "drive-by downloads" of this sort.





Advertisements

Many spyware programs display advertisements. Some programs simply display pop-up ads on a regular basis; for instance, one every several minutes, or one when the user opens a new browser window. Others display ads in response to specific sites that the user visits. Spyware operators present this feature as desirable to advertisers, who may buy ad placement in pop-ups displayed when the user visits a particular site. It is also one of the purposes for which spyware programs gather information on user behavior.

Many users complain about irritating or offensive advertisements as well. As with many banner ads, many spyware advertisements use animation or flickering banners which can be visually distracting and annoying to users. Pop-up ads for pornography often display indiscriminately. Links to these sites may be added to the browser window, history or search function. When children are the users, this could possibly violate anti-pornography laws in some jurisdictions.

A further issue in the case of some spyware programs has to do with the replacement of banner ads on viewed web sites. Spyware that acts as a web proxy or a Browser Helper Object can replace references to a site's own advertisements (which fund the site) with advertisements that instead fund the spyware operator. This cuts into the margins of advertising-funded Web sites.





"Stealware" and Affiliate Fraud

A few spyware vendors, notably 180 Solutions, have written what the New York Times has dubbed "stealware", and what spyware researcher Ben Edelman terms affiliate fraud, a form of click fraud. Stealware diverts the payment of affiliate marketing revenues from the legitimate affiliate to the spyware vendor.

Spyware which attacks affiliate networks places the spyware operator's affiliate tag on the user's activity, replacing any other tag, if there is one. The spyware operator is the only party that gains from this. The user has their choices thwarted, a legitimate affiliate loses revenue, networks' reputations are injured, and vendors are harmed by having to pay out affiliate revenues to an "affiliate" who is not party to a contract.

Affiliate fraud is a violation of the terms of service of most affiliate marketing networks. As a result, spyware operators such as 180 Solutions have been terminated from affiliate networks including LinkShare and ShareSale.





Identity Theft and Fraud


In most cases, spyware has been closely associated with identity theft.

In August 2005, researchers from security software firm Sunbelt Software believed that the makers of the common CoolWebSearch spyware had used it to transmit "chat sessions, user names, passwords, bank information, etc.", but it turned out that "it actually (was) its own sophisticated criminal little trojan that's independent of CWS."

This case is currently under investigation by the FBI.
The Federal Trade Commission estimates that 27.3 million Americans have been victims of identity theft, and that financial losses from identity theft totaled nearly $48 billion for businesses and financial institutions and at least $5 billion in out-of-pocket expenses for individuals.

Spyware-makers may commit wire fraud with dialer program spyware. These can reset a modem to dial up a premium-rate telephone number instead of the usual ISP. Connecting to these suspicious numbers involves long-distance or overseas charges which invariably result in high call costs. Dialers are ineffective on computers that do not have a modem, or are not connected to a telephone line.

Digital rights management

Some copy-protection technologies have borrowed from spyware. In 2005, Sony BMG Music Entertainment was found to be using rootkits in its XCP digital rights management technology. Like spyware, not only was it difficult to detect and uninstall, it was so poorly written that most efforts to remove it could have rendered computers unable to function. Texas state attorney general Greg Abbott filed suit, and three separate class-action suits were filed. Sony BMG later provided a workaround on its website to help users remove it.

Beginning on April 25, 2006, Microsoft's Windows Genuine Advantage Notifications application was installed on most Windows PCs as a "critical security update". While the main purpose of this deliberately non-uninstallable application is making sure the copy of Windows on the machine was lawfully purchased and installed, it also installs software that has been accused of "phoning home" on a daily basis, like spyware. It can be removed with the RemoveWGA tool.




Personal Relationships

Spyware has been used to surreptitiously monitor electronic activities of partners in intimate relationships, generally to uncover evidence of infidelity. At least one software package, Loverspy, was specifically marketed for this purpose. Depending on local laws regarding communal/marital property, observing a partner's online activity without their consent may be illegal; the author of Loverspy and several users of the product were indicted in California in 2005 on charges of wiretapping and various computer crimes.





Spyware and cookies

Anti-spyware programs often report Web advertisers' HTTP cookies, the small text files that track browsing activity, as spyware. While they are not always inherently malicious, many users object to third parties using space on their personal computers for their business purposes, and many anti-spyware programs offer to remove them.





Examples of spyware

These common spyware programs illustrate the diversity of behaviors found in these attacks. Note that as with computer viruses, researchers give names to spyware programs which may not be used by their creators. Programs may be grouped into "families" based not on shared program code, but on common behaviors, or by "following the money" of apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as "Gator". Likewise, programs which are frequently installed together may be described as parts of the same spyware package, even if they function separately.

    CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on Web sites including coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the infected computer's hosts file to direct DNS lookups to these sites.

    Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.
 
    Zango (formerly 180 Solutions) transmits detailed information to advertisers about the Web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies.
 
    HuntBar, aka WinTools or Adware.Websearch, was installed by an ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs, an example of how spyware can install more spyware. These programs add toolbars to IE, track aggregate browsing behavior, redirect affiliate references, and display advertisements.

   Movieland, also known as Moviepass.tv and Popcorn.net, is a movie download service that has been the subject of thousands of complaints to the Federal Trade Commission (FTC), the Washington State Attorney General's Office, the Better Business Bureau, and other agencies. Consumers complained they were held hostage by a cycle of oversized pop-up windows demanding payment of at least $29.95, claiming that they had signed up for a three-day free trial but had not cancelled before the trial period was over, and were thus obligated to pay. The FTC filed a complaint, since settled, against Movieland and eleven other defendants charging them with having "engaged in a nationwide scheme to use deception and coercion to extract payments from consumers."

    Zlob trojan, or just Zlob, downloads itself to your computer via an ActiveX codec and reports information back to a control server. This information can include your search history, the Web sites you visited, and even keystrokes. More recently, Zlob has been known to hijack routers set to defaults.
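
The hosts-file tampering described for CoolWebSearch above can be checked for by parsing the file and listing every name it pins to an address. The following is an added example, not code from the original page; the sample file contents, host names and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Names a stock hosts file defines itself; any other mapping overrides DNS.
DEFAULT_NAMES = {"localhost"}

# Constructed sample (reserved .example names, documentation address ranges).
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.10    search.example www.search.example   # two names, one line
203.0.113.10    AutoSearch.Example.
0.0.0.0         ads.example
not-an-ip       broken.example
198.51.100.7
"""


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for every usable mapping line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IPv4/IPv6 address
        names = [name.lower().rstrip(".") for name in fields[1:]]
        entries.append((line_no, ip, names))
    return entries


def audit_hosts(text):
    """Classify every mapping that is not the default localhost entry.

    redirect: name pinned to a non-loopback address, so lookups for it
              never reach DNS and traffic goes to the listed host.
    sinkhole: name pinned to loopback or 0.0.0.0, i.e. made unreachable
              (ad-block lists do this too, so review rather than assume).
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name in DEFAULT_NAMES and ip.is_loopback:
                continue
            local = ip.is_loopback or ip.is_unspecified
            findings.append({
                "line": line_no,
                "name": name,
                "ip": str(ip),
                "kind": "sinkhole" if local else "redirect",
            })
    return findings


def redirect_targets(findings):
    """Group redirected names by destination address for follow-up."""
    grouped = defaultdict(list)
    for item in findings:
        if item["kind"] == "redirect":
            grouped[item["ip"]].append(item["name"])
    return {ip: sorted(names) for ip, names in grouped.items()}


if __name__ == "__main__":
    # On Windows the real file is %SystemRoot%\System32\drivers\etc\hosts.
    for item in audit_hosts(SAMPLE_HOSTS):
        print("line {line}: {name} -> {ip} ({kind})".format(**item))
```

Several unrelated names pointing at one address, as `redirect_targets` groups them, is the pattern worth investigating first.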




Legal Issues Related to Spyware
Criminal Law


Unauthorized access to a computer is illegal under computer crime laws, such as the U.S. Computer Fraud and Abuse Act, the U.K.'s Computer Misuse Act and similar laws in other countries. Since the owners of computers infected with spyware generally claim that they never authorized the installation, a prima facie reading would suggest that the promulgation of spyware would count as a criminal act. Law enforcement has often pursued the authors of other malware, particularly viruses. However, few spyware developers have been prosecuted, and many operate openly as strictly legitimate businesses, though some have faced lawsuits.

Spyware producers argue that, contrary to the users' claims, users do in fact give consent to installations. Spyware that comes bundled with shareware applications may be described in the legalese text of an end-user license agreement (EULA). Many users habitually ignore these purported contracts, but spyware companies such as Claria claim these demonstrate that users have consented.

Despite the ubiquity of EULAs and of "clickwrap" agreements, under which a single click can be taken as consent to the entire text, relatively little case law has resulted from their use. It has been established in most common law jurisdictions that a clickwrap agreement can be a binding contract in certain circumstances. This does not, however, mean that every such agreement is a contract or that every term in one is enforceable.

Some jurisdictions, including the U.S. states of Iowa and Washington, have passed laws criminalizing some forms of spyware. Such laws make it illegal for anyone other than the owner or operator of a computer to install software that alters Web-browser settings, monitors keystrokes, or disables computer-security software.
In the United States, lawmakers introduced a bill in 2005 entitled the Internet Spyware Prevention Act, which would imprison creators of spyware.




 Administrative Sanctions

An administrative fine, the first of its kind in Europe, has been issued by the Independent Authority of Posts and Telecommunications (OPTA) of the Netherlands. It applied fines with a total value of Euro 1,000,000 for infecting 22 million computers. The spyware is called DollarRevenue. The law article which has been violated is art. 4.1 of the Dutch telecommunications law; the fines have been given based on art. 15.4 taken together with art. 15.10. A part of these fines has to be paid by the directors of these companies personally, i.e. not from the accounts of their companies, but from their personal fortunes. Since a protest procedure has been started, the fines will have to be paid after a Dutch court has taken a decision in this case. The culprits maintain that the evidence for violating the two law articles has been obtained illegally. The names of the directors and the names of the companies have not been revealed, since it is not clear that OPTA is allowed to make such information public.




Civil Law


Former New York State Attorney General and former New York State Governor Eliot Spitzer has pursued spyware companies for fraudulent installation of software. In a suit brought in 2005 by Spitzer, the California firm Intermix Media, Inc. ended up settling by agreeing to pay US$7.5 million and to stop distributing spyware.

The hijacking of Web advertisements has also led to litigation. In June 2002, a number of large Web publishers sued Claria for replacing advertisements, but settled out of court.

Courts have not yet had to decide whether advertisers can be held liable for spyware which displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm. Rather, they have contracted with an advertising agency, which in turn contracts with an online subcontractor who gets paid by the number of "impressions" or appearances of the advertisement. Some major firms such as Dell Computer and Mercedes-Benz have sacked advertising agencies which have run their ads in spyware.




Libel Suits by Spyware Developers

Litigation has gone both ways. Since "spyware" has become a common pejorative, some makers have filed libel and defamation actions when their products have been so described. In 2003, Gator (now known as Claria) filed suit against the website PC Pitstop for describing its program as "spyware".  PC Pitstop settled, agreeing not to use the word "spyware", but continues to describe harm caused by the Gator/Claria software. As a result, other antispyware and antivirus companies have also used other terms such as "potentially unwanted programs" or greyware to denote these products.




Remedies and Prevention

As the spyware threat has worsened, a number of techniques have emerged to counteract it. These include programs designed to remove or to block spyware, as well as various user practices which reduce the chance of getting spyware on a system.

Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware have infected a Windows computer, the only remedy may involve backing up user data, and fully reinstalling the operating system. Contact now for your Free Diagnostics.







Valid Anti-spyware programs


Lavasoft's Ad-Aware 2008

Many programmers and some commercial firms have released products designed to remove or block spyware. Steve Gibson's OptOut pioneered a growing category. Programs such as Lavasoft's Ad-Aware SE (free scans for non-commercial users, must pay for other features) and Patrick Kolla's Spybot - Search & Destroy (all features free for non-commercial use) rapidly gained popularity as effective tools to remove, and in some cases intercept, spyware programs. More recently Microsoft acquired the GIANT AntiSpyware software, rebranding it as Windows AntiSpyware beta and releasing it as a free download for Genuine Windows XP and Windows 2003 users. In 2006, Microsoft renamed the beta software to Windows Defender (free), and it was released as a free download in October 2006 and is included as standard with Windows Vista. Other well-known commercial anti-spyware products include:
    PC Tools's Spyware Doctor (one free edition doesn't remove anything but protects, the other free edition removes but protects partially and uses a limited database)
    DriveSentry (free version (3.1) will remove spyware)
    SUPERAnti Spyware (free version fully detects and removes spyware, but does not provide protection)
    Sunbelt Software's Counterspy (15-day free trial)
    Trend Micro's HijackThis (free)
    Webroot Software's Spy Sweeper (free version does not remove spyware)

Major anti-virus firms such as Symantec, McAfee and Sophos have come later to the table, adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of web sites and programs which described their products as "spyware". However, recent versions of these major firms' home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as "extended threats" and now offers real-time protection from them (as it does for viruses).





History of AVG

Recently, the anti-virus company Grisoft, creator of AVG Anti-Virus, acquired anti-spyware firm Ewido Networks, re-labeling their Ewido anti-spyware program as AVG Anti-Spyware Professional Edition. AVG also used this product to add an integrated anti-spyware solution to some versions of the AVG Anti-Virus family of products, and made a freeware AVG Anti-Spyware Free Edition available for private and non-commercial use. This shows a trend by anti-virus companies to launch a dedicated solution to spyware and malware. Zone Labs, creator of the Zone Alarm firewall, has also released an anti-spyware program.
 


AVG-Free 8.0







Microsoft Anti-Spyware's real-time protection blocks an instance of AlwaysUpdateNews from being installed.


Anti-spyware programs can combat spyware in two ways:
    1. They can provide real-time protection against the installation of spyware on your computer. This type of spyware protection works the same way as anti-virus protection in that the anti-spyware software scans all incoming network data for spyware and blocks any threats it comes across.
    2. Anti-spyware programs can be used solely for detection and removal of spyware that has already been installed on your computer. This type of spyware protection is normally much easier to use and more popular. With this spyware protection software you can schedule weekly, daily, or monthly scans of your computer to detect and remove any spyware that has been installed on your computer. This type of anti-spyware software scans the contents of the Windows registry, operating system files, and installed programs on your computer and will provide a list of any threats found, allowing you to choose what you want to delete and what you want to keep.

Such programs inspect the contents of the Windows registry, the operating system files, and installed programs, and remove files and entries which match a list of known spyware components. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings. Because many spyware and adware programs are installed as a result of browser exploits or user error, using security software (some of which is antispyware, though much is not) to sandbox browsers can also help restrict any damage done.

Earlier versions of anti-spyware programs focused chiefly on detection and removal. Javacool Software's SpywareBlaster, one of the first to offer real-time protection, blocked the installation of ActiveX-based and other spyware programs.
Like most anti-virus software, many anti-spyware/adware tools require a frequently-updated database of threats. As new spyware programs are released, anti-spyware developers discover and evaluate them, making "signatures" or "definitions" which allow the software to detect and remove the spyware. As a result, anti-spyware software is of limited usefulness without a regular source of updates. Some vendors provide a subscription-based update service, while others provide updates free. Updates may be installed automatically on a schedule or before doing a scan, or may be done manually.

Not all programs rely on updated definitions. Some programs rely partly (for instance many antispyware programs such as Windows Defender, Spybot's TeaTimer and Spysweeper) or fully (programs falling under the class of HIPS such as BillP's WinPatrol) on historical observation. They watch certain configuration parameters (such as certain portions of the Windows registry or browser configuration) and report any change to the user, without judgment or recommendation. While they do not rely on updated definitions, which may allow them to spot newer spyware, they can offer no guidance. The user is left to determine "what did I just do, and is this configuration change appropriate?"

Windows Defender's Spynet attempts to alleviate this through offering a community to share information, which helps guide both users, who can look at decisions made by others, and analysts, who can spot fast-spreading spyware. A popular generic spyware removal tool used by those with a certain degree of expertise is HijackThis, which scans certain areas of the Windows OS where spyware often resides and presents a list with items to delete manually. As most of the items are legitimate Windows files/registry entries, those who are less knowledgeable on this subject are advised to post a HijackThis log on one of the numerous antispyware sites and let the experts decide what to delete.
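Definition matching and change monitoring, the two approaches described above, side by side as an added example (not code from this site or from any product it names). The snapshots are constructed, the file names come from the removal lists on this page, and the definition format and function names are assumptions.

```python
"""Definition matching vs. change monitoring over autostart entries.

All snapshot data below is constructed for the example; nothing is read
from a real registry, so the script runs on any platform.
"""
import ntpath

RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SYSTEM32 = ntpath.normcase(r"C:\WINDOWS\system32")

# Hypothetical definition format. File names are taken from the removal
# lists on this page. shared_name=True marks a name that a legitimate
# Windows file in System32 also uses, so a hit only counts elsewhere.
DEFINITIONS = [
    {"threat": "Antivirus 2010", "file": "av2010.exe", "shared_name": False},
    {"threat": "Antivirus 2010", "file": "wingamma.exe", "shared_name": False},
    {"threat": "Anti-Virus Number 1", "file": "svchost.exe", "shared_name": True},
]

# Constructed snapshots: {(registry key, value name): command line}.
BASELINE = {
    (RUN, "SoundTray"): r"C:\Program Files\Sound\tray.exe",
    (RUN, "Updater"): r'"C:\Program Files\Vendor\update.exe" /quiet',
}
CURRENT = {
    (RUN, "SoundTray"): r"C:\Program Files\Sound\tray.exe",
    (RUN, "Updater"): r'"C:\Temp\update.exe" /quiet',
    (RUN, "Windows Gamma Display"): r"C:\WINDOWS\system32\wingamma.exe",
    (RUN, "HostSvc"): r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
    (RUN, "n1"): r"C:\Documents and Settings\All Users\Application Data\n1\svchost.exe",
    (RUN, "qzx"): r"C:\Temp\qzx.exe",
}


def exe_of(command):
    """Return the executable path from an autostart command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted paths may contain spaces, so cut after the first ".exe".
    cut = command.lower().find(".exe")
    return command[:cut + 4] if cut != -1 else command.split(" ", 1)[0]


def signature_scan(snapshot, definitions=DEFINITIONS):
    """Definition matching: report entries whose target matches a known name."""
    hits = []
    for location, command in sorted(snapshot.items()):
        path = ntpath.normcase(exe_of(command))
        name, folder = ntpath.basename(path), ntpath.dirname(path)
        for rule in definitions:
            if name != rule["file"]:
                continue
            if rule["shared_name"] and folder == SYSTEM32:
                continue  # the legitimate Windows file, not the impostor
            hits.append((location, rule["threat"]))
    return hits


def diff_snapshots(baseline, current):
    """Change monitoring: report what differs, with no verdict attached."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "changed": sorted(k for k in current
                          if k in baseline and current[k] != baseline[k]),
    }


def triage(baseline, current, definitions=DEFINITIONS):
    """List every change; only those with a definition carry a verdict."""
    verdicts = dict(signature_scan(current, definitions))
    changes = diff_snapshots(baseline, current)
    rows = []
    for kind in ("added", "changed", "removed"):
        for location in changes[kind]:
            rows.append((kind, location[1],
                         verdicts.get(location, "no definition")))
    return rows


if __name__ == "__main__":
    for kind, value_name, verdict in triage(BASELINE, CURRENT):
        print(f"{kind:8} {value_name:24} {verdict}")
```

The `HostSvc` row shows why a definition keyed on a bare file name needs a path condition: `svchost.exe` is also the name of a legitimate Windows file in System32.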

If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of removing persistent spyware. Killing the process tree can also work.

A new breed of spyware (Look2Me spyware by NicTechNetworks is a good example) is starting to hide inside system-critical processes and start up even in safe mode. With no process to terminate they are harder to detect and remove. Sometimes they do not even leave any on-disk signatures. Rootkit technology is also seeing increasing use, as is the use of NTFS alternate data streams. Newer spyware programs also have specific countermeasures against well known anti-malware products and may prevent them from running or being installed, or even uninstall them. An example of one that uses all three methods is Gromozon, a new breed of malware. It uses alternate data streams to hide. A rootkit hides it even from alternate data streams scanners and actively stops popular rootkit scanners from running.





 Rogue anti-spyware programs
(Fraudulent Security)


Malicious programmers have released a large number of rogue (fake) anti-spyware programs, and widely distributed Web banner ads now spuriously warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware, or else may add more spyware of their own.

The recent proliferation of fake or spoofed antivirus products has occasioned some concern. Such products often bill themselves as antispyware, antivirus, or registry cleaners, and sometimes feature popups prompting users to install them. This software is called rogue software.
It is recommended that users do not install any freeware claiming to be anti-spyware unless it is verified to be legitimate. Some known offenders include:




Listed below are pictures taken from the REAL DEAL!
Do not be fooled!



Antivirus 2008, Antivirus 2009, XP Antivirus 2008, & Others Infect Winlogon


Do you have Antivirus 2008, Antivirus 2009, Vista Antivirus 2008, Windows Antivirus 2008, Antivirus 2008 Pro, XP Antivirus 2008, Antivirus XP 2008, XP Antivirus 2009, XPAntiVirus, or any other Antivirus-named program variation that you did not agree to download onto your machine?

In the past few weeks, we have had a high percentage of SpyHunter customers that have experienced trojan infections related to the Antivirus 2008 trojan family. These trojan infections are able to infect the system file winlogon.exe and execute drive-by downloads of rogue anti-spyware programs like Antivirus 2008 onto the computer. Winlogon.exe is a crucial file for Windows operation, so once it is infected, automated removal with a real anti-spyware program is nearly impossible.




Why is Antivirus 2008 Trojan Family Difficult to Remove?

As the Antivirus 2008 trojan family increases, computer users, as well as our customers, find themselves having to deal with the constant battle of figuring out how to remove them from their computer.

Antivirus 2008, XP Antivirus and its variants are hard-to-remove applications because of trojans like Zlob, Vundo, and other Trojan.Downloader variations that either hide files in the System32 folder or generate morphic files to escape detection by legitimate security software. These trojans perform several malicious functions such as disabling basic functions of the system like the Task Manager and the Display Properties, changing the desktop background, locking the homepage, downloading unwanted files in stealth, stealing passwords and credit card information, overwriting admin privileges, displaying pop-up ads, and more.

Mostly, the trojan variations lock users out of their computers and have several rogue anti-spyware programs appear in a continuous loop. Because of the malicious actions that the trojan infection causes to a computer, users end up buying the rogue anti-spyware program to fix the infection, which actually fixes the infection for a short period of time. However, the rogue anti-spyware program continues to add new files to the system and, a few days later, it reloads the computer with a different infection and the user ends up locked in an infinite cycle of infections.



View Screenshots of the Antivirus 2008 Variants

Do you have a variation of the Antivirus 2008 trojan family on your PC? Take a look at snapshots of Antivirus 2008 variants.

[Screenshots not reproduced; captions:]
  • Fake Video Codec Bundled with Trojan
  • Downloading Fake Video Codec Bundled with Trojan
  • Red Hazard Alert Screensaver
  • Computer is Bombarded with Rogue Anti-Spyware Programs
  • Fake Windows Security Alert Message
  • Fake Notice Pop-up
  • Antivirus XP 2008 Pop-up on Task Bar
  • Fake System Information Pop-up on Task Bar
  • Antivirus 2008 Pro Program Running
  • Antivirus 2008 Pro Runs a Scan
  • Antivirus 2008 Pro Scan Results
  • Antivirus XP 2008 Has Found Threats Message
  • C: Drive is Missing Thanks to Antivirus

Listed below are other Variants

[Screenshots not reproduced; captions:]
  • Antivirus 2008 Screenshot
  • Antivirus 2008 Screenshot of False Positives

AntiVirus 2009:
Antivirus 2009 is a new rogue anti-spyware program. It is also a clone of Antivirus 2008, itself a rogue and one that has produced more clones than any other recently. The list of these clones is long: System Antivirus 2008, Ultimate Antivirus 2008, Vista Antivirus 2008, XP Antivirus 2008, etc.

Like its predecessors, Antivirus2009 uses trojans, such as Zlob or Vundo, to spread. These trojans lurk in porn/warez websites disguised as video codecs and, upon entering the system, flood the user with popups and fake system notifications, supposedly to inform him of an infection. While the system at hand may indeed be infected, Antivirus 2009 will inform the user of this regardless of whether it's true or not. The point of this disinformation is to convince the user he is infected and therefore needs an antispyware program to dispose of the threat. The user might click on one of the popups or notifications, all of which claim they will take him to a legitimate security tool but try to make him purchase Antivirus2009's "licensed version" instead. Antivirus2009 may redirect the web browser to the antivirus-premium-scan.com, webscannertools.com, googlescanners-360.com, livesecurityinfo.com, antivirusonlivescan.com, bestantivirusscan.com, antivirus-best.com, internetquarantinesite.com, premiumlivescan.com and secureclick1.com websites that sell the malware. Some of these websites are not only fraudulent but also malicious: they are capable of installing additional malware.

Antivirus 2009 is a scam and should be treated as such: do NOT download or buy it, and block its websites using your HOSTS file.




Antivirus 2009 manual removal:

To Remove it:
Kill processes:
av2009.exe av2009[1].exe AV2009Install.exe Antivirus2009.exe
Delete registry values:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15358943642955870504508370025739
HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus\%ProgramFiles%\Antivirus 2009\Antvrs.exe
HKEY_CURRENT_USER\Software\Antivirus
Unregister DLLs:
shlwapi.dll wininet.dll
Delete files:
av2009.exe
av2009install.exe
av2009install_0011.exe
av2009[1].exe
Antivirus2009.exe
ieupdates.exe
scui.cpl
winsrc.dll
%program_files%\antivirus 2009\av2009.exe
%startmenu%\antivirus 2009\antivirus 2009.lnk
%startmenu%\antivirus 2009\uninstall antivirus 2009.lnk
%desktopdirectory%\antivirus 2009.lnk
Delete directories:
C:\Program Files\Antivirus 2009









AntiVirus 2010:
Antivirus 2010 represents a new generation of rogue security tools. Not only does it use misleading advertisements to gain a purchase, it also crashes the system and loads a fake Blue Screen of Death. The text on the BSOD is fabricated and claims that MS Windows recommends purchasing Antivirus2010 to remove spyware from the machine. This recommendation is just a trick of Antivirus 2010 and should not be trusted.

Antivirus 2010 spreads like many similar applications. It is distributed through online advertisements that are disguised as anti-virus scanners. When a user clicks on such a banner, he or she receives false reports about infections detected.
Antivirus 2010 is not a security tool; it is a dangerous computer parasite. Avoid downloading or buying this program.

Antivirus2010 tries to intimidate people by reporting nonexistent threats in order to get them interested in downloading this application. Sometimes Antivirus2010 might be installed by trojans without user consent.




Antivirus 2010 Screenshot

To Remove it:
 
Kill processes:
AV2010.exe svchost.exe wingamma.exe

Delete registry values:
HKEY_CURRENT_USER\Software\AV2010
HKEY_CLASSES_ROOT\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}
HKEY_CLASSES_ROOT\AppID\IEDefender.DLL
HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO.1
HKEY_CLASSES_ROOT\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}
HKEY_CLASSES_ROOT\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0013
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Gamma Display"

Delete files:
Program Files\AV2010\*.*  
WINDOWS\system32\IEDefender.dll
WINDOWS\system32\wingamma.exe
Delete directories:
c:\Program Files\AV2010
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010





Antivirus Pro 2010
Antivirus Pro 2010 Screenshot
Antivirus Pro 2010 is a misleading security application pushed through Braviax malware (Trojan.Virantix.C Trojan virus). This program is classified as a misleading application because it reports false scan results and displays fake security alerts to make you think your computer is infected. AntivirusPro 2010 is from the same family as PC Antispyware 2010, Home Antivirus 2010 and PC Security 2009. Once installed, the misleading application will ask you to pay for a full version of the program to remove non-existent system security threats. Do not buy this program. Uninstall Antivirus Pro 2010 from your computer as soon as possible.
As we have already mentioned, AntivirusPro2010 is promoted through the Braviax infection. This Trojan virus displays fake security alerts in your Windows task bar that promote the misleading application. Usually they state that your computer is unprotected and that you should activate your antivirus software. The Trojan may also display warnings about various malware infections. While running, AntivirusPro_2010 will impersonate Windows Security Center and state that anti-virus software is outdated or disabled. Do not trust it; it's a scam.
To make things even worse, Antivirus Pro 2010 will hijack web browsers and redirect you to entirely different websites full of advertisements. What is more, it will block certain security websites and antivirus programs to protect itself from being deleted.




Windows Police Pro

Monday, August 31, 2009



Windows Police Pro Screenshot

Windows Police PRO is a misleading security application that reports false system security threats and displays fake security alerts to make you think your computer is infected with spyware, adware, Trojans or other malware. The rogue program then asks you to purchase a full version of the program to remove system security threats which do not even exist. Do not purchase this program, and uninstall Windows Police PRO from your computer as soon as possible.

Windows Police PRO is a clone of Windows Antivirus Pro. Most of the time, Windows Police is promoted through the use of Trojans, fake online anti-malware scanners, browser hijackers and with the help of other malicious software. Trojans display fake security alerts from Windows Security Center or the task bar and suggest that you install Windows Police PRO to remove assumed system infections and to ensure full PC protection. Ignore such fake security alerts no matter what they tell you. Otherwise, you will infect your computer even more.

Once installed, Windows Police PRO will perform a fake system scan and report a variety of infections or security threats. Remember, the scan results are false; you may safely ignore them. The only thing you should worry about is WindowsPolicePRO itself. Furthermore, this parasite will constantly display bogus system security alerts stating that your computer is under attack or that you do not have antivirus software. You will see fake security alerts with the following text:

"Security Warning"
Your computer continues to be infected with harmful viruses. In order to prevent permanent loss of your information and credit card data theft please activate your antivirus software. Click here to enable protection."

"svchost.exe
svchost.exe has encountered a problem and needs to close. We are sorry for the inconvenience"

"Windows Police Pro Alert
Infiltration Alert
Your computer is being attacked by a Virus. It could be password-stealing attack, a trojan-dropper or similar."

However, that's not all. Windows Police PRO will also hijack your web browser and dramatically slow down your computer. It may block some Microsoft Windows tools and programs to protect itself from being deleted.

Related files: dddesot.dll, minix32.exe, wt3.gif, wt2.gif, wt1.gif, w3.jpg, w3.gif, w2.gif, w11.gif, up2.gif, up1.gif, t2.gif, t1.gif, pix.gif, l3.gif, l2.gif, l1.gif, jj3.gif, jj2.gif, jj1.gif, j3.gif, j2.gif, j1.gif, i3.gif, windows Police Pro.exe, ANTI_files.exe, svcm80.dll, msvcp80.dll, msvcr80.dll, dbsinit.exe, wispex.html, i1.gif, i2.gif





AntiVirus Number-1



Description of Anti-Virus Number 1 and consequences of its residing on your PC

Anti-Virus Number 1 (AntiVirus Number 1) is a program with a flatulent name that differs only slightly in all of its characteristics from its parent programs, which are named Anti-Virus 1 and Antivirus 2010. The sooner you remove Anti-Virus Number 1, the less damage it will do to your computer. To make users buy as many copies of this useless program as possible, hackers apply a revolting promotion tactic: the program issues resource-requesting commands, especially when legitimate programs actually need those resources, in order to disrupt and slow down the computer and to make the user believe that the viruses found by Anti-Virus Number 1 are the cause.
First of all, you should recall how the trial version of this program entered your computer. It is very likely that it was installed by a trojan, which had itself been installed in some tricky fashion, because it is much easier for a trojan than for a rather heavyweight program like Anti-Virus Number 1 to be installed secretly. Thus the way of installation already reveals the tricky nature of this program. However, even if you installed the Anti-Virus Number 1 trialware on your own initiative, it affects your computer in the same manner, so there is no reason to hesitate in removing Anti-Virus Number 1.



Anti-Virus Number 1 Technical Details

Full name: Spyware Fighter, SpywareFighter, Spyware-Fighter
Version: 2009
Type: Rogue anti-spyware
Origin: Russian Federation


Manual Removal of Anti-Virus Number 1 (Warning: infection removal is not recommended for novice users)

Note: manual removal of Anti-Virus Number-1 may not fully remove the Anti-Virus Number-1 threat, because it may also be necessary to remove a trojan. To detect the specific trojan, if one arranged the hidden installation of the malware, please follow the link above to book a free diagnostic. The infections found can usually be removed manually if you find the corresponding manual guides. Search the Internet through Google, and this website, for relevant removal guidelines. Please print these instructions out, because it is strongly recommended to disable the Internet connection and keep all programs inactive during the removal of Anti-Virus Number-1.

Remove Anti-Virus Number 1 files and dlls

AV1.cab
av1.exe
AV1i.exe
AV1Two.exe
QWProtect.dll
svchost.exe
Anti-Virus Number-1.lnk
Uninstall.lnk
BasCw1RaU1oLasEc1S.exe

Unregister Anti-Virus Number 1 registry values:

HKEY_CURRENT_USER\Software\AV1
HKEY_CLASSES_ROOT\AppID\{0D1DBFEE-0C43-4223-8B3E-A56FB3C5C87D}
HKEY_CLASSES_ROOT\AppID\QWProtect.DLL
HKEY_CLASSES_ROOT\CLSID\{8D187DFF-423F-41d3-A331-A60DE5886675}
HKEY_CLASSES_ROOT\Interface\{0D1DBFEE-0C43-4223-8B3E-A56FB3C5C87D}
HKEY_CLASSES_ROOT\QWProtect.QWProtectBHO
HKEY_CLASSES_ROOT\QWProtect.QWProtectBHO.1
HKEY_CLASSES_ROOT\TypeLib\{CD30B357-F8F7-4AD1-BF68-04A219D21A69}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8D187DFF-423F-41d3-A331-A60DE5886675}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunDrivesswap

Other Characteristics

Category : Rogue Security Software

Also known as:  Win32/FakeAlert.AFH [CA AV], Trojan Horse [Symantec], Troj/FakeAv-NY [Sophos], Trojan-Downloader.Win32.FraudLoad.dzm [Kaspersky], FakeAlert-WinwebSecurity.gen [McAfee], Trojan:Win32/FakeXPA [MS OneCare]


Description

Category

Rogue Security Software: Security software that uses deceptive means for installation and purpose. Once installed, the rogue software usually uses scare tactics to inform the user that spyware or malware is installed on their system. The rogue security software then claims to offer remediation in exchange for payment. These applications can come bundled with other malware that serves other purposes. This software usually comes in the form of anti-spyware or anti-virus applications.



Origins

Date of Origin

date of origin: Variants from April, 2009 to April, 2009






[Screenshots not reproduced: Desktop icon; Anti-Virus Number-1; Anti-Virus Number-1 fake warnings and alerts]








There are a lot of rogue AntiVirus programs available over the Internet, and when you visit their websites they ask you to scan your computer for viruses and other malicious programs. Smart AntiVirus is a newly added rogue security AntiVirus program in this list.

[Screenshots not reproduced: Smart AntiVirus 2009 Home Page; Typical fake/Scare scan page; Smart Antivirus 2009 Security Center]

List of websites that offer this rogue AntiVirus security program.


Description of Smart Antivirus 2009 and consequences of its residing on your PC

Lucky you, if you are reading the statement on the buy page of Smart Antivirus 2009 (SmartAntivirus 2009), as these fair magicians would charge you only once. They wrote at http://smartantivirus2009.com: "You will be charged only one, please use credit card type as specified." And check this out: "his is a One-Time charge only. Your credit card will newer be charged again". Well, after such a statement I would think twice before giving my credit card details. Does it mean that I may throw away my card after purchasing Smart Antivirus 2009? Against the background of such zeal in reassuring potential clients that paying for this software by credit card is safe, mere mistakes were made in text of ads for this program  was written instead. Well, that is too much attention to the standard website of a piece of malware. We have sufficient evidence of its unfair nature to conclude: there is no need to download and then remove Smart Antivirus 2009 to figure out that this is malware.
Both the licensed and trial versions are unsafe and affect your machine. SmartAntivirus 2009 generates a fake scan, just like all its relatives. In fact, this is not a scan program at all (or at best a misleading one) but a random entry selector. What it really does has almost nothing in common with even the simplest inspection and characterisation of the files stored on your PC, even one whose conclusions would all be nonsense. When Smart Antivirus runs its scan, random names are extracted at a given regularity from txt files and displayed in the list of scan results. That txt file contains over 1000 entries, of which several dozen are normally drawn. Sometimes the scan results suddenly differ even though you started the new scan on the same machine right after the previous one; usually, however, the same results are repeated. While one misleading application selects false positives, others are responsible for producing alerts and generating commands. One such command that was detected was to delete the file C:\Program Files\Outlook Express\msoe.dll; had I not prevented its execution, it would have disabled my Outlook Express! So this program is mere but tricky malware.

Smart Antivirus 2009 Technical Details

  • Full name: Smart Antivirus 2009, SmartAntivirus 2009, SmartAntivirus2009
  • Type: Rogue anti-spyware
  • Version: 2009
  • Origin: Russian Federation, http://smartantivirus2009.com

Signs of being infected with Smart Antivirus 2009:

There are cases in which Smart Antivirus 2009 gives no annoying or obvious signs of its presence. Perhaps spying is the reason. Moreover, Smart Antivirus 2009 includes objects responsible for generating commands related to Internet activity. Therefore, while it runs hidden you may see a degraded Internet connection caused by Smart Antivirus 2009 commands. Some files may be deleted, so where information has suddenly vanished or programs have been disabled, Smart Antivirus 2009 could be responsible for all the hanky-panky.

Automatic Removal of Smart Antivirus 2009 from your PC:

Smart Antivirus 2009 is undoubtedly based on some other tricky stuff. Therefore, there is every reason to suspect this malware of facilitating the invasion of related rogues. Consequently, it is preferable that you apply a comprehensive tool to remove Smart Antivirus 2009.






Power Antivirus 2009 Screenshot


Power Antivirus 2009 Description:

Power Antivirus 2009, or PowerAntivirus2009, is a rogue anti-spyware program and a clone of Win Antivirus 2008. Power Antivirus 2009 uses the same interface as Win Antivirus 2008 and is even promoted by the same website, power-antivirus-2009.com. Power Antivirus 2009 may be installed on the user's computer system through a Trojan, or the user may have downloaded it by mistake.

Once installed, Power Antivirus 2009 generates fake popups and system alert messages stating that the user's computer is infected with spyware. Power Antivirus 2009 is also able to generate a rogue computer system scan and display erroneous spyware results. These scare tactics are used by Power Antivirus 2009 only to push the user into purchasing the full version of Power Antivirus 2009.

Power Antivirus 2009 is an upgrade of the rogue Win Antivirus 2008. Power Antivirus 2009 is a threat to the user's privacy.





AntivirusMaster

AntivirusMaster Description:
AntivirusMaster, Antivirus Master or AV Master, is a rogue anti-spyware program and a clone of AntivirusXP2008, Antivirus 2009 and Antivirus 2008. AntivirusMaster may be installed onto the user's computer system by the Trojan Zlob. Once Zlob is installed, it will display popups and system notifications stating that the computer is infected with spyware threats, in an attempt to persuade the user into purchasing the full commercial version of AntivirusMaster. AntivirusMaster may also use its system scanner to run a fake computer scan and list false positives as a result. AntivirusMaster's purpose is to confuse users with non-existent threats and convince them that they need the full AntivirusMaster program to solve their problems.




ConfidentUser Screenshot



ConfidentUser Description:
ConfidentUser is a rogue anti-spyware application designed to mislead users with bogus system scans and scan results into buying a program that doesn't deliver what it promises. ConfidentUser may be installed on the user's computer system by a Trojan, which causes deceptive warning messages about imaginary security and privacy risks. These messages will state that the computer is infected with a large amount of spyware when it is not. ConfidentUser's scare tactics are used in an attempt to push the user into purchasing the commercial version of ConfidentUser. ConfidentUser may be difficult to remove manually.





PestSweeper Screenshot

PestSweeper Description:
PestSweeper, or Pest Sweeper, is a rogue anti-spyware application known for using scare tactics to push users into buying a fake program. PestSweeper is usually installed by the Zlob or Vundo Trojan without the user's knowledge. Once installed, PestSweeper will generate fake error messages informing the user about fake system infections. PestSweeper's fake messages may say that malware and harmful software were found and tell the user to click the OK button to remove the supposed threats. If the user clicks on one of PestSweeper's messages, he will be redirected to the PestSweeper website (PestSweeper.com) to download the full commercial version of PestSweeper. PestSweeper may cause computer slowdowns and is a risk to the user's personal and financial information.






Proofile Toolbar Description:
Proofile Toolbar is a malicious toolbar that may come bundled with other malware. Proofile Toolbar usually installs itself as a Browser Helper Object (BHO), adding a search bar to the user's browser, usually just below or next to the browser address bar. Proofile Toolbar may also have buttons that link to advertisers' web pages. Once Proofile Toolbar is installed, it may track the user's online activity in order to display a large number of ads that are meant to be relevant to the user. Proofile Toolbar may also send the collected data to a remote third party for malicious purposes. Proofile Toolbar is related to Softomate Toolbar.



WinAntispyware2008


WinAntispyware2008 Description
WinAntispyware2008, also known as Win Antispyware 2008, is a rogue anti-spyware application usually installed on the user's computer system by the Vundo Trojan, a virus or rogue software, through security breaches or other dubious mechanisms. WinAntispyware2008 infects users without their knowledge or permission and will attempt to trick the user into buying the full version of the program. WinAntispyware2008's common tactics to persuade the user are bogus system notifications or fake security alerts stating that the computer is infected with a large amount of spyware. WinAntispyware2008 will state that in order to remove the supposed threats the user should purchase the commercial version. WinAntispyware2008 causes the computer to slow down and can even make it unstable. WinAntispyware2008 is a threat to the user's personal and financial data. WinAntispyware2008 may be difficult to remove manually.




WinFix Master


WinFix Master Description:
WinFix Master is a rogue anti-spyware application that supposedly removes spyware from the user's computer system. WinFix Master is a scam, and all it does is interfere with the user's workflow by causing system slowdowns and even instability.

WinFix Master infects the user's computer system through the Zlob or Vundo Trojan, found in a video codec download or on a dubious website, through browser security loopholes. Once installed, WinFix Master will run a fake system scan and display a list of bogus scan results stating that the computer is infected with a large amount of spyware. In addition, WinFix Master will generate an enormous number of annoying popups and fake system notifications to trick the user into purchasing the full version of the program. Once the user clicks on one of these messages, he will be redirected to the WinFix Master website to buy the full commercial version of WinFix Master to remove the supposed threats.





WinXSecurityCenter Screenshot


WinXSecurityCenter Description:
WinXSecurityCenter is a rogue anti-spyware application. WinXSecurityCenter is no different from any other rogue. WinXSecurityCenter infects the user's computer system with the help of a Trojan infection, such as Zlob, via security vulnerabilities. Once installed, WinXSecurityCenter will run exaggerated registry scans and display fake scan results to scare the user into purchasing the software. WinXSecurityCenter may also generate a large number of popups and fake system notifications. If the user clicks one of them, the user will be redirected to a rogue website where WinXSecurityCenter is promoted as legitimate software.


Antivirus 360


Malware Defender 2009


SpywareRemover2009







VirusRemover2009

VirusRemover 2009 creates the following files and folders.

%programfiles%\VirusRemover2009
%programfiles%\VirusRemover2009\ExtSecurityCenter.exe
%programfiles%\VirusRemover2009\ExtSecurityCenter.ini
%programfiles%\VirusRemover2009\ExtSecurityCenter.xml
%programfiles%\VirusRemover2009\ni_d.exe
%programfiles%\VirusRemover2009\PP.exe
%programfiles%\VirusRemover2009\Uninstall.exe
%programfiles%\VirusRemover2009\Viruses.bdt
%programfiles%\VirusRemover2009\VRM2009.exe
%programfiles%\Desktop\VirusRemover2009.lnk
%programfiles%\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusRemover2009.lnk




WinPC Defender

WinPC Defender promotes itself as a program that can defend and secure computers from virus threats and attacks. But these claims have no solid proof, since WinPC Defender scans the computer and produces false results. Because of these methods, security experts have tagged it as a rogue program that should be avoided and removed immediately.

Common Symptoms:
1. It first downloads an initial Trojan that redirects websites to win-pc-defender.com.
2. After dropping and installing the rogue program, it scans the computer and produces fake results.




This website was created on February 24 2009. This is one of the newest forms of fake security. Warning: do not visit this site, you risk a drive-by download infection! If you ever see this website pop up on your system, then it is infected.







Antivirus XP Pro 2009

Antivirus XP Pro 2009 Descriptions:

Antivirus XP Pro 2009, also known as AntivirusXPPro2009, is a new variant of the atrocious Antivirus 2009 or Antivirus XP 2009. I don't think this is a new story anymore, but the destructiveness of this type of malware remains. Technically, Antivirus XP Pro 2009 is just fake software created to deceive innocent users like us. Antivirus XP Pro 2009 usually shows up after you install a video codec that comes with a Trojan, malware or a virus. Antivirus XP Pro 2009 normally generates fake and misleading system popup error messages so that end users will be tricked into purchasing Antivirus XP Pro 2009.

It is critical to remove Antivirus XP Pro 2009 and all its components. To effectively remove Antivirus XP Pro 2009, we have created manual removal instructions. We recommend that you back up all important data before proceeding. The removal process requires some patience and willingness to experiment. If it fails, try again, because Antivirus XP Pro 2009 changes rapidly. Here are the things that you need to do in order to remove Antivirus XP Pro 2009.

Manual Antivirus XP Pro 2009 Removal Instructions:

Stop Antivirus XP Pro 2009 Processes:
antivirusxppro2009.exe
AntivirusXP.exe

Find and Delete Antivirus XP Pro 2009 Files:
antivirusXPpro2009.exe
c:\Program Files\AntivirusXP
c:\Program Files\AntivirusXP\AntivirusXP.exe
c:\Program Files\AntivirusXP\Infected
c:\Program Files\AntivirusXP\Suspicious
%UserProfile%\Desktop\AntivirusXP.lnk
%UserProfile%\Start Menu\Programs\AntivirusXP
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusXP.lnk
%UserProfile%\Start Menu\Programs\AntivirusXP\AntivirusXP.lnk
%programs%\AntivirusXPPro2009\AntivirusXPPro2009.lnk
%programs%\AntivirusXPPro2009\uninstall.lnk
%program_files%\AntivirusXPPro2009\AntivirusXPPro2009.exe
%program_files%\AntivirusXPPro2009\uninstall.exe
%desktopdirectory%\AntivirusXPPro2009.lnk

Remove Antivirus XP Pro 2009 Registry Values:
HKEY_LOCAL_MACHINE\software\AntivirusXPPro2009
HKEY_LOCAL_MACHINE\software\AntivirusXPPro2009 info
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run Antivirus XP Pro 2009







Infection Details

applehebi:
From the week of Nov. 10 until the present, a fake CNET Download.com has been handing out this nasty new-age infection. It has become embedded in the WinRAR download. Applehebi is a huge security issue. The Applehebi infection overwrites the hosts file, which redirects you to fake versions of sites such as Google, MSN and MySpace, to name a few. After this infection, if you visit a site such as Google, the applehebi infection redirects the user to another site that LOOKS like Google but it's not. Users will then see Google, MySpace, MSN etc. saying something like the following.


If your Google looks like this, you need help. Your system is infected with a nasty key logger!
Key logging infections are the number one cause of identity theft and fraud.

Of course, if you have read how infections trick you, then you would be smart enough not to click the free scan or register it; you would instead seek professional help. If you do click on the free scan and try to register it, your system becomes infected with AntivirusPro2009, as seen above.

Because the hosts file has been rewritten, security programs such as Malwarebytes, AVG, Norton, McAfee, etc. cannot repair the damage done. Malwarebytes can remove the infection, but cannot undo the hosts file changes. If this is something you're still battling then click here for help.
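Since scanners leave the rewritten hosts file in place, it has to be checked separately. The following Python check is an added example, not code from this page: it flags hosts entries that point the sites named above at a non-loopback address and produces a copy with those lines disabled. The sample hosts content and its addresses are constructed for illustration.

```python
import ipaddress

# Sites the page names as being redirected by the rewritten hosts file.
WATCHED = ("google.com", "msn.com", "myspace.com")

# Constructed sample of a tampered hosts file (on Windows XP the real file is
# %SystemRoot%\system32\drivers\etc\hosts). Addresses are documentation ranges.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "203.0.113.10    www.google.com google.com\n"
    "203.0.113.10    www.myspace.com   # added by the infection\n"
    "127.0.0.1       www.msn.com\n"
    "198.51.100.7    intranet.example.local\n"
)


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:                      # blank or malformed line
            continue
        for name in fields[1:]:                  # one IP may carry several names
            yield no, fields[0], name.lower().rstrip(".")


def is_watched(host):
    """True for a watched domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in WATCHED)


def is_local(ip):
    """Loopback or 0.0.0.0/:: entries block a site; they do not redirect it."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                             # unparsable address: report it
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(text):
    """Mappings that send a watched site to a remote address."""
    return [(no, ip, host) for no, ip, host in parse_hosts(text)
            if is_watched(host) and not is_local(ip)]


def cleaned_hosts(text):
    """Return the hosts text with every suspicious line commented out."""
    bad = {no for no, _, _ in suspicious_entries(text)}
    lines = [("# disabled: " + raw) if no in bad else raw
             for no, raw in enumerate(text.splitlines(), 1)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for no, ip, host in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {no}: {host} -> {ip}")
```
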

The entire point of the applehebi infection is to get people to buy Antivirus 2009 and/or its variants. The makers of these fraudulent security programs use applehebi as their lure.

If you or someone you know has this infection, or has activated a fraudulent security program, then click here for help.


Security Tool


Below are screenshots of Security Tool, which is a new-age infection. Security Tool is one of the newest rogues out as of October 8th 2009. NickLockard.com Remote Service has now successfully removed the Security Tool infection from multiple systems on which security scanners such as Malwarebytes, AVG and Combofix, to name a few big ones, failed to detect all of it. Security Tool is an infection that requires manual removal.



Listed below are some known directories and names of Security Tool if you need or wish to attempt a manual removal.

These are known rootkits that Security Tool packs with its punch:

c:\windows\system32\Dc50.exe (Rootkit.TDSS)
c:\windows\system32\Dc51.exe (Rootkit.TDSS)
c:\windows\system32\Dc52.exe (Rootkit.TDSS)
c:\windows\system32\Dc41.000\FILE0035.CHK (Rootkit.TDSS)
c:\windows\system32\Dc58.sys (Rootkit.TDSS)
c:\windows\system32\Dc59.sys (Rootkit.Rustock)

%System Root%\Samples
%User Profile%\Local Settings\Temp
%Program Files%\SecurityTool
%Documents and Settings%\All Users\Start Menu\Programs\SecurityTool
%Documents and Settings%\All Users\Application Data\SecurityTool
Security Tool.exe
uninstall.exe

%UserProf%\Application Data\4946550101
%UserProf%\Application Data\4946550101\4946550101.bat
%UserProf%\Application Data\4946550101\4946550101.cfg
%UserProf%\Application Data\4946550101\4946550101.exe
%UserProf%\Desktop\Security Tool.lnk
%UserProf%\Start Menu\Programs\Security Tool.lnk


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gasfkyqtyqjwqo (Rootkit.TDSS)
HKEY_CLASSES_ROOT\CLSID\{d03ffaa3-5238-4df8-9a2a-97d2d80ae8d9} (Trojan.Vundo.H)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rotatigov (Trojan.Vundo.H)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\31503719 (Trojan.FakeAlert.H)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d03ffaa3-5238-4df8-9a2a-97d2d80ae8d9} (Trojan.Vundo.H)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tufuridey (Trojan.Vundo.H)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rirawapola (Trojan.Agent)
C:\Documents and Settings\All Users\Application Data\31503719
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4946550101.bat 4946550101.cfg 4946550101.exe Security Tool.lnk Security Tool.lnk
%UserProfile%\Application Data\4946550101
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SecurityTool"
HKEY_CURRENT_USER\Software\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SecurityTool
HKEY_LOCAL_MACHINE\SOFTWARE\SecurityTool
HKEY_CURRENT_USER\Software\Vista Antivirus 2010


The above are examples of how Security Tool infects a system; it randomizes the file and folder names that appear as numbers above. You may need to kill the running Security Tool process in order to remove Security Tool. If you are otherwise unable to delete the files that you find, use Task Manager to kill the running process that matches the randomized name of the exe that you find. It will likely stick out like a sore thumb in Task Manager. (Very few legit programs have 10-digit numerical names.)


After the manual removal, or at least the manual disabling of the active rogue, go back and run a scan with an updated version of Malwarebytes to make sure the system is clean. The toughest part of the Security Tool infection is that Security Tool will claim each program you try to run is a worm and is trying to send your credit card info to some host.
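The randomized names can be found mechanically rather than by eye. The following Python check is an added example, not code from this page: it looks for an all-digit folder under Application Data that holds an .exe with the same name as the folder, then reports which Run values start from it. The file listing, the user name "alice" and the Run value data are constructed; only the folder name 4946550101 and the value name SecurityTool come from the lists above.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname, splitext  # Windows path rules on any OS

ALL_DIGITS = re.compile(r"^\d{8,}$")  # the page shows 8- and 10-digit names

# Constructed file listing (e.g. the output of a recursive directory listing).
FILES = [
    r"C:\Documents and Settings\alice\Application Data\4946550101\4946550101.exe",
    r"C:\Documents and Settings\alice\Application Data\4946550101\4946550101.bat",
    r"C:\Documents and Settings\alice\Application Data\4946550101\4946550101.cfg",
    r"C:\Documents and Settings\alice\Application Data\20091008\notes.txt",
    r"C:\Documents and Settings\alice\Application Data\Mozilla\profiles.ini",
    r"C:\Program Files\7-Zip\7z.exe",
]

# Constructed contents of HKCU\...\CurrentVersion\Run (value name -> command).
RUN_VALUES = {
    "SecurityTool":
        r'"C:\Documents and Settings\alice\Application Data\4946550101\4946550101.exe"',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}


def numeric_dropper_dirs(paths):
    """Map each all-digit Application Data folder that contains <digits>.exe
    to the sorted extensions of the same-named files found in it."""
    by_dir = defaultdict(set)
    for path in paths:
        folder = dirname(path)
        stem, ext = splitext(basename(path))
        if ("\\application data\\" in path.lower()
                and ALL_DIGITS.match(basename(folder))
                and stem == basename(folder)):
            by_dir[folder.lower()].add(ext.lower())
    # A numeric folder without a same-named executable is not reported.
    return {d: sorted(exts) for d, exts in by_dir.items() if ".exe" in exts}


def exe_from_command(command):
    """Extract the executable path from a Run value (quoted or not)."""
    m = re.match(r'\s*"?([^"]*?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else None


def autoruns_into(dirs, run_values):
    """Names of Run values whose executable lives in one of the flagged dirs."""
    hits = []
    for name, command in run_values.items():
        exe = exe_from_command(command)
        if exe and dirname(exe).lower() in dirs:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    flagged = numeric_dropper_dirs(FILES)
    for folder, exts in flagged.items():
        print("suspicious folder:", folder, exts)
    print("autoruns to remove:", autoruns_into(flagged, RUN_VALUES))
```
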


Below are pictures from Security Tool infection


Security Tool Warning


Security Tool Warning




















TrustFighter
As of October 14th, 2009



TrustFighter is a scareware program from the Wini family of rogues. This rogue is typically promoted through the use of Trojans that masquerade as an update to Adobe Flash. When the Trojan is downloaded and run, it will install TrustFighter on your computer and configure it to start automatically every time Windows starts. The Trojan will also install a large number of harmless files with random names in the C:\Windows and C:\Windows\System32 folders. Then, when TrustFighter scans your computer, it will detect these harmless files as infections and state that you need to purchase the program before it will allow you to remove them. This tactic of creating harmless files that will then be detected as infections attempts to make you think you are infected, in the hope that you will then purchase the program. As you now see, the only infection is TrustFighter itself, and you should not purchase the program as it will not do anything for you.


While the Trojan is running you will also see fake security notices and messages appear on your desktop. These alerts will give warnings that your computer is being hacked or that active malware has been detected. The Trojan will also display a window that impersonates the legitimate Windows Security Center. The only difference is that the imposter will suggest you purchase TrustFighter to protect your computer, while the original does not make any suggestions as to what programs should run on your computer. These alerts and the fake Security Center are just another tactic to make you think that your computer has a security problem, and they should be ignored.

If you find that you are infected with TrustFighter, then please use the guide below to remove it and any related malware from your computer. If you have already purchased the program, then we suggest you contact your credit card company and dispute the charges as this software is a scam.

O4 - HKCU\..\Run: [lil6.tmp.exe] C:\WINDOWS\system32\lil6.tmp.exe
O4 - HKCU\..\Run: [TrustFighter] C:\Program Files\TrustFighter Software\TrustFighter\TrustFighter.exe -min

Associated TrustFighter Files:

c:\Documents and Settings\All Users\Start Menu\Programs\TrustFighter
c:\Documents and Settings\All Users\Start Menu\Programs\TrustFighter\1 TrustFighter.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\TrustFighter\2 Homepage.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\TrustFighter\3 Uninstall.lnk
c:\Program Files\TrustFighter Software
c:\Program Files\TrustFighter Software\TrustFighter
c:\Program Files\TrustFighter Software\TrustFighter\TrustFighter.exe
c:\Program Files\TrustFighter Software\TrustFighter\uninstall.exe
c:\Documents and Settings\All Users\Desktop\TrustFighter.lnk
c:\WINDOWS\system32\d3d550c.dll
c:\WINDOWS\z9815spy765.dll
c:\WINDOWS\z9cfthreat4589.bin
c:\WINDOWS\za23d9wnload5r515.exe
c:\WINDOWS\system32\d98thi5f2122z.ocx
c:\WINDOWS\system32\f85a9dware256z.exe
c:\WINDOWS\system32\lil6.tmp.exe
c:\WINDOWS\system32\z105hackto5l709.cpl
%Temp%\lil6.tmp.exe
 

Associated TrustFighter Windows Registry Information:

HKEY_CURRENT_USER\Software\TrustFighter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TrustFighter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\TrustFighter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "lil6.tmp.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "TrustFighter"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe "GlobalFlag" "0x02000100"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe "VerifierDlls" = "d3d550c.dll"
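The last two entries register d3d550c.dll as a verifier DLL for svchost.exe under the Image File Execution Options key, a setting that is easy to miss when only Run keys are checked. The following Python check is an added example, not code from this page: it parses a registry export and lists every image that has a VerifierDlls value, noting whether the application-verifier bit (0x100) is set in GlobalFlag. The .reg text is a constructed sample built from the values listed above, and the notepad.exe key in it is hypothetical.

```python
import re

IFEO = r"\microsoft\windows nt\currentversion\image file execution options" + "\\"
FLG_APPLICATION_VERIFIER = 0x100  # GlobalFlag bit that turns on verifier DLL loading

# Constructed .reg export; values for svchost.exe are the ones listed on the page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe]
"GlobalFlag"="0x02000100"
"VerifierDlls"="d3d550c.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TrustFighter"="C:\\Program Files\\TrustFighter Software\\TrustFighter\\TrustFighter.exe -min"
'''


def decode(data):
    """Decode the right-hand side of a .reg value line (dword or string)."""
    data = data.strip()
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data  # other types (hex:...) are kept as raw text


def parse_reg(text):
    """Return {key path: {lower-cased value name: decoded data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = keys.setdefault(header.group(1), {})
            continue
        value = re.match(r'^"([^"]+)"=(.*)$', line)
        if value and current is not None:
            current[value.group(1).lower()] = decode(value.group(2))
    return keys


def to_int(value):
    """GlobalFlag may be stored as a number or as text such as 0x02000100."""
    if isinstance(value, int):
        return value
    try:
        text = str(value).strip()
        return int(text, 16) if text.lower().startswith("0x") else int(text)
    except ValueError:
        return 0


def audit_ifeo(text):
    """List images under Image File Execution Options that name verifier DLLs."""
    findings = []
    for key, values in parse_reg(text).items():
        pos = key.lower().find(IFEO)
        if pos < 0:
            continue
        dlls = str(values.get("verifierdlls", "")).split()
        if not dlls:
            continue
        flag = to_int(values.get("globalflag", 0))
        findings.append({
            "image": key[pos + len(IFEO):].split("\\")[0],
            "dlls": dlls,
            "verifier_enabled": bool(flag & FLG_APPLICATION_VERIFIER),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ifeo(SAMPLE_REG):
        print(finding)
```
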






Yourguardonline.com

Malware Description:
Should you come across the Yourguardonline.com domain while surfing the web, leave it, because the site is a hijacker for the Trust Fighter rogue and can damage your system. Yourguardonline.com infects a randomly chosen computer through its affiliated Trojans, whose primary objective is to slip past the security barriers of the potential host system and get on board undetected. Those Trojans modify the settings of your web browser so that the browser is messed up and barely usable. After that, your online activities will be interrupted by unwanted redirections to the Yourguardonline.com website. The first thing you notice about the Yourguardonline.com site is a weird-looking system scan interface that resembles an MS-DOS blue screen. When it finishes, the scanner reports the detection of multiple computer parasites. This is done so that you start believing your machine is actually infected and needs a cure. Then Yourguardonline.com will suggest the cure, i.e. the commercial version of Trust Fighter, which requires (guess what) a payment first. Following the Yourguardonline.com hijacker's advice is completely unreasonable, because Trust Fighter may do a lot of harm to your system. You should immediately remove the Yourguardonline.com hijacker before it makes you install the rogue anti-spyware.

How to remove Yourguardonline.com hijacker manually:
Manual removal of Yourguardonline.com is feasible if you have sufficient expertise in working with program files, system processes, .dll files and registry entries.

The associated files to be deleted are listed below:

    * %Program Files%\TrustFighter Software
    * %Program Files%\TrustFighter Software\TrustFighter
    * %Program Files%\TrustFighter Software\TrustFighter\license.txt
    * %Program Files%\TrustFighter Software\TrustFighter\trustsoldier.exe
    * %Program Files%\TrustFighter Software\TrustFighter\uninstall.exe
    * %WINDOWS%\102z6w59m3c4.cpl
    * %WINDOWS%\1044zhackt9ol5b2.dll
    * %WINDOWS%\10683v9rzs656.cpl
    * %WINDOWS%\10915hief309z.cpl
    * %Documents and Settings%\All Users\Desktop\TrustFighter.lnk
    * %Documents and Settings%\All Users\Start Menu\Programs\TrustFighter
    * %Documents and Settings%\All Users\Start Menu\Programs\TrustFighter\1 TrustFighter.lnk
    * %Documents and Settings%\All Users\Start Menu\Programs\TrustFighter\2 Homepage.lnk
    * %Documents and Settings%\All Users\Start Menu\Programs\TrustFighter\3 Uninstall.lnk

The related registry entries to be removed are as follows:

    * HKEY_CURRENT_USER\Software\TrustFighter
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TrustFighter
    * HKEY_LOCAL_MACHINE\SOFTWARE\TrustFighter
    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRUSTFIGHTERSVC
    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrustFighterSvc
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “TrustFighter”

Please be aware that manual removal of Yourguardonline.com is a cumbersome procedure and does not ensure complete deletion of the malware, because some files might be hidden or may automatically restore themselves afterwards. Moreover, manual interference of this kind may cause damage to the system. That's why we strongly recommend professional removal of Yourguardonline.com, which will save you time, avoid system malfunctions and guarantee the needed result.





Koobface Infection:
On December 5th the Koobface worm was detected on Facebook. The Koobface infection has also been on MySpace and has had multiple variants. It's important to note that spammed links leading to Koobface are likely to come from an infected friend, reminiscent of early mass-mailing worms.

The first Koobface worm in this case, Net-Worm.Win32.Koobface.a, spreads when a user accesses his or her MySpace account. The worm posts comments on the accounts of the user's friends.

Now, Net-Worm.Win32.Koobface.b is targeting Facebook users, creating spam messages and sending them to the infected user's friends via the Facebook site.

Some of the messages and comments include texts such as
  • "you look so amazing funny on our new video"
  • "Paris Hilton tosses Dwarf on the street"
  • "Examiners caught download grades from the internet"
  • "Hello; You must see it!!! LOL"
  • "My friend catched [sic] you on hidden cam"
  • "Is it really celebrity?" along with several others
If the user tries to watch the clip, a message appears saying that he or she needs the latest version of Flash Player in order to watch the clip. However, instead of the latest version of Flash Player, a file called codecsetup.exe is downloaded to the victim's machine. This file is also a network worm, which means other computers on the network will be infected.





CyberSecurity
As of October 14th, 2009



Cyber Security is a misleading application promoted through the use of Trojans that deliberately display fake security alerts or impersonate online anti-spyware scanners to convince you that your computer is infected with malware. This program is from the same family as Total Security. Usually, the Trojans hijack the web browser and display fake alerts about serious system security threats. You are then prompted to scan your PC with Cyber Security to detect and remove those supposed infections. Once installed, this parasite may seriously compromise your computer. It has the ability to block system tools and programs as well as security programs. It will continue to display fake notifications and alerts about serious security problems and privacy issues. You may see fake security alerts with the following text:

"WARNING Cyber Security Alert!
New data base update is available
Automatic updating is necessary to get you system protected in real time against new and emerging viruses, worms and tyoyans. Regular updating is needed to prevent you PC from latest virus threats that can lead to system slowdown, freezes, crashes and data loss."

The main goal of Cyber Security is to trick you into purchasing a full version of the program. However, the problem is that the full version doesn't actually exist, and buying it won't help you anyway, as the main infection remains active. We strongly recommend that you remove Cyber Security from your computer as soon as possible. Please use the removal guide below to get rid of this infection manually for free. If you have inadvertently purchased this program, please contact your credit card company immediately and dispute the charges.

Cyber Security manual removal:
Kill processes:
tsc.exe csc.exe

Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Cyber Security
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “1FD92E3F7C34799BFB075C41DA05D1FE”

Unregister DLLs:
winsource.dll iehelpmod.dll

Delete files:
tsc.exe csc.exe iehelpmod.dll winsource.dll Help.lnk Registration.lnk Cyber Security.lnk

Delete directories:
C:\Program Files\CS\









My PC - Best Defence Scanner


My PC - Best Defence Scanner is a fake online virus scanner commonly seen when visiting scam websites such as bestantispyware7.com. My PC - Best Defence Scanner displays nothing but fake detections of malware that is not really present on the computer. This is a trick to attract users and get them to install a copy of the rogue security program Security Tool.







Windows Smart Security



Windows Smart Security is a misleading antivirus application from the same family as Total Security, which is also a rogue security application. WindowsSmartSecurity displays fake security alerts and reports false or exaggerated system security threats and infections to scare you into thinking your computer is badly infected with malware. When running, the misleading program will display a list of infections that supposedly can't be removed unless you purchase this program. That would be a huge mistake, because Windows Smart Security is nothing more than a scam. Do not pay for this bogus program, and uninstall Windows Smart Security from your computer as soon as possible.

Unfortunately, WindowsSmart Security 2009 does even more to achieve its goal. Once installed, it will flood your computer with very annoying and of course fake system security alerts and Blue Screen of Death imitations. It will also hijack your Desktop and display misleading information about serious spyware infections. And of course, fake notifications from the Windows taskbar will be included as well. Once your PC is infected you will probably see fake alerts with the following text:

"Windows Smart Security Firewall Alert
Windows Smart Security Firewall has blocked a program from accessing the internet
Internet Explorer Internet Browser is infected with worm Lsas.Blaster.Keyloger. This worm is trying to send your credit card details using Internet Explorer Internet Browser to connect to remove host.
Activate Windows Smart Security"

"Windows Smart Security Firewall Warning
Intercepting programs that may compromise your privacy and harm your system has been detected on your PC. Click here to remove then immediately with Windows Smart Security"

The fake Blue Screen of Death alert imitates a Windows crash and states that NTFS.SYS has a problem:

"*** NTFS.SYS - Address 0xFBFE7617 base at 0xFD3094C2, DateStamp 3d6abeff
*** STOP: 0x00000050 (0xFD3094C2,0x00000001,0xFBFE7617,0x00000000)"

Hijacked Desktop reads:

"WARNING! YOUR'RE IN DANGER! YOUR COMPUTER IS INFECTED WITH SPYWARE!
SECURE YOURSELF RIGHT NOW!
REMOVE ALL SPYWARE FROM YOUR PC!"

As you can see, WindowsSmartSecurity is a totally useless application that claims that your computer is badly infected or has many serious problems. Do not trust this program no matter what it tells you.

Soft Soldier

Soft Soldier (aka SoftSoldier) is one more piece of rogueware from the family that encompasses such fake anti-spyware applications as Trust Fighter, Trust Cop, SecuritySoldier and SaveSoldier. Soft Soldier is unlikely to be noticed while it intrudes on your computer because it is known to use sophisticated rootkit techniques to infiltrate, which means there is hardly any antivirus that can spot Soft Soldier at the contamination stage. Once on the PC, SoftSoldier alters the system registry and some other system settings to eventually win control over the essential processes running on your machine. As a consequence, Soft Soldier will interfere with your computer routine by repeatedly displaying multiple bogus alerts and completely fabricated PC scans whose malware detection claims are anything but true. The trick behind those supposedly detected parasites is that they are either imaginary or harmless files that Soft Soldier itself dropped onto your system once it got inside. By these means, Soft Soldier tries to persuade you that the PC you are using is severely contaminated with malware and that the only thing that can remove it is Soft Soldier licensed software. That’s a lie, so do not be fooled by SoftSoldier and its exaggerations. You should instead uninstall this rogue anti-spyware as soon as it’s spotted on your computer.


How to remove Soft Soldier manually:
Manual removal of Soft Soldier is a feasible objective if you have sufficient expertise in dealing with program files, processes, .dll files and registry entries.

The files to be deleted are listed below:

    * %Program Files%\SoftSoldier Software
    * %Program Files%\SoftSoldier Software\SoftSoldier
    * %Program Files%\SoftSoldier Software\SoftSoldier\license.txt
    * %Program Files%\SoftSoldier Software\SoftSoldier\softsoldier.exe
    * %Program Files%\SoftSoldier Software\SoftSoldier\uninstall.exe
    * %WINDOWS%\102z6w59m3c4.cpl
    * %WINDOWS%\1044zhackt9ol5b2.dll
    * %WINDOWS%\10683v9rzs656.cpl
    * %WINDOWS%\10915hief309z.cpl
    * %Documents and Settings%\All Users\Desktop\SoftSoldier.lnk
    * %Documents and Settings%\All Users\Start Menu\Programs\SoftSoldier
    * %Documents and Settings%\All Users\Start Menu\Programs\SoftSoldier\1 SoftSoldier.lnk
    * %Documents and Settings%\All Users\Start Menu\Programs\SoftSoldier\2 Homepage.lnk
    * %Documents and Settings%\All Users\Start Menu\Programs\SoftSoldier\3 Uninstall.lnk

The registry entries that need to be removed are as follows:

    * HKEY_CURRENT_USER\Software\SoftSoldier
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftSoldier
    * HKEY_LOCAL_MACHINE\SOFTWARE\SoftSoldier
    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOFTSOLDIERSVC
    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SoftSoldierSvc
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “SoftSoldier”

Please be aware that manual removal of Soft Soldier is a cumbersome process and does not always ensure complete deletion of the malware, because some files might be hidden or may be restored automatically afterwards. Moreover, manual interference of this kind may cause damage to the system. That’s why we strongly recommend professional help with the removal of Soft Soldier, which will save you time, help avoid system malfunctions and guarantee the needed result.

How to remove Antivirus rogue anti-spyware

Malware Description:
The latest ‘know-how’ of cyber fraudsters is the fake anti-spyware campaign involving the program called Antivirus. These virtual crooks seem to have started applying some really intricate tactics for pushing their fake anti-spyware products. It’s quite hard to look up Antivirus removal with a random search engine because the top results will include tons of other material that is not relevant. Antivirus originates from the same subgroup of rogue security programs as Antivirus Pro 2010 and PC Antispyware 2010. Antivirus malware spreads by non-standard means which involve the use of rootkits and trojans whose mission is to help the rogue freeware get inside and modify some system processes. The first thing the Antivirus rogue anti-spyware does inside a new host OS is interfere with the system registry, i.e. it creates some registry entries of its own. This results in inevitable system changes and annoying, insecure activity by the Antivirus ransomware. Antivirus will trigger a large number of intrusive ads (popup alerts, fake Windows Security Center windows and bogus scanners) that claim multiple infections have been found on the compromised computer. Upon completion of this disinformation attack, the Antivirus fake anti-spyware prompts the user to install and buy its full version, which is absolutely no good for the security of any PC. Please do not be taken in by the trickery of the malware called Antivirus. It might sound odd, but this particular Antivirus application is not actually antivirus – it’s a completely fake one. The only thing one can say for sure about the Antivirus program is that you need to uninstall it as soon as possible if your PC happens to be infected with its malicious code.


How to remove Antivirus manually:
Manual removal of Antivirus is feasible if you have sufficient expertise in working with program files, system processes, .dll files and registry entries.

The associated files to be deleted are listed below:

    * %Documents and Settings%\All Users\Desktop\Antivirus.lnk
    * %Documents and Settings%\All Users\Start Menu\Programs\Antivirus
    * %Documents and Settings%\All Users\Start Menu\Programs\Antivirus\Antivirus.lnk
    * %Documents and Settings%\All Users\Start Menu\Programs\Antivirus\Uninstall.lnk
    * %AppData%\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk
    * %Temp%\winupd64x.exe
    * %Program Files%\Antivirus
    * %Program Files%\Antivirus\Antivirus.exe
    * %Program Files%\Antivirus\AvBho.dll
    * %Program Files%\Antivirus\Uninstall.exe
    * %Program Files%\Antivirus\wscsvc32.exe

The related registry entries to be removed are as follows:

    * HKEY_CLASSES_ROOT\AvBho.AvBhoApp
    * HKEY_CLASSES_ROOT\AvBho.AvBhoApp.1
    * HKEY_CLASSES_ROOT\CLSID\{9d541c6a-573b-4888-b35e-6816e68c3620}
    * HKEY_CLASSES_ROOT\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
    * HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
    * HKEY_CLASSES_ROOT\TypeLib\{65DA0CE6-30D1-4144-A0B6-59BD01372E26}
    * HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d541c6a-573b-4888-b35e-6816e68c3620}
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Antivirus.exe”
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “wscsvc32.exe”

Please be aware that manual removal of Antivirus is a cumbersome procedure and does not ensure complete deletion of the malware, because some files might be hidden or may restore themselves automatically afterwards. Moreover, manual interference of this kind may cause damage to the system. That’s why we strongly recommend professional removal of Antivirus, which will save you time, help avoid system malfunctions and guarantee the needed result.

How to remove PC Antispyware 2010 rogue anti-spyware

Malware Description:
PC Antispyware 2010 (aka PCAntispyware 2010) is the updated version of the infamous PC Security 2009 and Home Antivirus 2010. All of these programs belong to the same rogue anti-spyware family and even share the same graphical user interface. The distribution tactics used by PC Antispyware 2010 are based on Trojan intrusion techniques which usually go unnoticed by the security tools installed on the potential host computer. PC Antispyware 2010 is also advertised on certain websites that display exaggerated malware detection alerts and may run fake scanners to persuade users that they have some PC trouble to fix. Once inside a system, the unregistered version of PC Antispyware 2010 will trigger security scanners which are fabricated because they have no actual antivirus engine behind them. Such misleading scans are the core instrument for tricking users into installing and purchasing the PC Antispyware 2010 commercial software and making them believe PC Antispyware 2010 is the right antivirus utility to eliminate all the detected parasites. In addition to the scanners mentioned above, PC Antispyware 2010 also tends to issue false ads that notify you of non-existent problems to lure you once more into buying the license for the fraudulent program. Please avoid the PC Antispyware 2010 rogue anti-spyware and get rid of it if you notice its presence on your machine. You can follow our tips below to detect and remove PC Antispyware 2010 scareware.

How to remove PC Antispyware 2010 and affiliated threats manually:
Manual removal of PC Antispyware 2010 is a feasible objective if you have sufficient expertise in dealing with program files, processes, .dll files and registry entries.

The files to be deleted are listed below:

    * %Program Files%\Common Files\aqamodero.dat
    * %Program Files%\Common Files\hubeweqa.lib
    * %Program Files%\Common Files\jatikysup._dl
    * %Program Files%\Common Files\ofyxodaqa.dat
    * %Program Files%\Common Files\sahaso.bat
    * %Program Files%\Common Files\zotys.bin
    * %Program Files%\PC_Antispyware2010
    * %Program Files%\PC_Antispyware2010\AVEngn.dll
    * %Program Files%\PC_Antispyware2010\htmlayout.dll
    * %Program Files%\PC_Antispyware2010\PC_Antispyware2010.cfg
    * %Program Files%\PC_Antispyware2010\PC_Antispyware2010.exe
    * %Program Files%\PC_Antispyware2010\pthreadVC2.dll
    * %Program Files%\PC_Antispyware2010\Uninstall.exe
    * %Program Files%\PC_Antispyware2010\wscui.cpl
    * %Program Files%\PC_Antispyware2010\data
    * %Program Files%\PC_Antispyware2010\data\daily.cvd
    * %Program Files%\PC_Antispyware2010\Microsoft.VC80.CRT
    * %Program Files%\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
    * %Program Files%\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll
    * %Program Files%\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll
    * %Program Files%\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll
    * %WINDOWS%\akudyta.lib
    * %WINDOWS%\hoxigawax.inf
    * %WINDOWS%\kyci.dl
    * %WINDOWS%\nuxojih.scr
    * %WINDOWS%\qynomikov.bin
    * %WINDOWS%\seni.reg
    * %WINDOWS%\yfoneby.db
    * %WINDOWS%\system32\_scui.cpl
    * %WINDOWS%\system32\cocefezyj.dl
    * %WINDOWS%\system32\qebykiti.dl
    * %Documents and Settings%\All Users\Application Data\pybisezyr.db
    * %Documents and Settings%\All Users\Application Data\ulycozoho._dl
    * %Documents and Settings%\All Users\Documents\ekenubes.com
    * %Documents and Settings%\All Users\Documents\icosagula.reg
    * %UserProfile%\Application Data\jugifyryve.exe
    * %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk
    * %UserProfile%\Cookies\ajeby.reg
    * %UserProfile%\Cookies\yqeqaranym.vbs
    * %UserProfile%\Cookies\zebav.pif
    * %UserProfile%\Desktop\_scui.cpl.txt
    * %UserProfile%\Desktop\PC_Antispyware2010.lnk
    * %UserProfile%\Local Settings\Application Data\xoqupuwytu._dl
    * %UserProfile%\Start Menu\Programs\PC_Antispyware2010
    * %UserProfile%\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk
    * %UserProfile%\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk

The registry entries that need to be removed are as follows:

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC_Antispyware2010
    * HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010
    * HKEY_CURRENT_USER\Control Panel\don't load “scui.cpl”
    * HKEY_CURRENT_USER\Control Panel\don't load “wscui.cpl”
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “PC Antispyware 2010”

Please be aware that manual removal of PC Antispyware 2010 is a cumbersome process and does not always ensure complete deletion of the malware, because some files might be hidden or may be restored automatically afterwards. Moreover, manual interference of this kind may cause damage to the system. That’s why we strongly recommend professional removal of PC Antispyware 2010, which will save you time, help avoid system malfunctions and guarantee the needed result.

How to remove Active Security rogue anti-spyware

Malware Description:
Active Security is the newest rogue anti-spyware utility that does not deserve one’s trust, since it attempts to cheat people out of their money. Active Security maintains the ‘traditions’ of ransomware programs, so it gets onto one’s computer without letting the user know. Having settled inside the compromised system, Active Security reconfigures the host system and alters it so that the rogue’s commands are easily executed. The apparent signs of Active Security’s presence on your machine include the following: general PC slowdown; multiple popup ads and unwanted scanners; disabled Task Manager, System Restore and occasionally Safe Mode; and browser hijacking, which redirects web surfing to insecure websites. The alerts and security scanners triggered by Active Security have no informative value because they report non-existent infections without checking whether they are actually on your computer. This approach is meant to make you think your computer is in trouble and needs Active Security commercial software to resolve these security issues. The most essential thing to realize about Active Security is that it is a computer impostor that wants your money and cannot in fact protect your PC. So please do not waste your time considering whether you should install Active Security; instead, you should immediately remove this nasty rogueware, as it greatly jeopardizes any computer it infects.


How to remove Active Security manually:
Manual removal of Active Security is a feasible objective if you have sufficient expertise in dealing with program files, processes, .dll files and registry entries.

The files to be deleted are listed below:

    * %System Root%\Samples
    * %User Profile%\Local Settings\Temp
    * %Program Files%\Active Security
    * %Program Files%\LabelCommand
    * %Documents and Settings%\All Users\Start Menu\Programs\Active Security
    * %Documents and Settings%\All Users\Application Data\Active Security

The registry entries that need to be removed are as follows:

    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Active Security”
    * HKEY_CURRENT_USER\Software\Active Security
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Active Security
    * HKEY_LOCAL_MACHINE\SOFTWARE\Active Security

Please be aware that manual removal of Active Security is a cumbersome process and does not always ensure complete deletion of the malware, because some files might be hidden or may be restored automatically afterwards. Moreover, manual interference of this kind may cause damage to the system. That’s why we strongly recommend professional removal of Active Security, which will save you time, help avoid system malfunctions and guarantee the needed result.

How to remove Alpha Antivirus rogue anti-spyware

Malware Description:
Alpha Antivirus (aka AlphaAntivirus or Alfa Antivirus) is the newest rogue anti-spyware application that possesses huge destructive potential and has been released to take advantage of computer users’ credulity. The Alpha Antivirus GUI appears similar to that of the nasty rogueware known as Personal Antivirus, so we do not rule out that these programs belong to the same malware family. Alpha Antivirus installs onto one’s PC through the “traditional” rogueware tactics, which involve the use of Trojan.Downloader or an annoying browser hijacking routine. Having infiltrated the computer system without letting the user know about it (i.e. without any sign of user authorization), Alpha Antivirus starts deploying its dirty strategy by making some slight system modifications, dropping a number of executables into the System32 folder and creating some registry keys. Consequently, the compromised computer launches the Alpha Antivirus executable each time a user logs on to Windows. When operating, Alpha Antivirus displays multiple security alerts and fake system scanners which report the alleged detection of malware applications, viruses, trojans, worms, rootkits etc. and recommend that the unsuspecting user install and register the paid full version of Alpha Antivirus (doing which is a BIG mistake). The truth is that Alpha Antivirus alerts and scanners are fabricated and must therefore not be trusted. Please do not follow the tips prompted through Alpha Antivirus ads; it’s the shortest known way to severe system contamination. Alpha Antivirus rogue anti-spyware has been developed to bring profit to its creators by deceiving people, so don’t become one of its victims. Please follow the security guide below to neutralize and uninstall Alpha Antivirus badware ASAP.

How to remove Alpha Antivirus manually:
Manual removal of Alpha Antivirus is a feasible objective if you have sufficient expertise in dealing with program files, processes, .dll files and registry entries.

The files to be deleted are listed below:

    * %Program Files%\AlphaAV
    * %Program Files%\AlphaAV\AlphaAV.exe
    * %UserProfile%\Desktop\Alpha Antivirus.lnk
    * %WINDOWS%\system32\msnaoladdon.dll
    * %WINDOWS%\system32\NetFilter.exe
    * %WINDOWS%\system32\ndisapi.dll
    * %WINDOWS%\system32\drivers\NDISRD.sys

The registry entries that need to be removed are as follows:

    * HKEY_LOCAL_MACHINE\Software\Alpha Antivirus
    * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run “AlphaAV”
    * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run “Alpha Antivirus”
    * HKEY_CURRENT_USER\Software\Alpha Antivirus
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alpha Antivirus

Please be aware that manual removal of Alpha Antivirus is a cumbersome process and does not always ensure complete deletion of the malware, because some files might be hidden or may be restored automatically afterwards. Moreover, manual interference of this kind may cause damage to the system. That’s why we strongly recommend professional removal of Alpha Antivirus, which will save you time, help avoid system malfunctions and guarantee the needed result.

How to remove SystemCop rogue anti-spyware

Malware Description:
SystemCop (aka System Cop) is a new fake anti-spyware utility from the same malware family as BlockDefense, SaveDefense, SaveSoldier, SaveKeep and a string of other dangerous rogues released by WiniSoft hackers. SystemCop has the exact same Graphical User Interface (GUI) as its above-mentioned forerunners, except for the program name, of course (which is probably the only difference). SystemCop installs in a hidden manner, i.e. without one’s awareness, because the rogueware uses trojans to help it infiltrate a random computer system via security exploits. After the malware gets inside, it configures the new host system to run the SystemCop executable every single time the PC starts. Therefore, SystemCop fake scanners and its annoying bogus pop-ups will accompany the victim’s everyday PC use. Since SystemCop reports a variety of infections on the compromised computer, it asks the user to remove them, but first he/she needs to purchase the System Cop full version. Please do not go that far, and do not let the SystemCop malware brainwash you. Just stick to the instructions below and remove the SystemCop rogue anti-spyware as soon as it attacks your system.


How to remove SystemCop manually:
Manual removal of SystemCop is a feasible objective if you have sufficient expertise in dealing with program files, processes, .dll files and registry entries.

The files to be deleted are listed below:

    * %Program Files%\SystemCop Software
    * %Program Files%\SystemCop Software\SystemCop
    * %Program Files%\SystemCop Software\SystemCop\license.txt
    * %Program Files%\SystemCop Software\SystemCop\SystemCop.exe
    * %Program Files%\SystemCop Software\SystemCop\uninstall.exe
    * %WINDOWS%\102z6w59m3c4.cpl
    * %WINDOWS%\1044zhackt9ol5b2.dll
    * %WINDOWS%\10683v9rzs656.cpl
    * %WINDOWS%\10915hief309z.cpl
    * %Documents and Settings%\All Users\Desktop\SystemCop.lnk
    * %Documents and Settings%\All Users\Start Menu\Programs\SystemCop
    * %Documents and Settings%\All Users\Start Menu\Programs\SystemCop\1 SystemCop.lnk
    * %Documents and Settings%\All Users\Start Menu\Programs\SystemCop\2 Homepage.lnk
    * %Documents and Settings%\All Users\Start Menu\Programs\SystemCop\3 Uninstall.lnk

The registry entries that need to be removed are as follows:

    * HKEY_CURRENT_USER\Software\SystemCop
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemCop
    * HKEY_LOCAL_MACHINE\SOFTWARE\SystemCop
    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMCOPSVC
    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemCopSvc
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “ha8tozmj.exe”
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “SystemCop”

Please be aware that manual removal of SystemCop is a cumbersome process and does not always ensure complete deletion of the malware, because some files might be hidden or may be restored automatically afterwards. Moreover, manual interference of this kind may cause damage to the system. That’s why we strongly recommend professional removal of SystemCop, which will save you time, help avoid system malfunctions and guarantee the needed result.

How to remove Trust Cop (TrustCop) rogue anti-spyware

Malware Description:
One of the largest fake anti-spyware groups has recently been refreshed by the latest ransomware, called Trust Cop (aka TrustCop). This dangerous and misleading program was preceded by very similar, differently named badware applications such as Secure Warrior, Secure Fighter, SecureVeteran, SecuritySoldier and SecurityFighter. A computer user is quite unlikely to notice Trust Cop intruding because the rogue uses rootkit infiltration methods, which consist of a stealthy attack that bypasses authentication. Upon installation, Trust Cop modifies the System Registry and thus messes up the system. With Trust Cop on your machine, you won’t be able to surf the internet normally because you will keep being redirected to fake online scanner sites. In addition, your desktop will be filled with Trust Cop ads and unwanted scanners that deliver deceitful information about alleged spyware detection. By annoyingly telling you how badly infected your computer is, Trust Cop tries to have you install and register the paid full version of its software. Do not panic and do not install the Trust Cop fraud. You should instead take timely measures to make the Trust Cop rogueware vanish. Please review the tips below to make your computer operate the way it used to.



How to remove Trust Cop manually:
Manual removal of Trust Cop is a feasible objective if you have sufficient expertise in dealing with program files, processes, .dll files and registry entries.

The files to be deleted are listed below:

    * %Program Files%\TrustCop Software
    * %Program Files%\TrustCop Software\TrustCop
    * %Program Files%\TrustCop Software\TrustCop\license.txt
    * %Program Files%\TrustCop Software\TrustCop\trustcop.exe
    * %Program Files%\TrustCop Software\TrustCop\uninstall.exe
    * %WINDOWS%\102z6w59m3c4.cpl
    * %WINDOWS%\1044zhackt9ol5b2.dll
    * %WINDOWS%\10683v9rzs656.cpl
    * %WINDOWS%\10915hief309z.cpl
    * %Documents and Settings%\All Users\Desktop\TrustCop.lnk
    * %Documents and Settings%\All Users\Start Menu\Programs\TrustCop
    * %Documents and Settings%\All Users\Start Menu\Programs\TrustCop\1 TrustCop.lnk
    * %Documents and Settings%\All Users\Start Menu\Programs\TrustCop\2 Homepage.lnk
    * %Documents and Settings%\All Users\Start Menu\Programs\TrustCop\3 Uninstall.lnk

The registry entries that need to be removed are as follows:

    * HKEY_CURRENT_USER\Software\TrustCop
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TrustCop
    * HKEY_LOCAL_MACHINE\SOFTWARE\TrustCop
    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRUSTCOPSVC
    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrustCopSvc
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “TrustCop”

Please be aware that manual removal of Trust Cop is a cumbersome process and does not always ensure complete deletion of the malware, because some files might be hidden or may be restored automatically afterwards. Moreover, manual interference of this kind may cause damage to the system. That’s why we strongly recommend professional removal of Trust Cop, which will save you time, help avoid system malfunctions and guarantee the needed result.
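Because the page warns that some of these files may be hidden on the running system, one way to check the Soft Soldier and Trust Cop file lists is against the infected disk mounted read-only on a clean machine. The following Python is an added example, not part of the original page; the function names, the Windows XP folder mapping for the `%...%` labels and the offline-mount workflow are assumptions of the example.

```python
import os
import re

# Assumption: the %...% tokens in the page's lists are folder labels, not real
# environment variables. They are mapped here onto a Windows XP layout,
# relative to the root of an offline, read-only mounted system volume.
XP_LAYOUT = {
    "program files": "Program Files",
    "windows": "WINDOWS",
    "documents and settings": "Documents and Settings",
}

# Entries copied from the page's Soft Soldier and Trust Cop lists (subset).
PAGE_LISTS = {
    "Soft Soldier": [
        r"%Program Files%\SoftSoldier Software\SoftSoldier\softsoldier.exe",
        r"%WINDOWS%\102z6w59m3c4.cpl",
        r"%WINDOWS%\1044zhackt9ol5b2.dll",
        r"%Documents and Settings%\All Users\Desktop\SoftSoldier.lnk",
    ],
    "Trust Cop": [
        r"%Program Files%\TrustCop Software\TrustCop\trustcop.exe",
        r"%WINDOWS%\102z6w59m3c4.cpl",
        r"%WINDOWS%\1044zhackt9ol5b2.dll",
        r"%Documents and Settings%\All Users\Desktop\TrustCop.lnk",
    ],
}

# The closing '%' is optional because scraped lists sometimes lose it.
_FILE_ENTRY = re.compile(r"^%([^%\\]+)%?\\(.+)$")
# A trailing quoted token names a value under the key, not a subkey.
_REG_ENTRY = re.compile(r'^(HKEY_[A-Z_]+)\\(.*?)(?:\s+[“"](.+?)[”″"])?$')


def to_relative_parts(entry):
    """Turn one file-list entry into path components under the volume root."""
    match = _FILE_ENTRY.match(entry.strip().lstrip("* "))
    if not match:
        raise ValueError("unrecognised entry: %r" % entry)
    label = match.group(1).strip().lower()
    if label not in XP_LAYOUT:
        raise ValueError("no mapping for placeholder %r" % match.group(1))
    return [XP_LAYOUT[label]] + match.group(2).split("\\")


def split_registry_entry(entry):
    """Return (hive, key_path, value_name); value_name is None for a key."""
    match = _REG_ENTRY.match(entry.strip().lstrip("* "))
    if not match:
        raise ValueError("unrecognised entry: %r" % entry)
    return match.group(1), match.group(2), match.group(3)


def resolve_ci(root, parts):
    """Walk parts under root ignoring case, as Windows does; None if absent."""
    current = root
    for part in parts:
        try:
            names = os.listdir(current)
        except OSError:  # not a directory, missing, or unreadable
            return None
        hit = next((n for n in names if n.lower() == part.lower()), None)
        if hit is None:
            return None
        current = os.path.join(current, hit)
    return current


def scan_volume(root, lists=PAGE_LISTS):
    """Return {family: [list entries present under root]}."""
    found = {}
    for family, entries in lists.items():
        hits = [e for e in entries if resolve_ci(root, to_relative_parts(e))]
        if hits:
            found[family] = hits
    return found


def shared_entries(lists=PAGE_LISTS):
    """Normalised paths that occur in every family's list."""
    per_family = [
        {"\\".join(to_relative_parts(e)).lower() for e in entries}
        for entries in lists.values()
    ]
    return sorted(set.intersection(*per_family))


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for family, hits in scan_volume(root).items():
        for entry in hits:
            print(family, entry, sep="\t")
    print("shared between lists:", shared_entries())
```

A hit on one of the shared `%WINDOWS%` entries does not tell the two products apart, since both lists contain it. In the registry lists, a quoted name after a `Run` key is a value under that key, so only that value is removed and the `Run` key itself stays.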


How to remove Smart Protector rogue anti-spyware

Malware Description:
Smart Protector is a new rogue anti-spyware program and an utterly fraudulent money-hunter. As a rule, Smart Protector employs trojans to get inside one’s Operating System and mess it up afterwards. The main mission of Smart Protector is to make it look like the user needs the registered version of the program to defend the compromised computer against malicious programs. The first suspicious thing spyware analysts noticed about Smart Protector is that the corresponding antivirus database is empty, which shows that Smart Protector is not meant for protecting one’s PC. Indeed, when Smart Protector scans your system, it returns deliberately misleading results that state you have multiple security issues to neutralize. All of the above shows that Smart Protector scanners and detection alerts are nothing but pre-designed animations used for tricking the unsuspecting user. Do not be naive, and refrain from downloading the Smart Protector full version. In addition, it’s worth mentioning that Smart Protector slows down the compromised system by consuming CPU resources. Another possible symptom of Smart Protector is a restricted internet connection and browser redirections to affiliate websites such as Smartprotectorpro.com and Gosmrtprt.com, where you are supposed to get interested in buying Smart Protector licensed software. Please review the info below to find out more about Smart Protector removal methods.



How to remove Smart Protector manually:
Manual removal of Smart Protector is a feasible objective if you have sufficient expertise in dealing with program files, processes, .dll files and registry entries.

The files to be deleted are listed below:

    * %Program Files%\Smart Protector
    * %Program Files%\Smart Protector\config.cnf
    * %Program Files%\Smart Protector\mainbase.adb
    * %Program Files%\Smart Protector\q.adb
    * %Program Files%\Smart Protector\queue.vdb
    * %Program Files%\Smart Protector\smartprotector.exe
    * %Program Files%\Smart Protector\uninstall.exe
    * %Program Files%\Smart Protector\virusbase.adb
    * %Program Files%\Smart Protector\quarantine
    * %Documents and Settings%\All Users\Application Data\Microsoft\Media Index\Drivers
    * %Documents and Settings%\All Users\Application Data\Microsoft\Media Index\internet.dll
    * %UserProfile%\Desktop\Smart Protector.lnk
    * %UserProfile%\Start Menu\Programs\Smart Protector
    * %UserProfile%\Start Menu\Programs\Smart Protector\Smart Protector.lnk
    * %UserProfile%\Start Menu\Programs\Smart Protector\Uninstall.lnk

The registry entries that need to be removed are as follows:

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart Protector
    * HKEY_LOCAL_MACHINE\SOFTWARE\Smart Protector
    * HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\S
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Smart Protector”

Please be aware that manual removal of Smart Protector is a cumbersome process and does not always ensure complete deletion of the malware, because some files might be hidden or may be restored automatically afterwards. Moreover, manual interference of this kind may cause damage to the system. That’s why we strongly recommend professional removal of Smart Protector, which will save you time, help avoid system malfunctions and guarantee the needed result.


Internet Security 2010


Internet Security 2010 is a rogue antivirus program. Please read the removal instructions and get rid of this fake program from your computer as soon as possible. InternetSecurity2010 is a clone of Advanced Virus Remover malware & security tool. If you take a closer look, you will see that both programs use the same graphical user interface. This rogue application is promoted through the use of Trojans. Most of the time, Trojans have to be manually installed and come from various misleading websites, for example fake online anti-malware scanners. Once installed, Internet Security 2010 will imitate a system scan and report many false system security threats. Then it will ask you to pay for a full version of the program to remove those security threats or infections. However, do not buy it; this is a scam. If you or anyone you know has bought this program, or if you have entered any personal information such as passwords, bank accounts etc., this infection will compromise them. The safest way to fix the issues is to manually remove this infection. Most systems with this infection are also infected with other types of malware.

When running, Internet Security 2010 will also display fake security alerts. Those alerts will state that IS2010 (Internet Security 2010) has found critical vulnerabilities on your computer. The rogue program displays these infections:

Rogue:W32/XPAntivirus.gen!
AdWare.Win32.Zwangi
Trojan-Spy.HTML.Visafraud.a
Worm:W32/Agent
Trojan-PSW.W32/Steam
Net-Worm.Win32.DipNet.d
Trojan-Dropper:W32/Trojan-Dropper
Worm:W32/Downadup.gen
Trojan-Downlaoder:W32/Fakerean.gen!A
Net-Worm.Win32.Mytob.t
Trojan-Spy.Win32.Hookit.11
Trojan-Clicker.HTML.IFrame.g
Virus:W32/Alman.b
Trojan-Dropper.Win32.Agent.sd
Email-Worm.Win32NetSky.q
riskware.Win32
Rootkit.win32.agent

The supposed infections are usually detected in the Windows System or System32 folder. If you decide to remove these infections with Internet Security 2010, you will get an activation window with further information on what to do. This fake window states that the currently installed version of Internet Security 2010 is for trial purposes only. You have to buy an activation code to remove the infections, which of course do not even exist. Warning: do NOT buy this software; it will steal your credit card info.


Internet Security 2010 will also display fake notifications from Windows Taskbar. The fake notifications state:

System warning!
Intercepting programs that may compromise your privacy and harm your system has been detected on your PC. It's highly recommended you scan your PC right now.

System warning!
Continue working in unprotected mode is very dangerous. Virus can damage your confidential data and work on your computer. Click here to protect your computer



At the same time you will be taken to the pay page of Internet Security 2010. It is shown in the image below. As you can see, it costs $49.95 and even states that it now includes AVG Firewall and Email Protection for free. That's obviously not true. Internet Security 2010 does not include any part of AVG; this is just another lie designed to trick you into buying this fraudulent program.

c:\documents and settings\Test User\Desktop\Internet Security 2010.lnk
c:\documents and settings\Test User\Start Menu\Internet Security 2010.lnk
c:\program files\InternetSecurity2010
c:\program files\InternetSecurity2010\IS2010.exe
c:\program files\SGPSA
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Microsoft.NET\nimarab.bak1
c:\windows\Microsoft.NET\nimarab.bak2
c:\windows\Microsoft.NET\nimarab.tmp
c:\windows\system32\bszip.dll
c:\windows\system32\bunefife.dll
c:\windows\system32\uttss.bak1
c:\windows\system32\uttss.bak2
c:\windows\system32\uttss.ini
c:\windows\system32\uttss.ini2
c:\windows\system32\uttss.tmp
c:\windows\system32\winhelper86.dll
c:\windows\system32\winlogon86.exe
c:\windows\system32\winupdate86.exe
c:\windows\system32\zugovela.dll
c:\windows\Tasks\hdpcddyn.job
c:\windows\Tasks\wpwfkgwk.job

BHO-{c2c59d47-6785-48ec-8857-311aed106954} - yipiwopa.dll
Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-kazodusuk - c:\windows\system32\bunefife.dll
HKLM-Run-tokevohisi - lenamahi.dll
SharedTaskScheduler-{c8d2c1bd-f1f0-4a16-8cc9-a4a03da8a5fe} - c:\windows\system32\bunefife.dll
SSODL-fagimufud-{c8d2c1bd-f1f0-4a16-8cc9-a4a03da8a5fe} - c:\windows\system32\bunefife.dll




Trojan.PWS.ChromeInject.A
Trojan.PWS.ChromeInject.B

Researchers at BitDefender have discovered a new type of malicious software that collects passwords for banking sites but targets only Firefox users.

The malware, which BitDefender dubbed "Trojan.PWS.ChromeInject.A" sits in Firefox's add-ons folder, said Viorel Canja, the head of BitDefender's lab. The malware runs when Firefox is started.

The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including Barclays, Wachovia, Bank of America, and PayPal along with two dozen or so Italian and Spanish banks. When it recognizes a Web site, it will collect logins and passwords, forwarding that information to a server in Russia.

Firefox has been continually gaining market share against main competitor Internet Explorer since its debut four years ago, which may be one reason why malware authors are looking for new avenues to infect computers.

Users could be infected with the Trojan either from a drive-by download, which can infect a PC by exploiting a vulnerability in a browser, or by being duped into downloading it.

When it runs on a PC, it registers itself in Firefox's system files as "Greasemonkey," a well-known collection of scripts that add extra functionality to Web pages rendered by Firefox.

BitDefender, AVG and Malwarebytes have updated their products to detect it, and other vendors will likely follow suit quickly, Canja said. Users could avoid it by only downloading signed, verified software, but that's a measure that restricts the usability of a PC.

The malware is not present in Mozilla's repository of add-ons, Canja said. Mozilla had taken steps to ensure that its official site hosting add-ons -- also called extensions -- is free from malware.

In May, Mozilla acknowledged that the Vietnamese language pack for Firefox contained a bit of unwanted code. Although widely reported as a virus, the language pack actually contained a line of HTML code that would cause users to view unwanted advertisements.

Mozilla now scans new add-ons for malware. However, those scans will only detect known threats, and there was no signature in the security software Mozilla was using at the time that could detect the code.

Mozilla said the code probably ended up in the language pack after the PC of its developer became infected. More than 16,000 people downloaded the language pack, but only about 1,000 people regularly use it.


After the incident, Mozilla said it would scan add-ons in its repository when antivirus signatures were updated.

A password stealing trick masquerades as a Firefox Plugin, to filter sent login credentials

A new type of malware designed to harvest web passwords has been detected in-the-wild by BitDefender antivirus research labs. This latest e-threat called Trojan.PWS.ChromeInject.A / Trojan.PWS.ChromeInject.B is intended to be delivered onto a compromised computer system by other malware for subsequent download into Mozilla Firefox's Plugin folder. Once installed it gets to work every time Firefox is started.

According to BitDefender researchers, the Trojan filters data sent by the victim to a large number of designated banking websites which are used every day in the UK for online shopping and financial transactions.

Harvested login credentials will be sent to a web address similar to [removed]eex.ru. Both the domain and the hosting server are located in Russia, which points to the origins of this latest e-threat.

In order to stay safe, home computer users are advised to install effective Internet Security protection and make sure they are updated regularly, to ward off these attempts, says Nick Lockard, head of NickLockard.com anti-virus research lab.

It is the first malware that targets Firefox. The filtering is done by a JavaScript file running in Firefox's chrome environment.

TECHNICAL DESCRIPTION:

It drops an executable file (which is a Firefox 3 plugin) and a JavaScript file (detected by Bitdefender as: Trojan.PWS.ChromeInject.A) into the Firefox plugins and chrome folders respectively.

It filters the URLs within the Mozilla Firefox browser, and whenever it encounters one of the following addresses opened in the Firefox browser, it captures the login credentials.




On January 26, 2006, Microsoft and the Washington state attorney general filed suit against Secure Computer for its Spyware Cleaner product. On December 4, 2006, the Washington attorney general announced that Secure Computer had paid $1 million to settle with the state. As of that date, Microsoft's case against Secure Computer remained pending.

Ready for help? Let's chat: 3pm - 3am PST, Mon - Fri (some weekends)

Call (503) 383-9785


Email admin@nicklockard.com




The Conficker Worm
The Conficker worm is a computer worm that can infect your computer and spread itself to other computers across a network automatically, without human interaction.

Am I at risk of having the Conficker worm?

Most antivirus software could detect and block the Conficker worm, so if you have updated antivirus software on your computer, you are at a much lower risk of being infected by the Conficker worm.

If you or your network administrator have not installed the latest security updates from Microsoft and your antivirus provider, and if you have file-sharing turned on, the Conficker worm could allow remote code execution. Remote code execution allows an attacker to take control of your computer and use it for malicious purposes.

The Conficker worm can also disable important services on your computer.

Win32/Conficker.B might spread through file sharing and via removable drives, such as USB drives (also known as thumb drives). The worm adds a file to the removable drive so that when the drive is used, the AutoPlay dialog will show one additional option.

In the screenshot of the AutoPlay dialog box below, the option "Open folder to view files" marked "Publisher not specified" was added by the worm. The highlighted option "Open folder to view files" marked "using Windows Explorer" is the option that Windows provides and the option you should use.

If you select the first option, the worm executes and can begin to spread itself to other computers.
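As an added example (not part of the original page), the following Python check shows how a removable drive can be inspected for this trick before anyone opens it. It assumes the file the worm adds is the drive's autorun.inf, whose [autorun] section supplies the AutoPlay caption (action=) and the command to run (open= or shellexecute=); the sample file contents and the placeholder program name are constructed.

```python
import re

# Caption that Windows itself shows in the AutoPlay dialog (the one named above).
BUILTIN_CAPTIONS = {"open folder to view files"}
RUN_KEYS = ("open", "shellexecute")


def parse_autorun(data):
    """Return the key/value pairs of the [autorun] section of an autorun.inf (bytes)."""
    text = data.decode("latin-1")                 # never fails, so junk bytes are harmless
    section, values = None, {}
    for line in text.replace("\r", "\n").split("\n"):
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"\[([^\]]*)\]", line)
        if header:
            section = header.group(1).strip().lower()   # section names are case-insensitive
            continue
        if section == "autorun" and "=" in line:        # lines without '=' are skipped
            key, _, value = line.partition("=")
            values.setdefault(key.strip().lower(), value.strip())  # first value wins here
    return values


def classify_autorun(data):
    """Classify an autorun.inf as 'no-command', 'runs-program' or 'spoofed-caption'."""
    values = parse_autorun(data)
    command = next((values[k] for k in RUN_KEYS if values.get(k)), None)
    if command is None:
        return ("no-command", None)
    caption = " ".join(values.get("action", "").lower().split())
    if caption in BUILTIN_CAPTIONS:
        # The drive offers a program under the same wording Windows uses for
        # its own harmless "browse the drive" entry.
        return ("spoofed-caption", command)
    return ("runs-program", command)


# Constructed samples (not taken from a real infection).
SPOOFED = (b"\x8f\x02 junk line\r\n[AutoRun]\r\n\xfe\xfd more junk\r\n"
           b"AcTiOn=Open folder  to view files\r\n"
           b"shellExecute=EXAMPLE-PLACEHOLDER.exe\r\nUseAutoPlay=1\r\n")
INSTALLER = b"[autorun]\r\nopen=setup.exe\r\naction=Install Example Suite\r\n"
LABEL_ONLY = b"[autorun]\r\nlabel=Backup Drive\r\n"

if __name__ == "__main__":
    for name, blob in (("spoofed", SPOOFED), ("installer", INSTALLER), ("label", LABEL_ONLY)):
        print(name, classify_autorun(blob))
```

A "spoofed-caption" result means the drive should be treated as infected and scanned from a machine with AutoPlay disabled.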




What to do if you are infected

  1. Use your AVG product to identify which variant of the worm is on your computer.
  2. Follow the detailed removal instructions for the specific version of the worm. These can be found here:

W32.Downadup.A writeup
W32.Downadup.B writeup
W32.Downadup.C writeup


The Conficker Worm A

Discovered: November 21, 2008
Updated: November 24, 2008 9:37:07 AM
Also Known As: Win32/Conficker.A [Computer Associates], W32/Downadup.A [F-Secure], Conficker.A [Panda Software], Net-Worm.Win32.Kido.bt [Kaspersky], WORM_DOWNAD.AP [Trend]
Type: Worm
Infection Length: 62,976 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
CVE References: CVE-2008-4250

Once executed, the worm copies itself as the following file:
%System%\[RANDOM FILE NAME].dll

Next, the worm deletes any user-created System Restore points.

It creates the following service:
Name: netsvcs
ImagePath: %SystemRoot%\\system32\\svchost.exe -k netsvcs

Then the worm creates the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PathToWorm]"

The worm connects to the following URLs to obtain IP address of the compromised computer:
  • [http://]www.getmyip.org
  • [http://]getmyip.co.uk
  • [http://]checkip.dyndns.org


Next, the worm downloads a file from the following URL and executes it:
[http://]trafficconverter.biz/4vir/antispyware/loada[REMOVED]

The worm then creates an HTTP server on the compromised computer on a random port, for example:
http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]

The worm then sends this URL as part of its payload to remote computers.

Upon successful exploitation, the remote computer will then connect back to this URL and download the worm.

In this way, each exploited computer can spread the worm itself, as opposed to downloading from a predetermined location.

Next, the worm connects to a UPnP router and opens the http port.

It then attempts to locate the network device registered as the Internet gateway on the network and opens the previously mentioned [RANDOM PORT] in order to allow access to the compromised computer from external networks.

The worm then attempts to download a data file from the following URL:
[http://]www.maxmind.com/download/geoip/database/GeoIP.[REMOVED]

The worm spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability.

Next, the worm attempts to contact the following sites to obtain the current date:
  • http://www.w3.org
  • http://www.ask.com
  • http://www.msn.com
  • http://www.yahoo.com
  • http://www.google.com
  • http://www.baidu.com


It uses the date information to generate a list of domain names.

The worm then contacts these domains in an attempt to download additional files onto the compromised computer.

Recommendations

Nick Lockard Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.



The Conficker Worm B
Discovered: December 30, 2008
Updated: March 24, 2009 12:05:35 PM
Also Known As: Worm:W32/Downadup.AL [F-Secure], Win32/Conficker.B [Computer Associates], W32/Confick-D [Sophos], WORM_DOWNAD.AD [Trend], Net-Worm.Win32.Kido.ih [Kaspersky], Conficker.D [Panda Software]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
CVE References: CVE-2008-4250

W32.Downadup.B is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability. It also attempts to spread to network shares protected by weak passwords and block access to security-related Web sites.

Threat Assessment

Wild

  • Wild Level: Medium
  • Number of Infections: 1000+
  • Number of Sites: 10+
  • Geographical Distribution: Medium
  • Threat Containment: Moderate
  • Removal: Moderate

Damage

  • Damage Level: Medium
  • Modifies Files: Modifies the tcpip.sys file.

Distribution

  • Distribution Level: Medium
  • Shared Drives: Attempts to spread to network shares protected by weak passwords.
  • Target of Infection: Spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874)





The Conficker Worm C

Discovered: March 6, 2009
Updated: March 11, 2009 4:12:59 PM
Also Known As: Mal/Conficker-B [Sophos], Worm:W32/Downadup.DY [F-Secure], Trojan-Downloader.Win32.Kido.a [Kaspersky]
Type: Trojan, Worm
Infection Length: 88,576 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000


Manual Removal:
The following instructions pertain to all current and recent AVG antivirus products. If you have a problem removing this infection, chat with Nick Lockard for more help.
  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Find and stop the service.
  4. Run a full system scan.
  5. Delete any values added to the registry.

For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or chat with Nick Lockard.

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder 

2. To update the virus definitions
AVG Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running Update now, which is the easiest way to obtain virus definitions.

    If you use AVG, definitions are updated daily.

3. To find and stop the service
  1. Click Start > Run.
  2. Type services.msc, and then click OK.
  3. Locate and select the service that was detected.
  4. Click Action > Properties.
  5. Click Stop.
  6. Change Startup Type to Manual.
  7. Click OK and close the Services window.
  8. Restart the computer.
4. To run a full system scan
  1. Start your AVG antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected, follow the instructions displayed by your antivirus program.
Important: If you are unable to start your AVG antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, chat with Nick Lockard. Once you have restarted in Safe mode, run the scan again.


After the files are deleted, restart the computer in Normal mode and proceed with the next section.

Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

5. To delete the value from the registry
Important: Nick Lockard strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. If you have questions or need professional help, chat with Nick Lockard.
  1. Click Start > Run.
  2. Type regedit
  3. Click OK.

    Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

  4. Navigate to and delete the following registry subkeys:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 1]
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 1]


  5. Navigate to and delete the following registry entries:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "rundll32.exe "[RANDOM DLL FILE NAME]", [RANDOM PARAMETER STRING]"
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"ImagePath" = "%System%\svchost.exe -k netsvcs"
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\Parameters\"ServiceDll" = "[PATH TO THE THREAT]"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\"[WORD 1][WORD 2]" = "[BINARY DATA]"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\"[WORD 1][WORD 2]" = "[BINARY DATA]"


  6. Restore the following registry entries to their previous values, if required:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Defender"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

  7. Exit the Registry Editor.

    Note: If the risk creates or modifies registry subkeys or entries under HKEY_CURRENT_USER, it is possible that it created them for every user on the compromised computer. To ensure that all registry subkeys or entries are removed or restored, log on using each user account and check for any HKEY_CURRENT_USER items listed above.

I recommend running CCleaner to take care of the registry.
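The service entries listed above (an ImagePath of svchost.exe -k netsvcs with the worm's DLL in Parameters\ServiceDll) can be hunted for offline before anything is deleted. The Python below is an added example, not part of the original instructions: it parses a regedit export of the Services key and flags netsvcs services whose name or ServiceDll is absent from a baseline. The baseline, the service name vcdrlxeu and the DLL names qhkzrt.dll and xbrowse.dll are constructed for illustration; take a real baseline from a known-clean machine of the same Windows build.

```python
import ntpath
import re

NETSVCS_CMD = "svchost.exe -k netsvcs"
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"


def decode_value(raw):
    """Decode one .reg value: a "quoted string" or hex(1)/hex(2) UTF-16LE data."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])        # undo \\ and \" escaping
    m = re.match(r'hex\([12]\):(.*)$', raw)
    if m:
        data = bytes(int(h, 16) for h in re.findall(r'[0-9a-fA-F]{2}', m.group(1)))
        return data.decode('utf-16-le', errors='replace').rstrip('\x00')
    return None                                          # dword/binary: not needed here


def parse_reg_export(text):
    """Return {lowercased key path: {lowercased value name: decoded value}}."""
    text = re.sub(r'\\\r?\n[ \t]*', '', text)            # join wrapped hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = decode_value(m.group(2))
    return keys


def find_suspect_netsvcs(keys, baseline):
    """Flag svchost 'netsvcs' services whose name or ServiceDll is not in the baseline."""
    findings = []
    for path, values in sorted(keys.items()):
        if not path.startswith(SERVICES):
            continue
        name = path[len(SERVICES):]
        if '\\' in name:                                 # skip subkeys such as \Parameters
            continue
        image = ' '.join((values.get('imagepath') or '').lower().split())
        if NETSVCS_CMD not in image:
            continue
        dll = keys.get(path + '\\parameters', {}).get('servicedll')
        expected = baseline.get(name)
        reasons = []
        if expected is None:
            reasons.append('service name not in baseline')
        if not dll:
            reasons.append('no ServiceDll value')
        elif expected and ntpath.basename(dll).lower() != expected:
            reasons.append('ServiceDll differs from baseline')
        if reasons:
            findings.append((name, dll, reasons))
    return findings


def hex2(s, width=16):
    """Sample builder: encode a string the way regedit exports REG_EXPAND_SZ."""
    parts = ['%02x' % b for b in (s + '\x00').encode('utf-16-le')]
    rows = [','.join(parts[i:i + width]) for i in range(0, len(parts), width)]
    return 'hex(2):' + ',\\\n  '.join(rows)


def svc(name, image, dll=None, quoted=False):
    """Sample builder: one service key (and its Parameters subkey) in .reg syntax."""
    key = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\' + name
    img = '"%s"' % image.replace('\\', '\\\\') if quoted else hex2(image)
    out = '[%s]\n"ImagePath"=%s\n' % (key, img)
    if dll:
        out += '\n[%s\\Parameters]\n"ServiceDll"=%s\n' % (key, hex2(dll))
    return out


NETSVCS = r'%SystemRoot%\system32\svchost.exe -k netsvcs'
# Constructed export: three ordinary services, one unknown name, one swapped DLL.
SAMPLE_EXPORT = 'Windows Registry Editor Version 5.00\n\n' + '\n'.join([
    svc('BITS', NETSVCS, r'%SystemRoot%\system32\qmgr.dll'),
    svc('Schedule', NETSVCS, r'%SystemRoot%\system32\schedsvc.dll'),
    svc('Spooler', r'%SystemRoot%\system32\spoolsv.exe'),
    svc('vcdrlxeu', NETSVCS, r'C:\WINDOWS\system32\qhkzrt.dll', quoted=True),
    svc('Browser', NETSVCS, r'C:\WINDOWS\system32\xbrowse.dll'),
])
# Assumed baseline (service name -> expected DLL) from a clean machine.
BASELINE = {'bits': 'qmgr.dll', 'schedule': 'schedsvc.dll', 'browser': 'browser.dll'}

if __name__ == '__main__':
    for finding in find_suspect_netsvcs(parse_reg_export(SAMPLE_EXPORT), BASELINE):
        print(finding)
```

Anything the check flags still needs confirming against the file on disk before the key is deleted, since a legitimate third-party service can also be missing from the baseline.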



Security Practices


To deter spyware, computer users have found several practices useful in addition to installing anti-spyware programs.

Many system operators install a web browser other than IE, such as Opera or Mozilla Firefox. Though no browser is completely safe, Internet Explorer is at a greater risk for spyware infection due to its large user base as well as vulnerabilities such as ActiveX.

Some ISPs, particularly colleges and universities, have taken a different approach to blocking spyware: they use their network firewalls and web proxies to block access to Web sites known to install spyware. On March 31, 2005, Cornell University's Information Technology department released a report detailing the behavior of one particular piece of proxy-based spyware, Marketscore, and the steps the university took to intercept it. Many other educational institutions have taken similar steps. Spyware programs which redirect network traffic cause greater technical-support problems than programs which merely display ads or monitor users' behavior, and so may more readily attract institutional attention.

Some users install a large hosts file which prevents the user's computer from connecting to known spyware related web addresses. However, by connecting to the numeric IP address, rather than the domain name, spyware may bypass this sort of protection.
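The limit of hosts-file blocking described above can be checked against a proxy or firewall log. The Python below is an added example, not from the original page: it reads a hosts file, then sorts requested URLs into those the hosts file would block, those it does not list, and those that use a numeric IP address and therefore never consult the hosts file. It also shows that a hosts entry covers only the exact name, not its subdomains. All host names, addresses and URLs are constructed samples.

```python
import ipaddress
from urllib.parse import urlsplit

# Addresses a blocking hosts file points unwanted names at.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return the set of host names a hosts file redirects to a sinkhole address."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()       # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] in SINKHOLES:
            blocked.update(name.lower().rstrip(".") for name in fields[1:])
    blocked.discard("localhost")                     # the standard entry is not a block
    return blocked


def is_ip_literal(host):
    """True when the URL host is a numeric IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_request(url, blocked):
    """Return 'ip-literal', 'blocked' or 'not-listed' for one requested URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if is_ip_literal(host):
        return "ip-literal"       # no name lookup happens, so the hosts file is bypassed
    if host in blocked:
        return "blocked"
    return "not-listed"           # includes subdomains of blocked names


def bypass_report(urls, blocked):
    """Return the requests that reached out by numeric address."""
    return [u for u in urls if classify_request(u, blocked) == "ip-literal"]


# Constructed sample hosts file and request log.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
0.0.0.0     ads.tracker.example www.ads.tracker.example   # ad network
127.0.0.1   Spy.Example.
"""
SAMPLE_URLS = [
    "http://ads.tracker.example/banner.js",
    "http://cdn.ads.tracker.example/banner.js",
    "http://203.0.113.45/update.cab",
    "http://[2001:db8::10]/beacon",
    "http://SPY.example/report",
]

if __name__ == "__main__":
    names = parse_hosts(SAMPLE_HOSTS)
    for url in SAMPLE_URLS:
        print(classify_request(url, names), url)
```

Requests reported as "ip-literal" are the ones to block at the firewall or proxy instead, since no hosts entry can stop them.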

Spyware may get installed via certain shareware programs offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack. Recently, CNet revamped its download directory: it has stated that it will only keep files that pass inspection by Ad-Aware and Spyware Doctor.

The first step to removing the virus (spyware) is to put your computer on "lockdown." This can be done in various ways, such as using your anti-virus software or simply disconnecting your computer from all internet activities. This will make whoever is in control of the virus unable to control your computer. The second step to removing the spyware is to locate it and remove it, manually or with virus protection software. Also, stay away from websites that pose potential threats to your computer.

Two security programs are needed to keep a system running securely: the paid edition of Malwarebytes and AVG Internet Security. Having both, and setting your hosts file to read-only, will help protect the system from attacks of all kinds.






w32.Nytemare Rootkit
w32.Nytemare says - > Next time you try to remove me your harddrive gets reformated.

If you see this error, your system is extremely infected.
You may get this error when trying to run tools such as Malwarebytes, HijackThis, ComboFix and GMER, to name a few of the big tools that most IT personnel use.
Some may tell you to rename the files, which doesn't help.

Contact us right away to book an appointment to fix this issue once and for all!



Programs distributed with spyware

Limewire is an infection if it's installed in the default location. Watch the video: http://www.youtube.com/watch?v=JcuH27IwWVk&feature=player_embedded

    BearShare
    Bonzi Buddy
    Dope Wars
    ErrorGuard
    Frostwire
    Grokster
    Kazaa
    Limewire
    Morpheus
    MyWebSearch
    RadLight
    WeatherBug
    EDonkey2000
    WinRAR from CNET & Download.com Applehebi
    Sony's Extended Copy Protection involved the installation of spyware from audio compact discs through autorun. This practice sparked considerable controversy when it was discovered.
    WildTangent The antispyware program Counterspy used to say that it's okay to keep WildTangent, but it now says that the spyware Winpipe is "possibly distributed with the adware bundler WildTangent or from a threat included in that bundler".



Programs formerly distributed with spyware


    AOL Instant Messenger (AOL Instant Messenger still packages Viewpoint Media Player, and WildTangent)
    DivX (except for the paid version, and the "standard" version without the encoder). DivX announced removal of GAIN software from version 5.2
    FlashGet (trial version prior to program being made freeware)




Best Methods To Repair Frustrating Computer Errors

Computer errors can be very frustrating as they come without warning, usually crop up during important deadlines and can be time-consuming as well as expensive to solve.  Encountering computer errors may also cause many users to become irritated, fidgety and frustrated. However, by approaching computer errors in a systematic way, one can make the experience less frustrating and perhaps even learn something.
 
First, you need to accept the fact that computer problems can be prevented most of the time but cannot be totally avoided. You are bound to come across a computer error at some point. Secondly, all computer errors have a reason behind them and it is possible to find the cause of these errors with a little research and patience. Finally, a lot of these errors can be solved by the user without seeking external help, but it’s important to know which errors you can troubleshoot and which ones you can’t.

This article will help you understand and resolve three common computer errors: code 39 error, windows installer 1706 error and ccapp.exe error.

How to fix code 39 error:

This error usually occurs when a driver is missing or corrupt. Follow the below steps to fix code 39 error:

  1. Right-click on the My Computer icon on your desktop and choose Properties. In the System Properties box, click on the Hardware tab and then the Device Manager tab.
  2. Go through the list of hardware installed on your machine in the Device Manager window and locate the faulty driver – the faulty driver will be represented by a yellow triangle containing an exclamation mark.
  3. Open the device’s properties box by double-clicking on it.
  4. Click the Driver tab and then on the Update Driver button. Now, follow the instructions to update your driver and restart your computer.

How to fix Windows Installer 1706 error:

You may encounter this error when you try to install a program using InstallShield. Follow the steps listed below to correct this error:

  1. While installing from the Web, ensure that the setup.exe file looks for the MSI package in the right location. You can verify this by using Release Wizard. Open this wizard to verify that the URL specified for the Web Server has the required MSI package that needs to be downloaded to install your program.
  2. Ensure you use the latest version of InstallShield to install programs.
  3. Ensure that you have administrative rights on the machine on which you are installing new programs.

How to deal with Ccapp Errors:

Ccapp.exe is an important process of Norton Antivirus suite. Users generally encounter the ccapp.exe error during system startup and shutdown. You can fix this error by updating your Norton product by using the Live Update option that is present in the software.

If your error is not corrected after Live Update, follow the steps listed below to resolve this problem:

  1. Open the Norton Antivirus window and choose Options to open the Norton Antivirus Options dialog box.
  2. Next, double-click on the Auto-Protect option, choose the Advanced option and clear the Scan floppy disk in A: for boot viruses when shutting down option.
  3. Click the OK button and restart your computer.




How to Remove Infections
Removing infections takes a vast knowledge of the Windows operating system.  Learning what to look for and how to look for infections is something that one can't easily explain.  Over time, the more infections you see, the better idea you will have of how to remove them.  Because of this, it's best that you stick to basic virus removal programs to do the job for you.

Most infections attack the system32 and temporary folders and stick out like a sore thumb.  The infections that allow popups typically attach bad .dll files to explorer.exe.

Really nasty rootkit infections can hide in system drivers, which load even in safe mode, which makes removing infections like this very tough.  If your security program is not fixing the issues then you may need professional help. For free advice and diagnostics click here.


Infections that are not removed by a typical signature-based security program may need manual removal. That's where the command-line program cacls.exe comes into play.  cacls.exe is a way to change the ACL (Access Control List). Warning: if you have never heard of or used cacls.exe, then you're not qualified to use it and YOU WILL ruin your computer even more.

Changing file, folder, user and group permissions manually from the command prompt can help you gain access to stubborn infections that just will not be deleted by normal means.
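
The cacls.exe approach described above, as an added example that is not part of the original page: it resets permissions on one flagged file and then deletes it. The TARGET path is a placeholder, and the script assumes an elevated command prompt on an English-language Windows install (the Administrators group name is localized on other systems).

```batch
@echo off
rem Added example (not from the original page). Run from an elevated
rem command prompt. TARGET is a placeholder: set it to the one file your
rem scanner flagged but could not delete. Never point this at a folder.
setlocal
set "TARGET=C:\path\to\flagged-file.dll"
set "ACLLOG=%TEMP%\acl-before.txt"

if not exist "%TARGET%" goto :missing

rem 1. Record the current ACL so the change can be reviewed afterwards.
cacls "%TARGET%" > "%ACLLOG%"
type "%ACLLOG%"

rem 2. Grant Administrators full control of this one file.
rem    /E edits the existing ACL. Without /E, /G REPLACES the whole ACL,
rem    dropping every other entry (SYSTEM, Users, ...). That is the mistake
rem    that breaks a machine when cacls is run against system folders.
rem    /T is deliberately not used, so nothing else is touched.
cacls "%TARGET%" /E /G Administrators:F

rem 3. Clear read-only, system and hidden attributes, then delete.
attrib -r -s -h "%TARGET%"
del /f "%TARGET%"

rem 4. Confirm the result instead of assuming it worked.
if exist "%TARGET%" goto :locked
echo Deleted. Previous ACL saved in "%ACLLOG%".
exit /b 0

:locked
echo Still present. Check the cacls output above for errors, or retry
echo from Safe Mode if the file is loaded by a running process.
exit /b 2

:missing
echo Target not found: "%TARGET%"
exit /b 1
```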

Safe Mode is one of the best ways to try to remove infections. However, some infections are still able to run in Safe Mode, so even though your scanners are showing clean you may still have an underlying issue.

Why pay Geek Squad $169.99 for diagnostics when you can get free remote diagnostics here?


100% Money Back Guarantee


I cannot begin to describe how much help I got from Nick. My system was a real mess. It is a mess no longer and I am smiling again. I would recommend this site for all your repairs. And the PRICE? Well, I have no complaints there either. Happy computing starts right here. Jackie in Maryland
jackiel
04 Feb 2009
10:27 pm
I had Antivirus 2009, but the support after the first visit is very good. He came back on, double checked my system and answered my questions.
petes
01 Feb 2009
03:04 pm
Nick is the man! He gave my computer a complete overhaul, and it's working better than new! Highly recommend his services. 
KevinM
30 Jan 2009
05:53 pm
Great info--obviously Nick cares about customer satisfaction-Dick
DickE
28 Jan 2009
06:34 pm
They should call him Nick the Quick! He is fast, accurate, and trustworthy
MikeM
26 Jan 2009
12:18 am
Nick has helped me very much in learning what type of problems I was having and he spent about 45 mins on the phone with me, also remotely connecting to my computer to actually show me where the problem may lie. I definitely recommend him to anyone who is having problems. His thorough searching through your computer to find the problem is a free service. 10 stars goes to Nick for his exceptional help!
KourtneyD
14 Jan 2009
09:37 pm
I was very impressed with Nick and his ability to bring my system back up to speed even though I had a slow connection. He was very thorough in explaining the importance of protecting my PC and what type of issues to look for. I feel very comfortable knowing my system is protected and how to keep it that way. I highly recommend his service. Great job, Andrew
AndrewC
12 Dec 2008
10:12 pm
Mr. Lockard displayed the utmost professionalism. He explained what he was doing in layman terms and provided excellent service. He understood what the problems were and offered solutions. In short, he is a tribute to professionalism
Guest Co***d
28 Nov 2008
06:34 pm
Nick saved my computer! I had Applebhebi, antiviruspro 2009, and xp antispyware 2009, and he knocked them all out. Great guy to deal with 
JasonL
21 Nov 2008
11:57 pm
Great service, removed AntivirusPro2009. Will use again for sure!! This was the easiest, and the best computer service period!
AmandaG
18 Nov 2008
08:07 pm



Call (503) 719-7028 or fill out the form below to schedule your No Risk FREE Remote Diagnostics and become the NEXT success story!

Imagine what your life would be like if you weren't waiting on your computer and dealing with pop ups and errors.  Your time on the computer could be spent doing what you want to do and not dealing with what you don't.

You can only benefit if you take action now! Infections only get worse over time and you risk damaging your hard drive.

You deserve to have a Quicker and more Secured Computer and Network.


Let me prove it to you with my 100% money back guarantee

Thirty (30) days from now you could be out $300+ wasted on tech support such as Geek Squad, who try TO UPSELL you pointless hardware and software that doesn't fix your problems or creates new ones, or you could be surfing the internet much faster, all while knowing your personal information is secured!
(503)719-7028







Remote Data Backups